From af3828b2b71774b0cb6427b55cf85c99775888d6 Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Thu, 30 May 2024 15:33:17 -0700 Subject: [PATCH] Rewrite pattern matching to always use explicit lengths instead of expecting NULL terminated strings, thus replicating the behavior of openssl X509_check_host() --- src/internal.c | 113 +++++++++++++------- src/x509.c | 17 +++ tests/api.c | 257 +++++++++++++++++++++++++++++++++++++++++++++ wolfssl/internal.h | 4 +- 4 files changed, 350 insertions(+), 41 deletions(-) diff --git a/src/internal.c b/src/internal.c index b4f822119b..3c152ae1c6 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12377,55 +12377,77 @@ int CipherRequires(byte first, byte second, int requirement) *.z.com matches y.z.com but not x.y.z.com return 1 on success */ -int MatchDomainName(const char* pattern, int len, const char* str) +int MatchDomainName(const char* pattern, int patternLen, const char* str, + word32 strLen) { int ret = 0; - if (pattern == NULL || str == NULL || len <= 0) + if (pattern == NULL || str == NULL || patternLen <= 0 || strLen == 0) return 0; - while (len > 0) { - - char p = (char)XTOLOWER((unsigned char)*pattern++); + while (patternLen > 0) { + /* Get the next pattern char to evaluate */ + char p = (char)XTOLOWER((unsigned char)*pattern); if (p == '\0') break; + pattern++; + if (p == '*') { char s; + /* We will always match '*' */ + patternLen--; - while (--len > 0) { + /* Consume any extra '*' chars until the next non '*' char. */ + while (patternLen > 0) { p = (char)XTOLOWER((unsigned char)*pattern); pattern++; - if (p == '\0' && len > 0) + if (p == '\0' && patternLen > 0) return 0; if (p != '*') break; + + patternLen--; } - if (len == 0) - p = '\0'; + /* Consume str until we reach next char in pattern after '*' or + * end of string */ + while (strLen > 0) { + s = (char)XTOLOWER((unsigned char) *str); + str++; + strLen--; - while ( (s = (char)XTOLOWER((unsigned char) *str)) != '\0') { - if (s == p) - break; if (s == '.') return 0; - str++; + + /* p is next char in pattern after '*', or '*' if '*' is the + * last char in the pattern (in which case patternLen is 1) */ + if ( ((s == p) && (patternLen > 0))) { + /* We had already counted the '*' as matched, this means + * we also matched the next non '*' char in pattern */ + patternLen--; + break; + } + + /* If strlen is 0, we have consumed the entire string. Count that + * as a match of '*' */ + if (strLen == 0) { + break; + } } } else { + /* Simple case, pattern match exactly */ if (p != (char)XTOLOWER((unsigned char) *str)) return 0; - } - - if (len > 0) { str++; - len--; + strLen--; + patternLen--; } } - if (*str == '\0' && len == 0) { + if (strLen == 0 && patternLen == 0) { ret = 1; /* success */ } @@ -12437,14 +12459,16 @@ int MatchDomainName(const char* pattern, int len, const char* str) * Fail if there are wild patterns and they didn't match. * Check the common name if no alternative names matched. * - * dCert Decoded cert to get the alternative names from. - * domain Domain name to compare against. - * checkCN Whether to check the common name. - * returns 1 : match was found. - * 0 : no match found. - * -1 : No matches and wild pattern match failed. + * dCert Decoded cert to get the alternative names from. + * domain Domain name to compare against. + * domainLen Length of the domain name. + * checkCN Whether to check the common name. + * returns 1 : match was found. + * 0 : no match found. + * -1 : No matches and wild pattern match failed. */ -int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN) +int CheckForAltNames(DecodedCert* dCert, const char* domain, word32 domainLen, + int* checkCN) { int match = 0; DNS_entry* altName = NULL; @@ -12475,7 +12499,7 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN) len = (word32)altName->len; } - if (MatchDomainName(buf, (int)len, domain)) { + if (MatchDomainName(buf, (int)len, domain, domainLen)) { match = 1; if (checkCN != NULL) { *checkCN = 0; @@ -12509,10 +12533,8 @@ int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameL int checkCN; int ret = DOMAIN_NAME_MISMATCH; - /* Assume name is NUL terminated. */ - (void)domainNameLen; - - if (CheckForAltNames(dCert, domainName, &checkCN) != 1) { + if (CheckForAltNames(dCert, domainName, (word32)domainNameLen, + &checkCN) != 1) { WOLFSSL_MSG("DomainName match on alt names failed"); } else { @@ -12522,7 +12544,7 @@ int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameL #ifndef WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY if (checkCN == 1) { if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen, - domainName) == 1) { + domainName, (word32)domainNameLen) == 1) { ret = 0; } else { @@ -13560,7 +13582,8 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int cert_err, ssl->param && ssl->param->hostName[0]) { /* If altNames names is present, then subject common name is ignored */ if (args->dCert->altNames != NULL) { - if (CheckForAltNames(args->dCert, ssl->param->hostName, NULL) != 1) { + if (CheckForAltNames(args->dCert, ssl->param->hostName, + (word32)XSTRLEN(ssl->param->hostName), NULL) != 1) { if (cert_err == 0) { ret = DOMAIN_NAME_MISMATCH; WOLFSSL_ERROR_VERBOSE(ret); @@ -13570,9 +13593,11 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int cert_err, #ifndef WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY else { if (args->dCert->subjectCN) { - if (MatchDomainName(args->dCert->subjectCN, - args->dCert->subjectCNLen, - ssl->param->hostName) == 0) { + if (MatchDomainName( + args->dCert->subjectCN, + args->dCert->subjectCNLen, + ssl->param->hostName, + (word32)XSTRLEN(ssl->param->hostName)) == 0) { if (cert_err == 0) { ret = DOMAIN_NAME_MISMATCH; WOLFSSL_ERROR_VERBOSE(ret); @@ -15385,6 +15410,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (args->dCert->altNames) { if (CheckForAltNames(args->dCert, (char*)ssl->buffers.domainName.buffer, + (ssl->buffers.domainName.buffer == NULL ? 0 : + (word32)XSTRLEN((const char *)ssl->buffers.domainName.buffer)), NULL) != 1) { WOLFSSL_MSG("DomainName match on alt names failed"); /* try to get peer key still */ @@ -15394,9 +15421,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } else { if (MatchDomainName( - args->dCert->subjectCN, - args->dCert->subjectCNLen, - (char*)ssl->buffers.domainName.buffer) == 0) { + args->dCert->subjectCN, + args->dCert->subjectCNLen, + (char*)ssl->buffers.domainName.buffer, + (ssl->buffers.domainName.buffer == NULL ? 0 : + (word32)XSTRLEN((const char *)ssl->buffers.domainName.buffer))) == 0) + { WOLFSSL_MSG("DomainName match on common name failed"); ret = DOMAIN_NAME_MISMATCH; WOLFSSL_ERROR_VERBOSE(ret); @@ -15406,10 +15436,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* Old behavior. */ if (MatchDomainName(args->dCert->subjectCN, args->dCert->subjectCNLen, - (char*)ssl->buffers.domainName.buffer) == 0) { + (char*)ssl->buffers.domainName.buffer, + (ssl->buffers.domainName.buffer == NULL ? 0 : + (word32)XSTRLEN(ssl->buffers.domainName.buffer))) == 0) + { WOLFSSL_MSG("DomainName match on common name failed"); if (CheckForAltNames(args->dCert, (char*)ssl->buffers.domainName.buffer, + (ssl->buffers.domainName.buffer == NULL ? 0 : + (word32)XSTRLEN(ssl->buffers.domainName.buffer)), NULL) != 1) { WOLFSSL_MSG( "DomainName match on alt names failed too"); diff --git a/src/x509.c b/src/x509.c index 19c145ce24..667a66ac73 100644 --- a/src/x509.c +++ b/src/x509.c @@ -13343,6 +13343,7 @@ int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen, unsigned int flags, char **peername) { int ret; + word32 i; #ifdef WOLFSSL_SMALL_STACK DecodedCert *dCert; #else @@ -13384,6 +13385,22 @@ int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen, goto out; } + /* Replicate openssl behavior for checklen */ + if (chklen == 0) { + chklen = (size_t)(XSTRLEN(chk)); + } + else { + for (i = 0; i < (chklen > 1 ? chklen - 1 : chklen); i++) { + if (chk[i] == '\0') { + ret = -1; + goto out; + } + } + } + if (chklen > 1 && (chk[chklen - 1] == '\0')) { + chklen--; + } + ret = CheckHostName(dCert, (char *)chk, chklen); out: diff --git a/tests/api.c b/tests/api.c index 785924a16a..f64c9da90e 100644 --- a/tests/api.c +++ b/tests/api.c @@ -41261,6 +41261,261 @@ static int test_wolfSSL_X509_bad_altname(void) return EXPECT_RESULT(); } +static int test_wolfSSL_X509_name_match(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) + /* A certificate with the subject alternative name a* */ + unsigned char cert_der[] = { + 0x30, 0x82, 0x03, 0xac, 0x30, 0x82, 0x02, 0x94, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x0f, 0xa5, 0x10, 0x85, 0xef, 0x58, 0x10, 0x59, 0xfc, + 0x0f, 0x20, 0x1f, 0x53, 0xf5, 0x30, 0x39, 0x34, 0x49, 0x54, 0x05, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x30, 0x77, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, + 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, + 0x04, 0x0a, 0x0c, 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, + 0x49, 0x6e, 0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, + 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, + 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, + 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, + 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x30, 0x35, 0x33, + 0x30, 0x32, 0x30, 0x31, 0x35, 0x35, 0x38, 0x5a, 0x17, 0x0d, 0x33, 0x34, + 0x30, 0x35, 0x32, 0x38, 0x32, 0x30, 0x31, 0x35, 0x35, 0x38, 0x5a, 0x30, + 0x77, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, + 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, + 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x49, 0x6e, 0x63, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, + 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, + 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, 0x77, + 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, + 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xf4, 0xca, 0x3d, + 0xd4, 0xbc, 0x9b, 0xea, 0x74, 0xfe, 0x73, 0xf4, 0x16, 0x23, 0x0b, 0x4a, + 0x09, 0x54, 0xf6, 0x7b, 0x10, 0x99, 0x11, 0x93, 0xb2, 0xdb, 0x4d, 0x7d, + 0x23, 0xab, 0xf9, 0xcd, 0xf6, 0x54, 0xd4, 0xf6, 0x39, 0x57, 0xee, 0x97, + 0xb2, 0xb9, 0xfc, 0x7e, 0x9c, 0xb3, 0xfb, 0x56, 0xb6, 0x84, 0xd6, 0x2d, + 0x59, 0x1c, 0xed, 0xda, 0x9b, 0x19, 0xf5, 0x8a, 0xa7, 0x8a, 0x89, 0xd6, + 0xa1, 0xc0, 0xe6, 0x16, 0xad, 0x04, 0xcf, 0x5a, 0x1f, 0xdf, 0x62, 0x6c, + 0x68, 0x45, 0xe9, 0x55, 0x2e, 0x42, 0xa3, 0x1b, 0x3b, 0x86, 0x23, 0x22, + 0xa1, 0x20, 0x48, 0xd1, 0x52, 0xc0, 0x8b, 0xab, 0xe2, 0x8a, 0x15, 0x68, + 0xbd, 0x89, 0x6f, 0x9f, 0x45, 0x75, 0xb4, 0x27, 0xc1, 0x72, 0x41, 0xfd, + 0x79, 0x89, 0xb0, 0x74, 0xa2, 0xe9, 0x61, 0x48, 0x4c, 0x54, 0xad, 0x6b, + 0x61, 0xbf, 0x0e, 0x27, 0x58, 0xb4, 0xf6, 0x9c, 0x2c, 0x9f, 0xc2, 0x3e, + 0x3b, 0xb3, 0x90, 0x41, 0xbc, 0x61, 0xcd, 0x01, 0x57, 0x90, 0x82, 0xec, + 0x46, 0xba, 0x4f, 0x89, 0x8e, 0x7f, 0x49, 0x4f, 0x46, 0x69, 0x37, 0x8b, + 0xa0, 0xba, 0x85, 0xe8, 0x42, 0xff, 0x9a, 0xa1, 0x53, 0x81, 0x5c, 0xf3, + 0x8e, 0x85, 0x1c, 0xd4, 0x90, 0x60, 0xa0, 0x37, 0x59, 0x04, 0x65, 0xa6, + 0xb5, 0x12, 0x00, 0xc3, 0x04, 0x51, 0xa7, 0x83, 0x96, 0x62, 0x3d, 0x49, + 0x97, 0xe8, 0x6b, 0x9a, 0x5d, 0x51, 0x24, 0xee, 0xad, 0x45, 0x18, 0x0f, + 0x3f, 0x97, 0xec, 0xdf, 0xcf, 0x42, 0x8a, 0x96, 0xc7, 0xd8, 0x82, 0x87, + 0x7f, 0x57, 0x70, 0x22, 0xfb, 0x29, 0x3e, 0x3c, 0xa3, 0xc1, 0xd5, 0x71, + 0xb3, 0x84, 0x06, 0x53, 0xa3, 0x86, 0x20, 0x35, 0xe3, 0x41, 0xb9, 0xd8, + 0x00, 0x22, 0x4f, 0x6d, 0xe6, 0xfd, 0xf0, 0xf4, 0xa2, 0x39, 0x0a, 0x1a, + 0x23, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x30, 0x30, 0x2e, 0x30, 0x0d, + 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x06, 0x30, 0x04, 0x82, 0x02, 0x61, + 0x2a, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, + 0x45, 0x05, 0xf3, 0x4d, 0x3e, 0x7e, 0x9c, 0xf5, 0x08, 0xee, 0x2c, 0x13, + 0x32, 0xe3, 0xf2, 0x14, 0xe8, 0x0e, 0x71, 0x21, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, + 0x82, 0x01, 0x01, 0x00, 0xa8, 0x28, 0xe5, 0x22, 0x65, 0xcf, 0x47, 0xfe, + 0x82, 0x17, 0x99, 0x20, 0xdb, 0xb1, 0x57, 0xd4, 0x91, 0x1a, 0x83, 0xde, + 0xc1, 0xaf, 0xc4, 0x1f, 0xfb, 0xa4, 0x6a, 0xad, 0xdc, 0x58, 0x72, 0xd9, + 0x9b, 0xab, 0xa5, 0xbb, 0xf4, 0x98, 0xd4, 0xdf, 0x36, 0xcb, 0xb5, 0x78, + 0xce, 0x4b, 0x25, 0x5b, 0x24, 0x92, 0xfe, 0xe8, 0xd4, 0xe4, 0xbd, 0x6f, + 0x71, 0x1a, 0x81, 0x2a, 0x6f, 0x35, 0x93, 0xf7, 0xcc, 0xed, 0xe5, 0x06, + 0xd2, 0x96, 0x41, 0xb5, 0xa9, 0x8a, 0xc0, 0xc9, 0x17, 0xe3, 0x13, 0x5e, + 0x94, 0x5e, 0xfa, 0xfc, 0xf0, 0x00, 0x2e, 0xe1, 0xd8, 0x1b, 0x23, 0x3f, + 0x7c, 0x4d, 0x9f, 0xfb, 0xb7, 0x95, 0xc1, 0x94, 0x7f, 0x7f, 0xb5, 0x4f, + 0x93, 0x6d, 0xc3, 0x2b, 0xb2, 0x28, 0x36, 0xd2, 0x7c, 0x01, 0x3c, 0xae, + 0x35, 0xdb, 0xc8, 0x95, 0x1b, 0x5f, 0x6c, 0x0f, 0x57, 0xb3, 0xcc, 0x97, + 0x98, 0x80, 0x06, 0xaa, 0xe4, 0x93, 0x1f, 0xb7, 0xa0, 0x54, 0xf1, 0x4f, + 0x6f, 0x11, 0xdf, 0xab, 0xd3, 0xbf, 0xf0, 0x3a, 0x81, 0x60, 0xaf, 0x7a, + 0xf7, 0x09, 0xd5, 0xae, 0x0c, 0x7d, 0xae, 0x8d, 0x47, 0x06, 0xbe, 0x11, + 0x6e, 0xf8, 0x7e, 0x49, 0xf8, 0xac, 0x24, 0x0a, 0x4b, 0xc2, 0xf6, 0xe8, + 0x2c, 0xec, 0x35, 0xef, 0xa9, 0x13, 0xb8, 0xd2, 0x9c, 0x92, 0x61, 0x91, + 0xec, 0x7b, 0x0c, 0xea, 0x9a, 0x71, 0x36, 0x15, 0x34, 0x2b, 0x7a, 0x25, + 0xac, 0xfe, 0xc7, 0x26, 0x89, 0x70, 0x3e, 0x64, 0x68, 0x97, 0x4b, 0xaa, + 0xc1, 0x24, 0x14, 0xbd, 0x45, 0x2f, 0xe0, 0xfe, 0xf4, 0x2b, 0x8e, 0x08, + 0x3e, 0xe4, 0xb5, 0x3d, 0x5d, 0xf4, 0xc3, 0xd6, 0x9c, 0xb5, 0x33, 0x1b, + 0x3b, 0xda, 0x6e, 0x99, 0x7b, 0x09, 0xd1, 0x30, 0x97, 0x23, 0x52, 0x6d, + 0x1b, 0x71, 0x3a, 0xf4, 0x54, 0xf0, 0xe5, 0x9e + }; + + WOLFSSL_X509* x509 = NULL; + int certSize = (int)(sizeof(cert_der) / sizeof(unsigned char)); + const char *name1 = "aaaaa"; + int nameLen1 = (int)(XSTRLEN(name1)); + const char *name2 = "a"; + int nameLen2 = (int)(XSTRLEN(name2)); + const char *name3 = "abbbb"; + int nameLen3 = (int)(XSTRLEN(name3)); + const char *name4 = "bbb"; + int nameLen4 = (int)(XSTRLEN(name4)); + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_buffer( + cert_der, certSize, WOLFSSL_FILETYPE_ASN1)); + + /* Ensure that "a*" matches "aaaaa" */ + ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, nameLen1, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + /* Ensure that "a*" matches "a" */ + ExpectIntEQ(wolfSSL_X509_check_host(x509, name2, nameLen2, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + /* Ensure that "a*" matches "abbbb" */ + ExpectIntEQ(wolfSSL_X509_check_host(x509, name3, nameLen3, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + /* Ensure that "a*" does not match "bbb" */ + ExpectIntNE(wolfSSL_X509_check_host(x509, name4, nameLen4, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), 1); + + X509_free(x509); + +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_name_match2(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) + /* A certificate with the subject alternative name a*b* */ + unsigned char cert_der[] = { + 0x30, 0x82, 0x03, 0xae, 0x30, 0x82, 0x02, 0x96, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x41, 0x8c, 0x8b, 0xaa, 0x0e, 0xd8, 0x5a, 0xc0, 0x52, + 0x46, 0x0e, 0xe5, 0xd8, 0xb9, 0x48, 0x93, 0x7e, 0x8a, 0x7c, 0x65, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x30, 0x77, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, + 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, + 0x04, 0x0a, 0x0c, 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, + 0x49, 0x6e, 0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, + 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, + 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, + 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, + 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x30, 0x35, 0x33, + 0x30, 0x32, 0x30, 0x34, 0x33, 0x34, 0x30, 0x5a, 0x17, 0x0d, 0x33, 0x34, + 0x30, 0x35, 0x32, 0x38, 0x32, 0x30, 0x34, 0x33, 0x34, 0x30, 0x5a, 0x30, + 0x77, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, + 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, + 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x49, 0x6e, 0x63, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, + 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, + 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, 0x77, + 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, + 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x60, 0x80, + 0xf3, 0xee, 0x19, 0xd2, 0xe4, 0x15, 0x94, 0x54, 0x12, 0x88, 0xee, 0xda, + 0x11, 0x11, 0x87, 0x99, 0x88, 0xb3, 0x71, 0xc7, 0x97, 0x78, 0x1b, 0x57, + 0x37, 0x1d, 0x0b, 0x1f, 0x2f, 0x2c, 0x35, 0x13, 0x75, 0xd3, 0x31, 0x3e, + 0x6f, 0x80, 0x21, 0xa5, 0xa3, 0xad, 0x10, 0x81, 0xb6, 0x37, 0xd4, 0x55, + 0x2e, 0xc1, 0xb8, 0x37, 0xa3, 0x3c, 0xe8, 0x81, 0x03, 0x3c, 0xda, 0x5f, + 0x6f, 0x45, 0x32, 0x2b, 0x0e, 0x99, 0x27, 0xfd, 0xe5, 0x6c, 0x07, 0xd9, + 0x4e, 0x0a, 0x8b, 0x23, 0x74, 0x96, 0x25, 0x97, 0xae, 0x6d, 0x19, 0xba, + 0xbf, 0x0f, 0xc8, 0xa1, 0xe5, 0xea, 0xa8, 0x00, 0x09, 0xc3, 0x9a, 0xef, + 0x09, 0x33, 0xc1, 0x33, 0x2e, 0x7b, 0x6d, 0xa7, 0x66, 0x87, 0xb6, 0x3a, + 0xb9, 0xdb, 0x4c, 0x5e, 0xb5, 0x55, 0x69, 0x37, 0x17, 0x92, 0x1f, 0xe3, + 0x53, 0x1a, 0x2d, 0x25, 0xd0, 0xcf, 0x72, 0x37, 0xc2, 0x89, 0x83, 0x78, + 0xcf, 0xac, 0x2e, 0x46, 0x92, 0x5c, 0x4a, 0xba, 0x7d, 0xa0, 0x22, 0x34, + 0xb1, 0x22, 0x26, 0x99, 0xda, 0xe8, 0x97, 0xe2, 0x0c, 0xd3, 0xbc, 0x97, + 0x7e, 0xa8, 0xb9, 0xe3, 0xe2, 0x7f, 0x56, 0xef, 0x22, 0xee, 0x15, 0x95, + 0xa6, 0xd1, 0xf4, 0xa7, 0xac, 0x4a, 0xab, 0xc1, 0x1a, 0xda, 0xc5, 0x5f, + 0xa5, 0x5e, 0x2f, 0x15, 0x9c, 0x36, 0xbe, 0xd3, 0x47, 0xb6, 0x86, 0xb9, + 0xc6, 0x59, 0x39, 0x36, 0xad, 0x84, 0x53, 0x95, 0x72, 0x91, 0x89, 0x51, + 0x32, 0x77, 0xf1, 0xa5, 0x93, 0xfe, 0xf0, 0x41, 0x7c, 0x64, 0xf1, 0xb0, + 0x8b, 0x81, 0x8d, 0x3a, 0x2c, 0x9e, 0xbe, 0x2e, 0x8b, 0xf7, 0x80, 0x63, + 0x35, 0x32, 0xfa, 0x26, 0xe0, 0x63, 0xbf, 0x5e, 0xaf, 0xf0, 0x08, 0xe0, + 0x80, 0x65, 0x38, 0xfa, 0x21, 0xaa, 0x91, 0x34, 0x48, 0x3d, 0x32, 0x5c, + 0xbf, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x32, 0x30, 0x30, 0x30, 0x0f, + 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x08, 0x30, 0x06, 0x82, 0x04, 0x61, + 0x2a, 0x62, 0x2a, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, + 0x04, 0x14, 0x3d, 0x55, 0x74, 0xf8, 0x3a, 0x26, 0x03, 0x8c, 0x6a, 0x2e, + 0x91, 0x0e, 0x18, 0x70, 0xb4, 0xa4, 0xcc, 0x04, 0x00, 0xd3, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x8f, 0x3b, 0xff, 0x46, 0x0c, 0xb5, + 0x21, 0xdc, 0xcf, 0x61, 0x9a, 0x25, 0x93, 0x99, 0x68, 0x2f, 0x16, 0x71, + 0x15, 0x00, 0x5f, 0xb0, 0x9b, 0x43, 0x5c, 0x47, 0xe2, 0x8e, 0xc8, 0xea, + 0xb3, 0x30, 0x4d, 0x87, 0x90, 0xcf, 0x24, 0x37, 0x5c, 0xfd, 0xc8, 0xc6, + 0x09, 0x36, 0xb2, 0xfb, 0xfd, 0xc1, 0x82, 0x92, 0x77, 0x5b, 0x9d, 0xeb, + 0xac, 0x47, 0xbc, 0xda, 0x7c, 0x89, 0x19, 0x03, 0x9e, 0xcd, 0x96, 0x2a, + 0x90, 0x55, 0x23, 0x19, 0xac, 0x9d, 0x49, 0xfb, 0xa0, 0x31, 0x7d, 0x6b, + 0x1a, 0x16, 0x13, 0xb1, 0xa9, 0xc9, 0xc4, 0xaf, 0xf1, 0xb4, 0xa7, 0x9b, + 0x08, 0x64, 0x6a, 0x09, 0xcd, 0x4a, 0x03, 0x4c, 0x93, 0xb6, 0xcf, 0x29, + 0xdb, 0x56, 0x88, 0x8e, 0xed, 0x08, 0x6d, 0x8d, 0x76, 0xa3, 0xd7, 0xc6, + 0x69, 0xa1, 0xf5, 0xd2, 0xd0, 0x0a, 0x4b, 0xfa, 0x88, 0x66, 0x6c, 0xe5, + 0x4a, 0xee, 0x13, 0xad, 0xad, 0x22, 0x25, 0x73, 0x39, 0x56, 0x74, 0x0e, + 0xda, 0xcd, 0x35, 0x67, 0xe3, 0x81, 0x5c, 0xc5, 0xae, 0x3c, 0x4f, 0x47, + 0x3e, 0x97, 0xde, 0xac, 0xf6, 0xe1, 0x26, 0xe2, 0xe0, 0x66, 0x48, 0x20, + 0x7c, 0x02, 0x81, 0x3e, 0x7d, 0x34, 0xb7, 0x73, 0x3e, 0x2e, 0xd6, 0x20, + 0x1c, 0xdf, 0xf1, 0xae, 0x86, 0x8b, 0xb2, 0xc2, 0x9b, 0x68, 0x9c, 0xf6, + 0x1a, 0x5e, 0x30, 0x06, 0x39, 0x0a, 0x1f, 0x7b, 0xd7, 0x18, 0x4b, 0x06, + 0x9d, 0xff, 0x84, 0x57, 0xcc, 0x92, 0xad, 0x81, 0x0a, 0x19, 0x11, 0xc4, + 0xac, 0x59, 0x00, 0xe8, 0x5a, 0x70, 0x78, 0xd6, 0x9f, 0xe0, 0x82, 0x2a, + 0x1f, 0x09, 0x36, 0x1c, 0x52, 0x98, 0xf7, 0x95, 0x8f, 0xf9, 0x48, 0x4f, + 0x30, 0x52, 0xb5, 0xf3, 0x8d, 0x13, 0x93, 0x27, 0xbe, 0xb4, 0x75, 0x39, + 0x65, 0xc6, 0x48, 0x4e, 0x32, 0xd7, 0xf4, 0xc3, 0x26, 0x8d + }; + + WOLFSSL_X509* x509 = NULL; + int certSize = (int)(sizeof(cert_der) / sizeof(unsigned char)); + const char *name1 = "ab"; + int nameLen1 = (int)(XSTRLEN(name1)); + const char *name2 = "acccbccc"; + int nameLen2 = (int)(XSTRLEN(name2)); + const char *name3 = "accb"; + int nameLen3 = (int)(XSTRLEN(name3)); + const char *name4 = "accda"; + int nameLen4 = (int)(XSTRLEN(name4)); + const char *name5 = "acc\0bcc"; + int nameLen5 = 7; + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_buffer( + cert_der, certSize, WOLFSSL_FILETYPE_ASN1)); + + /* Ensure that "a*b*" matches "ab" */ + ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, nameLen1, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + /* Ensure that "a*b*" matches "acccbccc" */ + ExpectIntEQ(wolfSSL_X509_check_host(x509, name2, nameLen2, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + /* Ensure that "a*b*" matches "accb" */ + ExpectIntEQ(wolfSSL_X509_check_host(x509, name3, nameLen3, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + /* Ensure that "a*b*" does not match "accda" */ + ExpectIntNE(wolfSSL_X509_check_host(x509, name4, nameLen4, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + + /* Ensure that "a*b*" matches "ab", testing openssl behavior replication + * on check len input handling, 0 for len is OK as it should then use + * strlen(name1) */ + ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, 0, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + /* Openssl also allows for len to include NULL terminator */ + ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, nameLen1 + 1, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + /* Ensure that check string with NULL terminator in middle is + * rejected */ + ExpectIntNE(wolfSSL_X509_check_host(x509, name5, nameLen5, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + + X509_free(x509); + +#endif + return EXPECT_RESULT(); +} + static int test_wolfSSL_X509(void) { EXPECT_DECLS; @@ -72838,6 +73093,8 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_X509_check_ca), TEST_DECL(test_wolfSSL_X509_check_ip_asc), TEST_DECL(test_wolfSSL_X509_bad_altname), + TEST_DECL(test_wolfSSL_X509_name_match), + TEST_DECL(test_wolfSSL_X509_name_match2), TEST_DECL(test_wolfSSL_make_cert), #ifndef NO_BIO diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 15c1c7489d..f5db5fd067 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2207,9 +2207,9 @@ WOLFSSL_LOCAL void FreeAsyncCtx(WOLFSSL* ssl, byte freeAsync); WOLFSSL_LOCAL void FreeKeyExchange(WOLFSSL* ssl); WOLFSSL_LOCAL void FreeSuites(WOLFSSL* ssl); WOLFSSL_LOCAL int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz); -WOLFSSL_LOCAL int MatchDomainName(const char* pattern, int len, const char* str); +WOLFSSL_LOCAL int MatchDomainName(const char* pattern, int len, const char* str, word32 strLen); #ifndef NO_CERTS -WOLFSSL_LOCAL int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN); +WOLFSSL_LOCAL int CheckForAltNames(DecodedCert* dCert, const char* domain, word32 domainLen, int* checkCN); WOLFSSL_LOCAL int CheckIPAddr(DecodedCert* dCert, const char* ipasc); WOLFSSL_LOCAL void CopyDecodedName(WOLFSSL_X509_NAME* name, DecodedCert* dCert, int nameType); #endif