Add modified certificate DNS check

[KarthikaRajendran11]

No description provided.

[rubens21]

@KarthikaRajendran11 , these variables' names could be more meaningful. The current ones make it hard to follow the logic.

[DaveTuchlinsky]

Has this been tested with multiple DNS names in the certificate? For example, SingleDigits contains 3af521.net, *.3af521.net, 3af521.com, *.3af521.com in the SAN.

[KarthikaRajendran11]

Has this been tested with multiple DNS names in the certificate? For example, SingleDigits contains 3af521.net, *.3af521.net, 3af521.com, *.3af521.com in the SAN.

If the host name returned by the script is idp.3af521.net, then it will match only to *.3af521.net and idp.3af521.net
It wont match for idp.3af521.com or *.3af521.com

[dave-greenfieldlabs]

Add null checks for the certDNS, and scriptHostName pointers. Initialize each variable (pos, modifiedScriptHostName, and result) to a known value, specifically NULL.

[dave-greenfieldlabs]

(1) Use calloc() instead (it creates a zero'd memory buffer instead of random bytes that malloc gives you).
(2) Check for memory allocation failures. Specifically malloc/calloc return NULL when the system is out of memory, check for this, and bail.
(3) You can eliminate L646 as well, since the array will be all zeros.

[dave-greenfieldlabs]

Remove (per earlier comment)

[dave-greenfieldlabs]

modifiedScriptHostName is an attacker (think "specially crafted malicious certificate") controlled. Let's not print out the certificate info, unless we REALLY need to.

[dave-greenfieldlabs]

Again, use calloc() here, and check for out of memory conditions.

[dave-greenfieldlabs]

My preferred way to code this would be. It's less likely to leak memory as changes are made to the code base over time.

if (strlen(...) == strlen(...)....) {
ret = 1
} else {
ret = 0
}

if (result) {
free(result);
result = NULL;
}

if (modifiedScriptHostName) {
free(modifiedScriptHostName);
modifiedScriptHostName = NULL;
}

return ret;

[dave-greenfieldlabs]

Remove the +1 at the end, since calloc will give you a zero'd array. If for some reason modifiedScriptHostName isn't null terminated, then you're not corrupting the result buffer along the way. This guarantees that result will be null terminated.

[dave-greenfieldlabs]

Have you considered the following certificate/DNS testing issues?
Please read https://datatracker.ietf.org/doc/html/rfc6125#section-6.4

• DNS comparisons are case insensitive ASCII, the code looks like idp.EXAMPLE.COM won't match to *.example.com and it should.
• Wildcard certificates cannot match on strings like "bar.*.example.net". Only the first level should be compared.
• Internationalized Domain Names have special rules, and pre-processing requirements.

[DaveTuchlinsky]

Why was this certificate removed?

[KarthikaRajendran11]

It is not being used in any tests. They are just allocating it and freeing

[DaveTuchlinsky]

Why is this in the match->exact block? If it must be here, then please include a comment on why since it mutates the expected behaviour of an exact match.

[KarthikaRajendran11]

This is the original code format. If match->exact is set it means we have found a host/DNS (the script has returned a valid host).

[DaveTuchlinsky]

This func is not copy. It is allocating & concatenating.

[dave-greenfieldlabs]

Off by one error, should be strlen(s1)+strlen(s2)+1.

[dave-greenfieldlabs]

Should be the first boolean test made.

[dave-greenfieldlabs]

Dangerous, this breaks the schematics of the function. Returning s2 doesn't return a deep copy (or clone) of s2, but a pointer to s2. Doing do would cause the memory to be improperly deallocated as shown below...

char* mynewstring = copy("Foo", "Bar");
// use mynewstring for a while, then deallocate it.
free(mynewstring);
mynewstring=NULL;

char* thisisbad = copy(NULL, "Foo");
// use thisisbad
free(thisisbad);  // Attempt to free the pointer to the string "Foo" which ISN'T heap allocated.

You should allocate new memory for "Foo" from the heap (with calloc) and then copy it over.

[dave-greenfieldlabs]

Where is result free'd? What happens if it's NULL?

[KarthikaRajendran11]

append is called from compareWithModifiedHostname and calculateLenOfLabel (which is called from compareWithModifiedHostname). NULL check is done in compareWithModifiedHostname. And the memory used is also freed in compareWithModifiedHostname. modifiedHostName, pattern, lenRegex are the variables that are results of append. They are freed in compareWithModifiedHostname.

[dave-greenfieldlabs]

instead of using 100 the constant, should be sizeof(buffer) instead

[dave-greenfieldlabs]

Off by 1, lenOfFirstPortion + 1

[dave-greenfieldlabs]

Where does result get free()'d

[dave-greenfieldlabs]

Buffer overflow here. len can (in general) be the size of an integer. So you need more than 3 bytes to store a 32-bit decimal value.

[dave-greenfieldlabs]

Is 3 really what we want?

[dave-greenfieldlabs]

Karthika, there is a much safer memory pattern to use here. The reason for the pattern below is that it keeps all memory deallocations in one place for better readability, and better maintainability. This is 'C' version of exception handling (sort of). Consider the following pattern...

char* firstPorCertDNS = NULL;
char* firstPorHostName = NULL;
char* modifiedHostName = NULL;
int retcode = ERROR;

....
do stuff
....
if (I detected and error) {
  goto cleanup;
}

... do more stuff ...
   retcode = 1;

   return retcode;

cleanup:
  if (firstPorCertDNS != NULL) {
    free(firstPorCertDNS);
    firstPorCertDNS = NULL;
  }

  if (firstPorHostName != NULL) {
    free(firstPorHostName);
    firstPorHostName = NULL;
  }
 
  if (modifiedHostName != NULL) {
    free(modifiedHostName);
    modifiedHostName = NULL;
  }
  
  return retcode;
}

[DaveTuchlinsky]

Unneeded & spacing below is off. Labels are outdented.