Relax the check of x509_constraints_dirname()

author tb <tb@openbsd.org>

Sun, 13 Mar 2022 17:23:02 +0000 (17:23 +0000)

committer tb <tb@openbsd.org>

Sun, 13 Mar 2022 17:23:02 +0000 (17:23 +0000)
author tb <tb@openbsd.org>
Sun, 13 Mar 2022 17:23:02 +0000 (17:23 +0000)
committer tb <tb@openbsd.org>
Sun, 13 Mar 2022 17:23:02 +0000 (17:23 +0000)
diff --git a/lib/libcrypto/x509/x509_constraints.c b/lib/libcrypto/x509/x509_constraints.c

index 6cea794..27d87d4 100644 (file)
--- a/lib/libcrypto/x509/x509_constraints.c
+++ b/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.22 2022/03/13 16:25:58 tb Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.23 2022/03/13 17:23:02 tb Exp $ */
  /*
   * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
   *
@@ -636,7 +636,11 @@ int
  x509_constraints_dirname(uint8_t *dirname, size_t dlen,
      uint8_t *constraint, size_t len)
  {
-       if (len != dlen)
+       /*
+        * The constraint must be a prefix in DER format, so it can't be
+        * longer than the name it is checked against.
+        */
+       if (len > dlen)
                 return 0;
         return (memcmp(constraint, dirname, len) == 0);
  }
author	tb <tb@openbsd.org>
	Sun, 13 Mar 2022 17:23:02 +0000 (17:23 +0000)
committer	tb <tb@openbsd.org>
	Sun, 13 Mar 2022 17:23:02 +0000 (17:23 +0000)