diff options
| author | tb <> | 2022-03-14 21:29:46 +0000 |
|---|---|---|
| committer | tb <> | 2022-03-14 21:29:46 +0000 |
| commit | 4921127200b0c3cff9bc154e1c31a9ae8681333c (patch) | |
| tree | aa0db8760b1b15dbfcf97f4001a426913f036f02 | |
| parent | e4f8fb22773f4dee1da3875ddc02bfcfa39198f4 (diff) | |
| download | openbsd-4921127200b0c3cff9bc154e1c31a9ae8681333c.tar.gz openbsd-4921127200b0c3cff9bc154e1c31a9ae8681333c.tar.bz2 openbsd-4921127200b0c3cff9bc154e1c31a9ae8681333c.zip | |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of
accepting any email address from a host by prefixing an email name
constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
| -rw-r--r-- | src/lib/libcrypto/x509/x509_constraints.c | 27 |
1 files changed, 17 insertions, 10 deletions
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c index 6e88a94189..4f24277918 100644 --- a/src/lib/libcrypto/x509/x509_constraints.c +++ b/src/lib/libcrypto/x509/x509_constraints.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_constraints.c,v 1.24 2022/03/14 21:15:49 tb Exp $ */ | 1 | /* $OpenBSD: x509_constraints.c,v 1.25 2022/03/14 21:29:46 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -938,17 +938,24 @@ x509_constraints_validate(GENERAL_NAME *constraint, | |||
| 938 | name->type = GEN_DNS; | 938 | name->type = GEN_DNS; |
| 939 | break; | 939 | break; |
| 940 | case GEN_EMAIL: | 940 | case GEN_EMAIL: |
| 941 | if (memchr(bytes, '@', len) != NULL) { | 941 | if (len > 0 && memchr(bytes + 1, '@', len - 1) != NULL) { |
| 942 | if (!x509_constraints_parse_mailbox(bytes, len, name)) | 942 | if (!x509_constraints_parse_mailbox(bytes, len, name)) |
| 943 | goto err; | 943 | goto err; |
| 944 | } else { | 944 | break; |
| 945 | if (!x509_constraints_valid_domain_constraint(bytes, | 945 | } |
| 946 | len)) | 946 | /* |
| 947 | goto err; | 947 | * Mail constraints of the form @domain.com are accepted by |
| 948 | if ((name->name = strdup(bytes)) == NULL) { | 948 | * OpenSSL and Microsoft. |
| 949 | error = X509_V_ERR_OUT_OF_MEM; | 949 | */ |
| 950 | goto err; | 950 | if (len > 0 && bytes[0] == '@') { |
| 951 | } | 951 | bytes++; |
| 952 | len--; | ||
| 953 | } | ||
| 954 | if (!x509_constraints_valid_domain_constraint(bytes, len)) | ||
| 955 | goto err; | ||
| 956 | if ((name->name = strdup(bytes)) == NULL) { | ||
| 957 | error = X509_V_ERR_OUT_OF_MEM; | ||
| 958 | goto err; | ||
| 952 | } | 959 | } |
| 953 | name->type = GEN_EMAIL; | 960 | name->type = GEN_EMAIL; |
| 954 | break; | 961 | break; |