perform domain name check on the peer certificate

2019-08-13 09:55:28 -07:00 · 2019-08-13 09:55:28 -07:00 · b9ddbb974a
commit b9ddbb974a
parent 4bff2b6bef
3 changed files with 28 additions and 6 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -9054,7 +9054,16 @@ static int DoVerifyCallback(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args)
        use_cb = 1;
    }
 #endif
+#if defined(OPENSSL_EXTRA)
+    /* perform domain name check on the peer certificate */
+    if (args->dCertInit && args->dCert && args->dCert->subjectCN \
+        && ssl->param && ssl->param->hostName[0]) {

+        if(XSTRSTR(args->dCert->subjectCN, ssl->param->hostName) == NULL) {
+            return VERIFY_CERT_ERROR;
+        }
+    }
+#endif
    /* if verify callback has been set */
    if (use_cb && ssl->verifyCallback) {
    #ifdef WOLFSSL_SMALL_STACK
--- a/src/ssl.c
+++ b/src/ssl.c
@ -16672,6 +16672,9 @@ WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(WOLFSSL_X509* cert)
 *
 * RETURNS:
 * The beginning of the hash digest. Otherwise, returns zero.
+* Note:
+* Returns a different hash value from OpenSSL's X509_subject_name_hash() API
+* depending on the subject name.
 */
 unsigned long wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509)
 {
@ -19738,21 +19741,31 @@ void wolfSSL_X509_STORE_CTX_set_time(WOLFSSL_X509_STORE_CTX* ctx,
 * RETURNS:
 *
 */
-void wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam,
+int wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam,
                                         const char* name,
                                         unsigned int nameSz)
 {
    if (pParam == NULL)
-        return;
+        return WOLFSSL_FAILURE;

    XMEMSET(pParam->hostName, 0, WOLFSSL_HOST_NAME_MAX);
+    /* If name is NUL-terminated, namelen can be set to zero. */
+    if(name && (nameSz == 0))
+        nameSz = XSTRLEN(name);

-    if (nameSz > WOLFSSL_HOST_NAME_MAX)
-        nameSz = WOLFSSL_HOST_NAME_MAX;
+    if (nameSz > 0 && name[nameSz - 1] == '\0')
+        nameSz--;
+
+    if (nameSz > WOLFSSL_HOST_NAME_MAX-1)
+        nameSz = WOLFSSL_HOST_NAME_MAX-1;

    if (nameSz > 0)
        XMEMCPY(pParam->hostName, name, nameSz);
-        pParam->hostName[WOLFSSL_HOST_NAME_MAX-1] = '\0';
+
+        pParam->hostName[nameSz] = '\0';
+
+    return WOLFSSL_SUCCESS;
+
 }
 /******************************************************************************
 * wolfSSL_get0_param - return a pointer to the SSL verification parameters
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@ -1018,7 +1018,7 @@ WOLFSSL_API int       wolfSSL_sk_X509_REVOKED_num(WOLFSSL_X509_REVOKED*);
 WOLFSSL_API void      wolfSSL_X509_STORE_CTX_set_time(WOLFSSL_X509_STORE_CTX*,
                                                      unsigned long flags,
                                                      time_t t);
-WOLFSSL_API void wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam,
+WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam,
                                                    const char* name,
                                                    unsigned int nameSz);