-From 272d48fe7a2ff00285d4ee166d3a9beca1d5122f Mon Sep 17 00:00:00 2001
+From eb9d4fdf1846e688d51d86a9a50f0312aca2af25 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Sun, 23 Oct 2022 19:48:18 -0400
-Subject: [PATCH 1/4] x509 crt verify SAN iPAddress
+Subject: [PATCH] x509 crt verify SAN iPAddress
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
---
include/mbedtls/x509_crt.h | 2 +-
- library/x509_crt.c | 115 +++++++++++++++++++++++++++++--------
- 2 files changed, 93 insertions(+), 24 deletions(-)
+ library/x509_crt.c | 126 ++++++++++++++++++++++++++++++-------
+ 2 files changed, 103 insertions(+), 25 deletions(-)
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
-@@ -597,7 +597,7 @@ int mbedtls_x509_crt_verify_info( char *
+@@ -608,7 +608,7 @@ int mbedtls_x509_crt_verify_info(char *b
* \param cn The expected Common Name. This will be checked to be
* present in the certificate's subjectAltNames extension or,
* if this extension is absent, as a CN component in its
* If the verification couldn't be completed, the flag value is
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
-@@ -2986,6 +2986,54 @@ find_parent:
+@@ -57,6 +57,10 @@
+
+ #if defined(MBEDTLS_HAVE_TIME)
+ #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
++#define WIN32_LEAN_AND_MEAN
++#ifndef _WIN32_WINNT
++#define _WIN32_WINNT 0x0600
++#endif
+ #include <windows.h>
+ #else
+ #include <time.h>
+@@ -2995,6 +2999,61 @@ find_parent:
}
}
+#ifdef _WIN32
-+/* ??? */
++#ifdef _MSC_VER
++#pragma comment(lib, "ws2_32.lib")
++#include <winsock2.h>
++#include <ws2tcpip.h>
++#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600
++#include <winsock2.h>
++#include <ws2tcpip.h>
++#endif
+#elif defined(__sun)
+/* Solaris requires -lsocket -lnsl for inet_pton() */
+#elif defined(__has_include)
+ * provided by headers included (or not) via __has_include() above. */
+#ifndef AF_INET6
+
-+#define x509_cn_inet_pton( cn, dst ) ( 0 )
++#define x509_cn_inet_pton(cn, dst) (0)
+
+#else
+
-+static int x509_inet_pton_ipv6( const char *src, void *dst )
++static int x509_inet_pton_ipv6(const char *src, void *dst)
+{
-+ return( inet_pton( AF_INET6, src, dst ) == 1 ? 0 : -1 );
++ return inet_pton(AF_INET6, src, dst) == 1 ? 0 : -1;
+}
+
-+static int x509_inet_pton_ipv4( const char *src, void *dst )
++static int x509_inet_pton_ipv4(const char *src, void *dst)
+{
-+ return( inet_pton( AF_INET, src, dst ) == 1 ? 0 : -1 );
++ return inet_pton(AF_INET, src, dst) == 1 ? 0 : -1;
+}
+
+#endif /* AF_INET6 */
+
-+static size_t x509_cn_inet_pton( const char *cn, void *dst )
++static size_t x509_cn_inet_pton(const char *cn, void *dst)
+{
-+ return( strchr( cn, ':' ) == NULL
-+ ? x509_inet_pton_ipv4( cn, dst ) == 0 ? 4 : 0
-+ : x509_inet_pton_ipv6( cn, dst ) == 0 ? 16 : 0 );
++ return strchr(cn, ':') == NULL
++ ? x509_inet_pton_ipv4(cn, dst) == 0 ? 4 : 0
++ : x509_inet_pton_ipv6(cn, dst) == 0 ? 16 : 0;
+}
+
/*
* Check for CN match
*/
-@@ -3008,23 +3056,51 @@ static int x509_crt_check_cn( const mbed
- return( -1 );
+@@ -3015,24 +3074,51 @@ static int x509_crt_check_cn(const mbedt
+ return -1;
}
-+static int x509_crt_check_san_ip( const mbedtls_x509_sequence *san,
-+ const char *cn, size_t cn_len )
++static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san,
++ const char *cn, size_t cn_len)
+{
+ uint32_t ip[4];
-+ cn_len = x509_cn_inet_pton( cn, ip );
-+ if( cn_len == 0 )
-+ return( -1 );
++ cn_len = x509_cn_inet_pton(cn, ip);
++ if (cn_len == 0) {
++ return -1;
++ }
+
-+ for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next )
-+ {
++ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
+ const unsigned char san_type = (unsigned char) cur->buf.tag &
+ MBEDTLS_ASN1_TAG_VALUE_MASK;
-+ if( san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
-+ cur->buf.len == cn_len && memcmp( cur->buf.p, ip, cn_len ) == 0 )
-+ return( 0 );
++ if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
++ cur->buf.len == cn_len && memcmp(cur->buf.p, ip, cn_len) == 0) {
++ return 0;
++ }
+ }
+
-+ return( -1 );
++ return -1;
+}
+
/*
* Check for SAN match, see RFC 5280 Section 4.2.1.6
*/
--static int x509_crt_check_san( const mbedtls_x509_buf *name,
-+static int x509_crt_check_san( const mbedtls_x509_sequence *san,
- const char *cn, size_t cn_len )
+-static int x509_crt_check_san(const mbedtls_x509_buf *name,
++static int x509_crt_check_san(const mbedtls_x509_sequence *san,
+ const char *cn, size_t cn_len)
{
- const unsigned char san_type = (unsigned char) name->tag &
- MBEDTLS_ASN1_TAG_VALUE_MASK;
-
- /* dNSName */
-- if( san_type == MBEDTLS_X509_SAN_DNS_NAME )
-- return( x509_crt_check_cn( name, cn, cn_len ) );
--
-- /* (We may handle other types here later.) */
+- if (san_type == MBEDTLS_X509_SAN_DNS_NAME) {
+- return x509_crt_check_cn(name, cn, cn_len);
+ int san_ip = 0;
-+ for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next )
-+ {
-+ switch( (unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK )
-+ {
-+ case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */
-+ if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 )
-+ return( 0 );
-+ break;
-+ case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */
-+ san_ip = 1;
-+ break;
-+ /* (We may handle other types here later.) */
-+ default: /* Unrecognized type */
-+ break;
++ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
++ switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) {
++ case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */
++ if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) {
++ return 0;
++ }
++ break;
++ case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */
++ san_ip = 1;
++ break;
++ /* (We may handle other types here later.) */
++ default: /* Unrecognized type */
++ break;
+ }
-+ }
+ }
+- /* (We may handle other types here later.) */
+-
- /* Unrecognized type */
-- return( -1 );
-+ return( san_ip ? x509_crt_check_san_ip( san, cn, cn_len ) : -1 );
+- return -1;
++ return san_ip ? x509_crt_check_san_ip(san, cn, cn_len) : -1;
}
/*
-@@ -3035,19 +3111,12 @@ static void x509_crt_verify_name( const
- uint32_t *flags )
+@@ -3043,31 +3129,23 @@ static void x509_crt_verify_name(const m
+ uint32_t *flags)
{
const mbedtls_x509_name *name;
- const mbedtls_x509_sequence *cur;
- size_t cn_len = strlen( cn );
+ size_t cn_len = strlen(cn);
- if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
- {
-- for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next )
-- {
-- if( x509_crt_check_san( &cur->buf, cn, cn_len ) == 0 )
+ if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
+- for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) {
+- if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) {
- break;
+- }
- }
-
-- if( cur == NULL )
+- if (cur == NULL) {
- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
-+ if( x509_crt_check_san( &crt->subject_alt_names, cn, cn_len ) == 0 )
++ if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) {
+ return;
- }
- else
- {
-@@ -3056,13 +3125,13 @@ static void x509_crt_verify_name( const
- if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 &&
- x509_crt_check_cn( &name->val, cn, cn_len ) == 0 )
- {
+ }
+ } else {
+ for (name = &crt->subject; name != NULL; name = name->next) {
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 &&
+ x509_crt_check_cn(&name->val, cn, cn_len) == 0) {
- break;
+ return;
}
}
-- if( name == NULL )
+- if (name == NULL) {
- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
+- }
}
+
+ *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
projects / openwrt / staging / dedeckeh.git / commitdiff