void *X509V3_EXT_d2i(X509_EXTENSION *ext) { const X509V3_EXT_METHOD *method; const unsigned char *p; ASN1_STRING *extvalue; int extlen; if ((method = X509V3_EXT_get(ext)) == NULL) return NULL; extvalue = X509_EXTENSION_get_data(ext); p = ASN1_STRING_get0_data(extvalue); extlen = ASN1_STRING_length(extvalue); if (method->it) return ASN1_item_d2i(NULL, &p, extlen, ASN1_ITEM_ptr(method->it)); return method->d2i(NULL, &p, extlen); }
END_TEST START_TEST(ssl_key_identifier_sha1_01) { X509 *c; EVP_PKEY *k; unsigned char keyid[SSL_KEY_IDSZ]; c = ssl_x509_load(TESTCERT); fail_unless(!!c, "loading certificate failed"); k = ssl_key_load(TESTKEY); fail_unless(!!k, "loading key failed"); fail_unless(ssl_key_identifier_sha1(k, keyid) == 0, "ssl_key_identifier_sha1() failed"); int loc = X509_get_ext_by_NID(c, NID_subject_key_identifier, -1); X509_EXTENSION *ext = X509_get_ext(c, loc); fail_unless(!!ext, "loading ext failed"); ASN1_STRING *value = X509_EXTENSION_get_data(ext); fail_unless(ASN1_STRING_length(value) - 2 == SSL_KEY_IDSZ, "extension length mismatch"); fail_unless(!memcmp(ASN1_STRING_get0_data(value) + 2, keyid, SSL_KEY_IDSZ), "key id mismatch"); EVP_PKEY_free(k); X509_free(c); }
static int pkey_mac_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) { MAC_PKEY_CTX *sctx, *dctx; if (!pkey_mac_init(dst)) return 0; sctx = EVP_PKEY_CTX_get_data(src); dctx = EVP_PKEY_CTX_get_data(dst); if (!EVP_MAC_CTX_copy(dctx->ctx, sctx->ctx)) goto err; switch (dctx->type) { case MAC_TYPE_RAW: dctx->raw_data.md = sctx->raw_data.md; if (ASN1_STRING_get0_data(&sctx->raw_data.ktmp) != NULL && !ASN1_STRING_copy(&dctx->raw_data.ktmp, &sctx->raw_data.ktmp)) goto err; break; case MAC_TYPE_MAC: /* Nothing more to do */ break; default: /* This should be dead code */ return 0; } return 1; err: pkey_mac_cleanup (dst); return 0; }
static HostnameValidationResult validate_name(const char *hostname, ASN1_STRING *certname_asn1) { #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) char *certname_s = (char *) ASN1_STRING_get0_data(certname_asn1); #else char *certname_s = (char *) ASN1_STRING_data(certname_asn1); #endif int certname_len = ASN1_STRING_length(certname_asn1), hostname_len = strlen(hostname); // Make sure there isn't an embedded NUL character in the DNS name if (has_nul(certname_s, certname_len)) { return MalformedCertificate; } // remove last '.' from hostname if (hostname_len != 0 && hostname[hostname_len - 1] == '.') --hostname_len; // skip the first segment if wildcard if (certname_len > 2 && certname_s[0] == '*' && certname_s[1] == '.') { if (hostname_len != 0) { do { --hostname_len; if (*hostname++ == '.') break; } while (hostname_len != 0); } certname_s += 2; certname_len -= 2; } // Compare expected hostname with the DNS name if (certname_len != hostname_len) { return MatchNotFound; } return memeq_ncase(hostname, certname_s, hostname_len) ? MatchFound : MatchNotFound; }
/* int max_len: for returned value */ int ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *a, long *num, unsigned char *data, int max_len) { asn1_int_oct *atmp = NULL; int ret = -1, n; if ((a->type != V_ASN1_SEQUENCE) || (a->value.sequence == NULL)) { goto err; } atmp = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(asn1_int_oct), a); if (atmp == NULL) goto err; if (num != NULL) *num = atmp->num; ret = ASN1_STRING_length(atmp->oct); if (max_len > ret) n = ret; else n = max_len; if (data != NULL) memcpy(data, ASN1_STRING_get0_data(atmp->oct), n); if (ret == -1) { err: ASN1err(ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING, ASN1_R_DATA_IS_WRONG); } M_ASN1_free_of(atmp, asn1_int_oct); return ret; }
static char * get_peer_common_name(const struct ssl_stream *sslv) { X509 *peer_cert = SSL_get_peer_certificate(sslv->ssl); if (!peer_cert) { return NULL; } int cn_index = X509_NAME_get_index_by_NID(X509_get_subject_name(peer_cert), NID_commonName, -1); if (cn_index < 0) { return NULL; } X509_NAME_ENTRY *cn_entry = X509_NAME_get_entry( X509_get_subject_name(peer_cert), cn_index); if (!cn_entry) { return NULL; } ASN1_STRING *cn_data = X509_NAME_ENTRY_get_data(cn_entry); if (!cn_data) { return NULL; } const char *cn; #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER) /* ASN1_STRING_data() is deprecated as of OpenSSL version 1.1 */ cn = (const char *)ASN1_STRING_data(cn_data); #else cn = (const char *)ASN1_STRING_get0_data(cn_data); #endif return xstrdup(cn); }
static void CheckCRL(X509 *x509) { int idx = -1; do { int critical = -1; STACK_OF(DIST_POINT) *crls = X509_get_ext_d2i(x509, NID_crl_distribution_points, &critical, &idx); if (crls == NULL) { if (critical >= 0) { /* Found but fails to parse */ SetError(ERR_INVALID); continue; } /* Not found */ break; } for (int i = 0; i < sk_DIST_POINT_num(crls); i++) { DIST_POINT *dp = sk_DIST_POINT_value(crls, i); if (dp->distpoint == NULL && dp->CRLissuer == NULL) { SetError(ERR_INVALID_CRL_DIST_POINT); } if (dp->distpoint != NULL && dp->distpoint->type == 0) { /* full name */ for (int j = 0; j < sk_GENERAL_NAME_num(dp->distpoint->name.fullname); j++) { GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->distpoint->name.fullname, j); int type; ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &type); if (type == GEN_URI) { CheckValidURL(ASN1_STRING_get0_data(uri), ASN1_STRING_length(uri)); } else { SetInfo(INF_CRL_NOT_URL); } CheckGeneralNameType(gen); } } else { /* relative name */ SetWarning(WARN_CRL_RELATIVE); } } sk_DIST_POINT_pop_free(crls, DIST_POINT_free); } while (1); }
int X509_ocspid_print(BIO *bp, X509 *x) { unsigned char *der = NULL; unsigned char *dertmp; int derlen; int i; unsigned char SHA1md[SHA_DIGEST_LENGTH]; ASN1_BIT_STRING *keybstr; X509_NAME *subj; /* * display the hash of the subject as it would appear in OCSP requests */ if (BIO_printf(bp, " Subject OCSP hash: ") <= 0) goto err; subj = X509_get_subject_name(x); derlen = i2d_X509_NAME(subj, NULL); if ((der = dertmp = OPENSSL_malloc(derlen)) == NULL) goto err; i2d_X509_NAME(subj, &dertmp); if (!EVP_Digest(der, derlen, SHA1md, NULL, EVP_sha1(), NULL)) goto err; for (i = 0; i < SHA_DIGEST_LENGTH; i++) { if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0) goto err; } OPENSSL_free(der); der = NULL; /* * display the hash of the public key as it would appear in OCSP requests */ if (BIO_printf(bp, "\n Public key OCSP hash: ") <= 0) goto err; keybstr = X509_get0_pubkey_bitstr(x); if (keybstr == NULL) goto err; if (!EVP_Digest(ASN1_STRING_get0_data(keybstr), ASN1_STRING_length(keybstr), SHA1md, NULL, EVP_sha1(), NULL)) goto err; for (i = 0; i < SHA_DIGEST_LENGTH; i++) { if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0) goto err; } BIO_printf(bp, "\n"); return 1; err: OPENSSL_free(der); return 0; }
/* int max_len: for returned value */ int ASN1_TYPE_get_octetstring(const ASN1_TYPE *a, unsigned char *data, int max_len) { int ret, num; const unsigned char *p; if ((a->type != V_ASN1_OCTET_STRING) || (a->value.octet_string == NULL)) { ASN1err(ASN1_F_ASN1_TYPE_GET_OCTETSTRING, ASN1_R_DATA_IS_WRONG); return -1; } p = ASN1_STRING_get0_data(a->value.octet_string); ret = ASN1_STRING_length(a->value.octet_string); if (ret < max_len) num = ret; else num = max_len; memcpy(data, p, num); return ret; }
static int openssl_push_xname_entry(lua_State* L, X509_NAME_ENTRY* ne, int obj) { ASN1_OBJECT* object = X509_NAME_ENTRY_get_object(ne); ASN1_STRING* value = X509_NAME_ENTRY_get_data(ne); lua_newtable(L); if(obj) { openssl_push_asn1object(L, object); PUSH_ASN1_STRING(L, value); } else { lua_pushstring(L, OBJ_nid2sn(OBJ_obj2nid(object))); lua_pushlstring(L, (const char*)ASN1_STRING_get0_data(value), ASN1_STRING_length(value)); } lua_settable(L, -3); return 1; }
/*** get text by given asn1_object or nid @function get_text @tparam string|integer|asn1_object identid for asn1_object @tparam[opt=-1] number lastpos retrieve the next index after lastpos @treturn string text and followed by lastpos */ static int openssl_xname_get_text(lua_State*L) { X509_NAME* xn = CHECK_OBJECT(1, X509_NAME, "openssl.x509_name"); ASN1_OBJECT *obj = openssl_get_asn1object(L, 2, 0); int lastpos = luaL_optint(L, 3, -1); X509_NAME_ENTRY *e; ASN1_STRING *s; lastpos = X509_NAME_get_index_by_OBJ(xn, obj, lastpos); ASN1_OBJECT_free(obj); if (lastpos == -1) return 0; e = X509_NAME_get_entry(xn, lastpos); s = X509_NAME_ENTRY_get_data(e); lua_pushlstring(L, (const char *)ASN1_STRING_get0_data(s), ASN1_STRING_length(s)); lua_pushinteger(L, lastpos); return 2; };
static void timestamp_print(uint64_t timestamp, BIO *out) { ASN1_GENERALIZEDTIME *gen = ASN1_GENERALIZEDTIME_new(); char genstr[20]; if (gen == NULL) return; ASN1_GENERALIZEDTIME_adj(gen, (time_t)0, (int)(timestamp / 86400000), (timestamp % 86400000) / 1000); /* * Note GeneralizedTime from ASN1_GENERALIZETIME_adj is always 15 * characters long with a final Z. Update it with fractional seconds. */ BIO_snprintf(genstr, sizeof(genstr), "%.14s.%03dZ", ASN1_STRING_get0_data(gen), (unsigned int)(timestamp % 1000)); if (ASN1_GENERALIZEDTIME_set_string(gen, genstr)) ASN1_GENERALIZEDTIME_print(out, gen); ASN1_GENERALIZEDTIME_free(gen); }
static int ecx_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) { const unsigned char *p; int plen; ASN1_OCTET_STRING *oct = NULL; const X509_ALGOR *palg; int rv; if (!PKCS8_pkey_get0(NULL, &p, &plen, &palg, p8)) return 0; oct = d2i_ASN1_OCTET_STRING(NULL, &p, plen); if (oct == NULL) { p = NULL; plen = 0; } else { p = ASN1_STRING_get0_data(oct); plen = ASN1_STRING_length(oct); } rv = ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, plen, KEY_OP_PRIVATE); ASN1_OCTET_STRING_free(oct); return rv; }
/** check if a provided cert matches a passed hostname */ bool _mongoc_openssl_check_cert (SSL *ssl, const char *host, bool allow_invalid_hostname) { X509 *peer; X509_NAME *subject_name; X509_NAME_ENTRY *entry; ASN1_STRING *entry_data; int length; int idx; int r = 0; long verify_status; size_t addrlen = 0; unsigned char addr4[sizeof (struct in_addr)]; unsigned char addr6[sizeof (struct in6_addr)]; int i; int n_sans = -1; int target = GEN_DNS; STACK_OF (GENERAL_NAME) *sans = NULL; ENTRY; BSON_ASSERT (ssl); BSON_ASSERT (host); if (allow_invalid_hostname) { RETURN (true); } /** if the host looks like an IP address, match that, otherwise we assume we * have a DNS name */ if (inet_pton (AF_INET, host, &addr4)) { target = GEN_IPADD; addrlen = sizeof addr4; } else if (inet_pton (AF_INET6, host, &addr6)) { target = GEN_IPADD; addrlen = sizeof addr6; } peer = SSL_get_peer_certificate (ssl); if (!peer) { MONGOC_WARNING ("SSL Certification verification failed: %s", ERR_error_string (ERR_get_error (), NULL)); RETURN (false); } verify_status = SSL_get_verify_result (ssl); if (verify_status == X509_V_OK) { /* gets a stack of alt names that we can iterate through */ sans = (STACK_OF (GENERAL_NAME) *) X509_get_ext_d2i ( (X509 *) peer, NID_subject_alt_name, NULL, NULL); if (sans) { n_sans = sk_GENERAL_NAME_num (sans); /* loop through the stack, or until we find a match */ for (i = 0; i < n_sans && !r; i++) { const GENERAL_NAME *name = sk_GENERAL_NAME_value (sans, i); /* skip entries that can't apply, I.e. IP entries if we've got a * DNS host */ if (name->type == target) { const char *check; check = (const char *) ASN1_STRING_get0_data (name->d.ia5); length = ASN1_STRING_length (name->d.ia5); switch (target) { case GEN_DNS: /* check that we don't have an embedded null byte */ if ((length == bson_strnlen (check, length)) && _mongoc_openssl_hostcheck (check, host)) { r = 1; } break; case GEN_IPADD: if (length == addrlen) { if (length == sizeof addr6 && !memcmp (check, &addr6, length)) { r = 1; } else if (length == sizeof addr4 && !memcmp (check, &addr4, length)) { r = 1; } } break; default: BSON_ASSERT (0); break; } } } GENERAL_NAMES_free (sans); } else { subject_name = X509_get_subject_name (peer); if (subject_name) { i = -1; /* skip to the last common name */ while ((idx = X509_NAME_get_index_by_NID ( subject_name, NID_commonName, i)) >= 0) { i = idx; } if (i >= 0) { entry = X509_NAME_get_entry (subject_name, i); entry_data = X509_NAME_ENTRY_get_data (entry); if (entry_data) { char *check; /* TODO: I've heard tell that old versions of SSL crap out * when calling ASN1_STRING_to_UTF8 on already utf8 data. * Check up on that */ length = ASN1_STRING_to_UTF8 ((unsigned char **) &check, entry_data); if (length >= 0) { /* check for embedded nulls */ if ((length == bson_strnlen (check, length)) && _mongoc_openssl_hostcheck (check, host)) { r = 1; } OPENSSL_free (check); } } } } } }
/* See RFC 5280 section 4.2.1.6 for SubjectAltName details. */ static int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name) { STACK_OF(GENERAL_NAME) *altname_stack = NULL; union tls_addr addrbuf; int addrlen, type; int count, i; int rv = -1; altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); if (altname_stack == NULL) return -1; if (inet_pton(AF_INET, name, &addrbuf) == 1) { type = GEN_IPADD; addrlen = 4; } else if (inet_pton(AF_INET6, name, &addrbuf) == 1) { type = GEN_IPADD; addrlen = 16; } else { type = GEN_DNS; addrlen = 0; } count = sk_GENERAL_NAME_num(altname_stack); for (i = 0; i < count; i++) { GENERAL_NAME *altname; altname = sk_GENERAL_NAME_value(altname_stack, i); if (altname->type != type) continue; if (type == GEN_DNS) { const void *data; int format, len; format = ASN1_STRING_type(altname->d.dNSName); if (format == V_ASN1_IA5STRING) { data = ASN1_STRING_get0_data(altname->d.dNSName); len = ASN1_STRING_length(altname->d.dNSName); if (len < 0 || len != (int)strlen(data)) { tls_set_errorx(ctx, "error verifying name '%s': " "NUL byte in subjectAltName, " "probably a malicious certificate", name); rv = -2; break; } /* * Per RFC 5280 section 4.2.1.6: * " " is a legal domain name, but that * dNSName must be rejected. */ if (strcmp(data, " ") == 0) { tls_set_error(ctx, "error verifying name '%s': " "a dNSName of \" \" must not be " "used", name); rv = -2; break; } if (tls_match_name(data, name) == 0) { rv = 0; break; } } else { #ifdef DEBUG fprintf(stdout, "%s: unhandled subjectAltName " "dNSName encoding (%d)\n", getprogname(), format); #endif } } else if (type == GEN_IPADD) { const unsigned char *data; int datalen; datalen = ASN1_STRING_length(altname->d.iPAddress); data = ASN1_STRING_get0_data(altname->d.iPAddress); if (datalen < 0) { tls_set_errorx(ctx, "Unexpected negative length for an " "IP address: %d", datalen); rv = -2; break; } /* * Per RFC 5280 section 4.2.1.6: * IPv4 must use 4 octets and IPv6 must use 16 octets. */ if (datalen == addrlen && memcmp(data, &addrbuf, addrlen) == 0) { rv = 0; break; } } } sk_GENERAL_NAME_pop_free(altname_stack, GENERAL_NAME_free); return rv; }
/** Extract attributes from an X509 certificate * * @param cursor to copy attributes to. * @param ctx to allocate attributes in. * @param session current TLS session. * @param cert to validate. * @param depth the certificate is in the certificate chain (0 == leaf). * @return * - 0 on success. * - < 0 on failure. */ int tls_session_pairs_from_x509_cert(fr_cursor_t *cursor, TALLOC_CTX *ctx, tls_session_t *session, X509 *cert, int depth) { char buffer[1024]; char attribute[256]; char **identity; int attr_index, loc; #if OPENSSL_VERSION_NUMBER >= 0x10100000L STACK_OF(X509_EXTENSION) const *ext_list = NULL; #else STACK_OF(X509_EXTENSION) *ext_list = NULL; #endif ASN1_INTEGER *sn = NULL; ASN1_TIME *asn_time = NULL; VALUE_PAIR *vp = NULL; REQUEST *request; #define CERT_ATTR_ADD(_attr, _attr_index, _value) tls_session_cert_attr_add(ctx, request, cursor, _attr, _attr_index, _value) attr_index = depth; if (attr_index > 1) attr_index = 1; request = (REQUEST *)SSL_get_ex_data(session->ssl, FR_TLS_EX_INDEX_REQUEST); rad_assert(request != NULL); identity = (char **)SSL_get_ex_data(session->ssl, FR_TLS_EX_INDEX_IDENTITY); if (RDEBUG_ENABLED3) { buffer[0] = '\0'; X509_NAME_oneline(X509_get_subject_name(cert), buffer, sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; RDEBUG3("Creating attributes for \"%s\":", buffer[0] ? buffer : "Cert missing subject OID"); } /* * Get the Serial Number */ sn = X509_get_serialNumber(cert); if (sn && ((size_t) sn->length < (sizeof(buffer) / 2))) { char *p = buffer; int i; for (i = 0; i < sn->length; i++) { sprintf(p, "%02x", (unsigned int)sn->data[i]); p += 2; } CERT_ATTR_ADD(IDX_SERIAL, attr_index, buffer); } /* * Get the Expiration Date */ buffer[0] = '\0'; asn_time = X509_get_notAfter(cert); if (identity && asn_time && (asn_time->length < (int)sizeof(buffer))) { time_t expires; /* * Add expiration as a time since the epoch */ if (tls_utils_asn1time_to_epoch(&expires, asn_time) < 0) { RPWDEBUG("Failed parsing certificate expiry time"); } else { vp = CERT_ATTR_ADD(IDX_EXPIRATION, attr_index, NULL); vp->vp_date = expires; } } /* * Get the Subject & Issuer */ buffer[0] = '\0'; X509_NAME_oneline(X509_get_subject_name(cert), buffer, sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; if (identity && buffer[0]) { CERT_ATTR_ADD(IDX_SUBJECT, attr_index, buffer); /* * Get the Common Name, if there is a subject. */ X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, buffer, sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; if (buffer[0]) { CERT_ATTR_ADD(IDX_COMMON_NAME, attr_index, buffer); } } X509_NAME_oneline(X509_get_issuer_name(cert), buffer, sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; if (identity && buffer[0]) { CERT_ATTR_ADD(IDX_ISSUER, attr_index, buffer); } /* * Get the RFC822 Subject Alternative Name */ loc = X509_get_ext_by_NID(cert, NID_subject_alt_name, 0); if (loc >= 0) { X509_EXTENSION *ext = NULL; GENERAL_NAMES *names = NULL; int i; ext = X509_get_ext(cert, loc); if (ext && (names = X509V3_EXT_d2i(ext))) { for (i = 0; i < sk_GENERAL_NAME_num(names); i++) { GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i); switch (name->type) { #ifdef GEN_EMAIL case GEN_EMAIL: { #if OPENSSL_VERSION_NUMBER >= 0x10100000L char const *rfc822Name = (char const *)ASN1_STRING_get0_data(name->d.rfc822Name); #else char *rfc822Name = (char *)ASN1_STRING_data(name->d.rfc822Name); #endif CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_EMAIL, attr_index, rfc822Name); break; } #endif /* GEN_EMAIL */ #ifdef GEN_DNS case GEN_DNS: { #if OPENSSL_VERSION_NUMBER >= 0x10100000L char const *dNSName = (char const *)ASN1_STRING_get0_data(name->d.dNSName); #else char *dNSName = (char *)ASN1_STRING_data(name->d.dNSName); #endif CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_DNS, attr_index, dNSName); break; } #endif /* GEN_DNS */ #ifdef GEN_OTHERNAME case GEN_OTHERNAME: /* look for a MS UPN */ if (NID_ms_upn != OBJ_obj2nid(name->d.otherName->type_id)) break; /* we've got a UPN - Must be ASN1-encoded UTF8 string */ if (name->d.otherName->value->type == V_ASN1_UTF8STRING) { CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_UPN, attr_index, (char *)name->d.otherName->value->value.utf8string); break; } RWARN("Invalid UPN in Subject Alt Name (should be UTF-8)"); break; #endif /* GEN_OTHERNAME */ default: /* XXX TODO handle other SAN types */ break; } } } if (names != NULL) GENERAL_NAMES_free(names); } /* * Only add extensions for the actual client certificate */ if (attr_index == 0) { #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ext_list = X509_get0_extensions(cert); #else ext_list = cert->cert_info->extensions; #endif /* * Grab the X509 extensions, and create attributes out of them. * For laziness, we re-use the OpenSSL names */ if (sk_X509_EXTENSION_num(ext_list) > 0) { int i, len; char *p; BIO *out; out = BIO_new(BIO_s_mem()); strlcpy(attribute, "TLS-Client-Cert-", sizeof(attribute)); for (i = 0; i < sk_X509_EXTENSION_num(ext_list); i++) { char value[1024]; ASN1_OBJECT *obj; X509_EXTENSION *ext; fr_dict_attr_t const *da; ext = sk_X509_EXTENSION_value(ext_list, i); obj = X509_EXTENSION_get_object(ext); i2a_ASN1_OBJECT(out, obj); len = BIO_read(out, attribute + 16 , sizeof(attribute) - 16 - 1); if (len <= 0) continue; attribute[16 + len] = '\0'; for (p = attribute + 16; *p != '\0'; p++) if (*p == ' ') *p = '-'; X509V3_EXT_print(out, ext, 0, 0); len = BIO_read(out, value , sizeof(value) - 1); if (len <= 0) continue; value[len] = '\0'; da = fr_dict_attr_by_name(dict_freeradius, attribute); if (!da) { RWDEBUG3("Skipping attribute %s: " "Add dictionary definition if you want to access it", attribute); continue; } MEM(vp = fr_pair_afrom_da(request, da)); if (fr_pair_value_from_str(vp, value, -1, '\0', true) < 0) { RPWDEBUG3("Skipping: %s += '%s'", attribute, value); talloc_free(vp); continue; } fr_cursor_append(cursor, vp); } BIO_free_all(out); } } return 0; }
static int verify_server_cert(SSL *ssl, const char *host) { X509 *cert; X509_NAME *peer_name; ASN1_STRING *str; unsigned char *peer_cn = NULL; int matched = -1, type = GEN_DNS; GENERAL_NAMES *alts; struct in6_addr addr6; struct in_addr addr4; void *addr; int i = -1,j; if (SSL_get_verify_result(ssl) != X509_V_OK) { giterr_set(GITERR_SSL, "the SSL certificate is invalid"); return GIT_ECERTIFICATE; } /* Try to parse the host as an IP address to see if it is */ if (p_inet_pton(AF_INET, host, &addr4)) { type = GEN_IPADD; addr = &addr4; } else { if(p_inet_pton(AF_INET6, host, &addr6)) { type = GEN_IPADD; addr = &addr6; } } cert = SSL_get_peer_certificate(ssl); if (!cert) { giterr_set(GITERR_SSL, "the server did not provide a certificate"); return -1; } /* Check the alternative names */ alts = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); if (alts) { int num; num = sk_GENERAL_NAME_num(alts); for (i = 0; i < num && matched != 1; i++) { const GENERAL_NAME *gn = sk_GENERAL_NAME_value(alts, i); const char *name = (char *) ASN1_STRING_get0_data(gn->d.ia5); size_t namelen = (size_t) ASN1_STRING_length(gn->d.ia5); /* Skip any names of a type we're not looking for */ if (gn->type != type) continue; if (type == GEN_DNS) { /* If it contains embedded NULs, don't even try */ if (memchr(name, '\0', namelen)) continue; if (check_host_name(name, host) < 0) matched = 0; else matched = 1; } else if (type == GEN_IPADD) { /* Here name isn't so much a name but a binary representation of the IP */ matched = !!memcmp(name, addr, namelen); } } } GENERAL_NAMES_free(alts); if (matched == 0) goto cert_fail_name; if (matched == 1) return 0; /* If no alternative names are available, check the common name */ peer_name = X509_get_subject_name(cert); if (peer_name == NULL) goto on_error; if (peer_name) { /* Get the index of the last CN entry */ while ((j = X509_NAME_get_index_by_NID(peer_name, NID_commonName, i)) >= 0) i = j; } if (i < 0) goto on_error; str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(peer_name, i)); if (str == NULL) goto on_error; /* Work around a bug in OpenSSL whereby ASN1_STRING_to_UTF8 fails if it's already in utf-8 */ if (ASN1_STRING_type(str) == V_ASN1_UTF8STRING) { int size = ASN1_STRING_length(str); if (size > 0) { peer_cn = OPENSSL_malloc(size + 1); GITERR_CHECK_ALLOC(peer_cn); memcpy(peer_cn, ASN1_STRING_get0_data(str), size); peer_cn[size] = '\0'; } else { goto cert_fail_name; } } else { int size = ASN1_STRING_to_UTF8(&peer_cn, str); GITERR_CHECK_ALLOC(peer_cn); if (memchr(peer_cn, '\0', size)) goto cert_fail_name; } if (check_host_name((char *)peer_cn, host) < 0) goto cert_fail_name; OPENSSL_free(peer_cn); return 0; on_error: OPENSSL_free(peer_cn); return ssl_set_error(ssl, 0); cert_fail_name: OPENSSL_free(peer_cn); giterr_set(GITERR_SSL, "hostname does not match certificate"); return GIT_ECERTIFICATE; }