From cf3eec32e7a6acbaecd14871fb75ad34fb76c3e7 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Mon, 13 Apr 2026 17:04:23 +0000
Subject: Prior to this we substring matched and allowed a leading . on a SAN
 DNSname constraint. This is not correct, as with a DNSname constraint, it may
 exacly match or match zero or more additional components on the front of the
 candidte to match.

Spotted by Haruto Kimura <hkimura2026@gmail.com>

ok tb@ kenjiro@
---
 src/regress/lib/libcrypto/x509/constraints.c | 51 ++++++++++++++++++++++++++--
 1 file changed, 49 insertions(+), 2 deletions(-)

(limited to 'src/regress/lib/libcrypto')

diff --git a/src/regress/lib/libcrypto/x509/constraints.c b/src/regress/lib/libcrypto/x509/constraints.c
index 16e135bb44..54bb654a31 100644
--- a/src/regress/lib/libcrypto/x509/constraints.c
+++ b/src/regress/lib/libcrypto/x509/constraints.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: constraints.c,v 1.18 2023/12/13 05:59:50 tb Exp $	*/
+/*	$OpenBSD: constraints.c,v 1.19 2026/04/13 17:04:23 beck Exp $	*/
 /*
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
  *
@@ -558,7 +558,54 @@ test_constraints1(void)
 		failure = 1;
 		goto done;
 	}
-
+	c = "openbsd.org";
+	cl = strlen("openbsd.org");
+	d = "oopenbsd.org";
+	dl = strlen("oopenbsd.org");
+	if (x509_constraints_sandns(d, dl, c, cl)) {
+		FAIL("constraint '%s' should not have matched '%s'\n",
+		    c, d);
+		failure = 1;
+		goto done;
+	}
+	d = "*.openbsd.org";
+	dl = strlen("*.openbsd.org");
+	if (!x509_constraints_sandns(d, dl, c, cl)) {
+		FAIL("constraint '%s' should have matched '%s'\n",
+		    c, d);
+		failure = 1;
+		goto done;
+	}
+	c = "www.openbsd.org";
+	cl = strlen("www.openbsd.org");
+	if (x509_constraints_sandns(d, dl, c, cl)) {
+		FAIL("constraint '%s' should not have matched '%s'\n",
+		    c, d);
+		failure = 1;
+		goto done;
+	}
+	c = "";
+	cl = 0;
+	if (!x509_constraints_sandns(d, dl, c, cl)) {
+		FAIL("constraint '%s' should have matched '%s'\n",
+		    c, d);
+		failure = 1;
+		goto done;
+	}
+	/*
+	 * Note that this *will* match, but we do not allow ".openbsd.org"
+	 * as a sandns name - see invalid sandnsname tests above.
+	 */
+	c = ".openbsd.org";
+	cl = strlen(".openbsd.org");
+	d = ".openbsd.org";
+	dl = strlen(".openbsd.org");
+	if (!x509_constraints_sandns(d, dl, c, cl)) {
+		FAIL("constraint '%s' should have matched '%s'\n",
+		    c, d);
+		failure = 1;
+		goto done;
+	}
  done:
 	return failure;
 }
-- 
cgit v1.2.3-55-g6feb