From f0e25790ea89d59867bdced3cbb8dae45cb6ae78 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sun, 26 Jun 2022 11:29:27 +0000
Subject: Fix URI name constraints, allow for URI's with no host part. Such uri's must be parsed and allowed, but then should fail if a name constraint is present. Adds regress testing for this same case. fixes https://github.com/libressl-portable/openbsd/issues/131 ok tb@
---
 src/regress/lib/libcrypto/x509/constraints.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
(limited to 'src/regress')
diff --git a/src/regress/lib/libcrypto/x509/constraints.c b/src/regress/lib/libcrypto/x509/constraints.c
index b552f30989..d4867a362c 100644
--- a/src/regress/lib/libcrypto/x509/constraints.c
+++ b/src/regress/lib/libcrypto/x509/constraints.c
@@ -397,6 +397,10 @@ test_constraints1(void)
 "",
 NULL,
 };
+ unsigned char *noauthority[] = {
+ "urn:open62541.server.application",
+ NULL,
+ };
 for (i = 0; constraints[i] != NULL; i++) {
 char *constraint = constraints[i];
 size_t clen = strlen(constraints[i]);
@@ -442,6 +446,28 @@ test_constraints1(void)
 goto done;
 }
 }
+ for (j = 0; noauthority[j] != NULL; j++) {
+ error = 0;
+ char *hostpart = NULL;
+ if (!x509_constraints_uri_host(noauthority[j],
+ strlen(noauthority[j]), &hostpart)) {
+ FAIL("name '%s' should parse as a URI",
+ noauthority[j]);
+ failure = 1;
+ free(hostpart);
+ goto done;
+ }
+ free(hostpart);
+
+ if (x509_constraints_uri(noauthority[j],
+ strlen(noauthority[j]), constraint, clen, &error)) {
+ FAIL("constraint '%s' should not have matched URI"
+ " '%s' (error %d)\n",
+ constraint, failinguri[j], error);
+ failure = 1;
+ goto done;
+ }
+ }
 }
 c = ".openbsd.org";
 cl = strlen(".openbsd.org");
-- cgit v1.2.3-55-g6feb
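Review bot: The second FAIL in the new `noauthority` loop (second hunk) prints `failinguri[j]`, but `j` is walking `noauthority` there, so a failing run would name the wrong URI. If `failinguri` has fewer entries than the index reached, it would also read past the end of that array; its length is not visible in this hunk. The argument line should be `constraint, noauthority[j], error);`. This matters for a name-constraint regress in particular, because the message is what tells a maintainer which host-less URI slipped past a constraint. The two new FAIL format strings also differ on the trailing `\n` (the "should parse as a URI" one has none), which is worth aligning with whatever the FAIL macro expects. The body of test_constraints1 starts and ends outside both hunks.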