From cc053da651621c8b1ca262a8d5d32253783f1022 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Tue, 14 Feb 2006 11:36:00 +0000
Subject: [PATCH] Try handle name constraints a little bit better.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16740 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/hx509/cert.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index a88b252ce..5c1f5ce0a 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -293,7 +293,7 @@ find_extension(const Certificate *cert, const heim_oid *oid, int *idx)

 for (;*idx < c->extensions->len; (*idx)++) {
 if (heim_oid_cmp(&c->extensions->val[*idx].extnID, oid) == 0)
- return &c->extensions->val[*idx];
+ return &c->extensions->val[(*idx)++];
 }
 return NULL;
 }
@@ -907,16 +907,15 @@ match_RDN(const RelativeDistinguishedName *c,
 static int
 match_X501Name(const Name *c, const Name *n)
 {
- int i, j, ret;
+ int i, ret;

 if (c->element != choice_Name_rdnSequence
 || n->element != choice_Name_rdnSequence)
 return 0;
 if (c->u.rdnSequence.len > n->u.rdnSequence.len)
 return HX509_NAME_CONSTRAINT_ERROR;
- for (i = c->u.rdnSequence.len - 1, j = n->u.rdnSequence.len - 1;
- i >= 0; i--, j--) {
- ret = match_RDN(&c->u.rdnSequence.val[i], &c->u.rdnSequence.val[j]);
+ for (i = 0; i < c->u.rdnSequence.len; i++) {
+ ret = match_RDN(&c->u.rdnSequence.val[i], &n->u.rdnSequence.val[i]);
 if (ret)
 return ret;
 }
@@ -927,6 +926,10 @@ match_X501Name(const Name *c, const Name *n)
 static int
 match_general_name(const GeneralName *c, const GeneralName *n)
 {
+ /*
+ * Name constraints only apply to the same name type, see RFC3280,
+ * 4.2.1.11.
+ */
 if (c->element != n->element)
 return 0;

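Review bot: The post-increment in `return &c->extensions->val[(*idx)++];` turns `idx` into a resume cursor, but nothing on find_extension documents that contract. A caller that still advances `*idx` itself after a hit would now step over the following extension, which matters when the skipped entry is one the path validator has to see; the callers are outside this hunk, so that needs checking. I would add a header comment such as `/* On a match *idx is advanced past the returned extension, so calling again continues with the next one. */`. find_extension's opening lines are outside the hunk.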
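Review bot: In match_X501Name the new loop reads `n->u.rdnSequence.val[i]` for every `i` below `c->u.rdnSequence.len`, and only the length check two statements earlier keeps that index in bounds. That dependency, and the move from matching at the end of the sequence to matching at the start, deserve a comment above the `for`, for example `/* c must be a leading prefix of n; the length check above bounds the index into n */`. `i` is still an `int` compared against `len`, which looks like an unsigned count (its declaration is not visible here), so `unsigned int i` would avoid the mixed-sign comparison. The function's closing lines are outside the hunk.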
@@ -1041,7 +1044,7 @@ match_tree(const GeneralSubtrees *t, const Certificate *c, int *match)
 for (i = 0; i < t->len; i++) {
 if (t->val[i].minimum && t->val[i].maximum)
 return HX509_RANGE;
- if (match_name(&t->val[i].base, c))
+ if (match_name(&t->val[i].base, c) == 0)
 *match = 1;
 }
 return 0;
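Review bot: Treating `match_name(...) == 0` as a hit in match_tree makes 0 mean "the name lies inside this subtree", yet match_general_name (the previous hunk) also returns 0 when the constraint and the name are of different types, and match_X501Name returns 0 for a non-rdnSequence choice. If match_name forwards those values (it is not visible here), a subtree that does not apply to the name at all still sets `*match = 1`. For an excluded subtree that would reject an unrelated certificate, and for a permitted subtree it would accept one without any comparison having been made. A distinct "not applicable" result would separate the two cases, for example `match_general_name(const GeneralName *c, const GeneralName *n, int *match)` setting `*match` only after a real comparison succeeds and keeping the return value for errors. match_tree's opening lines are outside the hunk.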