1 |
|
|
/* $OpenBSD: tls_verify.c,v 1.19 2017/04/10 17:11:13 jsing Exp $ */ |
2 |
|
|
/* |
3 |
|
|
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> |
4 |
|
|
* |
5 |
|
|
* Permission to use, copy, modify, and distribute this software for any |
6 |
|
|
* purpose with or without fee is hereby granted, provided that the above |
7 |
|
|
* copyright notice and this permission notice appear in all copies. |
8 |
|
|
* |
9 |
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
10 |
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
11 |
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
12 |
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
13 |
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
14 |
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
15 |
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
16 |
|
|
*/ |
17 |
|
|
|
18 |
|
|
#include <sys/socket.h> |
19 |
|
|
|
20 |
|
|
#include <arpa/inet.h> |
21 |
|
|
#include <netinet/in.h> |
22 |
|
|
|
23 |
|
|
#include <string.h> |
24 |
|
|
|
25 |
|
|
#include <openssl/x509v3.h> |
26 |
|
|
|
27 |
|
|
#include <tls.h> |
28 |
|
|
#include "tls_internal.h" |
29 |
|
|
|
30 |
|
|
static int |
31 |
|
|
tls_match_name(const char *cert_name, const char *name) |
32 |
|
|
{ |
33 |
|
|
const char *cert_domain, *domain, *next_dot; |
34 |
|
|
|
35 |
✓✓ |
150 |
if (strcasecmp(cert_name, name) == 0) |
36 |
|
15 |
return 0; |
37 |
|
|
|
38 |
|
|
/* Wildcard match? */ |
39 |
✓✓ |
60 |
if (cert_name[0] == '*') { |
40 |
|
|
/* |
41 |
|
|
* Valid wildcards: |
42 |
|
|
* - "*.domain.tld" |
43 |
|
|
* - "*.sub.domain.tld" |
44 |
|
|
* - etc. |
45 |
|
|
* Reject "*.tld". |
46 |
|
|
* No attempt to prevent the use of eg. "*.co.uk". |
47 |
|
|
*/ |
48 |
|
21 |
cert_domain = &cert_name[1]; |
49 |
|
|
/* Disallow "*" */ |
50 |
✓✓ |
21 |
if (cert_domain[0] == '\0') |
51 |
|
3 |
return -1; |
52 |
|
|
/* Disallow "*foo" */ |
53 |
✗✓ |
18 |
if (cert_domain[0] != '.') |
54 |
|
|
return -1; |
55 |
|
|
/* Disallow "*.." */ |
56 |
✗✓ |
18 |
if (cert_domain[1] == '.') |
57 |
|
|
return -1; |
58 |
|
18 |
next_dot = strchr(&cert_domain[1], '.'); |
59 |
|
|
/* Disallow "*.bar" */ |
60 |
✓✓ |
18 |
if (next_dot == NULL) |
61 |
|
9 |
return -1; |
62 |
|
|
/* Disallow "*.bar.." */ |
63 |
✗✓ |
9 |
if (next_dot[1] == '.') |
64 |
|
|
return -1; |
65 |
|
|
|
66 |
|
9 |
domain = strchr(name, '.'); |
67 |
|
|
|
68 |
|
|
/* No wildcard match against a name with no host part. */ |
69 |
✓✓ |
9 |
if (name[0] == '.') |
70 |
|
3 |
return -1; |
71 |
|
|
/* No wildcard match against a name with no domain part. */ |
72 |
✓✗✗✓
|
12 |
if (domain == NULL || strlen(domain) == 1) |
73 |
|
|
return -1; |
74 |
|
|
|
75 |
✓✗ |
6 |
if (strcasecmp(cert_domain, domain) == 0) |
76 |
|
6 |
return 0; |
77 |
|
|
} |
78 |
|
|
|
79 |
|
39 |
return -1; |
80 |
|
75 |
} |
81 |
|
|
|
82 |
|
|
/* |
83 |
|
|
* See RFC 5280 section 4.2.1.6 for SubjectAltName details. |
84 |
|
|
* alt_match is set to 1 if a matching alternate name is found. |
85 |
|
|
* alt_exists is set to 1 if any known alternate name exists in the certificate. |
86 |
|
|
*/ |
87 |
|
|
static int |
88 |
|
|
tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, |
89 |
|
|
int *alt_match, int *alt_exists) |
90 |
|
|
{ |
91 |
|
|
STACK_OF(GENERAL_NAME) *altname_stack = NULL; |
92 |
|
168 |
union tls_addr addrbuf; |
93 |
|
|
int addrlen, type; |
94 |
|
|
int count, i; |
95 |
|
|
int rv = 0; |
96 |
|
|
|
97 |
|
84 |
*alt_match = 0; |
98 |
|
84 |
*alt_exists = 0; |
99 |
|
|
|
100 |
|
84 |
altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name, |
101 |
|
|
NULL, NULL); |
102 |
✓✓ |
84 |
if (altname_stack == NULL) |
103 |
|
45 |
return 0; |
104 |
|
|
|
105 |
✓✓ |
39 |
if (inet_pton(AF_INET, name, &addrbuf) == 1) { |
106 |
|
|
type = GEN_IPADD; |
107 |
|
|
addrlen = 4; |
108 |
✓✓ |
39 |
} else if (inet_pton(AF_INET6, name, &addrbuf) == 1) { |
109 |
|
|
type = GEN_IPADD; |
110 |
|
|
addrlen = 16; |
111 |
|
3 |
} else { |
112 |
|
|
type = GEN_DNS; |
113 |
|
|
addrlen = 0; |
114 |
|
|
} |
115 |
|
|
|
116 |
|
39 |
count = sk_GENERAL_NAME_num(altname_stack); |
117 |
✓✓ |
156 |
for (i = 0; i < count; i++) { |
118 |
|
|
GENERAL_NAME *altname; |
119 |
|
|
|
120 |
|
66 |
altname = sk_GENERAL_NAME_value(altname_stack, i); |
121 |
|
|
|
122 |
✓✓✓✗
|
72 |
if (altname->type == GEN_DNS || altname->type == GEN_IPADD) |
123 |
|
66 |
*alt_exists = 1; |
124 |
|
|
|
125 |
✓✓ |
66 |
if (altname->type != type) |
126 |
|
12 |
continue; |
127 |
|
|
|
128 |
✓✓ |
54 |
if (type == GEN_DNS) { |
129 |
|
|
unsigned char *data; |
130 |
|
|
int format, len; |
131 |
|
|
|
132 |
|
48 |
format = ASN1_STRING_type(altname->d.dNSName); |
133 |
✓✗ |
48 |
if (format == V_ASN1_IA5STRING) { |
134 |
|
48 |
data = ASN1_STRING_data(altname->d.dNSName); |
135 |
|
48 |
len = ASN1_STRING_length(altname->d.dNSName); |
136 |
|
|
|
137 |
✓✗✓✓
|
96 |
if (len < 0 || (size_t)len != strlen(data)) { |
138 |
|
3 |
tls_set_errorx(ctx, |
139 |
|
|
"error verifying name '%s': " |
140 |
|
|
"NUL byte in subjectAltName, " |
141 |
|
|
"probably a malicious certificate", |
142 |
|
|
name); |
143 |
|
|
rv = -1; |
144 |
|
3 |
break; |
145 |
|
|
} |
146 |
|
|
|
147 |
|
|
/* |
148 |
|
|
* Per RFC 5280 section 4.2.1.6: |
149 |
|
|
* " " is a legal domain name, but that |
150 |
|
|
* dNSName must be rejected. |
151 |
|
|
*/ |
152 |
✓✓ |
45 |
if (strcmp(data, " ") == 0) { |
153 |
|
3 |
tls_set_errorx(ctx, |
154 |
|
|
"error verifying name '%s': " |
155 |
|
|
"a dNSName of \" \" must not be " |
156 |
|
|
"used", name); |
157 |
|
|
rv = -1; |
158 |
|
3 |
break; |
159 |
|
|
} |
160 |
|
|
|
161 |
✓✓ |
42 |
if (tls_match_name(data, name) == 0) { |
162 |
|
15 |
*alt_match = 1; |
163 |
|
15 |
break; |
164 |
|
|
} |
165 |
|
|
} else { |
166 |
|
|
#ifdef DEBUG |
167 |
|
|
fprintf(stdout, "%s: unhandled subjectAltName " |
168 |
|
|
"dNSName encoding (%d)\n", getprogname(), |
169 |
|
|
format); |
170 |
|
|
#endif |
171 |
|
|
} |
172 |
|
|
|
173 |
✓✓✓✗
|
33 |
} else if (type == GEN_IPADD) { |
174 |
|
|
unsigned char *data; |
175 |
|
|
int datalen; |
176 |
|
|
|
177 |
|
6 |
datalen = ASN1_STRING_length(altname->d.iPAddress); |
178 |
|
6 |
data = ASN1_STRING_data(altname->d.iPAddress); |
179 |
|
|
|
180 |
✗✓ |
6 |
if (datalen < 0) { |
181 |
|
|
tls_set_errorx(ctx, |
182 |
|
|
"Unexpected negative length for an " |
183 |
|
|
"IP address: %d", datalen); |
184 |
|
|
rv = -1; |
185 |
|
|
break; |
186 |
|
|
} |
187 |
|
|
|
188 |
|
|
/* |
189 |
|
|
* Per RFC 5280 section 4.2.1.6: |
190 |
|
|
* IPv4 must use 4 octets and IPv6 must use 16 octets. |
191 |
|
|
*/ |
192 |
✓✗✓✗
|
12 |
if (datalen == addrlen && |
193 |
|
6 |
memcmp(data, &addrbuf, addrlen) == 0) { |
194 |
|
6 |
*alt_match = 1; |
195 |
|
6 |
break; |
196 |
|
|
} |
197 |
|
|
} |
198 |
✓✓ |
27 |
} |
199 |
|
|
|
200 |
|
39 |
sk_GENERAL_NAME_pop_free(altname_stack, GENERAL_NAME_free); |
201 |
|
39 |
return rv; |
202 |
|
84 |
} |
203 |
|
|
|
204 |
|
|
static int |
205 |
|
|
tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, |
206 |
|
|
int *cn_match) |
207 |
|
|
{ |
208 |
|
|
X509_NAME *subject_name; |
209 |
|
|
char *common_name = NULL; |
210 |
|
90 |
union tls_addr addrbuf; |
211 |
|
|
int common_name_len; |
212 |
|
|
int rv = 0; |
213 |
|
|
|
214 |
|
45 |
*cn_match = 0; |
215 |
|
|
|
216 |
|
45 |
subject_name = X509_get_subject_name(cert); |
217 |
✓✗ |
45 |
if (subject_name == NULL) |
218 |
|
|
goto out; |
219 |
|
|
|
220 |
|
45 |
common_name_len = X509_NAME_get_text_by_NID(subject_name, |
221 |
|
|
NID_commonName, NULL, 0); |
222 |
✓✗ |
45 |
if (common_name_len < 0) |
223 |
|
|
goto out; |
224 |
|
|
|
225 |
|
45 |
common_name = calloc(common_name_len + 1, 1); |
226 |
✓✗ |
45 |
if (common_name == NULL) |
227 |
|
|
goto out; |
228 |
|
|
|
229 |
|
45 |
X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name, |
230 |
|
|
common_name_len + 1); |
231 |
|
|
|
232 |
|
|
/* NUL bytes in CN? */ |
233 |
✓✗✓✓
|
90 |
if (common_name_len < 0 || |
234 |
|
45 |
(size_t)common_name_len != strlen(common_name)) { |
235 |
|
3 |
tls_set_errorx(ctx, "error verifying name '%s': " |
236 |
|
|
"NUL byte in Common Name field, " |
237 |
|
|
"probably a malicious certificate", name); |
238 |
|
|
rv = -1; |
239 |
|
3 |
goto out; |
240 |
|
|
} |
241 |
|
|
|
242 |
|
|
/* |
243 |
|
|
* We don't want to attempt wildcard matching against IP addresses, |
244 |
|
|
* so perform a simple comparison here. |
245 |
|
|
*/ |
246 |
✓✓✓✓
|
78 |
if (inet_pton(AF_INET, name, &addrbuf) == 1 || |
247 |
|
36 |
inet_pton(AF_INET6, name, &addrbuf) == 1) { |
248 |
✓✓ |
9 |
if (strcmp(common_name, name) == 0) |
249 |
|
6 |
*cn_match = 1; |
250 |
|
|
goto out; |
251 |
|
|
} |
252 |
|
|
|
253 |
✓✓ |
33 |
if (tls_match_name(common_name, name) == 0) |
254 |
|
6 |
*cn_match = 1; |
255 |
|
|
|
256 |
|
|
out: |
257 |
|
45 |
free(common_name); |
258 |
|
45 |
return rv; |
259 |
|
45 |
} |
260 |
|
|
|
261 |
|
|
int |
262 |
|
|
tls_check_name(struct tls *ctx, X509 *cert, const char *name, int *match) |
263 |
|
|
{ |
264 |
|
168 |
int alt_exists; |
265 |
|
|
|
266 |
|
84 |
*match = 0; |
267 |
|
|
|
268 |
✓✓ |
168 |
if (tls_check_subject_altname(ctx, cert, name, match, |
269 |
|
84 |
&alt_exists) == -1) |
270 |
|
6 |
return -1; |
271 |
|
|
|
272 |
|
|
/* |
273 |
|
|
* As per RFC 6125 section 6.4.4, if any known alternate name existed |
274 |
|
|
* in the certificate, we do not attempt to match on the CN. |
275 |
|
|
*/ |
276 |
✓✓ |
78 |
if (*match || alt_exists) |
277 |
|
33 |
return 0; |
278 |
|
|
|
279 |
|
45 |
return tls_check_common_name(ctx, cert, name, match); |
280 |
|
84 |
} |