Client-side namecheck wildcards.
[openssl.git] / crypto / x509v3 / v3nametest.c
index 5bf1201c6eb03c4bc17c8aa626e9ed6452376af2..ad820fdfd9b379bf0f132bcec410e9f863ed92d5 100644 (file)
@@ -1,16 +1,17 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "../e_os.h"
 #include <string.h>
 
 static const char *const names[] =
        {
        "a", "b", ".", "*", "@",
        ".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..",
-       "@@", "**",
-       "*.com", "*com", "*.*.com", "*com", "com*", "*example.com",
-       "*@example.com", "test@*.example.com",
-       "example.com", "www.example.com", "test.www.example.com",
-       "*.example.com", "*.www.example.com", "test.*.example.com", "www.*.com",
+       "@@", "**", "*.com", "*com", "*.*.com", "*com", "com*", "*example.com",
+       "*@example.com", "test@*.example.com", "example.com", "www.example.com",
+       "test.www.example.com", "*.example.com", "*.www.example.com",
+       "test.*.example.com", "www.*.com",
+       ".www.example.com", "*www.example.com",
        "example.net", "xn--rger-koa.example.com",
        "a.example.com", "b.example.com",
        "postmaster@example.com", "Postmaster@example.com",
@@ -20,26 +21,30 @@ static const char *const names[] =
 
 static const char *const exceptions[] =
        {
-       "set CN: host: [*.example.com] does not match [*.example.com]",
        "set CN: host: [*.example.com] matches [a.example.com]",
        "set CN: host: [*.example.com] matches [b.example.com]",
        "set CN: host: [*.example.com] matches [www.example.com]",
-       "set CN: host: [test.*.example.com] does not match [test.*.example.com]",
-       "set CN: host: [test.*.example.com] matches [test.www.example.com]",
-       "set CN: host: [*.www.example.com] does not match [*.www.example.com]",
+       "set CN: host: [*.example.com] matches [xn--rger-koa.example.com]",
        "set CN: host: [*.www.example.com] matches [test.www.example.com]",
+       "set CN: host: [*.www.example.com] matches [.www.example.com]",
+       "set CN: host: [*www.example.com] matches [www.example.com]",
+       "set CN: host: [test.www.example.com] matches [.www.example.com]",
+       "set CN: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",
+       "set CN: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",
        "set emailAddress: email: [postmaster@example.com] does not match [Postmaster@example.com]",
        "set emailAddress: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",
        "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@example.com]",
        "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
        "set dnsName: host: [*.example.com] matches [www.example.com]",
-       "set dnsName: host: [*.example.com] does not match [*.example.com]",
        "set dnsName: host: [*.example.com] matches [a.example.com]",
        "set dnsName: host: [*.example.com] matches [b.example.com]",
+       "set dnsName: host: [*.example.com] matches [xn--rger-koa.example.com]",
        "set dnsName: host: [*.www.example.com] matches [test.www.example.com]",
-       "set dnsName: host: [*.www.example.com] does not match [*.www.example.com]",
-       "set dnsName: host: [test.*.example.com] matches [test.www.example.com]",
-       "set dnsName: host: [test.*.example.com] does not match [test.*.example.com]",
+       "set dnsName: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",
+       "set dnsName: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",
+       "set dnsName: host: [*.www.example.com] matches [.www.example.com]",
+       "set dnsName: host: [*www.example.com] matches [www.example.com]",
+       "set dnsName: host: [test.www.example.com] matches [.www.example.com]",
        "set rfc822Name: email: [postmaster@example.com] does not match [Postmaster@example.com]",
        "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@example.com]",
        "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
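Review bot: The `exceptions[]` table has no comment stating what an entry means, and the added entries make the implicit rule harder to infer: from the data it appears that a reference name with a leading dot (`.www.example.com`) is expected to be matched by any sub-domain, including by `*.www.example.com` even under `host-no-wildcards`, and that `*www.example.com` is expected to match `www.example.com`. Suggest a comment above `static const char *const exceptions[] =` along the lines of `/* Messages that deviate from the naive rule "a name matches only itself": wildcard labels match other names, and a reference name with a leading '.' is presumably matched by any sub-domain (also when wildcards are disabled). Any other deviation is reported as a failure. */`, with the sub-domain sentence confirmed against the matcher before committing it. The initializer closes outside this hunk.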
@@ -249,7 +254,7 @@ static void check_message(const struct set_name_fn *fn, const char *op,
        char msg[1024];
        if (match < 0)
                return;
-       snprintf(msg, sizeof(msg), "%s: %s: [%s] %s [%s]",
+       BIO_snprintf(msg, sizeof(msg), "%s: %s: [%s] %s [%s]",
                 fn->name, op, nameincert,
                 match ? "matches" : "does not match", name);
        if (is_exception(msg))
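Review bot: The return value of the new `BIO_snprintf()` call is discarded; unlike C99 `snprintf`, `BIO_snprintf()` reports a result that did not fit in the buffer with -1, and a truncated `msg` would then reach `is_exception()` with text that can never match and be reported as an unexpected match result instead of as a harness problem. The 1024-byte buffer is ample for the names in this file, so a one-line guard documents the assumption, e.g. `if (BIO_snprintf(msg, sizeof(msg), "%s: %s: [%s] %s [%s]", fn->name, op, nameincert, match ? "matches" : "does not match", name) < 0) { fprintf(stderr, "message too long\n"); ++errors; return; }`, assuming `errors` is the file-scope counter the other hunk increments. `check_message()` begins and ends outside this hunk.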
@@ -273,28 +278,38 @@ static void run_cert(X509 *crt, const char *nameincert,
                ret = X509_check_host(crt, (const unsigned char *)name,
                                      namelen, 0);
                match = -1;
-               if (fn->host)
+               if (ret < 0)
                        {
-                       if (ret && !samename)
+                       fprintf(stderr, "internal error in X509_check_host");
+                       ++errors;
+                       }
+               else if (fn->host)
+                       {
+                       if (ret == 1 && !samename)
                                match = 1;
-                       if (!ret && samename)
+                       if (ret == 0 && samename)
                                match = 0;
                        }
-               else if (ret)
+               else if (ret == 1)
                        match = 1;
                check_message(fn, "host", nameincert, match, *pname);
 
                ret = X509_check_host(crt, (const unsigned char *)name,
                                      namelen, X509_CHECK_FLAG_NO_WILDCARDS);
                match = -1;
-               if (fn->host)
+               if (ret < 0)
                        {
-                       if (ret && !samename)
+                       fprintf(stderr, "internal error in X509_check_host");
+                       ++errors;
+                       }
+               else if (fn->host)
+                       {
+                       if (ret == 1 && !samename)
                                match = 1;
-                       if (!ret && samename)
+                       if (ret == 0 && samename)
                                match = 0;
                        }
-               else if (ret)
+               else if (ret == 1)
                        match = 1;
                check_message(fn, "host-no-wildcards",
                              nameincert, match, *pname);
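Review bot: The new `fprintf(stderr, "internal error in X509_check_host")` has no trailing newline and names neither the certificate name nor the reference name, so successive reports run together on stderr and cannot be attributed to a test case; the same applies to the second copy after the `X509_CHECK_FLAG_NO_WILDCARDS` call. The two result-classification blocks are otherwise identical (only the flags argument and the op label differ), which is how the message got duplicated; a small file-scope helper that turns `ret` into the `match` value and reports the internal error once, with both names and a newline, removes the duplication, and each call site shrinks to `match = classify_host(ret, fn->host, samename, nameincert, *pname);`. `run_cert()` begins and ends outside this hunk, and the helper would need to sit above it.
```c
/* Map an X509_check_host() result to the check_message() convention:
 * 1 = expected match, 0 = expected mismatch, -1 = not a test case.
 * A negative ret is an internal error: report it and count it. */
static int classify_host(int ret, int host, int samename,
			 const char *nameincert, const char *name)
	{
	if (ret < 0)
		{
		fprintf(stderr, "internal error in X509_check_host: [%s] vs [%s]\n",
			nameincert, name);
		++errors;
		return -1;
		}
	if (host)
		{
		if (ret == 1 && !samename)
			return 1;
		if (ret == 0 && samename)
			return 0;
		return -1;
		}
	return ret == 1 ? 1 : -1;
	}

		/* … unchanged: X509_check_host(crt, ..., 0) call … */
		match = classify_host(ret, fn->host, samename, nameincert, *pname);
		check_message(fn, "host", nameincert, match, *pname);

		/* … unchanged: X509_check_host(crt, ..., X509_CHECK_FLAG_NO_WILDCARDS) call … */
		match = classify_host(ret, fn->host, samename, nameincert, *pname);
		check_message(fn, "host-no-wildcards",
			      nameincert, match, *pname);
```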