[Bug]: The value of WOLFSSL_MAX_ALT_NAMES causes an error of ASN_ALT_NAME_E

wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!

https://www.wolfssl.com

GNU General Public License v2.0

2.29k stars 818 forks source link

[Bug]: The value of WOLFSSL_MAX_ALT_NAMES causes an error of ASN_ALT_NAME_E #7756

Closed ycdev1 closed 2 months ago

ycdev1 commented 2 months ago

Contact Details

No response

Version

5.7.2

Description

I updated to version 5.7.2 via vcpkg but I got ASN_ALT_NAME_E error while handshaking YouTube domain (www.youtube.com) The error is generated at this line: https://github.com/wolfSSL/wolfssl/blob/ec9fcf53539755ed3a38e386a00d91478ff357b3/wolfcrypt/src/asn.c#L18986 due to numNames reaching 129 which is larger than WOLFSSL_MAX_ALT_NAMES At this point idx = 2358 and sz = 2460 so there is still 102 bytes to decode

I don't know if numNames reaching 129 is normal and the bug is from the new introduced WOLFSSL_MAX_ALT_NAMES (as per the release notes!) or there is something wrong with the received certificate? The same code is working with previous versions

I tested handshake with different domains, and it is just working.

embhorn commented 2 months ago

Hi @ycdev1

Thanks for reporting this issue. The default value is arbitrary, we were not aware of real-world use cases that employed more than a few alt names in a cert. We will review this and provide an update.

In the mean time, you can redefine WOLFSSL_MAX_ALT_NAMES to a larger value in the configuration as a workaround.

embhorn commented 2 months ago

I was able to reproduce this issue with the example client:

./examples/client/client -h www.youtube.com -p 443 -g -j
In verification callback, error = -188, ASN no signer error to confirm failure
    Peer certs: 3
    Subject's domain name at 2 is GTS Root R1
    Allowing failed certificate check, testing only (shouldn't do this in production)
In verification callback, error = -161, ASN alternate name error
    Peer certs: 3
    Subject's domain name at 0 is *.google.com
    Allowing failed certificate check, testing only (shouldn't do this in production)
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL curve name is SECP256R1
SSL connect ok, sending GET...
HTTP/1.0 200 OK
Date: Thu, 18 Jul 2024 12:36:41 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-wqPUQyP5Se9p2LB8jjL

ColtonWilley commented 2 months ago

Hi @ycdev1

I have put up a PR that should fix this issue for you here: #7762

Please let me know if that works for you.

Thanks, Colton