CheckForAltNames fixes

- Missing conversion from char to unsigned char caused any IP
  address with a byte > 127 to be wrong
- IPv6 address was converted to wrong format XX:YY:...
   (which also caused a buffer overrun)
- Anything that is not an IPv4 or IPv6 address should be ignored

src/internal.c

@@ -10168,23 +10168,22 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN)
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
         /* check if alt name is stored as IP addr octet */
         if (altName->type == ASN_IP_TYPE) {
-            char tmp[4];
+            const unsigned char *ip = (const unsigned char*)altName->name;
-            int i;
+            if (altName->len == WOLFSSL_IP4_ADDR_LEN) {
-            word32 idx = 0;
+                XSNPRINTF(name, sizeof(name), "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]);
-            for (i = 0; (idx < WOLFSSL_MAX_IPSTR) && (i < altName->len); i++) {
+            }
-                XMEMSET(tmp, 0, sizeof(tmp));
+            else if (altName->len == WOLFSSL_IP6_ADDR_LEN) {
-                XSNPRINTF(tmp, sizeof(tmp), (altName->len <= 4) ? "%u" : "%02X",
+                int i;
-                        altName->name[i]);
+                for (i = 0; i < 8; i++) {
-                idx += (word32)XSTRLEN(tmp);
+                    XSNPRINTF(name + i * 5, sizeof(name) - i * 5, "%02X%02X%s",
-                XSTRNCAT(name, tmp, (altName->len <= 4) ? 3 : 2);
+                              ip[2 * i], ip[2 * i + 1], (i < 7) ? ":" : "");
-                if ((idx < WOLFSSL_MAX_IPSTR ) && ((i + 1) < altName->len)) {
-                    name[idx++] = (altName->len <= 4) ? '.' : ':';
                 }
             }
-            if (idx >= WOLFSSL_MAX_IPSTR) {
+            else {
-                idx = WOLFSSL_MAX_IPSTR -1;
+                WOLFSSL_MSG("\tnot an IPv4 or IPv6 address");
+                altName = altName->next;
+                continue;
             }
-            name[idx] = '\0';
             buf = name;
             len = (word32)XSTRLEN(name);
         }

wolfssl/ssl.h

@@ -570,6 +570,8 @@ struct WOLFSSL_X509_STORE {
 #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \
     defined(WOLFSSL_WPAS_SMALL) || defined(WOLFSSL_IP_ALT_NAME)
     #define WOLFSSL_MAX_IPSTR 46 /* max ip size IPv4 mapped IPv6 */
+    #define WOLFSSL_IP4_ADDR_LEN 4
+    #define WOLFSSL_IP6_ADDR_LEN 16
 #endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */
 
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)