authorViktor Dukhovni <openssl-users@dukhovni.org>2018-05-22 01:09:25 -0400
committerViktor Dukhovni <openssl-users@dukhovni.org>2018-05-23 11:12:17 -0400
commit55a6250f1e7336e8a7d89fb609eb23398715ff6f (patch)
tree06575da5e57dc6bd8c1cef488c655df0e79cd4f5 /crypto/x509v3/v3_ncons.c
parentd02d80b2e80adfdde49f76cf7c7af4e013f45005 (diff)
Skip CN DNS name constraint checks when not needed
Only check the CN against DNS name constraints if the `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the certificate has no DNS subject alternative names or the `X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set. Add pertinent documentation, and touch up some stale text about name checks and DANE. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'crypto/x509v3/v3_ncons.c')
-rw-r--r--crypto/x509v3/v3_ncons.c31
1 files changed, 8 insertions, 23 deletions
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 77edcd4dfb..dea6c6c8af 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -299,9 +299,9 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)
{
- int utf8_length; /* Return type of ASN1_STRING_to_UTF8 */
- int i;
+ int utf8_length;
unsigned char *utf8_value;
+ int i;
int isdnsname = 0;
/* Don't leave outputs uninitialized */
@@ -337,8 +337,10 @@ static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)
--utf8_length;
/* Reject *embedded* NULs */
- if ((size_t)utf8_length != strlen((char *)utf8_value))
- return X509_V_ERR_UNSPECIFIED;
+ if ((size_t)utf8_length != strlen((char *)utf8_value)) {
+ OPENSSL_free(utf8_value);
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+ }
/*
* XXX: Deviation from strict DNS name syntax, also check names with '_'
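Review bot: The embedded-NUL path now returns X509_V_ERR_UNSUPPORTED_NAME_SYNTAX instead of X509_V_ERR_UNSPECIFIED, and together with the added OPENSSL_free(utf8_value) this is a behaviour change the commit message does not mention; anything mapping verification error codes (callers, tests) may depend on the old value, so it deserves a line in the message. A short comment above the check would also help the next reader, e.g. `/* Embedded NUL: release the UTF-8 copy and report the name as unsupported syntax */`. cn2dnsid starts before this hunk, so I cannot see whether other early returns between ASN1_STRING_to_UTF8 and this point also free utf8_value; worth confirming they do, since this fix suggests the ownership rule was easy to miss.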
@@ -389,14 +391,12 @@ static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)
}
/*
- * Check CN against DNS-ID name constraints, provided no DNS-ID
- * subjectAlternativeName values are present in the certificate.
+ * Check CN against DNS-ID name constraints.
*/
int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
{
int r, i;
- GENERAL_NAMES *gens = NULL;
- X509_NAME *nm;
+ X509_NAME *nm = X509_get_subject_name(x);
ASN1_STRING stmp;
GENERAL_NAME gntmp;
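Review bot: The shortened header comment on NAME_CONSTRAINTS_check_CN no longer tells a reader that the "skip when DNS SANs are present" decision has left this function, so a caller that invokes it unconditionally will now apply DNS name constraints to every commonName even when the certificate carries DNS subjectAltNames. Suggest stating the contract explicitly in the comment: `Check CN against DNS-ID name constraints. The caller decides whether the CN should be checked at all (per the X509_CHECK_FLAG_*_CHECK_SUBJECT flags and the presence of DNS SANs); this function checks every commonName attribute unconditionally.` The body of NAME_CONSTRAINTS_check_CN continues past this hunk.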
@@ -405,21 +405,6 @@ int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
gntmp.type = GEN_DNS;
gntmp.d.dNSName = &stmp;
- gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
- if (gens != NULL) {
- for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
- GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i);
-
- if (gen->type == GEN_DNS) {
- GENERAL_NAMES_free(gens);
- return X509_V_OK;
- }
- }
- GENERAL_NAMES_free(gens);
- }
-
- nm = X509_get_subject_name(x);
-
/* Process any commonName attributes in subject name */
for (i = -1;;) {