/src/gnutls/lib/x509/hostname-verify.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2003-2016 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2015-2016 Red Hat, Inc. |
4 | | * Copyright (C) 2002 Andrew McDonald |
5 | | * |
6 | | * This file is part of GnuTLS. |
7 | | * |
8 | | * The GnuTLS is free software; you can redistribute it and/or |
9 | | * modify it under the terms of the GNU Lesser General Public License |
10 | | * as published by the Free Software Foundation; either version 2.1 of |
11 | | * the License, or (at your option) any later version. |
12 | | * |
13 | | * This library is distributed in the hope that it will be useful, but |
14 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
16 | | * Lesser General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public License |
19 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
20 | | * |
21 | | */ |
22 | | |
23 | | #include "gnutls_int.h" |
24 | | #include "str.h" |
25 | | #include "x509_int.h" |
26 | | #include "common.h" |
27 | | #include "errors.h" |
28 | | #include "system.h" |
29 | | #include <netinet/in.h> |
30 | | #include <arpa/inet.h> |
31 | | |
32 | | /** |
33 | | * gnutls_x509_crt_check_hostname: |
34 | | * @cert: should contain an gnutls_x509_crt_t type |
35 | | * @hostname: A null terminated string that contains a DNS name |
36 | | * |
37 | | * This function will check if the given certificate's subject matches |
38 | | * the given hostname. This is a basic implementation of the matching |
39 | | * described in RFC6125, and takes into account wildcards, |
40 | | * and the DNSName/IPAddress subject alternative name PKIX extension. |
41 | | * |
42 | | * For details see also gnutls_x509_crt_check_hostname2(). |
43 | | * |
44 | | * Returns: non-zero for a successful match, and zero on failure. |
45 | | **/ |
46 | | unsigned gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert, |
47 | | const char *hostname) |
48 | 0 | { |
49 | 0 | return gnutls_x509_crt_check_hostname2(cert, hostname, 0); |
50 | 0 | } |
51 | | |
52 | | static int check_ip(gnutls_x509_crt_t cert, const void *ip, unsigned ip_size) |
53 | 0 | { |
54 | 0 | char temp[16]; |
55 | 0 | size_t temp_size; |
56 | 0 | unsigned i; |
57 | 0 | int ret = 0; |
58 | | |
59 | | /* try matching against: |
60 | | * 1) a IPaddress alternative name (subjectAltName) extension |
61 | | * in the certificate |
62 | | */ |
63 | | |
64 | | /* Check through all included subjectAltName extensions, comparing |
65 | | * against all those of type IPAddress. |
66 | | */ |
67 | 0 | for (i = 0; !(ret < 0); i++) { |
68 | 0 | temp_size = sizeof(temp); |
69 | 0 | ret = gnutls_x509_crt_get_subject_alt_name(cert, i, temp, |
70 | 0 | &temp_size, NULL); |
71 | |
|
72 | 0 | if (ret == GNUTLS_SAN_IPADDRESS) { |
73 | 0 | if (temp_size == ip_size && |
74 | 0 | memcmp(temp, ip, ip_size) == 0) |
75 | 0 | return 1; |
76 | 0 | } else if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { |
77 | 0 | ret = 0; |
78 | 0 | } |
79 | 0 | } |
80 | | |
81 | | /* not found a matching IP |
82 | | */ |
83 | 0 | return 0; |
84 | 0 | } |
85 | | |
86 | | /** |
87 | | * gnutls_x509_crt_check_ip: |
88 | | * @cert: should contain an gnutls_x509_crt_t type |
89 | | * @ip: A pointer to the raw IP address |
90 | | * @ip_size: the number of bytes in ip (4 or 16) |
91 | | * @flags: should be zero |
92 | | * |
93 | | * This function will check if the IP allowed IP addresses in |
94 | | * the certificate's subject alternative name match the provided |
95 | | * IP address. |
96 | | * |
97 | | * Returns: non-zero for a successful match, and zero on failure. |
98 | | **/ |
99 | | unsigned gnutls_x509_crt_check_ip(gnutls_x509_crt_t cert, |
100 | | const unsigned char *ip, unsigned int ip_size, |
101 | | unsigned int flags) |
102 | 0 | { |
103 | 0 | return check_ip(cert, ip, ip_size); |
104 | 0 | } |
105 | | |
106 | | /* whether gnutls_x509_crt_check_hostname2() will consider these |
107 | | * alternative name types. This is to satisfy RFC6125 requirement |
108 | | * that we do not fallback to CN-ID if we encounter a supported name |
109 | | * type. |
110 | | */ |
111 | | #define IS_SAN_SUPPORTED(san) \ |
112 | 0 | (san == GNUTLS_SAN_DNSNAME || san == GNUTLS_SAN_IPADDRESS) |
113 | | |
114 | | /** |
115 | | * gnutls_x509_crt_check_hostname2: |
116 | | * @cert: should contain an gnutls_x509_crt_t type |
117 | | * @hostname: A null terminated string that contains a DNS name |
118 | | * @flags: gnutls_certificate_verify_flags |
119 | | * |
120 | | * This function will check if the given certificate's subject matches |
121 | | * the given hostname. This is a basic implementation of the matching |
122 | | * described in RFC6125, and takes into account wildcards, |
123 | | * and the DNSName/IPAddress subject alternative name PKIX extension. |
124 | | * |
125 | | * IPv4 addresses are accepted by this function in the dotted-decimal |
126 | | * format (e.g, ddd.ddd.ddd.ddd), and IPv6 addresses in the hexadecimal |
127 | | * x:x:x:x:x:x:x:x format. For them the IPAddress subject alternative |
128 | | * name extension is consulted. Previous versions to 3.6.0 of GnuTLS |
129 | | * in case of a non-match would consult (in a non-standard extension) |
130 | | * the DNSname and CN fields. This is no longer the case. |
131 | | * |
132 | | * When the flag %GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS is specified no |
133 | | * wildcards are considered. Otherwise they are only considered if the |
134 | | * domain name consists of three components or more, and the wildcard |
135 | | * starts at the leftmost position. |
136 | | |
137 | | * When the flag %GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES is specified, |
138 | | * the input will be treated as a DNS name, and matching of textual IP addresses |
139 | | * against the IPAddress part of the alternative name will not be allowed. |
140 | | * |
141 | | * The function gnutls_x509_crt_check_ip() is available for matching |
142 | | * IP addresses. |
143 | | * |
144 | | * Returns: non-zero for a successful match, and zero on failure. |
145 | | * |
146 | | * Since: 3.3.0 |
147 | | **/ |
148 | | unsigned gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert, |
149 | | const char *hostname, |
150 | | unsigned int flags) |
151 | 0 | { |
152 | 0 | char dnsname[MAX_CN]; |
153 | 0 | size_t dnsnamesize; |
154 | 0 | int found_dnsname = 0; |
155 | 0 | int ret = 0; |
156 | 0 | int i = 0; |
157 | 0 | struct in_addr ipv4; |
158 | 0 | char *p = NULL; |
159 | 0 | char *a_hostname; |
160 | 0 | unsigned have_other_addresses = 0; |
161 | 0 | gnutls_datum_t out; |
162 | | |
163 | | /* check whether @hostname is an ip address */ |
164 | 0 | if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES) && |
165 | 0 | ((p = strchr(hostname, ':')) != NULL || |
166 | 0 | inet_pton(AF_INET, hostname, &ipv4) != 0)) { |
167 | 0 | if (p != NULL) { |
168 | 0 | struct in6_addr ipv6; |
169 | |
|
170 | 0 | ret = inet_pton(AF_INET6, hostname, &ipv6); |
171 | 0 | if (ret == 0) { |
172 | 0 | gnutls_assert(); |
173 | 0 | goto hostname_fallback; |
174 | 0 | } |
175 | 0 | ret = check_ip(cert, &ipv6, 16); |
176 | 0 | } else { |
177 | 0 | ret = check_ip(cert, &ipv4, 4); |
178 | 0 | } |
179 | | |
180 | | /* Prior to 3.6.0 we were accepting misconfigured servers, that place their IP |
181 | | * in the DNS field of subjectAlternativeName. That is no longer the case. */ |
182 | 0 | return ret; |
183 | 0 | } |
184 | | |
185 | 0 | hostname_fallback: |
186 | | /* convert the provided hostname to ACE-Labels domain. */ |
187 | 0 | ret = gnutls_idna_map(hostname, strlen(hostname), &out, 0); |
188 | 0 | if (ret < 0) { |
189 | 0 | _gnutls_debug_log( |
190 | 0 | "unable to convert hostname %s to IDNA format\n", |
191 | 0 | hostname); |
192 | 0 | a_hostname = (char *)hostname; |
193 | 0 | } else { |
194 | 0 | a_hostname = (char *)out.data; |
195 | 0 | } |
196 | | |
197 | | /* try matching against: |
198 | | * 1) a DNS name as an alternative name (subjectAltName) extension |
199 | | * in the certificate |
200 | | * 2) the common name (CN) in the certificate, if the certificate is acceptable for TLS_WWW_SERVER purpose |
201 | | * |
202 | | * either of these may be of the form: *.domain.tld |
203 | | * |
204 | | * only try (2) if there is no subjectAltName extension of |
205 | | * type dNSName, and there is a single CN. |
206 | | */ |
207 | | |
208 | | /* Check through all included subjectAltName extensions, comparing |
209 | | * against all those of type dNSName. |
210 | | */ |
211 | 0 | for (i = 0; !(ret < 0); i++) { |
212 | 0 | dnsnamesize = sizeof(dnsname); |
213 | 0 | ret = gnutls_x509_crt_get_subject_alt_name(cert, i, dnsname, |
214 | 0 | &dnsnamesize, NULL); |
215 | |
|
216 | 0 | if (ret == GNUTLS_SAN_DNSNAME) { |
217 | 0 | found_dnsname = 1; |
218 | |
|
219 | 0 | if (memchr(dnsname, '\0', dnsnamesize)) { |
220 | 0 | _gnutls_debug_log( |
221 | 0 | "certificate has %s with embedded null in name\n", |
222 | 0 | dnsname); |
223 | 0 | continue; |
224 | 0 | } |
225 | | |
226 | 0 | if (!_gnutls_str_is_print(dnsname, dnsnamesize)) { |
227 | 0 | _gnutls_debug_log( |
228 | 0 | "invalid (non-ASCII) name in certificate %.*s\n", |
229 | 0 | (int)dnsnamesize, dnsname); |
230 | 0 | continue; |
231 | 0 | } |
232 | | |
233 | 0 | ret = _gnutls_hostname_compare(dnsname, dnsnamesize, |
234 | 0 | a_hostname, flags); |
235 | 0 | if (ret != 0) { |
236 | 0 | ret = 1; |
237 | 0 | goto cleanup; |
238 | 0 | } |
239 | 0 | } else { |
240 | 0 | if (IS_SAN_SUPPORTED(ret)) |
241 | 0 | have_other_addresses = 1; |
242 | 0 | } |
243 | 0 | } |
244 | | |
245 | 0 | if (!have_other_addresses && !found_dnsname && |
246 | 0 | _gnutls_check_key_purpose(cert, GNUTLS_KP_TLS_WWW_SERVER, 0) != 0) { |
247 | | /* did not get the necessary extension, use CN instead, if the |
248 | | * certificate would have been acceptable for a TLS WWW server purpose. |
249 | | * That is because only for that purpose the CN is a valid field to |
250 | | * store the hostname. |
251 | | */ |
252 | | |
253 | | /* enforce the RFC6125 (ยง1.8) requirement that only |
254 | | * a single CN must be present */ |
255 | 0 | dnsnamesize = sizeof(dnsname); |
256 | 0 | ret = gnutls_x509_crt_get_dn_by_oid(cert, OID_X520_COMMON_NAME, |
257 | 0 | 1, 0, dnsname, |
258 | 0 | &dnsnamesize); |
259 | 0 | if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { |
260 | 0 | ret = 0; |
261 | 0 | goto cleanup; |
262 | 0 | } |
263 | | |
264 | 0 | dnsnamesize = sizeof(dnsname); |
265 | 0 | ret = gnutls_x509_crt_get_dn_by_oid(cert, OID_X520_COMMON_NAME, |
266 | 0 | 0, 0, dnsname, |
267 | 0 | &dnsnamesize); |
268 | 0 | if (ret < 0) { |
269 | 0 | ret = 0; |
270 | 0 | goto cleanup; |
271 | 0 | } |
272 | | |
273 | 0 | if (memchr(dnsname, '\0', dnsnamesize)) { |
274 | 0 | _gnutls_debug_log( |
275 | 0 | "certificate has CN %s with embedded null in name\n", |
276 | 0 | dnsname); |
277 | 0 | ret = 0; |
278 | 0 | goto cleanup; |
279 | 0 | } |
280 | | |
281 | 0 | if (!_gnutls_str_is_print(dnsname, dnsnamesize)) { |
282 | 0 | _gnutls_debug_log( |
283 | 0 | "invalid (non-ASCII) name in certificate CN %.*s\n", |
284 | 0 | (int)dnsnamesize, dnsname); |
285 | 0 | ret = 0; |
286 | 0 | goto cleanup; |
287 | 0 | } |
288 | | |
289 | 0 | ret = _gnutls_hostname_compare(dnsname, dnsnamesize, a_hostname, |
290 | 0 | flags); |
291 | 0 | if (ret != 0) { |
292 | 0 | ret = 1; |
293 | 0 | goto cleanup; |
294 | 0 | } |
295 | 0 | } |
296 | | |
297 | | /* not found a matching name |
298 | | */ |
299 | 0 | ret = 0; |
300 | 0 | cleanup: |
301 | 0 | if (a_hostname != hostname) { |
302 | 0 | gnutls_free(a_hostname); |
303 | 0 | } |
304 | 0 | return ret; |
305 | 0 | } |