Reject X.509 certificate strings with embedded NUL characters

These could, at least in theory, be used to generate unexpected common
name or subject alternative name matches should a CA sign strings with
NUL (C string termination) in them. For now, just reject the certificate
if an embedded NUL is detected. In theory, all the comparison routines
could be made to compare these strings as binary blobs (with additional
X.509 rules to handle some exceptions) and display NUL characters
somehow. Anyway, just rejecting the certificate will get rid of
potential problems with the C string getting terminated and it should
not really be used in certificates, so this should not break valid use
cases.
This commit is contained in:
Jouni Malinen 2009-08-23 21:00:38 +03:00
parent 9932c17fc8
commit ad469aecc1

View file

@ -440,6 +440,13 @@ static int x509_parse_name(const u8 *buf, size_t len, struct x509_name *name,
}
os_memcpy(*fieldp, hdr.payload, hdr.length);
(*fieldp)[hdr.length] = '\0';
if (os_strlen(*fieldp) != hdr.length) {
wpa_printf(MSG_INFO, "X509: Reject certificate with "
"embedded NUL byte in a string (%s[NUL])",
*fieldp);
x509_free_name(name);
return -1;
}
}
return 0;
@ -834,6 +841,14 @@ static int x509_parse_alt_name_rfc8222(struct x509_name *name,
if (name->alt_email == NULL)
return -1;
os_memcpy(name->alt_email, pos, len);
if (os_strlen(name->alt_email) != len) {
wpa_printf(MSG_INFO, "X509: Reject certificate with "
"embedded NUL byte in rfc822Name (%s[NUL])",
name->alt_email);
os_free(name->alt_email);
name->alt_email = NULL;
return -1;
}
return 0;
}
@ -848,6 +863,14 @@ static int x509_parse_alt_name_dns(struct x509_name *name,
if (name->dns == NULL)
return -1;
os_memcpy(name->dns, pos, len);
if (os_strlen(name->dns) != len) {
wpa_printf(MSG_INFO, "X509: Reject certificate with "
"embedded NUL byte in dNSName (%s[NUL])",
name->dns);
os_free(name->dns);
name->dns = NULL;
return -1;
}
return 0;
}
@ -864,6 +887,14 @@ static int x509_parse_alt_name_uri(struct x509_name *name,
if (name->uri == NULL)
return -1;
os_memcpy(name->uri, pos, len);
if (os_strlen(name->uri) != len) {
wpa_printf(MSG_INFO, "X509: Reject certificate with "
"embedded NUL byte in uniformResourceIdentifier "
"(%s[NUL])", name->uri);
os_free(name->uri);
name->uri = NULL;
return -1;
}
return 0;
}