-/* $OpenBSD: x509_constraints.c,v 1.26 2022/03/26 16:34:21 tb Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.27 2022/06/26 11:29:27 beck Exp $ */
/*
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
*
break;
}
}
- if (authority == NULL)
- return 0;
+ if (authority == NULL) {
+ /*
+ * There is no authority, so no host part in this
+ * URI. This might be ok or might not, but it must
+ * fail if we run into a name constraint later, so
+ * we indicate that we have a URI with an empty
+ * host part, and succeed.
+ */
+ *hostpart = strdup("");
+ return 1;
+ }
for (i = authority - uri; i < len; i++) {
if (!isascii(uri[i]))
return 0;
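Review bot: The new `authority == NULL` branch stores the result of `strdup("")` into `*hostpart` and returns 1 without checking it, so an allocation failure is reported as a successful parse with a NULL host part. The branch also writes through `hostpart` unconditionally; if any caller passes `hostpart == NULL` just to validate a URI (not visible in this hunk), that is a NULL dereference reachable from certificate-supplied names. I would guard and check in one step, `if (hostpart != NULL && (*hostpart = strdup("")) == NULL)` followed by `return 0;`, ahead of the `return 1;`. The function starts and ends outside the hunk, so the later path that fills `*hostpart` should be compared for the same handling.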
"",
NULL,
};
+ unsigned char *noauthority[] = {
+ "urn:open62541.server.application",
+ NULL,
+ };
for (i = 0; constraints[i] != NULL; i++) {
char *constraint = constraints[i];
size_t clen = strlen(constraints[i]);
goto done;
}
}
+ for (j = 0; noauthority[j] != NULL; j++) {
+ error = 0;
+ char *hostpart = NULL;
+ if (!x509_constraints_uri_host(noauthority[j],
+ strlen(noauthority[j]), &hostpart)) {
+ FAIL("name '%s' should parse as a URI",
+ noauthority[j]);
+ failure = 1;
+ free(hostpart);
+ goto done;
+ }
+ free(hostpart);
+
+ if (x509_constraints_uri(noauthority[j],
+ strlen(noauthority[j]), constraint, clen, &error)) {
+ FAIL("constraint '%s' should not have matched URI"
+ " '%s' (error %d)\n",
+ constraint, failinguri[j], error);
+ failure = 1;
+ goto done;
+ }
+ }
}
c = ".openbsd.org";
cl = strlen(".openbsd.org");
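Review bot: The second FAIL call in the added loop prints `failinguri[j]`, but the loop iterates over `noauthority`, so a failing case reports the wrong URI and indexes an array whose length is not tied to `j`. The argument line should read `constraint, noauthority[j], error);`. The first FAIL message in the same loop has no trailing `\n` while the second does; unless the FAIL macro adds one (not visible here), they should be made consistent. The enclosing function and the outer `constraints` loop begin outside the hunk.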