fix sni
diff --git a/lib/openssl.c b/lib/openssl.c
index 0150ca2..7f5105d 100644
--- a/lib/openssl.c
+++ b/lib/openssl.c
@@ -1218,6 +1218,7 @@
 static int verify_cert_chain(X509_STORE *store, X509 *cert, STACK_OF(X509) * chain, int is_server, const char *server_name)
 {
     X509_STORE_CTX *verify_ctx;
+    X509_VERIFY_PARAM *params;
     int ret;
 
     assert(server_name != NULL && "ptls_set_server_name MUST be called");
@@ -1227,11 +1228,27 @@
         ret = PTLS_ERROR_NO_MEMORY;
         goto Exit;
     }
+    if ((params = X509_VERIFY_PARAM_new()) == NULL) {
+        ret = PTLS_ERROR_NO_MEMORY;
+        goto Exit;
+    }
     if (X509_STORE_CTX_init(verify_ctx, store, cert, chain) != 1) {
         ret = PTLS_ERROR_LIBRARY;
         goto Exit;
     }
-    X509_STORE_CTX_set_purpose(verify_ctx, is_server ? X509_PURPOSE_SSL_SERVER : X509_PURPOSE_SSL_CLIENT);
+
+    X509_VERIFY_PARAM_set_purpose(params, is_server ? X509_PURPOSE_SSL_SERVER : X509_PURPOSE_SSL_CLIENT);
+    X509_VERIFY_PARAM_set_depth(params, 2);
+
+    if (server_name != NULL) {
+        if (ptls_server_name_is_ipaddr(server_name)) 
+            X509_VERIFY_PARAM_set1_host(params, server_name, 0);
+        else                                        
+            X509_VERIFY_PARAM_set1_ip_asc(params, server_name);
+    }
+
+    X509_STORE_CTX_set0_param(verify_ctx, params);
+
     if (X509_verify_cert(verify_ctx) != 1) {
         int x509_err = X509_STORE_CTX_get_error(verify_ctx);
         switch (x509_err) {
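Review bot: The two branches on `ptls_server_name_is_ipaddr` are swapped: an IP literal is handed to `X509_VERIFY_PARAM_set1_host` and a DNS name to `X509_VERIFY_PARAM_set1_ip_asc`, and because none of the `set1_*`/`set_purpose` return values are checked, `set1_ip_asc` failing on a hostname leaves no host to match and `X509_verify_cert` then succeeds without any name validation. The `X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS` flag the old `X509_check_host` call applied is also gone and needs `X509_VERIFY_PARAM_set_hostflags` on the new path. `X509_VERIFY_PARAM_new` followed by `X509_STORE_CTX_set0_param` leaks `params` when `X509_STORE_CTX_init` fails on the `goto Exit` between them, and as far as I can tell also replaces the parameters the ctx inherited from the store rather than extending them, so editing the ctx's own params via `X509_STORE_CTX_get0_param` avoids both and makes the `params` declaration in the first hunk unnecessary. Whether the new `X509_VERIFY_PARAM_set_depth(params, 2)` cap is intended is not clear from the diff, since the removed code imposed no depth limit, so it is kept unchanged below; the `server_name != NULL` test is already guaranteed by the assert earlier in the function, and lines with `ptls_server_name_is_ipaddr(server_name)) ` and `else ` carry trailing whitespace.
```c
    /* … unchanged: X509_STORE_CTX_new / X509_STORE_CTX_init and their error paths … */

    /* edit the params the ctx inherited from the store instead of replacing them */
    X509_VERIFY_PARAM *params = X509_STORE_CTX_get0_param(verify_ctx);
    X509_VERIFY_PARAM_set_purpose(params, is_server ? X509_PURPOSE_SSL_SERVER : X509_PURPOSE_SSL_CLIENT);
    X509_VERIFY_PARAM_set_depth(params, 2);
    X509_VERIFY_PARAM_set_hostflags(params, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
    if (ptls_server_name_is_ipaddr(server_name)) {
        ret = X509_VERIFY_PARAM_set1_ip_asc(params, server_name);
    } else {
        ret = X509_VERIFY_PARAM_set1_host(params, server_name, 0);
    }
    if (ret != 1) {
        ret = PTLS_ERROR_LIBRARY;
        goto Exit;
    }

    /* … unchanged: X509_verify_cert and the error-code mapping … */
```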
@@ -1252,6 +1269,7 @@
             ret = PTLS_ALERT_UNKNOWN_CA;
             break;
         case X509_V_ERR_INVALID_CA:
+
             ret = PTLS_ALERT_BAD_CERTIFICATE;
             break;
         default:
@@ -1261,32 +1279,13 @@
         goto Exit;
     }
 
-#ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
-    /* verify CN */
-    if (server_name != NULL) {
-        if (ptls_server_name_is_ipaddr(server_name)) {
-            ret = X509_check_ip_asc(cert, server_name, 0);
-        } else {
-            ret = X509_check_host(cert, server_name, strlen(server_name), X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
-        }
-        if (ret != 1) {
-            if (ret == 0) { /* failed match */
-                ret = PTLS_ALERT_BAD_CERTIFICATE;
-            } else {
-                ret = PTLS_ERROR_LIBRARY;
-            }
-            goto Exit;
-        }
-    }
-#else
-#warning "hostname validation is disabled; OpenSSL >= 1.0.2 or LibreSSL >= 2.5.0 is required"
-#endif
-
     ret = 0;
 
 Exit:
+    // X509_VERIFY_PARAM *params is freed by the store
     if (verify_ctx != NULL)
         X509_STORE_CTX_free(verify_ctx);
+
     return ret;
 }
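Review bot: The comment added at `Exit:` is inaccurate: `params` is not freed by the store but by the `X509_STORE_CTX` that took ownership in `X509_STORE_CTX_set0_param`, and only once that call has run, which the earlier `goto Exit` paths do not reach. Suggested wording: `/* params, once passed to X509_STORE_CTX_set0_param, is owned by verify_ctx and freed with it */`. The removed `#ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS` / `#warning` block was the only compile-time signal that hostname validation requires OpenSSL >= 1.0.2 or LibreSSL >= 2.5.0; the new `X509_VERIFY_PARAM_set1_host` path presumably has the same floor, so a short comment stating it would keep that information from being lost.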
 
@@ -1302,6 +1301,8 @@
 
     assert(num_certs != 0);
 
+    printf("verify_cert -> check point 1\n");
+
     /* convert certificates to OpenSSL representation */
     if ((cert = to_x509(certs[0])) == NULL) {
         ret = PTLS_ALERT_BAD_CERTIFICATE;
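Review bot: The `printf("verify_cert -> check point 1\n");` added here writes debugging output to stdout from library code on every certificate verification, and the same applies to the check point 2 and check point 3 lines in the following hunk. These look like leftover tracing and should be removed before merge, or routed through a log facility the library already provides if one exists. Leaving them in also makes the translation unit depend on `<stdio.h>` for no functional reason. The enclosing `verify_cert` starts and ends outside the hunk.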
@@ -1316,10 +1317,14 @@
         sk_X509_push(chain, interm);
     }
 
+    printf("verify_cert -> check point 2\n");
+
     /* verify the chain */
     if ((ret = verify_cert_chain(self->cert_store, cert, chain, ptls_is_server(tls), ptls_get_server_name(tls))) != 0)
         goto Exit;
 
+    printf("verify_cert -> check point 3\n");
+
     /* extract public key for verifying the TLS handshake signature */
     if ((*verify_data = X509_get_pubkey(cert)) == NULL) {
         ret = PTLS_ALERT_BAD_CERTIFICATE;