X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fx509v3%2Fv3_ncons.c;fp=crypto%2Fx509v3%2Fv3_ncons.c;h=8465818f90361dfa43f7e4c5a0b4abd9432d427c;hp=9a2cd5af00c7bd54ec05f936e9451a38d4d1b881;hb=c23e497da7815bf6ef84461f92339442d3702eda;hpb=a83dc59afa2e0207180d7218efed19b20d48de95
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 9a2cd5af00..8465818f90 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -14,6 +14,7 @@
 #include
 #include
 #include
+#include
 #include "internal/x509_int.h"
 #include "ext_dat.h"
@@ -435,6 +436,27 @@ int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
 return X509_V_OK;
 }
+/*
+ * Return nonzero if the GeneralSubtree has valid 'minimum' field
+ * (must be absent or 0) and valid 'maximum' field (must be absent).
+ */
+static int nc_minmax_valid(GENERAL_SUBTREE *sub) {
+ BIGNUM *bn = NULL;
+ int ok = 1;
+
+ if (sub->maximum)
+ ok = 0;
+
+ if (sub->minimum) {
+ bn = ASN1_INTEGER_to_BN(sub->minimum, NULL);
+ if (bn == NULL || !BN_is_zero(bn))
+ ok = 0;
+ BN_free(bn);
+ }
+
+ return ok;
+}
+
 static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
 {
 GENERAL_SUBTREE *sub;
@@ -449,7 +471,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
 sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
 if (gen->type != sub->base->type)
 continue;
- if (sub->minimum || sub->maximum)
+ if (!nc_minmax_valid(sub))
 return X509_V_ERR_SUBTREE_MINMAX;
 /* If we already have a match don't bother trying any more */
 if (match == 2)
@@ -472,7 +494,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
 sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
 if (gen->type != sub->base->type)
 continue;
- if (sub->minimum || sub->maximum)
+ if (!nc_minmax_valid(sub))
 return X509_V_ERR_SUBTREE_MINMAX;
 r = nc_match_single(gen, sub->base);
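Review bot: The opening brace on `static int nc_minmax_valid(GENERAL_SUBTREE *sub) {` departs from the file's convention, visible on `nc_match` directly below, of placing a function definition's brace on its own line; the signature would read `static int nc_minmax_valid(const GENERAL_SUBTREE *sub)` followed by `{`, with `const` added because the subtree is only read and `ASN1_INTEGER_to_BN` takes a const ASN1_INTEGER. A NULL return from `ASN1_INTEGER_to_BN`, which can also mean an allocation failure, is folded into `ok = 0`, so the caller reports it as X509_V_ERR_SUBTREE_MINMAX rather than as an internal error; that fails closed, which is the right direction for a constraint check, but it deserves a comment such as `/* A conversion failure is treated as an invalid minimum: fail closed. */` so the next reader does not take it for an oversight. The header comment could also state the decoding this relies on, e.g. `/* 'minimum' is compared as a BIGNUM so any encoding of zero, whatever its length, is accepted. */`, which is what the BN_is_zero test implies.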
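Review bot: The new `if (!nc_minmax_valid(sub))` check still sits after the `gen->type != sub->base->type` / `continue` pair, so a subtree carrying a nonzero minimum or a present maximum is only rejected when the certificate actually contains a name of that type; the excludedSubtrees loop in the following hunk has the same ordering. If the intent is to reject a malformed NameConstraints extension outright (RFC 5280 requires minimum zero and maximum absent for every subtree), the check would have to precede the type comparison; if the per-name gating is deliberate, a comment on the `continue` line such as `/* min/max are only validated for subtrees of the name type being matched */` would record that. nc_match begins before this hunk, so the enclosing loop header is not visible here.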