x509: nameConstraints sequence does not require a loop
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 5 May 2017 09:21:12 +0000 (11:21 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 29 May 2017 09:05:04 +0000 (11:05 +0200)
Fixes: CVE-2017-9023

src/libstrongswan/plugins/x509/x509_cert.c

index 8f1901d..974e687 100644 (file)
@@ -933,14 +933,13 @@ end:
  * ASN.1 definition of nameConstraints
  */
 static const asn1Object_t nameConstraintsObjects[] = {
-       { 0, "nameConstraints",                 ASN1_SEQUENCE,          ASN1_LOOP                       }, /*  0 */
+       { 0, "nameConstraints",                 ASN1_SEQUENCE,          ASN1_NONE                       }, /*  0 */
        { 1,   "permittedSubtrees",             ASN1_CONTEXT_C_0,       ASN1_OPT|ASN1_LOOP      }, /*  1 */
        { 2,     "generalSubtree",              ASN1_SEQUENCE,          ASN1_BODY                       }, /*  2 */
        { 1,   "end loop",                              ASN1_EOC,                       ASN1_END                        }, /*  3 */
        { 1,   "excludedSubtrees",              ASN1_CONTEXT_C_1,       ASN1_OPT|ASN1_LOOP      }, /*  4 */
        { 2,     "generalSubtree",              ASN1_SEQUENCE,          ASN1_BODY                       }, /*  5 */
        { 1,   "end loop",                              ASN1_EOC,                       ASN1_END                        }, /*  6 */
-       { 0, "end loop",                                ASN1_EOC,                       ASN1_END                        }, /*  7 */
        { 0, "exit",                                    ASN1_EOC,                       ASN1_EXIT                       }
 };
 #define NAME_CONSTRAINT_PERMITTED 2
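Review bot: The index-0 entry now carries ASN1_NONE, but nothing in the table records why a loop on the outer SEQUENCE was wrong, and the title only says it "does not require" one, so a later maintainer could plausibly put ASN1_LOOP back. A trailing comment on that line would pin the reason, e.g. `{ 0, "nameConstraints", ASN1_SEQUENCE, ASN1_NONE }, /*  0 */ /* plain SEQUENCE, not a loop: see CVE-2017-9023 */`. The `/*  N */` index comments and the `#define NAME_CONSTRAINT_PERMITTED 2` directly below (and presumably a sibling define for index 5, not visible here) depend on table positions; since the removed entry was the second-to-last, the indices 0-6 are unchanged, which is worth stating in the commit message so reviewers need not recount. A regression test in the x509 suite that parses a certificate carrying a nameConstraints extension would keep this table shape covered.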