diff options
author | Michael Brown | 2014-04-01 12:36:11 +0200 |
---|---|---|
committer | Michael Brown | 2014-04-01 12:36:11 +0200 |
commit | 93acb5d8d0635b8f7726bd993cde4a90a6b1d723 (patch) | |
tree | 90773ae6c34c7b7b049c3a62759a8aeef6af0906 /src/crypto | |
parent | [crypto] Add support for subjectAltName and wildcard certificates (diff) | |
download | ipxe-93acb5d8d0635b8f7726bd993cde4a90a6b1d723.tar.gz ipxe-93acb5d8d0635b8f7726bd993cde4a90a6b1d723.tar.xz ipxe-93acb5d8d0635b8f7726bd993cde4a90a6b1d723.zip |
[crypto] Allow wildcard matches on commonName as well as subjectAltName
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/crypto')
-rw-r--r-- | src/crypto/x509.c | 18 |
1 files changed, 8 insertions, 10 deletions
diff --git a/src/crypto/x509.c b/src/crypto/x509.c index 8e503f3b..0502efa2 100644 --- a/src/crypto/x509.c +++ b/src/crypto/x509.c @@ -1410,13 +1410,9 @@ static int x509_check_dnsname ( struct x509_certificate *cert, ( memcmp ( name, dnsname, len ) == 0 ) ) ) return -ENOENT; - if ( name == fullname ) { - DBGC2 ( cert, "X509 %p \"%s\" subjectAltName matches \"%s\"\n", - cert, x509_name ( cert ), name ); - } else { - DBGC2 ( cert, "X509 %p \"%s\" subjectAltName matches \"%s\" " - "(via \"*.%s\")\n", cert, x509_name ( cert ), - fullname, name ); + if ( name != fullname ) { + DBGC2 ( cert, "X509 %p \"%s\" found wildcard match for " + "\"*.%s\"\n", cert, x509_name ( cert ), name ); } return 0; } @@ -1465,8 +1461,7 @@ int x509_check_name ( struct x509_certificate *cert, const char *name ) { int rc; /* Check commonName */ - if ( ( strlen ( name ) == common_name->len ) && - ( memcmp ( name, common_name->data, common_name->len ) == 0 ) ) { + if ( x509_check_dnsname ( cert, common_name, name ) == 0 ) { DBGC2 ( cert, "X509 %p \"%s\" commonName matches \"%s\"\n", cert, x509_name ( cert ), name ); return 0; @@ -1477,8 +1472,11 @@ int x509_check_name ( struct x509_certificate *cert, const char *name ) { sizeof ( alt_name ) ); for ( ; alt_name.len ; asn1_skip_any ( &alt_name ) ) { if ( ( rc = x509_check_alt_name ( cert, &alt_name, - name ) ) == 0 ) + name ) ) == 0 ) { + DBGC2 ( cert, "X509 %p \"%s\" subjectAltName matches " + "\"%s\"\n", cert, x509_name ( cert ), name ); return 0; + } } DBGC ( cert, "X509 %p \"%s\" does not match name \"%s\"\n", |