From 12d031cf8177fdec0137f9aa7e2912fa23c4416b Mon Sep 17 00:00:00 2001
From: Kevin Smith <git@kismith.co.uk>
Date: Thu, 9 Jan 2020 13:32:54 +0000
Subject: Accept certs with upper case entries

Although we were doing the right thing with punycode
(as far as I can see) for the IDNA entries, we were
forgetting that the comparisons needed to be case
insensitive (checked the RFCs). Now they are.

Test-Information:
Added unit tests for the three flows that were
modified.

Change-Id: Ib17ae3df66159f38339996580dc85a5d99356274

diff --git a/Swiften/TLS/ServerIdentityVerifier.cpp b/Swiften/TLS/ServerIdentityVerifier.cpp
index da116e5..18ea2aa 100644
--- a/Swiften/TLS/ServerIdentityVerifier.cpp
+++ b/Swiften/TLS/ServerIdentityVerifier.cpp
@@ -82,15 +82,15 @@ bool ServerIdentityVerifier::matchesDomain(const std::string& s) const {
         if (dotIndex != matchDomain.npos) {
             matchDomain = matchDomain.substr(dotIndex + 1, matchDomain.npos);
         }
-        return matchString == matchDomain;
+        return boost::iequals(matchString, matchDomain);
     }
     else {
-        return s == encodedDomain;
+        return boost::iequals(s, encodedDomain);
     }
 }
 
 bool ServerIdentityVerifier::matchesAddress(const std::string& s) const {
-    return s == domain;
+    return boost::iequals(s, domain);
 }
 
 }
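Review bot: The three `boost::iequals` calls rely on the default locale argument, which is a copy of the global C++ locale, so the result of a certificate identity check depends on whatever the host application installed with `std::locale::global`. Host names only need ASCII case folding, and passing the classic locale makes that explicit, e.g. `return boost::iequals(s, encodedDomain, std::locale::classic());`, with the same change in the wildcard branch and in `matchesAddress`. `matchesAddress` compares against `domain` rather than `encodedDomain`, so bytes outside ASCII may reach the comparison there and are best left unfolded. The patch adds no include for the Boost string-algorithm header; presumably the file already has one, which is worth confirming. `matchesDomain` starts above the hunk.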
diff --git a/Swiften/TLS/UnitTest/ServerIdentityVerifierTest.cpp b/Swiften/TLS/UnitTest/ServerIdentityVerifierTest.cpp
index 7379b69..47f3db2 100644
--- a/Swiften/TLS/UnitTest/ServerIdentityVerifierTest.cpp
+++ b/Swiften/TLS/UnitTest/ServerIdentityVerifierTest.cpp
@@ -60,6 +60,14 @@ class ServerIdentityVerifierTest : public CppUnit::TestFixture {
             CPPUNIT_ASSERT(testling.certificateVerifies(certificate));
         }
 
+        void testCertificateVerifies_WithMatchingDNSNameMixedCase() {
+            ServerIdentityVerifier testling(JID("foo@baR.com/baz"), idnConverter.get());
+            SimpleCertificate::ref certificate(new SimpleCertificate());
+            certificate->addDNSName("Bar.com");
+
+            CPPUNIT_ASSERT(testling.certificateVerifies(certificate));
+        }
+
         void testCertificateVerifies_WithSecondMatchingDNSName() {
             ServerIdentityVerifier testling(JID("foo@bar.com/baz"), idnConverter.get());
             SimpleCertificate::ref certificate(new SimpleCertificate());
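Review bot: `testCertificateVerifies_WithMatchingDNSNameMixedCase` is added to the class body, but no hunk in this patch touches the top of the fixture where CppUnit tests are normally registered, so the method may never run. If the class uses a `CPPUNIT_TEST_SUITE` block (not visible here), add `CPPUNIT_TEST(testCertificateVerifies_WithMatchingDNSNameMixedCase);` to it. The same applies to the three test methods added in the later hunks of this file.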
@@ -159,6 +167,14 @@ class ServerIdentityVerifierTest : public CppUnit::TestFixture {
             CPPUNIT_ASSERT(testling.certificateVerifies(certificate));
         }
 
+        void testCertificateVerifies_WithMatchingXmppAddrMixedCase() {
+            ServerIdentityVerifier testling(JID("foo@baR.com/baz"), idnConverter.get());
+            SimpleCertificate::ref certificate(new SimpleCertificate());
+            certificate->addXMPPAddress("bAr.com");
+
+            CPPUNIT_ASSERT(testling.certificateVerifies(certificate));
+        }
+
         void testCertificateVerifies_WithMatchingXmppAddrWithWildcard() {
             ServerIdentityVerifier testling(JID("foo@im.bar.com/baz"), idnConverter.get());
             SimpleCertificate::ref certificate(new SimpleCertificate());
@@ -167,6 +183,14 @@ class ServerIdentityVerifierTest : public CppUnit::TestFixture {
             CPPUNIT_ASSERT(!testling.certificateVerifies(certificate));
         }
 
+        void testCertificateVerifies_WithMatchingXmppAddrWithWildcardMixedCase() {
+            ServerIdentityVerifier testling(JID("foo@im.bAr.com/baz"), idnConverter.get());
+            SimpleCertificate::ref certificate(new SimpleCertificate());
+            certificate->addXMPPAddress("*.baR.com");
+
+            CPPUNIT_ASSERT(!testling.certificateVerifies(certificate));
+        }
+
         void testCertificateVerifies_WithMatchingInternationalXmppAddr() {
             ServerIdentityVerifier testling(JID("foo@tron\xc3\xa7.com/baz"), idnConverter.get());
             SimpleCertificate::ref certificate(new SimpleCertificate());
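Review bot: `testCertificateVerifies_WithMatchingXmppAddrWithWildcardMixedCase` asserts rejection, which held before the comparison became case-insensitive as well, so it guards against over-acceptance but does not exercise the change. The wildcard branch of `matchesDomain` (`boost::iequals(matchString, matchDomain)`) has no positive mixed-case test among the ones added here. A DNS-name wildcard test along the lines below would cover that flow; it would also need registering with the suite.

```cpp
void testCertificateVerifies_WithMatchingDNSNameWithWildcardMixedCase() {
    ServerIdentityVerifier testling(JID("foo@im.bAr.com/baz"), idnConverter.get());
    SimpleCertificate::ref certificate(new SimpleCertificate());
    certificate->addDNSName("*.baR.com");

    CPPUNIT_ASSERT(testling.certificateVerifies(certificate));
}
```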
@@ -175,6 +199,14 @@ class ServerIdentityVerifierTest : public CppUnit::TestFixture {
             CPPUNIT_ASSERT(testling.certificateVerifies(certificate));
         }
 
+        void testCertificateVerifies_WithMatchingInternationalXmppAddrMixedCase() {
+            ServerIdentityVerifier testling(JID("foo@tRon\xc3\xa7.com/baz"), idnConverter.get());
+            SimpleCertificate::ref certificate(new SimpleCertificate());
+            certificate->addXMPPAddress("trOn\xc3\xa7.com");
+
+            CPPUNIT_ASSERT(testling.certificateVerifies(certificate));
+        }
+
         void testCertificateVerifies_WithMatchingCNWithoutSAN() {
             ServerIdentityVerifier testling(JID("foo@bar.com/baz"), idnConverter.get());
             SimpleCertificate::ref certificate(new SimpleCertificate());
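Review bot: `testCertificateVerifies_WithMatchingInternationalXmppAddrMixedCase` varies only the ASCII letters; the `\xc3\xa7` bytes are identical in the JID and in the certificate entry. The test therefore does not show how a case difference in the non-ASCII character itself is handled, and the name suggests more coverage than it gives. A comment in the test body would make the scope clear, e.g. `// Only ASCII letters differ; case folding of non-ASCII characters is not exercised here.`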
-- 
cgit v0.10.2-6-g49f6