Hi Folks -- I figured out a smarter way to fix the bypass bug ... and potentially make some other things better at the same time.
The idea is to create a structured reference that returns a stack containing the relevant effective name(s) of a given x509 certificate. This means there's a lot of code -- in various places -- that no longer needs to know or care whether the name(s) come from the subjectAltName list or from the common name. The new function is called from the code that checks nameConstraints, but it could usefully be called from elsewhere. In particular, the 'curl' application has about 100 lines of code that could almost all be replaced by a call to the effective_names function.

A first draft of some code to do this can be found at
https://www.av8n.com/openssl/effective-names.diff

Beware that I don't have much experience programming in the openssl environment, so somebody should check this code pretty carefully. I'm calling functions that aren't terribly well documented, so I had to do a lot of reasoning by analogy.

================

There is an associated patch
https://www.av8n.com/openssl/const-get-subject-name.diff
that adds a few 'const' declarations. I reckon 'const' declarations can't hurt and might help.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org