authorJouni Malinen <j@w1.fi>2009-08-23 21:00:38 +0300
committerJouni Malinen <j@w1.fi>2009-08-23 21:00:38 +0300
commitad469aecc10ce5868e86e2ce52940a9ce22d695b (patch)
treef176657d51c54bbdb2022c19f652804e58c0a6c4
parent9932c17fc84b820d3b3f07e15000e0fc470894b1 (diff)
Reject X.509 certificate strings with embedded NUL characters
These could, at least in theory, be used to generate unexpected common name or subject alternative name matches should a CA sign strings with NUL (C string termination) in them. For now, just reject the certificate if an embedded NUL is detected. In theory, all the comparison routines could be made to compare these strings as binary blobs (with additional X.509 rules to handle some exceptions) and display NUL characters somehow. Anyway, just rejecting the certificate will get rid of potential problems with the C string getting terminated and it should not really be used in certificates, so this should not break valid use cases.
-rw-r--r--src/tls/x509v3.c31
1 files changed, 31 insertions, 0 deletions
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
index 01bcc00..b3420e3 100644
--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
@@ -440,6 +440,13 @@ static int x509_parse_name(const u8 *buf, size_t len, struct x509_name *name,
}
os_memcpy(*fieldp, hdr.payload, hdr.length);
(*fieldp)[hdr.length] = '\0';
+ if (os_strlen(*fieldp) != hdr.length) {
+ wpa_printf(MSG_INFO, "X509: Reject certificate with "
+ "embedded NUL byte in a string (%s[NUL])",
+ *fieldp);
+ x509_free_name(name);
+ return -1;
+ }
}
return 0;
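Review bot: The rejection message prints `*fieldp` with `%s`, so the certificate-controlled bytes ahead of the first NUL reach the log unescaped at MSG_INFO, and a peer-supplied certificate can carry control characters or line breaks that garble or imitate log lines. Logging the raw field through the escaping dump helper, `wpa_hexdump_ascii(MSG_INFO, "X509: Reject certificate with embedded NUL byte in a string", hdr.payload, hdr.length);`, avoids that and also records the bytes after the NUL, which is what an analyst triaging the rejection needs to see. The same `%s` pattern appears in the rfc822Name, dNSName and uniformResourceIdentifier hunks below. x509_parse_name begins above this hunk, so the origin of the field is inferred from the `os_memcpy` of `hdr.payload`.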
@@ -834,6 +841,14 @@ static int x509_parse_alt_name_rfc8222(struct x509_name *name,
if (name->alt_email == NULL)
return -1;
os_memcpy(name->alt_email, pos, len);
+ if (os_strlen(name->alt_email) != len) {
+ wpa_printf(MSG_INFO, "X509: Reject certificate with "
+ "embedded NUL byte in rfc822Name (%s[NUL])",
+ name->alt_email);
+ os_free(name->alt_email);
+ name->alt_email = NULL;
+ return -1;
+ }
return 0;
}
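Review bot: `os_strlen(name->alt_email)` directly after `os_memcpy(name->alt_email, pos, len)` stays in bounds only if the buffer holds at least `len + 1` bytes and the final byte is already zero; the allocation sits above the hunk, so this cannot be confirmed from the visible lines and nothing in the new code states it. The x509_parse_name hunk writes its terminator explicitly before measuring, while this one relies on the allocator. Assuming the buffer really is `len + 1` zero-filled bytes, record that next to the check with a comment such as `/* buffer is len + 1 zeroed bytes, so os_strlen() cannot run past it */`, so a later change to the allocation does not silently turn the check into an over-read. The dNSName and uniformResourceIdentifier hunks have the same dependency.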
@@ -848,6 +863,14 @@ static int x509_parse_alt_name_dns(struct x509_name *name,
if (name->dns == NULL)
return -1;
os_memcpy(name->dns, pos, len);
+ if (os_strlen(name->dns) != len) {
+ wpa_printf(MSG_INFO, "X509: Reject certificate with "
+ "embedded NUL byte in dNSName (%s[NUL])",
+ name->dns);
+ os_free(name->dns);
+ name->dns = NULL;
+ return -1;
+ }
return 0;
}
@@ -864,6 +887,14 @@ static int x509_parse_alt_name_uri(struct x509_name *name,
if (name->uri == NULL)
return -1;
os_memcpy(name->uri, pos, len);
+ if (os_strlen(name->uri) != len) {
+ wpa_printf(MSG_INFO, "X509: Reject certificate with "
+ "embedded NUL byte in uniformResourceIdentifier "
+ "(%s[NUL])", name->uri);
+ os_free(name->uri);
+ name->uri = NULL;
+ return -1;
+ }
return 0;
}