x509: IP in SAN: integration tests with SSL/TLS
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index ff5f389..57fb6fd 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1633,12 +1633,14 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
- * \brief Set hostname for ServerName TLS extension
- * (client-side only)
- *
+ * \brief Set hostname for ServerName TLS extension and verification
+ * of the server's certificate (client-side only)
*
* \param ssl SSL context
* \param hostname the server hostname
+ * Usually a DNS hostname, but other options are available,
+ * see the \c exp_name parameter of \c
+ * mbedtls_x509_crt_verify_with_profile()
*
* \return 0 if successful or MBEDTLS_ERR_SSL_ALLOC_FAILED
*/
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index c0b6f94..1306828 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1691,6 +1691,52 @@
-C "! mbedtls_ssl_handshake returned" \
-S "X509 - Certificate verification failed"
+# tests for IP adresses in subjectAlternativeName
+
+requires_config_enabled MBEDTLS_X509_SAN_IP_ADDRESS_SUPPORT
+run_test "IP address in SAN: IPv4, good" \
+ "$P_SRV crt_file=data_files/server5-san-ip.crt \
+ key_file=data_files/server5.key" \
+ "$P_CLI debug_level=1 auth_mode=required server_name=IP:127.0.0.1" \
+ 0 \
+ -C "x509_verify_cert() returned" \
+ -C "! The certificate Common Name (CN) or subjectAltName (SAN) does not match with the expected name" \
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed"
+
+requires_config_enabled MBEDTLS_X509_SAN_IP_ADDRESS_SUPPORT
+run_test "IP address in SAN: IPv4, bad" \
+ "$P_SRV crt_file=data_files/server5-san-ip.crt \
+ key_file=data_files/server5.key" \
+ "$P_CLI debug_level=1 auth_mode=required server_name=IP:127.0.0.2" \
+ 1 \
+ -c "x509_verify_cert() returned" \
+ -c "! The certificate Common Name (CN) or subjectAltName (SAN) does not match with the expected name" \
+ -c "! mbedtls_ssl_handshake returned" \
+ -c "X509 - Certificate verification failed"
+
+requires_config_enabled MBEDTLS_X509_SAN_IP_ADDRESS_SUPPORT
+run_test "IP address in SAN: IPv6, good" \
+ "$P_SRV crt_file=data_files/server5-san-ip.crt \
+ key_file=data_files/server5.key" \
+ "$P_CLI debug_level=1 auth_mode=required server_name=IP:fe80:0000:0000:0000:0000:0000:0000:0001" \
+ 0 \
+ -C "x509_verify_cert() returned" \
+ -C "! The certificate Common Name (CN) or subjectAltName (SAN) does not match with the expected name" \
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed"
+
+requires_config_enabled MBEDTLS_X509_SAN_IP_ADDRESS_SUPPORT
+run_test "IP address in SAN: IPv6, bad" \
+ "$P_SRV crt_file=data_files/server5-san-ip.crt \
+ key_file=data_files/server5.key" \
+ "$P_CLI debug_level=1 auth_mode=required server_name=IP:fe80:0000:0000:0000:0000:0000:0000:0002" \
+ 1 \
+ -c "x509_verify_cert() returned" \
+ -c "! The certificate Common Name (CN) or subjectAltName (SAN) does not match with the expected name" \
+ -c "! mbedtls_ssl_handshake returned" \
+ -c "X509 - Certificate verification failed"
+
# Tests for certificate selection based on SHA verson
run_test "Certificate hash: client TLS 1.2 -> SHA-2" \