From dafcd8782ae1ca93021a15690a476285c3a530a2 Mon Sep 17 00:00:00 2001
From: toddouska
Date: Wed, 17 Apr 2013 09:37:57 -0700
Subject: [PATCH] add altnames check to domain match
---
 src/internal.c | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index 91fbb2aa2..cfc70e5e6 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -2777,6 +2777,32 @@ static int MatchDomainName(const char* pattern, int len, const char* str)
 }
 
 
+/* try to find an altName match to domain, return 1 on success */
+static int CheckAltNames(DecodedCert* dCert, char* domain)
+{
+ int match = 0;
+ DNS_entry* altName = NULL;
+
+ CYASSL_MSG("Checking AltNames");
+
+ if (dCert)
+ altName = dCert->altNames;
+
+ while (altName) {
+ CYASSL_MSG(" individual AltName check");
+
+ if (MatchDomainName(altName->name,(int)XSTRLEN(altName->name), domain)){
+ match = 1;
+ break;
+ }
+
+ altName = altName->next;
+ }
+
+ return match;
+}
+
+
 static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
 {
 word32 listSz, i = *inOutIdx;
@@ -3003,11 +3029,17 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
 else
 domain[0] = '\0';
 
- if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer)
+ if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer) {
 if (MatchDomainName(dCert.subjectCN, dCert.subjectCNLen,
 (char*)ssl->buffers.domainName.buffer) == 0) {
- ret = DOMAIN_NAME_MISMATCH; /* try to get peer key still */
+ CYASSL_MSG("DomainName match on common name failed");
+ if (CheckAltNames(&dCert,
+ (char*)ssl->buffers.domainName.buffer) == 0 ) {
+ CYASSL_MSG("DomainName match on alt names failed too");
+ ret = DOMAIN_NAME_MISMATCH; /* try to get peer key still */
+ }
 }
+ }
 
 /* decode peer key */
 switch (dCert.keyOID) {
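Review bot: CheckAltNames compares each entry over `(int)XSTRLEN(altName->name)`, so a name is matched only up to its first NUL byte; if the decoder keeps the entry's encoded length in DNS_entry, passing that length instead would stop a SAN with an embedded NUL from matching on its prefix alone (the DNS_entry layout is not visible in this hunk, so this is a point to confirm against the decoder). `domain` is only handed to MatchDomainName, which takes `const char*`, so `static int CheckAltNames(DecodedCert* dCert, const char* domain)` would document that the host name is never modified. The header comment could also state the return contract, e.g. `/* walk dCert->altNames until MatchDomainName accepts one; returns 1 on the first match, 0 when none match or dCert is NULL */`.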
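Review bot: A subject CN match still accepts the certificate on its own, because CheckAltNames runs only after `MatchDomainName(dCert.subjectCN, ...)` returns 0, so a certificate whose subjectAltName list does not cover the host is accepted whenever its CN does; RFC 2818 §3.1 and RFC 6125 §6.4.4 treat the CN as a fallback used only when the certificate carries no dNSName SAN. Checking `dCert.altNames` first and consulting the CN only when that list is NULL would close the gap, as sketched below. The new condition `== 0 )` also carries a stray space before the parenthesis that the rest of the hunk does not use. DoCertificate begins and ends outside this hunk.
```c
        if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer) {
            char* host = (char*)ssl->buffers.domainName.buffer;
            int   matched;

            /* RFC 2818 3.1: dNSName altNames, when present, are the identity;
             * the subject CN is consulted only when the certificate has none */
            if (dCert.altNames)
                matched = CheckAltNames(&dCert, host);
            else
                matched = MatchDomainName(dCert.subjectCN, dCert.subjectCNLen, host);

            if (!matched) {
                CYASSL_MSG("DomainName match failed");
                ret = DOMAIN_NAME_MISMATCH; /* try to get peer key still */
            }
        }
```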