diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2018-05-18 09:09:51 -0400 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2018-05-23 11:08:48 -0400 |
commit | c2c2c7b3f1df94f9a447cc3cf8196579543cc57e (patch) | |
tree | 91415123b7573ed93beb6663cfa80f6a07028e61 /crypto/asn1 | |
parent | 1caa3bbf25796c1fb4dcfee1a3d5a554b8a161f9 (diff) |
Limit scope of CN name constraints
Don't apply DNS name constraints to the subject CN when there's a
least one DNS-ID subjectAlternativeName.
Don't apply DNS name constraints to subject CN's that are sufficiently
unlike DNS names. Checked name must have at least two labels, with
all labels non-empty, no trailing '.' and all hyphens must be
internal in each label. In addition to the usual LDH characters,
we also allow "_", since some sites use these for hostnames despite
all the standards.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'crypto/asn1')
-rw-r--r-- | crypto/asn1/a_strex.c | 50 |
1 files changed, 0 insertions, 50 deletions
diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c index 75bc4319c7..ec7ac5a30c 100644 --- a/crypto/asn1/a_strex.c +++ b/crypto/asn1/a_strex.c @@ -613,53 +613,3 @@ int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in) *out = stmp.data; return stmp.length; } - -/* Return 1 if host is a valid hostname and 0 otherwise */ -int asn1_valid_host(const ASN1_STRING *host) -{ - int hostlen = host->length; - const unsigned char *hostptr = host->data; - int type = host->type; - int i; - signed char width = -1; - unsigned short chflags = 0, prevchflags; - - if (type > 0 && type < 31) - width = tag2nbyte[type]; - if (width == -1 || hostlen == 0) - return 0; - /* Treat UTF8String as width 1 as any MSB set is invalid */ - if (width == 0) - width = 1; - for (i = 0 ; i < hostlen; i+= width) { - prevchflags = chflags; - /* Value must be <= 0x7F: check upper bytes are all zeroes */ - if (width == 4) { - if (*hostptr++ != 0 || *hostptr++ != 0 || *hostptr++ != 0) - return 0; - } else if (width == 2) { - if (*hostptr++ != 0) - return 0; - } - if (*hostptr > 0x7f) - return 0; - chflags = char_type[*hostptr++]; - if (!(chflags & (CHARTYPE_HOST_ANY | CHARTYPE_HOST_WILD))) { - /* Nothing else allowed at start or end of string */ - if (i == 0 || i == hostlen - 1) - return 0; - /* Otherwise invalid if not dot or hyphen */ - if (!(chflags & (CHARTYPE_HOST_DOT | CHARTYPE_HOST_HYPHEN))) - return 0; - /* - * If previous is dot or hyphen then illegal unless both - * are hyphens: as .- -. .. are all illegal - */ - if (prevchflags & (CHARTYPE_HOST_DOT | CHARTYPE_HOST_HYPHEN) - && ((prevchflags & CHARTYPE_HOST_DOT) - || (chflags & CHARTYPE_HOST_DOT))) - return 0; - } - } - return 1; -} |