Merge pull request #9678 from cconlon/otherNameSan

dgarske · web-flow · commit 17401da6ae74 · 2026-01-20T10:56:37.000-08:00
Fix GENERAL_NAME memory management for otherName and RID SANs
diff --git a/src/x509.c b/src/x509.c
@@ -571,7 +571,6 @@ static int wolfssl_dns_entry_othername_to_gn(DNS_entry* dns,
         tag = WOLFSSL_V_ASN1_SEQUENCE;
     }
 
-
     /* Create a WOLFSSL_ASN1_STRING from the DER. */
     str = wolfSSL_ASN1_STRING_type_new(tag);
     if (str == NULL) {
@@ -584,15 +583,23 @@ static int wolfssl_dns_entry_othername_to_gn(DNS_entry* dns,
     if (type == NULL)
         goto err;
     wolfSSL_ASN1_TYPE_set(type, tag, str);
+    str = NULL; /* type now owns str */
+
+    if (wolfSSL_GENERAL_NAME_set_type(gn, WOLFSSL_GEN_OTHERNAME)
+            != WOLFSSL_SUCCESS) {
+        goto err;
+    }
 
     /* Store the object and string in general name. */
     gn->d.otherName->type_id = obj;
     gn->d.otherName->value = type;
+    type = NULL; /* gn->d.otherName owns type */
 
     ret = 1;
 err:
     if (ret != 1) {
         wolfSSL_ASN1_OBJECT_free(obj);
+        wolfSSL_ASN1_TYPE_free(type);
         wolfSSL_ASN1_STRING_free(str);
     }
     return ret;
@@ -602,30 +609,32 @@ static int wolfssl_dns_entry_othername_to_gn(DNS_entry* dns,
 #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)
 static int DNS_to_GENERAL_NAME(WOLFSSL_GENERAL_NAME* gn, DNS_entry* dns)
 {
-    gn->type = dns->type;
-    switch (gn->type) {
+    switch (dns->type) {
         case WOLFSSL_GEN_OTHERNAME:
-                if (!wolfssl_dns_entry_othername_to_gn(dns, gn)) {
-                    WOLFSSL_MSG("OTHERNAME set failed");
-                    return WOLFSSL_FAILURE;
-                }
+            /* Sets gn->type internally */
+            if (!wolfssl_dns_entry_othername_to_gn(dns, gn)) {
+                WOLFSSL_MSG("OTHERNAME set failed");
+                return WOLFSSL_FAILURE;
+            }
             break;
 
         case WOLFSSL_GEN_EMAIL:
         case WOLFSSL_GEN_DNS:
         case WOLFSSL_GEN_URI:
         case WOLFSSL_GEN_IPADD:
         case WOLFSSL_GEN_IA5:
-                gn->d.ia5->length = dns->len;
-                if (wolfSSL_ASN1_STRING_set(gn->d.ia5, dns->name,
-                        gn->d.ia5->length) != WOLFSSL_SUCCESS) {
-                    WOLFSSL_MSG("ASN1_STRING_set failed");
-                    return WOLFSSL_FAILURE;
-                }
-                break;
+            gn->type = dns->type;
+            gn->d.ia5->length = dns->len;
+            if (wolfSSL_ASN1_STRING_set(gn->d.ia5, dns->name,
+                    gn->d.ia5->length) != WOLFSSL_SUCCESS) {
+                WOLFSSL_MSG("ASN1_STRING_set failed");
+                return WOLFSSL_FAILURE;
+            }
+            break;
 
 
         case WOLFSSL_GEN_DIRNAME:
+            gn->type = dns->type;
             /* wolfSSL_GENERAL_NAME_new() mallocs this by default */
             wolfSSL_ASN1_STRING_free(gn->d.ia5);
             gn->d.ia5 = NULL;
@@ -636,6 +645,7 @@ static int DNS_to_GENERAL_NAME(WOLFSSL_GENERAL_NAME* gn, DNS_entry* dns)
 
 #ifdef WOLFSSL_RID_ALT_NAME
         case WOLFSSL_GEN_RID:
+            gn->type = dns->type;
             /* wolfSSL_GENERAL_NAME_new() mallocs this by default */
             wolfSSL_ASN1_STRING_free(gn->d.ia5);
             gn->d.ia5 = NULL;
@@ -2310,9 +2320,9 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c,
                         goto err;
                     }
 
-                    gn->type = dns->type;
-                    switch (gn->type) {
+                    switch (dns->type) {
                         case ASN_DIR_TYPE:
+                            gn->type = dns->type;
                             {
                                 int localIdx = 0;
                                 unsigned char* n = (unsigned char*)XMALLOC(
@@ -2336,12 +2346,14 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c,
                             break;
 
                         case ASN_OTHER_TYPE:
+                            /* gn->type set internally */
                             if (!wolfssl_dns_entry_othername_to_gn(dns, gn)) {
                                 goto err;
                             }
                             break;
 
                         case ASN_IP_TYPE:
+                            gn->type = dns->type;
                             if (wolfSSL_ASN1_STRING_set(gn->d.iPAddress,
                                     dns->name, dns->len) != WOLFSSL_SUCCESS) {
                                 WOLFSSL_MSG("ASN1_STRING_set failed");
@@ -2350,7 +2362,35 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c,
                             gn->d.iPAddress->type = WOLFSSL_V_ASN1_OCTET_STRING;
                             break;
 
+                    #ifdef WOLFSSL_RID_ALT_NAME
+                        case ASN_RID_TYPE:
+                            gn->type = dns->type;
+                            /* Free ia5 before using union for registeredID */
+                            wolfSSL_ASN1_STRING_free(gn->d.ia5);
+                            gn->d.ia5 = NULL;
+
+                            gn->d.registeredID = wolfSSL_ASN1_OBJECT_new();
+                            if (gn->d.registeredID == NULL) {
+                                goto err;
+                            }
+                            gn->d.registeredID->obj =
+                                (const unsigned char*)XMALLOC(dns->len,
+                                    gn->d.registeredID->heap, DYNAMIC_TYPE_ASN1);
+                            if (gn->d.registeredID->obj == NULL) {
+                                goto err;
+                            }
+                            gn->d.registeredID->dynamic |=
+                                WOLFSSL_ASN1_DYNAMIC_DATA;
+                            XMEMCPY((byte*)gn->d.registeredID->obj,
+                                dns->ridString, dns->len);
+                            gn->d.registeredID->objSz = dns->len;
+                            gn->d.registeredID->grp = oidCertExtType;
+                            gn->d.registeredID->nid = WC_NID_registeredAddress;
+                            break;
+                    #endif /* WOLFSSL_RID_ALT_NAME */
+
                         default:
+                            gn->type = dns->type;
                             if (wolfSSL_ASN1_STRING_set(gn->d.dNSName,
                                     dns->name, dns->len) != WOLFSSL_SUCCESS) {
                                 WOLFSSL_MSG("ASN1_STRING_set failed");
@@ -4643,7 +4683,12 @@ int wolfSSL_GENERAL_NAME_set0_othername(WOLFSSL_GENERAL_NAME* gen,
         return WOLFSSL_FAILURE;
     }
 
-    gen->type = WOLFSSL_GEN_OTHERNAME;
+    if (wolfSSL_GENERAL_NAME_set_type(gen, WOLFSSL_GEN_OTHERNAME)
+            != WOLFSSL_SUCCESS) {
+        wolfSSL_ASN1_OBJECT_free(x);
+        return WOLFSSL_FAILURE;
+    }
+
     gen->d.otherName->type_id = x;
     gen->d.otherName->value = value;
     return WOLFSSL_SUCCESS;
@@ -4975,6 +5020,16 @@ int wolfSSL_GENERAL_NAME_set_type(WOLFSSL_GENERAL_NAME* name, int typ)
                 if (name->d.uniformResourceIdentifier == NULL)
                     ret = MEMORY_E;
                 break;
+            case WOLFSSL_GEN_OTHERNAME:
+                name->d.otherName = (WOLFSSL_ASN1_OTHERNAME*)XMALLOC(
+                    sizeof(WOLFSSL_ASN1_OTHERNAME), NULL, DYNAMIC_TYPE_ASN1);
+                if (name->d.otherName == NULL) {
+                    ret = MEMORY_E;
+                }
+                else {
+                    XMEMSET(name->d.otherName, 0, sizeof(WOLFSSL_ASN1_OTHERNAME));
+                }
+                break;
             default:
                 name->type = WOLFSSL_GEN_IA5;
                 name->d.ia5 = wolfSSL_ASN1_STRING_new();
diff --git a/tests/api.c b/tests/api.c
@@ -15548,6 +15548,104 @@ static int test_GENERAL_NAME_set0_othername(void)
     return EXPECT_RESULT();
 }
 
+/* Test RID (Registered ID) GENERAL_NAME creation and freeing */
+static int test_RID_GENERAL_NAME_free(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && defined(WOLFSSL_RID_ALT_NAME)
+    /* RID OID: 1.2.3.4.5 in DER */
+    const unsigned char ridData[] = { 0x06, 0x04, 0x2a, 0x03, 0x04, 0x05 };
+    const unsigned char* p = ridData;
+    GENERAL_NAME* gn = NULL;
+    GENERAL_NAMES* gns = NULL;
+    ASN1_OBJECT* ridObj = NULL;
+
+    /* Create RID ASN1_OBJECT from DER */
+    ExpectNotNull(ridObj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, sizeof(ridData)));
+
+    /* Create GENERAL_NAME and set up as RID */
+    ExpectNotNull(gn = GENERAL_NAME_new());
+    if (gn != NULL) {
+        /* GENERAL_NAME_new allocates ia5, must free before using as RID */
+        gn->type = GEN_RID;
+        wolfSSL_ASN1_STRING_free(gn->d.ia5);
+        gn->d.ia5 = NULL;
+        gn->d.registeredID = ridObj;
+        ridObj = NULL; /* gn owns */
+    }
+    if (EXPECT_FAIL()) {
+        wolfSSL_ASN1_OBJECT_free(ridObj);
+    }
+
+    /* Add to stack */
+    ExpectNotNull(gns = sk_GENERAL_NAME_new(NULL));
+    ExpectIntEQ(sk_GENERAL_NAME_push(gns, gn), 1);
+    if (EXPECT_FAIL()) {
+        GENERAL_NAME_free(gn);
+        gn = NULL;
+    }
+
+    /* Verify RID is set up correctly */
+    ExpectNotNull(gn = sk_GENERAL_NAME_value(gns, 0));
+    ExpectIntEQ(gn->type, GEN_RID);
+    ExpectNotNull(gn->d.registeredID);
+
+    /* Free via sk_GENERAL_NAME_pop_free, exercises type_free for RID */
+    sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free);
+#endif
+    return EXPECT_RESULT();
+}
+
+/* Test RID (Registered ID) SAN parsing via X509_get_ext_d2i().
+ * Uses rid-cert.der which contains a RID SAN with OID 1.2.3.4.5. This tests
+ * that ASN_RID_TYPE case in wolfSSL_X509_get_ext_d2i() frees ia5 before
+ * allocating registeredID. */
+static int test_RID_X509_get_ext_d2i(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && defined(WOLFSSL_RID_ALT_NAME) && \
+    !defined(NO_RSA) && !defined(NO_FILESYSTEM)
+    int i;
+    int numNames;
+    int foundRID = 0;
+    const char* ridCert = "./certs/rid-cert.der";
+    X509* x509 = NULL;
+    GENERAL_NAMES* gns = NULL;
+    GENERAL_NAME* gn = NULL;
+    XFILE f = XBADFILE;
+
+    ExpectTrue((f = XFOPEN(ridCert, "rb")) != XBADFILE);
+    ExpectNotNull(x509 = d2i_X509_fp(f, NULL));
+    if (f != XBADFILE) {
+        XFCLOSE(f);
+        f = XBADFILE;
+    }
+
+    /* Get SANs, will exercise ASN_RID_TYPE case */
+    ExpectNotNull(gns = (GENERAL_NAMES*)X509_get_ext_d2i(x509,
+        NID_subject_alt_name, NULL, NULL));
+
+    /* rid-cert.der contains: UPN, RID (1.2.3.4.5), DNS, URI, othername */
+    numNames = sk_GENERAL_NAME_num(gns);
+    ExpectIntGE(numNames, 2);
+
+    for (i = 0; i < numNames; i++) {
+        gn = sk_GENERAL_NAME_value(gns, i);
+        if (gn != NULL && gn->type == GEN_RID) {
+            ExpectNotNull(gn->d.registeredID);
+            foundRID = 1;
+            break;
+        }
+    }
+    ExpectIntEQ(foundRID, 1);
+
+    /* Free via sk_GENERAL_NAME_pop_free, exercises type_free for RID */
+    sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free);
+    X509_free(x509);
+#endif
+    return EXPECT_RESULT();
+}
+
 /* Note the lack of wolfSSL_ prefix...this is a compatibility layer test. */
 static int test_othername_and_SID_ext(void)
 {
@@ -31205,6 +31303,8 @@ TEST_CASE testCases[] = {
     TEST_OSSL_X509_LOOKUP_DECLS,
 
     TEST_DECL(test_GENERAL_NAME_set0_othername),
+    TEST_DECL(test_RID_GENERAL_NAME_free),
+    TEST_DECL(test_RID_X509_get_ext_d2i),
     TEST_DECL(test_othername_and_SID_ext),
     TEST_DECL(test_wolfSSL_dup_CA_list),
     /* OpenSSL sk_X509 API test */
