authorZi Lin <zi@cloudflare.com>2016-01-15 14:31:11 -0500
committerViktor Dukhovni <openssl-users@dukhovni.org>2016-01-15 14:46:58 -0500
commit9f9a39267f6c752af0905d77062b00671b1b60c6 (patch)
treebd0e5bd03b169946f4ef73e5048fc15283e7c1c9 /crypto/x509v3/v3_utl.c
parent87c00c93c4d47525f1838ea7c6c544122ff0ca1a (diff)
NGX-2040 - fix wildcard match on punycode/IDNA DNS names
- bugfix: should not treat '--' as invalid domain substring. - '-' should not be the first letter of a domain Signed-off-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/x509v3/v3_utl.c')
-rw-r--r--crypto/x509v3/v3_utl.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index c9e74f4c4b..a5058bea64 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -840,7 +840,8 @@ static const unsigned char *valid_star(const unsigned char *p, size_t len,
state = LABEL_START;
++dots;
} else if (p[i] == '-') {
- if ((state & LABEL_HYPHEN) != 0)
+ /* no domain/subdomain starts with '-' */
+ if ((state & LABEL_START) != 0)
return NULL;
state |= LABEL_HYPHEN;
} else
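Review bot: The new comment on the `LABEL_START` test documents only the leading-hyphen rule and not what this hunk relaxes: with the `LABEL_HYPHEN` test removed, consecutive hyphens are accepted anywhere inside a label, not only in an `xn--` prefix. Because this function appears to decide which wildcard patterns in certificate names count as valid, I would state both rules, e.g. `/* a label may not start with '-'; "--" is allowed (IDNA "xn--" A-labels) */`. A label ending in '-' is presumably still rejected by the '.' branch and by a check after the loop, but both lie outside this hunk, so that should be confirmed. A regression test with an `xn--` wildcard name and with a label starting with '-' would pin both cases. `valid_star` starts and ends outside the hunk.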