op public repos

Blob

Date:: Wed Aug 23 17:38:49 2023 UTC
Message:: bundle libtls gmid (like all other daemons that want to do privsep crypto) has a very close relationship with libtls and need to stay in sync with it. OpenBSD' libtls was recently changed to use OpenSSL' EC_KEY_METHOD instead of the older ECDSA_METHOD, on the gmid side we have to do the same otherwise failures happens at runtime. In a similar manner, privsep crypto is silently broken in the current libretls (next version should fix it.) The proper solution would be to complete the signer APIs so that applications don't need to dive into the library' internals, but that's a mid-term goal, for the immediate bundling the 'little' libtls is the lesser evil. The configure script has gained a new (undocumented for the time being) flag `--with-libtls=bundled|system' to control which libtls to use. It defaults to `bundled' except for OpenBSD where it uses the `system' one. Note that OpenBSD versions before 7.3 (inclusive) ought to use --with-libtls=bundled too since they still do ECDSA_METHOD.
Actions:: History | Blame | Raw File

1 /* $OpenBSD: tls_verify.c,v 1.23 2023/05/11 07:35:27 tb Exp $ */
2 /*
3  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include "config.h"
19 
20 #include <sys/socket.h>
21 
22 #include <arpa/inet.h>
23 #include <netinet/in.h>
24 
25 #include <string.h>
26 
27 #include <openssl/x509v3.h>
28 
29 #include <tls.h>
30 #include "tls_internal.h"
31 
32 static int
33 tls_match_name(const char *cert_name, const char *name)
34 {
35 	const char *cert_domain, *domain, *next_dot;
36 
37 	if (strcasecmp(cert_name, name) == 0)
38 		return 0;
39 
40 	/* Wildcard match? */
41 	if (cert_name[0] == '*') {
42 		/*
43 		 * Valid wildcards:
44 		 * - "*.domain.tld"
45 		 * - "*.sub.domain.tld"
46 		 * - etc.
47 		 * Reject "*.tld".
48 		 * No attempt to prevent the use of eg. "*.co.uk".
49 		 */
50 		cert_domain = &cert_name[1];
51 		/* Disallow "*"  */
52 		if (cert_domain[0] == '\0')
53 			return -1;
54 		/* Disallow "*foo" */
55 		if (cert_domain[0] != '.')
56 			return -1;
57 		/* Disallow "*.." */
58 		if (cert_domain[1] == '.')
59 			return -1;
60 		next_dot = strchr(&cert_domain[1], '.');
61 		/* Disallow "*.bar" */
62 		if (next_dot == NULL)
63 			return -1;
64 		/* Disallow "*.bar.." */
65 		if (next_dot[1] == '.')
66 			return -1;
67 
68 		domain = strchr(name, '.');
69 
70 		/* No wildcard match against a name with no host part. */
71 		if (name[0] == '.')
72 			return -1;
73 		/* No wildcard match against a name with no domain part. */
74 		if (domain == NULL || strlen(domain) == 1)
75 			return -1;
76 
77 		if (strcasecmp(cert_domain, domain) == 0)
78 			return 0;
79 	}
80 
81 	return -1;
82 }
83 
84 /*
85  * See RFC 5280 section 4.2.1.6 for SubjectAltName details.
86  * alt_match is set to 1 if a matching alternate name is found.
87  * alt_exists is set to 1 if any known alternate name exists in the certificate.
88  */
89 static int
90 tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
91     int *alt_match, int *alt_exists)
92 {
93 	STACK_OF(GENERAL_NAME) *altname_stack = NULL;
94 	union tls_addr addrbuf;
95 	int addrlen, type;
96 	int count, i;
97 	int rv = 0;
98 
99 	*alt_match = 0;
100 	*alt_exists = 0;
101 
102 	altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name,
103 	    NULL, NULL);
104 	if (altname_stack == NULL)
105 		return 0;
106 
107 	if (inet_pton(AF_INET, name, &addrbuf) == 1) {
108 		type = GEN_IPADD;
109 		addrlen = 4;
110 	} else if (inet_pton(AF_INET6, name, &addrbuf) == 1) {
111 		type = GEN_IPADD;
112 		addrlen = 16;
113 	} else {
114 		type = GEN_DNS;
115 		addrlen = 0;
116 	}
117 
118 	count = sk_GENERAL_NAME_num(altname_stack);
119 	for (i = 0; i < count; i++) {
120 		GENERAL_NAME *altname;
121 
122 		altname = sk_GENERAL_NAME_value(altname_stack, i);
123 
124 		if (altname->type == GEN_DNS || altname->type == GEN_IPADD)
125 			*alt_exists = 1;
126 
127 		if (altname->type != type)
128 			continue;
129 
130 		if (type == GEN_DNS) {
131 			const unsigned char *data;
132 			int format, len;
133 
134 			format = ASN1_STRING_type(altname->d.dNSName);
135 			if (format == V_ASN1_IA5STRING) {
136 				data = ASN1_STRING_get0_data(altname->d.dNSName);
137 				len = ASN1_STRING_length(altname->d.dNSName);
138 
139 				if (len < 0 || (size_t)len != strlen(data)) {
140 					tls_set_errorx(ctx,
141 					    "error verifying name '%s': "
142 					    "NUL byte in subjectAltName, "
143 					    "probably a malicious certificate",
144 					    name);
145 					rv = -1;
146 					break;
147 				}
148 
149 				/*
150 				 * Per RFC 5280 section 4.2.1.6:
151 				 * " " is a legal domain name, but that
152 				 * dNSName must be rejected.
153 				 */
154 				if (strcmp(data, " ") == 0) {
155 					tls_set_errorx(ctx,
156 					    "error verifying name '%s': "
157 					    "a dNSName of \" \" must not be "
158 					    "used", name);
159 					rv = -1;
160 					break;
161 				}
162 
163 				if (tls_match_name(data, name) == 0) {
164 					*alt_match = 1;
165 					break;
166 				}
167 			} else {
168 #ifdef DEBUG
169 				fprintf(stdout, "%s: unhandled subjectAltName "
170 				    "dNSName encoding (%d)\n", getprogname(),
171 				    format);
172 #endif
173 			}
174 
175 		} else if (type == GEN_IPADD) {
176 			const unsigned char *data;
177 			int datalen;
178 
179 			datalen = ASN1_STRING_length(altname->d.iPAddress);
180 			data = ASN1_STRING_get0_data(altname->d.iPAddress);
181 
182 			if (datalen < 0) {
183 				tls_set_errorx(ctx,
184 				    "Unexpected negative length for an "
185 				    "IP address: %d", datalen);
186 				rv = -1;
187 				break;
188 			}
189 
190 			/*
191 			 * Per RFC 5280 section 4.2.1.6:
192 			 * IPv4 must use 4 octets and IPv6 must use 16 octets.
193 			 */
194 			if (datalen == addrlen &&
195 			    memcmp(data, &addrbuf, addrlen) == 0) {
196 				*alt_match = 1;
197 				break;
198 			}
199 		}
200 	}
201 
202 	sk_GENERAL_NAME_pop_free(altname_stack, GENERAL_NAME_free);
203 	return rv;
204 }
205 
206 static int
207 tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
208     int *cn_match)
209 {
210 	X509_NAME *subject_name;
211 	char *common_name = NULL;
212 	union tls_addr addrbuf;
213 	int common_name_len;
214 	int rv = -1;
215 
216 	*cn_match = 0;
217 
218 	subject_name = X509_get_subject_name(cert);
219 	if (subject_name == NULL)
220 		goto done;
221 
222 	common_name_len = X509_NAME_get_text_by_NID(subject_name,
223 	    NID_commonName, NULL, 0);
224 	if (common_name_len < 0)
225 		goto done;
226 
227 	common_name = calloc(common_name_len + 1, 1);
228 	if (common_name == NULL) {
229 		tls_set_error(ctx, "out of memory");
230 		goto err;
231 	}
232 
233 	X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name,
234 	    common_name_len + 1);
235 
236 	/* NUL bytes in CN? */
237 	if (common_name_len < 0 ||
238 	    (size_t)common_name_len != strlen(common_name)) {
239 		tls_set_errorx(ctx, "error verifying name '%s': "
240 		    "NUL byte in Common Name field, "
241 		    "probably a malicious certificate", name);
242 		goto err;
243 	}
244 
245 	/*
246 	 * We don't want to attempt wildcard matching against IP addresses,
247 	 * so perform a simple comparison here.
248 	 */
249 	if (inet_pton(AF_INET,  name, &addrbuf) == 1 ||
250 	    inet_pton(AF_INET6, name, &addrbuf) == 1) {
251 		if (strcmp(common_name, name) == 0)
252 			*cn_match = 1;
253 		goto done;
254 	}
255 
256 	if (tls_match_name(common_name, name) == 0)
257 		*cn_match = 1;
258 
259  done:
260 	rv = 0;
261 
262  err:
263 	free(common_name);
264 	return rv;
265 }
266 
267 int
268 tls_check_name(struct tls *ctx, X509 *cert, const char *name, int *match)
269 {
270 	int alt_exists;
271 
272 	*match = 0;
273 
274 	if (tls_check_subject_altname(ctx, cert, name, match,
275 	    &alt_exists) == -1)
276 		return -1;
277 
278 	/*
279 	 * As per RFC 6125 section 6.4.4, if any known alternate name existed
280 	 * in the certificate, we do not attempt to match on the CN.
281 	 */
282 	if (*match || alt_exists)
283 		return 0;
284 
285 	return tls_check_common_name(ctx, cert, name, match);
286 }