@@ -19956,6 +19956,75 @@ int wolfssl_local_MatchBaseName(int type, const char* name, int nameSz,
1995619956 return 1;
1995719957}
1995819958
19959+ static int MatchUriNameConstraint(const char* uri, int uriSz, const char* base,
19960+ int baseSz)
19961+ {
19962+ const char* hostStart;
19963+ const char* hostEnd;
19964+ const char* p;
19965+ const char* uriEnd;
19966+ int hostSz;
19967+
19968+ if (uri == NULL || uriSz <= 0 || base == NULL || baseSz <= 0) {
19969+ return 0;
19970+ }
19971+
19972+ uriEnd = uri + uriSz;
19973+ hostStart = NULL;
19974+ for (p = uri; p < uriEnd - 2; p++) {
19975+ if (p[0] == ':' && p[1] == '/' && p[2] == '/') {
19976+ hostStart = p + 3;
19977+ break;
19978+ }
19979+ }
19980+ if (hostStart == NULL || hostStart >= uriEnd) {
19981+ return 0;
19982+ }
19983+
19984+ for (p = hostStart; p < uriEnd; p++) {
19985+ if (*p == '@') {
19986+ hostStart = p + 1;
19987+ break;
19988+ }
19989+ if (*p == '/' || *p == '?' || *p == '#') {
19990+ break;
19991+ }
19992+ if (*p == '[') {
19993+ break;
19994+ }
19995+ }
19996+ if (hostStart >= uriEnd) {
19997+ return 0;
19998+ }
19999+
20000+ if (*hostStart == '[') {
20001+ hostStart++;
20002+ hostEnd = hostStart;
20003+ while (hostEnd < uriEnd && *hostEnd != ']') {
20004+ hostEnd++;
20005+ }
20006+ if (hostEnd >= uriEnd) {
20007+ return 0;
20008+ }
20009+ hostSz = (int)(hostEnd - hostStart);
20010+ }
20011+ else {
20012+ hostEnd = hostStart;
20013+ while (hostEnd < uriEnd && *hostEnd != ':' && *hostEnd != '/' &&
20014+ *hostEnd != '?' && *hostEnd != '#') {
20015+ hostEnd++;
20016+ }
20017+ hostSz = (int)(hostEnd - hostStart);
20018+ }
20019+
20020+ if (hostSz <= 0) {
20021+ return 0;
20022+ }
20023+
20024+ return wolfssl_local_MatchBaseName(ASN_DNS_TYPE, hostStart, hostSz, base,
20025+ baseSz);
20026+ }
20027+
1995920028/* Check if IP address matches a name constraint.
1996020029 * IP name constraints contain IP address and subnet mask.
1996120030 * IPv4: ip is 4 bytes, constraint is 8 bytes (4 IP + 4 mask)
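Review bot: The `[` branch at new lines 20000-20010 accepts any bracketed text as the host, so a URI like `http://[example.com]/` (constructed example) is compared as the DNS host `example.com` and would satisfy a permitted base of `example.com`, although a bracketed host can only be an IP literal, which a DNS-style base cannot meaningfully match; consider returning 0 from that branch or checking the bracketed text is an IP literal before matching, and confirm that the resulting "no match" outcome in IsInExcludedList is the intended policy. Separately, the scheme scan at 19974 computes `uriEnd - 2` even when uriSz is 1 or 2, which forms a pointer before the buffer; tightening the guard to `if (uri == NULL || uriSz < 3 || base == NULL || baseSz <= 0)` avoids that. The function also lacks a header comment, unlike the IP-constraint helper right below it; suggest `/* Match the host part of a URI (scheme://[userinfo@]host[:port]...) against a DNS-style name constraint. Returns 1 on match, 0 otherwise, including for URIs with no authority component, which the callers treat as not permitted and not excluded. */`.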
@@ -20019,6 +20088,13 @@ static int PermittedListOk(DNS_entry* name, Base_entry* dnsList, byte nameType)
2001920088 break;
2002020089 }
2002120090 }
20091+ else if (nameType == ASN_URI_TYPE) {
20092+ if (MatchUriNameConstraint(name->name, name->len,
20093+ current->name, current->nameSz)) {
20094+ match = 1;
20095+ break;
20096+ }
20097+ }
2002220098 else if (name->len >= current->nameSz &&
2002320099 wolfssl_local_MatchBaseName(nameType, name->name, name->len,
2002420100 current->name, current->nameSz)) {
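Review bot: The new `ASN_URI_TYPE` branch at new lines 20091-20097 reaches wolfssl_local_MatchBaseName (through MatchUriNameConstraint) without the `name->len >= current->nameSz` guard that the generic branch directly below applies, so the extracted host may be shorter than the constraint; wolfssl_local_MatchBaseName must therefore tolerate nameSz < baseSz, which is not visible here and should be confirmed. The same applies to the IsInExcludedList hunk at 20138-20144. If it does not, the cheapest fix is to reject short hosts inside MatchUriNameConstraint before the final call, e.g. `if (hostSz <= 0 || hostSz < baseSz) { return 0; }`. PermittedListOk begins outside the hunk.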
@@ -20059,6 +20135,13 @@ static int IsInExcludedList(DNS_entry* name, Base_entry* dnsList, byte nameType)
2005920135 break;
2006020136 }
2006120137 }
20138+ else if (nameType == ASN_URI_TYPE) {
20139+ if (MatchUriNameConstraint(name->name, name->len,
20140+ current->name, current->nameSz)) {
20141+ ret = 1;
20142+ break;
20143+ }
20144+ }
2006220145 else if (name->len >= current->nameSz &&
2006320146 wolfssl_local_MatchBaseName(nameType, name->name, name->len,
2006420147 current->name, current->nameSz)) {
@@ -20076,7 +20159,7 @@ static int IsInExcludedList(DNS_entry* name, Base_entry* dnsList, byte nameType)
2007620159static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
2007720160{
2007820161 const byte nameTypes[] = {ASN_RFC822_TYPE, ASN_DNS_TYPE, ASN_DIR_TYPE,
20079- ASN_IP_TYPE};
20162+ ASN_IP_TYPE, ASN_URI_TYPE };
2008020163 int i;
2008120164
2008220165 if (signer == NULL || cert == NULL)
@@ -20137,6 +20220,9 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
2013720220 subjectDnsName.name = (char *)cert->subjectRaw;
2013820221 }
2013920222 break;
20223+ case ASN_URI_TYPE:
20224+ name = cert->altNames;
20225+ break;
2014020226 default:
2014120227 /* Other types of names are ignored for now.
2014220228 * Shouldn't it be rejected if it there is a altNamesByType[nameType]