Prior to this we substring matched and allowed a leading .

on a SAN DNSname constraint. This is not correct, as with a DNSname constraint, it may exacly match or match zero or more additional components on the front of the candidte to match. Spotted by Haruto Kimura <hkimura2026@gmail.com> ok tb@ kenjiro@
author: beck <> 2026-04-13 17:04:23 +0000
committer: beck <> 2026-04-13 17:04:23 +0000
commit: cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7 (patch)
tree: efa04762242365a86b1b6bbcc2b67d2f12172f99 /src/lib
parent: d58a3236dc52156e5514e3212cbb63805e90915e (diff)
download: openbsd-cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7.tar.gz
openbsd-cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7.tar.bz2
openbsd-cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7.zip
2 files changed, 26 insertions, 5 deletions
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c
index 0773d2ba71..c4f32c9cfc 100644
--- a/src/lib/libcrypto/x509/x509_constraints.c
+++ b/src/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.32 2023/09/29 15:53:59 beck Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.33 2026/04/13 17:04:23 beck Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@@ -578,11 +578,30 @@ x509_constraints_sandns(char *sandns, size_t dlen, char *constraint, size_t len)
        if (len == 0)
                return 1; /* an empty constraint matches everything */
-        /* match the end of the domain */
        if (dlen < len)
                return 0;
-        suffix = sandns + (dlen - len);
-        return (strncasecmp(suffix, constraint, len) == 0);
+        if (dlen == len)
+                return (strncasecmp(sandns, constraint, len) == 0);
+        /* Support a constraint with a leading "." */
+        if (constraint[0] == '.') {
+                constraint++;
+                len--;
+        }
+        /*
+         * Otherwise we must have at least one extra component
+         * to match, so there must be more than just a leading .
+         */
+        if (dlen - len > 1) {
+                suffix = sandns + (dlen - len);
+                if (suffix[-1] != '.')
+                        return 0;
+                return (strncasecmp(suffix, constraint, len) == 0);
+        }
+        return 0;
 }
 /*
diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h
index 9b9980ece5..e933cd9f2d 100644
--- a/src/lib/libcrypto/x509/x509_internal.h
+++ b/src/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_internal.h,v 1.28 2024/05/19 07:12:50 jsg Exp $ */
+/* $OpenBSD: x509_internal.h,v 1.29 2026/04/13 17:04:23 beck Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@@ -116,6 +116,8 @@ int x509_constraints_valid_host(CBS *cbs, int permit_ip);
 int x509_constraints_valid_sandns(CBS *cbs);
 int x509_constraints_domain(char *domain, size_t dlen, char *constraint,
    size_t len);
+int x509_constraints_sandns(char *domain, size_t dlen, char *constraint,
+    size_t len);
 int x509_constraints_parse_mailbox(CBS *candidate,
    struct x509_constraints_name *name);
 int x509_constraints_valid_domain_constraint(CBS *cbs);
author	beck <>	2026-04-13 17:04:23 +0000
committer	beck <>	2026-04-13 17:04:23 +0000
commit	cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7 (patch)
tree	efa04762242365a86b1b6bbcc2b67d2f12172f99 /src/lib
parent	d58a3236dc52156e5514e3212cbb63805e90915e (diff)
download	openbsd-cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7.tar.gz openbsd-cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7.tar.bz2 openbsd-cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7.zip

diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c index 0773d2ba71..c4f32c9cfc 100644 --- a/src/lib/libcrypto/x509/x509_constraints.c +++ b/src/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_constraints.c,v 1.32 2023/09/29 15:53:59 beck Exp $ */	1	/* $OpenBSD: x509_constraints.c,v 1.33 2026/04/13 17:04:23 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -578,11 +578,30 @@ x509_constraints_sandns(char sandns, size_t dlen, char constraint, size_t len)
578	if (len == 0)	578	if (len == 0)
579	return 1; /* an empty constraint matches everything */	579	return 1; /* an empty constraint matches everything */
580		580
581	/* match the end of the domain */
582	if (dlen < len)	581	if (dlen < len)
583	return 0;	582	return 0;
584	suffix = sandns + (dlen - len);	583
585	return (strncasecmp(suffix, constraint, len) == 0);	584	if (dlen == len)
		585	return (strncasecmp(sandns, constraint, len) == 0);
		586
		587	/* Support a constraint with a leading "." */
		588	if (constraint[0] == '.') {
		589	constraint++;
		590	len--;
		591	}
		592
		593	/*
		594	* Otherwise we must have at least one extra component
		595	* to match, so there must be more than just a leading .
		596	*/
		597	if (dlen - len > 1) {
		598	suffix = sandns + (dlen - len);
		599	if (suffix[-1] != '.')
		600	return 0;
		601	return (strncasecmp(suffix, constraint, len) == 0);
		602	}
		603
		604	return 0;
586	}	605	}
587		606
588	/*	607	/*


diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h index 9b9980ece5..e933cd9f2d 100644 --- a/src/lib/libcrypto/x509/x509_internal.h +++ b/src/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_internal.h,v 1.28 2024/05/19 07:12:50 jsg Exp $ */	1	/* $OpenBSD: x509_internal.h,v 1.29 2026/04/13 17:04:23 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -116,6 +116,8 @@ int x509_constraints_valid_host(CBS *cbs, int permit_ip);
116	int x509_constraints_valid_sandns(CBS *cbs);	116	int x509_constraints_valid_sandns(CBS *cbs);
117	int x509_constraints_domain(char domain, size_t dlen, char constraint,	117	int x509_constraints_domain(char domain, size_t dlen, char constraint,
118	size_t len);	118	size_t len);
		119	int x509_constraints_sandns(char domain, size_t dlen, char constraint,
		120	size_t len);
119	int x509_constraints_parse_mailbox(CBS *candidate,	121	int x509_constraints_parse_mailbox(CBS *candidate,
120	struct x509_constraints_name *name);	122	struct x509_constraints_name *name);
121	int x509_constraints_valid_domain_constraint(CBS *cbs);	123	int x509_constraints_valid_domain_constraint(CBS *cbs);