Prior to this we substring matched and allowed a leading .

on a SAN DNSname constraint. This is not correct, as with a DNSname constraint, it may exacly match or match zero or more additional components on the front of the candidte to match. Spotted by Haruto Kimura <hkimura2026@gmail.com> ok tb@ kenjiro@
author: beck <> 2026-04-13 17:04:23 +0000
committer: beck <> 2026-04-13 17:04:23 +0000
commit: cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7 (patch)
tree: efa04762242365a86b1b6bbcc2b67d2f12172f99 /src/regress/lib/libcrypto
parent: d58a3236dc52156e5514e3212cbb63805e90915e (diff)
download: openbsd-cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7.tar.gz
openbsd-cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7.tar.bz2
openbsd-cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7.zip
1 files changed, 49 insertions, 2 deletions
diff --git a/src/regress/lib/libcrypto/x509/constraints.c b/src/regress/lib/libcrypto/x509/constraints.c
index 16e135bb44..54bb654a31 100644
--- a/src/regress/lib/libcrypto/x509/constraints.c
+++ b/src/regress/lib/libcrypto/x509/constraints.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: constraints.c,v 1.18 2023/12/13 05:59:50 tb Exp $     */
+/*      $OpenBSD: constraints.c,v 1.19 2026/04/13 17:04:23 beck Exp $   */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@@ -558,7 +558,54 @@ test_constraints1(void)
                failure = 1;
                goto done;
        }
+        c = "openbsd.org";
+        cl = strlen("openbsd.org");
+        d = "oopenbsd.org";
+        dl = strlen("oopenbsd.org");
+        if (x509_constraints_sandns(d, dl, c, cl)) {
+                FAIL("constraint '%s' should not have matched '%s'\n",
+                    c, d);
+                failure = 1;
+                goto done;
+        }
+        d = "*.openbsd.org";
+        dl = strlen("*.openbsd.org");
+        if (!x509_constraints_sandns(d, dl, c, cl)) {
+                FAIL("constraint '%s' should have matched '%s'\n",
+                    c, d);
+                failure = 1;
+                goto done;
+        }
+        c = "www.openbsd.org";
+        cl = strlen("www.openbsd.org");
+        if (x509_constraints_sandns(d, dl, c, cl)) {
+                FAIL("constraint '%s' should not have matched '%s'\n",
+                    c, d);
+                failure = 1;
+                goto done;
+        }
+        c = "";
+        cl = 0;
+        if (!x509_constraints_sandns(d, dl, c, cl)) {
+                FAIL("constraint '%s' should have matched '%s'\n",
+                    c, d);
+                failure = 1;
+                goto done;
+        }
+        /*
+         * Note that this *will* match, but we do not allow ".openbsd.org"
+         * as a sandns name - see invalid sandnsname tests above.
+         */
+        c = ".openbsd.org";
+        cl = strlen(".openbsd.org");
+        d = ".openbsd.org";
+        dl = strlen(".openbsd.org");
+        if (!x509_constraints_sandns(d, dl, c, cl)) {
+                FAIL("constraint '%s' should have matched '%s'\n",
+                    c, d);
+                failure = 1;
+                goto done;
+        }
 done:
        return failure;
 }
author	beck <>	2026-04-13 17:04:23 +0000
committer	beck <>	2026-04-13 17:04:23 +0000
commit	cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7 (patch)
tree	efa04762242365a86b1b6bbcc2b67d2f12172f99 /src/regress/lib/libcrypto
parent	d58a3236dc52156e5514e3212cbb63805e90915e (diff)
download	openbsd-cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7.tar.gz openbsd-cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7.tar.bz2 openbsd-cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7.zip

diff --git a/src/regress/lib/libcrypto/x509/constraints.c b/src/regress/lib/libcrypto/x509/constraints.c index 16e135bb44..54bb654a31 100644 --- a/src/regress/lib/libcrypto/x509/constraints.c +++ b/src/regress/lib/libcrypto/x509/constraints.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: constraints.c,v 1.18 2023/12/13 05:59:50 tb Exp $ */	1	/* $OpenBSD: constraints.c,v 1.19 2026/04/13 17:04:23 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -558,7 +558,54 @@ test_constraints1(void)
558	failure = 1;	558	failure = 1;
559	goto done;	559	goto done;
560	}	560	}
561		561	c = "openbsd.org";
		562	cl = strlen("openbsd.org");
		563	d = "oopenbsd.org";
		564	dl = strlen("oopenbsd.org");
		565	if (x509_constraints_sandns(d, dl, c, cl)) {
		566	FAIL("constraint '%s' should not have matched '%s'\n",
		567	c, d);
		568	failure = 1;
		569	goto done;
		570	}
		571	d = "*.openbsd.org";
		572	dl = strlen("*.openbsd.org");
		573	if (!x509_constraints_sandns(d, dl, c, cl)) {
		574	FAIL("constraint '%s' should have matched '%s'\n",
		575	c, d);
		576	failure = 1;
		577	goto done;
		578	}
		579	c = "www.openbsd.org";
		580	cl = strlen("www.openbsd.org");
		581	if (x509_constraints_sandns(d, dl, c, cl)) {
		582	FAIL("constraint '%s' should not have matched '%s'\n",
		583	c, d);
		584	failure = 1;
		585	goto done;
		586	}
		587	c = "";
		588	cl = 0;
		589	if (!x509_constraints_sandns(d, dl, c, cl)) {
		590	FAIL("constraint '%s' should have matched '%s'\n",
		591	c, d);
		592	failure = 1;
		593	goto done;
		594	}
		595	/*
		596	* Note that this will match, but we do not allow ".openbsd.org"
		597	* as a sandns name - see invalid sandnsname tests above.
		598	*/
		599	c = ".openbsd.org";
		600	cl = strlen(".openbsd.org");
		601	d = ".openbsd.org";
		602	dl = strlen(".openbsd.org");
		603	if (!x509_constraints_sandns(d, dl, c, cl)) {
		604	FAIL("constraint '%s' should have matched '%s'\n",
		605	c, d);
		606	failure = 1;
		607	goto done;
		608	}
562	done:	609	done:
563	return failure;	610	return failure;
564	}	611	}