Commit fffc2fae authored by Viktor Dukhovni's avatar Viktor Dukhovni

Cleaner handling of "cnid" in do_x509_check



Avoid using cnid = 0, use NID_undef instead, and return early instead
of trying to find an instance of that in the subject DN.

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
parent a0724ef1
+7 −3
@@ -921,7 +921,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
    GENERAL_NAMES *gens = NULL;
    X509_NAME *name = NULL;
    int i;
    int cnid;
    int cnid = NID_undef;
    int alt_type;
    int san_present = 0;
    int rv = 0;
@@ -944,7 +944,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
        else
            equal = equal_wildcard;
    } else {
        cnid = 0;
        alt_type = V_ASN1_OCTET_STRING;
        equal = equal_case;
    }
@@ -975,11 +974,16 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
        GENERAL_NAMES_free(gens);
        if (rv != 0)
            return rv;
        if (!cnid
        if (cnid == NID_undef
            || (san_present
                && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
            return 0;
    }

    /* We're done if CN-ID is not pertinent */
    if (cnid == NID_undef)
        return 0;

    i = -1;
    name = X509_get_subject_name(x);
    while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) {
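Review bot: The `cnid == NID_undef` term kept in the condition just before the closing brace is now redundant with the early return added right after that block, so the same fail-closed decision is written in two places; the inner test can shrink to `if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))`. Because the default now lives at the declaration, a branch that never assigns cnid (the `else` that selects `V_ASN1_OCTET_STRING`, presumably the IP-address check) gets no subject-CN fallback without saying so. That is the safe direction for name matching, but it deserves a comment at the early return, for example `/* cnid stays NID_undef for check types with no CN fallback; the subject DN is then never consulted */`. The body of do_x509_check starts and ends outside these hunks, so this rests only on the visible lines.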