RT3662: Allow leading . in nameConstraints

Change by SteveH from original by John Denker (in the RT)

Reviewed-by: Rich Salz <rsalz@openssl.org>

diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 06520fee4114a933b49b3e6d0f0f416aaf9f5e8c..25c18551493325ef546d1f76177e8949be74274a 100644 (file)
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -405,7 +405,7 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
        if (dns->length > base->length)
                {
                dnsptr += dns->length - base->length;
-               if (dnsptr[-1] != '.')
+               if (*baseptr != '.' && dnsptr[-1] != '.')
                        return X509_V_ERR_PERMITTED_VIOLATION;
                }