1 ebfc5784 2024-01-07 op /* $OpenBSD: tls_verify.c,v 1.29 2023/11/22 18:23:09 op Exp $ */
3 f9ab77a8 2023-08-23 op * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
5 f9ab77a8 2023-08-23 op * Permission to use, copy, modify, and distribute this software for any
6 f9ab77a8 2023-08-23 op * purpose with or without fee is hereby granted, provided that the above
7 f9ab77a8 2023-08-23 op * copyright notice and this permission notice appear in all copies.
9 f9ab77a8 2023-08-23 op * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 f9ab77a8 2023-08-23 op * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 f9ab77a8 2023-08-23 op * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 f9ab77a8 2023-08-23 op * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 f9ab77a8 2023-08-23 op * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 f9ab77a8 2023-08-23 op * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 f9ab77a8 2023-08-23 op * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 f9ab77a8 2023-08-23 op #include "config.h"
20 f9ab77a8 2023-08-23 op #include <sys/socket.h>
22 f9ab77a8 2023-08-23 op #include <arpa/inet.h>
23 f9ab77a8 2023-08-23 op #include <netinet/in.h>
25 f9ab77a8 2023-08-23 op #include <string.h>
27 f9ab77a8 2023-08-23 op #include <openssl/x509v3.h>
29 f9ab77a8 2023-08-23 op #include <tls.h>
30 f9ab77a8 2023-08-23 op #include "tls_internal.h"
33 f9ab77a8 2023-08-23 op tls_match_name(const char *cert_name, const char *name)
35 f9ab77a8 2023-08-23 op const char *cert_domain, *domain, *next_dot;
37 f9ab77a8 2023-08-23 op if (strcasecmp(cert_name, name) == 0)
40 f9ab77a8 2023-08-23 op /* Wildcard match? */
41 f9ab77a8 2023-08-23 op if (cert_name[0] == '*') {
43 f9ab77a8 2023-08-23 op * Valid wildcards:
44 f9ab77a8 2023-08-23 op * - "*.domain.tld"
45 f9ab77a8 2023-08-23 op * - "*.sub.domain.tld"
47 f9ab77a8 2023-08-23 op * Reject "*.tld".
48 f9ab77a8 2023-08-23 op * No attempt to prevent the use of eg. "*.co.uk".
50 f9ab77a8 2023-08-23 op cert_domain = &cert_name[1];
51 f9ab77a8 2023-08-23 op /* Disallow "*" */
52 f9ab77a8 2023-08-23 op if (cert_domain[0] == '\0')
54 f9ab77a8 2023-08-23 op /* Disallow "*foo" */
55 f9ab77a8 2023-08-23 op if (cert_domain[0] != '.')
57 f9ab77a8 2023-08-23 op /* Disallow "*.." */
58 f9ab77a8 2023-08-23 op if (cert_domain[1] == '.')
60 f9ab77a8 2023-08-23 op next_dot = strchr(&cert_domain[1], '.');
61 f9ab77a8 2023-08-23 op /* Disallow "*.bar" */
62 f9ab77a8 2023-08-23 op if (next_dot == NULL)
64 f9ab77a8 2023-08-23 op /* Disallow "*.bar.." */
65 f9ab77a8 2023-08-23 op if (next_dot[1] == '.')
68 f9ab77a8 2023-08-23 op domain = strchr(name, '.');
70 f9ab77a8 2023-08-23 op /* No wildcard match against a name with no host part. */
71 f9ab77a8 2023-08-23 op if (name[0] == '.')
73 f9ab77a8 2023-08-23 op /* No wildcard match against a name with no domain part. */
74 f9ab77a8 2023-08-23 op if (domain == NULL || strlen(domain) == 1)
77 f9ab77a8 2023-08-23 op if (strcasecmp(cert_domain, domain) == 0)
85 f9ab77a8 2023-08-23 op * See RFC 5280 section 4.2.1.6 for SubjectAltName details.
86 f9ab77a8 2023-08-23 op * alt_match is set to 1 if a matching alternate name is found.
87 f9ab77a8 2023-08-23 op * alt_exists is set to 1 if any known alternate name exists in the certificate.
90 f9ab77a8 2023-08-23 op tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
91 f9ab77a8 2023-08-23 op int *alt_match, int *alt_exists)
93 f9ab77a8 2023-08-23 op STACK_OF(GENERAL_NAME) *altname_stack = NULL;
94 f9ab77a8 2023-08-23 op union tls_addr addrbuf;
95 f9ab77a8 2023-08-23 op int addrlen, type;
97 ebfc5784 2024-01-07 op int critical = 0;
100 f9ab77a8 2023-08-23 op *alt_match = 0;
101 f9ab77a8 2023-08-23 op *alt_exists = 0;
103 ebfc5784 2024-01-07 op altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name, &critical,
105 ebfc5784 2024-01-07 op if (altname_stack == NULL) {
106 ebfc5784 2024-01-07 op if (critical != -1) {
107 ebfc5784 2024-01-07 op tls_set_errorx(ctx, "error decoding subjectAltName");
113 f9ab77a8 2023-08-23 op if (inet_pton(AF_INET, name, &addrbuf) == 1) {
114 f9ab77a8 2023-08-23 op type = GEN_IPADD;
116 f9ab77a8 2023-08-23 op } else if (inet_pton(AF_INET6, name, &addrbuf) == 1) {
117 f9ab77a8 2023-08-23 op type = GEN_IPADD;
118 f9ab77a8 2023-08-23 op addrlen = 16;
120 f9ab77a8 2023-08-23 op type = GEN_DNS;
124 f9ab77a8 2023-08-23 op count = sk_GENERAL_NAME_num(altname_stack);
125 f9ab77a8 2023-08-23 op for (i = 0; i < count; i++) {
126 f9ab77a8 2023-08-23 op GENERAL_NAME *altname;
128 f9ab77a8 2023-08-23 op altname = sk_GENERAL_NAME_value(altname_stack, i);
130 f9ab77a8 2023-08-23 op if (altname->type == GEN_DNS || altname->type == GEN_IPADD)
131 f9ab77a8 2023-08-23 op *alt_exists = 1;
133 f9ab77a8 2023-08-23 op if (altname->type != type)
136 f9ab77a8 2023-08-23 op if (type == GEN_DNS) {
137 f9ab77a8 2023-08-23 op const unsigned char *data;
138 f9ab77a8 2023-08-23 op int format, len;
140 f9ab77a8 2023-08-23 op format = ASN1_STRING_type(altname->d.dNSName);
141 f9ab77a8 2023-08-23 op if (format == V_ASN1_IA5STRING) {
142 f9ab77a8 2023-08-23 op data = ASN1_STRING_get0_data(altname->d.dNSName);
143 f9ab77a8 2023-08-23 op len = ASN1_STRING_length(altname->d.dNSName);
145 f9ab77a8 2023-08-23 op if (len < 0 || (size_t)len != strlen(data)) {
146 f9ab77a8 2023-08-23 op tls_set_errorx(ctx,
147 f9ab77a8 2023-08-23 op "error verifying name '%s': "
148 f9ab77a8 2023-08-23 op "NUL byte in subjectAltName, "
149 f9ab77a8 2023-08-23 op "probably a malicious certificate",
155 f9ab77a8 2023-08-23 op * Per RFC 5280 section 4.2.1.6:
156 f9ab77a8 2023-08-23 op * " " is a legal domain name, but that
157 f9ab77a8 2023-08-23 op * dNSName must be rejected.
159 f9ab77a8 2023-08-23 op if (strcmp(data, " ") == 0) {
160 f9ab77a8 2023-08-23 op tls_set_errorx(ctx,
161 f9ab77a8 2023-08-23 op "error verifying name '%s': "
162 f9ab77a8 2023-08-23 op "a dNSName of \" \" must not be "
163 f9ab77a8 2023-08-23 op "used", name);
167 f9ab77a8 2023-08-23 op if (tls_match_name(data, name) == 0) {
168 f9ab77a8 2023-08-23 op *alt_match = 1;
173 f9ab77a8 2023-08-23 op fprintf(stdout, "%s: unhandled subjectAltName "
174 f9ab77a8 2023-08-23 op "dNSName encoding (%d)\n", getprogname(),
179 f9ab77a8 2023-08-23 op } else if (type == GEN_IPADD) {
180 f9ab77a8 2023-08-23 op const unsigned char *data;
183 f9ab77a8 2023-08-23 op datalen = ASN1_STRING_length(altname->d.iPAddress);
184 f9ab77a8 2023-08-23 op data = ASN1_STRING_get0_data(altname->d.iPAddress);
186 f9ab77a8 2023-08-23 op if (datalen < 0) {
187 f9ab77a8 2023-08-23 op tls_set_errorx(ctx,
188 f9ab77a8 2023-08-23 op "Unexpected negative length for an "
189 f9ab77a8 2023-08-23 op "IP address: %d", datalen);
194 f9ab77a8 2023-08-23 op * Per RFC 5280 section 4.2.1.6:
195 f9ab77a8 2023-08-23 op * IPv4 must use 4 octets and IPv6 must use 16 octets.
197 f9ab77a8 2023-08-23 op if (datalen == addrlen &&
198 f9ab77a8 2023-08-23 op memcmp(data, &addrbuf, addrlen) == 0) {
199 f9ab77a8 2023-08-23 op *alt_match = 1;
209 f9ab77a8 2023-08-23 op sk_GENERAL_NAME_pop_free(altname_stack, GENERAL_NAME_free);
214 f9ab77a8 2023-08-23 op tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
215 f9ab77a8 2023-08-23 op int *cn_match)
217 ebfc5784 2024-01-07 op unsigned char *utf8_bytes = NULL;
218 f9ab77a8 2023-08-23 op X509_NAME *subject_name;
219 f9ab77a8 2023-08-23 op char *common_name = NULL;
220 f9ab77a8 2023-08-23 op union tls_addr addrbuf;
221 f9ab77a8 2023-08-23 op int common_name_len;
222 ebfc5784 2024-01-07 op ASN1_STRING *data;
223 ebfc5784 2024-01-07 op int lastpos = -1;
226 f9ab77a8 2023-08-23 op *cn_match = 0;
228 f9ab77a8 2023-08-23 op subject_name = X509_get_subject_name(cert);
229 f9ab77a8 2023-08-23 op if (subject_name == NULL)
232 ebfc5784 2024-01-07 op lastpos = X509_NAME_get_index_by_NID(subject_name,
233 ebfc5784 2024-01-07 op NID_commonName, lastpos);
234 ebfc5784 2024-01-07 op if (lastpos == -1)
236 ebfc5784 2024-01-07 op if (lastpos < 0)
238 ebfc5784 2024-01-07 op if (X509_NAME_get_index_by_NID(subject_name, NID_commonName, lastpos)
241 ebfc5784 2024-01-07 op * Having multiple CN's is possible, and even happened back in
242 ebfc5784 2024-01-07 op * the glory days of mullets and Hammer pants. In anything like
243 ebfc5784 2024-01-07 op * a modern TLS cert, CN is as close to deprecated as it gets,
244 ebfc5784 2024-01-07 op * and having more than one is bad. We therefore fail if we have
245 ebfc5784 2024-01-07 op * more than one CN fed to us in the subject, treating the
246 ebfc5784 2024-01-07 op * certificate as hostile.
248 ebfc5784 2024-01-07 op tls_set_errorx(ctx, "error verifying name '%s': "
249 ebfc5784 2024-01-07 op "Certificate subject contains multiple Common Name fields, "
250 ebfc5784 2024-01-07 op "probably a malicious or malformed certificate", name);
254 ebfc5784 2024-01-07 op data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name,
257 ebfc5784 2024-01-07 op * Fail if we cannot encode the CN bytes as UTF-8.
259 ebfc5784 2024-01-07 op if ((common_name_len = ASN1_STRING_to_UTF8(&utf8_bytes, data)) < 0) {
260 f9ab77a8 2023-08-23 op tls_set_errorx(ctx, "error verifying name '%s': "
261 ebfc5784 2024-01-07 op "Common Name field cannot be encoded as a UTF-8 string, "
262 ebfc5784 2024-01-07 op "probably a malicious certificate", name);
266 ebfc5784 2024-01-07 op * Fail if the CN is of invalid length. RFC 5280 specifies that a CN
267 ebfc5784 2024-01-07 op * must be between 1 and 64 bytes long.
269 ebfc5784 2024-01-07 op if (common_name_len < 1 || common_name_len > 64) {
270 ebfc5784 2024-01-07 op tls_set_errorx(ctx, "error verifying name '%s': "
271 ebfc5784 2024-01-07 op "Common Name field has invalid length, "
272 ebfc5784 2024-01-07 op "probably a malicious certificate", name);
276 ebfc5784 2024-01-07 op * Fail if the resulting text contains a NUL byte.
278 ebfc5784 2024-01-07 op if (memchr(utf8_bytes, 0, common_name_len) != NULL) {
279 ebfc5784 2024-01-07 op tls_set_errorx(ctx, "error verifying name '%s': "
280 f9ab77a8 2023-08-23 op "NUL byte in Common Name field, "
281 f9ab77a8 2023-08-23 op "probably a malicious certificate", name);
285 ebfc5784 2024-01-07 op common_name = strndup(utf8_bytes, common_name_len);
286 ebfc5784 2024-01-07 op if (common_name == NULL) {
287 ebfc5784 2024-01-07 op tls_set_error(ctx, "out of memory");
292 f9ab77a8 2023-08-23 op * We don't want to attempt wildcard matching against IP addresses,
293 f9ab77a8 2023-08-23 op * so perform a simple comparison here.
295 f9ab77a8 2023-08-23 op if (inet_pton(AF_INET, name, &addrbuf) == 1 ||
296 f9ab77a8 2023-08-23 op inet_pton(AF_INET6, name, &addrbuf) == 1) {
297 f9ab77a8 2023-08-23 op if (strcmp(common_name, name) == 0)
298 f9ab77a8 2023-08-23 op *cn_match = 1;
302 f9ab77a8 2023-08-23 op if (tls_match_name(common_name, name) == 0)
303 f9ab77a8 2023-08-23 op *cn_match = 1;
309 ebfc5784 2024-01-07 op free(utf8_bytes);
310 f9ab77a8 2023-08-23 op free(common_name);
315 f9ab77a8 2023-08-23 op tls_check_name(struct tls *ctx, X509 *cert, const char *name, int *match)
317 f9ab77a8 2023-08-23 op int alt_exists;
321 f9ab77a8 2023-08-23 op if (tls_check_subject_altname(ctx, cert, name, match,
322 f9ab77a8 2023-08-23 op &alt_exists) == -1)
326 f9ab77a8 2023-08-23 op * As per RFC 6125 section 6.4.4, if any known alternate name existed
327 f9ab77a8 2023-08-23 op * in the certificate, we do not attempt to match on the CN.
329 f9ab77a8 2023-08-23 op if (*match || alt_exists)
332 f9ab77a8 2023-08-23 op return tls_check_common_name(ctx, cert, name, match);