author Viktor Dukhovni <openssl-users@dukhovni.org> 2018-05-15 23:41:20 -0400
committer Viktor Dukhovni <openssl-users@dukhovni.org> 2018-05-23 11:12:13 -0400
commit d02d80b2e80adfdde49f76cf7c7af4e013f45005
tree e9e137e02f0751435765ff251b07d58f710213e0 /crypto/include
parent de9f5b3554274e27949941cbe74a07c8a5f25dbf
Limit scope of CN name constraints
Don't apply DNS name constraints to the subject CN when there's at least one DNS-ID subjectAlternativeName.

Don't apply DNS name constraints to subject CN's that are sufficiently unlike DNS names. Checked name must have at least two labels, with all labels non-empty, no trailing '.' and all hyphens must be internal in each label. In addition to the usual LDH characters, we also allow "_", since some sites use these for hostnames despite all the standards.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
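The "sufficiently unlike DNS names" rules from the commit message, written out as an added example; this is not OpenSSL's code, and the function name `cn_looks_like_dns` is hypothetical. It covers only the shape check on the CN, not the separate rule that skips the CN when a DNS-ID subjectAlternativeName is present.

```c
#include <stddef.h>

/* Allowed label characters: letters, digits, hyphen (LDH) plus '_'. */
static int ldh_or_underscore(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
        || (c >= '0' && c <= '9') || c == '-' || c == '_';
}

/*
 * Hypothetical helper: returns 1 if the CN bytes look enough like a DNS
 * name that DNS name constraints should be applied to it, 0 otherwise.
 * Takes an explicit length so an embedded NUL is rejected, not truncated.
 */
int cn_looks_like_dns(const unsigned char *cn, size_t len)
{
    size_t i, label_len = 0, labels = 0;

    if (cn == NULL || len == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = cn[i];

        if (c == '.') {
            /* Empty label (leading '.' or "..") or label ending in '-'. */
            if (label_len == 0 || cn[i - 1] == '-')
                return 0;
            labels++;
            label_len = 0;
            continue;
        }
        if (!ldh_or_underscore(c))
            return 0;
        /* A hyphen may not start a label. */
        if (c == '-' && label_len == 0)
            return 0;
        label_len++;
    }
    /* Trailing '.' leaves label_len == 0; final label may not end in '-'. */
    if (label_len == 0 || cn[len - 1] == '-')
        return 0;
    labels++;
    return labels >= 2;
}
```

A CN such as "Example Corp CA" or "localhost" fails this check and so would not be subjected to DNS name constraints, while "my_host.example.com" passes.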
Diffstat (limited to 'crypto/include')
-rw-r--r-- crypto/include/internal/asn1_int.h 1
1 files changed, 0 insertions, 1 deletions
diff --git a/crypto/include/internal/asn1_int.h b/crypto/include/internal/asn1_int.h
index fdd5f1e648..962c3c6302 100644
--- a/crypto/include/internal/asn1_int.h
+++ b/crypto/include/internal/asn1_int.h
@@ -107,5 +107,4 @@ struct asn1_pctx_st {
unsigned long str_flags;
} /* ASN1_PCTX */ ;
-int asn1_valid_host(const ASN1_STRING *host);
int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb);
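Review bot: Removing the asn1_valid_host() prototype from asn1_int.h is only safe if its definition and every caller are removed or replaced in the same commit, and that cannot be confirmed from this view because the diffstat is limited to crypto/include. Please check that nothing in the tree still references asn1_valid_host, otherwise a leftover caller would compile against an implicit declaration. The commit message describes new rules for deciding when a CN is DNS-like (at least two labels, no empty labels, no trailing '.', internal hyphens only, '_' allowed), so it would help to name in the message the function that now carries that check, since this header no longer declares one.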