From: Jouni Malinen Date: Tue, 9 Apr 2019 13:22:13 +0000 (+0300) Subject: wolfSSL: Fix dNSName matching with domain_match and domain_suffix_match X-Git-Tag: hostap_2_8~123 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dcc0ccd5b0faab259a48c0cb6427b8b825ba4217;p=thirdparty%2Fhostap.git wolfSSL: Fix dNSName matching with domain_match and domain_suffix_match Incorrect gen->type value was used to check whether subjectAltName contained dNSName entries. This resulted in all domain_match and domain_suffix_match entries failing to find a match and rejecting the server certificate. Fix this by checking against the correct type definition for dNSName. Signed-off-by: Jouni Malinen --- diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index 41fc946bc..9cf13a9bd 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c @@ -690,7 +690,7 @@ static int tls_match_suffix(WOLFSSL_X509 *cert, const char *match, int full) for (j = 0; ext && j < wolfSSL_sk_num(ext); j++) { gen = wolfSSL_sk_value(ext, j); - if (gen->type != ALT_NAMES_OID) + if (gen->type != ASN_DNS_TYPE) continue; dns_name++; wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate dNSName",
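Review bot: In the loop in tls_match_suffix(), `gen = wolfSSL_sk_value(ext, j);` is dereferenced on the very next line as `gen->type` with no NULL check. The loop condition guards `ext` and the index bound, but not the element that comes back. Since that line is being touched anyway, consider `if (!gen || gen->type != ASN_DNS_TYPE) continue;` so that an unexpected empty entry is skipped rather than dereferenced. Separately, `dns_name++` counts only entries that pass this type check, and the commit message says the old constant made every domain_match and domain_suffix_match lookup fail. A regression test that runs a wolfSSL build against a server certificate carrying a dNSName subjectAltName would catch a wrong constant here the next time the type definitions change.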