]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
projects / thirdparty / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 441b6c3)
BUG/MINOR: ssl: verifyhost is case sensitive
authorWilliam Lallemand <wlallemand@haproxy.com>
Mon, 14 Sep 2020 13:20:10 +0000 (15:20 +0200)
committerWilliam Lallemand <wlallemand@haproxy.org>
Mon, 14 Sep 2020 13:20:10 +0000 (15:20 +0200)
In bug #835, @arjenzorgdoc reported that the verifyhost option on the
server line is case-sensitive, that shouldn't be the case.

This patch fixes the issue by replacing memcmp by strncasecmp and strcmp
by strcasecmp. The patch was suggested by @arjenzorgdoc.

This must be backported in all versions supporting the verifyhost
option.

src/ssl_sock.c patch | blob | blame | history

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b8d6b4c5484e0bf5440155dd7d74491d922dbbdf..b953637b7ef53c8785aca624bf09f0c5722ec3ad 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4519,7 +4519,7 @@ static int ssl_sock_srv_hostcheck(const char *pattern, const char *hostname)
        size_t prefixlen, suffixlen;
 
        /* Trivial case */
-       if (strcmp(pattern, hostname) == 0)
+       if (strcasecmp(pattern, hostname) == 0)
                return 1;
 
        /* The rest of this logic is based on RFC 6125, section 6.4.3
@@ -4550,7 +4550,7 @@ static int ssl_sock_srv_hostcheck(const char *pattern, const char *hostname)
        /* Make sure all labels match except the leftmost */
        hostname_left_label_end = strchr(hostname, '.');
        if (!hostname_left_label_end
-           || strcmp(pattern_left_label_end, hostname_left_label_end) != 0)
+           || strcasecmp(pattern_left_label_end, hostname_left_label_end) != 0)
                return 0;
 
        /* Make sure the leftmost label of the hostname is long enough
@@ -4562,8 +4562,8 @@ static int ssl_sock_srv_hostcheck(const char *pattern, const char *hostname)
         * wildcard */
        prefixlen = pattern_wildcard - pattern;
        suffixlen = pattern_left_label_end - (pattern_wildcard + 1);
-       if ((prefixlen && (memcmp(pattern, hostname, prefixlen) != 0))
-           || (suffixlen && (memcmp(pattern_wildcard + 1, hostname_left_label_end - suffixlen, suffixlen) != 0)))
+       if ((prefixlen && (strncasecmp(pattern, hostname, prefixlen) != 0))
+           || (suffixlen && (strncasecmp(pattern_wildcard + 1, hostname_left_label_end - suffixlen, suffixlen) != 0)))
                return 0;
 
        return 1;
Mirror of https://github.com/haproxy/haproxy.git