[openssl-dev] [openssl.org #3562] leading dots in nameConstraints ... bug report and patch

Rich Salz via RT rt at openssl.org
Wed Dec 31 17:31:23 UTC 2014


This patch from Steve Henson seems better and a good candidate for 1.0.2 and
master:

> diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c index
> 26a6f67..9b7ca88 100644
> --- a/crypto/x509v3/v3_ncons.c
> +++ b/crypto/x509v3/v3_ncons.c
> @@ -405,7 +405,7 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING
*base)
> if (dns->length > base->length)
> {
> dnsptr += dns->length - base->length;
> - if (dnsptr[-1] != '.')
> + if (*baseptr != '.' && dnsptr[-1] != '.')
> return X509_V_ERR_PERMITTED_VIOLATION;
> }
>
>
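Review bot: the added `*baseptr != '.'` test in the `dns->length > base->length` branch has no comment explaining why a base that starts with a dot may skip the `dnsptr[-1] != '.'` label-boundary check. As written, when the base begins with '.', nothing in this branch checks the character before the matched suffix, so correctness depends entirely on the comparison that follows this hunk covering the base's own leading dot. A short comment to that effect above the `if` would help, as would test cases for a leading-dot base against a name with extra labels, a name equal to the base without its dot, and a name that only shares a trailing substring. The new condition also reads `*baseptr` directly, so it is worth confirming that an empty base cannot reach this branch, since the visible lines do not show that guard.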
--
Rich Salz, OpenSSL dev team; rsalz at openssl.org
