feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Adding support for IP address verification

Browse Source
This commit is contained in:
Eric Blankenhorn
2019-10-30 16:21:31 -05:00
parent 9fc33e461c
commit 58d800fbb7
4 changed files with 28 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
src/internal.c
View File

@@ -8746,7 +8746,6 @@ int CheckAltNames(DecodedCert* dCert, char* domain)
return match; return match;
} }
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
/* Check that alternative names, if they exists, match the domain. /* Check that alternative names, if they exists, match the domain.
* Fail if there are wild patterns and they didn't match. * Fail if there are wild patterns and they didn't match.
@@ -8818,6 +8817,13 @@ int CheckHostName(DecodedCert* dCert, char *domainName, size_t domainNameLen)
return 0; return 0;
} }
int CheckIPAddr(DecodedCert* dCert, char* ipasc)
{
WOLFSSL_MSG("Checking IPAddr");
return CheckHostName(dCert, ipasc, (size_t)XSTRLEN(ipasc));
}
#endif #endif
#ifdef SESSION_CERTS #ifdef SESSION_CERTS
@@ -9357,6 +9363,14 @@ static int DoVerifyCallback(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args)
} }
} }
} }
/* perform IP address check on the peer certificate */
if ((args->dCertInit != 0) && (args->dCert != NULL) &&
(ssl->param != NULL) && (XSTRLEN(ssl->param->ipasc) > 0)) {
if (CheckIPAddr(args->dCert, ssl->param->ipasc) == 0) {
return VERIFY_CERT_ERROR;
}
}
#endif #endif
/* if verify callback has been set */ /* if verify callback has been set */
if (use_cb && ssl->verifyCallback) { if (use_cb && ssl->verifyCallback) {

5
src/ssl.c
View File

@@ -23006,8 +23006,13 @@ int wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(WOLFSSL_X509_VERIFY_PARAM *param,
int ret = WOLFSSL_FAILURE; int ret = WOLFSSL_FAILURE;
if (param != NULL) { if (param != NULL) {
if (ipasc == NULL) {
param->ipasc[0] = '\0';
}
else {
XSTRNCPY(param->ipasc, ipasc, WOLFSSL_MAX_IPSTR-1); XSTRNCPY(param->ipasc, ipasc, WOLFSSL_MAX_IPSTR-1);
param->ipasc[WOLFSSL_MAX_IPSTR-1] = '\0'; param->ipasc[WOLFSSL_MAX_IPSTR-1] = '\0';
}
ret = WOLFSSL_SUCCESS; ret = WOLFSSL_SUCCESS;
} }

3
tests/api.c
View File

@@ -21920,6 +21920,9 @@ static void test_wolfSSL_X509_VERIFY_PARAM(void)
AssertIntEQ(1, ret); AssertIntEQ(1, ret);
AssertIntEQ(0, XSTRNCMP(param->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); AssertIntEQ(0, XSTRNCMP(param->ipasc, testIPv4, WOLFSSL_MAX_IPSTR));
ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, NULL);
AssertIntEQ(1, ret);
ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, testIPv6); ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, testIPv6);
AssertIntEQ(1, ret); AssertIntEQ(1, ret);
AssertIntEQ(0, XSTRNCMP(param->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); AssertIntEQ(0, XSTRNCMP(param->ipasc, testIPv6, WOLFSSL_MAX_IPSTR));

3
wolfssl/internal.h
View File

@@ -1666,6 +1666,9 @@ WOLFSSL_LOCAL int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_LOCAL int MatchDomainName(const char* pattern, int len, const char* str); WOLFSSL_LOCAL int MatchDomainName(const char* pattern, int len, const char* str);
#ifndef NO_CERTS #ifndef NO_CERTS
WOLFSSL_LOCAL int CheckAltNames(DecodedCert* dCert, char* domain); WOLFSSL_LOCAL int CheckAltNames(DecodedCert* dCert, char* domain);
#ifdef OPENSSL_EXTRA
WOLFSSL_LOCAL int CheckIPAddr(DecodedCert* dCert, char* ipasc);
#endif
#endif #endif
WOLFSSL_LOCAL int CreateTicket(WOLFSSL* ssl); WOLFSSL_LOCAL int CreateTicket(WOLFSSL* ssl);
WOLFSSL_LOCAL int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz); WOLFSSL_LOCAL int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz);