added better wildcard matching for CN

1 files changed, 25 insertions, 10 deletions

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 4aac4e3137..5460f3a6e1 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -4829,6 +4829,30 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) /* {{{ */
 }
 /* }}} */
 
+static int php_openssl_match_cn(const char *subjectname, const char *certname)
+{
+	int match = strcmp(subjectname, certname) == 0;
+
+	if (!match) {
+		char *wildcard = strchr(certname, '*');
+		int prefix_len = wildcard - certname;
+
+		/* 1) prefix, if not empty, must match */
+		if (wildcard && (prefix_len == 0 || strncmp(subjectname, certname, prefix_len) == 0)) {
+			const char *suffix = subjectname + strlen(subjectname) - strlen(wildcard + 1);
+
+			/*
+			 * 2) suffix must match
+			 * 3) no period between prefix and suffix
+			**/
+			match = strcmp(wildcard + 1, suffix) == 0 &&
+				memchr(subjectname + prefix_len, '.', suffix - subjectname - prefix_len) == NULL;
+		}
+	}
+
+	return match;
+}
+
 int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stream TSRMLS_DC) /* {{{ */
 {
 	zval **val = NULL;
@@ -4881,16 +4905,7 @@ int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stre
 			return FAILURE;
 		}
 
-		match = strcmp(cnmatch, buf) == 0;
-		if (!match && strlen(buf) > 3 && buf[0] == '*' && buf[1] == '.') {
-			/* Try wildcard */
-
-			if (strchr(buf+2, '.')) {
-				char *tmp = strstr(cnmatch, buf+1);
-
-				match = tmp && strcmp(tmp, buf+2) && tmp == strchr(cnmatch, '.');
-			}
-		}
+		match = php_openssl_match_cn(cnmatch, buf);
 
 		if (!match) {
 			/* didn't match */