x509_verify() now case insensitive for cn (RFC 6125 6.4)
This commit is contained in:
parent
9f5a3c4a0a
commit
a5943858d8
3 changed files with 30 additions and 6 deletions
|
@ -40,6 +40,7 @@ Changes
|
||||||
(Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
|
(Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
|
||||||
* SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
|
* SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
|
||||||
* All RSA operations require a random generator for blinding purposes
|
* All RSA operations require a random generator for blinding purposes
|
||||||
|
* x509_verify() now case insensitive for cn (RFC 6125 6.4)
|
||||||
|
|
||||||
Bugfix
|
Bugfix
|
||||||
* Fixed parse error in ssl_parse_certificate_request()
|
* Fixed parse error in ssl_parse_certificate_request()
|
||||||
|
|
|
@ -3457,6 +3457,29 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca,
|
||||||
return flags;
|
return flags;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Equal == 0, inequal == 1
|
||||||
|
static int x509_name_cmp( const void *s1, const void *s2, size_t len )
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
unsigned char diff;
|
||||||
|
const unsigned char *n1 = s1, *n2 = s2;
|
||||||
|
|
||||||
|
for( i = 0; i < len; i++ )
|
||||||
|
{
|
||||||
|
diff = n1[i] ^ n2[i];
|
||||||
|
|
||||||
|
if( ( n1[i] >= 'a' || n1[i] <= 'z' ) && ( diff == 0 || diff == 32 ) )
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if( ( n1[i] >= 'A' || n1[i] <= 'Z' ) && ( diff == 0 || diff == 32 ) )
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return( 1 );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
static int x509_wildcard_verify( const char *cn, x509_buf *name )
|
static int x509_wildcard_verify( const char *cn, x509_buf *name )
|
||||||
{
|
{
|
||||||
size_t i;
|
size_t i;
|
||||||
|
@ -3478,7 +3501,7 @@ static int x509_wildcard_verify( const char *cn, x509_buf *name )
|
||||||
return( 0 );
|
return( 0 );
|
||||||
|
|
||||||
if( strlen( cn ) - cn_idx == name->len - 1 &&
|
if( strlen( cn ) - cn_idx == name->len - 1 &&
|
||||||
memcmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
|
x509_name_cmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
|
||||||
{
|
{
|
||||||
return( 1 );
|
return( 1 );
|
||||||
}
|
}
|
||||||
|
@ -3657,7 +3680,7 @@ static int x509parse_verify_child(
|
||||||
ret = x509parse_verify_child( parent, grandparent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
|
ret = x509parse_verify_child( parent, grandparent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
ret = x509parse_verify_top( parent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
|
ret = x509parse_verify_top( parent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
|
||||||
|
@ -3706,7 +3729,7 @@ int x509parse_verify( x509_cert *crt,
|
||||||
while( cur != NULL )
|
while( cur != NULL )
|
||||||
{
|
{
|
||||||
if( cur->buf.len == cn_len &&
|
if( cur->buf.len == cn_len &&
|
||||||
memcmp( cn, cur->buf.p, cn_len ) == 0 )
|
x509_name_cmp( cn, cur->buf.p, cn_len ) == 0 )
|
||||||
break;
|
break;
|
||||||
|
|
||||||
if( cur->buf.len > 2 &&
|
if( cur->buf.len > 2 &&
|
||||||
|
@ -3727,7 +3750,7 @@ int x509parse_verify( x509_cert *crt,
|
||||||
if( OID_CMP( OID_AT_CN, &name->oid ) )
|
if( OID_CMP( OID_AT_CN, &name->oid ) )
|
||||||
{
|
{
|
||||||
if( name->val.len == cn_len &&
|
if( name->val.len == cn_len &&
|
||||||
memcmp( name->val.p, cn, cn_len ) == 0 )
|
x509_name_cmp( name->val.p, cn, cn_len ) == 0 )
|
||||||
break;
|
break;
|
||||||
|
|
||||||
if( name->val.len > 2 &&
|
if( name->val.len > 2 &&
|
||||||
|
|
|
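Review bot: The letter-range guards in the new x509_name_cmp() in the first hunk are always true — `n1[i] >= 'a' || n1[i] <= 'z'` holds for every byte value, and so does the `'A'`/`'Z'` variant — so the loop accepts any pair of bytes whose XOR is 32, not just ASCII letters differing in case: a certificate for `host1.example.com` matches the name `hostQ.example.com`, and pairs such as `.`/0x0E or `-`/`\r` are equated too, which is a name-matching bypass rather than the RFC 6125 6.4.1 case folding the ChangeLog announces. Changing `||` to `&&` alone is not enough, because an equal non-letter byte (`.`, `-`, a digit) would then satisfy neither branch and every real name would fail; `diff == 0` must be accepted before the letter test, as in the rewrite below. The later hunks pass the certificate bytes and the caller-supplied cn in either order, which is fine once the letter check constrains only the side that is tested (a diff of exactly 32 forces the other side into the opposite case). A regression test with a digit/letter pair that differs only in bit 5 would pin this.
```c
// Equal == 0, inequal == 1
static int x509_name_cmp( const void *s1, const void *s2, size_t len )
{
    /* … unchanged: declarations of i, diff, n1, n2 … */
    for( i = 0; i < len; i++ )
    {
        diff = n1[i] ^ n2[i];

        if( diff == 0 )
            continue;

        /* Only ASCII letters fold case (RFC 6125 6.4.1). A bare
         * diff == 32 test would also equate '0'/'P', '.'/0x0E, '-'/'\r'. */
        if( diff == 32 &&
            ( ( n1[i] >= 'a' && n1[i] <= 'z' ) ||
              ( n1[i] >= 'A' && n1[i] <= 'Z' ) ) )
            continue;

        return( 1 );
    }
    /* … unchanged: return( 0 ) … */
```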
@ -418,9 +418,9 @@ X509 Certificate verification #19 (Not trusted Cert, allowing callback)
|
||||||
depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
|
depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
|
||||||
x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"verify_all"
|
x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"verify_all"
|
||||||
|
|
||||||
X509 Certificate verification #21 (domain matching wildcard certificate)
|
X509 Certificate verification #21 (domain matching wildcard certificate, case insensitive)
|
||||||
depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
|
depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
|
||||||
x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.com":0:0:"NULL"
|
x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.ExAmPlE.com":0:0:"NULL"
|
||||||
|
|
||||||
X509 Certificate verification #22 (domain not matching wildcard certificate)
|
X509 Certificate verification #22 (domain not matching wildcard certificate)
|
||||||
depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
|
depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
|
||||||
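Review bot: The edit rewrites test #21 instead of adding to it, so the original lower-case wildcard match (`mail.example.com` against cert_example_wildcard.crt expecting flags 0) is no longer pinned anywhere in the visible data and the mixed-case name is the only positive wildcard case left. Keep #21 as it was and add the case-insensitive variant as its own case, e.g. `X509 Certificate verification #21b (domain matching wildcard certificate, case insensitive)` followed by the same `x509_verify:` line with `"mail.ExAmPlE.com"`. Because the new comparator folds by XOR with 32, a negative case whose name differs from the certificate only in a non-letter bit-5 pair (a digit in place of one of `P`–`Y`, for instance) and expects the same non-zero flags as #22 would catch a comparator that treats such bytes as equal; the expected flags for #22 are cut off in this view, so that value has to be taken from the file.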
|
|