Enforce _X509_CHECK_FLAG_DOT_SUBDOMAINS internal-only

(Imported from upstream's cfbc10fb327cf8535d6e9b402d1d03140d23d753)
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index 10b3d6b..f3d9269 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -591,13 +591,9 @@
 	 * If subject starts with a leading '.' followed by more octets, and
 	 * pattern is longer, compare just an equal-length suffix with the
 	 * full subject (starting at the '.'), provided the prefix contains
-	 * no NULs.  (We check again that subject starts with '.' and
-	 * contains at least one subsequent character, just in case the
-	 * internal _X509_CHECK_FLAG_DOT_SUBDOMAINS flag was erroneously
-	 * set by the user).
+	 * no NULs.
 	 */
-	if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0 ||
-	    subject_len <= 1 || subject[0] != '.')
+	if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
 		return;
 
 	while (pattern_len > subject_len && *pattern)
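Review bot: With the `subject_len <= 1 || subject[0] != '.'` test removed, the early return checks only the flag, so the suffix comparison that follows trusts every caller to set `_X509_CHECK_FLAG_DOT_SUBDOMAINS` only for a subject that starts with '.' and has more octets after it. If the flag ever arrives with any other subject, an equal-length suffix of the pattern would be compared against it, which loosens name matching. The shortened comment should state that precondition, for example `* Callers must set _X509_CHECK_FLAG_DOT_SUBDOMAINS only when subject_len > 1 and subject[0] == '.'.`, so the dependency on the mask added in the second hunk is visible here. The enclosing function starts and ends outside the hunk, so other paths that reach it cannot be checked from this page.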
@@ -903,6 +899,9 @@
 	int alt_type;
 	int san_present = 0;
 	equal_fn equal;
+
+	/* See below, this flag is internal-only */
+	flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
 	if (check_type == GEN_EMAIL)
 		{
 		cnid = NID_pkcs9_emailAddress;
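Review bot: The comment `/* See below, this flag is internal-only */` on the new mask does not say what the mask protects, and the code it points to is outside the hunk. Because the first hunk drops the subject re-check, this line is the only visible barrier against a caller-supplied flag, so I would spell that out: `/* Internal-only flag: drop any caller-supplied value, the prefix-skip code no longer re-validates the subject */`. A blank line after the assignment, before `if (check_type == GEN_EMAIL)`, would also keep the sanitising step visually separate from the type dispatch. The function continues past the hunk, so it should be confirmed that every public entry point that accepts `flags` passes through this mask.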