authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-12-08 13:20:05 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-12-08 14:56:51 +0100
commit1e82546e9a4a005dde3e3d0e61feada7c069898f (patch)
treebdaf64c4eef6ebf85bdf5046f146cce5d66564ca /lib/x509/hostname-verify.c
parent8bfacc54e37b019ddd077f1f819b1bc8a51e59ad (diff)
downloadgnutls-1e82546e9a4a005dde3e3d0e61feada7c069898f.tar.gz
x509: do not attempt to ACE encode values stored in certificates
The email and hostname values are required to be in ASCII form by PKIX. We instead ignore these names if their values are outside the ASCII printable character set.
Diffstat (limited to 'lib/x509/hostname-verify.c')
-rw-r--r--lib/x509/hostname-verify.c24
1 files changed, 6 insertions, 18 deletions
diff --git a/lib/x509/hostname-verify.c b/lib/x509/hostname-verify.c
index 1491b0ac52..c3d74f8567 100644
--- a/lib/x509/hostname-verify.c
+++ b/lib/x509/hostname-verify.c
@@ -128,7 +128,6 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
struct in_addr ipv4;
char *p = NULL;
char *a_hostname;
- char *a_dnsname;
gnutls_datum_t out;
/* check whether @hostname is an ip address */
@@ -195,17 +194,12 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
continue;
}
- ret = gnutls_idna_map (dnsname, dnsnamesize, &out, 0);
- if (ret < 0) {
- _gnutls_debug_log("unable to convert dnsname %s to IDNA format\n", dnsname);
+ if (!_gnutls_str_is_print(dnsname, dnsnamesize)) {
+ _gnutls_debug_log("invalid (non-ASCII) name in certificate %.*s", (int)dnsnamesize, dnsname);
continue;
}
- a_dnsname = (char*)out.data;
-
- ret = _gnutls_hostname_compare(a_dnsname, strlen(a_dnsname), a_hostname, flags);
- gnutls_free(a_dnsname);
-
+ ret = _gnutls_hostname_compare(dnsname, dnsnamesize, a_hostname, flags);
if (ret != 0) {
ret = 1;
goto cleanup;
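Review bot: The debug message added on the `_gnutls_str_is_print` failure path prints the rejected name with `%.*s` right after the check has established that it contains non-printable bytes, so those raw bytes go into the log unescaped, and the message also drops the trailing `\n` that the replaced "unable to convert" message carried; the CN hunk below has the same two issues. A log consumer that renders to a terminal or a line-oriented collector is better served by the length than by the bytes themselves, e.g. `_gnutls_debug_log("invalid (non-ASCII) name in certificate (%d bytes)\n", (int)dnsnamesize);`. If the exact bytes are wanted for diagnosis, a hex dump helper would be the safer form; I cannot see from the hunk whether one is available in this file. gnutls_x509_crt_check_hostname2 starts and ends outside this hunk.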
@@ -246,19 +240,13 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
goto cleanup;
}
- ret = gnutls_idna_map (dnsname, dnsnamesize, &out, 0);
- if (ret < 0) {
- _gnutls_debug_log("unable to convert CN %s to IDNA format\n", dnsname);
+ if (!_gnutls_str_is_print(dnsname, dnsnamesize)) {
+ _gnutls_debug_log("invalid (non-ASCII) name in certificate CN %.*s", (int)dnsnamesize, dnsname);
ret = 0;
goto cleanup;
}
- a_dnsname = (char*)out.data;
-
- ret = _gnutls_hostname_compare(a_dnsname, strlen(a_dnsname), a_hostname, flags);
-
- gnutls_free(a_dnsname);
-
+ ret = _gnutls_hostname_compare(dnsname, dnsnamesize, a_hostname, flags);
if (ret != 0) {
ret = 1;
goto cleanup;
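Review bot: The length passed to `_gnutls_hostname_compare` changes from `strlen(a_dnsname)` to `dnsnamesize` here and in the SAN hunk above, and the hunk does not show whether `dnsnamesize` counts a terminating NUL or only the name bytes; if it includes the terminator the comparison now sees one extra byte, so this is worth confirming against the getter that fills it. Assuming it is the bare length, the change is a net improvement: an embedded NUL inside the name would presumably fail `_gnutls_str_is_print` and be rejected, whereas the old `strlen` path silently truncated the name at that byte. A one-line comment at the compare call would make that reliance explicit: `/* dnsnamesize is the raw name length; non-printable bytes (incl. NUL) were rejected above -- confirm getter semantics */`. gnutls_x509_crt_check_hostname2 starts and ends outside this hunk.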