From: Nikos Mavrogiannopoulos Date: Wed, 1 Jul 2015 09:15:38 +0000 (+0200) Subject: name constraints: simplified gnutls_x509_name_constraints_check_crt() X-Git-Tag: gnutls_3_4_3~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b94e2cdf9eb2a77f6bfbd4129bf5d40944445345;p=thirdparty%2Fgnutls.git name constraints: simplified gnutls_x509_name_constraints_check_crt() --- diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c index 50ff310408..26b3fcf25a 100644 --- a/lib/x509/name_constraints.c +++ b/lib/x509/name_constraints.c @@ -591,6 +591,46 @@ unsigned gnutls_x509_name_constraints_check(gnutls_x509_name_constraints_t nc, return check_unsupported_constraint(nc, type); } +/* This function checks for unsupported constraints, that we also + * know their structure. That is it will fail only if the constraint + * is present in the CA, _and_ the name in the end certificate contains + * the constrained element. */ +static int check_unsupported_constraint2(gnutls_x509_crt_t cert, + gnutls_x509_name_constraints_t nc, + gnutls_x509_subject_alt_name_t type) +{ + unsigned idx, found_one; + char name[MAX_CN]; + size_t name_size; + unsigned san_type; + int ret; + + idx = 0; + found_one = 0; + + do { + name_size = sizeof(name); + ret = gnutls_x509_crt_get_subject_alt_name2(cert, + idx++, name, &name_size, &san_type, NULL); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + else if (ret < 0) + return gnutls_assert_val(0); + + if (san_type != GNUTLS_SAN_URI) + continue; + + found_one = 1; + break; + } while(ret >= 0); + + if (found_one != 0) + return check_unsupported_constraint(nc, type); + + /* no name was found in the certificate, so accept */ + return 1; +} + /** * gnutls_x509_name_constraints_check_crt: * @nc: the extracted name constraints @@ -749,54 +789,8 @@ unsigned found_one; */ return gnutls_assert_val(1); } - } else if (type == GNUTLS_SAN_IPADDRESS) { - /* Only check whether the IPAddress is present */ - idx = found_one = 0; - do { - name_size = sizeof(name); - ret = gnutls_x509_crt_get_subject_alt_name2(cert, - idx++, name, &name_size, &san_type, NULL); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - else if (ret < 0) - return gnutls_assert_val(0); - - if (san_type != GNUTLS_SAN_IPADDRESS) - continue; - - found_one = 1; - break; - } while(ret >= 0); - - if (found_one != 0) - return check_unsupported_constraint(nc, type); - - /* no IPaddress was found in the certificate, so accept */ - return 1; - } else if (type == GNUTLS_SAN_URI) { - /* Only check whether the URI is present */ - idx = found_one = 0; - do { - name_size = sizeof(name); - ret = gnutls_x509_crt_get_subject_alt_name2(cert, - idx++, name, &name_size, &san_type, NULL); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - else if (ret < 0) - return gnutls_assert_val(0); - - if (san_type != GNUTLS_SAN_URI) - continue; - - found_one = 1; - break; - } while(ret >= 0); - - if (found_one != 0) - return check_unsupported_constraint(nc, type); - - /* no IPaddress was found in the certificate, so accept */ - return 1; + } else if (type == GNUTLS_SAN_IPADDRESS || type == GNUTLS_SAN_URI) { + return check_unsupported_constraint2(cert, nc, type); } else return check_unsupported_constraint(nc, type); }