From: Andreas Steffen Date: Fri, 5 May 2017 09:21:12 +0000 (+0200) Subject: x509: nameConstraints sequence does not require a loop X-Git-Tag: 5.5.3~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=38a8ecadb7d9e183d1c869ad0b8f60a12f9d34d4;p=thirdparty%2Fstrongswan.git x509: nameConstraints sequence does not require a loop Fixes: CVE-2017-9023
---
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 8f1901da81..974e687f9f 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -933,14 +933,13 @@ end:
 * ASN.1 definition of nameConstraints
 */
 static const asn1Object_t nameConstraintsObjects[] = {
- { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
 { 1, "permittedSubtrees", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 1 */
 { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 2 */
 { 1, "end loop", ASN1_EOC, ASN1_END }, /* 3 */
 { 1, "excludedSubtrees", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_LOOP }, /* 4 */
 { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */
 { 1, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 7 */
 { 0, "exit", ASN1_EOC, ASN1_EXIT }
 };
 #define NAME_CONSTRAINT_PERMITTED 2
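Review bot: The comment above `nameConstraintsObjects` still reads only "ASN.1 definition of nameConstraints", so nothing in the table records why row 0 is now `ASN1_NONE`, although this is the line the commit message ties to CVE-2017-9023. I would extend that comment with `* NameConstraints is one SEQUENCE holding two optional subtree lists (RFC 5280, 4.2.1.10); the outer object must not carry ASN1_LOOP`, so a later edit does not restore the flag together with a level-0 "end loop" row. Rows 2 and 5 keep their positions, so `NAME_CONSTRAINT_PERMITTED 2` still points at the first generalSubtree row. The function that walks this table lies outside the hunk and the patch as shown adds no test; a regression case that parses a certificate with a malformed nameConstraints extension and expects a clean rejection would pin the fix.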