author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-03-25 08:38:47 +0100 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-03-25 10:41:03 +0100 |
commit | 29f4864c78e8eef78f7e3a329998d001ab9ecd07 (patch) | |
tree | 3151d9a7435ea8dac34f9395905e173a6272975a | |
parent | 57b8c09d6597efe36cfa2d2738d786081718b204 (diff) | |
name constraints: when no name of the type is found, accept the certificate
This follows RFC5280 advice closely. Reported by Fotis Loukos.
-rw-r--r-- | lib/x509/name_constraints.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
index 65ee409eb1..7a7ff7c6c0 100644
--- a/lib/x509/name_constraints.c
+++ b/lib/x509/name_constraints.c
@@ -672,8 +672,12 @@ unsigned found_one;
 /* passed */
 if (found_one != 0)
 return 1;
- else /* nothing was found */
- return gnutls_assert_val(0);
+ else {
+ /* no name was found. According to RFC5280:
+ * If no name of the type is in the certificate, the certificate is acceptable.
+ */
+ return gnutls_assert_val(1);
+ }
 } else if (type == GNUTLS_SAN_DNSNAME) {
 idx = found_one = 0;
 do {
@@ -733,8 +737,12 @@ unsigned found_one;
 /* passed */
 if (found_one != 0)
 return 1;
- else /* nothing was found */
- return gnutls_assert_val(0);
+ else {
+ /* no name was found. According to RFC5280:
+ * If no name of the type is in the certificate, the certificate is acceptable.
+ */
+ return gnutls_assert_val(1);
+ }
 } else
 return check_unsupported_constraint(nc, type);
 }
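Review bot: The new accept path in the first hunk returns `gnutls_assert_val(1)`, which wraps a now-legitimate success result in the library's assertion macro; if gnutls_assert_val logs an "ASSERT" entry the way the old failure path did, every certificate that simply lacks a name of the constrained type will now emit a spurious assertion in debug logs, and readers will take the line for an error path. Since both branches of this if/else now return 1, a plain `return 1;` under the RFC 5280 comment says what is meant without the side effect; the comment itself would be clearer as `/* RFC 5280 4.2.1.10: restrictions apply only when the name form is present; no name of this type, so the constraint is satisfied. */` and trimmed to the file's line width. The enclosing function and the branch this hunk belongs to start outside the hunk, so which name type it handles is not visible here.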
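Review bot: Flipping the empty case from reject to accept is only as safe as the enumeration that precedes it, and in the second hunk that enumeration is outside the view: the RFC 5280 rule quoted in the comment assumes every name "of the type" has been found, so if the GNUTLS_SAN_DNSNAME loop above this return only walks subjectAltName dNSName entries while hostname matching elsewhere in the library still falls back to the subject CN, a CA constrained to one domain could issue a CN-only certificate for any host and pass this check. That should be confirmed against the loop body and the hostname verifier before relying on the relaxation; if the CN is not consulted here, either enumerate it as a dNSName candidate or keep rejecting when a permitted-subtree exists and no name was found. The same `gnutls_assert_val(1)` on a success path appears here and would better be `return 1;`. The enclosing function starts outside the hunk.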