package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch

   1 From 272d48fe7a2ff00285d4ee166d3a9beca1d5122f Mon Sep 17 00:00:00 2001
   2 From: Glenn Strauss <gstrauss@gluelogic.com>
   3 Date: Sun, 23 Oct 2022 19:48:18 -0400
   4 Subject: [PATCH 1/4] x509 crt verify SAN iPAddress
   5
   6 Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
   7 ---
   8  include/mbedtls/x509_crt.h |   2 +-
   9  library/x509_crt.c         | 115 +++++++++++++++++++++++++++++--------
  10  2 files changed, 93 insertions(+), 24 deletions(-)
  11
  12 --- a/include/mbedtls/x509_crt.h
  13 +++ b/include/mbedtls/x509_crt.h
  14 @@ -597,7 +597,7 @@ int mbedtls_x509_crt_verify_info( char *
  15   * \param cn       The expected Common Name. This will be checked to be
  16   *                 present in the certificate's subjectAltNames extension or,
  17   *                 if this extension is absent, as a CN component in its
  18 - *                 Subject name. Currently only DNS names are supported. This
  19 + *                 Subject name. DNS names and IP addresses are supported. This
  20   *                 may be \c NULL if the CN need not be verified.
  21   * \param flags    The address at which to store the result of the verification.
  22   *                 If the verification couldn't be completed, the flag value is
  23 --- a/library/x509_crt.c
  24 +++ b/library/x509_crt.c
  25 @@ -2986,6 +2986,54 @@ find_parent:
  26      }
  27  }
  28
  29 +#ifdef _WIN32
  30 +/* ??? */
  31 +#elif defined(__sun)
  32 +/* Solaris requires -lsocket -lnsl for inet_pton() */
  33 +#elif defined(__has_include)
  34 +#if __has_include(<sys/socket.h>)
  35 +#include <sys/socket.h>
  36 +#endif
  37 +#if __has_include(<arpa/inet.h>)
  38 +#include <arpa/inet.h>
  39 +#endif
  40 +#endif
  41 +
  42 +/* Use whether or not AF_INET6 is defined to indicate whether or not to use
  43 + * the platform inet_pton() or a local implementation (below).  The local
  44 + * implementation may be used even in cases where the platform provides
  45 + * inet_pton(), e.g. when there are different includes required and/or the
  46 + * platform implementation requires dependencies on additional libraries.
  47 + * Specifically, Windows requires custom includes and additional link
  48 + * dependencies, and Solaris requires additional link dependencies.
  49 + * Also, as a coarse heuristic, use the local implementation if the compiler
  50 + * does not support __has_include(), or if the definition of AF_INET6 is not
  51 + * provided by headers included (or not) via __has_include() above. */
  52 +#ifndef AF_INET6
  53 +
  54 +#define x509_cn_inet_pton( cn, dst ) ( 0 )
  55 +
  56 +#else
  57 +
  58 +static int x509_inet_pton_ipv6( const char *src, void *dst )
  59 +{
  60 +    return( inet_pton( AF_INET6, src, dst ) == 1 ? 0 : -1 );
  61 +}
  62 +
  63 +static int x509_inet_pton_ipv4( const char *src, void *dst )
  64 +{
  65 +    return( inet_pton( AF_INET, src, dst ) == 1 ? 0 : -1 );
  66 +}
  67 +
  68 +#endif /* AF_INET6 */
  69 +
  70 +static size_t x509_cn_inet_pton( const char *cn, void *dst )
  71 +{
  72 +    return( strchr( cn, ':' ) == NULL
  73 +            ? x509_inet_pton_ipv4( cn, dst ) == 0 ? 4 : 0
  74 +            : x509_inet_pton_ipv6( cn, dst ) == 0 ? 16 : 0 );
  75 +}
  76 +
  77  /*
  78   * Check for CN match
  79   */
  80 @@ -3008,23 +3056,51 @@ static int x509_crt_check_cn( const mbed
  81      return( -1 );
  82  }
  83
  84 +static int x509_crt_check_san_ip( const mbedtls_x509_sequence *san,
  85 +                                  const char *cn, size_t cn_len )
  86 +{
  87 +    uint32_t ip[4];
  88 +    cn_len = x509_cn_inet_pton( cn, ip );
  89 +    if( cn_len == 0 )
  90 +        return( -1 );
  91 +
  92 +    for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next )
  93 +    {
  94 +        const unsigned char san_type = (unsigned char) cur->buf.tag &
  95 +                                       MBEDTLS_ASN1_TAG_VALUE_MASK;
  96 +        if( san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
  97 +            cur->buf.len == cn_len && memcmp( cur->buf.p, ip, cn_len ) == 0 )
  98 +            return( 0 );
  99 +    }
 100 +
 101 +    return( -1 );
 102 +}
 103 +
 104  /*
 105   * Check for SAN match, see RFC 5280 Section 4.2.1.6
 106   */
 107 -static int x509_crt_check_san( const mbedtls_x509_buf *name,
 108 +static int x509_crt_check_san( const mbedtls_x509_sequence *san,
 109                                 const char *cn, size_t cn_len )
 110  {
 111 -    const unsigned char san_type = (unsigned char) name->tag &
 112 -                                   MBEDTLS_ASN1_TAG_VALUE_MASK;
 113 -
 114 -    /* dNSName */
 115 -    if( san_type == MBEDTLS_X509_SAN_DNS_NAME )
 116 -        return( x509_crt_check_cn( name, cn, cn_len ) );
 117 -
 118 -    /* (We may handle other types here later.) */
 119 +    int san_ip = 0;
 120 +    for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next )
 121 +    {
 122 +        switch( (unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK )
 123 +        {
 124 +        case MBEDTLS_X509_SAN_DNS_NAME:                    /* dNSName */
 125 +            if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 )
 126 +                return( 0 );
 127 +            break;
 128 +        case MBEDTLS_X509_SAN_IP_ADDRESS:                  /* iPAddress */
 129 +            san_ip = 1;
 130 +            break;
 131 +        /* (We may handle other types here later.) */
 132 +        default: /* Unrecognized type */
 133 +            break;
 134 +        }
 135 +    }
 136
 137 -    /* Unrecognized type */
 138 -    return( -1 );
 139 +    return( san_ip ? x509_crt_check_san_ip( san, cn, cn_len ) : -1 );
 140  }
 141
 142  /*
 143 @@ -3035,19 +3111,12 @@ static void x509_crt_verify_name( const
 144                                    uint32_t *flags )
 145  {
 146      const mbedtls_x509_name *name;
 147 -    const mbedtls_x509_sequence *cur;
 148      size_t cn_len = strlen( cn );
 149
 150      if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
 151      {
 152 -        for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next )
 153 -        {
 154 -            if( x509_crt_check_san( &cur->buf, cn, cn_len ) == 0 )
 155 -                break;
 156 -        }
 157 -
 158 -        if( cur == NULL )
 159 -            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
 160 +        if( x509_crt_check_san( &crt->subject_alt_names, cn, cn_len ) == 0 )
 161 +            return;
 162      }
 163      else
 164      {
 165 @@ -3056,13 +3125,13 @@ static void x509_crt_verify_name( const
 166              if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 &&
 167                  x509_crt_check_cn( &name->val, cn, cn_len ) == 0 )
 168              {
 169 -                break;
 170 +                return;
 171              }
 172          }
 173
 174 -        if( name == NULL )
 175 -            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
 176      }
 177 +
 178 +    *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
 179  }
 180
 181  /*