1 files changed, 59 insertions, 7 deletions

diff --git a/lib/axtls.c b/lib/axtls.c
index e37aed50a..ea94c6cf9 100644
--- a/lib/axtls.c
+++ b/lib/axtls.c
@@ -47,6 +47,8 @@
 #include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
+#include "hostcheck.h"
+
 
 /* SSL_read is opied from axTLS compat layer */
 static int SSL_read(SSL *ssl, void *buf, int num)
@@ -150,7 +152,11 @@ Curl_axtls_connect(struct connectdata *conn,
   int i, ssl_fcn_return;
   const uint8_t *ssl_sessionid;
   size_t ssl_idsize;
-  const char *x509;
+  const char *peer_CN;
+  uint32_t dns_altname_index;
+  const char *dns_altname;
+  int8_t found_subject_alt_names = 0;
+  int8_t found_subject_alt_name_matching_conn = 0;
 
   /* Assuming users will not compile in custom key/cert to axTLS */
   uint32_t client_option = SSL_NO_DEFAULT_KEY|SSL_SERVER_VERIFY_LATER;
@@ -296,19 +302,65 @@ Curl_axtls_connect(struct connectdata *conn,
   /* Here, gtls.c does issuer verification. axTLS has no straightforward
    * equivalent, so omitting for now.*/
 
-  /* See if common name was set in server certificate */
-  x509 = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
-  if(x509 == NULL)
-    infof(data, "error fetching CN from cert\n");
-
   /* Here, gtls.c does the following
    * 1) x509 hostname checking per RFC2818.  axTLS doesn't support this, but
-   *    it seems useful.  Omitting for now.
+   *    it seems useful. This is now implemented, by Oscar Koeroo
    * 2) checks cert validity based on time.  axTLS does this in ssl_verify_cert
    * 3) displays a bunch of cert information.  axTLS doesn't support most of
    *    this, but a couple fields are available.
    */
 
+
+  /* There is no (DNS) Altnames count in the version 1.4.8 API. There is a
+     risk of an inifite loop */
+  for(dns_altname_index = 0; ; dns_altname_index++) {
+    dns_altname = ssl_get_cert_subject_alt_dnsname(ssl, dns_altname_index);
+    if(dns_altname == NULL) {
+      break;
+    }
+    found_subject_alt_names = 1;
+
+    infof(data, "\tComparing subject alt name DNS with hostname: %s <-> %s\n",
+          dns_altname, conn->host.name);
+    if(Curl_cert_hostcheck(dns_altname, conn->host.name)) {
+      found_subject_alt_name_matching_conn = 1;
+      break;
+    }
+  }
+
+  /* RFC2818 checks */
+  if(found_subject_alt_names && !found_subject_alt_name_matching_conn) {
+    /* Break connection ! */
+    Curl_axtls_close(conn, sockindex);
+    failf(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname);
+    return CURLE_PEER_FAILED_VERIFICATION;
+  }
+  else if(found_subject_alt_names == 0) {
+    /* Per RFC2818, when no Subject Alt Names were available, examine the peer
+       CN as a legacy fallback */
+    peer_CN = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
+    if(peer_CN == NULL) {
+      /* Similar behaviour to the OpenSSL interface */
+      Curl_axtls_close(conn, sockindex);
+      failf(data, "unable to obtain common name from peer certificate");
+      return CURLE_PEER_FAILED_VERIFICATION;
+    }
+    else {
+      if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
+        if(data->set.ssl.verifyhost) {
+          /* Break connection ! */
+          Curl_axtls_close(conn, sockindex);
+          failf(data, "\tcommon name \"%s\" does not match \"%s\"\n",
+                peer_CN, conn->host.dispname);
+          return CURLE_PEER_FAILED_VERIFICATION;
+        }
+        else
+          infof(data, "\tcommon name \"%s\" does not match \"%s\"\n",
+                peer_CN, conn->host.dispname);
+      }
+    }
+  }
+
   /* General housekeeping */
   conn->ssl[sockindex].state = ssl_connection_complete;
   conn->ssl[sockindex].ssl = ssl;