From d87530f0ee5d3f7449a67239d6187340570dd2d3 Mon Sep 17 00:00:00 2001
From: Patrick McDermott
Date: Tue, 30 Jul 2019 02:41:51 -0400
Subject: s_client: Verify host

wolfSSL doesn't do this automatically?!
---
diff --git a/src/s_client.c b/src/s_client.c
index 683f08b..51f0adb 100644
--- a/src/s_client.c
+++ b/src/s_client.c
@@ -283,6 +283,11 @@ s_client(int argc, char **argv)
 	WOLFSSL_CTX *ctx;
 	WOLFSSL *ssl;
 	int sfd;
+	int err;
+	char buf[WOLFSSL_MAX_ERROR_SZ];
+#ifdef OPENSSL_EXTRA
+	WOLFSSL_X509 *cert;
+#endif
 
 	for (; argc > 0; --argc, ++argv) {
 		if (strcmp(*argv, "-quiet") == 0) {
@@ -365,6 +370,29 @@ s_client(int argc, char **argv)
 	}
 	wolfSSL_set_fd(ssl, sfd);
 
+	if ((err = wolfSSL_connect(ssl)) != WOLFSSL_SUCCESS) {
+		err = wolfSSL_get_error(ssl, err);
+		wolfSSL_ERR_error_string(err, buf);
+		fprintf(stderr, "Handshake error: %s\n", buf);
+		ret = EXIT_FAILURE;
+		goto ssl_free;
+	}
+
+#ifdef OPENSSL_EXTRA
+	cert = wolfSSL_get_peer_certificate(ssl);
+	if (cert == NULL) {
+		fputs("Failed to get certificate\n", stderr);
+		ret = EXIT_FAILURE;
+		goto ssl_free;
+	}
+	if (wolfSSL_X509_check_host(cert, host, strlen(host), 0, NULL) !=
+	    WOLFSSL_SUCCESS) {
+		fputs("Domain name mismatch\n", stderr);
+		ret = EXIT_FAILURE;
+		goto ssl_free;
+	}
+#endif /* OPENSSL_EXTRA */
+
 	if (poll_fds(sfd, ssl) == false) {
 		ret = EXIT_FAILURE;
 	}
diff --git a/tests/badssl.sh b/tests/badssl.sh
index dd4db14..6b9a332 100755
--- a/tests/badssl.sh
+++ b/tests/badssl.sh
@@ -53,7 +53,7 @@ plan_ 39
 
 # Certificate
 do_test '' 'not' 'expired' 443
-do_test 'TODO' 'not' 'wrong.host' 443
+do_test '' 'not' 'wrong.host' 443
 do_test '' 'not' 'self-signed' 443
 do_test '' 'not' 'untrusted-root' 443
 do_test '' 'not' 'revoked' 443
--
cgit v0.9.1
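Review bot: The hostname check in the second hunk of src/s_client.c is compiled only under OPENSSL_EXTRA, so a build without that define completes the handshake and goes on to poll_fds() with no name verification at all and nothing tells the user; the wrong.host expectation changed in tests/badssl.sh would then fail for the same reason. wolfSSL's base API can bind the expected name to the session before the handshake with `wolfSSL_check_domain_name(ssl, host);` placed ahead of the wolfSSL_connect() call, which makes a mismatch surface as a handshake error on every build (confirm that the installed version matches subjectAltNames the way the test expects); failing that, an `#else` branch with `#error "hostname verification requires OPENSSL_EXTRA"` at least prevents a silently weaker client from being built. Two smaller points in the same block: if host can be an IP literal, wolfSSL_X509_check_host() will not match an IP subjectAltName, and whether the WOLFSSL_X509 returned by wolfSSL_get_peer_certificate() must be released with wolfSSL_X509_free() depends on the wolfSSL version, so that should be checked on both the success path and the goto ssl_free paths. s_client() itself, the host and ret variables and the ssl_free label all lie outside the hunk.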