From: beck <beck@openbsd.org>
Date: Sun, 26 Jun 2022 11:29:27 +0000 (+0000)
Subject: Fix URI name constraints, allow for URI's with no host part.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=8e3291af1e0f6fd63cae7c1511b0d04f99b74692;p=openbsd

Fix URI name constraints, allow for URI's with no host part.

Such uri's must be parsed and allowed, but then should
fail if a name constraint is present.

Adds regress testing for this same case.

fixes https://github.com/libressl-portable/openbsd/issues/131

ok tb@
---

diff --git a/lib/libcrypto/x509/x509_constraints.c b/lib/libcrypto/x509/x509_constraints.c
index 533bbbf4cad..c68f282a050 100644
--- a/lib/libcrypto/x509/x509_constraints.c
+++ b/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.26 2022/03/26 16:34:21 tb Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.27 2022/06/26 11:29:27 beck Exp $ */
 /*
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
  *
@@ -489,8 +489,17 @@ x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostpart)
 			break;
 		}
 	}
-	if (authority == NULL)
-		return 0;
+	if (authority == NULL) {
+		/*
+		 * There is no authority, so no host part in this
+		 * URI. This might be ok or might not, but it must
+		 * fail if we run into a name constraint later, so
+		 * we indicate that we have a URI with an empty
+		 * host part, and succeed.
+		 */
+		*hostpart = strdup("");
+		return 1;
+	}
 	for (i = authority - uri; i < len; i++) {
 		if (!isascii(uri[i]))
 			return 0;
diff --git a/regress/lib/libcrypto/x509/constraints.c b/regress/lib/libcrypto/x509/constraints.c
index b552f30989a..d4867a362cf 100644
--- a/regress/lib/libcrypto/x509/constraints.c
+++ b/regress/lib/libcrypto/x509/constraints.c
@@ -397,6 +397,10 @@ test_constraints1(void)
 		"",
 		NULL,
 	};
+	unsigned char *noauthority[] = {
+		"urn:open62541.server.application",
+		NULL,
+	};
 	for (i = 0; constraints[i] != NULL; i++) {
 		char *constraint = constraints[i];
 		size_t clen = strlen(constraints[i]);
@@ -442,6 +446,28 @@ test_constraints1(void)
 				goto done;
 			}
 		}
+		for (j = 0; noauthority[j] != NULL; j++) {
+			error = 0;
+			char *hostpart = NULL;
+			if (!x509_constraints_uri_host(noauthority[j],
+				strlen(noauthority[j]), &hostpart)) {
+				FAIL("name '%s' should parse as a URI",
+				    noauthority[j]);
+				failure = 1;
+				free(hostpart);
+				goto done;
+			}
+			free(hostpart);
+
+			if (x509_constraints_uri(noauthority[j],
+			    strlen(noauthority[j]), constraint, clen, &error)) {
+				FAIL("constraint '%s' should not have matched URI"
+				    " '%s' (error %d)\n",
+				    constraint, failinguri[j], error);
+				failure = 1;
+				goto done;
+			}
+		}
 	}
 	c = ".openbsd.org";
 	cl = strlen(".openbsd.org");