unrealircd

- supernets unrealircd source & configuration
git clone git://git.acid.vegas/unrealircd.git
Log | Files | Refs | Archive | README | LICENSE

openssl_hostname_validation.c (14062B)

      1 /* This file contains both code from cURL and hostname
      2  * validation code from the ssl conservatory (in that order).
      3  *
      4  * The goal is that all this code won't be needed anymore once
      5  * everyone is running a recent OpenSSL/LibreSSL that has
      6  * X509_check_host(). Until that time, unfortunately, we need
      7  * these 400+ lines to do just that... -- Syzop, Sep/2017
      8  */
      9 
     10 // Get rid of OSX 10.7 and greater deprecation warnings.
     11 #if defined(__APPLE__) && defined(__clang__)
     12 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
     13 #endif
     14 
     15 #include <openssl/x509v3.h>
     16 #include <openssl/ssl.h>
     17 #include <string.h>
     18 
     19 #include "openssl_hostname_validation.h"
     20 
     21 #define HOSTNAME_MAX_SIZE 255
     22 
     23 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
     24 #define ASN1_STRING_get0_data ASN1_STRING_data
     25 #endif
     26 
     27 /***************************************************************************
     28  *                                  _   _ ____  _
     29  *  Project                     ___| | | |  _ \| |
     30  *                             / __| | | | |_) | |
     31  *                            | (__| |_| |  _ <| |___
     32  *                             \___|\___/|_| \_\_____|
     33  *
     34  * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
     35  *
     36  * This software is licensed as described in the file COPYING, which
     37  * you should have received as part of this distribution. The terms
     38  * are also available at http://curl.haxx.se/docs/copyright.html.
     39  *
     40  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
     41  * copies of the Software, and permit persons to whom the Software is
     42  * furnished to do so, under the terms of the COPYING file.
     43  *
     44  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
     45  * KIND, either express or implied.
     46  *
     47  ***************************************************************************/
     48 
     49 /* This file is an amalgamation of hostcheck.c and most of rawstr.c
     50    from cURL.  The contents of the COPYING file mentioned above are:
     51 
     52 COPYRIGHT AND PERMISSION NOTICE
     53 
     54 Copyright (c) 1996 - 2013, Daniel Stenberg, <daniel@haxx.se>.
     55 
     56 All rights reserved.
     57 
     58 Permission to use, copy, modify, and distribute this software for any purpose
     59 with or without fee is hereby granted, provided that the above copyright
     60 notice and this permission notice appear in all copies.
     61 
     62 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
     63 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
     64 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
     65 NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
     66 DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
     67 OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
     68 OR OTHER DEALINGS IN THE SOFTWARE.
     69 
     70 Except as contained in this notice, the name of a copyright holder shall not
     71 be used in advertising or otherwise to promote the sale, use or other dealings
     72 in this Software without prior written authorization of the copyright holder.
     73 */
     74 
     75 /* Portable, consistent toupper (remember EBCDIC). Do not use toupper() because
     76    its behavior is altered by the current locale. */
     77 static char Curl_raw_toupper(char in)
     78 {
     79   switch (in) {
     80   case 'a':
     81     return 'A';
     82   case 'b':
     83     return 'B';
     84   case 'c':
     85     return 'C';
     86   case 'd':
     87     return 'D';
     88   case 'e':
     89     return 'E';
     90   case 'f':
     91     return 'F';
     92   case 'g':
     93     return 'G';
     94   case 'h':
     95     return 'H';
     96   case 'i':
     97     return 'I';
     98   case 'j':
     99     return 'J';
    100   case 'k':
    101     return 'K';
    102   case 'l':
    103     return 'L';
    104   case 'm':
    105     return 'M';
    106   case 'n':
    107     return 'N';
    108   case 'o':
    109     return 'O';
    110   case 'p':
    111     return 'P';
    112   case 'q':
    113     return 'Q';
    114   case 'r':
    115     return 'R';
    116   case 's':
    117     return 'S';
    118   case 't':
    119     return 'T';
    120   case 'u':
    121     return 'U';
    122   case 'v':
    123     return 'V';
    124   case 'w':
    125     return 'W';
    126   case 'x':
    127     return 'X';
    128   case 'y':
    129     return 'Y';
    130   case 'z':
    131     return 'Z';
    132   }
    133   return in;
    134 }
    135 
    136 /*
    137  * Curl_raw_equal() is for doing "raw" case insensitive strings. This is meant
    138  * to be locale independent and only compare strings we know are safe for
    139  * this.  See http://daniel.haxx.se/blog/2008/10/15/strcasecmp-in-turkish/ for
    140  * some further explanation to why this function is necessary.
    141  *
    142  * The function is capable of comparing a-z case insensitively even for
    143  * non-ascii.
    144  */
    145 
    146 static int Curl_raw_equal(const char *first, const char *second)
    147 {
    148   while(*first && *second) {
    149     if (Curl_raw_toupper(*first) != Curl_raw_toupper(*second))
    150       /* get out of the loop as soon as they don't match */
    151       break;
    152     first++;
    153     second++;
    154   }
    155   /* we do the comparison here (possibly again), just to make sure that if the
    156      loop above is skipped because one of the strings reached zero, we must not
    157      return this as a successful match */
    158   return (Curl_raw_toupper(*first) == Curl_raw_toupper(*second));
    159 }
    160 
    161 static int Curl_raw_nequal(const char *first, const char *second, size_t max)
    162 {
    163   while(*first && *second && max) {
    164     if (Curl_raw_toupper(*first) != Curl_raw_toupper(*second)) {
    165       break;
    166     }
    167     max--;
    168     first++;
    169     second++;
    170   }
    171   if (0 == max)
    172     return 1; /* they are equal this far */
    173 
    174   return Curl_raw_toupper(*first) == Curl_raw_toupper(*second);
    175 }
    176 
    177 /*
    178  * Match a hostname against a wildcard pattern.
    179  * E.g.
    180  *  "foo.host.com" matches "*.host.com".
    181  *
    182  * We use the matching rule described in RFC6125, section 6.4.3.
    183  * http://tools.ietf.org/html/rfc6125#section-6.4.3
    184  */
    185 
    186 static int hostmatch(const char *hostname, const char *pattern)
    187 {
    188   const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
    189   int wildcard_enabled;
    190   size_t prefixlen, suffixlen;
    191   pattern_wildcard = strchr(pattern, '*');
    192   if (pattern_wildcard == NULL)
    193     return Curl_raw_equal(pattern, hostname) ?
    194       CURL_HOST_MATCH : CURL_HOST_NOMATCH;
    195 
    196   /* We require at least 2 dots in pattern to avoid too wide wildcard
    197      match. */
    198   wildcard_enabled = 1;
    199   pattern_label_end = strchr(pattern, '.');
    200   if (pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL ||
    201      pattern_wildcard > pattern_label_end ||
    202      Curl_raw_nequal(pattern, "xn--", 4)) {
    203     wildcard_enabled = 0;
    204   }
    205   if (!wildcard_enabled)
    206     return Curl_raw_equal(pattern, hostname) ?
    207       CURL_HOST_MATCH : CURL_HOST_NOMATCH;
    208 
    209   hostname_label_end = strchr(hostname, '.');
    210   if (hostname_label_end == NULL ||
    211      !Curl_raw_equal(pattern_label_end, hostname_label_end))
    212     return CURL_HOST_NOMATCH;
    213 
    214   /* The wildcard must match at least one character, so the left-most
    215      label of the hostname is at least as large as the left-most label
    216      of the pattern. */
    217   if (hostname_label_end - hostname < pattern_label_end - pattern)
    218     return CURL_HOST_NOMATCH;
    219 
    220   prefixlen = pattern_wildcard - pattern;
    221   suffixlen = pattern_label_end - (pattern_wildcard+1);
    222   return Curl_raw_nequal(pattern, hostname, prefixlen) &&
    223     Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen,
    224                     suffixlen) ?
    225     CURL_HOST_MATCH : CURL_HOST_NOMATCH;
    226 }
    227 
    228 int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
    229 {
    230   if (!match_pattern || !*match_pattern ||
    231       !hostname || !*hostname) /* sanity check */
    232     return 0;
    233 
    234   if (Curl_raw_equal(hostname, match_pattern)) /* trivial case */
    235     return 1;
    236 
    237   if (hostmatch(hostname,match_pattern) == CURL_HOST_MATCH)
    238     return 1;
    239   return 0;
    240 }
    241 /* End of cURL related functions */
    242 
    243 /* Start of host validation code */
    244 /* Obtained from: https://github.com/iSECPartners/ssl-conservatory */
    245 
    246 /*
    247 Copyright (C) 2012, iSEC Partners.
    248 
    249 Permission is hereby granted, free of charge, to any person obtaining a copy of
    250 this software and associated documentation files (the "Software"), to deal in
    251 the Software without restriction, including without limitation the rights to
    252 use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
    253 of the Software, and to permit persons to whom the Software is furnished to do
    254 so, subject to the following conditions:
    255 
    256 The above copyright notice and this permission notice shall be included in all
    257 copies or substantial portions of the Software.
    258 
    259 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    260 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    261 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    262 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    263 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    264 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    265 SOFTWARE.
    266  */
    267 
    268 /*
    269  * Helper functions to perform basic hostname validation using OpenSSL.
    270  *
    271  * Please read "everything-you-wanted-to-know-about-openssl.pdf" before
    272  * attempting to use this code. This whitepaper describes how the code works,
    273  * how it should be used, and what its limitations are.
    274  *
    275  * Author:  Alban Diquet
    276  * License: See LICENSE
    277  *
    278  */
    279 
    280 /**
    281 * Tries to find a match for hostname in the certificate's Common Name field.
    282 *
    283 * Returns MatchFound if a match was found.
    284 * Returns MatchNotFound if no matches were found.
    285 * Returns MalformedCertificate if the Common Name had a NUL character embedded in it.
    286 * Returns Error if the Common Name could not be extracted.
    287 */
    288 static HostnameValidationResult matches_common_name(const char *hostname, const X509 *server_cert) {
    289         int common_name_loc = -1;
    290         X509_NAME_ENTRY *common_name_entry = NULL;
    291         ASN1_STRING *common_name_asn1 = NULL;
    292         const char *common_name_str = NULL;
    293 
    294         // Find the position of the CN field in the Subject field of the certificate
    295         common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *) server_cert), NID_commonName, -1);
    296         if (common_name_loc < 0) {
    297                 return Error;
    298         }
    299 
    300         // Extract the CN field
    301         common_name_entry = X509_NAME_get_entry(X509_get_subject_name((X509 *) server_cert), common_name_loc);
    302         if (common_name_entry == NULL) {
    303                 return Error;
    304         }
    305 
    306         // Convert the CN field to a C string
    307         common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);
    308         if (common_name_asn1 == NULL) {
    309                 return Error;
    310         }
    311         common_name_str = (char *) ASN1_STRING_get0_data(common_name_asn1);
    312 
    313         // Make sure there isn't an embedded NUL character in the CN
    314         if ((size_t)ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) {
    315                 return MalformedCertificate;
    316         }
    317 
    318         // Compare expected hostname with the CN
    319         if (Curl_cert_hostcheck(common_name_str, hostname) == CURL_HOST_MATCH) {
    320                 return MatchFound;
    321         }
    322         else {
    323                 return MatchNotFound;
    324         }
    325 }
    326 
    327 
    328 /**
    329 * Tries to find a match for hostname in the certificate's Subject Alternative Name extension.
    330 *
    331 * Returns MatchFound if a match was found.
    332 * Returns MatchNotFound if no matches were found.
    333 * Returns MalformedCertificate if any of the hostnames had a NUL character embedded in it.
    334 * Returns NoSANPresent if the SAN extension was not present in the certificate.
    335 */
    336 static HostnameValidationResult matches_subject_alternative_name(const char *hostname, const X509 *server_cert) {
    337         HostnameValidationResult result = MatchNotFound;
    338         int i;
    339         int san_names_nb = -1;
    340         STACK_OF(GENERAL_NAME) *san_names = NULL;
    341 
    342         // Try to extract the names within the SAN extension from the certificate
    343         san_names = X509_get_ext_d2i((X509 *) server_cert, NID_subject_alt_name, NULL, NULL);
    344         if (san_names == NULL) {
    345                 return NoSANPresent;
    346         }
    347         san_names_nb = sk_GENERAL_NAME_num(san_names);
    348 
    349         // Check each name within the extension
    350         for (i=0; i<san_names_nb; i++) {
    351                 const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i);
    352 
    353                 if (current_name->type == GEN_DNS) {
    354                         // Current name is a DNS name, let's check it
    355                         const char *dns_name = (char *) ASN1_STRING_get0_data(current_name->d.dNSName);
    356 
    357                         // Make sure there isn't an embedded NUL character in the DNS name
    358                         if ((size_t)ASN1_STRING_length(current_name->d.dNSName) != strlen(dns_name)) {
    359                                 result = MalformedCertificate;
    360                                 break;
    361                         }
    362                         else { // Compare expected hostname with the DNS name
    363                                 if (Curl_cert_hostcheck(dns_name, hostname)
    364                                     == CURL_HOST_MATCH) {
    365                                         result = MatchFound;
    366                                         break;
    367                                 }
    368                         }
    369                 }
    370         }
    371         sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
    372 
    373         return result;
    374 }
    375 
    376 
    377 /**
    378 * Validates the server's identity by looking for the expected hostname in the
    379 * server's certificate. As described in RFC 6125, it first tries to find a match
    380 * in the Subject Alternative Name extension. If the extension is not present in
    381 * the certificate, it checks the Common Name instead.
    382 *
    383 * Returns MatchFound if a match was found.
    384 * Returns MatchNotFound if no matches were found.
    385 * Returns MalformedCertificate if any of the hostnames had a NUL character embedded in it.
    386 * Returns Error if there was an error.
    387 */
    388 HostnameValidationResult validate_hostname(const char *hostname, const X509 *server_cert) {
    389         HostnameValidationResult result;
    390 
    391         if ((hostname == NULL) || (server_cert == NULL))
    392                 return Error;
    393 
    394         // First try the Subject Alternative Names extension
    395         result = matches_subject_alternative_name(hostname, server_cert);
    396         if (result == NoSANPresent) {
    397                 // Extension was not found: try the Common Name
    398                 result = matches_common_name(hostname, server_cert);
    399         }
    400 
    401         return result;
    402 }