[x509] Use case-insensitive comparison for certificate names

DNS names are case-insensitive, and RFC 5280 (unlike RFC 3280)
mandates support for case-insensitive name comparison in X.509
certificates.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 17d8c7a4301f5bfdc7c7e355f09cb6c5169177f0..1f017eb03f50d6817713cacf0aef4e19c52cb2c7 100644 (file)
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -25,6 +25,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 
 #include <stdlib.h>
 #include <string.h>
+#include <strings.h>
 #include <errno.h>
 #include <assert.h>
 #include <ipxe/list.h>
@@ -1464,7 +1465,7 @@ static int x509_check_dnsname ( struct x509_certificate *cert,
 
        /* Compare names */
        if ( ! ( ( strlen ( name ) == len ) &&
-                ( memcmp ( name, dnsname, len ) == 0 ) ) )
+                ( strncasecmp ( name, dnsname, len ) == 0 ) ) )
                return -ENOENT;
 
        if ( name != fullname ) {

diff --git a/src/tests/x509_test.c b/src/tests/x509_test.c
index 256c3e85e8eb270df711c0ea6a068d96811c9f06..b6cba575c41e7172f67ea3a4f1f001951ab10571 100644 (file)
--- a/src/tests/x509_test.c
+++ b/src/tests/x509_test.c
@@ -1037,6 +1037,7 @@ static void x509_test_exec ( void ) {
        /* Check certificate names */
        x509_check_name_ok ( &server_crt, "boot.test.ipxe.org" );
        x509_check_name_ok ( &server_crt, "demo.test.ipxe.org" );
+       x509_check_name_ok ( &server_crt, "demo.test.iPXE.org" );
        x509_check_name_fail_ok ( &server_crt, "incorrect.test.ipxe.org" );
        x509_check_name_ok ( &server_crt, "anything.alt.test.ipxe.org" );
        x509_check_name_ok ( &server_crt, "wildcard.alt.test.ipxe.org" );