author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2014-06-13 23:45:56 -0400 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-06-14 22:31:29 +0100 |
commit | 7241a4c7fd821f3469840fa78c5ca7300d6f1edd (patch) | |
tree | 85ec297af5e81d5c0bf0312b275d7e50e9b3f6fe /crypto/x509v3 | |
parent | 3b77f01702cbbb75c7718f876a2053d5a882fe89 (diff) | |
Enforce _X509_CHECK_FLAG_DOT_SUBDOMAINS internal-only
Diffstat (limited to 'crypto/x509v3')
-rw-r--r-- | crypto/x509v3/v3_utl.c | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index 004a1339ea..6e91ac9816 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -584,13 +584,9 @@ static void skip_prefix(const unsigned char **p, size_t *plen,
 	 * If subject starts with a leading '.' followed by more octets, and
 	 * pattern is longer, compare just an equal-length suffix with the
 	 * full subject (starting at the '.'), provided the prefix contains
-	 * no NULs. (We check again that subject starts with '.' and
-	 * contains at least one subsequent character, just in case the
-	 * internal _X509_CHECK_FLAG_DOT_SUBDOMAINS flag was erroneously
-	 * set by the user).
+	 * no NULs.
 	 */
-	if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0 ||
-	    subject_len <= 1 || subject[0] != '.')
+	if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
 		return;
 
 	while (pattern_len > subject_len && *pattern)
@@ -895,6 +891,9 @@ static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
 	int alt_type;
 	int san_present = 0;
 	equal_fn equal;
+
+	/* See below, this flag is internal-only */
+	flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
 	if (check_type == GEN_EMAIL)
 		{
 		cnid = NID_pkcs9_emailAddress;
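Review bot: With the `subject_len <= 1 || subject[0] != '.'` guard dropped from skip_prefix(), the function now silently assumes that whenever `_X509_CHECK_FLAG_DOT_SUBDOMAINS` is set the subject is a '.'-prefixed name of more than one octet, yet nothing in this hunk states that precondition; the second hunk's `/* See below, this flag is internal-only */` is the only hint and it sits in a different function. I would extend the retained comment in skip_prefix() with `Precondition: callers set _X509_CHECK_FLAG_DOT_SUBDOMAINS only for a subject of the form ".domain" (subject_len > 1 and subject[0] == '.'); do_x509_check() clears any caller-supplied copy of the flag on entry.` and, in the do_x509_check() hunk, expand the terse comment to say which code below sets the flag and that a value supplied through the public flags argument must never reach the suffix loop. The loop `while (pattern_len > subject_len && *pattern)` is fine under that invariant, but the masking now happens in exactly one place, so any future entry point that forwards unmasked caller flags into this path would presumably re-open the case the old defensive check covered. Both skip_prefix() and do_x509_check() start and end outside their hunks.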