

  1. --- a/config.c 2015-01-26 17:47:53.000000000 +0100
  2. +++ b/config.c 2015-11-18 18:20:16.431223194 +0100
  3. @@ -889,6 +889,25 @@
  4. }
  5.  
  6. #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
  7. +/*
  8. + * Basic wildcard matching
  9. + * replace with X509_check_host at some point in the future
  10. + * beware of https://rt.openssl.org/Ticket/Display.html?id=3288
  11. + */
  12. +static int
  13. +SNI_match_name(const char *pattern, const char *name)
  14. +{
  15. + short is_wildcard;
  16. + const char *cp;
  17. +
  18. + /* easy wildcard checking - check left-most DNS label only */
  19. + is_wildcard = (pattern[0] == '*' && pattern[1] == '.');
  20. + if (is_wildcard)
  21. + return ((cp = strchr(name, '.')) != NULL && strcasecmp(pattern+1, cp) == 0);
  22. + else
  23. + return (strcasecmp(pattern, name) == 0);
  24. +}
  25. +
  26. static int
  27. SNI_server_name(SSL *ssl, int *dummy, POUND_CTX *ctx)
  28. {
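Review bot: The wildcard branch on line 21 accepts a name whose leftmost label is empty, e.g. `.example.com` against `*.example.com`, because strchr() then returns name itself and the remainder compares equal; adding `cp != name` to the condition, `return ((cp = strchr(name, '.')) != NULL && cp != name && strcasecmp(pattern+1, cp) == 0);`, restricts the wildcard to at least one character in that label, which is what RFC 6125 intends. The function also dereferences both arguments unconditionally, so the header comment should state that callers guarantee non-NULL pattern and name, with name being the client-supplied SNI value and therefore the untrusted side; `int` rather than `short` is the conventional type for is_wildcard. strcasecmp() is declared in <strings.h>, which may or may not already be included above this hunk.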
  29. @@ -902,7 +922,7 @@
  30.  
  31. SSL_set_SSL_CTX(ssl, NULL);
  32. for(pc = ctx; pc; pc = pc->next) {
  33. - if(fnmatch(pc->server_name, server_name, 0) == 0) {
  34. + if(SNI_match_name(pc->server_name, server_name)) {
  35. /* logmsg(LOG_DEBUG, "Found cert for %s", servername); */
  36. SSL_set_SSL_CTX(ssl, pc->ctx);
  37. return SSL_TLSEXT_ERR_OK;
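Review bot: Replacing fnmatch() with SNI_match_name() on line 37 narrows the accepted pattern syntax: `?`, bracket classes and a `*` anywhere other than a leading `*.` no longer match, so a configured server_name or certificate SAN written that way now silently fails to select its context and the request falls through to whatever the default is. That tightening looks deliberate, but it deserves a sentence in the changelog or configuration documentation; the same applies to the subjectAltNames loop in the next hunk. The NULL handling of server_name is outside this hunk (SNI_server_name starts above it), and the new matcher, like fnmatch() before it, dereferences name unconditionally, so that earlier check should be confirmed present.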
  38. @@ -911,7 +931,7 @@
  39. int i;
  40.  
  41. for(i = 0; i < pc->subjectAltNameCount; i++) {
  42. - if(fnmatch(pc->subjectAltNames[i], server_name, 0) == 0) {
  43. + if(SNI_match_name(pc->subjectAltNames[i], server_name)) {
  44. SSL_set_SSL_CTX(ssl, pc->ctx);
  45. return SSL_TLSEXT_ERR_OK;
  46. }
  47.