diff --git a/src/internal.c b/src/internal.c index 44cca779c..5d6a8fe3a 100644 --- a/src/internal.c +++ b/src/internal.c @@ -10168,23 +10168,22 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN) #if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) /* check if alt name is stored as IP addr octet */ if (altName->type == ASN_IP_TYPE) { - char tmp[4]; - int i; - word32 idx = 0; - for (i = 0; (idx < WOLFSSL_MAX_IPSTR) && (i < altName->len); i++) { - XMEMSET(tmp, 0, sizeof(tmp)); - XSNPRINTF(tmp, sizeof(tmp), (altName->len <= 4) ? "%u" : "%02X", - altName->name[i]); - idx += (word32)XSTRLEN(tmp); - XSTRNCAT(name, tmp, (altName->len <= 4) ? 3 : 2); - if ((idx < WOLFSSL_MAX_IPSTR ) && ((i + 1) < altName->len)) { - name[idx++] = (altName->len <= 4) ? '.' : ':'; + const unsigned char *ip = (const unsigned char*)altName->name; + if (altName->len == WOLFSSL_IP4_ADDR_LEN) { + XSNPRINTF(name, sizeof(name), "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]); + } + else if (altName->len == WOLFSSL_IP6_ADDR_LEN) { + int i; + for (i = 0; i < 8; i++) { + XSNPRINTF(name + i * 5, sizeof(name) - i * 5, "%02X%02X%s", + ip[2 * i], ip[2 * i + 1], (i < 7) ? ":" : ""); } } - if (idx >= WOLFSSL_MAX_IPSTR) { - idx = WOLFSSL_MAX_IPSTR -1; + else { + WOLFSSL_MSG("\tnot an IPv4 or IPv6 address"); + altName = altName->next; + continue; } - name[idx] = '\0'; buf = name; len = (word32)XSTRLEN(name); } diff --git a/tests/api.c b/tests/api.c index 8786331f5..0f3b0024c 100644 --- a/tests/api.c +++ b/tests/api.c @@ -32975,9 +32975,15 @@ static void test_wolfSSL_X509_sign(void) ASN_DNS_TYPE), SSL_SUCCESS); #if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) { - unsigned char ip_type[] = {127,0,0,1}; - AssertIntEQ(wolfSSL_X509_add_altname_ex(x509, (char*)ip_type, - sizeof(ip_type), ASN_IP_TYPE), SSL_SUCCESS); + unsigned char ip4_type[] = {127,128,0,255}; + unsigned char ip6_type[] = {0xdd, 0xcc, 0xba, 0xab, + 0xff, 0xee, 0x99, 0x88, + 0x77, 0x66, 0x55, 0x44, + 0x00, 0x33, 0x22, 0x11}; + AssertIntEQ(wolfSSL_X509_add_altname_ex(x509, (char*)ip4_type, + sizeof(ip4_type), ASN_IP_TYPE), SSL_SUCCESS); + AssertIntEQ(wolfSSL_X509_add_altname_ex(x509, (char*)ip6_type, + sizeof(ip6_type), ASN_IP_TYPE), SSL_SUCCESS); } #endif #endif /* WOLFSSL_ALT_NAMES */ @@ -32994,7 +33000,8 @@ static void test_wolfSSL_X509_sign(void) AssertIntEQ(X509_get_ext_count(x509), 1); #endif #if defined(WOLFSSL_ALT_NAMES) && (defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)) - AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.0.0.1", 0), 1); + AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.128.0.255", 0), 1); + AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, "DDCC:BAAB:FFEE:9988:7766:5544:0033:2211", 0), 1); #endif AssertIntEQ(wolfSSL_X509_get_serial_number(x509, sn, &snSz), @@ -33016,8 +33023,8 @@ static void test_wolfSSL_X509_sign(void) /* Valid case - size should be 798-797 with 16 byte serial number */ AssertTrue((ret == 781 + snSz) || (ret == 782 + snSz)); #elif defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) - /* Valid case - size should be 935-936 with 16 byte serial number */ - AssertTrue((ret == 919 + snSz) || (ret == 920 + snSz)); + /* Valid case - size should be 955-956 with 16 byte serial number */ + AssertTrue((ret == 939 + snSz) || (ret == 940 + snSz)); #else /* Valid case - size should be 926-927 with 16 byte serial number */ AssertTrue((ret == 910 + snSz) || (ret == 911 + snSz)); diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index b4f5daea8..d9b0812fe 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -570,6 +570,8 @@ struct WOLFSSL_X509_STORE { #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \ defined(WOLFSSL_WPAS_SMALL) || defined(WOLFSSL_IP_ALT_NAME) #define WOLFSSL_MAX_IPSTR 46 /* max ip size IPv4 mapped IPv6 */ + #define WOLFSSL_IP4_ADDR_LEN 4 + #define WOLFSSL_IP6_ADDR_LEN 16 #endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */ #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)