Relax the check of x509_constraints_dirname()libressl-v3.5.1

The dirname constraint must be a prefix in DER format, so relax the check from requiring equal-length strings to allow shorter names also. From Alex Wilson ok jsing
author: tb <> 2022-03-13 17:23:02 +0000
committer: tb <> 2022-03-13 17:23:02 +0000
commit: d8939cfb3c750558be9e0279cf52acc92ab44253 (patch)
tree: 7ab1e8a45d24aedd0d5523270e025e3f73f0d89d
parent: cacd465b56ae37f22e36fbddae712760c3cf7cf8 (diff)
download: openbsd-d8939cfb3c750558be9e0279cf52acc92ab44253.tar.gz
openbsd-d8939cfb3c750558be9e0279cf52acc92ab44253.tar.bz2
openbsd-d8939cfb3c750558be9e0279cf52acc92ab44253.zip
1 files changed, 6 insertions, 2 deletions
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c
index 6cea794560..27d87d4c11 100644
--- a/src/lib/libcrypto/x509/x509_constraints.c
+++ b/src/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.22 2022/03/13 16:25:58 tb Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.23 2022/03/13 17:23:02 tb Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@@ -636,7 +636,11 @@ int
 x509_constraints_dirname(uint8_t *dirname, size_t dlen,
    uint8_t *constraint, size_t len)
 {
-        if (len != dlen)
+        /*
+         * The constraint must be a prefix in DER format, so it can't be
+         * longer than the name it is checked against.
+         */
+        if (len > dlen)
                return 0;
        return (memcmp(constraint, dirname, len) == 0);
 }
author	tb <>	2022-03-13 17:23:02 +0000
committer	tb <>	2022-03-13 17:23:02 +0000
commit	d8939cfb3c750558be9e0279cf52acc92ab44253 (patch)
tree	7ab1e8a45d24aedd0d5523270e025e3f73f0d89d
parent	cacd465b56ae37f22e36fbddae712760c3cf7cf8 (diff)
download	openbsd-d8939cfb3c750558be9e0279cf52acc92ab44253.tar.gz openbsd-d8939cfb3c750558be9e0279cf52acc92ab44253.tar.bz2 openbsd-d8939cfb3c750558be9e0279cf52acc92ab44253.zip