1 files changed, 46 insertions, 3 deletions

diff --git a/lib/x509/dn.c b/lib/x509/dn.c
index 8d428e9b3f..33739e2271 100644
--- a/lib/x509/dn.c
+++ b/lib/x509/dn.c
@@ -982,13 +982,56 @@ int
 _gnutls_x509_compare_raw_dn(const gnutls_datum_t * dn1,
 			    const gnutls_datum_t * dn2)
 {
+	int ret;
+	gnutls_datum_t str1, str2;
+
+	/* Simple case of completely identical? */
+
+	if (dn1->size == dn2->size) {
+		if (memcmp(dn1->data, dn2->data, dn2->size) == 0) {
+			return 1;
+		}
+	}
+
+	/* RFC5280 (https://tools.ietf.org/html/rfc5280#section-7.1)
+	 * requires that the LDAP StringPrep profile and caseIgnoreMatch
+	 * must be used for this comparison. We do not use that but
+	 * instead we do a simpler comparison that ignores the tags used
+	 * such as `UTF8String` and `PrintableString`. */
 
-	if (dn1->size != dn2->size) {
+	if ((dn1->size == 0) || (dn2->size == 0)) {
+		gnutls_assert();
+		return 0;
+	}
+
+	ret = gnutls_x509_rdn_get2(dn1, &str1, 0);
+	if (ret < 0) {
+		gnutls_assert();
 		return 0;
 	}
-	if (memcmp(dn1->data, dn2->data, dn2->size) != 0) {
+
+	ret = gnutls_x509_rdn_get2(dn2, &str2, 0);
+	if (ret < 0) {
 		gnutls_assert();
+		_gnutls_free_datum(&str1);
 		return 0;
 	}
-	return 1;		/* they match */
+
+	if (str1.size != str2.size) {
+		ret = 0;
+		goto cleanup;
+	}
+	if (memcmp(str1.data, str2.data, str2.size) != 0) {
+		gnutls_assert();
+		ret = 0;
+		goto cleanup;
+	}
+
+	ret = 1;		/* they match */
+
+cleanup:
+	_gnutls_free_datum(&str1);
+	_gnutls_free_datum(&str2);
+
+	return ret;
 }