author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2015-09-01 21:59:08 -0400 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2015-09-02 09:53:44 -0400 |
commit | fffc2faeb2b5cad4516cc624352d445284aa7522 (patch) | |
tree | 0659e739e3b3962a4eebac9432d7653d7a17be6d /crypto/x509v3/v3_utl.c | |
parent | a0724ef1c9b9e2090bdd96b784f492b6a3952957 (diff) | |
Cleaner handling of "cnid" in do_x509_check
Avoid using cnid = 0, use NID_undef instead, and return early instead
of trying to find an instance of that in the subject DN.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'crypto/x509v3/v3_utl.c')
-rw-r--r-- | crypto/x509v3/v3_utl.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index 15029f9..6494d83 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -921,7 +921,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
 GENERAL_NAMES *gens = NULL;
 X509_NAME *name = NULL;
 int i;
- int cnid;
+ int cnid = NID_undef;
 int alt_type;
 int san_present = 0;
 int rv = 0;
@@ -944,7 +944,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
 else
 equal = equal_wildcard;
 } else {
- cnid = 0;
 alt_type = V_ASN1_OCTET_STRING;
 equal = equal_case;
 }
@@ -975,11 +974,16 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
 GENERAL_NAMES_free(gens);
 if (rv != 0)
 return rv;
- if (!cnid
+ if (cnid == NID_undef
 || (san_present
 && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
 return 0;
 }
+
+ /* We're done if CN-ID is not pertinent */
+ if (cnid == NID_undef)
+ return 0;
+
 i = -1;
 name = X509_get_subject_name(x);
 while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) { |
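Review bot: In the third hunk the `cnid == NID_undef` term kept inside the block that frees `gens` is now redundant: `rv` is known to be 0 at that point, and the early return added right after the block returns 0 for the same condition. The inner test could be reduced to `if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)) return 0;`, so that a single statement decides whether the subject DN is searched. The new comment would also help more if it stated the consequence for name checking, for example `/* No CN-ID for this check type: only subjectAltName can match, the subject DN is never searched */`. The `else` branch in the second hunk now relies on the initializer from the first hunk, which looks like a fail-closed default (0 appears to be the no-match result) should another check type be added without setting `cnid`. do_x509_check begins and ends outside all three hunks.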