commit e5b870d2bf3724179a70e2a72b6662046bd81cc7
Author: John Denker
Date: Sat Sep 6 22:10:42 2014 -0700
In the permitted or excluded names, a leading dot makes sense. Check for this, but also tolerate its absence.
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 11ab5a1..257d3d2 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -391,6 +391,14 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
 {
 char *baseptr = (char *)base->data;
 char *dnsptr = (char *)dns->data;
+ int baselen = base->length;
+ /* In the base, a leading '.' is nice, but we tolerate its absence:
+ */
+ if (*baseptr == '.')
+ {
+ baseptr++;
+ baselen--;
+ }
 /* Empty matches everything */
 if (!*baseptr)
 return X509_V_OK;
@@ -398,9 +406,9 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
 * compare RHS and if dns is longer and expect '.' as preceding
 * character.
 */
- if (dns->length > base->length)
+ if (dns->length > baselen)
 {
- dnsptr += dns->length - base->length;
+ dnsptr += dns->length - baselen;
 if (dnsptr[-1] != '.')
 return X509_V_ERR_PERMITTED_VIOLATION;
 }
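Review bot: Discarding the leading '.' silently widens what a dotted base matches: once `baseptr++`/`baselen--` have run, a base of `.example.com` and a dNSName of exactly `example.com` have equal lengths, so the preceding-'.' check in the second hunk is skipped and the name is accepted as if the constraint had been written without the dot. In RFC 5280 the leading-dot form (used for URI constraints) denotes subdomains only and excludes the host itself; if that is the intended reading for dNSName too, remember the dot instead of dropping it, e.g. `int strict = (*baseptr == '.');` next to the new `baselen` declaration and, inside the second hunk's `if`, make the enclosing condition `if (strict || dns->length > baselen)` so an equal-length name with a strict base reaches the `dnsptr[-1]` check and fails. Whichever semantics is chosen, the new comment should state it explicitly, e.g. `/* A leading '.' in the base is tolerated; ".example.com" matches example.com and any subdomain (same as "example.com"). */`, and should note that a base consisting only of "." collapses to the empty base and therefore matches everything. nc_dns continues past both hunks, so the final name comparison that consumes `baseptr` is not visible here.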
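Review bot: The length arithmetic now uses `baselen` while the rest of nc_dns, below this hunk and outside the diff, is not shown; any remaining use of `base->length` there (for example a length-bounded compare against the advanced `baseptr`) would now be off by one and read one byte past the base, so please confirm the tail of the function was updated or only uses NUL-terminated compares. Note also that `baselen` is taken from `base->length` whereas `*baseptr` walks the data as a C string; if a base's string length and its ASN1 length can disagree (an embedded NUL), the two views of the same name diverge at the `dns->length > baselen` test, and a one-line guard such as `if (strlen(baseptr) != (size_t)baselen) return X509_V_ERR_PERMITTED_VIOLATION;` after the dot handling would keep them consistent; this was already the case before the commit, so I raise it only because the commit touches exactly this comparison.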