Commit fce540139a for openssl.org

commit fce540139a7cf4de64d9ce8e17b9180778e12f4e
Author: Mounir IDRASSI <mounir.idrassi@idrix.fr>
Date:   Wed Jul 1 23:43:18 2026 +0900

    x509: avoid NULL memcmp argument in nc_dn()

    An empty directoryName constraint has canon_enc == NULL and
    canon_enclen == 0. nc_dn() must not pass that pointer to
    memcmp(), even with a zero length.

    Return X509_V_OK before comparing an empty base Name. This preserves
    current match semantics and avoids UBSan-visible undefined behaviour.

    Fixes #31687
    Fixes #31688

    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
    MergeDate: Fri Jul 10 15:51:01 2026
    (Merged from https://github.com/openssl/openssl/pull/31814)

diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c
index 8217bedc7b..5f2710e9f5 100644
--- a/crypto/x509/v3_ncons.c
+++ b/crypto/x509/v3_ncons.c
@@ -615,6 +615,12 @@ static int nc_dn(const X509_NAME *nm, const X509_NAME *base)
         return X509_V_ERR_OUT_OF_MEM;
     if (base->canon_enclen > nm->canon_enclen)
         return X509_V_ERR_PERMITTED_VIOLATION;
+    /*
+     * An empty base Name has no canonical encoding (canon_enc == NULL) and is
+     * a prefix of every Name, so it matches unconditionally.
+     */
+    if (base->canon_enclen == 0)
+        return X509_V_OK;
     if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
         return X509_V_ERR_PERMITTED_VIOLATION;
     return X509_V_OK;