From: Nikos Mavrogiannopoulos
Date: Wed, 25 Mar 2015 07:38:47 +0000 (+0100)
Subject: name constraints: when no name of the type is found, accept the certificate
X-Git-Tag: gnutls_3_4_0~129
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cb4cb2af05cce9cbeb147d70f29128f2ceaf426e;p=thirdparty%2Fgnutls.git
name constraints: when no name of the type is found, accept the certificate
This follows RFC5280 advice closely. Reported by Fotis Loukos.
---
diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
index 0734283216..0090f9dd6a 100644
--- a/lib/x509/name_constraints.c
+++ b/lib/x509/name_constraints.c
@@ -672,8 +672,12 @@ unsigned found_one;
 /* passed */
 if (found_one != 0)
 return 1;
- else /* nothing was found */
- return gnutls_assert_val(0);
+ else {
+ /* no name was found. According to RFC5280:
+ * If no name of the type is in the certificate, the certificate is acceptable.
+ */
+ return gnutls_assert_val(1);
+ }
 } else if (type == GNUTLS_SAN_DNSNAME) {
 idx = found_one = 0;
 do {
@@ -733,8 +737,12 @@ unsigned found_one;
 /* passed */
 if (found_one != 0)
 return 1;
- else /* nothing was found */
- return gnutls_assert_val(0);
+ else {
+ /* no name was found. According to RFC5280:
+ * If no name of the type is in the certificate, the certificate is acceptable.
+ */
+ return gnutls_assert_val(1);
+ }
 } else
 return check_unsupported_constraint(nc, type);
 }
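Review bot: `return gnutls_assert_val(1);` in the new else branch logs a gnutls_assert() entry on what is now an accept path, so every chain whose certificate simply lacks a name of the checked type will emit failure-style debug output; a plain `return 1;` expresses the RFC rule without the spurious assertion, and the same applies to the second hunk at line 737. The new comment would read more precisely as `/* RFC 5280 4.2.1.10: if no name of the type is in the certificate, the certificate is acceptable. */`, naming the section the rule comes from. Accept-by-default is only as safe as the bookkeeping that sets found_one: if a name of the type can also come from somewhere other than the SAN loop shown here (the hunk does not show where found_one is set), that source must count too, or a certificate carrying the name only there would bypass the constraint — worth confirming in the part of the function outside these hunks. Both hunks now hold an identical five-line else block; a small static helper returning the "no name present" verdict would keep the two paths from drifting. The enclosing function begins before the first hunk.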