op public repos

Blame

Date:: Wed Aug 23 17:38:49 2023 UTC
Message:: bundle libtls gmid (like all other daemons that want to do privsep crypto) has a very close relationship with libtls and need to stay in sync with it. OpenBSD' libtls was recently changed to use OpenSSL' EC_KEY_METHOD instead of the older ECDSA_METHOD, on the gmid side we have to do the same otherwise failures happens at runtime. In a similar manner, privsep crypto is silently broken in the current libretls (next version should fix it.) The proper solution would be to complete the signer APIs so that applications don't need to dive into the library' internals, but that's a mid-term goal, for the immediate bundling the 'little' libtls is the lesser evil. The configure script has gained a new (undocumented for the time being) flag `--with-libtls=bundled|system' to control which libtls to use. It defaults to `bundled' except for OpenBSD where it uses the `system' one. Note that OpenBSD versions before 7.3 (inclusive) ought to use --with-libtls=bundled too since they still do ECDSA_METHOD.
Actions:: History | Blob | Raw File
  1 f9ab77a8 2023-08-23 op /* $OpenBSD: tls_verify.c,v 1.23 2023/05/11 07:35:27 tb Exp $ */
  2 f9ab77a8 2023-08-23 op /*
  3 f9ab77a8 2023-08-23 op  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  4 f9ab77a8 2023-08-23 op  *
  5 f9ab77a8 2023-08-23 op  * Permission to use, copy, modify, and distribute this software for any
  6 f9ab77a8 2023-08-23 op  * purpose with or without fee is hereby granted, provided that the above
  7 f9ab77a8 2023-08-23 op  * copyright notice and this permission notice appear in all copies.
  8 f9ab77a8 2023-08-23 op  *
  9 f9ab77a8 2023-08-23 op  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 10 f9ab77a8 2023-08-23 op  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 11 f9ab77a8 2023-08-23 op  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 12 f9ab77a8 2023-08-23 op  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 13 f9ab77a8 2023-08-23 op  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 14 f9ab77a8 2023-08-23 op  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 15 f9ab77a8 2023-08-23 op  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 16 f9ab77a8 2023-08-23 op  */
 17 f9ab77a8 2023-08-23 op 
 18 f9ab77a8 2023-08-23 op #include "config.h"
 19 f9ab77a8 2023-08-23 op 
 20 f9ab77a8 2023-08-23 op #include <sys/socket.h>
 21 f9ab77a8 2023-08-23 op 
 22 f9ab77a8 2023-08-23 op #include <arpa/inet.h>
 23 f9ab77a8 2023-08-23 op #include <netinet/in.h>
 24 f9ab77a8 2023-08-23 op 
 25 f9ab77a8 2023-08-23 op #include <string.h>
 26 f9ab77a8 2023-08-23 op 
 27 f9ab77a8 2023-08-23 op #include <openssl/x509v3.h>
 28 f9ab77a8 2023-08-23 op 
 29 f9ab77a8 2023-08-23 op #include <tls.h>
 30 f9ab77a8 2023-08-23 op #include "tls_internal.h"
 31 f9ab77a8 2023-08-23 op 
 32 f9ab77a8 2023-08-23 op static int
 33 f9ab77a8 2023-08-23 op tls_match_name(const char *cert_name, const char *name)
 34 f9ab77a8 2023-08-23 op {
 35 f9ab77a8 2023-08-23 op 	const char *cert_domain, *domain, *next_dot;
 36 f9ab77a8 2023-08-23 op 
 37 f9ab77a8 2023-08-23 op 	if (strcasecmp(cert_name, name) == 0)
 38 f9ab77a8 2023-08-23 op 		return 0;
 39 f9ab77a8 2023-08-23 op 
 40 f9ab77a8 2023-08-23 op 	/* Wildcard match? */
 41 f9ab77a8 2023-08-23 op 	if (cert_name[0] == '*') {
 42 f9ab77a8 2023-08-23 op 		/*
 43 f9ab77a8 2023-08-23 op 		 * Valid wildcards:
 44 f9ab77a8 2023-08-23 op 		 * - "*.domain.tld"
 45 f9ab77a8 2023-08-23 op 		 * - "*.sub.domain.tld"
 46 f9ab77a8 2023-08-23 op 		 * - etc.
 47 f9ab77a8 2023-08-23 op 		 * Reject "*.tld".
 48 f9ab77a8 2023-08-23 op 		 * No attempt to prevent the use of eg. "*.co.uk".
 49 f9ab77a8 2023-08-23 op 		 */
 50 f9ab77a8 2023-08-23 op 		cert_domain = &cert_name[1];
 51 f9ab77a8 2023-08-23 op 		/* Disallow "*"  */
 52 f9ab77a8 2023-08-23 op 		if (cert_domain[0] == '\0')
 53 f9ab77a8 2023-08-23 op 			return -1;
 54 f9ab77a8 2023-08-23 op 		/* Disallow "*foo" */
 55 f9ab77a8 2023-08-23 op 		if (cert_domain[0] != '.')
 56 f9ab77a8 2023-08-23 op 			return -1;
 57 f9ab77a8 2023-08-23 op 		/* Disallow "*.." */
 58 f9ab77a8 2023-08-23 op 		if (cert_domain[1] == '.')
 59 f9ab77a8 2023-08-23 op 			return -1;
 60 f9ab77a8 2023-08-23 op 		next_dot = strchr(&cert_domain[1], '.');
 61 f9ab77a8 2023-08-23 op 		/* Disallow "*.bar" */
 62 f9ab77a8 2023-08-23 op 		if (next_dot == NULL)
 63 f9ab77a8 2023-08-23 op 			return -1;
 64 f9ab77a8 2023-08-23 op 		/* Disallow "*.bar.." */
 65 f9ab77a8 2023-08-23 op 		if (next_dot[1] == '.')
 66 f9ab77a8 2023-08-23 op 			return -1;
 67 f9ab77a8 2023-08-23 op 
 68 f9ab77a8 2023-08-23 op 		domain = strchr(name, '.');
 69 f9ab77a8 2023-08-23 op 
 70 f9ab77a8 2023-08-23 op 		/* No wildcard match against a name with no host part. */
 71 f9ab77a8 2023-08-23 op 		if (name[0] == '.')
 72 f9ab77a8 2023-08-23 op 			return -1;
 73 f9ab77a8 2023-08-23 op 		/* No wildcard match against a name with no domain part. */
 74 f9ab77a8 2023-08-23 op 		if (domain == NULL || strlen(domain) == 1)
 75 f9ab77a8 2023-08-23 op 			return -1;
 76 f9ab77a8 2023-08-23 op 
 77 f9ab77a8 2023-08-23 op 		if (strcasecmp(cert_domain, domain) == 0)
 78 f9ab77a8 2023-08-23 op 			return 0;
 79 f9ab77a8 2023-08-23 op 	}
 80 f9ab77a8 2023-08-23 op 
 81 f9ab77a8 2023-08-23 op 	return -1;
 82 f9ab77a8 2023-08-23 op }
 83 f9ab77a8 2023-08-23 op 
 84 f9ab77a8 2023-08-23 op /*
 85 f9ab77a8 2023-08-23 op  * See RFC 5280 section 4.2.1.6 for SubjectAltName details.
 86 f9ab77a8 2023-08-23 op  * alt_match is set to 1 if a matching alternate name is found.
 87 f9ab77a8 2023-08-23 op  * alt_exists is set to 1 if any known alternate name exists in the certificate.
 88 f9ab77a8 2023-08-23 op  */
 89 f9ab77a8 2023-08-23 op static int
 90 f9ab77a8 2023-08-23 op tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
 91 f9ab77a8 2023-08-23 op     int *alt_match, int *alt_exists)
 92 f9ab77a8 2023-08-23 op {
 93 f9ab77a8 2023-08-23 op 	STACK_OF(GENERAL_NAME) *altname_stack = NULL;
 94 f9ab77a8 2023-08-23 op 	union tls_addr addrbuf;
 95 f9ab77a8 2023-08-23 op 	int addrlen, type;
 96 f9ab77a8 2023-08-23 op 	int count, i;
 97 f9ab77a8 2023-08-23 op 	int rv = 0;
 98 f9ab77a8 2023-08-23 op 
 99 f9ab77a8 2023-08-23 op 	*alt_match = 0;
100 f9ab77a8 2023-08-23 op 	*alt_exists = 0;
101 f9ab77a8 2023-08-23 op 
102 f9ab77a8 2023-08-23 op 	altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name,
103 f9ab77a8 2023-08-23 op 	    NULL, NULL);
104 f9ab77a8 2023-08-23 op 	if (altname_stack == NULL)
105 f9ab77a8 2023-08-23 op 		return 0;
106 f9ab77a8 2023-08-23 op 
107 f9ab77a8 2023-08-23 op 	if (inet_pton(AF_INET, name, &addrbuf) == 1) {
108 f9ab77a8 2023-08-23 op 		type = GEN_IPADD;
109 f9ab77a8 2023-08-23 op 		addrlen = 4;
110 f9ab77a8 2023-08-23 op 	} else if (inet_pton(AF_INET6, name, &addrbuf) == 1) {
111 f9ab77a8 2023-08-23 op 		type = GEN_IPADD;
112 f9ab77a8 2023-08-23 op 		addrlen = 16;
113 f9ab77a8 2023-08-23 op 	} else {
114 f9ab77a8 2023-08-23 op 		type = GEN_DNS;
115 f9ab77a8 2023-08-23 op 		addrlen = 0;
116 f9ab77a8 2023-08-23 op 	}
117 f9ab77a8 2023-08-23 op 
118 f9ab77a8 2023-08-23 op 	count = sk_GENERAL_NAME_num(altname_stack);
119 f9ab77a8 2023-08-23 op 	for (i = 0; i < count; i++) {
120 f9ab77a8 2023-08-23 op 		GENERAL_NAME *altname;
121 f9ab77a8 2023-08-23 op 
122 f9ab77a8 2023-08-23 op 		altname = sk_GENERAL_NAME_value(altname_stack, i);
123 f9ab77a8 2023-08-23 op 
124 f9ab77a8 2023-08-23 op 		if (altname->type == GEN_DNS || altname->type == GEN_IPADD)
125 f9ab77a8 2023-08-23 op 			*alt_exists = 1;
126 f9ab77a8 2023-08-23 op 
127 f9ab77a8 2023-08-23 op 		if (altname->type != type)
128 f9ab77a8 2023-08-23 op 			continue;
129 f9ab77a8 2023-08-23 op 
130 f9ab77a8 2023-08-23 op 		if (type == GEN_DNS) {
131 f9ab77a8 2023-08-23 op 			const unsigned char *data;
132 f9ab77a8 2023-08-23 op 			int format, len;
133 f9ab77a8 2023-08-23 op 
134 f9ab77a8 2023-08-23 op 			format = ASN1_STRING_type(altname->d.dNSName);
135 f9ab77a8 2023-08-23 op 			if (format == V_ASN1_IA5STRING) {
136 f9ab77a8 2023-08-23 op 				data = ASN1_STRING_get0_data(altname->d.dNSName);
137 f9ab77a8 2023-08-23 op 				len = ASN1_STRING_length(altname->d.dNSName);
138 f9ab77a8 2023-08-23 op 
139 f9ab77a8 2023-08-23 op 				if (len < 0 || (size_t)len != strlen(data)) {
140 f9ab77a8 2023-08-23 op 					tls_set_errorx(ctx,
141 f9ab77a8 2023-08-23 op 					    "error verifying name '%s': "
142 f9ab77a8 2023-08-23 op 					    "NUL byte in subjectAltName, "
143 f9ab77a8 2023-08-23 op 					    "probably a malicious certificate",
144 f9ab77a8 2023-08-23 op 					    name);
145 f9ab77a8 2023-08-23 op 					rv = -1;
146 f9ab77a8 2023-08-23 op 					break;
147 f9ab77a8 2023-08-23 op 				}
148 f9ab77a8 2023-08-23 op 
149 f9ab77a8 2023-08-23 op 				/*
150 f9ab77a8 2023-08-23 op 				 * Per RFC 5280 section 4.2.1.6:
151 f9ab77a8 2023-08-23 op 				 * " " is a legal domain name, but that
152 f9ab77a8 2023-08-23 op 				 * dNSName must be rejected.
153 f9ab77a8 2023-08-23 op 				 */
154 f9ab77a8 2023-08-23 op 				if (strcmp(data, " ") == 0) {
155 f9ab77a8 2023-08-23 op 					tls_set_errorx(ctx,
156 f9ab77a8 2023-08-23 op 					    "error verifying name '%s': "
157 f9ab77a8 2023-08-23 op 					    "a dNSName of \" \" must not be "
158 f9ab77a8 2023-08-23 op 					    "used", name);
159 f9ab77a8 2023-08-23 op 					rv = -1;
160 f9ab77a8 2023-08-23 op 					break;
161 f9ab77a8 2023-08-23 op 				}
162 f9ab77a8 2023-08-23 op 
163 f9ab77a8 2023-08-23 op 				if (tls_match_name(data, name) == 0) {
164 f9ab77a8 2023-08-23 op 					*alt_match = 1;
165 f9ab77a8 2023-08-23 op 					break;
166 f9ab77a8 2023-08-23 op 				}
167 f9ab77a8 2023-08-23 op 			} else {
168 f9ab77a8 2023-08-23 op #ifdef DEBUG
169 f9ab77a8 2023-08-23 op 				fprintf(stdout, "%s: unhandled subjectAltName "
170 f9ab77a8 2023-08-23 op 				    "dNSName encoding (%d)\n", getprogname(),
171 f9ab77a8 2023-08-23 op 				    format);
172 f9ab77a8 2023-08-23 op #endif
173 f9ab77a8 2023-08-23 op 			}
174 f9ab77a8 2023-08-23 op 
175 f9ab77a8 2023-08-23 op 		} else if (type == GEN_IPADD) {
176 f9ab77a8 2023-08-23 op 			const unsigned char *data;
177 f9ab77a8 2023-08-23 op 			int datalen;
178 f9ab77a8 2023-08-23 op 
179 f9ab77a8 2023-08-23 op 			datalen = ASN1_STRING_length(altname->d.iPAddress);
180 f9ab77a8 2023-08-23 op 			data = ASN1_STRING_get0_data(altname->d.iPAddress);
181 f9ab77a8 2023-08-23 op 
182 f9ab77a8 2023-08-23 op 			if (datalen < 0) {
183 f9ab77a8 2023-08-23 op 				tls_set_errorx(ctx,
184 f9ab77a8 2023-08-23 op 				    "Unexpected negative length for an "
185 f9ab77a8 2023-08-23 op 				    "IP address: %d", datalen);
186 f9ab77a8 2023-08-23 op 				rv = -1;
187 f9ab77a8 2023-08-23 op 				break;
188 f9ab77a8 2023-08-23 op 			}
189 f9ab77a8 2023-08-23 op 
190 f9ab77a8 2023-08-23 op 			/*
191 f9ab77a8 2023-08-23 op 			 * Per RFC 5280 section 4.2.1.6:
192 f9ab77a8 2023-08-23 op 			 * IPv4 must use 4 octets and IPv6 must use 16 octets.
193 f9ab77a8 2023-08-23 op 			 */
194 f9ab77a8 2023-08-23 op 			if (datalen == addrlen &&
195 f9ab77a8 2023-08-23 op 			    memcmp(data, &addrbuf, addrlen) == 0) {
196 f9ab77a8 2023-08-23 op 				*alt_match = 1;
197 f9ab77a8 2023-08-23 op 				break;
198 f9ab77a8 2023-08-23 op 			}
199 f9ab77a8 2023-08-23 op 		}
200 f9ab77a8 2023-08-23 op 	}
201 f9ab77a8 2023-08-23 op 
202 f9ab77a8 2023-08-23 op 	sk_GENERAL_NAME_pop_free(altname_stack, GENERAL_NAME_free);
203 f9ab77a8 2023-08-23 op 	return rv;
204 f9ab77a8 2023-08-23 op }
205 f9ab77a8 2023-08-23 op 
206 f9ab77a8 2023-08-23 op static int
207 f9ab77a8 2023-08-23 op tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
208 f9ab77a8 2023-08-23 op     int *cn_match)
209 f9ab77a8 2023-08-23 op {
210 f9ab77a8 2023-08-23 op 	X509_NAME *subject_name;
211 f9ab77a8 2023-08-23 op 	char *common_name = NULL;
212 f9ab77a8 2023-08-23 op 	union tls_addr addrbuf;
213 f9ab77a8 2023-08-23 op 	int common_name_len;
214 f9ab77a8 2023-08-23 op 	int rv = -1;
215 f9ab77a8 2023-08-23 op 
216 f9ab77a8 2023-08-23 op 	*cn_match = 0;
217 f9ab77a8 2023-08-23 op 
218 f9ab77a8 2023-08-23 op 	subject_name = X509_get_subject_name(cert);
219 f9ab77a8 2023-08-23 op 	if (subject_name == NULL)
220 f9ab77a8 2023-08-23 op 		goto done;
221 f9ab77a8 2023-08-23 op 
222 f9ab77a8 2023-08-23 op 	common_name_len = X509_NAME_get_text_by_NID(subject_name,
223 f9ab77a8 2023-08-23 op 	    NID_commonName, NULL, 0);
224 f9ab77a8 2023-08-23 op 	if (common_name_len < 0)
225 f9ab77a8 2023-08-23 op 		goto done;
226 f9ab77a8 2023-08-23 op 
227 f9ab77a8 2023-08-23 op 	common_name = calloc(common_name_len + 1, 1);
228 f9ab77a8 2023-08-23 op 	if (common_name == NULL) {
229 f9ab77a8 2023-08-23 op 		tls_set_error(ctx, "out of memory");
230 f9ab77a8 2023-08-23 op 		goto err;
231 f9ab77a8 2023-08-23 op 	}
232 f9ab77a8 2023-08-23 op 
233 f9ab77a8 2023-08-23 op 	X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name,
234 f9ab77a8 2023-08-23 op 	    common_name_len + 1);
235 f9ab77a8 2023-08-23 op 
236 f9ab77a8 2023-08-23 op 	/* NUL bytes in CN? */
237 f9ab77a8 2023-08-23 op 	if (common_name_len < 0 ||
238 f9ab77a8 2023-08-23 op 	    (size_t)common_name_len != strlen(common_name)) {
239 f9ab77a8 2023-08-23 op 		tls_set_errorx(ctx, "error verifying name '%s': "
240 f9ab77a8 2023-08-23 op 		    "NUL byte in Common Name field, "
241 f9ab77a8 2023-08-23 op 		    "probably a malicious certificate", name);
242 f9ab77a8 2023-08-23 op 		goto err;
243 f9ab77a8 2023-08-23 op 	}
244 f9ab77a8 2023-08-23 op 
245 f9ab77a8 2023-08-23 op 	/*
246 f9ab77a8 2023-08-23 op 	 * We don't want to attempt wildcard matching against IP addresses,
247 f9ab77a8 2023-08-23 op 	 * so perform a simple comparison here.
248 f9ab77a8 2023-08-23 op 	 */
249 f9ab77a8 2023-08-23 op 	if (inet_pton(AF_INET,  name, &addrbuf) == 1 ||
250 f9ab77a8 2023-08-23 op 	    inet_pton(AF_INET6, name, &addrbuf) == 1) {
251 f9ab77a8 2023-08-23 op 		if (strcmp(common_name, name) == 0)
252 f9ab77a8 2023-08-23 op 			*cn_match = 1;
253 f9ab77a8 2023-08-23 op 		goto done;
254 f9ab77a8 2023-08-23 op 	}
255 f9ab77a8 2023-08-23 op 
256 f9ab77a8 2023-08-23 op 	if (tls_match_name(common_name, name) == 0)
257 f9ab77a8 2023-08-23 op 		*cn_match = 1;
258 f9ab77a8 2023-08-23 op 
259 f9ab77a8 2023-08-23 op  done:
260 f9ab77a8 2023-08-23 op 	rv = 0;
261 f9ab77a8 2023-08-23 op 
262 f9ab77a8 2023-08-23 op  err:
263 f9ab77a8 2023-08-23 op 	free(common_name);
264 f9ab77a8 2023-08-23 op 	return rv;
265 f9ab77a8 2023-08-23 op }
266 f9ab77a8 2023-08-23 op 
267 f9ab77a8 2023-08-23 op int
268 f9ab77a8 2023-08-23 op tls_check_name(struct tls *ctx, X509 *cert, const char *name, int *match)
269 f9ab77a8 2023-08-23 op {
270 f9ab77a8 2023-08-23 op 	int alt_exists;
271 f9ab77a8 2023-08-23 op 
272 f9ab77a8 2023-08-23 op 	*match = 0;
273 f9ab77a8 2023-08-23 op 
274 f9ab77a8 2023-08-23 op 	if (tls_check_subject_altname(ctx, cert, name, match,
275 f9ab77a8 2023-08-23 op 	    &alt_exists) == -1)
276 f9ab77a8 2023-08-23 op 		return -1;
277 f9ab77a8 2023-08-23 op 
278 f9ab77a8 2023-08-23 op 	/*
279 f9ab77a8 2023-08-23 op 	 * As per RFC 6125 section 6.4.4, if any known alternate name existed
280 f9ab77a8 2023-08-23 op 	 * in the certificate, we do not attempt to match on the CN.
281 f9ab77a8 2023-08-23 op 	 */
282 f9ab77a8 2023-08-23 op 	if (*match || alt_exists)
283 f9ab77a8 2023-08-23 op 		return 0;
284 f9ab77a8 2023-08-23 op 
285 f9ab77a8 2023-08-23 op 	return tls_check_common_name(ctx, cert, name, match);
286 f9ab77a8 2023-08-23 op }