feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #3823 from per-allansson/checkaltname-fix

Browse Source 
wolfSSL_X509_check_ip_asc/CheckForAltName fixes
This commit is contained in:
David Garske
2021-07-29 08:08:06 -07:00
committed by GitHub
parent 0ec848e2bd c41f10e708
commit 9df4312c4e
3 changed files with 28 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/internal.c
View File

@@ -10168,23 +10168,22 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN)
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) #if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
/* check if alt name is stored as IP addr octet */ /* check if alt name is stored as IP addr octet */
if (altName->type == ASN_IP_TYPE) { if (altName->type == ASN_IP_TYPE) {
char tmp[4]; const unsigned char *ip = (const unsigned char*)altName->name;
int i; if (altName->len == WOLFSSL_IP4_ADDR_LEN) {
word32 idx = 0; XSNPRINTF(name, sizeof(name), "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]);
for (i = 0; (idx < WOLFSSL_MAX_IPSTR) && (i < altName->len); i++) { }
XMEMSET(tmp, 0, sizeof(tmp)); else if (altName->len == WOLFSSL_IP6_ADDR_LEN) {
XSNPRINTF(tmp, sizeof(tmp), (altName->len <= 4) ? "%u" : "%02X", int i;
altName->name[i]); for (i = 0; i < 8; i++) {
idx += (word32)XSTRLEN(tmp); XSNPRINTF(name + i * 5, sizeof(name) - i * 5, "%02X%02X%s",
XSTRNCAT(name, tmp, (altName->len <= 4) ? 3 : 2); ip[2 * i], ip[2 * i + 1], (i < 7) ? ":" : "");
if ((idx < WOLFSSL_MAX_IPSTR ) && ((i + 1) < altName->len)) {
name[idx++] = (altName->len <= 4) ? '.' : ':';
} }
} }
if (idx >= WOLFSSL_MAX_IPSTR) { else {
idx = WOLFSSL_MAX_IPSTR -1; WOLFSSL_MSG("\tnot an IPv4 or IPv6 address");
altName = altName->next;
continue;
} }
name[idx] = '\0';
buf = name; buf = name;
len = (word32)XSTRLEN(name); len = (word32)XSTRLEN(name);
} }

19
tests/api.c
View File

@@ -32975,9 +32975,15 @@ static void test_wolfSSL_X509_sign(void)
ASN_DNS_TYPE), SSL_SUCCESS); ASN_DNS_TYPE), SSL_SUCCESS);
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) #if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
{ {
unsigned char ip_type[] = {127,0,0,1}; unsigned char ip4_type[] = {127,128,0,255};
AssertIntEQ(wolfSSL_X509_add_altname_ex(x509, (char*)ip_type, unsigned char ip6_type[] = {0xdd, 0xcc, 0xba, 0xab,
sizeof(ip_type), ASN_IP_TYPE), SSL_SUCCESS); 0xff, 0xee, 0x99, 0x88,
0x77, 0x66, 0x55, 0x44,
0x00, 0x33, 0x22, 0x11};
AssertIntEQ(wolfSSL_X509_add_altname_ex(x509, (char*)ip4_type,
sizeof(ip4_type), ASN_IP_TYPE), SSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_add_altname_ex(x509, (char*)ip6_type,
sizeof(ip6_type), ASN_IP_TYPE), SSL_SUCCESS);
} }
#endif #endif
#endif /* WOLFSSL_ALT_NAMES */ #endif /* WOLFSSL_ALT_NAMES */
@@ -32994,7 +33000,8 @@ static void test_wolfSSL_X509_sign(void)
AssertIntEQ(X509_get_ext_count(x509), 1); AssertIntEQ(X509_get_ext_count(x509), 1);
#endif #endif
#if defined(WOLFSSL_ALT_NAMES) && (defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)) #if defined(WOLFSSL_ALT_NAMES) && (defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME))
AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.0.0.1", 0), 1); AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.128.0.255", 0), 1);
AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, "DDCC:BAAB:FFEE:9988:7766:5544:0033:2211", 0), 1);
#endif #endif
AssertIntEQ(wolfSSL_X509_get_serial_number(x509, sn, &snSz), AssertIntEQ(wolfSSL_X509_get_serial_number(x509, sn, &snSz),
@@ -33016,8 +33023,8 @@ static void test_wolfSSL_X509_sign(void)
/* Valid case - size should be 798-797 with 16 byte serial number */ /* Valid case - size should be 798-797 with 16 byte serial number */
AssertTrue((ret == 781 + snSz) || (ret == 782 + snSz)); AssertTrue((ret == 781 + snSz) || (ret == 782 + snSz));
#elif defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) #elif defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
/* Valid case - size should be 935-936 with 16 byte serial number */ /* Valid case - size should be 955-956 with 16 byte serial number */
AssertTrue((ret == 919 + snSz) || (ret == 920 + snSz)); AssertTrue((ret == 939 + snSz) || (ret == 940 + snSz));
#else #else
/* Valid case - size should be 926-927 with 16 byte serial number */ /* Valid case - size should be 926-927 with 16 byte serial number */
AssertTrue((ret == 910 + snSz) || (ret == 911 + snSz)); AssertTrue((ret == 910 + snSz) || (ret == 911 + snSz));

2
wolfssl/ssl.h
View File

@@ -570,6 +570,8 @@ struct WOLFSSL_X509_STORE {
#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \ #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \
defined(WOLFSSL_WPAS_SMALL) || defined(WOLFSSL_IP_ALT_NAME) defined(WOLFSSL_WPAS_SMALL) || defined(WOLFSSL_IP_ALT_NAME)
#define WOLFSSL_MAX_IPSTR 46 /* max ip size IPv4 mapped IPv6 */ #define WOLFSSL_MAX_IPSTR 46 /* max ip size IPv4 mapped IPv6 */
#define WOLFSSL_IP4_ADDR_LEN 4
#define WOLFSSL_IP6_ADDR_LEN 16
#endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */ #endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)