|
Packit |
549fdc |
/*
|
|
Packit |
549fdc |
* Copyright (C) 2003-2016 Free Software Foundation, Inc.
|
|
Packit |
549fdc |
* Copyright (C) 2015-2016 Red Hat, Inc.
|
|
Packit |
549fdc |
* Copyright (C) 2002 Andrew McDonald
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* This file is part of GnuTLS.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* The GnuTLS is free software; you can redistribute it and/or
|
|
Packit |
549fdc |
* modify it under the terms of the GNU Lesser General Public License
|
|
Packit |
549fdc |
* as published by the Free Software Foundation; either version 2.1 of
|
|
Packit |
549fdc |
* the License, or (at your option) any later version.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* This library is distributed in the hope that it will be useful, but
|
|
Packit |
549fdc |
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit |
549fdc |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Packit |
549fdc |
* Lesser General Public License for more details.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* You should have received a copy of the GNU Lesser General Public License
|
|
Packit |
549fdc |
* along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#include "gnutls_int.h"
|
|
Packit |
549fdc |
#include <str.h>
|
|
Packit |
549fdc |
#include <x509_int.h>
|
|
Packit |
549fdc |
#include <common.h>
|
|
Packit |
549fdc |
#include "errors.h"
|
|
Packit |
549fdc |
#include <system.h>
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/**
|
|
Packit |
549fdc |
* gnutls_x509_crt_check_hostname:
|
|
Packit |
549fdc |
* @cert: should contain an gnutls_x509_crt_t type
|
|
Packit |
549fdc |
* @hostname: A null terminated string that contains a DNS name
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* This function will check if the given certificate's subject matches
|
|
Packit |
549fdc |
* the given hostname. This is a basic implementation of the matching
|
|
Packit |
549fdc |
* described in RFC6125, and takes into account wildcards,
|
|
Packit |
549fdc |
* and the DNSName/IPAddress subject alternative name PKIX extension.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* For details see also gnutls_x509_crt_check_hostname2().
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* Returns: non-zero for a successful match, and zero on failure.
|
|
Packit |
549fdc |
**/
|
|
Packit |
549fdc |
unsigned
|
|
Packit |
549fdc |
gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert,
|
|
Packit |
549fdc |
const char *hostname)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
return gnutls_x509_crt_check_hostname2(cert, hostname, 0);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static int
|
|
Packit |
549fdc |
check_ip(gnutls_x509_crt_t cert, const void *ip, unsigned ip_size)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
char temp[16];
|
|
Packit |
549fdc |
size_t temp_size;
|
|
Packit |
549fdc |
unsigned i;
|
|
Packit |
549fdc |
int ret = 0;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* try matching against:
|
|
Packit |
549fdc |
* 1) a IPaddress alternative name (subjectAltName) extension
|
|
Packit |
549fdc |
* in the certificate
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Check through all included subjectAltName extensions, comparing
|
|
Packit |
549fdc |
* against all those of type IPAddress.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
for (i = 0; !(ret < 0); i++) {
|
|
Packit |
549fdc |
temp_size = sizeof(temp);
|
|
Packit |
549fdc |
ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
|
|
Packit |
549fdc |
temp,
|
|
Packit |
549fdc |
&temp_size,
|
|
Packit |
549fdc |
NULL);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (ret == GNUTLS_SAN_IPADDRESS) {
|
|
Packit |
549fdc |
if (temp_size == ip_size && memcmp(temp, ip, ip_size) == 0)
|
|
Packit |
549fdc |
return 1;
|
|
Packit |
549fdc |
} else if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
|
|
Packit |
549fdc |
ret = 0;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* not found a matching IP
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static int has_embedded_null(const char *str, unsigned size)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
if (strlen(str) != size)
|
|
Packit |
549fdc |
return 1;
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/**
|
|
Packit |
549fdc |
* gnutls_x509_crt_check_ip:
|
|
Packit |
549fdc |
* @cert: should contain an gnutls_x509_crt_t type
|
|
Packit |
549fdc |
* @ip: A pointer to the raw IP address
|
|
Packit |
549fdc |
* @ip_size: the number of bytes in ip (4 or 16)
|
|
Packit |
549fdc |
* @flags: should be zero
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* This function will check if the IP allowed IP addresses in
|
|
Packit |
549fdc |
* the certificate's subject alternative name match the provided
|
|
Packit |
549fdc |
* IP address.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* Returns: non-zero for a successful match, and zero on failure.
|
|
Packit |
549fdc |
**/
|
|
Packit |
549fdc |
unsigned
|
|
Packit |
549fdc |
gnutls_x509_crt_check_ip(gnutls_x509_crt_t cert,
|
|
Packit |
549fdc |
const unsigned char *ip, unsigned int ip_size,
|
|
Packit |
549fdc |
unsigned int flags)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
return check_ip(cert, ip, ip_size);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* whether gnutls_x509_crt_check_hostname2() will consider these
|
|
Packit |
549fdc |
* alternative name types. This is to satisfy RFC6125 requirement
|
|
Packit |
549fdc |
* that we do not fallback to CN-ID if we encounter a supported name
|
|
Packit |
549fdc |
* type.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
#define IS_SAN_SUPPORTED(san) (san==GNUTLS_SAN_DNSNAME||san==GNUTLS_SAN_IPADDRESS)
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/**
|
|
Packit |
549fdc |
* gnutls_x509_crt_check_hostname2:
|
|
Packit |
549fdc |
* @cert: should contain an gnutls_x509_crt_t type
|
|
Packit |
549fdc |
* @hostname: A null terminated string that contains a DNS name
|
|
Packit |
549fdc |
* @flags: gnutls_certificate_verify_flags
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* This function will check if the given certificate's subject matches
|
|
Packit |
549fdc |
* the given hostname. This is a basic implementation of the matching
|
|
Packit |
549fdc |
* described in RFC6125, and takes into account wildcards,
|
|
Packit |
549fdc |
* and the DNSName/IPAddress subject alternative name PKIX extension.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* IPv4 addresses are accepted by this function in the dotted-decimal
|
|
Packit |
549fdc |
* format (e.g, ddd.ddd.ddd.ddd), and IPv6 addresses in the hexadecimal
|
|
Packit |
549fdc |
* x:x:x:x:x:x:x:x format. For them the IPAddress subject alternative
|
|
Packit |
549fdc |
* name extension is consulted. Previous versions to 3.6.0 of GnuTLS
|
|
Packit |
549fdc |
* in case of a non-match would consult (in a non-standard extension)
|
|
Packit |
549fdc |
* the DNSname and CN fields. This is no longer the case.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* When the flag %GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS is specified no
|
|
Packit |
549fdc |
* wildcards are considered. Otherwise they are only considered if the
|
|
Packit |
549fdc |
* domain name consists of three components or more, and the wildcard
|
|
Packit |
549fdc |
* starts at the leftmost position.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
* When the flag %GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES is specified,
|
|
Packit |
549fdc |
* the input will be treated as a DNS name, and matching of textual IP addresses
|
|
Packit |
549fdc |
* against the IPAddress part of the alternative name will not be allowed.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* The function gnutls_x509_crt_check_ip() is available for matching
|
|
Packit |
549fdc |
* IP addresses.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* Returns: non-zero for a successful match, and zero on failure.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* Since: 3.3.0
|
|
Packit |
549fdc |
**/
|
|
Packit |
549fdc |
unsigned
|
|
Packit |
549fdc |
gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
|
|
Packit |
549fdc |
const char *hostname, unsigned int flags)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
char dnsname[MAX_CN];
|
|
Packit |
549fdc |
size_t dnsnamesize;
|
|
Packit |
549fdc |
int found_dnsname = 0;
|
|
Packit |
549fdc |
int ret = 0;
|
|
Packit |
549fdc |
int i = 0;
|
|
Packit |
549fdc |
struct in_addr ipv4;
|
|
Packit |
549fdc |
char *p = NULL;
|
|
Packit |
549fdc |
char *a_hostname;
|
|
Packit |
549fdc |
unsigned have_other_addresses = 0;
|
|
Packit |
549fdc |
gnutls_datum_t out;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* check whether @hostname is an ip address */
|
|
Packit |
549fdc |
if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES) &&
|
|
Packit |
549fdc |
((p=strchr(hostname, ':')) != NULL || inet_aton(hostname, &ipv4) != 0)) {
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (p != NULL) {
|
|
Packit |
549fdc |
struct in6_addr ipv6;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = inet_pton(AF_INET6, hostname, &ipv6);
|
|
Packit |
549fdc |
if (ret == 0) {
|
|
Packit |
549fdc |
gnutls_assert();
|
|
Packit |
549fdc |
goto hostname_fallback;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
ret = check_ip(cert, &ipv6, 16);
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
ret = check_ip(cert, &ipv4, 4);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Prior to 3.6.0 we were accepting misconfigured servers, that place their IP
|
|
Packit |
549fdc |
* in the DNS field of subjectAlternativeName. That is no longer the case. */
|
|
Packit |
549fdc |
return ret;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
hostname_fallback:
|
|
Packit |
549fdc |
/* convert the provided hostname to ACE-Labels domain. */
|
|
Packit |
549fdc |
ret = gnutls_idna_map (hostname, strlen(hostname), &out, 0);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
_gnutls_debug_log("unable to convert hostname %s to IDNA format\n", hostname);
|
|
Packit |
549fdc |
a_hostname = (char*)hostname;
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
a_hostname = (char*)out.data;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* try matching against:
|
|
Packit |
549fdc |
* 1) a DNS name as an alternative name (subjectAltName) extension
|
|
Packit |
549fdc |
* in the certificate
|
|
Packit |
549fdc |
* 2) the common name (CN) in the certificate, if the certificate is acceptable for TLS_WWW_SERVER purpose
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* either of these may be of the form: *.domain.tld
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* only try (2) if there is no subjectAltName extension of
|
|
Packit |
549fdc |
* type dNSName, and there is a single CN.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Check through all included subjectAltName extensions, comparing
|
|
Packit |
549fdc |
* against all those of type dNSName.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
for (i = 0; !(ret < 0); i++) {
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
dnsnamesize = sizeof(dnsname);
|
|
Packit |
549fdc |
ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
|
|
Packit |
549fdc |
dnsname,
|
|
Packit |
549fdc |
&dnsnamesize,
|
|
Packit |
549fdc |
NULL);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (ret == GNUTLS_SAN_DNSNAME) {
|
|
Packit |
549fdc |
found_dnsname = 1;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (has_embedded_null(dnsname, dnsnamesize)) {
|
|
Packit |
549fdc |
_gnutls_debug_log("certificate has %s with embedded null in name\n", dnsname);
|
|
Packit |
549fdc |
continue;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (!_gnutls_str_is_print(dnsname, dnsnamesize)) {
|
|
Packit |
549fdc |
_gnutls_debug_log("invalid (non-ASCII) name in certificate %.*s\n", (int)dnsnamesize, dnsname);
|
|
Packit |
549fdc |
continue;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = _gnutls_hostname_compare(dnsname, dnsnamesize, a_hostname, flags);
|
|
Packit |
549fdc |
if (ret != 0) {
|
|
Packit |
549fdc |
ret = 1;
|
|
Packit |
549fdc |
goto cleanup;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
if (IS_SAN_SUPPORTED(ret))
|
|
Packit |
549fdc |
have_other_addresses = 1;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (!have_other_addresses && !found_dnsname && _gnutls_check_key_purpose(cert, GNUTLS_KP_TLS_WWW_SERVER, 0) != 0) {
|
|
Packit |
549fdc |
/* did not get the necessary extension, use CN instead, if the
|
|
Packit |
549fdc |
* certificate would have been acceptable for a TLS WWW server purpose.
|
|
Packit |
549fdc |
* That is because only for that purpose the CN is a valid field to
|
|
Packit |
549fdc |
* store the hostname.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* enforce the RFC6125 (ยง1.8) requirement that only
|
|
Packit |
549fdc |
* a single CN must be present */
|
|
Packit |
549fdc |
dnsnamesize = sizeof(dnsname);
|
|
Packit |
549fdc |
ret = gnutls_x509_crt_get_dn_by_oid
|
|
Packit |
549fdc |
(cert, OID_X520_COMMON_NAME, 1, 0, dnsname,
|
|
Packit |
549fdc |
&dnsnamesize);
|
|
Packit |
549fdc |
if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
|
|
Packit |
549fdc |
ret = 0;
|
|
Packit |
549fdc |
goto cleanup;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
dnsnamesize = sizeof(dnsname);
|
|
Packit |
549fdc |
ret = gnutls_x509_crt_get_dn_by_oid
|
|
Packit |
549fdc |
(cert, OID_X520_COMMON_NAME, 0, 0, dnsname,
|
|
Packit |
549fdc |
&dnsnamesize);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
ret = 0;
|
|
Packit |
549fdc |
goto cleanup;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (has_embedded_null(dnsname, dnsnamesize)) {
|
|
Packit |
549fdc |
_gnutls_debug_log("certificate has CN %s with embedded null in name\n", dnsname);
|
|
Packit |
549fdc |
ret = 0;
|
|
Packit |
549fdc |
goto cleanup;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (!_gnutls_str_is_print(dnsname, dnsnamesize)) {
|
|
Packit |
549fdc |
_gnutls_debug_log("invalid (non-ASCII) name in certificate CN %.*s\n", (int)dnsnamesize, dnsname);
|
|
Packit |
549fdc |
ret = 0;
|
|
Packit |
549fdc |
goto cleanup;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = _gnutls_hostname_compare(dnsname, dnsnamesize, a_hostname, flags);
|
|
Packit |
549fdc |
if (ret != 0) {
|
|
Packit |
549fdc |
ret = 1;
|
|
Packit |
549fdc |
goto cleanup;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* not found a matching name
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
ret = 0;
|
|
Packit |
549fdc |
cleanup:
|
|
Packit |
549fdc |
if (a_hostname != hostname) {
|
|
Packit |
549fdc |
gnutls_free(a_hostname);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
return ret;
|
|
Packit |
549fdc |
}
|