Restore error code from DecodeGeneralName#10793
Pull request overview
Adjusts X.509 SubjectAltName parsing so embedded NUL bytes in IA5String-based GeneralNames (dNSName/rfc822Name/URI) do not abort certificate parsing with ASN_PARSE_E, restoring the expected verification-time failure mode (e.g., DOMAIN_NAME_MISMATCH) and fixing the curl test 311 regression described in #10790.
Changes:
- Stop rejecting embedded-NUL IA5String SAN values at parse time by removing `DecodeGeneralNameCheckChars` from both ASN parsers.
- Add/adjust tests to ensure certificates with embedded-NUL dNSName SANs still parse and store the full (non-truncated) value, while hostname verification still fails.
- Update doxygen to warn that `wolfSSL_X509_get_next_altname()` returns a C string without a length and can be silently truncated by embedded NULs.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| wolfcrypt/src/asn.c | Removes parse-time NUL rejection for GeneralName IA5String SANs; documents rationale in-code. |
| wolfcrypt/src/asn_orig.c | Mirrors the same behavior change in the legacy ASN parser. |
| tests/api/test_asn.c | Updates SAN tests to require parse success and verify embedded NUL is preserved in stored altName data. |
| tests/api/test_ossl_x509.h | Registers the new regression test in the ossl_x509 test group. |
| tests/api/test_ossl_x509.c | Adds regression test reproducing curl-311 scenario (good CN, bad SAN with embedded NUL). |
| doc/dox_comments/header_files/ssl.h | Adds API documentation warning about embedded NUL truncation with wolfSSL_X509_get_next_altname(). |
wolfSSL-Fenrir-bot
left a comment
Fenrir Automated Review — PR #10793
Scan targets checked: wolfcrypt-bugs, wolfcrypt-rs-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src
No new issues found in the changed files. ✅
retest this please

retest this please

@wolfSSL-Bot - please review / merge OSP fix prior to this fix
Description
PR #10279 added `DecodeGeneralNameCheckChars`, which returns `ASN_PARSE_E` for an embedded NUL in dNSName/rfc822Name/URI SANs, aborting the whole certificate parse before hostname matching ever runs. This broke cert testing in curl and changed the expected failure mode.

Fixes #10790
Dependency on fix in Python OSP wolfSSL/osp#347
Testing
Checklist
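The truncation problem the description and the new doxygen warning refer to, shown as an added example that is not wolfSSL's code: a constructed dNSName value with an embedded NUL is compared against a host name first by a matcher that treats the SAN as a C string (and so sees only the prefix), then by a length-aware matcher that rejects it. The sample value and both function names are invented for illustration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a dNSName SAN value as it sits in the DER,
 * "good.example.com" (16 bytes), an embedded NUL, then two more bytes.
 * The encoded length is 19; strlen() would report 16. */
static const unsigned char kSanWithNul[] = "good.example.com\0xy";
static const size_t kSanWithNulLen = sizeof(kSanWithNul) - 1; /* 19 */

/* Naive matcher: treats the SAN as a NUL-terminated C string, so the
 * comparison stops at the embedded NUL and only "good.example.com" is
 * compared. This is the hazard a length-less accessor exposes. */
int san_matches_cstr(const unsigned char *san, const char *host)
{
    return strcmp((const char *)san, host) == 0;
}

/* Length-aware matcher: works on the encoded length, refuses any value
 * containing a NUL (never valid in a host name), and requires an exact
 * length match before comparing bytes. */
int san_matches_len(const unsigned char *san, size_t san_len, const char *host)
{
    size_t host_len = strlen(host);

    if (memchr(san, '\0', san_len) != NULL)  /* embedded NUL: mismatch */
        return 0;
    if (san_len != host_len)                 /* prefix/suffix: mismatch */
        return 0;
    return memcmp(san, host, san_len) == 0;
}

int main(void)
{
    const char *host = "good.example.com";

    printf("C-string matcher:     %d\n", san_matches_cstr(kSanWithNul, host));
    printf("length-aware matcher: %d\n",
           san_matches_len(kSanWithNul, kSanWithNulLen, host));
    return 0;
}
```

The first matcher reports a match for the NUL-containing SAN while the second reports a mismatch, which is the verification-time failure the PR restores instead of aborting the parse.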