wolfSSL_X509_verify_cert: add host check from ctx->param #9952
julek-wolfssl wants to merge 1 commit into wolfSSL:master from
Conversation
Pull request overview
This PR adds OpenSSL-compatible hostname/IP enforcement to wolfSSL_X509_verify_cert() based on values set in WOLFSSL_X509_STORE_CTX->param, and introduces a regression test to ensure hostname mismatches are rejected.
Changes:
- Enforce hostname (hostName) and IP (ipasc) checks during wolfSSL_X509_verify_cert() when configured via X509_VERIFY_PARAM.
- Add a regression test that verifies hostname match/mismatch behavior and the resulting error code.
- Register the new test in the API test declarations.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/x509_str.c | Adds hostname/IP enforcement to wolfSSL_X509_verify_cert() when ctx->param is configured. |
| tests/api/test_x509.c | Adds a regression test covering success with no hostname, success with matching SAN DNS, and failure on mismatch. |
| tests/api/test_x509.h | Exposes and registers the new test in the x509 test group. |
| if (wolfSSL_X509_check_ip_asc(ctx->current_cert, | ||
| ctx->param->ipasc, | ||
| ctx->param->hostFlags) != WOLFSSL_SUCCESS) { | ||
| ctx->error = X509_V_ERR_IP_ADDRESS_MISMATCH; |
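Review bot: in the lines shown, the failure branch of the wolfSSL_X509_check_ip_asc() call only sets ctx->error; the hostname branch of the same change also sets ret = WOLFSSL_FAILURE, and that assignment is not visible here. If it is missing, wolfSSL_X509_verify_cert() would return success on an IP mismatch and only a caller that also reads wolfSSL_X509_STORE_CTX_get_error() would notice. Please confirm the IP branch fails the return value the same way the hostname branch does, and that ctx->current_cert is the leaf certificate at this point, since ipasc is only meaningful against the end-entity certificate.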
Same as hostname mismatch: on IP address mismatch this updates ctx->error but not ctx->error_depth. Please set error_depth to 0 (leaf) when reporting X509_V_ERR_IP_ADDRESS_MISMATCH, to avoid leaking a previous chain-depth value.
| ctx->error = X509_V_ERR_IP_ADDRESS_MISMATCH; | |
| ctx->error = X509_V_ERR_IP_ADDRESS_MISMATCH; | |
| ctx->error_depth = 0; |
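Review bot: the suggested ctx->error_depth = 0; fixes the depth for the IP path by writing the field directly, while the comment on the hostname path proposes SetupStoreCtxError_ex(ctx, X509_V_ERR_HOSTNAME_MISMATCH, 0). Please use one mechanism for both branches so the two mismatch paths set error and error_depth the same way and cannot drift apart in a later change.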
| XSTRLEN("wrong.com")), WOLFSSL_SUCCESS); | ||
| ExpectIntNE(wolfSSL_X509_verify_cert(ctx), WOLFSSL_SUCCESS); | ||
| ExpectIntEQ(wolfSSL_X509_STORE_CTX_get_error(ctx), | ||
| X509_V_ERR_HOSTNAME_MISMATCH); |
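Review bot: the mismatch case in this test exercises hostName only; nothing in the lines shown sets ipasc, so the X509_V_ERR_IP_ADDRESS_MISMATCH branch added in src/x509_str.c runs with no coverage. Please add a matching case that sets an IP address on the verify param: a mismatching one expecting a non-success return and X509_V_ERR_IP_ADDRESS_MISMATCH from wolfSSL_X509_STORE_CTX_get_error(ctx), and, if the test certificate carries an IP SAN, a matching one expecting WOLFSSL_SUCCESS.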
The regression test validates the error code for hostname mismatch, but it doesn't assert the reported error depth. Adding an assertion that wolfSSL_X509_STORE_CTX_get_error_depth(ctx) == 0 in the mismatch case would catch incorrect depth reporting (e.g., if the verification logic leaves a stale chain depth behind).
| X509_V_ERR_HOSTNAME_MISMATCH); | |
| X509_V_ERR_HOSTNAME_MISMATCH); | |
| ExpectIntEQ(wolfSSL_X509_STORE_CTX_get_error_depth(ctx), 0); |
| if (wolfSSL_X509_check_host(ctx->current_cert, | ||
| ctx->param->hostName, | ||
| XSTRLEN(ctx->param->hostName), | ||
| ctx->param->hostFlags, NULL) != WOLFSSL_SUCCESS) { | ||
| ctx->error = X509_V_ERR_HOSTNAME_MISMATCH; | ||
| ret = WOLFSSL_FAILURE; | ||
| } |
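Review bot: the call dereferences ctx->param->hostName through XSTRLEN() with no guard visible in these lines; the condition that this check only runs when ctx->param and hostName are non-NULL (and, for OpenSSL parity, non-empty) must sit just above, so please confirm it exists, otherwise a store ctx whose param has no host set would either crash in XSTRLEN() or fail every verification here. Passing NULL as the peername argument also means the caller cannot learn which SAN entry matched; that is acceptable for a boolean check but worth a short comment. Finally, the check runs against ctx->current_cert; if the preceding chain walk has left current_cert pointing at an issuer rather than the leaf, the host check would be applied to the wrong certificate.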
When hostname verification fails, this sets ctx->error but leaves ctx->error_depth unchanged (it may contain the depth from the last chain validation step). For OpenSSL-compatible behavior, hostname mismatch should report an error depth of 0 (leaf). Set error_depth explicitly (e.g., wolfSSL_X509_STORE_CTX_set_error_depth(ctx, 0)) or use SetupStoreCtxError_ex(ctx, X509_V_ERR_HOSTNAME_MISMATCH, 0).
ZD21324