BoringSSL: provide X509_VERYFY_PARAM_Set1_host length

X509_VERYFY_PARAM_Set1_host of openSSL allows the third argument, which is the length of the hostname string, to be 0. Then, it assumes hostname is a null-terminated C string. BoringSSL enforces the actual length to be specified, and the hostname string should end with a null char. Just provide the length, making both OpenSSL and BoringSSL happy.
2025-03-09 00:00:04 +01:00 · 2020-04-29 12:18:41 -07:00 · 2020-04-29 12:18:41 -07:00 · 5dd57715dd
commit 5dd57715dd
parent 59fb0988a6
2 changed files with 5 additions and 3 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -327,7 +327,7 @@ set(PACKAGE "libwebsockets")
 set(CPACK_PACKAGE_NAME "${PACKAGE}")
 set(CPACK_PACKAGE_VERSION_MAJOR "4")
 set(CPACK_PACKAGE_VERSION_MINOR "0")
-set(CPACK_PACKAGE_VERSION_PATCH "2")
+set(CPACK_PACKAGE_VERSION_PATCH "3")
 set(CPACK_PACKAGE_RELEASE 1)
 set(CPACK_GENERATOR "RPM")
 set(CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH}")
--- a/lib/tls/openssl/openssl-client.c
+++ b/lib/tls/openssl/openssl-client.c
@ -21,6 +21,7 @@
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 */
+#include <string.h>

 #include "private-lib-core.h"
 #include "private-lib-tls-openssl.h"
@ -194,9 +195,10 @@ lws_ssl_client_bio_create(struct lws *wsi)
 		X509_VERIFY_PARAM_set_hostflags(param,
 					X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 #endif
-		// Handle the case where the hostname is an IP address.
+		/* Handle the case where the hostname is an IP address */
 		if (!X509_VERIFY_PARAM_set1_ip_asc(param, hostname))
-			X509_VERIFY_PARAM_set1_host(param, hostname, 0);
+			X509_VERIFY_PARAM_set1_host(param, hostname,
+					strnlen(hostname, sizeof(hostname)));
 	}
 #else
 	if (!(wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {