From b2a89f9426f1ee215d9d57cad8342591dc19aac3 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Wed, 27 Oct 2021 10:22:08 +0000
Subject: Revert version 1.3 - not allowing the creation of bogus certificates
 breaks the ruby regression tests that expect to make bogus certificates and
 see that they are rejected :(

I am reverting this for now to make the regress tests pass, and will
bring it back if we decide to patch the regress tests to remove the
problem cases
---
 src/lib/libcrypto/x509/x509_alt.c | 50 +++------------------------------------
 1 file changed, 3 insertions(+), 47 deletions(-)

diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c
index 02a4a3a377..891c7dd787 100644
--- a/src/lib/libcrypto/x509/x509_alt.c
+++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.3 2021/10/26 09:09:53 beck Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.4 2021/10/27 10:22:08 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -63,8 +63,6 @@
 #include <openssl/err.h>
 #include <openssl/x509v3.h>
 
-#include "x509_internal.h"
-
 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
@@ -614,11 +612,8 @@ GENERAL_NAME *
 v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
 {
-	uint8_t *bytes = NULL;
-	char *name, *value;
-	GENERAL_NAME *ret;
-	size_t len = 0;
 	int type;
+	char *name, *value;
 
 	name = cnf->name;
 	value = cnf->value;
@@ -648,46 +643,7 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
 		return NULL;
 	}
 
-	ret = a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
-
-	/* Validate what we have for sanity */
-	type = x509_constraints_general_to_bytes(ret, &bytes, &len);
-	switch(type) {
-	case GEN_DNS:
-		if (!x509_constraints_valid_sandns(bytes, len)) {
-			X509V3error(X509V3_R_BAD_OBJECT);
-			ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
-			goto err;
-		}
-		break;
-	case GEN_URI:
-		if (!x509_constraints_uri_host(bytes, len, NULL)) {
-			X509V3error(X509V3_R_BAD_OBJECT);
-			ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
-			goto err;
-		}
-		break;
-	case GEN_EMAIL:
-		if (!x509_constraints_parse_mailbox(bytes, len, NULL)) {
-			X509V3error(X509V3_R_BAD_OBJECT);
-			ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
-			goto err;
-		}
-		break;
-	case GEN_IPADD:
-		if (len != 4 && len != 16) {
-			X509V3error(X509V3_R_BAD_IP_ADDRESS);
-			ERR_asprintf_error_data("name=%s len=%zu", name, len);
-			goto err;
-		}
-		break;
-	default:
-		break;
-	}
-	return ret;
- err:
-	GENERAL_NAME_free(ret);
-	return NULL;
+	return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
 }
 
 static int
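Review bot: After this revert, v2i_GENERAL_NAME_ex returns whatever a2i_GENERAL_NAME built with no sanity check, so malformed DNS, URI, email or IP address names from a config can again be encoded into a certificate, and nothing at the `return` line says this is deliberate. Since the commit message describes the removal as temporary, a comment above the return would keep the gap visible, for example `/* XXX: resulting name is not validated here; rejecting bogus names is left to the verifier */`. If the check is brought back, it should probably skip validation when a2i_GENERAL_NAME returns NULL and free the result only when `out` was NULL, because the removed `err:` path appears to free a caller-supplied `out`; that cannot be confirmed from this hunk alone. The function's opening lines are in the previous hunk.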