1 From 272d48fe7a2ff00285d4ee166d3a9beca1d5122f Mon Sep 17 00:00:00 2001
2 From: Glenn Strauss <gstrauss@gluelogic.com>
3 Date: Sun, 23 Oct 2022 19:48:18 -0400
4 Subject: [PATCH 1/4] x509 crt verify SAN iPAddress
6 Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
8 include/mbedtls/x509_crt.h | 2 +-
9 library/x509_crt.c | 115 +++++++++++++++++++++++++++++--------
10 2 files changed, 93 insertions(+), 24 deletions(-)
12 --- a/include/mbedtls/x509_crt.h
13 +++ b/include/mbedtls/x509_crt.h
14 @@ -597,7 +597,7 @@ int mbedtls_x509_crt_verify_info( char *
15 * \param cn The expected Common Name. This will be checked to be
16 * present in the certificate's subjectAltNames extension or,
17 * if this extension is absent, as a CN component in its
18 - * Subject name. Currently only DNS names are supported. This
19 + * Subject name. DNS names and IP addresses are supported. This
20 * may be \c NULL if the CN need not be verified.
21 * \param flags The address at which to store the result of the verification.
22 * If the verification couldn't be completed, the flag value is
23 --- a/library/x509_crt.c
24 +++ b/library/x509_crt.c
25 @@ -2986,6 +2986,54 @@ find_parent:
32 +/* Solaris requires -lsocket -lnsl for inet_pton() */
33 +#elif defined(__has_include)
34 +#if __has_include(<sys/socket.h>)
35 +#include <sys/socket.h>
37 +#if __has_include(<arpa/inet.h>)
38 +#include <arpa/inet.h>
42 +/* Use whether or not AF_INET6 is defined to indicate whether or not to use
43 + * the platform inet_pton() or a local implementation (below). The local
44 + * implementation may be used even in cases where the platform provides
45 + * inet_pton(), e.g. when there are different includes required and/or the
46 + * platform implementation requires dependencies on additional libraries.
47 + * Specifically, Windows requires custom includes and additional link
48 + * dependencies, and Solaris requires additional link dependencies.
49 + * Also, as a coarse heuristic, use the local implementation if the compiler
50 + * does not support __has_include(), or if the definition of AF_INET6 is not
51 + * provided by headers included (or not) via __has_include() above. */
54 +#define x509_cn_inet_pton( cn, dst ) ( 0 )
58 +static int x509_inet_pton_ipv6( const char *src, void *dst )
60 + return( inet_pton( AF_INET6, src, dst ) == 1 ? 0 : -1 );
63 +static int x509_inet_pton_ipv4( const char *src, void *dst )
65 + return( inet_pton( AF_INET, src, dst ) == 1 ? 0 : -1 );
68 +#endif /* AF_INET6 */
70 +static size_t x509_cn_inet_pton( const char *cn, void *dst )
72 + return( strchr( cn, ':' ) == NULL
73 + ? x509_inet_pton_ipv4( cn, dst ) == 0 ? 4 : 0
74 + : x509_inet_pton_ipv6( cn, dst ) == 0 ? 16 : 0 );
80 @@ -3008,23 +3056,51 @@ static int x509_crt_check_cn( const mbed
84 +static int x509_crt_check_san_ip( const mbedtls_x509_sequence *san,
85 + const char *cn, size_t cn_len )
88 + cn_len = x509_cn_inet_pton( cn, ip );
92 + for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next )
94 + const unsigned char san_type = (unsigned char) cur->buf.tag &
95 + MBEDTLS_ASN1_TAG_VALUE_MASK;
96 + if( san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
97 + cur->buf.len == cn_len && memcmp( cur->buf.p, ip, cn_len ) == 0 )
105 * Check for SAN match, see RFC 5280 Section 4.2.1.6
107 -static int x509_crt_check_san( const mbedtls_x509_buf *name,
108 +static int x509_crt_check_san( const mbedtls_x509_sequence *san,
109 const char *cn, size_t cn_len )
111 - const unsigned char san_type = (unsigned char) name->tag &
112 - MBEDTLS_ASN1_TAG_VALUE_MASK;
115 - if( san_type == MBEDTLS_X509_SAN_DNS_NAME )
116 - return( x509_crt_check_cn( name, cn, cn_len ) );
118 - /* (We may handle other types here later.) */
120 + for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next )
122 + switch( (unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK )
124 + case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */
125 + if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 )
128 + case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */
131 + /* (We may handle other types here later.) */
132 + default: /* Unrecognized type */
137 - /* Unrecognized type */
139 + return( san_ip ? x509_crt_check_san_ip( san, cn, cn_len ) : -1 );
143 @@ -3035,19 +3111,12 @@ static void x509_crt_verify_name( const
146 const mbedtls_x509_name *name;
147 - const mbedtls_x509_sequence *cur;
148 size_t cn_len = strlen( cn );
150 if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
152 - for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next )
154 - if( x509_crt_check_san( &cur->buf, cn, cn_len ) == 0 )
159 - *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
160 + if( x509_crt_check_san( &crt->subject_alt_names, cn, cn_len ) == 0 )
165 @@ -3056,13 +3125,13 @@ static void x509_crt_verify_name( const
166 if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 &&
167 x509_crt_check_cn( &name->val, cn, cn_len ) == 0 )
175 - *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
178 + *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;