author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-04-05 11:54:50 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-04-05 13:44:01 +0200 |
commit | 04663c178fac57edb712c7e83f386c492d0b5cbb (patch) | |
tree | 3f7fdd980a664601e40ae961b35b2c646add33f0 | |
parent | 2e497d1c3798644b33df9f8ed4c6174428db97d9 (diff) | |
download | gnutls-04663c178fac57edb712c7e83f386c492d0b5cbb.tar.gz |
name constraints: enforce the rules for IP constraints when adding
This will prevent gnutls from generating badly formed certificates.
-rw-r--r-- | lib/x509/name_constraints.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
index 26b3fcf25a..d0c1a5ef94 100644
--- a/lib/x509/name_constraints.c
+++ b/lib/x509/name_constraints.c
@@ -254,6 +254,10 @@ int name_constraints_add(gnutls_x509_name_constraints_t nc,
 type != GNUTLS_SAN_DN && type != GNUTLS_SAN_URI && type != GNUTLS_SAN_IPADDRESS)
 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
+ if (type == GNUTLS_SAN_IPADDRESS && (name->size != 8 && name->size != 32)) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+
 if (permitted != 0)
 prev = tmp = nc->permitted;
 else
@@ -296,7 +300,10 @@ int name_constraints_add(gnutls_x509_name_constraints_t nc,
 * @name: The data of the constraints
 *
 * This function will add a name constraint to the list of permitted
- * constraints.
+ * constraints. The constraints @type can be any of the following types:
+ * %GNUTLS_SAN_DNSNAME, %GNUTLS_SAN_RFC822NAME, %GNUTLS_SAN_DN,
+ * %GNUTLS_SAN_URI, %GNUTLS_SAN_IPADDRESS. For the latter, an IP address
+ * in network byte order is expected, followed by its network mask.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
 *
@@ -316,7 +323,11 @@ int gnutls_x509_name_constraints_add_permitted(gnutls_x509_name_constraints_t nc
 * @name: The data of the constraints
 *
 * This function will add a name constraint to the list of excluded
- * constraints.
+ * constraints. The constraints @type can be any of the following types:
+ * %GNUTLS_SAN_DNSNAME, %GNUTLS_SAN_RFC822NAME, %GNUTLS_SAN_DN,
+ * %GNUTLS_SAN_URI, %GNUTLS_SAN_IPADDRESS. For the latter, an IP address
+ * in network byte order is expected, followed by its network mask (which is
+ * 4 bytes in IPv4 or 16-bytes in IPv6).
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
 * |
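Review bot: The new `name->size != 8 && name->size != 32` check only constrains the total length, so the mask half of the datum can still hold any byte pattern; a non-contiguous mask (constructed example: 255.0.255.0) is accepted although RFC 5280 §4.2.1.10 requires the mask to be a run of one bits followed by zero bits, so the commit's stated aim of not generating badly formed certificates is only partly met unless the mask is validated elsewhere, which this hunk does not show. name_constraints_add continues outside the hunk, so I cannot tell whether a later check exists. A small static helper over the second half of `name->data`, called from the existing condition, would close the gap; the braced two-line body could also drop its braces to match the brace-less `return gnutls_assert_val(...)` two lines above it.
```c
/* RFC 5280 4.2.1.10: a mask must be one bits followed only by zero bits */
static int ip_mask_is_contiguous(const uint8_t *mask, unsigned len)
{
	unsigned i, bit, seen_zero = 0;

	for (i = 0; i < len; i++) {
		for (bit = 0; bit < 8; bit++) {
			unsigned one = (mask[i] >> (7 - bit)) & 1;
			if (one && seen_zero)
				return 0;
			if (!one)
				seen_zero = 1;
		}
	}
	return 1;
}

/* … unchanged: type whitelist and its return on invalid type … */
	if (type == GNUTLS_SAN_IPADDRESS) {
		if ((name->size != 8 && name->size != 32) ||
		    !ip_mask_is_contiguous(name->data + name->size / 2, name->size / 2))
			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
	}
```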
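Review bot: The paragraph added to the gnutls_x509_name_constraints_add_permitted comment stops at `followed by its network mask.` while the parallel paragraph added to the excluded variant in the following hunk also states the mask length; the two public docstrings describe the same @name layout and should say the same thing, so append ` (which is 4 bytes in IPv4 or 16 bytes in IPv6)` here as well. In the excluded variant, `16-bytes` should read `16 bytes` to match `4 bytes` in the same sentence. Without the length, a reader of the permitted docs alone cannot tell what total size the new check at the top of name_constraints_add expects.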