author | Zi Lin <zi@cloudflare.com> | 2016-01-15 14:31:11 -0500 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-15 14:46:58 -0500 |
commit | 9f9a39267f6c752af0905d77062b00671b1b60c6 (patch) | |
tree | bd0e5bd03b169946f4ef73e5048fc15283e7c1c9 /crypto | |
parent | 87c00c93c4d47525f1838ea7c6c544122ff0ca1a (diff) |
NGX-2040 - fix wildcard match on punycode/IDNA DNS names
- bugfix: should not treat '--' as invalid domain substring.
- '-' should not be the first letter of a domain
Signed-off-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/x509v3/v3_utl.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c index c9e74f4c4b..a5058bea64 100644 --- a/crypto/x509v3/v3_utl.c +++ b/crypto/x509v3/v3_utl.c @@ -840,7 +840,8 @@ static const unsigned char *valid_star(const unsigned char *p, size_t len, state = LABEL_START; ++dots; } else if (p[i] == '-') { - if ((state & LABEL_HYPHEN) != 0) + /* no domain/subdomain starts with '-' */ + if ((state & LABEL_START) != 0) return NULL; state |= LABEL_HYPHEN; } else |
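Review bot: The new `(state & LABEL_START) != 0` test in the `p[i] == '-'` branch of valid_star() only covers a hyphen at the start of a label, and nothing in the visible lines shows where a hyphen at the end of a label (a '-' directly before '.' or at the end of the name) is rejected now that LABEL_HYPHEN no longer triggers the early return. Please confirm that the code outside this context, the condition guarding the '.' branch and the end-of-loop handling, still tests LABEL_HYPHEN, and that the flag is cleared when a non-hyphen character follows, so a name such as "a-b.example" is not treated as ending in a hyphen. The diffstat touches only crypto/x509v3/v3_utl.c, so a regression test should come with this change: a wildcard pattern matched against an "xn--" label, plus names whose label begins with '-'. The added comment would also be more precise as "no label starts with '-'", since the state machine works per label rather than per domain.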