X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fx509v3%2Fv3_ncons.c;h=dea6c6c8afe69891b299dd5e6df20266e69e16f3;hp=77edcd4dfbfe74d103435ef956f14ede80df14f0;hb=55a6250f1e7336e8a7d89fb609eb23398715ff6f;hpb=d02d80b2e80adfdde49f76cf7c7af4e013f45005

diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 77edcd4dfb..dea6c6c8af 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -299,9 +299,9 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
 
 static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)
 {
-    int utf8_length;    /* Return type of ASN1_STRING_to_UTF8 */
-    int i;
+    int utf8_length;
     unsigned char *utf8_value;
+    int i;
     int isdnsname = 0;
 
     /* Don't leave outputs uninitialized */
@@ -337,8 +337,10 @@ static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)
         --utf8_length;
 
     /* Reject *embedded* NULs */
-    if ((size_t)utf8_length != strlen((char *)utf8_value))
-        return X509_V_ERR_UNSPECIFIED;
+    if ((size_t)utf8_length != strlen((char *)utf8_value)) {
+        OPENSSL_free(utf8_value);
+        return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+    }
 
     /*
      * XXX: Deviation from strict DNS name syntax, also check names with '_'
@@ -389,14 +391,12 @@ static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)
 }
 
 /*
- * Check CN against DNS-ID name constraints, provided no DNS-ID
- * subjectAlternativeName values are present in the certificate.
+ * Check CN against DNS-ID name constraints.
  */
 int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
 {
     int r, i;
-    GENERAL_NAMES *gens = NULL;
-    X509_NAME *nm;
+    X509_NAME *nm = X509_get_subject_name(x);
     ASN1_STRING stmp;
     GENERAL_NAME gntmp;
 
@@ -405,21 +405,6 @@ int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
     gntmp.type = GEN_DNS;
     gntmp.d.dNSName = &stmp;
 
-    gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
-    if (gens != NULL) {
-        for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
-            GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i);
-
-            if (gen->type == GEN_DNS) {
-                GENERAL_NAMES_free(gens);
-                return X509_V_OK;
-            }
-        }
-        GENERAL_NAMES_free(gens);
-    }
-
-    nm = X509_get_subject_name(x);
-
     /* Process any commonName attributes in subject name */
 
     for (i = -1;;) {