op public repos

Blob

Date:: Sun Jan 7 18:52:51 2024 UTC
Message:: sync libtls
Actions:: History | Blame | Raw File
1 /* $OpenBSD: tls_verify.c,v 1.29 2023/11/22 18:23:09 op Exp $ */
2 /*
3  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include "config.h"
19 
20 #include <sys/socket.h>
21 
22 #include <arpa/inet.h>
23 #include <netinet/in.h>
24 
25 #include <string.h>
26 
27 #include <openssl/x509v3.h>
28 
29 #include <tls.h>
30 #include "tls_internal.h"
31 
32 static int
33 tls_match_name(const char *cert_name, const char *name)
34 {
35 	const char *cert_domain, *domain, *next_dot;
36 
37 	if (strcasecmp(cert_name, name) == 0)
38 		return 0;
39 
40 	/* Wildcard match? */
41 	if (cert_name[0] == '*') {
42 		/*
43 		 * Valid wildcards:
44 		 * - "*.domain.tld"
45 		 * - "*.sub.domain.tld"
46 		 * - etc.
47 		 * Reject "*.tld".
48 		 * No attempt to prevent the use of eg. "*.co.uk".
49 		 */
50 		cert_domain = &cert_name[1];
51 		/* Disallow "*"  */
52 		if (cert_domain[0] == '\0')
53 			return -1;
54 		/* Disallow "*foo" */
55 		if (cert_domain[0] != '.')
56 			return -1;
57 		/* Disallow "*.." */
58 		if (cert_domain[1] == '.')
59 			return -1;
60 		next_dot = strchr(&cert_domain[1], '.');
61 		/* Disallow "*.bar" */
62 		if (next_dot == NULL)
63 			return -1;
64 		/* Disallow "*.bar.." */
65 		if (next_dot[1] == '.')
66 			return -1;
67 
68 		domain = strchr(name, '.');
69 
70 		/* No wildcard match against a name with no host part. */
71 		if (name[0] == '.')
72 			return -1;
73 		/* No wildcard match against a name with no domain part. */
74 		if (domain == NULL || strlen(domain) == 1)
75 			return -1;
76 
77 		if (strcasecmp(cert_domain, domain) == 0)
78 			return 0;
79 	}
80 
81 	return -1;
82 }
83 
84 /*
85  * See RFC 5280 section 4.2.1.6 for SubjectAltName details.
86  * alt_match is set to 1 if a matching alternate name is found.
87  * alt_exists is set to 1 if any known alternate name exists in the certificate.
88  */
89 static int
90 tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
91     int *alt_match, int *alt_exists)
92 {
93 	STACK_OF(GENERAL_NAME) *altname_stack = NULL;
94 	union tls_addr addrbuf;
95 	int addrlen, type;
96 	int count, i;
97 	int critical = 0;
98 	int rv = -1;
99 
100 	*alt_match = 0;
101 	*alt_exists = 0;
102 
103 	altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name, &critical,
104 	    NULL);
105 	if (altname_stack == NULL) {
106 		if (critical != -1) {
107 			tls_set_errorx(ctx, "error decoding subjectAltName");
108 			goto err;
109 		}
110 		goto done;
111 	}
112 
113 	if (inet_pton(AF_INET, name, &addrbuf) == 1) {
114 		type = GEN_IPADD;
115 		addrlen = 4;
116 	} else if (inet_pton(AF_INET6, name, &addrbuf) == 1) {
117 		type = GEN_IPADD;
118 		addrlen = 16;
119 	} else {
120 		type = GEN_DNS;
121 		addrlen = 0;
122 	}
123 
124 	count = sk_GENERAL_NAME_num(altname_stack);
125 	for (i = 0; i < count; i++) {
126 		GENERAL_NAME *altname;
127 
128 		altname = sk_GENERAL_NAME_value(altname_stack, i);
129 
130 		if (altname->type == GEN_DNS || altname->type == GEN_IPADD)
131 			*alt_exists = 1;
132 
133 		if (altname->type != type)
134 			continue;
135 
136 		if (type == GEN_DNS) {
137 			const unsigned char *data;
138 			int format, len;
139 
140 			format = ASN1_STRING_type(altname->d.dNSName);
141 			if (format == V_ASN1_IA5STRING) {
142 				data = ASN1_STRING_get0_data(altname->d.dNSName);
143 				len = ASN1_STRING_length(altname->d.dNSName);
144 
145 				if (len < 0 || (size_t)len != strlen(data)) {
146 					tls_set_errorx(ctx,
147 					    "error verifying name '%s': "
148 					    "NUL byte in subjectAltName, "
149 					    "probably a malicious certificate",
150 					    name);
151 					goto err;
152 				}
153 
154 				/*
155 				 * Per RFC 5280 section 4.2.1.6:
156 				 * " " is a legal domain name, but that
157 				 * dNSName must be rejected.
158 				 */
159 				if (strcmp(data, " ") == 0) {
160 					tls_set_errorx(ctx,
161 					    "error verifying name '%s': "
162 					    "a dNSName of \" \" must not be "
163 					    "used", name);
164 					goto err;
165 				}
166 
167 				if (tls_match_name(data, name) == 0) {
168 					*alt_match = 1;
169 					goto done;
170 				}
171 			} else {
172 #ifdef DEBUG
173 				fprintf(stdout, "%s: unhandled subjectAltName "
174 				    "dNSName encoding (%d)\n", getprogname(),
175 				    format);
176 #endif
177 			}
178 
179 		} else if (type == GEN_IPADD) {
180 			const unsigned char *data;
181 			int datalen;
182 
183 			datalen = ASN1_STRING_length(altname->d.iPAddress);
184 			data = ASN1_STRING_get0_data(altname->d.iPAddress);
185 
186 			if (datalen < 0) {
187 				tls_set_errorx(ctx,
188 				    "Unexpected negative length for an "
189 				    "IP address: %d", datalen);
190 				goto err;
191 			}
192 
193 			/*
194 			 * Per RFC 5280 section 4.2.1.6:
195 			 * IPv4 must use 4 octets and IPv6 must use 16 octets.
196 			 */
197 			if (datalen == addrlen &&
198 			    memcmp(data, &addrbuf, addrlen) == 0) {
199 				*alt_match = 1;
200 				goto done;
201 			}
202 		}
203 	}
204 
205  done:
206 	rv = 0;
207 
208  err:
209 	sk_GENERAL_NAME_pop_free(altname_stack, GENERAL_NAME_free);
210 	return rv;
211 }
212 
213 static int
214 tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
215     int *cn_match)
216 {
217 	unsigned char *utf8_bytes = NULL;
218 	X509_NAME *subject_name;
219 	char *common_name = NULL;
220 	union tls_addr addrbuf;
221 	int common_name_len;
222 	ASN1_STRING *data;
223 	int lastpos = -1;
224 	int rv = -1;
225 
226 	*cn_match = 0;
227 
228 	subject_name = X509_get_subject_name(cert);
229 	if (subject_name == NULL)
230 		goto done;
231 
232 	lastpos = X509_NAME_get_index_by_NID(subject_name,
233 	    NID_commonName, lastpos);
234 	if (lastpos == -1)
235 		goto done;
236 	if (lastpos < 0)
237 		goto err;
238 	if (X509_NAME_get_index_by_NID(subject_name, NID_commonName, lastpos)
239 	    != -1) {
240 		/*
241 		 * Having multiple CN's is possible, and even happened back in
242 		 * the glory days of mullets and Hammer pants. In anything like
243 		 * a modern TLS cert, CN is as close to deprecated as it gets,
244 		 * and having more than one is bad. We therefore fail if we have
245 		 * more than one CN fed to us in the subject, treating the
246 		 * certificate as hostile.
247 		 */
248 		tls_set_errorx(ctx, "error verifying name '%s': "
249 		    "Certificate subject contains multiple Common Name fields, "
250 		    "probably a malicious or malformed certificate", name);
251 		goto err;
252 	}
253 
254 	data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name,
255 	    lastpos));
256 	/*
257 	 * Fail if we cannot encode the CN bytes as UTF-8.
258 	 */
259 	if ((common_name_len = ASN1_STRING_to_UTF8(&utf8_bytes, data)) < 0) {
260 		tls_set_errorx(ctx, "error verifying name '%s': "
261 		    "Common Name field cannot be encoded as a UTF-8 string, "
262 		    "probably a malicious certificate", name);
263 		goto err;
264 	}
265 	/*
266 	 * Fail if the CN is of invalid length. RFC 5280 specifies that a CN
267 	 * must be between 1 and 64 bytes long.
268 	 */
269 	if (common_name_len < 1 || common_name_len > 64) {
270 		tls_set_errorx(ctx, "error verifying name '%s': "
271 		    "Common Name field has invalid length, "
272 		    "probably a malicious certificate", name);
273 		goto err;
274 	}
275 	/*
276 	 * Fail if the resulting text contains a NUL byte.
277 	 */
278 	if (memchr(utf8_bytes, 0, common_name_len) != NULL) {
279 		tls_set_errorx(ctx, "error verifying name '%s': "
280 		    "NUL byte in Common Name field, "
281 		    "probably a malicious certificate", name);
282 		goto err;
283 	}
284 
285 	common_name = strndup(utf8_bytes, common_name_len);
286 	if (common_name == NULL) {
287 		tls_set_error(ctx, "out of memory");
288 		goto err;
289 	}
290 
291 	/*
292 	 * We don't want to attempt wildcard matching against IP addresses,
293 	 * so perform a simple comparison here.
294 	 */
295 	if (inet_pton(AF_INET,  name, &addrbuf) == 1 ||
296 	    inet_pton(AF_INET6, name, &addrbuf) == 1) {
297 		if (strcmp(common_name, name) == 0)
298 			*cn_match = 1;
299 		goto done;
300 	}
301 
302 	if (tls_match_name(common_name, name) == 0)
303 		*cn_match = 1;
304 
305  done:
306 	rv = 0;
307 
308  err:
309 	free(utf8_bytes);
310 	free(common_name);
311 	return rv;
312 }
313 
314 int
315 tls_check_name(struct tls *ctx, X509 *cert, const char *name, int *match)
316 {
317 	int alt_exists;
318 
319 	*match = 0;
320 
321 	if (tls_check_subject_altname(ctx, cert, name, match,
322 	    &alt_exists) == -1)
323 		return -1;
324 
325 	/*
326 	 * As per RFC 6125 section 6.4.4, if any known alternate name existed
327 	 * in the certificate, we do not attempt to match on the CN.
328 	 */
329 	if (*match || alt_exists)
330 		return 0;
331 
332 	return tls_check_common_name(ctx, cert, name, match);
333 }