Reject X.509 certificate strings with embedded NUL characters
These could, at least in theory, be used to generate unexpected common name or subject alternative name matches should a CA sign strings with NUL (C string termination) in them. For now, just reject the certificate if an embedded NUL is detected. In theory, all the comparison routines could be made to compare these strings as binary blobs (with additional X.509 rules to handle some exceptions) and display NUL characters somehow. Anyway, just rejecting the certificate will get rid of potential problems with the C string getting terminated and it should not really be used in certificates, so this should not break valid use cases.
This commit is contained in:
Jouni Malinen
parent
9932c17fc8
commit
ad469aecc1
1 changed files with 31 additions and 0 deletions
|
|
@ -440,6 +440,13 @@ static int x509_parse_name(const u8 *buf, size_t len, struct x509_name *name,
|
||||||
}
|
}
|
||||||
os_memcpy(*fieldp, hdr.payload, hdr.length);
|
os_memcpy(*fieldp, hdr.payload, hdr.length);
|
||||||
(*fieldp)[hdr.length] = '\0';
|
(*fieldp)[hdr.length] = '\0';
|
||||||
|
if (os_strlen(*fieldp) != hdr.length) {
|
||||||
|
wpa_printf(MSG_INFO, "X509: Reject certificate with "
|
||||||
|
"embedded NUL byte in a string (%s[NUL])",
|
||||||
|
*fieldp);
|
||||||
|
x509_free_name(name);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
@ -834,6 +841,14 @@ static int x509_parse_alt_name_rfc8222(struct x509_name *name,
|
||||||
if (name->alt_email == NULL)
|
if (name->alt_email == NULL)
|
||||||
return -1;
|
return -1;
|
||||||
os_memcpy(name->alt_email, pos, len);
|
os_memcpy(name->alt_email, pos, len);
|
||||||
|
if (os_strlen(name->alt_email) != len) {
|
||||||
|
wpa_printf(MSG_INFO, "X509: Reject certificate with "
|
||||||
|
"embedded NUL byte in rfc822Name (%s[NUL])",
|
||||||
|
name->alt_email);
|
||||||
|
os_free(name->alt_email);
|
||||||
|
name->alt_email = NULL;
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -848,6 +863,14 @@ static int x509_parse_alt_name_dns(struct x509_name *name,
|
||||||
if (name->dns == NULL)
|
if (name->dns == NULL)
|
||||||
return -1;
|
return -1;
|
||||||
os_memcpy(name->dns, pos, len);
|
os_memcpy(name->dns, pos, len);
|
||||||
|
if (os_strlen(name->dns) != len) {
|
||||||
|
wpa_printf(MSG_INFO, "X509: Reject certificate with "
|
||||||
|
"embedded NUL byte in dNSName (%s[NUL])",
|
||||||
|
name->dns);
|
||||||
|
os_free(name->dns);
|
||||||
|
name->dns = NULL;
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -864,6 +887,14 @@ static int x509_parse_alt_name_uri(struct x509_name *name,
|
||||||
if (name->uri == NULL)
|
if (name->uri == NULL)
|
||||||
return -1;
|
return -1;
|
||||||
os_memcpy(name->uri, pos, len);
|
os_memcpy(name->uri, pos, len);
|
||||||
|
if (os_strlen(name->uri) != len) {
|
||||||
|
wpa_printf(MSG_INFO, "X509: Reject certificate with "
|
||||||
|
"embedded NUL byte in uniformResourceIdentifier "
|
||||||
|
"(%s[NUL])", name->uri);
|
||||||
|
os_free(name->uri);
|
||||||
|
name->uri = NULL;
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue