From 90bd374c166676b4e79345b79878ece990adbca6 Mon Sep 17 00:00:00 2001 From: Lealem Amedie Date: Fri, 11 Jul 2025 12:48:12 -0600 Subject: [PATCH 1/4] Add logic to match IPv6 domain addresses --- src/internal.c | 39 +++++++++++++++++++++++++++++++++++++++ wolfssl/wolfio.h | 3 +++ 2 files changed, 42 insertions(+) diff --git a/src/internal.c b/src/internal.c index c74bcf36f..d8f1d0ba9 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12947,6 +12947,39 @@ int CipherRequires(byte first, byte second, int requirement) #endif /* !NO_TLS */ #ifndef NO_CERTS +#ifdef WOLFSSL_IP_ALT_NAME +static int MatchIPv6(const char* pattern, int patternLen, + const char* str, word32 strLen) +{ + WOLFSSL_SOCKADDR_IN6 addr1, addr2; + char patBuf[WOLFSSL_MAX_IPSTR] = {0}; + char strBuf[WOLFSSL_MAX_IPSTR] = {0}; + + if ((word32)patternLen >= sizeof(patBuf) || strLen >= sizeof(strBuf)) + return 0; + + XMEMSET(patBuf, 0, WOLFSSL_MAX_IPSTR); + XMEMSET(strBuf, 0, WOLFSSL_MAX_IPSTR); + + /* Make sure strings are null-terminated and safely copied */ + XMEMCPY(patBuf, pattern, patternLen); + patBuf[patternLen] = '\0'; + XMEMCPY(strBuf, str, strLen); + strBuf[strLen] = '\0'; + + XMEMSET(&addr1, 0, sizeof(addr1)); + XMEMSET(&addr2, 0, sizeof(addr2)); + + /* Try parsing both as IPv6 */ + if (XINET_PTON(WOLFSSL_IP6, patBuf, &addr1) != 1) + return 0; + if (XINET_PTON(WOLFSSL_IP6, strBuf, &addr2) != 1) + return 0; + + /* Compare raw address bytes */ + return XMEMCMP(&addr1, &addr2, sizeof(WOLFSSL_SOCKADDR_IN6)) == 0; +} +#endif /* Match names with wildcards, each wildcard can represent a single name component or fragment but not multiple names, i.e., 
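Review bot: `addr1`/`addr2` are declared as `WOLFSSL_SOCKADDR_IN6` (`struct sockaddr_in6` per the wolfio.h hunk), but `inet_pton(AF_INET6, ...)`, which XINET_PTON presumably wraps, writes only a 16-byte `struct in6_addr` into its destination, so the `XMEMCMP(..., sizeof(WOLFSSL_SOCKADDR_IN6))` also compares family/port/flowinfo/scope bytes the parser never fills and is correct only because of the two XMEMSETs directly above it. Declare the destinations as the address itself, `byte addr1[16], addr2[16];` (or the project's IPv6 address-length constant if one is in scope), and compare `return XMEMCMP(addr1, addr2, sizeof(addr1)) == 0;`; the `&addr1`/`&addr2` arguments to XINET_PTON still convert to `void *` unchanged. MatchIPv6 also deserves a header comment saying it returns 1 only when both inputs parse as IPv6 literals denoting the same address (so "::1" and "0:0:0:0:0:0:0:1" match), returns 0 for anything that is not an IPv6 literal so the caller falls back to textual matching, and copies the inputs into bounded NUL-terminated stack buffers because neither argument is guaranteed NUL-terminated.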
@@ -12966,6 +12999,12 @@ int MatchDomainName(const char* pattern, int patternLen, const char* str, if (pattern == NULL || str == NULL || patternLen <= 0 || strLen == 0) return 0; +#ifdef WOLFSSL_IP_ALT_NAME + /* First try to match IPv6 addresses */ + if (MatchIPv6(pattern, patternLen, str, strLen)) + return 1; +#endif + while (patternLen > 0) { /* Get the next pattern char to evaluate */ char p = (char)XTOLOWER((unsigned char)*pattern); diff --git a/wolfssl/wolfio.h b/wolfssl/wolfio.h index 0673b88ad..b5330bed1 100644 --- a/wolfssl/wolfio.h +++ b/wolfssl/wolfio.h @@ -959,6 +959,9 @@ WOLFSSL_API void wolfSSL_SetIOWriteFlags(WOLFSSL* ssl, int flags); #define WOLFSSL_IP6 AF_INET6 #endif +#ifndef WOLFSSL_SOCKADDR_IN6 + #define WOLFSSL_SOCKADDR_IN6 struct sockaddr_in6 +#endif #ifdef __cplusplus } /* extern "C" */ From f9afdfd8e2ef21f443b7935f68c96900cf8d8b25 Mon Sep 17 00:00:00 2001 From: Lealem Amedie Date: Fri, 11 Jul 2025 13:11:08 -0600 Subject: [PATCH 2/4] Don't need to initialize with {0} --- src/internal.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/internal.c b/src/internal.c index d8f1d0ba9..3488b5612 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12952,8 +12952,8 @@ static int MatchIPv6(const char* pattern, int patternLen, const char* str, word32 strLen) { WOLFSSL_SOCKADDR_IN6 addr1, addr2; - char patBuf[WOLFSSL_MAX_IPSTR] = {0}; - char strBuf[WOLFSSL_MAX_IPSTR] = {0}; + char patBuf[WOLFSSL_MAX_IPSTR]; + char strBuf[WOLFSSL_MAX_IPSTR]; if ((word32)patternLen >= sizeof(patBuf) || strLen >= sizeof(strBuf)) return 0; From b306e88d1a61df4bddec583d4c2cb7153a221d52 Mon Sep 17 00:00:00 2001 From: Lealem Amedie Date: Fri, 11 Jul 2025 15:44:26 -0600 Subject: [PATCH 3/4] Guard for WOLFSSL_USER_IO case --- src/internal.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/internal.c b/src/internal.c index 3488b5612..e9ea3f3cf 100644 --- a/src/internal.c +++ b/src/internal.c 
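Review bot: The comment `/* First try to match IPv6 addresses */` says what but not why: the character loop below already matches byte-identical names case-insensitively, so the only thing MatchIPv6 adds is equality across different textual forms of one address, and that is what the comment should say, e.g. `/* IPv6 literals may be written in several forms ("::1" vs "0:0:0:0:0:0:0:1"); compare them as parsed addresses before falling back to the textual match */`. Because this runs for every pattern MatchDomainName is given, a textual IPv6 in a dNSName or CN now authenticates an IPv6 host; RFC 5280 carries IP identities in iPAddress SAN entries, so confirm that matching them here is intended and note it in the comment. Since every IPv6 literal contains ':' and no hostname does, a cheap `memchr`-style scan of `str` for ':' before calling MatchIPv6 would avoid two inet_pton parses on every dNSName comparison for an ordinary hostname. MatchDomainName's body continues past the end of the hunk.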
@@ -12947,7 +12947,7 @@ int CipherRequires(byte first, byte second, int requirement) #endif /* !NO_TLS */ #ifndef NO_CERTS -#ifdef WOLFSSL_IP_ALT_NAME +#if defined(WOLFSSL_IP_ALT_NAME) && !defined(WOLFSSL_USER_IO) static int MatchIPv6(const char* pattern, int patternLen, const char* str, word32 strLen) { @@ -12979,7 +12979,7 @@ static int MatchIPv6(const char* pattern, int patternLen, /* Compare raw address bytes */ return XMEMCMP(&addr1, &addr2, sizeof(WOLFSSL_SOCKADDR_IN6)) == 0; } -#endif +#endif /* WOLFSSL_IP_ALT_NAME && !WOLFSSL_USER_IO */ /* Match names with wildcards, each wildcard can represent a single name component or fragment but not multiple names, i.e., @@ -12999,7 +12999,7 @@ int MatchDomainName(const char* pattern, int patternLen, const char* str, if (pattern == NULL || str == NULL || patternLen <= 0 || strLen == 0) return 0; -#ifdef WOLFSSL_IP_ALT_NAME +#if defined(WOLFSSL_IP_ALT_NAME) && !defined(WOLFSSL_USER_IO) /* First try to match IPv6 addresses */ if (MatchIPv6(pattern, patternLen, str, strLen)) return 1; From 22b01bcda96b367512a31b08254e0908bc2dd962 Mon Sep 17 00:00:00 2001 From: Lealem Amedie Date: Tue, 22 Jul 2025 10:05:36 -0600 Subject: [PATCH 4/4] Remove unnecessary memset --- src/internal.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/internal.c b/src/internal.c index e9ea3f3cf..e5d0071b8 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12958,9 +12958,6 @@ static int MatchIPv6(const char* pattern, int patternLen, if ((word32)patternLen >= sizeof(patBuf) || strLen >= sizeof(strBuf)) return 0; - XMEMSET(patBuf, 0, WOLFSSL_MAX_IPSTR); - XMEMSET(strBuf, 0, WOLFSSL_MAX_IPSTR); - /* Make sure strings are null-terminated and safely copied */ XMEMCPY(patBuf, pattern, patternLen); patBuf[patternLen] = '\0';
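Review bot: With WOLFSSL_USER_IO defined the IPv6 step is compiled out, so in that build a certificate name "0:0:0:0:0:0:0:1" no longer matches host "::1" while a WOLFSSL_IP_ALT_NAME build without user I/O accepts it, and nothing in the hunk documents that difference. Add a comment at the `#endif` or at the call site, e.g. `/* WOLFSSL_USER_IO builds presumably lack XINET_PTON; IPv6 names then match only by exact text */`, adjusted to whatever the user-I/O build actually leaves undefined. The same two-macro condition is now repeated at the definition and at the call; a single `#define WOLFSSL_HAVE_MATCH_IPV6` derived once above MatchIPv6 and tested in both places keeps the two from drifting apart.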