From 3f1c50755582b17225ad91b66baa5dc4032f9834 Mon Sep 17 00:00:00 2001
From: Vincent Richard <vincent@vincent-richard.net>
Date: Fri, 26 Apr 2013 20:58:04 +0200
Subject: [PATCH] Issue #36: added support for wildcard in Common Name when
 verifying host name (thanks to Anthony Dervish).

---
 AUTHORS                                       |  1 +
 .../cert/openssl/X509Certificate_OpenSSL.cpp  | 20 ++++++++++++++++++-
 .../cert/openssl/X509Certificate_OpenSSL.hpp  | 10 ++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/AUTHORS b/AUTHORS
index 42b43b4b..1ddeb3d4 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -29,6 +29,7 @@ AUTHORS file.
  - Bartek Szurgot <vempirelord@wp.pl, http://baszerr.org>
  - Achim Brandt <http://sourceforge.net/users/a-brandt/>
  - Mehmet Bozkurt <mehmet.bozkurt78@gmail.com> (OpenSSL support, ICU support)
+ - Anthony Dervish <antmd@mac.com>
 
 Please apologize if I have forgotten someone here.  ;)  Send me an email
 to <vincent@vmime.org> if you want your name to be listed.
diff --git a/src/security/cert/openssl/X509Certificate_OpenSSL.cpp b/src/security/cert/openssl/X509Certificate_OpenSSL.cpp
index af38d503..056631ec 100644
--- a/src/security/cert/openssl/X509Certificate_OpenSSL.cpp
+++ b/src/security/cert/openssl/X509Certificate_OpenSSL.cpp
@@ -344,6 +344,24 @@ bool X509Certificate_OpenSSL::verify(ref <const X509Certificate> caCert_) const
 }
 
 
+// static
+bool X509Certificate_OpenSSL::cnMatch(const char* cnBuf, const char* host)
+{
+	// Right-to-left match, looking for a '*' wildcard
+	const bool hasWildcard = (strlen(cnBuf) > 1 && cnBuf[0] == '*' && cnBuf[1] == '.');
+	const char* cnBufReverseEndPtr = (cnBuf + (hasWildcard ? 2 : 0));
+	const char* hostPtr = host + strlen(host);
+	const char* cnPtr = cnBuf + strlen(cnBuf);
+
+	bool matches = true;
+
+	while (matches && --hostPtr >= host && --cnPtr >= cnBufReverseEndPtr)
+		matches = (toupper(*hostPtr) == toupper(*cnPtr));
+
+	return matches;
+}
+
+
 bool X509Certificate_OpenSSL::verifyHostName(const string& hostname) const
 {
 	// First, check subject common name against hostname
@@ -354,7 +372,7 @@ bool X509Certificate_OpenSSL::verifyHostName(const string& hostname) const
 
 	if (X509_NAME_get_text_by_NID(xname, NID_commonName, CNBuffer, sizeof(CNBuffer)) != -1)
 	{
-		if (strcasecmp(CNBuffer, hostname.c_str()) == 0)
+		if (cnMatch(CNBuffer, hostname.c_str()))
 			return true;
 	}
 
diff --git a/vmime/security/cert/openssl/X509Certificate_OpenSSL.hpp b/vmime/security/cert/openssl/X509Certificate_OpenSSL.hpp
index de8ad949..60ecda08 100644
--- a/vmime/security/cert/openssl/X509Certificate_OpenSSL.hpp
+++ b/vmime/security/cert/openssl/X509Certificate_OpenSSL.hpp
@@ -85,6 +85,16 @@ public:
 
 private:
 
+	/** Internal utility function to test whether a hostname matches
+	  * the specified X509 Common Name (wildcard is supported).
+	  *
+	  * @param cnBuf pointer to buffer holding Common Name
+	  * @param host pointer to buffer holding host name
+	  * @return true if the hostname matches the Common Name, or
+	  * false otherwise
+	  */
+	static bool cnMatch(const char* cnBuf, const char* host);
+
 	/** Internal utility function to convert ASN1_TIME
 	 *  structs to vmime::datetime
 	 *