author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2018-05-16 05:41:20 +0200 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2018-05-23 17:12:13 +0200 |
commit | d02d80b2e80adfdde49f76cf7c7af4e013f45005 (patch) | |
tree | e9e137e02f0751435765ff251b07d58f710213e0 /crypto/include | |
parent | Use the client app traffic secret for PHA Finished message (diff) | |
Limit scope of CN name constraints

Don't apply DNS name constraints to the subject CN when there's at
least one DNS-ID subjectAlternativeName.

Don't apply DNS name constraints to subject CN's that are sufficiently
unlike DNS names. Checked name must have at least two labels, with
all labels non-empty, no trailing '.' and all hyphens must be
internal in each label. In addition to the usual LDH characters,
we also allow "_", since some sites use these for hostnames despite
all the standards.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'crypto/include')
-rw-r--r-- | crypto/include/internal/asn1_int.h | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/crypto/include/internal/asn1_int.h b/crypto/include/internal/asn1_int.h index fdd5f1e648..962c3c6302 100644 --- a/crypto/include/internal/asn1_int.h +++ b/crypto/include/internal/asn1_int.h @@ -107,5 +107,4 @@ struct asn1_pctx_st { unsigned long str_flags; } /* ASN1_PCTX */ ; -int asn1_valid_host(const ASN1_STRING *host); int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb); |
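Review bot: the removed line `int asn1_valid_host(const ASN1_STRING *host);` takes the helper's prototype out of the internal header, but the commit message never says what happens to the function itself. Since this view is limited to crypto/include, please confirm that the same commit removes the definition and every caller, or makes the function static, so that nothing is left calling it without a declaration. A sentence in the commit message naming asn1_valid_host as superseded by the new CN check would make the removal easier to trace later. The rules listed in the message (at least two labels, no empty labels, no trailing '.', hyphens only internal, "_" accepted) each deserve a test case in the part of the change that implements them, as does the case where a DNS-ID subjectAlternativeName is present and the CN must be skipped.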