From patchwork Sun Sep 18 12:07:40 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 2775 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director13.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id 0N2yB+qWJ2PPIAAAIUCqbw (envelope-from ) for ; Sun, 18 Sep 2022 18:08:42 -0400 Received: from proxy4.mail.ord1c.rsapps.net ([172.28.255.1]) by director13.mail.ord1d.rsapps.net with LMTP id mNgPB+qWJ2P0NAAA91zNiA (envelope-from ) for ; Sun, 18 Sep 2022 18:08:42 -0400 Received: from smtp18.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy4.mail.ord1c.rsapps.net with LMTPS id CLuoKuKWJ2N7TgAAjcXvpA (envelope-from ) for ; Sun, 18 Sep 2022 18:08:34 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp18.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=unstable.cc; dmarc=none (p=nil; dis=none) header.from=unstable.cc X-Suspicious-Flag: YES X-Classification-ID: 74298db0-379e-11ed-a7d7-bc305bf00c68-1-1 Received: from [216.105.38.7] ([216.105.38.7:58578] helo=lists.sourceforge.net) by smtp18.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id E7/34-17019-9E697236; Sun, 18 Sep 2022 18:08:41 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1oa2S7-00035j-E6; Sun, 18 Sep 2022 22:07:51 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1oa2S5-00035b-HD for openvpn-devel@lists.sourceforge.net; Sun, 18 Sep 2022 22:07:49 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=V1gV3xkzV8mvAaNjsqrGqfq1bmd7Lth8mVW/jFwSRlk=; b=F4FEgMNW1T6je9ws9i7yqFx3vH UZw+J8sferVFjVGbSY/T9RY8A/siiDR2F15Ybonhz5HAfZHXy65wHLVVpaBuZdRmr3AFYNzthqR4e xfVKSl8Ps1O4FkCYJ7/+EAPEGU1IJaU9J6be4VT6NTQ/MN4ro3uhLiVbXR5U38szdsSM=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=V1gV3xkzV8mvAaNjsqrGqfq1bmd7Lth8mVW/jFwSRlk=; b=K0OBSMY5gxe4ZulU6RJqWzJx8R WV6/NIQR58R4G3whlrdl43YRD43npsukXYJRG9yJ5GSBeRq5OfVxMZK/due9GGLvMKNC1n7wKJS1j MNSQTEkGHEcnHWxBgSnGR/idIjyQp2C82nZVsAtpW1XxeTO3UiaaquboFXSnL/RzjY8A=; Received: from wilbur.contactoffice.com ([212.3.242.68]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1oa2S4-00Cbzq-Ki for openvpn-devel@lists.sourceforge.net; Sun, 18 Sep 2022 22:07:49 +0000 Received: from smtpauth1.co-bxl (smtpauth1.co-bxl [10.2.0.15]) by wilbur.contactoffice.com (Postfix) with ESMTP id 79C6D389F; Mon, 19 Sep 2022 00:07:42 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1663538862; s=20220809-q8oc; d=unstable.cc; i=a@unstable.cc; h=From:Cc:Date:Message-Id:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding; l=7084; bh=V1gV3xkzV8mvAaNjsqrGqfq1bmd7Lth8mVW/jFwSRlk=; b=diDVVwft/csqPyEeHU3VH7YyoGSGb7KCl5YikvpZQB+LNyI9sS8gdTdm6GpJfyM5 A7Ugw1Es0gZ0X+BnQRogQUF4GEAU09CWI5A2pwEiE1AAhpSmwtrNu1PbyVA+zM9OlHG TfRNtHFfn2zhghoKpDnVw34o8o9GilJDHhP/Meq2coNxdPUD946PoxOil0tRgCkEDr8 igC96ltwvQY3YsMPA94DAFMpMzM8q0DxZE4Z40bVQgWhRusgEEvZsDNLmcrUxgcRjXM /5kxRGzi46mnea6GSV3Jb1fFrDl7h765msyR4XvBeQ/iEnzSI6ZXwZlM3xhihtK1xzF vtotF8AHQQ== Received: by smtp.mailfence.com with ESMTPSA ; Mon, 19 Sep 2022 00:07:40 +0200 (CEST) From: Antonio Quartulli To: openvpn-devel@lists.sourceforge.net Date: Mon, 19 Sep 2022 00:07:40 +0200 Message-Id: <20220918220740.32549-1-a@unstable.cc> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220917233244.13774-1-a@unstable.cc> References: MIME-Version: 1.0 X-Spam-Status: No, hits=-2.9 required=4.7 symbols=ALL_TRUSTED, BAYES_00 device=10.2.0.21 X-ContactOffice-Account: com:375058688 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Mateusz Markowicz When using "--verify-x509-name [hostname] subject-alt-name" hostname will now be accepted also when matched against one of the X509v3 Subject Alternative Name IP or DNS entries (instead of just Subjec [...] Content analysis details: (-0.9 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [212.3.242.68 listed in list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-Headers-End: 1oa2S4-00Cbzq-Ki Subject: [Openvpn-devel] [PATCH v2] openssl: alternative names support for --verify-x509-name CN checks X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: Mateusz Markowicz When using "--verify-x509-name [hostname] subject-alt-name" hostname will now be accepted also when matched against one of the X509v3 Subject Alternative Name IP or DNS entries (instead of just Subject's CN). While at it, fix a few uncrustify complaints to allow committing this change. Signed-off-by: Mateusz Markowicz --- Changes from v1: * added missing hunks --- doc/man-sections/tls-options.rst | 9 ++++--- src/openvpn/options.c | 4 +++ src/openvpn/ssl_verify.c | 32 +++++++++++++++++------ src/openvpn/ssl_verify.h | 1 + src/openvpn/ssl_verify_backend.h | 9 +++++++ src/openvpn/ssl_verify_mbedtls.c | 12 +++++++++ src/openvpn/ssl_verify_openssl.c | 45 ++++++++++++++++++++++++++++++++ 7 files changed, 100 insertions(+), 12 deletions(-) diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index d51aff77..257c779a 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -647,10 +647,11 @@ If the option is inlined, ``algo`` is always :code:`SHA256`. Which X.509 name is compared to ``name`` depends on the setting of type. ``type`` can be :code:`subject` to match the complete subject DN - (default), :code:`name` to match a subject RDN or :code:`name-prefix` to - match a subject RDN prefix. Which RDN is verified as name depends on the - ``--x509-username-field`` option. But it defaults to the common name - (CN), e.g. a certificate with a subject DN + (default), :code:`name` to match a subject RDN, :code:`name-prefix` to + match a subject RDN prefix or :code:`subject-alt-name` to match the subject + SAN (or the CN if SAN is not specified). Which RDN is verified as name + depends on the ``--x509-username-field`` option. But it defaults to the + common name (CN), e.g. a certificate with a subject DN :: C=KG, ST=NA, L=Bishkek, CN=Server-1 diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 4566172b..02f91259 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8935,6 +8935,10 @@ add_option(struct options *options, { type = VERIFY_X509_SUBJECT_RDN_PREFIX; } + else if (streq(p[2], "subject-alt-name")) + { + type = VERIFY_X509_SAN; + } else { msg(msglevel, "unknown X.509 name type: %s", p[2]); diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 76cb9f19..c13f1c45 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -377,15 +377,31 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, /* verify X509 name or username against --verify-x509-[user]name */ if (opt->verify_x509_type != VERIFY_X509_NONE) { - if ( (opt->verify_x509_type == VERIFY_X509_SUBJECT_DN - && strcmp(opt->verify_x509_name, subject) == 0) - || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN - && strcmp(opt->verify_x509_name, common_name) == 0) - || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX - && strncmp(opt->verify_x509_name, common_name, - strlen(opt->verify_x509_name)) == 0) ) + bool match; + if (opt->verify_x509_type == VERIFY_X509_SAN) { - msg(D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject); + bool have_alt_names; + match = x509v3_is_host_in_alternative_names(peer_cert, opt->verify_x509_name, + &have_alt_names); + if (!match && !have_alt_names) + { + match = (strcmp(opt->verify_x509_name, common_name) == 0); + } + } + else + { + match = (opt->verify_x509_type == VERIFY_X509_SUBJECT_DN + && strcmp(opt->verify_x509_name, subject) == 0) + || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN + && strcmp(opt->verify_x509_name, common_name) == 0) + || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX + && strncmp(opt->verify_x509_name, common_name, + strlen(opt->verify_x509_name)) == 0); + } + + if (match) + { + msg(D_HANDSHAKE, "VERIFY X509NAME OK: %s", opt->verify_x509_name); } else { diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h index 30dfc9bc..214243d8 100644 --- a/src/openvpn/ssl_verify.h +++ b/src/openvpn/ssl_verify.h @@ -64,6 +64,7 @@ struct cert_hash_set { #define VERIFY_X509_SUBJECT_DN 1 #define VERIFY_X509_SUBJECT_RDN 2 #define VERIFY_X509_SUBJECT_RDN_PREFIX 3 +#define VERIFY_X509_SAN 4 enum tls_auth_status { diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h index be857960..948daae2 100644 --- a/src/openvpn/ssl_verify_backend.h +++ b/src/openvpn/ssl_verify_backend.h @@ -268,4 +268,13 @@ result_t x509_write_pem(FILE *peercert_file, openvpn_x509_cert_t *peercert); */ bool tls_verify_crl_missing(const struct tls_options *opt); +/** + * Return true iff {host} was found in {cert} Subject Alternative Names DNS or + * IP entries. + * If has_alt_names is not NULL it'll be set to true iff Subject Alternative + * Names were defined for cert. + */ +bool x509v3_is_host_in_alternative_names(openvpn_x509_cert_t *cert, + const char *host, bool *has_alt_name); + #endif /* SSL_VERIFY_BACKEND_H_ */ diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index 5463c8da..228e7fb6 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -262,6 +262,18 @@ x509_get_subject(mbedtls_x509_crt *cert, struct gc_arena *gc) return subject; } +bool +x509v3_is_host_in_alternative_names(mbedtls_x509_crt *cert, const char *host, + bool *has_alt_names) +{ + msg(M_WARN, "Missing support for subject alternative names in mbedtls."); + if (has_alt_names) + { + *has_alt_names = false; + } + return false; +} + static void do_setenv_x509(struct env_set *es, const char *name, char *value, int depth) { diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 78efa70a..3c6f629b 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -376,6 +376,51 @@ err: return subject; } +bool +x509v3_is_host_in_alternative_names(X509 *cert, const char *host, + bool *has_alt_names) +{ + GENERAL_NAMES *altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); + if (has_alt_names) + { + *has_alt_names = (altnames != NULL); + } + if (altnames == NULL) + { + return false; + } + + int n = sk_GENERAL_NAME_num(altnames); + for (int i = 0; i < n; i++) + { + GENERAL_NAME *altname = sk_GENERAL_NAME_value(altnames, i); + ASN1_STRING *altname_asn1 = NULL; + if (altname->type == GEN_DNS) + { + altname_asn1 = altname->d.dNSName; + } + else if (altname->type == GEN_IPADD) + { + altname_asn1 = altname->d.iPAddress; + } + + if (altname_asn1 != NULL) + { + char *altname_cstr = NULL; + if (ASN1_STRING_to_UTF8((unsigned char **)&altname_cstr, altname_asn1) >= 0) + { + bool match = strcmp(host, altname_cstr) == 0; + OPENSSL_free(altname_cstr); + if (match) + { + return true; + } + } + } + } + return false; +} + /* * x509-track implementation -- save X509 fields to environment,