diff options
| author | David Benjamin <davidben@chromium.org> | 2015-01-12 19:43:46 +0300 |
|---|---|---|
| committer | Adam Langley <agl@google.com> | 2015-01-15 00:53:12 +0300 |
| commit | 4de5f54e54e9136fdc3cd40f21d2f3d8c3119b0b (patch) | |
| tree | f987f24314e0a5840ad5daf32144b50bc887e76c /crypto | |
| parent | aa3f6daa863dbd476f1cf1009a61621e8bbccd97 (diff) | |
RT3662: Allow leading . in nameConstraints
Change by SteveH from original by John Denker (in the RT)
(Imported from upstream's 77ff1f3b8bfaa348956c5096a2b829f2e767b4f1)
Confirmed by inspection of source that this matches mozilla::pkix behavior. See
https://mxr.mozilla.org/mozilla-central/source/security/pkix/lib/pkixnames.cpp#939
Change-Id: Ic4e7d011f7c10cbc83e5267550063b0ebe9648fb
Reviewed-on: https://boringssl-review.googlesource.com/2848
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/x509v3/v3_ncons.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c index 2fb8c983..c42a6656 100644 --- a/crypto/x509v3/v3_ncons.c +++ b/crypto/x509v3/v3_ncons.c @@ -406,7 +406,7 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base) if (dns->length > base->length) { dnsptr += dns->length - base->length; - if (dnsptr[-1] != '.') + if (*baseptr != '.' && dnsptr[-1] != '.') return X509_V_ERR_PERMITTED_VIOLATION; } |