unrealircd- supernets unrealircd source & configuration |
git clone git://git.acid.vegas/unrealircd.git |
Log | Files | Refs | Archive | README | LICENSE |
openssl_hostname_validation.c (14062B)
1 /* This file contains both code from cURL and hostname 2 * validation code from the ssl conservatory (in that order). 3 * 4 * The goal is that all this code won't be needed anymore once 5 * everyone is running a recent OpenSSL/LibreSSL that has 6 * X509_check_host(). Until that time, unfortunately, we need 7 * these 400+ lines to do just that... -- Syzop, Sep/2017 8 */ 9 10 // Get rid of OSX 10.7 and greater deprecation warnings. 11 #if defined(__APPLE__) && defined(__clang__) 12 #pragma clang diagnostic ignored "-Wdeprecated-declarations" 13 #endif 14 15 #include <openssl/x509v3.h> 16 #include <openssl/ssl.h> 17 #include <string.h> 18 19 #include "openssl_hostname_validation.h" 20 21 #define HOSTNAME_MAX_SIZE 255 22 23 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) 24 #define ASN1_STRING_get0_data ASN1_STRING_data 25 #endif 26 27 /*************************************************************************** 28 * _ _ ____ _ 29 * Project ___| | | | _ \| | 30 * / __| | | | |_) | | 31 * | (__| |_| | _ <| |___ 32 * \___|\___/|_| \_\_____| 33 * 34 * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. 35 * 36 * This software is licensed as described in the file COPYING, which 37 * you should have received as part of this distribution. The terms 38 * are also available at http://curl.haxx.se/docs/copyright.html. 39 * 40 * You may opt to use, copy, modify, merge, publish, distribute and/or sell 41 * copies of the Software, and permit persons to whom the Software is 42 * furnished to do so, under the terms of the COPYING file. 43 * 44 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 45 * KIND, either express or implied. 46 * 47 ***************************************************************************/ 48 49 /* This file is an amalgamation of hostcheck.c and most of rawstr.c 50 from cURL. The contents of the COPYING file mentioned above are: 51 52 COPYRIGHT AND PERMISSION NOTICE 53 54 Copyright (c) 1996 - 2013, Daniel Stenberg, <daniel@haxx.se>. 55 56 All rights reserved. 57 58 Permission to use, copy, modify, and distribute this software for any purpose 59 with or without fee is hereby granted, provided that the above copyright 60 notice and this permission notice appear in all copies. 61 62 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 63 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 64 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN 65 NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 66 DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR 67 OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE 68 OR OTHER DEALINGS IN THE SOFTWARE. 69 70 Except as contained in this notice, the name of a copyright holder shall not 71 be used in advertising or otherwise to promote the sale, use or other dealings 72 in this Software without prior written authorization of the copyright holder. 73 */ 74 75 /* Portable, consistent toupper (remember EBCDIC). Do not use toupper() because 76 its behavior is altered by the current locale. */ 77 static char Curl_raw_toupper(char in) 78 { 79 switch (in) { 80 case 'a': 81 return 'A'; 82 case 'b': 83 return 'B'; 84 case 'c': 85 return 'C'; 86 case 'd': 87 return 'D'; 88 case 'e': 89 return 'E'; 90 case 'f': 91 return 'F'; 92 case 'g': 93 return 'G'; 94 case 'h': 95 return 'H'; 96 case 'i': 97 return 'I'; 98 case 'j': 99 return 'J'; 100 case 'k': 101 return 'K'; 102 case 'l': 103 return 'L'; 104 case 'm': 105 return 'M'; 106 case 'n': 107 return 'N'; 108 case 'o': 109 return 'O'; 110 case 'p': 111 return 'P'; 112 case 'q': 113 return 'Q'; 114 case 'r': 115 return 'R'; 116 case 's': 117 return 'S'; 118 case 't': 119 return 'T'; 120 case 'u': 121 return 'U'; 122 case 'v': 123 return 'V'; 124 case 'w': 125 return 'W'; 126 case 'x': 127 return 'X'; 128 case 'y': 129 return 'Y'; 130 case 'z': 131 return 'Z'; 132 } 133 return in; 134 } 135 136 /* 137 * Curl_raw_equal() is for doing "raw" case insensitive strings. This is meant 138 * to be locale independent and only compare strings we know are safe for 139 * this. See http://daniel.haxx.se/blog/2008/10/15/strcasecmp-in-turkish/ for 140 * some further explanation to why this function is necessary. 141 * 142 * The function is capable of comparing a-z case insensitively even for 143 * non-ascii. 144 */ 145 146 static int Curl_raw_equal(const char *first, const char *second) 147 { 148 while(*first && *second) { 149 if (Curl_raw_toupper(*first) != Curl_raw_toupper(*second)) 150 /* get out of the loop as soon as they don't match */ 151 break; 152 first++; 153 second++; 154 } 155 /* we do the comparison here (possibly again), just to make sure that if the 156 loop above is skipped because one of the strings reached zero, we must not 157 return this as a successful match */ 158 return (Curl_raw_toupper(*first) == Curl_raw_toupper(*second)); 159 } 160 161 static int Curl_raw_nequal(const char *first, const char *second, size_t max) 162 { 163 while(*first && *second && max) { 164 if (Curl_raw_toupper(*first) != Curl_raw_toupper(*second)) { 165 break; 166 } 167 max--; 168 first++; 169 second++; 170 } 171 if (0 == max) 172 return 1; /* they are equal this far */ 173 174 return Curl_raw_toupper(*first) == Curl_raw_toupper(*second); 175 } 176 177 /* 178 * Match a hostname against a wildcard pattern. 179 * E.g. 180 * "foo.host.com" matches "*.host.com". 181 * 182 * We use the matching rule described in RFC6125, section 6.4.3. 183 * http://tools.ietf.org/html/rfc6125#section-6.4.3 184 */ 185 186 static int hostmatch(const char *hostname, const char *pattern) 187 { 188 const char *pattern_label_end, *pattern_wildcard, *hostname_label_end; 189 int wildcard_enabled; 190 size_t prefixlen, suffixlen; 191 pattern_wildcard = strchr(pattern, '*'); 192 if (pattern_wildcard == NULL) 193 return Curl_raw_equal(pattern, hostname) ? 194 CURL_HOST_MATCH : CURL_HOST_NOMATCH; 195 196 /* We require at least 2 dots in pattern to avoid too wide wildcard 197 match. */ 198 wildcard_enabled = 1; 199 pattern_label_end = strchr(pattern, '.'); 200 if (pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL || 201 pattern_wildcard > pattern_label_end || 202 Curl_raw_nequal(pattern, "xn--", 4)) { 203 wildcard_enabled = 0; 204 } 205 if (!wildcard_enabled) 206 return Curl_raw_equal(pattern, hostname) ? 207 CURL_HOST_MATCH : CURL_HOST_NOMATCH; 208 209 hostname_label_end = strchr(hostname, '.'); 210 if (hostname_label_end == NULL || 211 !Curl_raw_equal(pattern_label_end, hostname_label_end)) 212 return CURL_HOST_NOMATCH; 213 214 /* The wildcard must match at least one character, so the left-most 215 label of the hostname is at least as large as the left-most label 216 of the pattern. */ 217 if (hostname_label_end - hostname < pattern_label_end - pattern) 218 return CURL_HOST_NOMATCH; 219 220 prefixlen = pattern_wildcard - pattern; 221 suffixlen = pattern_label_end - (pattern_wildcard+1); 222 return Curl_raw_nequal(pattern, hostname, prefixlen) && 223 Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen, 224 suffixlen) ? 225 CURL_HOST_MATCH : CURL_HOST_NOMATCH; 226 } 227 228 int Curl_cert_hostcheck(const char *match_pattern, const char *hostname) 229 { 230 if (!match_pattern || !*match_pattern || 231 !hostname || !*hostname) /* sanity check */ 232 return 0; 233 234 if (Curl_raw_equal(hostname, match_pattern)) /* trivial case */ 235 return 1; 236 237 if (hostmatch(hostname,match_pattern) == CURL_HOST_MATCH) 238 return 1; 239 return 0; 240 } 241 /* End of cURL related functions */ 242 243 /* Start of host validation code */ 244 /* Obtained from: https://github.com/iSECPartners/ssl-conservatory */ 245 246 /* 247 Copyright (C) 2012, iSEC Partners. 248 249 Permission is hereby granted, free of charge, to any person obtaining a copy of 250 this software and associated documentation files (the "Software"), to deal in 251 the Software without restriction, including without limitation the rights to 252 use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 253 of the Software, and to permit persons to whom the Software is furnished to do 254 so, subject to the following conditions: 255 256 The above copyright notice and this permission notice shall be included in all 257 copies or substantial portions of the Software. 258 259 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 260 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 261 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 262 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 263 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 264 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 265 SOFTWARE. 266 */ 267 268 /* 269 * Helper functions to perform basic hostname validation using OpenSSL. 270 * 271 * Please read "everything-you-wanted-to-know-about-openssl.pdf" before 272 * attempting to use this code. This whitepaper describes how the code works, 273 * how it should be used, and what its limitations are. 274 * 275 * Author: Alban Diquet 276 * License: See LICENSE 277 * 278 */ 279 280 /** 281 * Tries to find a match for hostname in the certificate's Common Name field. 282 * 283 * Returns MatchFound if a match was found. 284 * Returns MatchNotFound if no matches were found. 285 * Returns MalformedCertificate if the Common Name had a NUL character embedded in it. 286 * Returns Error if the Common Name could not be extracted. 287 */ 288 static HostnameValidationResult matches_common_name(const char *hostname, const X509 *server_cert) { 289 int common_name_loc = -1; 290 X509_NAME_ENTRY *common_name_entry = NULL; 291 ASN1_STRING *common_name_asn1 = NULL; 292 const char *common_name_str = NULL; 293 294 // Find the position of the CN field in the Subject field of the certificate 295 common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *) server_cert), NID_commonName, -1); 296 if (common_name_loc < 0) { 297 return Error; 298 } 299 300 // Extract the CN field 301 common_name_entry = X509_NAME_get_entry(X509_get_subject_name((X509 *) server_cert), common_name_loc); 302 if (common_name_entry == NULL) { 303 return Error; 304 } 305 306 // Convert the CN field to a C string 307 common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry); 308 if (common_name_asn1 == NULL) { 309 return Error; 310 } 311 common_name_str = (char *) ASN1_STRING_get0_data(common_name_asn1); 312 313 // Make sure there isn't an embedded NUL character in the CN 314 if ((size_t)ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) { 315 return MalformedCertificate; 316 } 317 318 // Compare expected hostname with the CN 319 if (Curl_cert_hostcheck(common_name_str, hostname) == CURL_HOST_MATCH) { 320 return MatchFound; 321 } 322 else { 323 return MatchNotFound; 324 } 325 } 326 327 328 /** 329 * Tries to find a match for hostname in the certificate's Subject Alternative Name extension. 330 * 331 * Returns MatchFound if a match was found. 332 * Returns MatchNotFound if no matches were found. 333 * Returns MalformedCertificate if any of the hostnames had a NUL character embedded in it. 334 * Returns NoSANPresent if the SAN extension was not present in the certificate. 335 */ 336 static HostnameValidationResult matches_subject_alternative_name(const char *hostname, const X509 *server_cert) { 337 HostnameValidationResult result = MatchNotFound; 338 int i; 339 int san_names_nb = -1; 340 STACK_OF(GENERAL_NAME) *san_names = NULL; 341 342 // Try to extract the names within the SAN extension from the certificate 343 san_names = X509_get_ext_d2i((X509 *) server_cert, NID_subject_alt_name, NULL, NULL); 344 if (san_names == NULL) { 345 return NoSANPresent; 346 } 347 san_names_nb = sk_GENERAL_NAME_num(san_names); 348 349 // Check each name within the extension 350 for (i=0; i<san_names_nb; i++) { 351 const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i); 352 353 if (current_name->type == GEN_DNS) { 354 // Current name is a DNS name, let's check it 355 const char *dns_name = (char *) ASN1_STRING_get0_data(current_name->d.dNSName); 356 357 // Make sure there isn't an embedded NUL character in the DNS name 358 if ((size_t)ASN1_STRING_length(current_name->d.dNSName) != strlen(dns_name)) { 359 result = MalformedCertificate; 360 break; 361 } 362 else { // Compare expected hostname with the DNS name 363 if (Curl_cert_hostcheck(dns_name, hostname) 364 == CURL_HOST_MATCH) { 365 result = MatchFound; 366 break; 367 } 368 } 369 } 370 } 371 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free); 372 373 return result; 374 } 375 376 377 /** 378 * Validates the server's identity by looking for the expected hostname in the 379 * server's certificate. As described in RFC 6125, it first tries to find a match 380 * in the Subject Alternative Name extension. If the extension is not present in 381 * the certificate, it checks the Common Name instead. 382 * 383 * Returns MatchFound if a match was found. 384 * Returns MatchNotFound if no matches were found. 385 * Returns MalformedCertificate if any of the hostnames had a NUL character embedded in it. 386 * Returns Error if there was an error. 387 */ 388 HostnameValidationResult validate_hostname(const char *hostname, const X509 *server_cert) { 389 HostnameValidationResult result; 390 391 if ((hostname == NULL) || (server_cert == NULL)) 392 return Error; 393 394 // First try the Subject Alternative Names extension 395 result = matches_subject_alternative_name(hostname, server_cert); 396 if (result == NoSANPresent) { 397 // Extension was not found: try the Common Name 398 result = matches_common_name(hostname, server_cert); 399 } 400 401 return result; 402 }