/src/gnutls/lib/x509/hostname-verify.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2003-2016 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2015-2016 Red Hat, Inc. |
4 | | * Copyright (C) 2002 Andrew McDonald |
5 | | * |
6 | | * This file is part of GnuTLS. |
7 | | * |
8 | | * The GnuTLS is free software; you can redistribute it and/or |
9 | | * modify it under the terms of the GNU Lesser General Public License |
10 | | * as published by the Free Software Foundation; either version 2.1 of |
11 | | * the License, or (at your option) any later version. |
12 | | * |
13 | | * This library is distributed in the hope that it will be useful, but |
14 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
16 | | * Lesser General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public License |
19 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
20 | | * |
21 | | */ |
22 | | |
23 | | #include "gnutls_int.h" |
24 | | #include <str.h> |
25 | | #include <x509_int.h> |
26 | | #include <common.h> |
27 | | #include "errors.h" |
28 | | #include <system.h> |
29 | | #include <netinet/in.h> |
30 | | #include <arpa/inet.h> |
31 | | |
32 | | /** |
33 | | * gnutls_x509_crt_check_hostname: |
34 | | * @cert: should contain an gnutls_x509_crt_t type |
35 | | * @hostname: A null terminated string that contains a DNS name |
36 | | * |
37 | | * This function will check if the given certificate's subject matches |
38 | | * the given hostname. This is a basic implementation of the matching |
39 | | * described in RFC6125, and takes into account wildcards, |
40 | | * and the DNSName/IPAddress subject alternative name PKIX extension. |
41 | | * |
42 | | * For details see also gnutls_x509_crt_check_hostname2(). |
43 | | * |
44 | | * Returns: non-zero for a successful match, and zero on failure. |
45 | | **/ |
46 | | unsigned |
47 | | gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert, const char *hostname) |
48 | 0 | { |
49 | 0 | return gnutls_x509_crt_check_hostname2(cert, hostname, 0); |
50 | 0 | } |
51 | | |
52 | | static int check_ip(gnutls_x509_crt_t cert, const void *ip, unsigned ip_size) |
53 | 0 | { |
54 | 0 | char temp[16]; |
55 | 0 | size_t temp_size; |
56 | 0 | unsigned i; |
57 | 0 | int ret = 0; |
58 | | |
59 | | /* try matching against: |
60 | | * 1) a IPaddress alternative name (subjectAltName) extension |
61 | | * in the certificate |
62 | | */ |
63 | | |
64 | | /* Check through all included subjectAltName extensions, comparing |
65 | | * against all those of type IPAddress. |
66 | | */ |
67 | 0 | for (i = 0; !(ret < 0); i++) { |
68 | 0 | temp_size = sizeof(temp); |
69 | 0 | ret = gnutls_x509_crt_get_subject_alt_name(cert, i, |
70 | 0 | temp, |
71 | 0 | &temp_size, NULL); |
72 | |
|
73 | 0 | if (ret == GNUTLS_SAN_IPADDRESS) { |
74 | 0 | if (temp_size == ip_size |
75 | 0 | && memcmp(temp, ip, ip_size) == 0) |
76 | 0 | return 1; |
77 | 0 | } else if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { |
78 | 0 | ret = 0; |
79 | 0 | } |
80 | 0 | } |
81 | | |
82 | | /* not found a matching IP |
83 | | */ |
84 | 0 | return 0; |
85 | 0 | } |
86 | | |
87 | | /** |
88 | | * gnutls_x509_crt_check_ip: |
89 | | * @cert: should contain an gnutls_x509_crt_t type |
90 | | * @ip: A pointer to the raw IP address |
91 | | * @ip_size: the number of bytes in ip (4 or 16) |
92 | | * @flags: should be zero |
93 | | * |
94 | | * This function will check if the IP allowed IP addresses in |
95 | | * the certificate's subject alternative name match the provided |
96 | | * IP address. |
97 | | * |
98 | | * Returns: non-zero for a successful match, and zero on failure. |
99 | | **/ |
100 | | unsigned |
101 | | gnutls_x509_crt_check_ip(gnutls_x509_crt_t cert, |
102 | | const unsigned char *ip, unsigned int ip_size, |
103 | | unsigned int flags) |
104 | 0 | { |
105 | 0 | return check_ip(cert, ip, ip_size); |
106 | 0 | } |
107 | | |
108 | | /* whether gnutls_x509_crt_check_hostname2() will consider these |
109 | | * alternative name types. This is to satisfy RFC6125 requirement |
110 | | * that we do not fallback to CN-ID if we encounter a supported name |
111 | | * type. |
112 | | */ |
113 | 0 | #define IS_SAN_SUPPORTED(san) (san==GNUTLS_SAN_DNSNAME||san==GNUTLS_SAN_IPADDRESS) |
114 | | |
115 | | /** |
116 | | * gnutls_x509_crt_check_hostname2: |
117 | | * @cert: should contain an gnutls_x509_crt_t type |
118 | | * @hostname: A null terminated string that contains a DNS name |
119 | | * @flags: gnutls_certificate_verify_flags |
120 | | * |
121 | | * This function will check if the given certificate's subject matches |
122 | | * the given hostname. This is a basic implementation of the matching |
123 | | * described in RFC6125, and takes into account wildcards, |
124 | | * and the DNSName/IPAddress subject alternative name PKIX extension. |
125 | | * |
126 | | * IPv4 addresses are accepted by this function in the dotted-decimal |
127 | | * format (e.g, ddd.ddd.ddd.ddd), and IPv6 addresses in the hexadecimal |
128 | | * x:x:x:x:x:x:x:x format. For them the IPAddress subject alternative |
129 | | * name extension is consulted. Previous versions to 3.6.0 of GnuTLS |
130 | | * in case of a non-match would consult (in a non-standard extension) |
131 | | * the DNSname and CN fields. This is no longer the case. |
132 | | * |
133 | | * When the flag %GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS is specified no |
134 | | * wildcards are considered. Otherwise they are only considered if the |
135 | | * domain name consists of three components or more, and the wildcard |
136 | | * starts at the leftmost position. |
137 | | |
138 | | * When the flag %GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES is specified, |
139 | | * the input will be treated as a DNS name, and matching of textual IP addresses |
140 | | * against the IPAddress part of the alternative name will not be allowed. |
141 | | * |
142 | | * The function gnutls_x509_crt_check_ip() is available for matching |
143 | | * IP addresses. |
144 | | * |
145 | | * Returns: non-zero for a successful match, and zero on failure. |
146 | | * |
147 | | * Since: 3.3.0 |
148 | | **/ |
149 | | unsigned |
150 | | gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert, |
151 | | const char *hostname, unsigned int flags) |
152 | 0 | { |
153 | 0 | char dnsname[MAX_CN]; |
154 | 0 | size_t dnsnamesize; |
155 | 0 | int found_dnsname = 0; |
156 | 0 | int ret = 0; |
157 | 0 | int i = 0; |
158 | 0 | struct in_addr ipv4; |
159 | 0 | char *p = NULL; |
160 | 0 | char *a_hostname; |
161 | 0 | unsigned have_other_addresses = 0; |
162 | 0 | gnutls_datum_t out; |
163 | | |
164 | | /* check whether @hostname is an ip address */ |
165 | 0 | if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES) && |
166 | 0 | ((p = strchr(hostname, ':')) != NULL |
167 | 0 | || inet_pton(AF_INET, hostname, &ipv4) != 0)) { |
168 | |
|
169 | 0 | if (p != NULL) { |
170 | 0 | struct in6_addr ipv6; |
171 | |
|
172 | 0 | ret = inet_pton(AF_INET6, hostname, &ipv6); |
173 | 0 | if (ret == 0) { |
174 | 0 | gnutls_assert(); |
175 | 0 | goto hostname_fallback; |
176 | 0 | } |
177 | 0 | ret = check_ip(cert, &ipv6, 16); |
178 | 0 | } else { |
179 | 0 | ret = check_ip(cert, &ipv4, 4); |
180 | 0 | } |
181 | | |
182 | | /* Prior to 3.6.0 we were accepting misconfigured servers, that place their IP |
183 | | * in the DNS field of subjectAlternativeName. That is no longer the case. */ |
184 | 0 | return ret; |
185 | 0 | } |
186 | | |
187 | 0 | hostname_fallback: |
188 | | /* convert the provided hostname to ACE-Labels domain. */ |
189 | 0 | ret = gnutls_idna_map(hostname, strlen(hostname), &out, 0); |
190 | 0 | if (ret < 0) { |
191 | 0 | _gnutls_debug_log |
192 | 0 | ("unable to convert hostname %s to IDNA format\n", |
193 | 0 | hostname); |
194 | 0 | a_hostname = (char *)hostname; |
195 | 0 | } else { |
196 | 0 | a_hostname = (char *)out.data; |
197 | 0 | } |
198 | | |
199 | | /* try matching against: |
200 | | * 1) a DNS name as an alternative name (subjectAltName) extension |
201 | | * in the certificate |
202 | | * 2) the common name (CN) in the certificate, if the certificate is acceptable for TLS_WWW_SERVER purpose |
203 | | * |
204 | | * either of these may be of the form: *.domain.tld |
205 | | * |
206 | | * only try (2) if there is no subjectAltName extension of |
207 | | * type dNSName, and there is a single CN. |
208 | | */ |
209 | | |
210 | | /* Check through all included subjectAltName extensions, comparing |
211 | | * against all those of type dNSName. |
212 | | */ |
213 | 0 | for (i = 0; !(ret < 0); i++) { |
214 | |
|
215 | 0 | dnsnamesize = sizeof(dnsname); |
216 | 0 | ret = gnutls_x509_crt_get_subject_alt_name(cert, i, |
217 | 0 | dnsname, |
218 | 0 | &dnsnamesize, NULL); |
219 | |
|
220 | 0 | if (ret == GNUTLS_SAN_DNSNAME) { |
221 | 0 | found_dnsname = 1; |
222 | |
|
223 | 0 | if (_gnutls_has_embedded_null(dnsname, dnsnamesize)) { |
224 | 0 | _gnutls_debug_log |
225 | 0 | ("certificate has %s with embedded null in name\n", |
226 | 0 | dnsname); |
227 | 0 | continue; |
228 | 0 | } |
229 | | |
230 | 0 | if (!_gnutls_str_is_print(dnsname, dnsnamesize)) { |
231 | 0 | _gnutls_debug_log |
232 | 0 | ("invalid (non-ASCII) name in certificate %.*s\n", |
233 | 0 | (int)dnsnamesize, dnsname); |
234 | 0 | continue; |
235 | 0 | } |
236 | | |
237 | 0 | ret = |
238 | 0 | _gnutls_hostname_compare(dnsname, dnsnamesize, |
239 | 0 | a_hostname, flags); |
240 | 0 | if (ret != 0) { |
241 | 0 | ret = 1; |
242 | 0 | goto cleanup; |
243 | 0 | } |
244 | 0 | } else { |
245 | 0 | if (IS_SAN_SUPPORTED(ret)) |
246 | 0 | have_other_addresses = 1; |
247 | 0 | } |
248 | 0 | } |
249 | | |
250 | 0 | if (!have_other_addresses && !found_dnsname |
251 | 0 | && _gnutls_check_key_purpose(cert, GNUTLS_KP_TLS_WWW_SERVER, |
252 | 0 | 0) != 0) { |
253 | | /* did not get the necessary extension, use CN instead, if the |
254 | | * certificate would have been acceptable for a TLS WWW server purpose. |
255 | | * That is because only for that purpose the CN is a valid field to |
256 | | * store the hostname. |
257 | | */ |
258 | | |
259 | | /* enforce the RFC6125 (ยง1.8) requirement that only |
260 | | * a single CN must be present */ |
261 | 0 | dnsnamesize = sizeof(dnsname); |
262 | 0 | ret = gnutls_x509_crt_get_dn_by_oid |
263 | 0 | (cert, OID_X520_COMMON_NAME, 1, 0, dnsname, &dnsnamesize); |
264 | 0 | if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { |
265 | 0 | ret = 0; |
266 | 0 | goto cleanup; |
267 | 0 | } |
268 | | |
269 | 0 | dnsnamesize = sizeof(dnsname); |
270 | 0 | ret = gnutls_x509_crt_get_dn_by_oid |
271 | 0 | (cert, OID_X520_COMMON_NAME, 0, 0, dnsname, &dnsnamesize); |
272 | 0 | if (ret < 0) { |
273 | 0 | ret = 0; |
274 | 0 | goto cleanup; |
275 | 0 | } |
276 | | |
277 | 0 | if (_gnutls_has_embedded_null(dnsname, dnsnamesize)) { |
278 | 0 | _gnutls_debug_log |
279 | 0 | ("certificate has CN %s with embedded null in name\n", |
280 | 0 | dnsname); |
281 | 0 | ret = 0; |
282 | 0 | goto cleanup; |
283 | 0 | } |
284 | | |
285 | 0 | if (!_gnutls_str_is_print(dnsname, dnsnamesize)) { |
286 | 0 | _gnutls_debug_log |
287 | 0 | ("invalid (non-ASCII) name in certificate CN %.*s\n", |
288 | 0 | (int)dnsnamesize, dnsname); |
289 | 0 | ret = 0; |
290 | 0 | goto cleanup; |
291 | 0 | } |
292 | | |
293 | 0 | ret = |
294 | 0 | _gnutls_hostname_compare(dnsname, dnsnamesize, a_hostname, |
295 | 0 | flags); |
296 | 0 | if (ret != 0) { |
297 | 0 | ret = 1; |
298 | 0 | goto cleanup; |
299 | 0 | } |
300 | 0 | } |
301 | | |
302 | | /* not found a matching name |
303 | | */ |
304 | 0 | ret = 0; |
305 | 0 | cleanup: |
306 | 0 | if (a_hostname != hostname) { |
307 | 0 | gnutls_free(a_hostname); |
308 | 0 | } |
309 | 0 | return ret; |
310 | 0 | } |