From: Steffan Karger Date: Mon, 19 Jun 2017 09:28:37 +0000 (+0200) Subject: mbedtls: require C-string compatible types for --x509-username-field X-Git-Tag: v2.4.3~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=20f1a472031f0e8ad207ed96acc46ddf51616b5e;p=thirdparty%2Fopenvpn.git mbedtls: require C-string compatible types for --x509-username-field In the --x509-username-field extension, we handle the subject string as if it is a C string. Make this assumption explicit and reject incompatible ASN.1 string types. Signed-off-by: Steffan Karger Acked-by: Gert Doering Message-Id: <1497864520-12219-3-git-send-email-steffan.karger@fox-it.com> URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-3-git-send-email-steffan.karger@fox-it.com Signed-off-by: Gert Doering (cherry picked from commit 0007b2dbd12a83be3e4aeabc20550a5e16faf214) --- diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index d3b36dcb1..838c21766 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -267,6 +267,14 @@ asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct gc_arena *gc) size_t i; char *val; + if (!(orig->tag == MBEDTLS_ASN1_UTF8_STRING + || orig->tag == MBEDTLS_ASN1_PRINTABLE_STRING + || orig->tag == MBEDTLS_ASN1_IA5_STRING)) + { + /* Only support C-string compatible types */ + return string_alloc("ERROR: unsupported ASN.1 string type", gc); + } + for (i = 0; i < orig->len; ++i) { if (orig->p[i] == '\0')
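Review bot: The new tag check in asn1_buf_to_c_string() reports the rejection in-band, as an ordinary string: `return string_alloc("ERROR: unsupported ASN.1 string type", gc);` hands the caller a valid C string that it cannot tell apart from a real field value. If the caller goes on to use the result as the username, a certificate carrying an unsupported string type is processed under that literal text instead of being refused. Consider a distinguishable failure value (for example NULL) that the caller must test and treat as a verification error, and log the offending `orig->tag` at the point of rejection so the event shows up when troubleshooting failed logins. The function's header comment should also list the three accepted tags (UTF8String, PrintableString, IA5String), so that the contract is documented where the next reader will look.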