1 /***************************************************************************
2 * Copyright (c) 2024 Microsoft Corporation
3 *
4 * This program and the accompanying materials are made available under the
5 * terms of the MIT License which is available at
6 * https://opensource.org/licenses/MIT.
7 *
8 * SPDX-License-Identifier: MIT
9 **************************************************************************/
10
11
12 /**************************************************************************/
13 /**************************************************************************/
14 /** */
15 /** NetX Secure Component */
16 /** */
17 /** X.509 Digital Certificates */
18 /** */
19 /**************************************************************************/
20 /**************************************************************************/
21
22 #define NX_SECURE_SOURCE_CODE
23
24 #include "nx_secure_x509.h"
25
26
27 /**************************************************************************/
28 /* */
29 /* FUNCTION RELEASE */
30 /* */
31 /* _nx_secure_x509_wildcard_compare PORTABLE C */
32 /* 6.1.6 */
33 /* AUTHOR */
34 /* */
35 /* Timothy Stapko, Microsoft Corporation */
36 /* */
37 /* DESCRIPTION */
38 /* */
39 /* This function compares a name (string) against a name string using */
40 /* wildcards as found in the Common Name and subjectAltName fields of */
41 /* an X.509 certificate. This is primarily used when checking a DNS */
42 /* name against an X.509 certificate provided by a remote host. */
43 /* */
44 /* INPUT */
45 /* */
46 /* dns_name Name to check */
47 /* dns_name_len Length of name */
48 /* wildcard_name String with name or wildcard */
49 /* wildcard_len Length of wildcard */
50 /* */
51 /* OUTPUT */
52 /* */
53 /* compare value 0 if equal, else non-zero */
54 /* */
55 /* CALLS */
56 /* */
57 /* None */
58 /* */
59 /* CALLED BY */
60 /* */
61 /* _nx_secure_x509_common_name_dns_check Check Common Name by DNS */
62 /* _nx_secure_x509_subject_alt_names_find */
63 /* Find subject alt names */
64 /* */
65 /* RELEASE HISTORY */
66 /* */
67 /* DATE NAME DESCRIPTION */
68 /* */
69 /* 05-19-2020 Timothy Stapko Initial Version 6.0 */
70 /* 09-30-2020 Timothy Stapko Modified comment(s), */
71 /* resulting in version 6.1 */
72 /* 04-02-2021 Timothy Stapko Modified comment(s), */
73 /* removed dependency on TLS, */
74 /* resulting in version 6.1.6 */
75 /* */
76 /**************************************************************************/
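INT _nx_secure_x509_wildcard_compare(const UCHAR *dns_name, UINT dns_name_len,
                                     const UCHAR *wildcard_name, UINT wildcard_len)
{
UINT  dns_remaining;
UINT  wildcard_remaining;
UCHAR dns_char;
UCHAR pattern_char;

    /* Compare a host name against a certificate name that may carry a wildcard.
       Both names are walked from the right-most byte toward the left, so the
       suffix (".example.com") is verified first and the '*' in the pattern is
       only reached once everything to its right has already matched.

       Accepted wildcard form: '*' as the complete left-most label, followed by
       '.' ("*.example.com"). It stands for exactly one non-empty label and
       never matches a '.', so "*.example.com" matches "www.example.com" but
       not "example.com", ".example.com" or "a.b.example.com". Partial-label
       wildcards ("f*.example.com") and a '*' anywhere other than the first
       byte of the pattern are rejected.

       The comparison is byte-exact: names differing only in letter case do
       not match. DNS names are case-insensitive (RFC 4343), so callers are
       expected to normalize case first -- NOTE(review): confirm at the call
       sites. No check is made on how many labels follow the wildcard
       ("*.com" is accepted); that policy is left to the issuing CA.

       dns_name      / dns_name_len  : name to check (need not be NUL-terminated)
       wildcard_name / wildcard_len  : certificate name, optionally "*.<suffix>"
       Returns 0 when the names match, non-zero otherwise.

       Remaining-byte counters (unsigned) are used instead of signed offsets so
       the arithmetic is defined for every UINT length, including values that
       would not fit in INT. */

    dns_remaining = dns_name_len;
    wildcard_remaining = wildcard_len;

    while (dns_remaining > 0 && wildcard_remaining > 0)
    {
        dns_char = dns_name[dns_remaining - 1];
        pattern_char = wildcard_name[wildcard_remaining - 1];

        if (dns_char == pattern_char)
        {
            /* Identical byte (a literal '*' present in both names lands here too). */
            dns_remaining--;
            wildcard_remaining--;
            continue;
        }

        if (pattern_char != '*')
        {
            /* Plain mismatch with no wildcard to account for it. */
            return(1);
        }

        /* The '*' must be the first byte of the pattern and must be followed by
           '.', i.e. the pattern has the shape "*.<suffix>". The length check keeps
           wildcard_name[1] in bounds when the pattern is just "*" (formerly a
           one-byte over-read); such a pattern is rejected. */
        if (wildcard_remaining != 1 || wildcard_len < 2 || wildcard_name[1] != '.')
        {
            return(1);
        }

        /* Whatever is left of the host name is what the '*' stands for. It must be
           a single label: a '.' in it would let the wildcard span label boundaries. */
        while (dns_remaining > 0)
        {
            if (dns_name[dns_remaining - 1] == '.')
            {
                return(1);
            }
            dns_remaining--;
        }

        /* Suffix matched and the wildcard consumed exactly one label. */
        return(0);
    }

    /* One name ran out before the other: the lengths differ. This is also where
       "*.example.com" vs. "example.com" ends up, with "*." left unmatched. */
    if (dns_remaining != 0 || wildcard_remaining != 0)
    {
        return(1);
    }

    /* Every byte matched and both names are exhausted. */
    return(0);
}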
132
133