x509/name_constraints: reject some malformed domain names
authorAlexander Sosedkin <asosedkin@redhat.com>
Mon, 26 Jan 2026 19:14:33 +0000 (20:14 +0100)
committerAlexander Sosedkin <asosedkin@redhat.com>
Mon, 9 Feb 2026 11:59:26 +0000 (12:59 +0100)
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
lib/x509/name_constraints.c

index d07482e3c94d7062ea4cea7abe824c333d46d750..9783d92851d0bd8979c01747c97f723a4644eb42 100644 (file)
@@ -159,6 +159,23 @@ static int validate_name_constraints_node(gnutls_x509_subject_alt_name_t type,
                        return gnutls_assert_val(GNUTLS_E_MALFORMED_CIDR);
        }
 
+       /* Validate DNS names and email addresses for malformed input */
+       if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME) {
+               unsigned int i;
+               if (name->size == 0)
+                       return GNUTLS_E_SUCCESS;
+
+               /* reject names with consecutive dots... */
+               for (i = 0; i + 1 < name->size; i++) {
+                       if (name->data[i] == '.' && name->data[i + 1] == '.')
+                               return gnutls_assert_val(
+                                       GNUTLS_E_ILLEGAL_PARAMETER);
+               }
+               /* ... or names consisting exclusively of dots */
+               if (name->size == 1 && name->data[0] == '.')
+                       return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+       }
+
        return GNUTLS_E_SUCCESS;
 }
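Review bot: The early `if (name->size == 0) return GNUTLS_E_SUCCESS;` in the new block is redundant: with size 0 the loop condition `i + 1 < name->size` is false and the `name->size == 1` test cannot match, so the function reaches the final `return GNUTLS_E_SUCCESS;` anyway; dropping those two lines (and the `unsigned int i;` into the `for` header, since the file is C99-style elsewhere only if it already is) keeps one exit path for the success case and avoids a future check appended after this block being silently skipped for empty names. Separately, the consecutive-dot rejection is applied to the whole RFC822 name, so a constraint naming a mailbox with a quoted local part such as `"a..b"@host` would be rejected; if that form is meant to be unsupported here, a comment saying so, e.g. `/* quoted local parts with ".." are not accepted as constraints */`, would document the choice. The enclosing validate_name_constraints_node() starts before this hunk.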