fix failing testcases

mariux64 · Oct 6, 2020 · ea9747b · ea9747b
1 parent 7edae07
commit ea9747b
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 8 deletions.
diff --git a/tests/t_verify_cert.c b/tests/t_verify_cert.c
@@ -272,6 +272,7 @@ Qe0Vy/UCDijCHK6Y5GkzWD7H008l\n\
         ok(1,verifyconfcert(certsandns, &conf),"san dns");
         ok(0,verifyconfcert(certsandnsother, &conf),"negative san dns");
         ok(1,verifyconfcert(certcomplex,&conf),"san dns in complex cert");
+        ok(0,verifyconfcert(certsimple, &conf),"missing san dns");
 
         while(list_shift(conf.hostports));
     }
@@ -308,9 +309,9 @@ Qe0Vy/UCDijCHK6Y5GkzWD7H008l\n\
         hp2.prefixlen = 255;
         list_push(conf.hostports, &hp2);
 
-        ok(1,verifyconfcert(certsandns, &conf),"multi hostport san dns # TODO fix in refactoring");
+        ok(1,verifyconfcert(certsandns, &conf),"multi hostport san dns");
         ok(0,verifyconfcert(certsandnsother, &conf),"negative multi hostport san dns");
-        ok(1,verifyconfcert(certcomplex,&conf),"multi hostport san dns in complex cert # TODO fix in refactoring");
+        ok(1,verifyconfcert(certcomplex,&conf),"multi hostport san dns in complex cert");
 
         while(list_shift(conf.hostports));
     }

diff --git a/tlscommon.c b/tlscommon.c
@@ -582,7 +582,7 @@ static int _general_name_regex_match(char *v, int l, struct certattrmatch *match
     if (l <= 0 ) 
         return 0;
     if (match->exact) {
-        if (memcmp(v, match->exact, l) == 0)
+        if (l == strlen(match->exact) && memcmp(v, match->exact, l) == 0)
             return 1;
         return 0;
     }
@@ -635,6 +635,10 @@ static int certattr_matchcn(X509 *cert, struct certattrmatch *match){
     return 0;
 }
 
+/* returns
+   1 if expected type is present and matches
+   0 if expected type is not present
+   -1 if expected type is present but does not match */
 static int matchsubjaltname(X509 *cert, struct certattrmatch* match) {
     GENERAL_NAME *gn;
     int loc, n,i,r = 0;
@@ -660,6 +664,7 @@ static int matchsubjaltname(X509 *cert, struct certattrmatch* match) {
             r = match->matchfn(gn, match);
             if (r)
                 break;
+            r = -1;
         }
         /*legacy print non-matching SAN*/
         if (gn->type == GEN_DNS || gn->type == GEN_URI) {
@@ -674,15 +679,14 @@ static int matchsubjaltname(X509 *cert, struct certattrmatch* match) {
         }
     }
 
-    if (!r)
+    if (r<1)
         debug(DBG_WARN, "matchsubjaltname: no matching Subject Alt Name found! (%s)", fail);
     free(fail);
 
     GENERAL_NAMES_free(alt);
     return r;
 }
 
-/* this is a bit sloppy, should not always accept match to any */
 int certnamecheck(X509 *cert, struct list *hostports) {
     struct list_node *entry;
     struct hostportres *hp;
@@ -692,6 +696,7 @@ int certnamecheck(X509 *cert, struct list *hostports) {
     memset(&match, 0, sizeof(struct certattrmatch));
 
     for (entry = list_first(hostports); entry; entry = list_next(entry)) {
+        r = 0;
         hp = (struct hostportres *)entry->data;
         if (hp->prefixlen != 255) {
             /* we disable the check for prefixes */
@@ -931,6 +936,9 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v
 
 static regex_t *compileregex(char *regstr) {
     regex_t *result;
+    if (regstr[0] != '/')
+        return NULL;
+    regstr++;
 
     if (regstr[strlen(regstr) - 1] == '/')
         regstr[strlen(regstr) - 1] = '\0';
@@ -966,7 +974,7 @@ int addmatchcertattr(struct clsrvconf *conf, char *match) {
     if (!colon) goto errexit;
 
     if (strncasecmp(pos, "CN", colon - pos) == 0) {
-        certattrmatch->regex = compileregex(colon+1);
+        if(!(certattrmatch->regex = compileregex(colon+1))) goto errexit;
         certattrmatch->type = -1;
         certattrmatch->matchfn = NULL; /*special case: don't search in SAN, but CN field in subject */
     } 
@@ -987,12 +995,12 @@ int addmatchcertattr(struct clsrvconf *conf, char *match) {
             certattrmatch->matchfn = &certattr_matchip;
         }
         else if(strncasecmp(pos, "URI", colon - pos) == 0) {
-            certattrmatch->regex = compileregex(colon+1);
+            if(!(certattrmatch->regex = compileregex(colon+1))) goto errexit;
             certattrmatch->type = GEN_URI;
             certattrmatch->matchfn = &certattr_matchregex;
         }
         else if(strncasecmp(pos, "DNS", colon - pos) == 0) {
-            certattrmatch->regex = compileregex(colon+1);
+            if(!(certattrmatch->regex = compileregex(colon+1))) goto errexit;
             certattrmatch->type = GEN_DNS;
             certattrmatch->matchfn = &certattr_matchregex;
         }