BUG/MINOR: ssl: verifyhost is case sensitive
In bug #835, @arjenzorgdoc reported that the verifyhost option on the
server line is case-sensitive, which shouldn't be the case.
This patch fixes the issue by replacing memcmp by strncasecmp and strcmp
by strcasecmp. The patch was suggested by @arjenzorgdoc.
This must be backported in all versions supporting the verifyhost
option.
(cherry picked from commit 2d6fd0a90df8d3ab77f13c59e5f1efa3d271c42c)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 656c331cbd02b4bef43e6ceac347b6e9bd440296)
[wt: adjusted context]
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 1d909c8ed9408da02045cda08908c3319acb9fcd)
Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 49b7da5..f581fb3 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4573,7 +4573,7 @@
size_t prefixlen, suffixlen;
/* Trivial case */
- if (strcmp(pattern, hostname) == 0)
+ if (strcasecmp(pattern, hostname) == 0)
return 1;
/* The rest of this logic is based on RFC 6125, section 6.4.3
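Review bot: `strcasecmp()` on the trivial-case line, and the `strcasecmp()`/`strncasecmp()` calls in the two later hunks (remaining labels, wildcard prefix and suffix), fold case according to the current LC_CTYPE locale, whereas DNS names are compared case-insensitively over ASCII letters only (RFC 4343). In the default "C" locale the two are equivalent, but nothing in the visible lines establishes that the process stays in it. I would state the assumption next to the first comparison, e.g. `/* DNS names compare case-insensitively over ASCII only; relies on the "C" locale for strcasecmp() */`. If the locale can ever be changed, an ASCII-only fold would be the safer comparison for a certificate name check. The enclosing function starts and ends outside this hunk.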
@@ -4604,7 +4604,7 @@
/* Make sure all labels match except the leftmost */
hostname_left_label_end = strchr(hostname, '.');
if (!hostname_left_label_end
- || strcmp(pattern_left_label_end, hostname_left_label_end) != 0)
+ || strcasecmp(pattern_left_label_end, hostname_left_label_end) != 0)
return 0;
/* Make sure the leftmost label of the hostname is long enough
@@ -4616,8 +4616,8 @@
* wildcard */
prefixlen = pattern_wildcard - pattern;
suffixlen = pattern_left_label_end - (pattern_wildcard + 1);
- if ((prefixlen && (memcmp(pattern, hostname, prefixlen) != 0))
- || (suffixlen && (memcmp(pattern_wildcard + 1, hostname_left_label_end - suffixlen, suffixlen) != 0)))
+ if ((prefixlen && (strncasecmp(pattern, hostname, prefixlen) != 0))
+ || (suffixlen && (strncasecmp(pattern_wildcard + 1, hostname_left_label_end - suffixlen, suffixlen) != 0)))
return 0;
return 1;
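Review bot: The new `strncasecmp()` lines in the wildcard branch have no comment saying that the prefix and suffix are now matched without regard to case, and the visible part of the patch adds no test for it. I would put `/* prefix and suffix of the leftmost label are compared case-insensitively, like the other labels */` above the `if`, and add a regression case where the configured verifyhost name and the certificate name differ only in case, once for an exact name and once for a wildcard pattern. Unlike `memcmp()`, `strncasecmp()` stops at a NUL byte, and `hostname_left_label_end - suffixlen` is only in bounds because of the leftmost-label length check that sits just before this hunk, so that check has to stay ahead of the comparison. The function's start is outside the hunk.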