authorTheo Buehler <tb@cvs.openbsd.org>2022-03-14 21:29:47 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2022-03-14 21:29:47 +0000
commit76eceb6b3b3e8300fe88edd9b97007cf0b4af4eb (patch)
tree7db14e3aedb70ce3e9c48569f1745f47d9464e60 /lib/libcrypto
parent7ff746bcab2997798de03e86e2e4c55da024a6d7 (diff)
Allow constraints of the form @domain.com
Some things issue, and expect us to support, a non-standard extension: accepting any email address from a host by prefixing an email name constraint with @. This used to be the case with the old code as well. Pointed out and based on a diff by Alex Wilson. ok jsing
Diffstat (limited to 'lib/libcrypto')
-rw-r--r--lib/libcrypto/x509/x509_constraints.c27
1 files changed, 17 insertions, 10 deletions
diff --git a/lib/libcrypto/x509/x509_constraints.c b/lib/libcrypto/x509/x509_constraints.c
index 6e88a941892..4f24277918f 100644
--- a/lib/libcrypto/x509/x509_constraints.c
+++ b/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.24 2022/03/14 21:15:49 tb Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.25 2022/03/14 21:29:46 tb Exp $ */
/*
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
*
@@ -938,17 +938,24 @@ x509_constraints_validate(GENERAL_NAME *constraint,
name->type = GEN_DNS;
break;
case GEN_EMAIL:
- if (memchr(bytes, '@', len) != NULL) {
+ if (len > 0 && memchr(bytes + 1, '@', len - 1) != NULL) {
if (!x509_constraints_parse_mailbox(bytes, len, name))
goto err;
- } else {
- if (!x509_constraints_valid_domain_constraint(bytes,
- len))
- goto err;
- if ((name->name = strdup(bytes)) == NULL) {
- error = X509_V_ERR_OUT_OF_MEM;
- goto err;
- }
+ break;
+ }
+ /*
+ * Mail constraints of the form @domain.com are accepted by
+ * OpenSSL and Microsoft.
+ */
+ if (len > 0 && bytes[0] == '@') {
+ bytes++;
+ len--;
+ }
+ if (!x509_constraints_valid_domain_constraint(bytes, len))
+ goto err;
+ if ((name->name = strdup(bytes)) == NULL) {
+ error = X509_V_ERR_OUT_OF_MEM;
+ goto err;
}
name->type = GEN_EMAIL;
break;
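Review bot: After the leading `@` is stripped in the lines following the new comment, a constraint consisting of nothing but `@` reaches `x509_constraints_valid_domain_constraint` with `len == 0` and, if that passes, is stored via `strdup` as an empty `name->name`; if an empty GEN_EMAIL constraint is treated as matching any domain (the hunk does not show the matcher, but an empty name constraint commonly behaves that way), a bare `@` would silently become a match-everything constraint instead of being rejected. Rejecting the degenerate form at the strip would close that: `if (len > 0 && bytes[0] == '@') {` / `bytes++; len--;` / `if (len == 0) goto err;`. The `memchr(bytes + 1, '@', len - 1)` test also deserves a one-line comment, since skipping the first byte is the whole reason the `@domain.com` form no longer lands in the mailbox parser: `/* Skip a leading '@' so that @domain.com is not taken for a mailbox. */`. The enclosing `x509_constraints_validate` starts and ends outside the hunk.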