Rewrite name constraints matching with CBS. See also 8393de42498f8be75cf0353f5c9f906a43a748d2 from upstream and CBS-2021-3712. But rather than do that, I've rewritten it with CBS, so it's a bit clearer. The previous commit added tests. Change-Id: Ie52e28f07b9bf805c8730eab7be5d40cb5d558b6 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49008 Reviewed-by: Adam Langley <agl@google.com>

commit: b27438e1268d3ef645c6f8ce10c184bb7d57825d [log] [tgz]
author: David Benjamin <davidben@google.com> Tue Aug 24 14:24:38 2021 -0400
committer: Adam Langley <agl@google.com> Wed Aug 25 14:34:56 2021 +0000
tree: b4bd4b4f7e036a93976f89b15aef094648cfe7aa
parent: 04601b026a5d3212a8fa00c1c06c28b7474c9cfe [diff] [blame]
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index d897ff5..728bf7a 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc

@@ -1557,6 +1557,9 @@
        X509_V_ERR_PERMITTED_VIOLATION},
       {GEN_DNS, "foo.example.com", ".unrelated.much.longer.name.example",
        X509_V_ERR_PERMITTED_VIOLATION},
+      // NUL bytes, if not rejected, should not confuse the matching logic.
+      {GEN_DNS, std::string({'a', '\0', 'a'}), std::string({'a', '\0', 'b'}),
+       X509_V_ERR_PERMITTED_VIOLATION},
 
       // Names must be emails.
       {GEN_EMAIL, "not-an-email.example", "not-an-email.example",
commit	b27438e1268d3ef645c6f8ce10c184bb7d57825d	[log] [tgz]
author	David Benjamin <davidben@google.com>	Tue Aug 24 14:24:38 2021 -0400
committer	Adam Langley <agl@google.com>	Wed Aug 25 14:34:56 2021 +0000
tree	b4bd4b4f7e036a93976f89b15aef094648cfe7aa
parent	04601b026a5d3212a8fa00c1c06c28b7474c9cfe [diff] [blame]