forked from wolfSSL/wolfssl
Adding wolfSSL_X509_check_ip_asc
This commit is contained in:
Eric Blankenhorn
@ -9412,9 +9412,11 @@ int CheckAltNames(DecodedCert* dCert, char* domain)
|
||||
* dCert Decoded cert to get the alternative names from.
|
||||
* domain Domain name to compare against.
|
||||
* checkCN Whether to check the common name.
|
||||
* returns whether there was a problem in matching.
|
||||
* returns 1 : match was found.
|
||||
* 0 : no match found.
|
||||
* -1 : No matches and wild pattern match failed.
|
||||
*/
|
||||
static int CheckForAltNames(DecodedCert* dCert, char* domain, int* checkCN)
|
||||
static int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN)
|
||||
{
|
||||
int match;
|
||||
DNS_entry* altName = NULL;
|
||||
@ -9432,18 +9434,20 @@ static int CheckForAltNames(DecodedCert* dCert, char* domain, int* checkCN)
|
||||
if (MatchDomainName(altName->name, altName->len, domain)) {
|
||||
match = 1;
|
||||
*checkCN = 0;
|
||||
WOLFSSL_MSG("\tmatch found");
|
||||
break;
|
||||
}
|
||||
/* No matches and wild pattern match failed. */
|
||||
else if (altName->name && altName->len >=1 &&
|
||||
altName->name[0] == '*' && match == 0) {
|
||||
match = -1;
|
||||
WOLFSSL_MSG("\twildcard match failed");
|
||||
}
|
||||
|
||||
altName = altName->next;
|
||||
}
|
||||
|
||||
return match != -1;
|
||||
return match;
|
||||
}
|
||||
|
||||
/* Check the domain name matches the subject alternative name or the subject
|
||||
@ -9454,14 +9458,14 @@ static int CheckForAltNames(DecodedCert* dCert, char* domain, int* checkCN)
|
||||
* domainNameLen The length of the domain name.
|
||||
* returns DOMAIN_NAME_MISMATCH when no match found and 0 on success.
|
||||
*/
|
||||
int CheckHostName(DecodedCert* dCert, char *domainName, size_t domainNameLen)
|
||||
int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameLen)
|
||||
{
|
||||
int checkCN;
|
||||
|
||||
/* Assume name is NUL terminated. */
|
||||
(void)domainNameLen;
|
||||
|
||||
if (CheckForAltNames(dCert, domainName, &checkCN) == 0) {
|
||||
if (CheckForAltNames(dCert, domainName, &checkCN) != 1) {
|
||||
WOLFSSL_MSG("DomainName match on alt names failed too");
|
||||
return DOMAIN_NAME_MISMATCH;
|
||||
}
|
||||
@ -9476,7 +9480,7 @@ int CheckHostName(DecodedCert* dCert, char *domainName, size_t domainNameLen)
|
||||
return 0;
|
||||
}
|
||||
|
||||
int CheckIPAddr(DecodedCert* dCert, char* ipasc)
|
||||
int CheckIPAddr(DecodedCert* dCert, const char* ipasc)
|
||||
{
|
||||
WOLFSSL_MSG("Checking IPAddr");
|
||||
|
||||
|
||||
40
src/ssl.c
40
src/ssl.c
@ -43238,6 +43238,7 @@ int wolfSSL_X509_set_ex_data(X509 *x509, int idx, void *data)
|
||||
}
|
||||
#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
|
||||
|
||||
|
||||
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \
|
||||
|| defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
|
||||
|
||||
@ -43449,6 +43450,45 @@ int wolfSSL_X509_check_host(X509 *x, const char *chk, size_t chklen,
|
||||
return WOLFSSL_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
int wolfSSL_X509_check_ip_asc(WOLFSSL_X509 *x, const char *ipasc,
|
||||
unsigned int flags)
|
||||
{
|
||||
int ret = WOLFSSL_SUCCESS;
|
||||
DecodedCert dCert;
|
||||
|
||||
WOLFSSL_ENTER("wolfSSL_X509_check_ip_asc");
|
||||
|
||||
/* flags not yet implemented */
|
||||
(void)flags;
|
||||
|
||||
if ((x == NULL) || (x->derCert == NULL) || (ipasc == NULL)) {
|
||||
WOLFSSL_MSG("Invalid parameter");
|
||||
ret = WOLFSSL_FAILURE;
|
||||
}
|
||||
|
||||
if (ret == WOLFSSL_SUCCESS) {
|
||||
InitDecodedCert(&dCert, x->derCert->buffer, x->derCert->length, NULL);
|
||||
ret = ParseCertRelative(&dCert, CERT_TYPE, 0, NULL);
|
||||
if (ret != 0) {
|
||||
ret = WOLFSSL_FAILURE;
|
||||
}
|
||||
else {
|
||||
ret = CheckIPAddr(&dCert, ipasc);
|
||||
if (ret != 0) {
|
||||
ret = WOLFSSL_FAILURE;
|
||||
}
|
||||
else {
|
||||
ret = WOLFSSL_SUCCESS;
|
||||
}
|
||||
}
|
||||
FreeDecodedCert(&dCert);
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
int wolfSSL_i2a_ASN1_INTEGER(BIO *bp, const WOLFSSL_ASN1_INTEGER *a)
|
||||
{
|
||||
static char num[16] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
||||
|
||||
20
tests/api.c
20
tests/api.c
@ -29524,6 +29524,25 @@ static void test_wolfSSL_X509_check_ca(void){
|
||||
#endif
|
||||
}
|
||||
|
||||
static void test_wolfSSL_X509_check_ip_asc(void){
|
||||
#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
|
||||
WOLFSSL_X509 *x509;
|
||||
|
||||
printf(testingFmt, "wolfSSL_X509_check_ip_asc()");
|
||||
|
||||
x509 = wolfSSL_X509_load_certificate_file(cliCertFile, WOLFSSL_FILETYPE_PEM);
|
||||
#if 0
|
||||
/* TODO: add cert gen for testing positive case */
|
||||
AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.0.0.1", 0), 1);
|
||||
#endif
|
||||
AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, "0.0.0.0", 0), 0);
|
||||
AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, NULL, 0), 0);
|
||||
wolfSSL_X509_free(x509);
|
||||
|
||||
printf(resultFmt, passed);
|
||||
#endif
|
||||
}
|
||||
|
||||
static void test_wolfSSL_DC_cert(void)
|
||||
{
|
||||
#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) && \
|
||||
@ -34943,6 +34962,7 @@ void ApiTest(void)
|
||||
test_wolfSSL_IMPLEMENT_ASN1_FUNCTIONS();
|
||||
test_wolfSSL_i2c_ASN1_INTEGER();
|
||||
test_wolfSSL_X509_check_ca();
|
||||
test_wolfSSL_X509_check_ip_asc();
|
||||
test_wolfSSL_DC_cert();
|
||||
test_wolfSSL_DES_ncbc();
|
||||
test_wolfSSL_AES_cbc_encrypt();
|
||||
|
||||
@ -1690,7 +1690,7 @@ WOLFSSL_LOCAL int MatchDomainName(const char* pattern, int len, const char* str
|
||||
#ifndef NO_CERTS
|
||||
WOLFSSL_LOCAL int CheckAltNames(DecodedCert* dCert, char* domain);
|
||||
#ifdef OPENSSL_EXTRA
|
||||
WOLFSSL_LOCAL int CheckIPAddr(DecodedCert* dCert, char* ipasc);
|
||||
WOLFSSL_LOCAL int CheckIPAddr(DecodedCert* dCert, const char* ipasc);
|
||||
#endif
|
||||
#endif
|
||||
WOLFSSL_LOCAL int CreateTicket(WOLFSSL* ssl);
|
||||
@ -4244,7 +4244,7 @@ WOLFSSL_API void SSL_ResourceFree(WOLFSSL*); /* Micrium uses */
|
||||
WOLFSSL_CRL* crl, int verify);
|
||||
|
||||
#ifdef OPENSSL_EXTRA
|
||||
WOLFSSL_LOCAL int CheckHostName(DecodedCert* dCert, char *domainName,
|
||||
WOLFSSL_LOCAL int CheckHostName(DecodedCert* dCert, const char *domainName,
|
||||
size_t domainNameLen);
|
||||
#endif
|
||||
#endif
|
||||
|
||||
@ -411,6 +411,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
|
||||
#define X509_check_private_key wolfSSL_X509_check_private_key
|
||||
#define X509_check_ca wolfSSL_X509_check_ca
|
||||
#define X509_check_host wolfSSL_X509_check_host
|
||||
#define X509_check_ip_asc wolfSSL_X509_check_ip_asc
|
||||
#define X509_email_free wolfSSL_X509_email_free
|
||||
#define X509_check_issued wolfSSL_X509_check_issued
|
||||
#define X509_dup wolfSSL_X509_dup
|
||||
|
||||
@ -3763,6 +3763,8 @@ WOLFSSL_API int wolfSSL_SSL_in_connect_init(WOLFSSL*);
|
||||
#endif
|
||||
WOLFSSL_API int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk,
|
||||
size_t chklen, unsigned int flags, char **peername);
|
||||
WOLFSSL_API int wolfSSL_X509_check_ip_asc(WOLFSSL_X509 *x, const char *ipasc,
|
||||
unsigned int flags);
|
||||
|
||||
WOLFSSL_API int wolfSSL_i2a_ASN1_INTEGER(WOLFSSL_BIO *bp,
|
||||
const WOLFSSL_ASN1_INTEGER *a);
|
||||
|
||||
Reference in New Issue
Block a user