feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fix CheckHostName matching

Browse Source
This commit is contained in:
Eric Blankenhorn
2020-07-17 08:37:02 -05:00
parent d077efcbb3
commit ea5c290d60
3 changed files with 47 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/internal.c
View File

@ -9346,7 +9346,7 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN)
altName = dCert->altNames; altName = dCert->altNames;
if (checkCN != NULL) { if (checkCN != NULL) {
*checkCN = altName == NULL; *checkCN = (altName == NULL) ? 1 : 0;
} }
while (altName) { while (altName) {
@ -9415,23 +9415,29 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN)
int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameLen) int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameLen)
{ {
int checkCN; int checkCN;
int ret = DOMAIN_NAME_MISMATCH;
/* Assume name is NUL terminated. */ /* Assume name is NUL terminated. */
(void)domainNameLen; (void)domainNameLen;
if (CheckForAltNames(dCert, domainName, &checkCN) != 1) { if (CheckForAltNames(dCert, domainName, &checkCN) != 1) {
WOLFSSL_MSG("DomainName match on alt names failed too"); WOLFSSL_MSG("DomainName match on alt names failed");
return DOMAIN_NAME_MISMATCH;
} }
else {
ret = 0;
}
if (checkCN == 1) { if (checkCN == 1) {
if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen, if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen,
domainName) == 0) { domainName) == 1) {
ret = 0;
}
else {
WOLFSSL_MSG("DomainName match on common name failed"); WOLFSSL_MSG("DomainName match on common name failed");
return DOMAIN_NAME_MISMATCH;
} }
} }
return 0; return ret;
} }
int CheckIPAddr(DecodedCert* dCert, const char* ipasc) int CheckIPAddr(DecodedCert* dCert, const char* ipasc)

5
src/ssl.c
View File

@ -43661,6 +43661,11 @@ int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen,
(void)flags; (void)flags;
(void)peername; (void)peername;
if ((x == NULL) || (chk == NULL)) {
WOLFSSL_MSG("Invalid parameter");
return WOLFSSL_FAILURE;
}
if (flags == WOLFSSL_NO_WILDCARDS) { if (flags == WOLFSSL_NO_WILDCARDS) {
WOLFSSL_MSG("X509_CHECK_FLAG_NO_WILDCARDS not yet implemented"); WOLFSSL_MSG("X509_CHECK_FLAG_NO_WILDCARDS not yet implemented");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;

30
tests/api.c
View File

@ -23875,6 +23875,35 @@ static void test_wolfSSL_X509_issuer_name_hash(void)
#endif #endif
} }
static void test_wolfSSL_X509_check_host(void)
{
#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \
&& !defined(NO_SHA) && !defined(NO_RSA)
X509* x509;
const char altName[] = "example.com";
printf(testingFmt, "wolfSSL_X509_check_host()");
AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
SSL_FILETYPE_PEM));
AssertIntEQ(X509_check_host(x509, altName, XSTRLEN(altName), 0, NULL),
WOLFSSL_SUCCESS);
AssertIntEQ(X509_check_host(x509, NULL, 0, 0, NULL),
WOLFSSL_FAILURE);
X509_free(x509);
AssertIntEQ(X509_check_host(NULL, altName, XSTRLEN(altName), 0, NULL),
WOLFSSL_FAILURE);
printf(resultFmt, passed);
#endif
}
static void test_wolfSSL_DES(void) static void test_wolfSSL_DES(void)
{ {
#if defined(OPENSSL_EXTRA) && !defined(NO_DES3) #if defined(OPENSSL_EXTRA) && !defined(NO_DES3)
@ -36407,6 +36436,7 @@ void ApiTest(void)
test_wolfSSL_X509_INFO(); test_wolfSSL_X509_INFO();
test_wolfSSL_X509_subject_name_hash(); test_wolfSSL_X509_subject_name_hash();
test_wolfSSL_X509_issuer_name_hash(); test_wolfSSL_X509_issuer_name_hash();
test_wolfSSL_X509_check_host();
test_wolfSSL_DES(); test_wolfSSL_DES();
test_wolfSSL_certs(); test_wolfSSL_certs();
test_wolfSSL_ASN1_TIME_print(); test_wolfSSL_ASN1_TIME_print();