From 4921127200b0c3cff9bc154e1c31a9ae8681333c Mon Sep 17 00:00:00 2001 From: tb <> Date: Mon, 14 Mar 2022 21:29:46 +0000 Subject: Allow constraints of the form @domain.com Some things issue and expect that we support a non-standard extension of accepting any email address from a host by prefixing an email name constraint with @. This used to be the case with the old code as well. Pointed out and based on a diff by Alex Wilson. ok jsing --- src/lib/libcrypto/x509/x509_constraints.c | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c index 6e88a94189..4f24277918 100644 --- a/src/lib/libcrypto/x509/x509_constraints.c +++ b/src/lib/libcrypto/x509/x509_constraints.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_constraints.c,v 1.24 2022/03/14 21:15:49 tb Exp $ */ +/* $OpenBSD: x509_constraints.c,v 1.25 2022/03/14 21:29:46 tb Exp $ */ /* * Copyright (c) 2020 Bob Beck * @@ -938,17 +938,24 @@ x509_constraints_validate(GENERAL_NAME *constraint, name->type = GEN_DNS; break; case GEN_EMAIL: - if (memchr(bytes, '@', len) != NULL) { + if (len > 0 && memchr(bytes + 1, '@', len - 1) != NULL) { if (!x509_constraints_parse_mailbox(bytes, len, name)) goto err; - } else { - if (!x509_constraints_valid_domain_constraint(bytes, - len)) - goto err; - if ((name->name = strdup(bytes)) == NULL) { - error = X509_V_ERR_OUT_OF_MEM; - goto err; - } + break; + } + /* + * Mail constraints of the form @domain.com are accepted by + * OpenSSL and Microsoft. + */ + if (len > 0 && bytes[0] == '@') { + bytes++; + len--; + } + if (!x509_constraints_valid_domain_constraint(bytes, len)) + goto err; + if ((name->name = strdup(bytes)) == NULL) { + error = X509_V_ERR_OUT_OF_MEM; + goto err; } name->type = GEN_EMAIL; break; -- cgit v1.2.3-55-g6feb