diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-04-05 11:54:50 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-04-05 13:44:24 +0200 |
commit | ee6deb907a3d7f38401dbb335d2e97d51d07c280 (patch) | |
tree | 0e31ce9cb87c5beb82d8b1b19bb2ee8d5347d907 | |
parent | 4423c5f0afe492e2051f9d4779793c8498dbfda1 (diff) | |
download | gnutls-ee6deb907a3d7f38401dbb335d2e97d51d07c280.tar.gz |
name constraints: enforce the rules for IP constraints when adding
This will prevent gnutls from generating badly formed certificates.
-rw-r--r-- | lib/x509/name_constraints.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c index 5ba9336f5d..e188a593c6 100644 --- a/lib/x509/name_constraints.c +++ b/lib/x509/name_constraints.c @@ -254,6 +254,10 @@ int name_constraints_add(gnutls_x509_name_constraints_t nc, type != GNUTLS_SAN_DN && type != GNUTLS_SAN_URI && type != GNUTLS_SAN_IPADDRESS) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + if (type == GNUTLS_SAN_IPADDRESS && (name->size != 8 && name->size != 32)) { + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + } + if (permitted != 0) prev = tmp = nc->permitted; else @@ -296,7 +300,10 @@ int name_constraints_add(gnutls_x509_name_constraints_t nc, * @name: The data of the constraints * * This function will add a name constraint to the list of permitted - * constraints. + * constraints. The constraints @type can be any of the following types: + * %GNUTLS_SAN_DNSNAME, %GNUTLS_SAN_RFC822NAME, %GNUTLS_SAN_DN, + * %GNUTLS_SAN_URI, %GNUTLS_SAN_IPADDRESS. For the latter, an IP address + * in network byte order is expected, followed by its network mask. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. * @@ -316,7 +323,11 @@ int gnutls_x509_name_constraints_add_permitted(gnutls_x509_name_constraints_t nc * @name: The data of the constraints * * This function will add a name constraint to the list of excluded - * constraints. + * constraints. The constraints @type can be any of the following types: + * %GNUTLS_SAN_DNSNAME, %GNUTLS_SAN_RFC822NAME, %GNUTLS_SAN_DN, + * %GNUTLS_SAN_URI, %GNUTLS_SAN_IPADDRESS. For the latter, an IP address + * in network byte order is expected, followed by its network mask (which is + * 4 bytes in IPv4 or 16-bytes in IPv6). * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. * |