Fix URI name constraints, allow for URI's with no host part.

Such uri's must be parsed and allowed, but then should
fail if a name constraint is present.

Adds regress testing for this same case.

fixes https://github.com/libressl-portable/openbsd/issues/131

ok tb@

1 files changed, 12 insertions, 3 deletions

diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c
index 533bbbf4ca..c68f282a05 100644
--- a/src/lib/libcrypto/x509/x509_constraints.c
+++ b/src/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.26 2022/03/26 16:34:21 tb Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.27 2022/06/26 11:29:27 beck Exp $ */
 /*
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
  *
@@ -489,8 +489,17 @@ x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostpart)
                         break;
                 }
         }
-        if (authority == NULL)
-                return 0;
+        if (authority == NULL) {
+                /*
+                 * There is no authority, so no host part in this
+                 * URI. This might be ok or might not, but it must
+                 * fail if we run into a name constraint later, so
+                 * we indicate that we have a URI with an empty
+                 * host part, and succeed.
+                 */
+                *hostpart = strdup("");
+                return 1;
+        }
         for (i = authority - uri; i < len; i++) {
                 if (!isascii(uri[i]))
                         return 0;