x059: Fix asymmetry in name constraints intersection

- In _gnutls_name_constraints_intersect, if *_nc had a node of some type not present in _nc2, this was preserved. However, if it was vice versa (_nc2 having a type not present in *_nc), this node was discarded.
- This is now fixed.
- Removed redundant return value check that was accidentally left when refactoring from set_datum to explicit NULL setting.

Signed-off-by: Martin Ukrop <mukrop@redhat.com>

diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
index 2f743a2dd5cb354be2c05db1d0e530354d87fb1e..1b448a4132caa36c9c02334841d8fd5416ffc50c 100644 (file)
--- a/lib/x509/name_constraints.c
+++ b/lib/x509/name_constraints.c
@@ -156,7 +156,7 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc,
                                           name_constraints_node_st ** _nc_excluded)
 {
        name_constraints_node_st *nc, *nc2, *t, *tmp, *dest = NULL, *prev = NULL;
-       int ret, type;
+       int ret, type, used;
 
        /* temporary array to see, if we need to add universal excluded constraints
         * (see phase 3 for details)
@@ -206,11 +206,15 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc,
         * and create intersections of nodes with same type */
        nc2 = _nc2;
        while (nc2 != NULL) {
+               // current nc2 node has not yet been used for any intersection
+               // (and is not in DEST either)
+               used = 0;
                t = nc;
                while (t != NULL) {
                        // save intersection of name constraints into tmp
                        ret = name_constraints_intersect_nodes(t, nc2, &tmp);
                        if (ret < 0) return gnutls_assert_val(ret);
+                       used = 1;
                        // if intersection is not empty
                        if (tmp != NULL) { // intersection for this type is not empty
                                // check bounds
@@ -226,6 +230,22 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc,
                        }
                        t = t->next;
                }
+               // if the node from nc2 was not used for intersection, copy it to DEST
+               if (!used) {
+                       tmp = gnutls_malloc(sizeof(struct name_constraints_node_st));
+                       if (tmp == NULL) {
+                               _gnutls_name_constraints_node_free(dest);
+                               return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+                       }
+                       tmp->type = nc2->type;
+                       ret = _gnutls_set_datum(&tmp->name, nc2->name.data, nc2->name.size);
+                       if (ret < 0) {
+                               _gnutls_name_constraints_node_free(dest);
+                               return gnutls_assert_val(ret);
+                       }
+                       tmp->next = dest;
+                       dest = tmp;
+               }
                nc2 = nc2->next;
        }
 
@@ -250,10 +270,6 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc,
                tmp->type = type;
                tmp->name.data = NULL;
                tmp->name.size = 0;
-               if (ret < 0) {
-                       _gnutls_name_constraints_node_free(tmp);
-                       return gnutls_assert_val(ret);
-               }
                tmp->next = *_nc_excluded;
                *_nc_excluded = tmp;
        }