100-x509-crt-verify-SAN-iPAddress.patch 6.5 KB

  1. From eb9d4fdf1846e688d51d86a9a50f0312aca2af25 Mon Sep 17 00:00:00 2001
  2. From: Glenn Strauss <gstrauss@gluelogic.com>
  3. Date: Sun, 23 Oct 2022 19:48:18 -0400
  4. Subject: [PATCH] x509 crt verify SAN iPAddress
  5. Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
  6. ---
  7. include/mbedtls/x509_crt.h | 2 +-
  8. library/x509_crt.c | 126 ++++++++++++++++++++++++++++++-------
  9. 2 files changed, 103 insertions(+), 25 deletions(-)
  10. --- a/include/mbedtls/x509_crt.h
  11. +++ b/include/mbedtls/x509_crt.h
  12. @@ -608,7 +608,7 @@ int mbedtls_x509_crt_verify_info(char *b
  13. * \param cn The expected Common Name. This will be checked to be
  14. * present in the certificate's subjectAltNames extension or,
  15. * if this extension is absent, as a CN component in its
  16. - * Subject name. Currently only DNS names are supported. This
  17. + * Subject name. DNS names and IP addresses are supported. This
  18. * may be \c NULL if the CN need not be verified.
  19. * \param flags The address at which to store the result of the verification.
  20. * If the verification couldn't be completed, the flag value is
  21. --- a/library/x509_crt.c
  22. +++ b/library/x509_crt.c
  23. @@ -57,6 +57,10 @@
  24. #if defined(MBEDTLS_HAVE_TIME)
  25. #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
  26. +#define WIN32_LEAN_AND_MEAN
  27. +#ifndef _WIN32_WINNT
  28. +#define _WIN32_WINNT 0x0600
  29. +#endif
  30. #include <windows.h>
  31. #else
  32. #include <time.h>
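Review bot: The `#ifndef _WIN32_WINNT` / `#define _WIN32_WINNT 0x0600` fallback added here sits inside the `#if defined(MBEDTLS_HAVE_TIME)` guard at the top of the hunk, but the MinGW branch of the winsock include block later in this patch tests `_WIN32_WINNT >= 0x0600` unconditionally. On a MinGW build without MBEDTLS_HAVE_TIME, and where the toolchain does not predefine `_WIN32_WINNT`, that preprocessor test sees an undefined identifier (evaluates as 0), the winsock headers are skipped, `AF_INET6` stays undefined and iPAddress matching silently drops to the stub that never matches. Moving the three `#ifndef _WIN32_WINNT` lines out of the `MBEDTLS_HAVE_TIME` guard, or repeating them directly in front of the `<winsock2.h>` includes, removes the coupling; whether the toolchain predefines `_WIN32_WINNT` is build-dependent, so this is a likely rather than certain failure.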
  33. @@ -3002,6 +3006,61 @@ find_parent:
  34. }
  35. }
  36. +#ifdef _WIN32
  37. +#ifdef _MSC_VER
  38. +#pragma comment(lib, "ws2_32.lib")
  39. +#include <winsock2.h>
  40. +#include <ws2tcpip.h>
  41. +#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600
  42. +#include <winsock2.h>
  43. +#include <ws2tcpip.h>
  44. +#endif
  45. +#elif defined(__sun)
  46. +/* Solaris requires -lsocket -lnsl for inet_pton() */
  47. +#elif defined(__has_include)
  48. +#if __has_include(<sys/socket.h>)
  49. +#include <sys/socket.h>
  50. +#endif
  51. +#if __has_include(<arpa/inet.h>)
  52. +#include <arpa/inet.h>
  53. +#endif
  54. +#endif
  55. +
  56. +/* Use whether or not AF_INET6 is defined to indicate whether or not to use
  57. + * the platform inet_pton() or a local implementation (below). The local
  58. + * implementation may be used even in cases where the platform provides
  59. + * inet_pton(), e.g. when there are different includes required and/or the
  60. + * platform implementation requires dependencies on additional libraries.
  61. + * Specifically, Windows requires custom includes and additional link
  62. + * dependencies, and Solaris requires additional link dependencies.
  63. + * Also, as a coarse heuristic, use the local implementation if the compiler
  64. + * does not support __has_include(), or if the definition of AF_INET6 is not
  65. + * provided by headers included (or not) via __has_include() above. */
  66. +#ifndef AF_INET6
  67. +
  68. +#define x509_cn_inet_pton(cn, dst) (0)
  69. +
  70. +#else
  71. +
  72. +static int x509_inet_pton_ipv6(const char *src, void *dst)
  73. +{
  74. + return inet_pton(AF_INET6, src, dst) == 1 ? 0 : -1;
  75. +}
  76. +
  77. +static int x509_inet_pton_ipv4(const char *src, void *dst)
  78. +{
  79. + return inet_pton(AF_INET, src, dst) == 1 ? 0 : -1;
  80. +}
  81. +
  82. +#endif /* AF_INET6 */
  83. +
  84. +static size_t x509_cn_inet_pton(const char *cn, void *dst)
  85. +{
  86. + return strchr(cn, ':') == NULL
  87. + ? x509_inet_pton_ipv4(cn, dst) == 0 ? 4 : 0
  88. + : x509_inet_pton_ipv6(cn, dst) == 0 ? 16 : 0;
  89. +}
  90. +
  91. /*
  92. * Check for CN match
  93. */
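Review bot: The `#ifndef AF_INET6` branch does not look like it can compile: it defines `x509_cn_inet_pton` as a function-like macro expanding to `(0)`, yet the unconditional definition `static size_t x509_cn_inet_pton(const char *cn, void *dst)` at the end of the hunk supplies exactly two macro arguments and would be rewritten to `static size_t (0)`, and its body calls `x509_inet_pton_ipv4` / `x509_inet_pton_ipv6`, which exist only in the `#else` branch. The comment above also promises "a local implementation (below)" that is not present in this hunk. The smallest fix is to move the `#endif /* AF_INET6 */` line to after the closing brace of `x509_cn_inet_pton`, so the function and its two helpers are only compiled when the macro is not; alternatively replace the macro with a real stub `static size_t x509_cn_inet_pton(const char *cn, void *dst) { (void) cn; (void) dst; return 0; }`. Either way the no-`AF_INET6` path fails closed (a name that cannot be parsed yields 0 and the iPAddress check reports a mismatch), which is the right direction for a verifier; a comment stating that explicitly next to the stub would help the next reader.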
  94. @@ -3022,24 +3081,51 @@ static int x509_crt_check_cn(const mbedt
  95. return -1;
  96. }
  97. +static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san,
  98. + const char *cn, size_t cn_len)
  99. +{
  100. + uint32_t ip[4];
  101. + cn_len = x509_cn_inet_pton(cn, ip);
  102. + if (cn_len == 0) {
  103. + return -1;
  104. + }
  105. +
  106. + for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
  107. + const unsigned char san_type = (unsigned char) cur->buf.tag &
  108. + MBEDTLS_ASN1_TAG_VALUE_MASK;
  109. + if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
  110. + cur->buf.len == cn_len && memcmp(cur->buf.p, ip, cn_len) == 0) {
  111. + return 0;
  112. + }
  113. + }
  114. +
  115. + return -1;
  116. +}
  117. +
  118. /*
  119. * Check for SAN match, see RFC 5280 Section 4.2.1.6
  120. */
  121. -static int x509_crt_check_san(const mbedtls_x509_buf *name,
  122. +static int x509_crt_check_san(const mbedtls_x509_sequence *san,
  123. const char *cn, size_t cn_len)
  124. {
  125. - const unsigned char san_type = (unsigned char) name->tag &
  126. - MBEDTLS_ASN1_TAG_VALUE_MASK;
  127. -
  128. - /* dNSName */
  129. - if (san_type == MBEDTLS_X509_SAN_DNS_NAME) {
  130. - return x509_crt_check_cn(name, cn, cn_len);
  131. + int san_ip = 0;
  132. + for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
  133. + switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) {
  134. + case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */
  135. + if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) {
  136. + return 0;
  137. + }
  138. + break;
  139. + case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */
  140. + san_ip = 1;
  141. + break;
  142. + /* (We may handle other types here later.) */
  143. + default: /* Unrecognized type */
  144. + break;
  145. + }
  146. }
  147. - /* (We may handle other types here later.) */
  148. -
  149. - /* Unrecognized type */
  150. - return -1;
  151. + return san_ip ? x509_crt_check_san_ip(san, cn, cn_len) : -1;
  152. }
  153. /*
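Review bot: In `x509_crt_check_san_ip` the `cn_len` parameter, which in the caller is the byte length of the textual name, is overwritten with the 4- or 16-byte binary address length; a separate local reads more clearly, e.g. `const size_t ip_len = x509_cn_inet_pton(cn, ip);`, `if (ip_len == 0) { return -1; }`, and `cur->buf.len == ip_len && memcmp(cur->buf.p, ip, ip_len) == 0` (with `(void) cn_len;` if the parameter is then unused). The length equality test before `memcmp` is what keeps an iPAddress octet string of unexpected length (RFC 5280 requires exactly 4 or 16 octets) from causing an over-read of `ip[4]`, so that ordering is worth a one-line comment. Note also that `x509_crt_check_san` already walks the whole SAN list and only records `san_ip = 1`, after which `x509_crt_check_san_ip` walks it again; passing the parsed address down, or doing the comparison in the first loop, would avoid the second traversal, though the current form is correct.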
  154. @@ -3050,31 +3136,23 @@ static void x509_crt_verify_name(const m
  155. uint32_t *flags)
  156. {
  157. const mbedtls_x509_name *name;
  158. - const mbedtls_x509_sequence *cur;
  159. size_t cn_len = strlen(cn);
  160. if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
  161. - for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) {
  162. - if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) {
  163. - break;
  164. - }
  165. - }
  166. -
  167. - if (cur == NULL) {
  168. - *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
  169. + if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) {
  170. + return;
  171. }
  172. } else {
  173. for (name = &crt->subject; name != NULL; name = name->next) {
  174. if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 &&
  175. x509_crt_check_cn(&name->val, cn, cn_len) == 0) {
  176. - break;
  177. + return;
  178. }
  179. }
  180. - if (name == NULL) {
  181. - *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
  182. - }
  183. }
  184. +
  185. + *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
  186. }
  187. /*
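Review bot: `const mbedtls_x509_name *name;` at the top of `x509_crt_verify_name` is now the only top-of-block declaration left, and since the post-loop `if (name == NULL)` check that needed it to outlive the loop is removed, the cursor can be declared in the loop header as the new `x509_crt_check_san` does for its own cursor: `for (const mbedtls_x509_name *name = &crt->subject; name != NULL; name = name->next) {`. That keeps the two sibling loops in the same style and narrows the variable's scope. The function's signature begins before this hunk, so its parameter list is not visible here.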