x509: do not attempt to ACE encode values stored in certificates

The email and hostname values are required to be in ASCII form by PKIX.
We instead ignore these names, if their values are outside the ASCII
printable character set.

2 files changed, 12 insertions, 36 deletions

diff --git a/lib/x509/email-verify.c b/lib/x509/email-verify.c
index d0c5bad762..974badb877 100644
--- a/lib/x509/email-verify.c
+++ b/lib/x509/email-verify.c
@@ -54,7 +54,6 @@ gnutls_x509_crt_check_email(gnutls_x509_crt_t cert,
 	int ret = 0;
 	int i = 0;
 	char *a_email;
-	char *a_rfc822name;
 	gnutls_datum_t out;
 
 	/* convert the provided email to ACE-Labels domain. */
@@ -94,17 +93,12 @@ gnutls_x509_crt_check_email(gnutls_x509_crt_t cert,
 				continue;
 			}
 
-			ret = _gnutls_idna_email_map(rfc822name, rfc822namesize, &out);
-			if (ret < 0) {
-				_gnutls_debug_log("unable to convert rfc822name %s to IDNA format\n", rfc822name);
+			if (!_gnutls_str_is_print(rfc822name, rfc822namesize)) {
+				_gnutls_debug_log("invalid (non-ASCII) email in certificate %.*s", (int)rfc822namesize, rfc822name);
 				continue;
 			}
 
-			a_rfc822name = (char*)out.data;
-
-			ret = _gnutls_hostname_compare(a_rfc822name, strlen(a_rfc822name), a_email, GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS);
-			gnutls_free(a_rfc822name);
-
+			ret = _gnutls_hostname_compare(rfc822name, rfc822namesize, a_email, GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS);
 			if (ret != 0) {
 				ret = 1;
 				goto cleanup;
@@ -142,19 +136,13 @@ gnutls_x509_crt_check_email(gnutls_x509_crt_t cert,
 			goto cleanup;
 		}
 
-		ret = _gnutls_idna_email_map (rfc822name, rfc822namesize, &out);
-		if (ret < 0) {
-			_gnutls_debug_log("unable to convert EMAIL %s to IDNA format\n", rfc822name);
+		if (!_gnutls_str_is_print(rfc822name, rfc822namesize)) {
+			_gnutls_debug_log("invalid (non-ASCII) email in certificate DN %.*s", (int)rfc822namesize, rfc822name);
 			ret = 0;
 			goto cleanup;
 		}
 
-		a_rfc822name = (char*)out.data;
-
-		ret = _gnutls_hostname_compare(a_rfc822name, strlen(a_rfc822name), a_email, GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS);
-
-		gnutls_free(a_rfc822name);
-
+		ret = _gnutls_hostname_compare(rfc822name, rfc822namesize, a_email, GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS);
 		if (ret != 0) {
 			ret = 1;
 			goto cleanup;
diff --git a/lib/x509/hostname-verify.c b/lib/x509/hostname-verify.c
index 1491b0ac52..c3d74f8567 100644
--- a/lib/x509/hostname-verify.c
+++ b/lib/x509/hostname-verify.c
@@ -128,7 +128,6 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
 	struct in_addr ipv4;
 	char *p = NULL;
 	char *a_hostname;
-	char *a_dnsname;
 	gnutls_datum_t out;
 
 	/* check whether @hostname is an ip address */
@@ -195,17 +194,12 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
 				continue;
 			}
 
-			ret = gnutls_idna_map (dnsname, dnsnamesize, &out, 0);
-			if (ret < 0) {
-				_gnutls_debug_log("unable to convert dnsname %s to IDNA format\n", dnsname);
+			if (!_gnutls_str_is_print(dnsname, dnsnamesize)) {
+				_gnutls_debug_log("invalid (non-ASCII) name in certificate %.*s", (int)dnsnamesize, dnsname);
 				continue;
 			}
 
-			a_dnsname = (char*)out.data;
-
-			ret = _gnutls_hostname_compare(a_dnsname, strlen(a_dnsname), a_hostname, flags);
-			gnutls_free(a_dnsname);
-
+			ret = _gnutls_hostname_compare(dnsname, dnsnamesize, a_hostname, flags);
 			if (ret != 0) {
 				ret = 1;
 				goto cleanup;
@@ -246,19 +240,13 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
 			goto cleanup;
 		}
 
-		ret = gnutls_idna_map (dnsname, dnsnamesize, &out, 0);
-		if (ret < 0) {
-			_gnutls_debug_log("unable to convert CN %s to IDNA format\n", dnsname);
+		if (!_gnutls_str_is_print(dnsname, dnsnamesize)) {
+			_gnutls_debug_log("invalid (non-ASCII) name in certificate CN %.*s", (int)dnsnamesize, dnsname);
 			ret = 0;
 			goto cleanup;
 		}
 
-		a_dnsname = (char*)out.data;
-
-		ret = _gnutls_hostname_compare(a_dnsname, strlen(a_dnsname), a_hostname, flags);
-
-		gnutls_free(a_dnsname);
-
+		ret = _gnutls_hostname_compare(dnsname, dnsnamesize, a_hostname, flags);
 		if (ret != 0) {
 			ret = 1;
 			goto cleanup;