From 3f1c50755582b17225ad91b66baa5dc4032f9834 Mon Sep 17 00:00:00 2001 From: Vincent Richard Date: Fri, 26 Apr 2013 20:58:04 +0200 Subject: Issue #36: added support for wildcard in Common Name when verifying host name (thanks to Anthony Dervish). --- .../cert/openssl/X509Certificate_OpenSSL.cpp | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) (limited to 'src/security/cert/openssl/X509Certificate_OpenSSL.cpp') diff --git a/src/security/cert/openssl/X509Certificate_OpenSSL.cpp b/src/security/cert/openssl/X509Certificate_OpenSSL.cpp index af38d503..056631ec 100644 --- a/src/security/cert/openssl/X509Certificate_OpenSSL.cpp +++ b/src/security/cert/openssl/X509Certificate_OpenSSL.cpp @@ -344,6 +344,24 @@ bool X509Certificate_OpenSSL::verify(ref caCert_) const } +// static +bool X509Certificate_OpenSSL::cnMatch(const char* cnBuf, const char* host) +{ + // Right-to-left match, looking for a '*' wildcard + const bool hasWildcard = (strlen(cnBuf) > 1 && cnBuf[0] == '*' && cnBuf[1] == '.'); + const char* cnBufReverseEndPtr = (cnBuf + (hasWildcard ? 2 : 0)); + const char* hostPtr = host + strlen(host); + const char* cnPtr = cnBuf + strlen(cnBuf); + + bool matches = true; + + while (matches && --hostPtr >= host && --cnPtr >= cnBufReverseEndPtr) + matches = (toupper(*hostPtr) == toupper(*cnPtr)); + + return matches; +} + + bool X509Certificate_OpenSSL::verifyHostName(const string& hostname) const { // First, check subject common name against hostname @@ -354,7 +372,7 @@ bool X509Certificate_OpenSSL::verifyHostName(const string& hostname) const if (X509_NAME_get_text_by_NID(xname, NID_commonName, CNBuffer, sizeof(CNBuffer)) != -1) { - if (strcasecmp(CNBuffer, hostname.c_str()) == 0) + if (cnMatch(CNBuffer, hostname.c_str())) return true; } -- cgit v1.2.3