From f65fbee52b3e76ad983d28c2a800defbeaef6ab0 Mon Sep 17 00:00:00 2001
From: Paul Bakker <p.j.bakker@polarssl.org>
Date: Wed, 11 Sep 2013 11:52:17 +0200
Subject: [PATCH] x509_verify() now case insensitive for cn (RFC 6125 6.4)
 (cherry picked from commit a5943858d8ebac35692fde7dbd6fbc4f2410945a)

Conflicts:
	ChangeLog
	library/x509parse.c
	tests/suites/test_suite_x509parse.data
---
 ChangeLog                              |  3 +++
 library/x509parse.c                    | 31 ++++++++++++++++++++++----
 tests/suites/test_suite_x509parse.data |  2 +-
 3 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ab851fc37..794bcf645 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 PolarSSL ChangeLog
 
 = Branch 1.2
+Changes
+   * x509_verify() now case insensitive for cn (RFC 6125 6.4)
+
 Bugfix
    * Fixed potential memory leak when failing to resume a session
    * Minor fixes
diff --git a/library/x509parse.c b/library/x509parse.c
index 86a1ab292..efde3f578 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -3261,6 +3261,29 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca,
     return flags;
 }
 
+// Equal == 0, inequal == 1
+static int x509_name_cmp( const void *s1, const void *s2, size_t len )
+{
+    size_t i;
+    unsigned char diff;
+    const unsigned char *n1 = s1, *n2 = s2;
+
+    for( i = 0; i < len; i++ )
+    {
+        diff = n1[i] ^ n2[i];
+
+        if( ( n1[i] >= 'a' || n1[i] <= 'z' ) && ( diff == 0 || diff == 32 ) )
+            continue;
+
+        if( ( n1[i] >= 'A' || n1[i] <= 'Z' ) && ( diff == 0 || diff == 32 ) )
+            continue;
+
+        return( 1 );
+    }
+
+    return( 0 );
+}
+
 int x509_wildcard_verify( const char *cn, x509_buf *name )
 {
     size_t i;
@@ -3282,7 +3305,7 @@ int x509_wildcard_verify( const char *cn, x509_buf *name )
         return( 0 );
 
     if( strlen( cn ) - cn_idx == name->len - 1 &&
-        memcmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
+        x509_name_cmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
     {
         return( 1 );
     }
@@ -3439,7 +3462,7 @@ static int x509parse_verify_child(
         ret = x509parse_verify_child( parent, grandparent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
         if( ret != 0 )
             return( ret );
-    } 
+    }
     else
     {
         ret = x509parse_verify_top( parent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
@@ -3488,7 +3511,7 @@ int x509parse_verify( x509_cert *crt,
             while( cur != NULL )
             {
                 if( cur->buf.len == cn_len &&
-                    memcmp( cn, cur->buf.p, cn_len ) == 0 )
+                    x509_name_cmp( cn, cur->buf.p, cn_len ) == 0 )
                     break;
 
                 if( cur->buf.len > 2 &&
@@ -3510,7 +3533,7 @@ int x509parse_verify( x509_cert *crt,
                     memcmp( name->oid.p, OID_CN,  3 ) == 0 )
                 {
                     if( name->val.len == cn_len &&
-                        memcmp( name->val.p, cn, cn_len ) == 0 )
+                        x509_name_cmp( name->val.p, cn, cn_len ) == 0 )
                         break;
 
                     if( name->val.len > 2 &&
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index acb285218..1b87f8d7b 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -304,7 +304,7 @@ x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_ex
 
 X509 Certificate verification #21 (domain matching wildcard certificate)
 depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO
-x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.com":0:0:NULL
+x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.ExAmPlE.com":0:0:NULL
 
 X509 Certificate verification #22 (domain not matching wildcard certificate)
 depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO