From fc8bd4ba1a65db9d9091705f30fec19ded75530c Mon Sep 17 00:00:00 2001 From: Michael Brown Date: Tue, 18 May 2021 11:46:28 +0100 Subject: [x509] Use case-insensitive comparison for certificate names DNS names are case-insensitive, and RFC 5280 (unlike RFC 3280) mandates support for case-insensitive name comparison in X.509 certificates. Signed-off-by: Michael Brown --- src/crypto/x509.c | 3 ++- src/tests/x509_test.c | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/crypto/x509.c b/src/crypto/x509.c index 17d8c7a..1f017eb 100644 --- a/src/crypto/x509.c +++ b/src/crypto/x509.c @@ -25,6 +25,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); #include #include +#include #include #include #include @@ -1464,7 +1465,7 @@ static int x509_check_dnsname ( struct x509_certificate *cert, /* Compare names */ if ( ! ( ( strlen ( name ) == len ) && - ( memcmp ( name, dnsname, len ) == 0 ) ) ) + ( strncasecmp ( name, dnsname, len ) == 0 ) ) ) return -ENOENT; if ( name != fullname ) { diff --git a/src/tests/x509_test.c b/src/tests/x509_test.c index 256c3e8..b6cba57 100644 --- a/src/tests/x509_test.c +++ b/src/tests/x509_test.c @@ -1037,6 +1037,7 @@ static void x509_test_exec ( void ) { /* Check certificate names */ x509_check_name_ok ( &server_crt, "boot.test.ipxe.org" ); x509_check_name_ok ( &server_crt, "demo.test.ipxe.org" ); + x509_check_name_ok ( &server_crt, "demo.test.iPXE.org" ); x509_check_name_fail_ok ( &server_crt, "incorrect.test.ipxe.org" ); x509_check_name_ok ( &server_crt, "anything.alt.test.ipxe.org" ); x509_check_name_ok ( &server_crt, "wildcard.alt.test.ipxe.org" ); -- cgit v1.1