This patch from Steve Henson seems better and a good candidate for 1.0.2 and
master:

> diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c index
> 26a6f67..9b7ca88 100644
> --- a/crypto/x509v3/v3_ncons.c
> +++ b/crypto/x509v3/v3_ncons.c
> @@ -405,7 +405,7 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING
*base)
> if (dns->length > base->length)
> {
> dnsptr += dns->length - base->length;
> - if (dnsptr[-1] != '.')
> + if (*baseptr != '.' && dnsptr[-1] != '.')
> return X509_V_ERR_PERMITTED_VIOLATION;
> }
>
>
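Review bot: The new condition `*baseptr != '.' && dnsptr[-1] != '.'` carries no comment explaining why a base that begins with '.' is allowed to skip the label-boundary check on `dnsptr[-1]`, and this is the line that decides whether a name falls inside a permitted subtree. A short comment above the `if` would help: when the constraint itself starts with '.', the suffix comparison that follows already includes the separator, while a constraint without a leading dot still needs the preceding character of the name to be '.'. The condition also reads `*baseptr` inside a branch guarded only by `dns->length > base->length`, so it is worth confirming that an empty `base` is handled before this point, since the visible lines do not show it. Test cases covering a constraint with and without the leading dot, against a name that matches only as a raw suffix, would pin down the intended behaviour for both 1.0.2 and master.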
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
