wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Enforce _X509_CHECK_FLAG_DOT_SUBDOMAINS internal-only

Browse source 
(cherry picked from commit d435e23959f1c2cb4feadbfba9ad884c59f37db9)
This commit is contained in:
Viktor Dukhovni 2014-06-13 23:45:56 -04:00 committed by Dr. Stephen Henson
parent 90d94ce39e
commit cfbc10fb32
1 changed files with 5 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
crypto/x509v3/v3_utl.c
View file

@ -584,13 +584,9 @@ static void skip_prefix(const unsigned char **p, size_t *plen,
* If subject starts with a leading '.' followed by more octets, and * If subject starts with a leading '.' followed by more octets, and
* pattern is longer, compare just an equal-length suffix with the * pattern is longer, compare just an equal-length suffix with the
* full subject (starting at the '.'), provided the prefix contains * full subject (starting at the '.'), provided the prefix contains
* no NULs. (We check again that subject starts with '.' and * no NULs.
* contains at least one subsequent character, just in case the
* internal _X509_CHECK_FLAG_DOT_SUBDOMAINS flag was erroneously
* set by the user).
*/ */
if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0 || if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
subject_len <= 1 || subject[0] != '.')
return; return;
while (pattern_len > subject_len && *pattern) while (pattern_len > subject_len && *pattern)
@ -895,6 +891,9 @@ static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
int alt_type; int alt_type;
int san_present = 0; int san_present = 0;
equal_fn equal; equal_fn equal;
/* See below, this flag is internal-only */
flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
if (check_type == GEN_EMAIL) if (check_type == GEN_EMAIL)
{ {
cnid = NID_pkcs9_emailAddress; cnid = NID_pkcs9_emailAddress;