From 1a554bb45494ad1135efa4ed3352baf2be7f2f6a Mon Sep 17 00:00:00 2001 From: tb Date: Sun, 13 Mar 2022 17:23:02 +0000 Subject: [PATCH] Relax the check of x509_constraints_dirname() The dirname constraint must be a prefix in DER format, so relax the check from requiring equal-length strings to allow shorter names also. From Alex Wilson ok jsing --- lib/libcrypto/x509/x509_constraints.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/libcrypto/x509/x509_constraints.c b/lib/libcrypto/x509/x509_constraints.c index 6cea7945606..27d87d4c11e 100644 --- a/lib/libcrypto/x509/x509_constraints.c +++ b/lib/libcrypto/x509/x509_constraints.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_constraints.c,v 1.22 2022/03/13 16:25:58 tb Exp $ */ +/* $OpenBSD: x509_constraints.c,v 1.23 2022/03/13 17:23:02 tb Exp $ */ /* * Copyright (c) 2020 Bob Beck * @@ -636,7 +636,11 @@ int x509_constraints_dirname(uint8_t *dirname, size_t dlen, uint8_t *constraint, size_t len) { - if (len != dlen) + /* + * The constraint must be a prefix in DER format, so it can't be + * longer than the name it is checked against. + */ + if (len > dlen) return 0; return (memcmp(constraint, dirname, len) == 0); } -- 2.20.1