From d9002bb0720a34bc54826396b08c489b2f7d7ccf Mon Sep 17 00:00:00 2001
From: David Garske
Date: Mon, 5 Feb 2018 17:04:50 -0800
Subject: [PATCH] Fix to enforce RFC 5280 Sec 4.2.1.6: "The name MUST NOT be a relative URI". Verifies the URI contains "://". Can be disabled using `WOLFSSL_NO_ASN_STRICT`.
---
 wolfcrypt/src/asn.c | 18 ++++++++++++++++--
 wolfcrypt/src/error.c | 3 +++
 wolfssl/wolfcrypt/error-crypt.h | 1 +
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 15b550bcc..4164bcadf 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -5433,6 +5433,16 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
 }
 length -= (idx - lenStartIdx);
+ #ifndef WOLFSSL_NO_ASN_STRICT
+ /* Verify RFC 5280 Sec 4.2.1.6 rule:
+ "The name MUST NOT be a relative URI" */
+
+ if (XSTRNCMP((const char*)&input[idx], "://", strLen + 1) != 0) {
+ WOLFSSL_MSG("\tAlt Name must be absolute URI");
+ return ASN_ALT_NAME_E;
+ }
+ #endif
+
 uriEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, DYNAMIC_TYPE_ALTNAME);
 if (uriEntry == NULL) {
@@ -6264,8 +6274,9 @@ static int DecodeCertExtensions(DecodedCert* cert)
 cert->extSubjAltNameSet = 1;
 cert->extSubjAltNameCrit = critical;
 #endif
- if (DecodeAltNames(&input[idx], length, cert) < 0)
- return ASN_PARSE_E;
+ ret = DecodeAltNames(&input[idx], length, cert);
+ if (ret < 0)
+ return ret;
 break;
 case AUTH_KEY_OID:
@@ -6335,6 +6346,9 @@ static int DecodeCertExtensions(DecodedCert* cert)
 #ifndef IGNORE_NAME_CONSTRAINTS
 case NAME_CONS_OID:
 #ifndef WOLFSSL_NO_ASN_STRICT
+ /* Verify RFC 5280 Sec 4.2.1.10 rule:
+ "The name constraints extension,
+ which MUST be used only in a CA certificate" */
 if (!cert->ca) {
 WOLFSSL_MSG("Name constraints allowed only for CA certs");
 return ASN_NAME_INVALID_E;
diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c
index add4f6458..7b52791c9 100644
--- a/wolfcrypt/src/error.c
+++ b/wolfcrypt/src/error.c
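Review bot: The new strict check in DecodeAltNames rejects well-formed absolute URIs, because `XSTRNCMP((const char*)&input[idx], "://", strLen + 1) != 0` compares the first bytes of the name against "://" rather than looking for a scheme followed by "://", so a name such as http://host differs at its first byte and returns ASN_ALT_NAME_E; with WOLFSSL_NO_ASN_STRICT off by default this fails verification of any certificate carrying a URI SAN. `input` is raw DER and the name is not NUL-terminated, so a C-string compare bounded by strLen + 1 is the wrong tool here regardless; the name should be scanned over at most strLen bytes. The scan below finds the first ':' (a '/' before it means there is no scheme, i.e. a relative reference) and then requires "//" immediately after it, keeping the same WOLFSSL_NO_ASN_STRICT gate; note that this still rejects scheme-only absolute URIs such as urn: names, which is stricter than RFC 5280 itself but matches the commit's stated intent. DecodeAltNames starts and ends outside the hunk, so I cannot see where strLen is bounded against sz; the scan assumes that check has already happened.
```c
        #ifndef WOLFSSL_NO_ASN_STRICT
            /* Verify RFC 5280 Sec 4.2.1.6 rule:
                "The name MUST NOT be a relative URI" */
            {
                int i;

                /* input is DER, not NUL-terminated: scan at most strLen bytes.
                 * An absolute URI is "<scheme>://...": find the first ':';
                 * a '/' before it means there is no scheme (relative). */
                for (i = 0; i < strLen; i++) {
                    if (input[idx + i] == ':') {
                        break;
                    }
                    if (input[idx + i] == '/') {
                        WOLFSSL_MSG("\tAlt Name must be absolute URI");
                        return ASN_ALT_NAME_E;
                    }
                }

                /* need a non-empty scheme and "//" right after the ':' */
                if (i == 0 || i + 2 >= strLen ||
                    input[idx + i + 1] != '/' || input[idx + i + 2] != '/') {
                    WOLFSSL_MSG("\tAlt Name must be absolute URI");
                    return ASN_ALT_NAME_E;
                }
            }
        #endif

            /* ... unchanged: uriEntry allocation and copy ... */
```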
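Review bot: Returning `ret` unchanged in the SAN case of DecodeCertExtensions means every negative result of DecodeAltNames now reaches the caller, where before this hunk all of them were folded into ASN_PARSE_E; that is the more useful behaviour, but it is a contract change for any call site that tested specifically for ASN_PARSE_E on a malformed subjectAltName, so those call sites are worth checking. A one-line comment on the new assignment would make the intent explicit, e.g. `/* propagate DecodeAltNames' own code (e.g. ASN_ALT_NAME_E) rather than ASN_PARSE_E */`. `ret` is presumably an existing local of DecodeCertExtensions; its declaration, the enclosing switch and the function itself all start and end outside the hunk.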
@@ -206,6 +206,9 @@ const char* wc_GetErrorString(int error)
 case ASN_CRIT_EXT_E:
 return "X.509 Critical extension ignored or invalid";
+ case ASN_ALT_NAME_E:
+ return "ASN alternate name error";
+
 case ECC_BAD_ARG_E :
 return "ECC input argument wrong type, invalid input";
diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h
index 9ca0c1a2b..c047dfec9 100644
--- a/wolfssl/wolfcrypt/error-crypt.h
+++ b/wolfssl/wolfcrypt/error-crypt.h
@@ -97,6 +97,7 @@ enum {
 ASN_DH_KEY_E = -158, /* ASN key init error, invalid input */
 ASN_NTRU_KEY_E = -159, /* ASN ntru key decode error, invalid input */
 ASN_CRIT_EXT_E = -160, /* ASN unsupported critical extension */
+ ASN_ALT_NAME_E = -161, /* ASN alternate name error */
 ECC_BAD_ARG_E = -170, /* ECC input argument of wrong type */
 ASN_ECC_KEY_E = -171, /* ASN ECC bad input */