From 04f7297a7faf857871e10ce5e829cddc1dbf3520 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sun, 26 Jun 2022 11:29:27 +0000
Subject: Fix URI name constraints, allow for URI's with no host part. Such uri's must be parsed and allowed, but then should fail if a name constraint is present. Adds regress testing for this same case. fixes https://github.com/libressl-portable/openbsd/issues/131 ok tb@
---
 src/lib/libcrypto/x509/x509_constraints.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c
index 533bbbf4ca..c68f282a05 100644
--- a/src/lib/libcrypto/x509/x509_constraints.c
+++ b/src/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.26 2022/03/26 16:34:21 tb Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.27 2022/06/26 11:29:27 beck Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck
 *
@@ -489,8 +489,17 @@ x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostpart)
 break;
 }
 }
- if (authority == NULL)
- return 0;
+ if (authority == NULL) {
+ /*
+ * There is no authority, so no host part in this
+ * URI. This might be ok or might not, but it must
+ * fail if we run into a name constraint later, so
+ * we indicate that we have a URI with an empty
+ * host part, and succeed.
+ */
+ *hostpart = strdup("");
+ return 1;
+ }
 for (i = authority - uri; i < len; i++) {
 if (!isascii(uri[i]))
 return 0;
-- cgit v1.2.3-55-g6feb
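Review bot: The new `*hostpart = strdup("");` in the `authority == NULL` branch writes through `hostpart` unconditionally and returns 1 without checking the allocation. If any caller passes NULL for `hostpart` to only validate a URI (callers are outside this hunk, so this needs confirming), a certificate carrying a URI with no authority would cause a NULL dereference while parsing untrusted input. If `strdup` fails, the function reports success with `*hostpart == NULL`, which a later name-constraint comparison may not expect. I would guard both cases with `if (hostpart != NULL && (*hostpart = strdup("")) == NULL)` followed by `return 0;`. The body of `x509_constraints_uri_host` starts and ends outside the hunk, so how the rest of the function treats a NULL `hostpart` should be checked for consistency.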