Allow multiple IDN xn-- indicators

Update the X509v3 name parsing to allow multiple xn-- international
domain name indicators in a name.  Previously, only allowed one at
the beginning of a name, which was wrong.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

crypto/x509v3/v3_utl.c

@@ -752,7 +752,7 @@ static const unsigned char *valid_star(const unsigned char *p, size_t len,
 			{
 			int atstart = (state & LABEL_START);
 			int atend = (i == len - 1 || p[i+i] == '.');
-			/*
+			/*-
 			 * At most one wildcard per pattern.
 			 * No wildcards in IDNA labels.
 			 * No wildcards after the first label.
@@ -769,45 +769,26 @@ static const unsigned char *valid_star(const unsigned char *p, size_t len,
 			star = &p[i];
 			state &= ~LABEL_START;
 			}
-		else if ((state & LABEL_START) != 0)
-			{
-			/*
-			 * At the start of a label, skip any "xn--" and
-			 * remain in the LABEL_START state, but set the
-			 * IDNA label state
-			 */
-			if ((state & LABEL_IDNA) == 0 && len - i >= 4
-			    && strncasecmp((char *)&p[i], "xn--", 4) == 0)
-				{
-				i += 3;
-				state |= LABEL_IDNA;
-				continue;
-				}
-			/* Labels must start with a letter or digit */
-			state &= ~LABEL_START;
-			if (('a' <= p[i] && p[i] <= 'z')
-			    || ('A' <= p[i] && p[i] <= 'Z')
-			    || ('0' <= p[i] && p[i] <= '9'))
-				continue;
-			return NULL;
-			}
 		else if (('a' <= p[i] && p[i] <= 'z')
 			 || ('A' <= p[i] && p[i] <= 'Z')
 			 || ('0' <= p[i] && p[i] <= '9'))
 			{
-			state &= LABEL_IDNA;
-			continue;
+			if ((state & LABEL_START) != 0
+			    && len - i >= 4
+			    && strncasecmp((char *)&p[i], "xn--", 4) == 0)
+				state |= LABEL_IDNA;
+			state &= ~(LABEL_HYPHEN|LABEL_START);
 			}
 		else if (p[i] == '.')
 			{
-			if (state & (LABEL_HYPHEN | LABEL_START))
+			if ((state & (LABEL_HYPHEN | LABEL_START)) != 0)
 				return NULL;
 			state = LABEL_START;
 			++dots;
 			}
 		else if (p[i] == '-')
 			{
-			if (state & LABEL_HYPHEN)
+			if ((state & LABEL_HYPHEN) != 0)
 				return NULL;
 			state |= LABEL_HYPHEN;
 			}