authorNikos Mavrogiannopoulos <nmav@redhat.com>2015-03-25 08:38:47 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2015-03-25 10:41:03 +0100
commit29f4864c78e8eef78f7e3a329998d001ab9ecd07 (patch)
tree3151d9a7435ea8dac34f9395905e173a6272975a
parent57b8c09d6597efe36cfa2d2738d786081718b204 (diff)
downloadgnutls-29f4864c78e8eef78f7e3a329998d001ab9ecd07.tar.gz
name constraints: when no name of the type is found, accept the certificate
This follows RFC5280 advice closely. Reported by Fotis Loukos.
-rw-r--r--lib/x509/name_constraints.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
index 65ee409eb1..7a7ff7c6c0 100644
--- a/lib/x509/name_constraints.c
+++ b/lib/x509/name_constraints.c
@@ -672,8 +672,12 @@ unsigned found_one;
/* passed */
if (found_one != 0)
return 1;
- else /* nothing was found */
- return gnutls_assert_val(0);
+ else {
+ /* no name was found. According to RFC5280:
+ * If no name of the type is in the certificate, the certificate is acceptable.
+ */
+ return gnutls_assert_val(1);
+ }
} else if (type == GNUTLS_SAN_DNSNAME) {
idx = found_one = 0;
do {
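Review bot: `return gnutls_assert_val(1);` on the new accept path (and the identical line in the second hunk at `@@ -733`) makes an acceptance look like a failure: if gnutls_assert_val emits the same debug "ASSERT" marker it does on error returns, every certificate accepted because the constrained name form is absent will be logged indistinguishably from a rejection. Prefer a plain `return 1; /* RFC 5280 4.2.1.10: a constraint applies only when its name form is present */` and reserve gnutls_assert_val for the failure path. The enclosing function starts before this hunk, so which name type this first branch handles is not visible here.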
@@ -733,8 +737,12 @@ unsigned found_one;
/* passed */
if (found_one != 0)
return 1;
- else /* nothing was found */
- return gnutls_assert_val(0);
+ else {
+ /* no name was found. According to RFC5280:
+ * If no name of the type is in the certificate, the certificate is acceptable.
+ */
+ return gnutls_assert_val(1);
+ }
} else
return check_unsupported_constraint(nc, type);
}
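Review bot: In the GNUTLS_SAN_DNSNAME branch, returning 1 when the certificate carries no dNSName SAN leaves the subject CN entirely unconstrained; if the hostname verifier elsewhere still falls back to matching the CN when no dNSName SAN exists, a certificate from a dNSName-constrained CA that names its host only in the CN would pass this check and then be accepted for that host. The RFC 5280 rule the commit cites holds only if the verifier never treats a CN as a dNSName, which this hunk cannot guarantee on its own. Either apply the dNSName constraints to the subject CN before the accept return, or add a comment here such as `/* CN is not checked against dNSName constraints; callers must not fall back to CN matching when constraints are present */` so the assumption is explicit. The enclosing function starts before the hunk and closes on its last line.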