From 8ee01ebaf226164e1ad982033a84478462b95f67 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Thu, 20 Jun 2024 13:42:31 -0600 Subject: [PATCH] sanity check for empty directory strings --- wolfcrypt/src/asn.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 7754f6ec53..6b142fcb5c 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -13903,6 +13903,18 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, return ASN_PARSE_E; } + #ifndef WOLFSSL_NO_ASN_STRICT + /* RFC 5280 section 4.1.2.4 lists a DirecotryString as being + * 1..MAX in length */ + if (strLen < 1) { + WOLFSSL_MSG("Non conforming DirectoryString of length 0 was" + " found"); + WOLFSSL_MSG("Use WOLFSSL_NO_ASN_STRICT if wanting to allow" + " empty DirectoryString's"); + return ASN_PARSE_E; + } + #endif + if (id == ASN_COMMON_NAME) { if (nameType == SUBJECT) { cert->subjectCN = (char *)&input[srcIdx]; @@ -14533,6 +14545,18 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, /* Get string reference. */ GetASN_GetRef(&dataASN[RDNASN_IDX_ATTR_VAL], &str, &strLen); + #ifndef WOLFSSL_NO_ASN_STRICT + /* RFC 5280 section 4.1.2.4 lists a DirecotryString as being + * 1..MAX in length */ + if (ret == 0 && strLen < 1) { + WOLFSSL_MSG("Non conforming DirectoryString of length 0 was" + " found"); + WOLFSSL_MSG("Use WOLFSSL_NO_ASN_STRICT if wanting to allow" + " empty DirectoryString's"); + ret = ASN_PARSE_E; + } + #endif + /* Convert BER tag to a OpenSSL type. */ switch (tag) { case CTC_UTF8: