[457225] Add support for wildcard certificates.

This introduces wildcard certificate support for both bridges and clients. Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=457225
11 years ago · c591b06574
parent aca979a473
commit c591b06574
2 changed files with 32 additions and 2 deletions
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -16,6 +16,7 @@ Important changes:
 - New use_username_as_clientid option on the broker, for preventing hijacking
  of a client id.
 - The client library and clients now have experimental SOCKS5 support.
+- Wildcard TLS certificates are now supported for bridges and clients.


 Broker:
@ -51,6 +52,7 @@ Broker:
 - The bridge_attempt_unsubscribe option has been added, to allow the sending
  of UNSUBSCRIBE requests to be disabled for topics with "out" direction.
  Closes bug #456899.
+- Wildcard TLS certificates are now supported for bridges.

 Clients:
 - Both clients can now load default configuration options from a file.
@ -63,6 +65,7 @@ Client library:
 - mosquitto_loop_forever now quits after a fatal error, rather than blindly
  retrying.
 - SRV support is now not compiled in by default.
+- Wildcard TLS certificates are now supported.

 1.3.5 - 20141008
 ================
--- a/lib/tls_mosq.c
+++ b/lib/tls_mosq.c
@ -69,6 +69,33 @@ int _mosquitto_server_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx)
 	}
 }

+int mosquitto__cmp_hostname_wildcard(char *certname, const char *hostname)
+{
+	int i;
+	int len;
+
+	if(!certname || !hostname){
+		return 1;
+	}
+
+	if(certname[0] == '*'){
+		if(certname[1] != '.'){
+			return 1;
+		}
+		certname += 2;
+		len = strlen(hostname);
+		for(i=0; i<len-1; i++){
+			if(hostname[i] == '.'){
+				hostname += i+1;
+				break;
+			}
+		}
+		return strcasecmp(certname, hostname);
+	}else{
+		return strcasecmp(certname, hostname);
+	}
+}
+
 /* This code is based heavily on the example provided in "Secure Programming
 * Cookbook for C and C++".
 */
@ -100,7 +127,7 @@ int _mosquitto_verify_certificate_hostname(X509 *cert, const char *hostname)
 			nval = sk_GENERAL_NAME_value(san, i);
 			if(nval->type == GEN_DNS){
 				data = ASN1_STRING_data(nval->d.dNSName);
-				if(data && !strcasecmp((char *)data, hostname)){
+				if(data && !mosquitto__cmp_hostname_wildcard((char *)data, hostname)){
 					return 1;
 				}
 				have_san_dns = true;
@ -125,7 +152,7 @@ int _mosquitto_verify_certificate_hostname(X509 *cert, const char *hostname)
 	subj = X509_get_subject_name(cert);
 	if(X509_NAME_get_text_by_NID(subj, NID_commonName, name, sizeof(name)) > 0){
 		name[sizeof(name) - 1] = '\0';
-		if (!strcasecmp(name, hostname)) return 1;
+		if (!mosquitto__cmp_hostname_wildcard(name, hostname)) return 1;
 	}
 	return 0;
 }