Skip to content

Commit

Permalink
Rewrite pattern matching to always use explicit lengths instead of ex…
Browse files Browse the repository at this point in the history 
…pecting NULL terminated strings, thus replicating the behavior of openssl X509_check_host()
  • Loading branch information
@ColtonWilley
ColtonWilley committed May 30, 2024
1 parent 61fea76 commit af3828b
Show file tree
Hide file tree
Showing 4 changed files with 350 additions and 41 deletions.
113 changes: 74 additions & 39 deletions src/internal.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12377,55 +12377,77 @@ int CipherRequires(byte first, byte second, int requirement)
*.z.com matches y.z.com but not x.y.z.com

return 1 on success */
int MatchDomainName(const char* pattern, int len, const char* str)
int MatchDomainName(const char* pattern, int patternLen, const char* str,
word32 strLen)
{
int ret = 0;

if (pattern == NULL || str == NULL || len <= 0)
if (pattern == NULL || str == NULL || patternLen <= 0 || strLen == 0)
return 0;

while (len > 0) {

char p = (char)XTOLOWER((unsigned char)*pattern++);
while (patternLen > 0) {
/* Get the next pattern char to evaluate */
char p = (char)XTOLOWER((unsigned char)*pattern);
if (p == '\0')
break;

pattern++;

if (p == '*') {
char s;
/* We will always match '*' */
patternLen--;

while (--len > 0) {
/* Consume any extra '*' chars until the next non '*' char. */
while (patternLen > 0) {
p = (char)XTOLOWER((unsigned char)*pattern);
pattern++;
if (p == '\0' && len > 0)
if (p == '\0' && patternLen > 0)
return 0;
if (p != '*')
break;

patternLen--;
}

if (len == 0)
p = '\0';
/* Consume str until we reach next char in pattern after '*' or
* end of string */
while (strLen > 0) {
s = (char)XTOLOWER((unsigned char) *str);
str++;
strLen--;

while ( (s = (char)XTOLOWER((unsigned char) *str)) != '\0') {
if (s == p)
break;
if (s == '.')
return 0;
str++;

/* p is next char in pattern after '*', or '*' if '*' is the
* last char in the pattern (in which case patternLen is 1) */
if ( ((s == p) && (patternLen > 0))) {
/* We had already counted the '*' as matched, this means
* we also matched the next non '*' char in pattern */
patternLen--;
break;
}

/* If strlen is 0, we have consumed the entire string. Count that
* as a match of '*' */
if (strLen == 0) {
break;
}
}
}
else {
/* Simple case, pattern match exactly */
if (p != (char)XTOLOWER((unsigned char) *str))
return 0;
}


if (len > 0) {
str++;
len--;
strLen--;
patternLen--;
}
}

if (*str == '\0' && len == 0) {
if (strLen == 0 && patternLen == 0) {
ret = 1; /* success */
}

Expand All @@ -12437,14 +12459,16 @@ int MatchDomainName(const char* pattern, int len, const char* str)
* Fail if there are wild patterns and they didn't match.
* Check the common name if no alternative names matched.
*
* dCert Decoded cert to get the alternative names from.
* domain Domain name to compare against.
* checkCN Whether to check the common name.
* returns 1 : match was found.
* 0 : no match found.
* -1 : No matches and wild pattern match failed.
* dCert Decoded cert to get the alternative names from.
* domain Domain name to compare against.
* domainLen Length of the domain name.
* checkCN Whether to check the common name.
* returns 1 : match was found.
* 0 : no match found.
* -1 : No matches and wild pattern match failed.
*/
int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN)
int CheckForAltNames(DecodedCert* dCert, const char* domain, word32 domainLen,
int* checkCN)
{
int match = 0;
DNS_entry* altName = NULL;
Expand Down Expand Up @@ -12475,7 +12499,7 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN)
len = (word32)altName->len;
}

if (MatchDomainName(buf, (int)len, domain)) {
if (MatchDomainName(buf, (int)len, domain, domainLen)) {
match = 1;
if (checkCN != NULL) {
*checkCN = 0;
Expand Down Expand Up @@ -12509,10 +12533,8 @@ int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameL
int checkCN;
int ret = DOMAIN_NAME_MISMATCH;

/* Assume name is NUL terminated. */
(void)domainNameLen;

if (CheckForAltNames(dCert, domainName, &checkCN) != 1) {
if (CheckForAltNames(dCert, domainName, (word32)domainNameLen,
&checkCN) != 1) {
WOLFSSL_MSG("DomainName match on alt names failed");
}
else {
Expand All @@ -12522,7 +12544,7 @@ int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameL
#ifndef WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
if (checkCN == 1) {
if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen,
domainName) == 1) {
domainName, (word32)domainNameLen) == 1) {
ret = 0;
}
else {
Expand Down Expand Up @@ -13560,7 +13582,8 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int cert_err,
ssl->param && ssl->param->hostName[0]) {
/* If altNames names is present, then subject common name is ignored */
if (args->dCert->altNames != NULL) {
if (CheckForAltNames(args->dCert, ssl->param->hostName, NULL) != 1) {
if (CheckForAltNames(args->dCert, ssl->param->hostName,
(word32)XSTRLEN(ssl->param->hostName), NULL) != 1) {
if (cert_err == 0) {
ret = DOMAIN_NAME_MISMATCH;
WOLFSSL_ERROR_VERBOSE(ret);
Expand All @@ -13570,9 +13593,11 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int cert_err,
#ifndef WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
else {
if (args->dCert->subjectCN) {
if (MatchDomainName(args->dCert->subjectCN,
args->dCert->subjectCNLen,
ssl->param->hostName) == 0) {
if (MatchDomainName(
args->dCert->subjectCN,
args->dCert->subjectCNLen,
ssl->param->hostName,
(word32)XSTRLEN(ssl->param->hostName)) == 0) {
if (cert_err == 0) {
ret = DOMAIN_NAME_MISMATCH;
WOLFSSL_ERROR_VERBOSE(ret);
Expand Down Expand Up @@ -15385,6 +15410,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (args->dCert->altNames) {
if (CheckForAltNames(args->dCert,
(char*)ssl->buffers.domainName.buffer,
(ssl->buffers.domainName.buffer == NULL ? 0 :
(word32)XSTRLEN((const char *)ssl->buffers.domainName.buffer)),
NULL) != 1) {
WOLFSSL_MSG("DomainName match on alt names failed");
/* try to get peer key still */
Expand All @@ -15394,9 +15421,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
}
else {
if (MatchDomainName(
args->dCert->subjectCN,
args->dCert->subjectCNLen,
(char*)ssl->buffers.domainName.buffer) == 0) {
args->dCert->subjectCN,
args->dCert->subjectCNLen,
(char*)ssl->buffers.domainName.buffer,
(ssl->buffers.domainName.buffer == NULL ? 0 :
(word32)XSTRLEN((const char *)ssl->buffers.domainName.buffer))) == 0)
{
WOLFSSL_MSG("DomainName match on common name failed");
ret = DOMAIN_NAME_MISMATCH;
WOLFSSL_ERROR_VERBOSE(ret);
Expand All @@ -15406,10 +15436,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* Old behavior. */
if (MatchDomainName(args->dCert->subjectCN,
args->dCert->subjectCNLen,
(char*)ssl->buffers.domainName.buffer) == 0) {
(char*)ssl->buffers.domainName.buffer,
(ssl->buffers.domainName.buffer == NULL ? 0 :
(word32)XSTRLEN(ssl->buffers.domainName.buffer))) == 0)
{
WOLFSSL_MSG("DomainName match on common name failed");
if (CheckForAltNames(args->dCert,
(char*)ssl->buffers.domainName.buffer,
(ssl->buffers.domainName.buffer == NULL ? 0 :
(word32)XSTRLEN(ssl->buffers.domainName.buffer)),
NULL) != 1) {
WOLFSSL_MSG(
"DomainName match on alt names failed too");
Expand Down
17 changes: 17 additions & 0 deletions src/x509.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13343,6 +13343,7 @@ int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen,
unsigned int flags, char **peername)
{
int ret;
word32 i;
#ifdef WOLFSSL_SMALL_STACK
DecodedCert *dCert;
#else
Expand Down Expand Up @@ -13384,6 +13385,22 @@ int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen,
goto out;
}

/* Replicate openssl behavior for checklen */
if (chklen == 0) {
chklen = (size_t)(XSTRLEN(chk));
}
else {
for (i = 0; i < (chklen > 1 ? chklen - 1 : chklen); i++) {
if (chk[i] == '\0') {
ret = -1;
goto out;
}
}
}
if (chklen > 1 && (chk[chklen - 1] == '\0')) {
chklen--;
}

ret = CheckHostName(dCert, (char *)chk, chklen);

out:
Expand Down
Loading

0 comments on commit af3828b

Please sign in to comment.