diff options
author | Jouni Malinen <j@w1.fi> | 2009-08-23 21:00:38 +0300 |
---|---|---|
committer | Jouni Malinen <j@w1.fi> | 2009-08-23 21:00:38 +0300 |
commit | ad469aecc10ce5868e86e2ce52940a9ce22d695b (patch) | |
tree | f176657d51c54bbdb2022c19f652804e58c0a6c4 | |
parent | 9932c17fc84b820d3b3f07e15000e0fc470894b1 (diff) | |
download | external_wpa_supplicant_8_ti-ad469aecc10ce5868e86e2ce52940a9ce22d695b.zip external_wpa_supplicant_8_ti-ad469aecc10ce5868e86e2ce52940a9ce22d695b.tar.gz external_wpa_supplicant_8_ti-ad469aecc10ce5868e86e2ce52940a9ce22d695b.tar.bz2 |
Reject X.509 certificate strings with embedded NUL characters
These could, at least in theory, be used to generate unexpected common
name or subject alternative name matches should a CA sign strings with
NUL (C string termination) in them. For now, just reject the certificate
if an embedded NUL is detected. In theory, all the comparison routines
could be made to compare these strings as binary blobs (with additional
X.509 rules to handle some exceptions) and display NUL characters
somehow. Anyway, just rejecting the certificate will get rid of
potential problems with the C string getting terminated and it should
not really be used in certificates, so this should not break valid use
cases.
-rw-r--r-- | src/tls/x509v3.c | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c index 01bcc00..b3420e3 100644 --- a/src/tls/x509v3.c +++ b/src/tls/x509v3.c @@ -440,6 +440,13 @@ static int x509_parse_name(const u8 *buf, size_t len, struct x509_name *name, } os_memcpy(*fieldp, hdr.payload, hdr.length); (*fieldp)[hdr.length] = '\0'; + if (os_strlen(*fieldp) != hdr.length) { + wpa_printf(MSG_INFO, "X509: Reject certificate with " + "embedded NUL byte in a string (%s[NUL])", + *fieldp); + x509_free_name(name); + return -1; + } } return 0; @@ -834,6 +841,14 @@ static int x509_parse_alt_name_rfc8222(struct x509_name *name, if (name->alt_email == NULL) return -1; os_memcpy(name->alt_email, pos, len); + if (os_strlen(name->alt_email) != len) { + wpa_printf(MSG_INFO, "X509: Reject certificate with " + "embedded NUL byte in rfc822Name (%s[NUL])", + name->alt_email); + os_free(name->alt_email); + name->alt_email = NULL; + return -1; + } return 0; } @@ -848,6 +863,14 @@ static int x509_parse_alt_name_dns(struct x509_name *name, if (name->dns == NULL) return -1; os_memcpy(name->dns, pos, len); + if (os_strlen(name->dns) != len) { + wpa_printf(MSG_INFO, "X509: Reject certificate with " + "embedded NUL byte in dNSName (%s[NUL])", + name->dns); + os_free(name->dns); + name->dns = NULL; + return -1; + } return 0; } @@ -864,6 +887,14 @@ static int x509_parse_alt_name_uri(struct x509_name *name, if (name->uri == NULL) return -1; os_memcpy(name->uri, pos, len); + if (os_strlen(name->uri) != len) { + wpa_printf(MSG_INFO, "X509: Reject certificate with " + "embedded NUL byte in uniformResourceIdentifier " + "(%s[NUL])", name->uri); + os_free(name->uri); + name->uri = NULL; + return -1; + } return 0; } |