From d02d80b2e80adfdde49f76cf7c7af4e013f45005 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni
Date: Tue, 15 May 2018 23:41:20 -0400
Subject: Limit scope of CN name constraints

Don't apply DNS name constraints to the subject CN when there's a least one DNS-ID subjectAlternativeName. Don't apply DNS name constraints to subject CN's that are sufficiently unlike DNS names. Checked name must have at least two labels, with all labels non-empty, no trailing '.' and all hyphens must be internal in each label. In addition to the usual LDH characters, we also allow "_", since some sites use these for hostnames despite all the standards.

Reviewed-by: Matt Caswell
Reviewed-by: Tim Hudson
---
 crypto/include/internal/asn1_int.h | 1 -
 1 file changed, 1 deletion(-)

(limited to 'crypto/include')

diff --git a/crypto/include/internal/asn1_int.h b/crypto/include/internal/asn1_int.h
index fdd5f1e648..962c3c6302 100644
--- a/crypto/include/internal/asn1_int.h
+++ b/crypto/include/internal/asn1_int.h
@@ -107,5 +107,4 @@ struct asn1_pctx_st {
 unsigned long str_flags;
 } /* ASN1_PCTX */ ;
-int asn1_valid_host(const ASN1_STRING *host);
 int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb);
-- cgit v1.2.3