| commit | 4de5f54e54e9136fdc3cd40f21d2f3d8c3119b0b | [log] [tgz] |
|---|---|---|
| author | David Benjamin <davidben@chromium.org> | Mon Jan 12 11:43:46 2015 -0500 |
| committer | Adam Langley <agl@google.com> | Wed Jan 14 21:53:12 2015 +0000 |
| tree | f987f24314e0a5840ad5daf32144b50bc887e76c | |
| parent | aa3f6daa863dbd476f1cf1009a61621e8bbccd97 [diff] |
RT3662: Allow leading . in nameConstraints Change by SteveH from original by John Denker (in the RT) (Imported from upstream's 77ff1f3b8bfaa348956c5096a2b829f2e767b4f1) Confirmed by inspection of source that this matches mozilla::pkix behavior. See https://mxr.mozilla.org/mozilla-central/source/security/pkix/lib/pkixnames.cpp#939 Change-Id: Ic4e7d011f7c10cbc83e5267550063b0ebe9648fb Reviewed-on: https://boringssl-review.googlesource.com/2848 Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c index 2fb8c98..c42a665 100644 --- a/crypto/x509v3/v3_ncons.c +++ b/crypto/x509v3/v3_ncons.c
@@ -406,7 +406,7 @@ if (dns->length > base->length) { dnsptr += dns->length - base->length; - if (dnsptr[-1] != '.') + if (*baseptr != '.' && dnsptr[-1] != '.') return X509_V_ERR_PERMITTED_VIOLATION; }