mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-06 22:50:56 +02:00
Restore error code from DecodeGeneralName
This commit is contained in:
+7
-26
@@ -18900,31 +18900,20 @@ static int DecodeOtherName(DecodedCert* cert, const byte* input,
|
||||
* @return ASN_UNKNOWN_OID_E when the OID cannot be verified.
|
||||
* @return MEMORY_E when dynamic memory allocation fails.
|
||||
*/
|
||||
/* Reject IA5String SAN content that cannot legally appear in
|
||||
* dNSName / rfc822Name / URI per RFC 5280 4.2.1.6. Currently just NUL. */
|
||||
static int DecodeGeneralNameCheckChars(const byte* input, int len)
|
||||
{
|
||||
int i;
|
||||
for (i = 0; i < len; i++) {
|
||||
if (input[i] == 0) {
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
|
||||
int len, DecodedCert* cert)
|
||||
{
|
||||
int ret = 0;
|
||||
word32 idx = *inOutIdx;
|
||||
|
||||
/* GeneralName choice: dnsName */
|
||||
/* GeneralName choice: dnsName.
|
||||
* An embedded NUL makes a dNSName an invalid presented identifier
|
||||
* (RFC 6125 Sec. 6.3 / RFC 9525 Sec. 6.3), not a malformed certificate.
|
||||
* Store it so its presence still suppresses Subject CN fallback, but
|
||||
* length-based matching in MatchDomainName never matches a NUL-free
|
||||
* reference hostname. The result is DOMAIN_NAME_MISMATCH at verification
|
||||
* time rather than ASN_PARSE_E at parse time. */
|
||||
if (tag == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE)) {
|
||||
ret = DecodeGeneralNameCheckChars(input + idx, len);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
ret = SetDNSEntry(cert->heap, (const char*)(input + idx), len,
|
||||
ASN_DNS_TYPE, &cert->altNames);
|
||||
if (ret == 0) {
|
||||
@@ -18952,10 +18941,6 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
|
||||
}
|
||||
/* GeneralName choice: rfc822Name */
|
||||
else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) {
|
||||
ret = DecodeGeneralNameCheckChars(input + idx, len);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
ret = SetDNSEntry(cert->heap, (const char*)(input + idx), len,
|
||||
ASN_RFC822_TYPE, &cert->altEmailNames);
|
||||
if (ret == 0) {
|
||||
@@ -18964,10 +18949,6 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
|
||||
}
|
||||
/* GeneralName choice: uniformResourceIdentifier */
|
||||
else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_URI_TYPE)) {
|
||||
ret = DecodeGeneralNameCheckChars(input + idx, len);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
WOLFSSL_MSG("\tPutting URI into list but not using");
|
||||
|
||||
#ifndef WOLFSSL_NO_ASN_STRICT
|
||||
|
||||
@@ -3125,19 +3125,6 @@ static int DecodeConstructedOtherName(DecodedCert* cert, const byte* input,
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Reject IA5String SAN content that cannot legally appear in
|
||||
* dNSName / rfc822Name / URI per RFC 5280 4.2.1.6. Currently just NUL. */
|
||||
static int DecodeGeneralNameCheckChars(const byte* input, int len)
|
||||
{
|
||||
int i;
|
||||
for (i = 0; i < len; i++) {
|
||||
if (input[i] == 0) {
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
|
||||
{
|
||||
word32 idx = 0;
|
||||
@@ -3200,9 +3187,12 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
|
||||
if ((word32)strLen + idx > sz) {
|
||||
return BUFFER_E;
|
||||
}
|
||||
if (DecodeGeneralNameCheckChars(&input[idx], strLen) != 0) {
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
/* An embedded NUL makes a dNSName an invalid presented identifier
|
||||
* (RFC 6125 Sec. 6.3), not a malformed certificate. Store it so
|
||||
* its presence still suppresses Subject CN fallback; length-based
|
||||
* matching in MatchDomainName never matches a NUL-free hostname,
|
||||
* giving DOMAIN_NAME_MISMATCH at verification rather than
|
||||
* ASN_PARSE_E at parse time. */
|
||||
|
||||
dnsEntry = AltNameNew(cert->heap);
|
||||
if (dnsEntry == NULL) {
|
||||
@@ -3292,9 +3282,6 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
|
||||
if ((word32)strLen + idx > sz) {
|
||||
return BUFFER_E;
|
||||
}
|
||||
if (DecodeGeneralNameCheckChars(&input[idx], strLen) != 0) {
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
emailEntry = AltNameNew(cert->heap);
|
||||
if (emailEntry == NULL) {
|
||||
@@ -3341,10 +3328,6 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
|
||||
return BUFFER_E;
|
||||
}
|
||||
|
||||
if (DecodeGeneralNameCheckChars(&input[idx], strLen) != 0) {
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
#ifndef WOLFSSL_NO_ASN_STRICT
|
||||
/* Verify RFC 5280 Sec 4.2.1.6 rule:
|
||||
"The name MUST NOT be a relative URI"
|
||||
|
||||
Reference in New Issue
Block a user