diff --git a/src/internal.c b/src/internal.c
index dbcc565a8..e2645ae7e 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -9412,9 +9412,11 @@ int CheckAltNames(DecodedCert* dCert, char* domain)
  * dCert Decoded cert to get the alternative names from.
  * domain Domain name to compare against.
  * checkCN Whether to check the common name.
- * returns whether there was a problem in matching.
+ * returns 1 : match was found.
+ * 0 : no match found.
+ * -1 : No matches and wild pattern match failed.
  */
-static int CheckForAltNames(DecodedCert* dCert, char* domain, int* checkCN)
+static int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN)
 {
 int match;
 DNS_entry* altName = NULL;
@@ -9432,18 +9434,20 @@ static int CheckForAltNames(DecodedCert* dCert, char* domain, int* checkCN)
 if (MatchDomainName(altName->name, altName->len, domain)) {
 match = 1;
 *checkCN = 0;
+ WOLFSSL_MSG("\tmatch found");
 break;
 }
 /* No matches and wild pattern match failed. */
 else if (altName->name && altName->len >=1 && altName->name[0] == '*' && match == 0) {
 match = -1;
+ WOLFSSL_MSG("\twildcard match failed");
 }
 altName = altName->next;
 }
- return match != -1;
+ return match;
 }
 /* Check the domain name matches the subject alternative name or the subject
@@ -9454,14 +9458,14 @@ static int CheckForAltNames(DecodedCert* dCert, char* domain, int* checkCN)
  * domainNameLen The length of the domain name.
  * returns DOMAIN_NAME_MISMATCH when no match found and 0 on success.
  */
-int CheckHostName(DecodedCert* dCert, char *domainName, size_t domainNameLen)
+int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameLen)
 {
 int checkCN;
 /* Assume name is NUL terminated. */
 (void)domainNameLen;
- if (CheckForAltNames(dCert, domainName, &checkCN) == 0) {
+ if (CheckForAltNames(dCert, domainName, &checkCN) != 1) {
 WOLFSSL_MSG("DomainName match on alt names failed too");
 return DOMAIN_NAME_MISMATCH;
 }
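Review bot: The new guard `if (CheckForAltNames(dCert, domainName, &checkCN) != 1)` in CheckHostName returns DOMAIN_NAME_MISMATCH for a result of 0 as well as -1, and since CheckForAltNames only clears `*checkCN` on the path that yields 1, every caller that gets past this guard has checkCN == 0, so the common-name fallback the function's own header comment promises ("matches the subject alternative name or the subject") can no longer run for a certificate that has no alternative names. The previous test `== 0` rejected only the wildcard-failed case (-1) and let a no-SAN certificate fall through to the CN comparison; with this change wolfSSL_X509_check_host fails closed on CN-only certificates, which is stricter but is a silent behaviour change the commit message does not call out. If the intent is to keep the fallback, gate the early return on both values, e.g. `if (CheckForAltNames(dCert, domainName, &checkCN) != 1 && checkCN == 0) {`, which still rejects a certificate whose SANs exist but do not match; this assumes CheckForAltNames sets `*checkCN` to 1 only when the certificate carries no alternative names, which the hunk does not show. The remainder of CheckHostName, including the CN comparison, lies outside the hunk.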
@@ -9476,7 +9480,7 @@ int CheckHostName(DecodedCert* dCert, char *domainName, size_t domainNameLen)
 return 0;
 }
-int CheckIPAddr(DecodedCert* dCert, char* ipasc)
+int CheckIPAddr(DecodedCert* dCert, const char* ipasc)
 {
 WOLFSSL_MSG("Checking IPAddr");
diff --git a/src/ssl.c b/src/ssl.c
index 2d5077255..b232ad3a5 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -43238,6 +43238,7 @@ int wolfSSL_X509_set_ex_data(X509 *x509, int idx, void *data)
 }
 #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
+
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \
 || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
@@ -43449,6 +43450,45 @@ int wolfSSL_X509_check_host(X509 *x, const char *chk, size_t chklen,
 return WOLFSSL_SUCCESS;
 }
+
+int wolfSSL_X509_check_ip_asc(WOLFSSL_X509 *x, const char *ipasc,
+ unsigned int flags)
+{
+ int ret = WOLFSSL_SUCCESS;
+ DecodedCert dCert;
+
+ WOLFSSL_ENTER("wolfSSL_X509_check_ip_asc");
+
+ /* flags not yet implemented */
+ (void)flags;
+
+ if ((x == NULL) || (x->derCert == NULL) || (ipasc == NULL)) {
+ WOLFSSL_MSG("Invalid parameter");
+ ret = WOLFSSL_FAILURE;
+ }
+
+ if (ret == WOLFSSL_SUCCESS) {
+ InitDecodedCert(&dCert, x->derCert->buffer, x->derCert->length, NULL);
+ ret = ParseCertRelative(&dCert, CERT_TYPE, 0, NULL);
+ if (ret != 0) {
+ ret = WOLFSSL_FAILURE;
+ }
+ else {
+ ret = CheckIPAddr(&dCert, ipasc);
+ if (ret != 0) {
+ ret = WOLFSSL_FAILURE;
+ }
+ else {
+ ret = WOLFSSL_SUCCESS;
+ }
+ }
+ FreeDecodedCert(&dCert);
+ }
+
+ return ret;
+}
+
+
 int wolfSSL_i2a_ASN1_INTEGER(BIO *bp, const WOLFSSL_ASN1_INTEGER *a)
 {
 static char num[16] = { '0', '1', '2', '3', '4', '5', '6', '7',
diff --git a/tests/api.c b/tests/api.c
index 8e70e3d74..0258555ec 100644
--- a/tests/api.c
+++ b/tests/api.c
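Review bot: wolfSSL_X509_check_ip_asc folds an invalid argument, a ParseCertRelative failure and a genuine non-match into the same WOLFSSL_FAILURE return, so a caller cannot distinguish "this certificate is not for that address" from "this certificate could not be decoded", whereas the OpenSSL function it aliases reports malformed input and internal errors with a negative value and reserves 0 for a mismatch. Failing closed is the right default for a name-check API, but the contract should be stated next to the definition, e.g. `/* Returns WOLFSSL_SUCCESS on match; WOLFSSL_FAILURE on mismatch, NULL argument or undecodable certificate (no negative error codes, unlike OpenSSL). */`, and if OpenSSL parity matters the parse and argument failures could return WOLFSSL_FATAL_ERROR instead. The success mapping `ret = CheckIPAddr(&dCert, ipasc); if (ret != 0) ... FAILURE` also presumes CheckIPAddr yields 0 only on a match and does its own validation of `ipasc` as an address literal; its body is outside this hunk, so that is worth confirming, since nothing here checks the string before it is handed down. The `(void)flags;` silently accepts any flag value, which is consistent with the comment but means a caller passing a flag it relies on gets no indication it was ignored.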
@@ -29524,6 +29524,25 @@ static void test_wolfSSL_X509_check_ca(void){
 #endif
 }
+static void test_wolfSSL_X509_check_ip_asc(void){
+#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
+ WOLFSSL_X509 *x509;
+
+ printf(testingFmt, "wolfSSL_X509_check_ip_asc()");
+
+ x509 = wolfSSL_X509_load_certificate_file(cliCertFile, WOLFSSL_FILETYPE_PEM);
+#if 0
+ /* TODO: add cert gen for testing positive case */
+ AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.0.0.1", 0), 1);
+#endif
+ AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, "0.0.0.0", 0), 0);
+ AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, NULL, 0), 0);
+ wolfSSL_X509_free(x509);
+
+ printf(resultFmt, passed);
+#endif
+}
+
 static void test_wolfSSL_DC_cert(void)
 {
 #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) && \
@@ -34943,6 +34962,7 @@ void ApiTest(void)
 test_wolfSSL_IMPLEMENT_ASN1_FUNCTIONS();
 test_wolfSSL_i2c_ASN1_INTEGER();
 test_wolfSSL_X509_check_ca();
+ test_wolfSSL_X509_check_ip_asc();
 test_wolfSSL_DC_cert();
 test_wolfSSL_DES_ncbc();
 test_wolfSSL_AES_cbc_encrypt();
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 52016cc54..9cab2b065 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1690,7 +1690,7 @@ WOLFSSL_LOCAL int MatchDomainName(const char* pattern, int len, const char* str
 #ifndef NO_CERTS
 WOLFSSL_LOCAL int CheckAltNames(DecodedCert* dCert, char* domain);
 #ifdef OPENSSL_EXTRA
-WOLFSSL_LOCAL int CheckIPAddr(DecodedCert* dCert, char* ipasc);
+WOLFSSL_LOCAL int CheckIPAddr(DecodedCert* dCert, const char* ipasc);
 #endif
 #endif
 WOLFSSL_LOCAL int CreateTicket(WOLFSSL* ssl);
@@ -4244,7 +4244,7 @@ WOLFSSL_API void SSL_ResourceFree(WOLFSSL*); /* Micrium uses */
 WOLFSSL_CRL* crl, int verify);
 #ifdef OPENSSL_EXTRA
- WOLFSSL_LOCAL int CheckHostName(DecodedCert* dCert, char *domainName,
+ WOLFSSL_LOCAL int CheckHostName(DecodedCert* dCert, const char *domainName,
 size_t domainNameLen);
 #endif
 #endif
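Review bot: test_wolfSSL_X509_check_ip_asc never asserts that `x509` loaded, and the two live assertions both expect 0, which is exactly what wolfSSL_X509_check_ip_asc returns for a NULL `x` — so if cliCertFile is missing or fails to parse the test still passes without exercising the IP-matching path at all. With the positive case disabled under `#if 0`, an implementation that unconditionally returns WOLFSSL_FAILURE also passes, so the test currently cannot detect a broken matcher. Add `AssertNotNull(x509);` right after the load, and keep the TODO for a fixture certificate carrying an iPAddress SAN so the `"127.0.0.1"` assertion can be enabled; the `0` expected for the NULL-argument call is an API choice worth a comment such as `/* NULL address is reported as WOLFSSL_FAILURE, not a negative error */` so a later change to OpenSSL-style negative returns is caught deliberately.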
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index 5f0e3c12c..289cb3d98 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@@ -411,6 +411,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define X509_check_private_key wolfSSL_X509_check_private_key
 #define X509_check_ca wolfSSL_X509_check_ca
 #define X509_check_host wolfSSL_X509_check_host
+#define X509_check_ip_asc wolfSSL_X509_check_ip_asc
 #define X509_email_free wolfSSL_X509_email_free
 #define X509_check_issued wolfSSL_X509_check_issued
 #define X509_dup wolfSSL_X509_dup
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index a25cdb8c3..0f2e20dad 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -3763,6 +3763,8 @@ WOLFSSL_API int wolfSSL_SSL_in_connect_init(WOLFSSL*);
 #endif
 WOLFSSL_API int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen, unsigned int flags, char **peername);
+WOLFSSL_API int wolfSSL_X509_check_ip_asc(WOLFSSL_X509 *x, const char *ipasc,
+ unsigned int flags);
 WOLFSSL_API int wolfSSL_i2a_ASN1_INTEGER(WOLFSSL_BIO *bp, const WOLFSSL_ASN1_INTEGER *a);