commit f3e4bd8632b71dc491e52e6df87dc3e409d2b869
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Tue Jul 21 13:22:41 2020 +0200
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Tue Aug 11 10:24:21 2020 +0200
tree 99f486e562f32be0308776fb472058c06d6073c1
parent 7d2a4d873f1ded3f3c1fff591527867e16a0a7a7

Fix comparison between different name types

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

library/x509_crt.c

diff --git a/library/x509_crt.c b/library/x509_crt.c
index 8fd8b86..2627224 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -3008,6 +3008,25 @@
 }
 
 /*
+ * Check for SAN match, see RFC 5280 Section 4.2.1.6
+ */
+static int x509_crt_check_san( const mbedtls_x509_buf *name,
+                               const char *cn, size_t cn_len )
+{
+    const unsigned char san_type = (unsigned char) name->tag &
+                                   MBEDTLS_ASN1_TAG_VALUE_MASK;
+
+    /* dNSName */
+    if( san_type == MBEDTLS_X509_SAN_DNS_NAME )
+        return( x509_crt_check_cn( name, cn, cn_len ) );
+
+    /* (We may handle other types here later.) */
+
+    /* Unrecognized type */
+    return( -1 );
+}
+
+/*
  * Verify the requested CN - only call this if cn is not NULL!
  */
 static void x509_crt_verify_name( const mbedtls_x509_crt *crt,
@@ -3022,7 +3041,7 @@
     {
         for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next )
         {
-            if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 )
+            if( x509_crt_check_san( &cur->buf, cn, cn_len ) == 0 )
                 break;
         }