generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Set optional peername when X509_check_host() succeeds.

Browse Source 
Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host().
Document modified interface.
This commit is contained in:
Viktor Dukhovni 2014-07-06 01:47:29 +10:00
parent 6e661d458f
commit ced3d9158a
6 changed files with 49 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
apps/apps.c
View File

@ -2969,7 +2969,8 @@ void print_cert_checks(BIO *bio, X509 *x,
if (checkhost) if (checkhost)
{ {
BIO_printf(bio, "Hostname %s does%s match certificate\n", BIO_printf(bio, "Hostname %s does%s match certificate\n",
checkhost, X509_check_host(x, checkhost, 0, 0) checkhost,
X509_check_host(x, checkhost, 0, 0, NULL)
? "" : " NOT"); ? "" : " NOT");
} }

3
crypto/x509/x509_vfy.c
View File

@ -752,7 +752,8 @@ static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
for (i = 0; i < n; ++i) for (i = 0; i < n; ++i)
{ {
name = (unsigned char *)sk_OPENSSL_STRING_value(id->hosts, i); name = (unsigned char *)sk_OPENSSL_STRING_value(id->hosts, i);
if (X509_check_host(x, name, 0, id->hostflags) > 0) if (X509_check_host(x, name, 0, id->hostflags,
&id->peername) > 0)
return 1; return 1;
} }
return n == 0; return n == 0;

54
crypto/x509v3/v3_utl.c
View File

@ -853,8 +853,11 @@ static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal, static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
unsigned int flags, unsigned int flags,
const unsigned char *b, size_t blen) const unsigned char *b, size_t blen,
char **peername)
{ {
int rv = 0;
if (!a->data || !a->length) if (!a->data || !a->length)
return 0; return 0;
if (cmp_type > 0) if (cmp_type > 0)
@ -862,27 +865,30 @@ static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
if (cmp_type != a->type) if (cmp_type != a->type)
return 0; return 0;
if (cmp_type == V_ASN1_IA5STRING) if (cmp_type == V_ASN1_IA5STRING)
return equal(a->data, a->length, b, blen, flags); rv = equal(a->data, a->length, b, blen, flags);
if (a->length == (int)blen && !memcmp(a->data, b, blen)) else if (a->length == (int)blen && !memcmp(a->data, b, blen))
return 1; rv = 1;
else if (rv > 0 && peername)
return 0; *peername = BUF_strndup((char *)a->data, a->length);
} }
else else
{ {
int astrlen, rv; int astrlen;
unsigned char *astr; unsigned char *astr;
astrlen = ASN1_STRING_to_UTF8(&astr, a); astrlen = ASN1_STRING_to_UTF8(&astr, a);
if (astrlen < 0) if (astrlen < 0)
return -1; return -1;
rv = equal(astr, astrlen, b, blen, flags); rv = equal(astr, astrlen, b, blen, flags);
OPENSSL_free(astr); OPENSSL_free(astr);
return rv; if (rv > 0 && peername)
*peername = BUF_strndup((char *)astr, astrlen);
} }
return rv;
} }
static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen, static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
unsigned int flags, int check_type) unsigned int flags, int check_type,
char **peername)
{ {
GENERAL_NAMES *gens = NULL; GENERAL_NAMES *gens = NULL;
X509_NAME *name = NULL; X509_NAME *name = NULL;
@ -890,6 +896,7 @@ static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
int cnid; int cnid;
int alt_type; int alt_type;
int san_present = 0; int san_present = 0;
int rv = 0;
equal_fn equal; equal_fn equal;
/* See below, this flag is internal-only */ /* See below, this flag is internal-only */
@ -925,7 +932,6 @@ static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
if (gens) if (gens)
{ {
int rv = 0;
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
{ {
GENERAL_NAME *gen; GENERAL_NAME *gen;
@ -940,16 +946,14 @@ static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
cstr = gen->d.dNSName; cstr = gen->d.dNSName;
else else
cstr = gen->d.iPAddress; cstr = gen->d.iPAddress;
if (do_check_string(cstr, alt_type, equal, flags, /* Positive on success, negative on error! */
chk, chklen)) if ((rv = do_check_string(cstr, alt_type, equal, flags,
{ chk, chklen, peername)) != 0)
rv = 1;
break; break;
}
} }
GENERAL_NAMES_free(gens); GENERAL_NAMES_free(gens);
if (rv) if (rv != 0)
return 1; return rv;
if (!cnid if (!cnid
|| (san_present || (san_present
&& !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))) && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
@ -963,14 +967,16 @@ static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
ASN1_STRING *str; ASN1_STRING *str;
ne = X509_NAME_get_entry(name, i); ne = X509_NAME_get_entry(name, i);
str = X509_NAME_ENTRY_get_data(ne); str = X509_NAME_ENTRY_get_data(ne);
if (do_check_string(str, -1, equal, flags, chk, chklen)) /* Positive on success, negative on error! */
return 1; if ((rv = do_check_string(str, -1, equal, flags,
chk, chklen, peername)) != 0)
return rv;
} }
return 0; return 0;
} }
int X509_check_host(X509 *x, const unsigned char *chk, size_t chklen, int X509_check_host(X509 *x, const unsigned char *chk, size_t chklen,
unsigned int flags) unsigned int flags, char **peername)
{ {
if (chk == NULL) if (chk == NULL)
return -2; return -2;
@ -985,7 +991,7 @@ int X509_check_host(X509 *x, const unsigned char *chk, size_t chklen,
return -2; return -2;
if (chklen > 1 && chk[chklen-1] == '\0') if (chklen > 1 && chk[chklen-1] == '\0')
--chklen; --chklen;
return do_x509_check(x, chk, chklen, flags, GEN_DNS); return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
} }
int X509_check_email(X509 *x, const unsigned char *chk, size_t chklen, int X509_check_email(X509 *x, const unsigned char *chk, size_t chklen,
@ -1004,7 +1010,7 @@ int X509_check_email(X509 *x, const unsigned char *chk, size_t chklen,
return -2; return -2;
if (chklen > 1 && chk[chklen-1] == '\0') if (chklen > 1 && chk[chklen-1] == '\0')
--chklen; --chklen;
return do_x509_check(x, chk, chklen, flags, GEN_EMAIL); return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
} }
int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen, int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
@ -1012,7 +1018,7 @@ int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
{ {
if (chk == NULL) if (chk == NULL)
return -2; return -2;
return do_x509_check(x, chk, chklen, flags, GEN_IPADD); return do_x509_check(x, chk, chklen, flags, GEN_IPADD, NULL);
} }
int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags) int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags)
@ -1024,7 +1030,7 @@ int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags)
iplen = a2i_ipadd(ipout, ipasc); iplen = a2i_ipadd(ipout, ipasc);
if (iplen == 0) if (iplen == 0)
return -2; return -2;
return do_x509_check(x, ipout, (size_t)iplen, flags, GEN_IPADD); return do_x509_check(x, ipout, (size_t)iplen, flags, GEN_IPADD, NULL);
} }
/* Convert IP addresses both IPv4 and IPv6 into an /* Convert IP addresses both IPv4 and IPv6 into an

5
crypto/x509v3/v3nametest.c
View File

@ -276,7 +276,7 @@ static void run_cert(X509 *crt, const char *nameincert,
memcpy(name, *pname, namelen); memcpy(name, *pname, namelen);
ret = X509_check_host(crt, (const unsigned char *)name, ret = X509_check_host(crt, (const unsigned char *)name,
namelen, 0); namelen, 0, NULL);
match = -1; match = -1;
if (ret < 0) if (ret < 0)
{ {
@ -295,7 +295,8 @@ static void run_cert(X509 *crt, const char *nameincert,
check_message(fn, "host", nameincert, match, *pname); check_message(fn, "host", nameincert, match, *pname);
ret = X509_check_host(crt, (const unsigned char *)name, ret = X509_check_host(crt, (const unsigned char *)name,
namelen, X509_CHECK_FLAG_NO_WILDCARDS); namelen, X509_CHECK_FLAG_NO_WILDCARDS,
NULL);
match = -1; match = -1;
if (ret < 0) if (ret < 0)
{ {

2
crypto/x509v3/x509v3.h
View File

@ -720,7 +720,7 @@ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
#define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000 #define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
int X509_check_host(X509 *x, const unsigned char *chk, size_t chklen, int X509_check_host(X509 *x, const unsigned char *chk, size_t chklen,
unsigned int flags); unsigned int flags, char **peername);
int X509_check_email(X509 *x, const unsigned char *chk, size_t chklen, int X509_check_email(X509 *x, const unsigned char *chk, size_t chklen,
unsigned int flags); unsigned int flags);
int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen, int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,

17
doc/crypto/X509_check_host.pod
View File

@ -9,7 +9,7 @@ X509_check_host, X509_check_email, X509_check_ip, X509_check_ip_asc - X.509 cert
#include <openssl/x509.h> #include <openssl/x509.h>
int X509_check_host(X509 *, const unsigned char *name, int X509_check_host(X509 *, const unsigned char *name,
size_t namelen, unsigned int flags); size_t namelen, unsigned int flags, char **peername);
int X509_check_email(X509 *, const unsigned char *address, int X509_check_email(X509 *, const unsigned char *address,
size_t addresslen, unsigned int flags); size_t addresslen, unsigned int flags);
int X509_check_ip(X509 *, const unsigned char *address, int X509_check_ip(X509 *, const unsigned char *address,
@ -32,11 +32,16 @@ characters in the name string or zero in which case the length is
calculated with strlen(name). When B<name> starts with a dot (e.g calculated with strlen(name). When B<name> starts with a dot (e.g
".example.com"), it will be matched by a certificate valid for any ".example.com"), it will be matched by a certificate valid for any
sub-domain of B<name>, (see also B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS> sub-domain of B<name>, (see also B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS>
below). Applications are strongly advised to use below). When the certificate is matched and B<peername> is not
X509_VERIFY_PARAM_set1_host() in preference to explicitly calling NULL a pointer to a copy of the matching hostname or CommonName
L<X509_check_host(3)>, hostname checks are out of scope with the from the peer certificate is stored at the address passed in
DANE-EE(3) certificate usage, and the internal check will be B<peername>. The application is responsible for freeing the peername
suppressed as appropriate when DANE support is added to OpenSSL. via OPENSSL_free() when it is no longer needed. Applications are
advised to use X509_VERIFY_PARAM_set1_host() in preference to
explicitly calling L<X509_check_host(3)>, hostname checks are out
of scope with the DANE-EE(3) certificate usage, and the internal
check will be suppressed as appropriate when DANE support is added
to OpenSSL.
X509_check_email() checks if the certificate matches the specified X509_check_email() checks if the certificate matches the specified
email address. Only the mailbox syntax of RFC 822 is supported, email address. Only the mailbox syntax of RFC 822 is supported,