[gnutls-devel] GnuTLS | X509:Fix incorrect handling in name constraints merging (!1997)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Wed Aug 6 09:42:05 CEST 2025
chenjianhu commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1997#note_2671663997
Prior to this commit, after I modified `nc1` to `nc2` in `tests/name-constraints-merge.c:112`
```diff
diff --git a/tests/name-constraints-merge.c b/tests/name-constraints-merge.c
index 03b3243cc..c8e99c63a 100644
--- a/tests/name-constraints-merge.c
+++ b/tests/name-constraints-merge.c
@@ -109,7 +109,7 @@ void doit(void)
set_name("ccc.com", &name);
ret = gnutls_x509_name_constraints_add_permitted(
- nc1, GNUTLS_SAN_RFC822NAME, &name);
+ nc2, GNUTLS_SAN_RFC822NAME, &name);
check_for_error(ret);
```
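Review bot: At the `gnutls_x509_name_constraints_add_permitted(` call for "ccc.com", switching `nc1` to `nc2` edits the existing case in place, so the original arrangement with the RFC822NAME constraint on `nc1` is no longer exercised. If this is meant to become the regression test for the fix, add it as a separate case next to the existing one so both placements are checked, and put a short comment above it saying which merge behaviour it covers.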
I got the error:
```console
[root at localhost gnutls-3.8.2]# ./tests/name-constraints-merge
check_test_result:59: Checking "xxx.ccc.com" should have failed (suite 0).
```
After applying this commit
```diff
diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
index 3c6e30630..2be6a2aaa 100644
--- a/lib/x509/name_constraints.c
+++ b/lib/x509/name_constraints.c
@@ -414,7 +414,10 @@ static int name_constraints_node_list_intersect(
gnutls_assert();
goto cleanup;
}
- used = 1;
+
+ if (t->type == t2->type)
+ used = 1;
+
// if intersection is not empty
if (tmp !=
NULL) { // intersection for this type is not empty
```
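Review bot: The new `if (t->type == t2->type)` guard around `used = 1;` has no comment explaining why a node of a different type must leave `used` unset, and the hunk does not show how `used` is consumed afterwards. Please add a one-line comment stating the intent, and have the test suite cover both the matching-type and the differing-type case so the behaviour when `used` stays 0 is pinned down. While touching this spot, the two adjacent comments `// if intersection is not empty` and `// intersection for this type is not empty` say the same thing and could be reduced to one.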
the test case 'name-constraints-merge' can pass.