Adding support for IP address verification
@ -8746,7 +8746,6 @@ int CheckAltNames(DecodedCert* dCert, char* domain)
|
||||
return match;
|
||||
}
|
||||
|
||||
|
||||
#ifdef OPENSSL_EXTRA
|
||||
/* Check that alternative names, if they exists, match the domain.
|
||||
* Fail if there are wild patterns and they didn't match.
|
||||
@ -8818,6 +8817,13 @@ int CheckHostName(DecodedCert* dCert, char *domainName, size_t domainNameLen)
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int CheckIPAddr(DecodedCert* dCert, char* ipasc)
|
||||
{
|
||||
WOLFSSL_MSG("Checking IPAddr");
|
||||
|
||||
return CheckHostName(dCert, ipasc, (size_t)XSTRLEN(ipasc));
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef SESSION_CERTS
|
||||
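Review bot: CheckIPAddr at L39-L53 matches the ASCII address only by delegating to CheckHostName, whose own header comment at L20-L23 describes DNS-name and wildcard matching, so a certificate that carries the address as an iPAddress SAN (an octet string, not a dNSName) will apparently not match unless CheckAltNames, which is outside this hunk, already renders ASN_IP_TYPE entries into the same dotted or colon-separated text. Conversely a dNSName or CN that happens to contain the address text will match, and a wildcard name could match an address if MatchDomainName applies the wildcard to the leftmost label, whereas RFC 2818 §3.1 requires an exact match against the iPAddress SAN. Until the comparison is done against the parsed address in the ASN_IP_TYPE entries, the function should at least document its scope, e.g. `/* Compares ipasc as a literal string against the names CheckHostName consults; iPAddress SAN entries are not decoded here. */`.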
@ -9357,6 +9363,14 @@ static int DoVerifyCallback(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* perform IP address check on the peer certificate */
|
||||
if ((args->dCertInit != 0) && (args->dCert != NULL) &&
|
||||
(ssl->param != NULL) && (XSTRLEN(ssl->param->ipasc) > 0)) {
|
||||
if (CheckIPAddr(args->dCert, ssl->param->ipasc) == 0) {
|
||||
return VERIFY_CERT_ERROR;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
/* if verify callback has been set */
|
||||
if (use_cb && ssl->verifyCallback) {
|
||||
|
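Review bot: A failed CheckIPAddr at L87 returns VERIFY_CERT_ERROR immediately, before the `use_cb && ssl->verifyCallback` branch at L105, so an application verify callback never sees the mismatch and the caller receives a generic error instead of one that names an IP-address mismatch. If the remainder of DoVerifyCallback, which starts and ends outside this hunk, reports other failures by assigning `ret` and then letting the callback run, the IP check should follow that pattern with a dedicated mismatch code rather than returning early. The condition at L84 would also read more directly as `ssl->param->ipasc[0] != '\0'` than `XSTRLEN(ssl->param->ipasc) > 0`, since ipasc is a fixed-size array.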
@ -23006,8 +23006,13 @@ int wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(WOLFSSL_X509_VERIFY_PARAM *param,
|
||||
int ret = WOLFSSL_FAILURE;
|
||||
|
||||
if (param != NULL) {
|
||||
XSTRNCPY(param->ipasc, ipasc, WOLFSSL_MAX_IPSTR-1);
|
||||
param->ipasc[WOLFSSL_MAX_IPSTR-1] = '\0';
|
||||
if (ipasc == NULL) {
|
||||
param->ipasc[0] = '\0';
|
||||
}
|
||||
else {
|
||||
XSTRNCPY(param->ipasc, ipasc, WOLFSSL_MAX_IPSTR-1);
|
||||
param->ipasc[WOLFSSL_MAX_IPSTR-1] = '\0';
|
||||
}
|
||||
ret = WOLFSSL_SUCCESS;
|
||||
}
|
||||
|
||||
|
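Review bot: An `ipasc` of WOLFSSL_MAX_IPSTR-1 or more characters is silently truncated by the XSTRNCPY in the `else` branch at L138, yet the function still reports WOLFSSL_SUCCESS, so an over-long or malformed address string is stored as a different, shorter string that the peer-certificate IP check will later compare against. The NULL handling added at L126-L132 is fine, but the OpenSSL function this mirrors rejects input that does not parse as an address; at minimum change `else {` to `else if (XSTRLEN(ipasc) < WOLFSSL_MAX_IPSTR) {` and move `ret = WOLFSSL_SUCCESS;` into the NULL and copy branches so the over-long case leaves ret at WOLFSSL_FAILURE. The function's return statement is outside this hunk.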
@ -21920,6 +21920,9 @@ static void test_wolfSSL_X509_VERIFY_PARAM(void)
|
||||
AssertIntEQ(1, ret);
|
||||
AssertIntEQ(0, XSTRNCMP(param->ipasc, testIPv4, WOLFSSL_MAX_IPSTR));
|
||||
|
||||
ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, NULL);
|
||||
AssertIntEQ(1, ret);
|
||||
|
||||
ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, testIPv6);
|
||||
AssertIntEQ(1, ret);
|
||||
AssertIntEQ(0, XSTRNCMP(param->ipasc, testIPv6, WOLFSSL_MAX_IPSTR));
|
||||
|
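Review bot: The new assertion at L170 only checks that passing NULL returns success; it does not check that `param->ipasc` was actually cleared, and the testIPv6 call at L175 then overwrites the buffer, so a regression in which NULL left the previous IPv4 string in place would go unnoticed. Add `AssertIntEQ(0, XSTRLEN(param->ipasc));` after L170 to pin the clearing behaviour.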
@ -1666,6 +1666,9 @@ WOLFSSL_LOCAL int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
WOLFSSL_LOCAL int MatchDomainName(const char* pattern, int len, const char* str);
|
||||
#ifndef NO_CERTS
|
||||
WOLFSSL_LOCAL int CheckAltNames(DecodedCert* dCert, char* domain);
|
||||
#ifdef OPENSSL_EXTRA
|
||||
WOLFSSL_LOCAL int CheckIPAddr(DecodedCert* dCert, char* ipasc);
|
||||
#endif
|
||||
#endif
|
||||
WOLFSSL_LOCAL int CreateTicket(WOLFSSL* ssl);
|
||||
WOLFSSL_LOCAL int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz);
|
||||
|