[openssl] master update
Matt Caswell
matt at openssl.org
Fri Jun 4 16:31:36 UTC 2021
The branch master has been updated
via f43f9d6313e31e90bb33a7f6f2fc0c657ef8495a (commit)
via 39145c4111aaa358f521212f5e4c741f265b012a (commit)
from 0e0a47377f98ac45648d2a46e0f2dfd799b07ec6 (commit)
- Log -----------------------------------------------------------------
commit f43f9d6313e31e90bb33a7f6f2fc0c657ef8495a
Author: Matt Caswell <matt at openssl.org>
Date: Thu Jun 3 11:50:48 2021 +0100
Test a bad SmtpUTF8Mailbox name constraint
We add a verify test with a cert with a SAN and a bad SmtpUTF8Mailbox
entry, with an intermediate certificate with email name constraints.
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15611)
commit 39145c4111aaa358f521212f5e4c741f265b012a
Author: Matt Caswell <matt at openssl.org>
Date: Thu Jun 3 11:08:25 2021 +0100
Check that we got the expected name type when verifying name constraints
If a SAN field contains an SmtpUTF8Mailbox name then it is expected to
have a UTF8String type. We should verify that it really does before we
attempt to use the value in it.
Reported by Corey Bonnell
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15611)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/v3_ncons.c | 25 ++++++++++++++++---------
test/certs/bad-othername-namec-inter.pem | 17 +++++++++++++++++
test/certs/bad-othername-namec-key.pem | 27 +++++++++++++++++++++++++++
test/certs/bad-othername-namec.pem | 18 ++++++++++++++++++
test/recipes/25-test_verify.t | 11 +++++++++--
5 files changed, 87 insertions(+), 11 deletions(-)
create mode 100644 test/certs/bad-othername-namec-inter.pem
create mode 100644 test/certs/bad-othername-namec-key.pem
create mode 100644 test/certs/bad-othername-namec.pem
diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c
index 4917884fd9..d3b9e8c6f1 100644
--- a/crypto/x509/v3_ncons.c
+++ b/crypto/x509/v3_ncons.c
@@ -35,7 +35,7 @@ static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
static int nc_dn(const X509_NAME *sub, const X509_NAME *nm);
static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
-static int nc_email_eai(ASN1_UTF8STRING *sub, ASN1_IA5STRING *eml);
+static int nc_email_eai(ASN1_TYPE *emltype, ASN1_IA5STRING *base);
static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
static int nc_ip(ASN1_OCTET_STRING *ip, ASN1_OCTET_STRING *base);
@@ -521,8 +521,8 @@ static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
* We are here only when we have SmtpUTF8 name,
* so we match the value of othername with base->d.rfc822Name
*/
- return nc_email_eai(gen->d.otherName->value->value.utf8string,
- base->d.rfc822Name);
+ return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name);
+
case GEN_DIRNAME:
return nc_dn(gen->d.directoryName, base->d.directoryName);
@@ -591,21 +591,28 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
}
/*
- * This function implements comparison between ASCII/U-label in eml
+ * This function implements comparison between ASCII/U-label in emltype
* and A-label in base according to RFC 8398, section 6.
* Convert base to U-label and ASCII-parts of domain names, for base
- * Octet-to-octet comparison of `eml` and `base` hostname parts
+ * Octet-to-octet comparison of `emltype` and `base` hostname parts
* (ASCII-parts should be compared in case-insensitive manner)
*/
-static int nc_email_eai(ASN1_UTF8STRING *eml, ASN1_IA5STRING *base)
+static int nc_email_eai(ASN1_TYPE *emltype, ASN1_IA5STRING *base)
{
+ ASN1_UTF8STRING *eml;
const char *baseptr = (char *)base->data;
- const char *emlptr = (char *)eml->data;
- const char *emlat = strrchr(emlptr, '@');
-
+ const char *emlptr;
+ const char *emlat;
char ulabel[256];
size_t size = sizeof(ulabel) - 1;
+ if (emltype->type != V_ASN1_UTF8STRING)
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+
+ eml = emltype->value.utf8string;
+ emlptr = (char *)eml->data;
+ emlat = strrchr(emlptr, '@');
+
if (emlat == NULL)
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
diff --git a/test/certs/bad-othername-namec-inter.pem b/test/certs/bad-othername-namec-inter.pem
new file mode 100644
index 0000000000..2480c8ccb7
--- /dev/null
+++ b/test/certs/bad-othername-namec-inter.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZSb290
+IDIwHhcNMjEwNjAyMTMwMzExWhcNMjEwNzAyMTMwMzExWjAPMQ0wCwYDVQQDDARS
+b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvfhnjWl5hnF1ecJv
+kq21AWOfHhPsQT/5juFA/v/goAFatKr40+k7Jy3qQ79FRLBf2l4yMun8K7ZPMFfV
+q7q3SliOmLqRq0Uf1Eyh8KdQTWc5QIhNttlDaP8EMDuoTJK2NIUTenV/y5errWNJ
+l1a8l+kbI6PuKTyziAi524Hja7BH4nQ5rk2vb3nc4vlRAYZtke2MMeHSxZhvkZj/
+UtAfAu2Ql9auc6sfViGuaBc4sShS2F7rmQnJmmf0+qW6y9VoYV68HC7EsO22UDXd
+aYhY2To9al04rdL0rDDw018Z8VbcW6lwPOkgfbpQDl9fvuFFfxb/2t7soRsAcuKr
++gbWmQIDAQABoy4wLDAPBgNVHRMBAf8EBTADAQH/MBkGA1UdHgQSMBCgDDAKgQgu
+Zm9vLmNvbaEAMA0GCSqGSIb3DQEBCwUAA4IBAQCA9aWhpHdUM/9yx0HRgkW5M8IS
+zc83Fzbhv3/32s8H2gplxq+XqfIIdoOosgnaEi01ynPncG6IWqj4hfOuoyoorZA3
+cmubAjkHrTu8VaMgZL43SwvyWda7atpCOo7rGdz+LL9hH/jcwhLtEqoB+Tdj6wOp
+1O14ndCLi0XXoBezsCpmGtjF7aIunsu6yxJN7b/nTcKh/XSAxjpsa6GlNXTbfJyL
+BAUiksQ1KTiW8LyF9IRjckpkf1RH9pqBD8vVeunEpXOUPGOfseL5AAXbvYI6iN70
+aCxKkiRwqX7ZK0lL9Oh+hhaVqqdPnGxb+O3ZX/88FvKvWiicnftMx56lzv4H
+-----END CERTIFICATE-----
diff --git a/test/certs/bad-othername-namec-key.pem b/test/certs/bad-othername-namec-key.pem
new file mode 100644
index 0000000000..88f9d967a8
--- /dev/null
+++ b/test/certs/bad-othername-namec-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEArQTbBNa+PaMZw/guenN8vEa/Q8dhG0jnwSt78qkaXt1a/CKp
+M/NWG1FL9TnOa0j3mjrZJ9/ePzd8TfJw8arpNToFL9rZ6eqs3QB45OIf0gAIvkN4
+NNre7UInM9CpdiMdNf/jldJWi8yPIyogDOrhB5mtAVJfCsd9cn4JmMncqQcZ0Mto
+Jjm10y+Nn6Li1efV9zQ974M8KY14vhPyxGklqiRWM/+M3UzhhklCdxyYLGpp9tou
+KjwaO3nnGQ1lqgbJIfs0ciRHdcrh/CkK5zSySpCeep1NumjwzmN7s+jPtjoBmbWW
+jc3KFnEfTBet3FgXXath2fpxKYZSHD044/63kQIDAQABAoIBACx6oxOLYTzXQThw
+BQLVzatZRLJX/07UXz/5vdOURYM9xLYs8vK4C9rZ+3z/b2GFUKIFnu3xT2FRElO3
+j/GQzoMwd0TmLj9EZUwrYuj0eNmzyIuhLLXpzoWQDCP18Jq+TDQlpIxPlpA59lJD
+8hlgCJm7mA5O7sAGqOlWHYF545BQJq/wNcsgKjLZ4y5Ef8SRT9v/JZOVhCMTX4pV
+kn67XTQ9qNH51E963QCMOxa4DSHeduZWLpEwBbpJpXvVLKuUmb8JYWfgjdAjtm3W
+qyQzjeGnjX1ZNkvBIBmfYYZ99pNtoy/tdbb0G87GYNf/WHFUtckU1/IqPeMuG5Q1
+8m8SGwECgYEA3FwGueYji4IFL9lyIgccnzssQ2lQ4Xh75R1JMKvi3usFFPby38EY
+z8Fpyqa/vLQtg+6ne5L1Qxl2U4Vqyzw3RKNOONkCd0qCIG7/NDRoxUmE+6ojHrbi
+4F5sTPZDmGrwGdVKUjeVK/nKIHTDyZjuJl9Mb6BG0xZj6waFnQxGoT0CgYEAyQCy
+mmLC8GjtvTHGDjlDAI+OZbJGal0UdE0VMxQuVJwxDAB5QMhXX+DvF/tYqnPtwMMy
+n4QXkiy4dRqlJfcmtwHpBoTsfApwxSyw38WJR9mUCVWaOC06CEBSquIe0WhmAZMO
+je79veqJlZjYI7S/px7Jaje5NVTWFVztPHciLOUCgYBpNIJ9lJOZ0myZiK5F8rFG
+kGC0mn5j9zrnixDbbOT22qvlc3VHQJCQ992DRBM8i6VDXNiXVfVEoM5uV79B4rDc
+Uz9QQsM7otX3mCa9jNwMfOpBoNv9mQE+b7YzFEv3Y+7X1o4SLLlKcop+7mBfSmVA
+6rS6goHt272+grGd5jN+XQKBgBIsCvmkNiWQBvZU2qgMiz8wu1n8XRteoOvG0ETW
+7T1fBZwlKtEti6CycEtFwQVgB72mqBv90De57U9BAm9FQe3HsW6Sc+Le+sUIvlDs
+xfWF+TlC0PeFNzrpvc+PM+QQwTAhQG6ajbwuyROKRvgrbixIv0LoGMl2iwhRZ21R
+A/j1AoGBAJqUpT30dWSSDnUMir0TNnD//01+0R2eu8EPQu9h443KuKP9nf4GCJ9s
+qP3MKE0iKmsQ6ybPkCDc+mbViFqY5LQOssffHCMwWjv4vVnJt6N5SqNT5T2+Ctxy
+ZVwsbqSjxBsew6jBA8aDpI2igcBaZhBl8+ZmQph+723N3iBk1FXl
+-----END RSA PRIVATE KEY-----
diff --git a/test/certs/bad-othername-namec.pem b/test/certs/bad-othername-namec.pem
new file mode 100644
index 0000000000..ffaba405cf
--- /dev/null
+++ b/test/certs/bad-othername-namec.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzTCCAbWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
+MB4XDTIxMDYwMjEzNDIzNVoXDTIxMDcwMjEzNDIzNVowDTELMAkGA1UEAwwCRUUw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtBNsE1r49oxnD+C56c3y8
+Rr9Dx2EbSOfBK3vyqRpe3Vr8Iqkz81YbUUv1Oc5rSPeaOtkn394/N3xN8nDxquk1
+OgUv2tnp6qzdAHjk4h/SAAi+Q3g02t7tQicz0Kl2Ix01/+OV0laLzI8jKiAM6uEH
+ma0BUl8Kx31yfgmYydypBxnQy2gmObXTL42fouLV59X3ND3vgzwpjXi+E/LEaSWq
+JFYz/4zdTOGGSUJ3HJgsamn22i4qPBo7eecZDWWqBskh+zRyJEd1yuH8KQrnNLJK
+kJ56nU26aPDOY3uz6M+2OgGZtZaNzcoWcR9MF63cWBddq2HZ+nEphlIcPTjj/reR
+AgMBAAGjNjA0MAwGA1UdEwEB/wQCMAAwJAYDVR0RBB0wG6AOBggrBgEFBQcICaAC
+BQCCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAa12YtetxpZT+llksQiec
+acdRVyWupsENMHeE+hHcDwc09M3c6JvjF0YB03cVBSRRra8MCV4pNNK1fGSfKb0Q
+0ZE06bM6v+rjJW/CdUeb7yoq1Vk60ppevbDsf+EmSq76kGJoocYh88qLpL7QVINQ
+G0fcuMfBs2oTonJbIGcXWSrj5yIaZMRrARlp97ynR6phArufKblBYk1NQIJZUO+V
+IItENBfAPe4QZMnvjFO+hqmLzvVAz0480iNMa1++RmO66TxYi7b+nKGIUtonTGpt
+HspWZDtnB+y+qd6WbH1Yev5BoZLxdQAm4CFIESB4DrDBBV3QZPlVF0ZrLWFqMpBr
+Uw==
+-----END CERTIFICATE-----
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index b1f4fd6827..3ed408b795 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -11,7 +11,7 @@ use strict;
use warnings;
use File::Spec::Functions qw/canonpath/;
-use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips/;
+use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips with/;
use OpenSSL::Test::Utils;
setup("test_verify");
@@ -28,7 +28,7 @@ sub verify {
run(app([@args]));
}
-plan tests => 155;
+plan tests => 156;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -369,6 +369,13 @@ ok(!verify("badalt9-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
"Name constraints nested DNS name excluded");
+#Check that we get the expected failure return code
+with({ exit_checker => sub { return shift == 2; } },
+ sub {
+ ok(verify("bad-othername-namec", "", ["bad-othername-namec-inter"], [], "-partial_chain"),
+ "Name constraints bad othername name constraint");
+ });
+
ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
"Accept PSS signature using SHA1 at auth level 0");
More information about the openssl-commits
mailing list