Commit 562bb17

tls_mgm: match SNI / SIP domain filters case-insensitively
SNI hostnames are DNS names, which compare case-insensitively (RFC 6066). Pass FNM_CASEFOLD to fnmatch() in tls_find_domain_by_filters().
1 parent 749dfbb commit 562bb17

2 files changed

Lines changed: 10 additions & 1 deletion

modules/tls_mgm/doc/tls_mgm_admin.xml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -986,6 +986,8 @@ modparam("tls_mgm", "match_ip_address", "[dom1]10.0.0.10:5061, 10.0.0.11:5061")
986986
The SIP domains used to match a TLS connection with a
987987
virtual TLS domain. For TLS server domains, these values will be
988988
matched against the hostname provided in the TLS Servername extension(SNI).
989+
As the SNI hostname is a DNS name, the matching is case-insensitive
990+
(as per RFC 6066).
989991
For TLS client domains, the values will be compared with the value of
990992
the <xref linkend="param_client_sip_domain_avp"/> AVP.
991993
</para>
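Review bot: the new sentence sits between the server-domain (SNI) description and the client-domain sentence, so it is unclear whether the case-insensitive rule also covers the comparison against the client_sip_domain_avp AVP; the code hunk in this commit only touches tls_find_domain_by_filters(), so either state explicitly that it applies to the SNI match, or, if the client-side comparison is also case-insensitive, say so here. Consider citing RFC 4343 (the DNS case-insensitivity clarification) alongside RFC 6066, as the code comment in tls_domain.c does.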

modules/tls_mgm/tls_domain.c

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,11 @@
3333
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
3434
*/
3535

36+
/* needed to expose FNM_CASEFOLD from <fnmatch.h> on glibc */
37+
#ifndef _GNU_SOURCE
38+
#define _GNU_SOURCE
39+
#endif
40+
3641
#include "../../mem/mem.h"
3742
#include "../../lib/csv.h"
3843
#include "tls_domain.h"
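Review bot: FNM_CASEFOLD is a GNU/BSD extension rather than POSIX, and defining _GNU_SOURCE for this one translation unit also selects the GNU rather than POSIX variants of other glibc prototypes in this file, which can differ from the rest of the module. Prefer setting -D_GNU_SOURCE in the module's build flags if the project does not already, and guard the flag's use with `#ifdef FNM_CASEFOLD` (or a `#error` with a clear message) so a libc without the extension fails at compile time with an explanation rather than at the fnmatch() call.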
@@ -403,7 +408,9 @@ tls_find_domain_by_filters(struct ip_addr *ip, unsigned short port,
403408
for (i = 0; i < dom_array->size; i++) {
404409
memcpy(fnm_s, domain_filter->s, domain_filter->len);
405410
fnm_s[domain_filter->len] = 0;
406-
if (!fnmatch(dom_array->arr[i].hostname->s.s, fnm_s, 0)) {
411+
/* SNI hostnames are DNS names, so match case-insensitively
412+
* (RFC 6066 / RFC 4343) */
413+
if (!fnmatch(dom_array->arr[i].hostname->s.s, fnm_s, FNM_CASEFOLD)) {
407414
ref_tls_dom(dom_array->arr[i].dom_link);
408415
if (dom_lock)
409416
lock_stop_read(dom_lock);
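Review bot: this changes matching semantics for existing configurations: a match_sip_domain filter that previously matched only an exact-case SNI value now matches any case variant, so a deployment that relied (deliberately or not) on case-sensitive filtering to send mixed-case SNI values to a different or default TLS domain will see those connections land in another domain after upgrading. Worth a line in the module changelog and a test with a mixed-case SNI such as `sip.Example.COM` against a lower-case filter confirming the intended domain is selected. Note that with no FNM_PERIOD or FNM_PATHNAME the `*` wildcard still spans dots, so the existing wildcard behaviour is unchanged by this hunk.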
