File gnutls-CVE-2025-14831.patch of Package gnutls.42641
From d6054f0016db05fb5c82177ddbd0a4e8331059a1 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Wed, 4 Feb 2026 20:03:49 +0100
Subject: [PATCH] x509/name_constraints: name_constraints_node_list_intersect
over sorted
Fixes: #1773
Fixes: GNUTLS-SA-2026-02-09-2
Fixes: CVE-2025-14831
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Index: gnutls-3.7.3/lib/x509/name_constraints.c
===================================================================
--- gnutls-3.7.3.orig/lib/x509/name_constraints.c
+++ gnutls-3.7.3/lib/x509/name_constraints.c
@@ -39,6 +39,10 @@
#include "ip.h"
#include "ip-in-cidr.h"
#include "intprops.h"
+#include "minmax.h"
+
+#include <assert.h>
+#include <string.h>
#define MAX_NC_CHECKS (1 << 20)
@@ -51,6 +55,9 @@ struct name_constraints_node_list_st {
struct name_constraints_node_st **data;
size_t size;
size_t capacity;
+ /* sorted-on-demand view, valid only when dirty == false */
+ bool dirty;
+ struct name_constraints_node_st **sorted_view;
};
struct gnutls_name_constraints_st {
@@ -61,7 +68,315 @@ struct gnutls_name_constraints_st {
static struct name_constraints_node_st *
name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type,
- unsigned char *data, unsigned int size);
+ const unsigned char *data, unsigned int size);
+
+/* An enum for "rich" comparisons that not only let us sort name constraints,
+ * children-before-parent, but also subsume them during intersection. */
+enum name_constraint_relation {
+ NC_SORTS_BEFORE = -2, /* unrelated constraints */
+ NC_INCLUDED_BY = -1, /* nc1 is included by nc2 / children sort first */
+ NC_EQUAL = 0, /* exact match */
+ NC_INCLUDES = 1, /* nc1 includes nc2 / parents sort last */
+ NC_SORTS_AFTER = 2 /* unrelated constraints */
+};
+
+/* A helper to compare just a pair of strings with this rich comparison */
+static enum name_constraint_relation
+compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len)
+{
+ int r = memcmp(n1, n2, MIN(n1_len, n2_len));
+ if (r < 0)
+ return NC_SORTS_BEFORE;
+ if (r > 0)
+ return NC_SORTS_AFTER;
+ if (n1_len < n2_len)
+ return NC_SORTS_BEFORE;
+ if (n1_len > n2_len)
+ return NC_SORTS_AFTER;
+ return NC_EQUAL;
+}
+
+/* Rich-compare DNS names. Example order/relationships:
+ * z.x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x.b BEFORE y.b */
+static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1,
+ const gnutls_datum_t *n2)
+{
+ enum name_constraint_relation rel;
+ unsigned int i, j, i_end, j_end;
+
+ /* start from the end of each name */
+ i = i_end = n1->size;
+ j = j_end = n2->size;
+
+ /* skip the trailing dots for the comparison */
+ while (i && n1->data[i - 1] == '.')
+ i_end = i = i - 1;
+ while (j && n2->data[j - 1] == '.')
+ j_end = j = j - 1;
+
+ while (1) {
+ // rewind back to beginning or an after-dot position
+ while (i && n1->data[i - 1] != '.')
+ i--;
+ while (j && n2->data[j - 1] != '.')
+ j--;
+
+ rel = compare_strings(&n1->data[i], i_end - i, &n2->data[j],
+ j_end - j);
+ if (rel == NC_SORTS_BEFORE) /* x.a BEFORE y.a */
+ return NC_SORTS_BEFORE;
+ if (rel == NC_SORTS_AFTER) /* y.a AFTER x.a */
+ return NC_SORTS_AFTER;
+ if (!i && j) /* x.a INCLUDES z.x.a */
+ return NC_INCLUDES;
+ if (i && !j) /* z.x.a INCLUDED_BY x.a */
+ return NC_INCLUDED_BY;
+
+ if (!i && !j) /* r == 0, we ran out of components to compare */
+ return NC_EQUAL;
+ /* r == 0, i && j: step back past a dot and keep comparing */
+ i_end = i = i - 1;
+ j_end = j = j - 1;
+
+ /* support for non-standard ".gr INCLUDES example.gr" [1] */
+ if (!i && j) /* .a INCLUDES x.a */
+ return NC_INCLUDES;
+ if (i && !j) /* x.a INCLUDED_BY .a */
+ return NC_INCLUDED_BY;
+ }
+}
+/* [1] https://mailarchive.ietf.org/arch/msg/saag/Bw6PtreW0G7aEG7SikfzKHES4VA */
+
+/* Rich-compare email name constraints. Example order/relationships:
+ * z@x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x@b BEFORE y@b */
+static enum name_constraint_relation compare_emails(const gnutls_datum_t *n1,
+ const gnutls_datum_t *n2)
+{
+ enum name_constraint_relation domains_rel;
+ unsigned int i, j, i_end, j_end;
+ gnutls_datum_t d1, d2; /* borrow from n1 and n2 */
+
+ /* start from the end of each name */
+ i = i_end = n1->size;
+ j = j_end = n2->size;
+
+ /* rewind to @s to look for domains */
+ while (i && n1->data[i - 1] != '@')
+ i--;
+ d1.size = i_end - i;
+ d1.data = &n1->data[i];
+ while (j && n2->data[j - 1] != '@')
+ j--;
+ d2.size = j_end - j;
+ d2.data = &n2->data[j];
+
+ domains_rel = compare_dns_names(&d1, &d2);
+
+ /* email constraint semantics differ from DNS
+ * DNS: x.a INCLUDED_BY a
+ * Email: x.a INCLUDED_BY .a BEFORE a */
+ if (domains_rel == NC_INCLUDED_BY || domains_rel == NC_INCLUDES) {
+ bool d1_has_dot = (d1.size > 0 && d1.data[0] == '.');
+ bool d2_has_dot = (d2.size > 0 && d2.data[0] == '.');
+ /* a constraint without a dot is exact, excluding subdomains */
+ if (!d2_has_dot && domains_rel == NC_INCLUDED_BY)
+ domains_rel = NC_SORTS_BEFORE; /* x.a BEFORE a */
+ if (!d1_has_dot && domains_rel == NC_INCLUDES)
+ domains_rel = NC_SORTS_AFTER; /* a AFTER x.a */
+ }
+
+ if (!i && !j) { /* both are domains-only */
+ return domains_rel;
+ } else if (i && !j) { /* n1 is email, n2 is domain */
+ switch (domains_rel) {
+ case NC_SORTS_AFTER:
+ return NC_SORTS_AFTER;
+ case NC_SORTS_BEFORE:
+ return NC_SORTS_BEFORE;
+ case NC_INCLUDES: /* n2 is more specific, a@x.a AFTER z.x.a */
+ return NC_SORTS_AFTER;
+ case NC_EQUAL: /* subdomains match, z@x.a INCLUDED_BY x.a */
+ case NC_INCLUDED_BY: /* n1 is more specific */
+ return NC_INCLUDED_BY;
+ }
+ } else if (!i && j) { /* n1 is domain, n2 is email */
+ switch (domains_rel) {
+ case NC_SORTS_AFTER:
+ return NC_SORTS_AFTER;
+ case NC_SORTS_BEFORE:
+ return NC_SORTS_BEFORE;
+ case NC_INCLUDES: /* n2 is more specific, a AFTER z@x.a */
+ return NC_SORTS_AFTER;
+ case NC_EQUAL: /* subdomains match, x.a INCLUDES z@x.a */
+ return NC_INCLUDES;
+ case NC_INCLUDED_BY: /* n1 is more specific, x.a BEFORE z@a */
+ return NC_SORTS_BEFORE;
+ }
+ } else if (i && j) { /* both are emails */
+ switch (domains_rel) {
+ case NC_SORTS_AFTER:
+ return NC_SORTS_AFTER;
+ case NC_SORTS_BEFORE:
+ return NC_SORTS_BEFORE;
+ case NC_INCLUDES: // n2 is more specific
+ return NC_SORTS_AFTER;
+ case NC_INCLUDED_BY: // n1 is more specific
+ return NC_SORTS_BEFORE;
+ case NC_EQUAL: // only case when we need to look before the @
+ break; // see below for readability
+ }
+ }
+
+ /* i && j, both are emails, domain names match, compare up to @ */
+ return compare_strings(n1->data, i - 1, n2->data, j - 1);
+}
+
+/* Rich-compare IP address constraints. Example order/relationships:
+ * 10.0.0.0/24 INCLUDED_BY 10.0.0.0/16 BEFORE 1::1/128 INCLUDED_BY 1::1/127 */
+static enum name_constraint_relation compare_ip_ncs(const gnutls_datum_t *n1,
+ const gnutls_datum_t *n2)
+{
+ unsigned int len, i;
+ int r;
+ const unsigned char *ip1, *ip2, *mask1, *mask2;
+ unsigned char masked11[16], masked22[16], masked12[16], masked21[16];
+
+ if (n1->size < n2->size)
+ return NC_SORTS_BEFORE;
+ if (n1->size > n2->size)
+ return NC_SORTS_AFTER;
+ len = n1->size / 2; /* 4 for IPv4, 16 for IPv6 */
+
+ /* data is a concatenation of prefix and mask */
+ ip1 = n1->data;
+ ip2 = n2->data;
+ mask1 = n1->data + len;
+ mask2 = n2->data + len;
+ for (i = 0; i < len; i++) {
+ masked11[i] = ip1[i] & mask1[i];
+ masked22[i] = ip2[i] & mask2[i];
+ masked12[i] = ip1[i] & mask2[i];
+ masked21[i] = ip2[i] & mask1[i];
+ }
+
+ r = memcmp(mask1, mask2, len);
+ if (r < 0 && !memcmp(masked11, masked21, len)) /* prefix1 < prefix2 */
+ return NC_INCLUDES; /* ip1 & mask1 == ip2 & mask1 */
+ if (r > 0 && !memcmp(masked12, masked22, len)) /* prefix1 > prefix2 */
+ return NC_INCLUDED_BY; /* ip1 & mask2 == ip2 & mask2 */
+
+ r = memcmp(masked11, masked22, len);
+ if (r < 0)
+ return NC_SORTS_BEFORE;
+ else if (r > 0)
+ return NC_SORTS_AFTER;
+ return NC_EQUAL;
+}
+
+static inline bool is_supported_type(unsigned type)
+{
+ /* all of these should be under GNUTLS_SAN_MAX (intersect bitmasks) */
+ return type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME ||
+ type == GNUTLS_SAN_IPADDRESS;
+}
+
+/* Universal comparison for name constraint nodes.
+ * Unsupported types sort before supported types to allow early handling.
+ * NULL represents end-of-list and sorts after everything else. */
+static enum name_constraint_relation
+compare_name_constraint_nodes(const struct name_constraints_node_st *n1,
+ const struct name_constraints_node_st *n2)
+{
+ bool n1_supported, n2_supported;
+
+ if (!n1 && !n2)
+ return NC_EQUAL;
+ if (!n1)
+ return NC_SORTS_AFTER;
+ if (!n2)
+ return NC_SORTS_BEFORE;
+
+ n1_supported = is_supported_type(n1->type);
+ n2_supported = is_supported_type(n2->type);
+
+ /* unsupported types bubble up (sort first). intersect relies on this */
+ if (!n1_supported && n2_supported)
+ return NC_SORTS_BEFORE;
+ if (n1_supported && !n2_supported)
+ return NC_SORTS_AFTER;
+
+ /* next, sort by type */
+ if (n1->type < n2->type)
+ return NC_SORTS_BEFORE;
+ if (n1->type > n2->type)
+ return NC_SORTS_AFTER;
+
+ /* now look deeper */
+ switch (n1->type) {
+ case GNUTLS_SAN_DNSNAME:
+ return compare_dns_names(&n1->name, &n2->name);
+ case GNUTLS_SAN_RFC822NAME:
+ return compare_emails(&n1->name, &n2->name);
+ case GNUTLS_SAN_IPADDRESS:
+ return compare_ip_ncs(&n1->name, &n2->name);
+ default:
+ /* unsupported types: stable lexicographic order */
+ return compare_strings(n1->name.data, n1->name.size,
+ n2->name.data, n2->name.size);
+ }
+}
+
+/* qsort-compatible wrapper */
+static int compare_name_constraint_nodes_qsort(const void *a, const void *b)
+{
+ const struct name_constraints_node_st *const *n1 = a;
+ const struct name_constraints_node_st *const *n2 = b;
+ enum name_constraint_relation rel;
+
+ rel = compare_name_constraint_nodes(*n1, *n2);
+ switch (rel) {
+ case NC_SORTS_BEFORE:
+ case NC_INCLUDED_BY:
+ return -1;
+ case NC_SORTS_AFTER:
+ case NC_INCLUDES:
+ return 1;
+ case NC_EQUAL:
+ default:
+ return 0;
+ }
+}
+
+/* Bring the sorted view up to date with the list data; clear the dirty flag. */
+static int ensure_sorted(struct name_constraints_node_list_st *list)
+{
+ struct name_constraints_node_st **new_data;
+
+ if (!list->dirty)
+ return GNUTLS_E_SUCCESS;
+ if (!list->size) {
+ list->dirty = false;
+ return GNUTLS_E_SUCCESS;
+ }
+
+ /* reallocate sorted view to match current size */
+ new_data =
+ _gnutls_reallocarray(list->sorted_view, list->size,
+ sizeof(struct name_constraints_node_st *));
+ if (!new_data)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ list->sorted_view = new_data;
+
+ /* copy pointers and sort in-place */
+ memcpy(list->sorted_view, list->data,
+ list->size * sizeof(struct name_constraints_node_st *));
+ qsort(list->sorted_view, list->size,
+ sizeof(struct name_constraints_node_st *),
+ compare_name_constraint_nodes_qsort);
+
+ list->dirty = false;
+ return GNUTLS_E_SUCCESS;
+}
static int
name_constraints_node_list_add(struct name_constraints_node_list_st *list,
@@ -82,16 +397,54 @@ name_constraints_node_list_add(struct na
list->capacity = new_capacity;
list->data = new_data;
}
+ list->dirty = true;
list->data[list->size++] = node;
return 0;
}
-// for documentation see the implementation
-static int name_constraints_intersect_nodes(
- gnutls_x509_name_constraints_t nc,
- const struct name_constraints_node_st *node1,
- const struct name_constraints_node_st *node2,
- struct name_constraints_node_st **intersection);
+static void
+name_constraints_node_list_clear(struct name_constraints_node_list_st *list)
+{
+ gnutls_free(list->data);
+ gnutls_free(list->sorted_view);
+ list->data = NULL;
+ list->sorted_view = NULL;
+ list->capacity = 0;
+ list->size = 0;
+ list->dirty = false;
+}
+
+static int
+name_constraints_node_add_new(gnutls_x509_name_constraints_t nc,
+ struct name_constraints_node_list_st *list,
+ unsigned type, const unsigned char *data,
+ unsigned int size)
+{
+ struct name_constraints_node_st *node;
+ int ret;
+ node = name_constraints_node_new(nc, type, data, size);
+ if (node == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+ ret = name_constraints_node_list_add(list, node);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+ return GNUTLS_E_SUCCESS;
+}
+
+static int
+name_constraints_node_add_copy(gnutls_x509_name_constraints_t nc,
+ struct name_constraints_node_list_st *dest,
+ const struct name_constraints_node_st *src)
+{
+ if (!src)
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ return name_constraints_node_add_new(nc, dest, src->type,
+ src->name.data, src->name.size);
+}
/*-
* _gnutls_x509_name_constraints_is_empty:
@@ -161,6 +514,23 @@ static int validate_name_constraints_nod
return gnutls_assert_val(GNUTLS_E_MALFORMED_CIDR);
}
+ /* Validate DNS names and email addresses for malformed input */
+ if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME) {
+ unsigned int i;
+ if (name->size == 0)
+ return GNUTLS_E_SUCCESS;
+
+ /* reject names with consecutive dots... */
+ for (i = 0; i + 1 < name->size; i++) {
+ if (name->data[i] == '.' && name->data[i + 1] == '.')
+ return gnutls_assert_val(
+ GNUTLS_E_ILLEGAL_PARAMETER);
+ }
+ /* ... or names consisting exclusively of dots */
+ if (name->size == 1 && name->data[0] == '.')
+ return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ }
+
return GNUTLS_E_SUCCESS;
}
@@ -172,7 +542,6 @@ static int extract_name_constraints(gnut
unsigned indx;
gnutls_datum_t tmp = { NULL, 0 };
unsigned int type;
- struct name_constraints_node_st *node;
for (indx=1;;indx++) {
snprintf(tmpstr, sizeof(tmpstr), "%s.?%u.base", vstr, indx);
@@ -191,15 +560,9 @@ static int extract_name_constraints(gnut
goto cleanup;
}
- node = name_constraints_node_new(nc, type, tmp.data, tmp.size);
+ ret = name_constraints_node_add_new(nc, nodes, type, tmp.data,
+ tmp.size);
_gnutls_free_datum(&tmp);
- if (node == NULL) {
- gnutls_assert();
- ret = GNUTLS_E_MEMORY_ERROR;
- goto cleanup;
- }
-
- ret = name_constraints_node_list_add(nodes, node);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -262,7 +625,7 @@ static void name_constraints_node_free(s
-*/
static struct name_constraints_node_st *
name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type,
- unsigned char *data, unsigned int size)
+ const unsigned char *data, unsigned int size)
{
struct name_constraints_node_st *tmp;
int ret;
@@ -292,6 +655,21 @@ name_constraints_node_new(gnutls_x509_na
}
+static int
+name_constraints_node_list_union(gnutls_x509_name_constraints_t nc,
+ struct name_constraints_node_list_st *nodes,
+ struct name_constraints_node_list_st *nodes2);
+
+#define type_bitmask_t uint8_t /* increase if GNUTLS_SAN_MAX grows */
+#define type_bitmask_set(mask, t) ((mask) |= (1u << (t)))
+#define type_bitmask_clr(mask, t) ((mask) &= ~(1u << (t)))
+#define type_bitmask_in(mask, t) ((mask) & (1u << (t)))
+/* C99-compatible compile-time assertions; gnutls_int.h undefines verify */
+typedef char assert_san_max[(GNUTLS_SAN_MAX < 8) ? 1 : -1];
+typedef char assert_dnsname[(GNUTLS_SAN_DNSNAME <= GNUTLS_SAN_MAX) ? 1 : -1];
+typedef char assert_rfc822[(GNUTLS_SAN_RFC822NAME <= GNUTLS_SAN_MAX) ? 1 : -1];
+typedef char assert_ipaddr[(GNUTLS_SAN_IPADDRESS <= GNUTLS_SAN_MAX) ? 1 : -1];
+
/*-
* @brief name_constraints_node_list_intersect:
* @nc: %gnutls_x509_name_constraints_t
@@ -309,138 +687,143 @@ name_constraints_node_new(gnutls_x509_na
static int name_constraints_node_list_intersect(
gnutls_x509_name_constraints_t nc,
struct name_constraints_node_list_st *permitted,
- const struct name_constraints_node_list_st *permitted2,
+ struct name_constraints_node_list_st *permitted2,
struct name_constraints_node_list_st *excluded)
{
- struct name_constraints_node_st *tmp;
- int ret, type, used;
- struct name_constraints_node_list_st removed = { .data = NULL,
- .size = 0,
- .capacity = 0 };
-
- /* temporary array to see, if we need to add universal excluded constraints
- * (see phase 3 for details)
- * indexed directly by (gnutls_x509_subject_alt_name_t enum - 1) */
- unsigned char types_with_empty_intersection[GNUTLS_SAN_MAX];
- memset(types_with_empty_intersection, 0,
- sizeof(types_with_empty_intersection));
+ struct name_constraints_node_st *nc1, *nc2;
+ struct name_constraints_node_list_st result = { 0 };
+ struct name_constraints_node_list_st unsupp2 = { 0 };
+ enum name_constraint_relation rel;
+ unsigned type;
+ int ret = GNUTLS_E_SUCCESS;
+ size_t i, j, p1_unsupp = 0, p2_unsupp = 0;
+ type_bitmask_t universal_exclude_needed = 0;
+ type_bitmask_t types_in_p1 = 0, types_in_p2 = 0;
+ static const unsigned char universal_ip[32] = { 0 };
if (permitted->size == 0 || permitted2->size == 0)
- return 0;
+ return GNUTLS_E_SUCCESS;
- /* Phase 1
- * For each name in PERMITTED, if a PERMITTED2 does not contain a name
- * with the same type, move the original name to REMOVED.
- * Do this also for node of unknown type (not DNS, email, IP) */
- for (size_t i = 0; i < permitted->size;) {
- struct name_constraints_node_st *t = permitted->data[i];
- const struct name_constraints_node_st *found = NULL;
-
- for (size_t j = 0; j < permitted2->size; j++) {
- const struct name_constraints_node_st *t2 =
- permitted2->data[j];
- if (t->type == t2->type) {
- // check bounds (we will use 't->type' as index)
- if (t->type > GNUTLS_SAN_MAX || t->type == 0) {
- gnutls_assert();
- ret = GNUTLS_E_INTERNAL_ERROR;
- goto cleanup;
- }
- // note the possibility of empty intersection for this type
- // if we add something to the intersection in phase 2,
- // we will reset this flag back to 0 then
- types_with_empty_intersection[t->type - 1] = 1;
- found = t2;
- break;
- }
+ /* make sorted views of the arrays */
+ ret = ensure_sorted(permitted);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ ret = ensure_sorted(permitted2);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ /* deal with the leading unsupported types first: count, then union */
+ while (p1_unsupp < permitted->size &&
+ !is_supported_type(permitted->sorted_view[p1_unsupp]->type))
+ p1_unsupp++;
+ while (p2_unsupp < permitted2->size &&
+ !is_supported_type(permitted2->sorted_view[p2_unsupp]->type))
+ p2_unsupp++;
+ if (p1_unsupp) { /* copy p1 unsupported type pointers into result */
+ result.data = gnutls_calloc(
+ p1_unsupp, sizeof(struct name_constraints_node_st *));
+ if (!result.data) {
+ ret = GNUTLS_E_MEMORY_ERROR;
+ gnutls_assert();
+ goto cleanup;
}
+ memcpy(result.data, permitted->sorted_view,
+ p1_unsupp * sizeof(struct name_constraints_node_st *));
+ result.size = result.capacity = p1_unsupp;
+ result.dirty = true;
+ }
+ if (p2_unsupp) { /* union will make deep copies from p2 */
+ unsupp2.data = permitted2->sorted_view; /* so, just alias */
+ unsupp2.size = unsupp2.capacity = p2_unsupp;
+ unsupp2.dirty = false; /* we know it's sorted */
+ unsupp2.sorted_view = permitted2->sorted_view;
+ ret = name_constraints_node_list_union(nc, &result, &unsupp2);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ }
- if (found != NULL && (t->type == GNUTLS_SAN_DNSNAME ||
- t->type == GNUTLS_SAN_RFC822NAME ||
- t->type == GNUTLS_SAN_IPADDRESS)) {
- /* move node from PERMITTED to REMOVED */
- ret = name_constraints_node_list_add(&removed, t);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
- /* remove node by swapping */
- if (i < permitted->size - 1)
- permitted->data[i] =
- permitted->data[permitted->size - 1];
- permitted->size--;
- continue;
+ /* with that out of the way, pre-compute the supported types we have */
+ for (i = p1_unsupp; i < permitted->size; i++) {
+ type = permitted->sorted_view[i]->type;
+ if (type < 1 || type > GNUTLS_SAN_MAX) {
+ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ goto cleanup;
+ }
+ type_bitmask_set(types_in_p1, type);
+ }
+ for (j = p2_unsupp; j < permitted2->size; j++) {
+ type = permitted2->sorted_view[j]->type;
+ if (type < 1 || type > GNUTLS_SAN_MAX) {
+ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ goto cleanup;
}
- i++;
+ type_bitmask_set(types_in_p2, type);
}
+ /* universal excludes might be needed for types intersecting to empty */
+ universal_exclude_needed = types_in_p1 & types_in_p2;
- /* Phase 2
- * iterate through all combinations from PERMITTED2 and PERMITTED
- * and create intersections of nodes with same type */
- for (size_t i = 0; i < permitted2->size; i++) {
- const struct name_constraints_node_st *t2 = permitted2->data[i];
-
- // current PERMITTED2 node has not yet been used for any intersection
- // (and is not in REMOVED either)
- used = 0;
- for (size_t j = 0; j < removed.size; j++) {
- const struct name_constraints_node_st *t =
- removed.data[j];
- // save intersection of name constraints into tmp
- ret = name_constraints_intersect_nodes(nc, t, t2, &tmp);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
- used = 1;
- // if intersection is not empty
- if (tmp !=
- NULL) { // intersection for this type is not empty
- // check bounds
- if (tmp->type > GNUTLS_SAN_MAX ||
- tmp->type == 0) {
- gnutls_free(tmp);
- return gnutls_assert_val(
- GNUTLS_E_INTERNAL_ERROR);
- }
- // we will not add universal excluded constraint for this type
- types_with_empty_intersection[tmp->type - 1] =
- 0;
- // add intersection node to PERMITTED
- ret = name_constraints_node_list_add(permitted,
- tmp);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
- }
+ /* go through supported type NCs and intersect in a single pass */
+ i = p1_unsupp;
+ j = p2_unsupp;
+ while (i < permitted->size || j < permitted2->size) {
+ nc1 = (i < permitted->size) ? permitted->sorted_view[i] : NULL;
+ nc2 = (j < permitted2->size) ? permitted2->sorted_view[j] :
+ NULL;
+ rel = compare_name_constraint_nodes(nc1, nc2);
+
+ switch (rel) {
+ case NC_SORTS_BEFORE:
+ assert(nc1 != NULL); /* comparator-guaranteed */
+ /* if nothing to intersect with, shallow-copy nc1 */
+ if (!type_bitmask_in(types_in_p2, nc1->type))
+ ret = name_constraints_node_list_add(&result,
+ nc1);
+ i++; /* otherwise skip nc1 */
+ break;
+ case NC_SORTS_AFTER:
+ assert(nc2 != NULL); /* comparator-guaranteed */
+ /* if nothing to intersect with, deep-copy nc2 */
+ if (!type_bitmask_in(types_in_p1, nc2->type))
+ ret = name_constraints_node_add_copy(
+ nc, &result, nc2);
+ j++; /* otherwise skip nc2 */
+ break;
+ case NC_INCLUDED_BY: /* add nc1, shallow-copy */
+ assert(nc1 != NULL && nc2 != NULL); /* comparator */
+ type_bitmask_clr(universal_exclude_needed, nc1->type);
+ ret = name_constraints_node_list_add(&result, nc1);
+ i++;
+ break;
+ case NC_INCLUDES: /* pick nc2, deep-copy */
+ assert(nc1 != NULL && nc2 != NULL); /* comparator */
+ type_bitmask_clr(universal_exclude_needed, nc2->type);
+ ret = name_constraints_node_add_copy(nc, &result, nc2);
+ j++;
+ break;
+ case NC_EQUAL: /* pick whichever: nc1, shallow-copy */
+ assert(nc1 != NULL && nc2 != NULL); /* loop condition */
+ type_bitmask_clr(universal_exclude_needed, nc1->type);
+ ret = name_constraints_node_list_add(&result, nc1);
+ i++;
+ j++;
+ break;
}
- // if the node from PERMITTED2 was not used for intersection, copy it to DEST
- // Beware: also copies nodes other than DNS, email, IP,
- // since their counterpart may have been moved in phase 1.
- if (!used) {
- tmp = name_constraints_node_new(
- nc, t2->type, t2->name.data, t2->name.size);
- if (tmp == NULL) {
- gnutls_assert();
- ret = GNUTLS_E_MEMORY_ERROR;
- goto cleanup;
- }
- ret = name_constraints_node_list_add(permitted, tmp);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
}
}
- /* Phase 3
- * For each type: If we have empty permitted name constraints now
- * and we didn't have at the beginning, we have to add a new
- * excluded constraint with universal wildcard
- * (since the intersection of permitted is now empty). */
+ /* finishing touch: add universal excluded constraints for types where
+ * both lists had constraints, but all intersections ended up empty */
for (type = 1; type <= GNUTLS_SAN_MAX; type++) {
- if (types_with_empty_intersection[type - 1] == 0)
+ if (!type_bitmask_in(universal_exclude_needed, type))
continue;
_gnutls_hard_log(
"Adding universal excluded name constraint for type %d.\n",
@@ -448,27 +831,17 @@ static int name_constraints_node_list_in
switch (type) {
case GNUTLS_SAN_IPADDRESS:
// add universal restricted range for IPv4
- tmp = name_constraints_node_new(
- nc, GNUTLS_SAN_IPADDRESS, NULL, 8);
- if (tmp == NULL) {
- gnutls_assert();
- ret = GNUTLS_E_MEMORY_ERROR;
- goto cleanup;
- }
- ret = name_constraints_node_list_add(excluded, tmp);
+ ret = name_constraints_node_add_new(
+ nc, excluded, GNUTLS_SAN_IPADDRESS,
+ universal_ip, 8);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
// add universal restricted range for IPv6
- tmp = name_constraints_node_new(
- nc, GNUTLS_SAN_IPADDRESS, NULL, 32);
- if (tmp == NULL) {
- gnutls_assert();
- ret = GNUTLS_E_MEMORY_ERROR;
- goto cleanup;
- }
- ret = name_constraints_node_list_add(excluded, tmp);
+ ret = name_constraints_node_add_new(
+ nc, excluded, GNUTLS_SAN_IPADDRESS,
+ universal_ip, 32);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -476,52 +849,128 @@ static int name_constraints_node_list_in
break;
case GNUTLS_SAN_DNSNAME:
case GNUTLS_SAN_RFC822NAME:
- tmp = name_constraints_node_new(nc, type, NULL, 0);
- if (tmp == NULL) {
- gnutls_assert();
- ret = GNUTLS_E_MEMORY_ERROR;
- goto cleanup;
- }
- ret = name_constraints_node_list_add(excluded, tmp);
+ ret = name_constraints_node_add_new(nc, excluded, type,
+ NULL, 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
break;
- default: // do nothing, at least one node was already moved in phase 1
- break;
+ default: /* unsupported type; should be unreacheable */
+ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ goto cleanup;
}
}
- ret = GNUTLS_E_SUCCESS;
+ gnutls_free(permitted->data);
+ gnutls_free(permitted->sorted_view);
+ permitted->data = result.data;
+ permitted->sorted_view = NULL;
+ permitted->size = result.size;
+ permitted->capacity = result.capacity;
+ permitted->dirty = true;
+
+ result.data = NULL;
+ ret = GNUTLS_E_SUCCESS;
cleanup:
- gnutls_free(removed.data);
+ name_constraints_node_list_clear(&result);
return ret;
}
-static int name_constraints_node_list_concat(
- gnutls_x509_name_constraints_t nc,
- struct name_constraints_node_list_st *nodes,
- const struct name_constraints_node_list_st *nodes2)
+#undef type_bitmask_t
+#undef type_bitmask_set
+#undef type_bitmask_clr
+#undef type_bitmask_in
+
+static int
+name_constraints_node_list_union(gnutls_x509_name_constraints_t nc,
+ struct name_constraints_node_list_st *nodes,
+ struct name_constraints_node_list_st *nodes2)
{
- for (size_t i = 0; i < nodes2->size; i++) {
- const struct name_constraints_node_st *node = nodes2->data[i];
- struct name_constraints_node_st *tmp;
- int ret;
-
- tmp = name_constraints_node_new(nc, node->type, node->name.data,
- node->name.size);
- if (tmp == NULL) {
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ int ret;
+ size_t i = 0, j = 0;
+ struct name_constraints_node_st *nc1;
+ const struct name_constraints_node_st *nc2;
+ enum name_constraint_relation rel;
+ struct name_constraints_node_list_st result = { 0 };
+
+ if (nodes2->size == 0) /* nothing to do */
+ return GNUTLS_E_SUCCESS;
+
+ ret = ensure_sorted(nodes);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ ret = ensure_sorted(nodes2);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ /* traverse both lists in a single pass and merge them w/o duplicates */
+ while (i < nodes->size || j < nodes2->size) {
+ nc1 = (i < nodes->size) ? nodes->sorted_view[i] : NULL;
+ nc2 = (j < nodes2->size) ? nodes2->sorted_view[j] : NULL;
+
+ rel = compare_name_constraint_nodes(nc1, nc2);
+ switch (rel) {
+ case NC_SORTS_BEFORE:
+ assert(nc1 != NULL); /* comparator-guaranteed */
+ ret = name_constraints_node_list_add(&result, nc1);
+ i++;
+ break;
+ case NC_SORTS_AFTER:
+ assert(nc2 != NULL); /* comparator-guaranteed */
+ ret = name_constraints_node_add_copy(nc, &result, nc2);
+ j++;
+ break;
+ case NC_INCLUDES: /* nc1 is broader, shallow-copy it */
+ assert(nc1 != NULL && nc2 != NULL); /* comparator */
+ ret = name_constraints_node_list_add(&result, nc1);
+ i++;
+ j++;
+ break;
+ case NC_INCLUDED_BY: /* nc2 is broader, deep-copy it */
+ assert(nc1 != NULL && nc2 != NULL); /* comparator */
+ ret = name_constraints_node_add_copy(nc, &result, nc2);
+ i++;
+ j++;
+ break;
+ case NC_EQUAL:
+ assert(nc1 != NULL && nc2 != NULL); /* loop condition */
+ ret = name_constraints_node_list_add(&result, nc1);
+ i++;
+ j++;
+ break;
}
- ret = name_constraints_node_list_add(nodes, tmp);
if (ret < 0) {
- name_constraints_node_free(tmp);
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ gnutls_assert();
+ goto cleanup;
}
}
- return 0;
+ gnutls_free(nodes->data);
+ gnutls_free(nodes->sorted_view);
+ nodes->data = result.data;
+ nodes->sorted_view = NULL;
+ nodes->size = result.size;
+ nodes->capacity = result.capacity;
+ nodes->dirty = true;
+ /* since we know it's sorted, populate sorted_view almost for free */
+ nodes->sorted_view = gnutls_calloc(
+ nodes->size, sizeof(struct name_constraints_node_st *));
+ if (!nodes->sorted_view)
+ return GNUTLS_E_SUCCESS; /* we tried, no harm done */
+ memcpy(nodes->sorted_view, nodes->data,
+ nodes->size * sizeof(struct name_constraints_node_st *));
+ nodes->dirty = false;
+
+ result.data = NULL;
+ return GNUTLS_E_SUCCESS;
+cleanup:
+ name_constraints_node_list_clear(&result);
+ return gnutls_assert_val(ret);
}
/**
@@ -594,17 +1043,9 @@ void _gnutls_x509_name_constraints_clear
struct name_constraints_node_st *node = nc->nodes.data[i];
name_constraints_node_free(node);
}
- gnutls_free(nc->nodes.data);
- nc->nodes.capacity = 0;
- nc->nodes.size = 0;
-
- gnutls_free(nc->permitted.data);
- nc->permitted.capacity = 0;
- nc->permitted.size = 0;
-
- gnutls_free(nc->excluded.data);
- nc->excluded.capacity = 0;
- nc->excluded.size = 0;
+ name_constraints_node_list_clear(&nc->nodes);
+ name_constraints_node_list_clear(&nc->permitted);
+ name_constraints_node_list_clear(&nc->excluded);
}
/**
@@ -652,7 +1093,6 @@ int name_constraints_add(gnutls_x509_nam
const gnutls_datum_t * name,
unsigned permitted)
{
- struct name_constraints_node_st *tmp;
struct name_constraints_node_list_st *nodes;
int ret;
@@ -662,15 +1102,10 @@ int name_constraints_add(gnutls_x509_nam
nodes = permitted ? &nc->permitted : &nc->excluded;
- tmp = name_constraints_node_new(nc, type, name->data, name->size);
- if (tmp == NULL)
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-
- ret = name_constraints_node_list_add(nodes, tmp);
- if (ret < 0) {
- name_constraints_node_free(tmp);
+ ret = name_constraints_node_add_new(nc, nodes, type, name->data,
+ name->size);
+ if (ret < 0)
return gnutls_assert_val(ret);
- }
return 0;
}
@@ -681,7 +1116,7 @@ int name_constraints_add(gnutls_x509_nam
* @nc2: The name constraints to be merged with
*
* This function will merge the provided name constraints structures
- * as per RFC5280 p6.1.4. That is, the excluded constraints will be appended,
+ * as per RFC5280 p6.1.4. That is, the excluded constraints will be unioned,
* and permitted will be intersected. The intersection assumes that @nc
* is the root CA constraints.
*
@@ -702,8 +1137,8 @@ int _gnutls_x509_name_constraints_merge(
return ret;
}
- ret = name_constraints_node_list_concat(nc, &nc->excluded,
- &nc2->excluded);
+ ret = name_constraints_node_list_union(nc, &nc->excluded,
+ &nc2->excluded);
if (ret < 0) {
gnutls_assert();
return ret;
@@ -799,57 +1234,13 @@ cleanup:
return ret;
}
-static
-unsigned ends_with(const gnutls_datum_t * str, const gnutls_datum_t * suffix)
-{
- unsigned char *tree;
- unsigned int treelen;
-
- if (suffix->size >= str->size)
- return 0;
-
- tree = suffix->data;
- treelen = suffix->size;
- if((treelen > 0) && (tree[0] == '.')) {
- tree++;
- treelen--;
- }
-
- if (memcmp(str->data + str->size - treelen, tree, treelen) == 0 &&
- str->data[str->size - treelen -1] == '.')
- return 1; /* match */
-
- return 0;
-}
-
-static
-unsigned email_ends_with(const gnutls_datum_t * str, const gnutls_datum_t * suffix)
-{
- if (suffix->size >= str->size)
- return 0;
-
- if (suffix->size > 1 && suffix->data[0] == '.') {
- /* .domain.com */
- if (memcmp(str->data + str->size - suffix->size, suffix->data, suffix->size) == 0)
- return 1; /* match */
- } else {
- if (memcmp(str->data + str->size - suffix->size, suffix->data, suffix->size) == 0 &&
- str->data[str->size - suffix->size -1] == '@')
- return 1; /* match */
- }
-
- return 0;
-}
-
static unsigned dnsname_matches(const gnutls_datum_t *name, const gnutls_datum_t *suffix)
{
_gnutls_hard_log("matching %.*s with DNS constraint %.*s\n", name->size, name->data,
suffix->size, suffix->data);
- if (suffix->size == name->size && memcmp(suffix->data, name->data, suffix->size) == 0)
- return 1; /* match */
-
- return ends_with(name, suffix);
+ enum name_constraint_relation rel = compare_dns_names(name, suffix);
+ return rel == NC_EQUAL || rel == NC_INCLUDED_BY;
}
static unsigned email_matches(const gnutls_datum_t *name, const gnutls_datum_t *suffix)
@@ -857,102 +1248,8 @@ static unsigned email_matches(const gnut
_gnutls_hard_log("matching %.*s with e-mail constraint %.*s\n", name->size, name->data,
suffix->size, suffix->data);
- if (suffix->size == name->size && memcmp(suffix->data, name->data, suffix->size) == 0)
- return 1; /* match */
-
- return email_ends_with(name, suffix);
-}
-
-/*-
- * name_constraints_intersect_nodes:
- * @nc1: name constraints node 1
- * @nc2: name constraints node 2
- * @_intersection: newly allocated node with intersected constraints,
- * NULL if the intersection is empty
- *
- * Inspect 2 name constraints nodes (of possibly different types) and allocate
- * a new node with intersection of given constraints.
- *
- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
- -*/
-static int name_constraints_intersect_nodes(
- gnutls_x509_name_constraints_t nc,
- const struct name_constraints_node_st *node1,
- const struct name_constraints_node_st *node2,
- struct name_constraints_node_st **_intersection)
-{
- // presume empty intersection
- struct name_constraints_node_st *intersection = NULL;
- const struct name_constraints_node_st *to_copy = NULL;
- unsigned iplength = 0;
- unsigned byte;
-
- *_intersection = NULL;
-
- if (node1->type != node2->type) {
- return GNUTLS_E_SUCCESS;
- }
- switch (node1->type) {
- case GNUTLS_SAN_DNSNAME:
- if (!dnsname_matches(&node2->name, &node1->name))
- return GNUTLS_E_SUCCESS;
- to_copy = node2;
- break;
- case GNUTLS_SAN_RFC822NAME:
- if (!email_matches(&node2->name, &node1->name))
- return GNUTLS_E_SUCCESS;
- to_copy = node2;
- break;
- case GNUTLS_SAN_IPADDRESS:
- if (node1->name.size != node2->name.size)
- return GNUTLS_E_SUCCESS;
- iplength = node1->name.size / 2;
- for (byte = 0; byte < iplength; byte++) {
- if (((node1->name.data[byte] ^
- node2->name.data[byte]) // XOR of addresses
- & node1->name.data[byte +
- iplength] // AND mask from nc1
- & node2->name.data[byte +
- iplength]) // AND mask from nc2
- != 0) {
- // CIDRS do not intersect
- return GNUTLS_E_SUCCESS;
- }
- }
- to_copy = node2;
- break;
- default:
- // for other types, we don't know how to do the intersection, assume empty
- return GNUTLS_E_SUCCESS;
- }
-
- // copy existing node if applicable
- if (to_copy != NULL) {
- *_intersection = name_constraints_node_new(nc, to_copy->type,
- to_copy->name.data,
- to_copy->name.size);
- if (*_intersection == NULL)
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- intersection = *_intersection;
-
- assert(intersection->name.data != NULL);
-
- if (intersection->type == GNUTLS_SAN_IPADDRESS) {
- // make sure both IP addresses are correctly masked
- _gnutls_mask_ip(intersection->name.data,
- intersection->name.data + iplength,
- iplength);
- _gnutls_mask_ip(node1->name.data,
- node1->name.data + iplength, iplength);
- // update intersection, if necessary (we already know one is subset of other)
- for (byte = 0; byte < 2 * iplength; byte++) {
- intersection->name.data[byte] |=
- node1->name.data[byte];
- }
- }
- }
-
- return GNUTLS_E_SUCCESS;
+ enum name_constraint_relation rel = compare_emails(name, suffix);
+ return rel == NC_EQUAL || rel == NC_INCLUDED_BY;
}
/*
