Merge branch 'PHP-5.6'
authorDaniel Lowrey <rdlowrey@php.net>
Thu, 5 Mar 2015 05:42:25 +0000 (22:42 -0700)
committerDaniel Lowrey <rdlowrey@php.net>
Thu, 5 Mar 2015 05:42:25 +0000 (22:42 -0700)
* PHP-5.6:
  Fixed bug #68879 (IP Address fields in subjectAltNames not used)
  Fix broken test

Conflicts:
ext/openssl/xp_ssl.c

ext/openssl/xp_ssl.c

index cb52c0420c957e0804b5cb7f23fc5877690987c5,400b73fa8e083968b7d32ecf7ffaccc467e23ebf..20ebda2336f5779538a63a8c2dbaabc9c7fd9f98
@@@ -409,25 -381,36 +409,36 @@@ static zend_bool matches_san_list(X509 
  
        for (i = 0; i < alt_name_count; i++) {
                GENERAL_NAME *san = sk_GENERAL_NAME_value(alt_names, i);
-               if (san->type != GEN_DNS) {
-                       /* we only care about DNS names */
-                       continue;
-               }
-               san_name_len = ASN1_STRING_length(san->d.dNSName);
-               ASN1_STRING_to_UTF8(&cert_name, san->d.dNSName);
  
-               /* prevent null byte poisoning */
-               if (san_name_len != strlen((const char*)cert_name)) {
-                       php_error_docref(NULL, E_WARNING, "Peer SAN entry is malformed");
-               } else {
-                       is_match = matches_wildcard_name(subject_name, (const char *)cert_name);
-               }
-               OPENSSL_free(cert_name);
+               if (san->type == GEN_DNS) {
+                       ASN1_STRING_to_UTF8(&cert_name, san->d.dNSName);
+                       if (ASN1_STRING_length(san->d.dNSName) != strlen((const char*)cert_name)) {
+                               OPENSSL_free(cert_name);
+                               /* prevent null-byte poisoning*/
+                               continue;
+                       }
  
-               if (is_match) {
-                       break;
+                       if (matches_wildcard_name(subject_name, (const char *)cert_name)) {
+                               OPENSSL_free(cert_name);
+                               return 1;
+                       }
+                       OPENSSL_free(cert_name);
+               } else if (san->type == GEN_IPADD) {
+                       if (san->d.iPAddress->length == 4) {
+                               sprintf(ipbuffer, "%d.%d.%d.%d",
+                                       san->d.iPAddress->data[0],
+                                       san->d.iPAddress->data[1],
+                                       san->d.iPAddress->data[2],
+                                       san->d.iPAddress->data[3]
+                               );
+                               if (strcasecmp(subject_name, (const char*)ipbuffer) == 0) {
+                                       return 1;
+                               }
+                       }
+                       /* No, we aren't bothering to check IPv6 addresses. Why?
 -                       * Because IP SAN names are officially deprecated and are
 -                       * not allowed by CAs starting in 2015. Deal with it.
 -                       */
++ *                     * Because IP SAN names are officially deprecated and are
++ *                                             * not allowed by CAs starting in 2015. Deal with it.
++ *                                                                     */
                }
        }