Enforce _X509_CHECK_FLAG_DOT_SUBDOMAINS internal-only

author: Viktor Dukhovni <openssl-users@dukhovni.org> 2014-06-13 23:45:56 -0400
committer: Dr. Stephen Henson <steve@openssl.org> 2014-06-14 22:31:29 +0100
commit: 7241a4c7fd821f3469840fa78c5ca7300d6f1edd (patch)
tree: 85ec297af5e81d5c0bf0312b275d7e50e9b3f6fe /crypto/x509v3
parent: 3b77f01702cbbb75c7718f876a2053d5a882fe89 (diff)
1 files changed, 5 insertions, 6 deletions
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index 004a1339ea..6e91ac9816 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -584,13 +584,9 @@ static void skip_prefix(const unsigned char **p, size_t *plen,
 	 * If subject starts with a leading '.' followed by more octets, and
 	 * pattern is longer, compare just an equal-length suffix with the
 	 * full subject (starting at the '.'), provided the prefix contains
-	 * no NULs.  (We check again that subject starts with '.' and
-	 * contains at least one subsequent character, just in case the
-	 * internal _X509_CHECK_FLAG_DOT_SUBDOMAINS flag was erroneously
-	 * set by the user).
+	 * no NULs.
 	 */
-	if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0 ||
-	    subject_len <= 1 || subject[0] != '.')
+	if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
 		return;
 
 	while (pattern_len > subject_len && *pattern)
@@ -895,6 +891,9 @@ static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
 	int alt_type;
 	int san_present = 0;
 	equal_fn equal;
+
+	/* See below, this flag is internal-only */
+	flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
 	if (check_type == GEN_EMAIL)
 		{
 		cnid = NID_pkcs9_emailAddress;
author	Viktor Dukhovni <openssl-users@dukhovni.org>	2014-06-13 23:45:56 -0400
committer	Dr. Stephen Henson <steve@openssl.org>	2014-06-14 22:31:29 +0100
commit	7241a4c7fd821f3469840fa78c5ca7300d6f1edd (patch)
tree	85ec297af5e81d5c0bf0312b275d7e50e9b3f6fe /crypto/x509v3
parent	3b77f01702cbbb75c7718f876a2053d5a882fe89 (diff)