1 From ea5c290d605b2af7b10d6e5ce69aa3534f52385f Mon Sep 17 00:00:00 2001
2 From: Eric Blankenhorn <eric@wolfssl.com>
3 Date: Fri, 17 Jul 2020 08:37:02 -0500
4 Subject: [PATCH] Fix CheckHostName matching
7 src/internal.c | 18 ++++++++++++------
9 tests/api.c | 30 ++++++++++++++++++++++++++++++
10 3 files changed, 47 insertions(+), 6 deletions(-)
12 diff --git a/src/internal.c b/src/internal.c
13 index dc57df0242..cda815d875 100644
16 @@ -9346,7 +9346,7 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN)
17 altName = dCert->altNames;
19 if (checkCN != NULL) {
20 - *checkCN = altName == NULL;
21 + *checkCN = (altName == NULL) ? 1 : 0;
25 @@ -9415,23 +9415,29 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN)
26 int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameLen)
29 + int ret = DOMAIN_NAME_MISMATCH;
31 /* Assume name is NUL terminated. */
34 if (CheckForAltNames(dCert, domainName, &checkCN) != 1) {
35 - WOLFSSL_MSG("DomainName match on alt names failed too");
36 - return DOMAIN_NAME_MISMATCH;
37 + WOLFSSL_MSG("DomainName match on alt names failed");
44 if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen,
50 WOLFSSL_MSG("DomainName match on common name failed");
51 - return DOMAIN_NAME_MISMATCH;
59 int CheckIPAddr(DecodedCert* dCert, const char* ipasc)
60 diff --git a/src/ssl.c b/src/ssl.c
61 index 11bc08a3cb..59ad9bae60 100644
64 @@ -43661,6 +43661,11 @@ int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen,
68 + if ((x == NULL) || (chk == NULL)) {
69 + WOLFSSL_MSG("Invalid parameter");
70 + return WOLFSSL_FAILURE;
73 if (flags == WOLFSSL_NO_WILDCARDS) {
74 WOLFSSL_MSG("X509_CHECK_FLAG_NO_WILDCARDS not yet implemented");
75 return WOLFSSL_FAILURE;
76 diff --git a/tests/api.c b/tests/api.c
77 index 774a332968..db888952d4 100644
80 @@ -23875,6 +23875,35 @@ static void test_wolfSSL_X509_issuer_name_hash(void)
84 +static void test_wolfSSL_X509_check_host(void)
86 +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \
87 + && !defined(NO_SHA) && !defined(NO_RSA)
90 + const char altName[] = "example.com";
92 + printf(testingFmt, "wolfSSL_X509_check_host()");
94 + AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
97 + AssertIntEQ(X509_check_host(x509, altName, XSTRLEN(altName), 0, NULL),
100 + AssertIntEQ(X509_check_host(x509, NULL, 0, 0, NULL),
105 + AssertIntEQ(X509_check_host(NULL, altName, XSTRLEN(altName), 0, NULL),
108 + printf(resultFmt, passed);
113 static void test_wolfSSL_DES(void)
115 #if defined(OPENSSL_EXTRA) && !defined(NO_DES3)
116 @@ -36407,6 +36436,7 @@ void ApiTest(void)
117 test_wolfSSL_X509_INFO();
118 test_wolfSSL_X509_subject_name_hash();
119 test_wolfSSL_X509_issuer_name_hash();
120 + test_wolfSSL_X509_check_host();
122 test_wolfSSL_certs();
123 test_wolfSSL_ASN1_TIME_print();