feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #3823 from per-allansson/checkaltname-fix

Browse Source 
wolfSSL_X509_check_ip_asc/CheckForAltName fixes
This commit is contained in:
David Garske
2021-07-29 08:08:06 -07:00
committed by GitHub
parent 0ec848e2bd c41f10e708
commit 9df4312c4e
3 changed files with 28 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/internal.c
View File

@@ -10168,23 +10168,22 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN)
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
/* check if alt name is stored as IP addr octet */
if (altName->type == ASN_IP_TYPE) {
char tmp[4];
int i;
word32 idx = 0;
for (i = 0; (idx < WOLFSSL_MAX_IPSTR) && (i < altName->len); i++) {
XMEMSET(tmp, 0, sizeof(tmp));
XSNPRINTF(tmp, sizeof(tmp), (altName->len <= 4) ? "%u" : "%02X",
altName->name[i]);
idx += (word32)XSTRLEN(tmp);
XSTRNCAT(name, tmp, (altName->len <= 4) ? 3 : 2);
if ((idx < WOLFSSL_MAX_IPSTR ) && ((i + 1) < altName->len)) {
name[idx++] = (altName->len <= 4) ? '.' : ':';
const unsigned char *ip = (const unsigned char*)altName->name;
if (altName->len == WOLFSSL_IP4_ADDR_LEN) {
XSNPRINTF(name, sizeof(name), "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]);
}
else if (altName->len == WOLFSSL_IP6_ADDR_LEN) {
int i;
for (i = 0; i < 8; i++) {
XSNPRINTF(name + i * 5, sizeof(name) - i * 5, "%02X%02X%s",
ip[2 * i], ip[2 * i + 1], (i < 7) ? ":" : "");
}
}
if (idx >= WOLFSSL_MAX_IPSTR) {
idx = WOLFSSL_MAX_IPSTR -1;
else {
WOLFSSL_MSG("\tnot an IPv4 or IPv6 address");
altName = altName->next;
continue;
}
name[idx] = '\0';
buf = name;
len = (word32)XSTRLEN(name);
}

19
tests/api.c
View File

@@ -32975,9 +32975,15 @@ static void test_wolfSSL_X509_sign(void)
ASN_DNS_TYPE), SSL_SUCCESS);
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
{
unsigned char ip_type[] = {127,0,0,1};
AssertIntEQ(wolfSSL_X509_add_altname_ex(x509, (char*)ip_type,
sizeof(ip_type), ASN_IP_TYPE), SSL_SUCCESS);
unsigned char ip4_type[] = {127,128,0,255};
unsigned char ip6_type[] = {0xdd, 0xcc, 0xba, 0xab,
0xff, 0xee, 0x99, 0x88,
0x77, 0x66, 0x55, 0x44,
0x00, 0x33, 0x22, 0x11};
AssertIntEQ(wolfSSL_X509_add_altname_ex(x509, (char*)ip4_type,
sizeof(ip4_type), ASN_IP_TYPE), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_add_altname_ex(x509, (char*)ip6_type,
sizeof(ip6_type), ASN_IP_TYPE), SSL_SUCCESS);
}
#endif
#endif /* WOLFSSL_ALT_NAMES */
@@ -32994,7 +33000,8 @@ static void test_wolfSSL_X509_sign(void)
AssertIntEQ(X509_get_ext_count(x509), 1);
#endif
#if defined(WOLFSSL_ALT_NAMES) && (defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME))
AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.0.0.1", 0), 1);
AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.128.0.255", 0), 1);
AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, "DDCC:BAAB:FFEE:9988:7766:5544:0033:2211", 0), 1);
#endif
AssertIntEQ(wolfSSL_X509_get_serial_number(x509, sn, &snSz),
@@ -33016,8 +33023,8 @@ static void test_wolfSSL_X509_sign(void)
/* Valid case - size should be 798-797 with 16 byte serial number */
AssertTrue((ret == 781 + snSz) || (ret == 782 + snSz));
#elif defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
/* Valid case - size should be 935-936 with 16 byte serial number */
AssertTrue((ret == 919 + snSz) || (ret == 920 + snSz));
/* Valid case - size should be 955-956 with 16 byte serial number */
AssertTrue((ret == 939 + snSz) || (ret == 940 + snSz));
#else
/* Valid case - size should be 926-927 with 16 byte serial number */
AssertTrue((ret == 910 + snSz) || (ret == 911 + snSz));

2
wolfssl/ssl.h
View File

@@ -570,6 +570,8 @@ struct WOLFSSL_X509_STORE {
#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \
defined(WOLFSSL_WPAS_SMALL) || defined(WOLFSSL_IP_ALT_NAME)
#define WOLFSSL_MAX_IPSTR 46 /* max ip size IPv4 mapped IPv6 */
#define WOLFSSL_IP4_ADDR_LEN 4
#define WOLFSSL_IP6_ADDR_LEN 16
#endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)