In the --x509-username-field extension, we handle the subject string as if it is a C string. Make this assumption explicit and reject incompatible ASN.1 string types.
Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com> --- src/openvpn/ssl_verify_mbedtls.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index d3b36dc..838c217 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -267,6 +267,14 @@ asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct gc_arena *gc) size_t i; char *val; + if (!(orig->tag == MBEDTLS_ASN1_UTF8_STRING + || orig->tag == MBEDTLS_ASN1_PRINTABLE_STRING + || orig->tag == MBEDTLS_ASN1_IA5_STRING)) + { + /* Only support C-string compatible types */ + return string_alloc("ERROR: unsupported ASN.1 string type", gc); + } + for (i = 0; i < orig->len; ++i) { if (orig->p[i] == '\0') -- 2.7.4
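Review bot: The new early return in asn1_buf_to_c_string() reports the failure in-band, as an ordinary non-NULL string ("ERROR: unsupported ASN.1 string type"), so a caller cannot tell a rejected tag from a field whose value really is that text. Since the commit message says this value feeds --x509-username-field, consider making the rejection distinguishable, for example by returning NULL or using an out-parameter for the status, and having the callers fail the lookup instead of passing the string on. The comment "Only support C-string compatible types" could also say why exactly MBEDTLS_ASN1_UTF8_STRING, MBEDTLS_ASN1_PRINTABLE_STRING and MBEDTLS_ASN1_IA5_STRING are the accepted tags, and a log line carrying the rejected orig->tag would help an operator work out why a certificate's field was refused.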