From f6b2dbc635dc388fe53d3df21e4a43cb4b51ad91 Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Thu, 20 Jul 2017 19:45:08 +0000
Subject: Allow leading . in nameConstraints. from openssl via jabberwock. ok
 jsing

---
 src/lib/libcrypto/x509v3/v3_ncons.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libcrypto/x509v3/v3_ncons.c b/src/lib/libcrypto/x509v3/v3_ncons.c
index d22ca5e9cd..4913135cf9 100644
--- a/src/lib/libcrypto/x509v3/v3_ncons.c
+++ b/src/lib/libcrypto/x509v3/v3_ncons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: v3_ncons.c,v 1.12 2017/05/02 04:11:08 deraadt Exp $ */
+/* $OpenBSD: v3_ncons.c,v 1.13 2017/07/20 19:45:08 tedu Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -457,7 +457,7 @@ nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
 	 */
 	if (dns->length > base->length) {
 		dnsptr += dns->length - base->length;
-		if (dnsptr[-1] != '.')
+		if (baseptr[0] != '.' && dnsptr[-1] != '.')
 			return X509_V_ERR_PERMITTED_VIOLATION;
 	}
 
-- 
cgit v1.2.3-55-g6feb