authorMichael Brown <mcb30@ipxe.org>2021-05-18 11:46:28 +0100
committerMichael Brown <mcb30@ipxe.org>2021-05-18 11:46:28 +0100
commitfc8bd4ba1a65db9d9091705f30fec19ded75530c (patch)
tree0294c88753a96dcddf47f0ce34405430b4a1e7d7
parent661093054bcfae16d79404304d6f8318baf1231e (diff)
[x509] Use case-insensitive comparison for certificate names
DNS names are case-insensitive, and RFC 5280 (unlike RFC 3280) mandates support for case-insensitive name comparison in X.509 certificates. Signed-off-by: Michael Brown <mcb30@ipxe.org>
-rw-r--r--src/crypto/x509.c3
-rw-r--r--src/tests/x509_test.c1
2 files changed, 3 insertions, 1 deletions
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 17d8c7a..1f017eb 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -25,6 +25,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#include <stdlib.h>
#include <string.h>
+#include <strings.h>
#include <errno.h>
#include <assert.h>
#include <ipxe/list.h>
@@ -1464,7 +1465,7 @@ static int x509_check_dnsname ( struct x509_certificate *cert,
/* Compare names */
if ( ! ( ( strlen ( name ) == len ) &&
- ( memcmp ( name, dnsname, len ) == 0 ) ) )
+ ( strncasecmp ( name, dnsname, len ) == 0 ) ) )
return -ENOENT;
if ( name != fullname ) {
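Review bot: The `strncasecmp` comparison is only safe because `strlen ( name ) == len` is evaluated first, and the `/* Compare names */` comment does not record that dependency. dnsname looks like length-delimited certificate data rather than a NUL-terminated string (inferred; its origin is outside the hunk). The length test guarantees name has no NUL in its first len bytes, so an embedded NUL in dnsname compares unequal instead of ending the comparison early as a match. I would expand the comment to `/* Compare names case-insensitively; the length check must come first so that an embedded NUL in the certificate name cannot truncate the comparison */`. It is also worth confirming that the `strncasecmp` in use folds ASCII letters only, since DNS case-insensitivity does not extend to bytes above 0x7f. The body of x509_check_dnsname starts and ends outside this hunk.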
diff --git a/src/tests/x509_test.c b/src/tests/x509_test.c
index 256c3e8..b6cba57 100644
--- a/src/tests/x509_test.c
+++ b/src/tests/x509_test.c
@@ -1037,6 +1037,7 @@ static void x509_test_exec ( void ) {
/* Check certificate names */
x509_check_name_ok ( &server_crt, "boot.test.ipxe.org" );
x509_check_name_ok ( &server_crt, "demo.test.ipxe.org" );
+ x509_check_name_ok ( &server_crt, "demo.test.iPXE.org" );
x509_check_name_fail_ok ( &server_crt, "incorrect.test.ipxe.org" );
x509_check_name_ok ( &server_crt, "anything.alt.test.ipxe.org" );
x509_check_name_ok ( &server_crt, "wildcard.alt.test.ipxe.org" );
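Review bot: The new mixed-case check covers only a positive match on `demo.test.iPXE.org`, so nothing here shows that case folding leaves rejections intact or that it reaches the wildcard names tested just below. A paired negative case such as `x509_check_name_fail_ok ( &server_crt, "incorrect.test.iPXE.org" );` would pin that the relaxed comparison still refuses a wrong host. A mixed-case wildcard case such as `x509_check_name_ok ( &server_crt, "anything.alt.test.iPXE.org" );` would exercise the `name != fullname` branch, assuming that branch shares the same comparison. x509_test_exec continues outside this hunk.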