[PATCH] SSL: Verify IP SAN's in upstream certificates

July 05, 2020 04:10AM
# HG changeset patch
# User Salmaan Pehlari <salmaanpehlari@gmail.com>
# Date 1593931168 25200
# Sat Jul 04 23:39:28 2020 -0700
# Node ID 3b843e88de3761b2b71bac3c5fe453e09ae7990e
# Parent c5840ca2063d26e432264ad0b0fe00c0bd94252c
SSL: Verify IP SAN's in upstream certificates.

Verify IPs in upstream certificates if no host names match.

diff -r c5840ca2063d -r 3b843e88de37 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Fri Jul 03 16:16:47 2020 +0300
+++ b/src/event/ngx_event_openssl.c Sat Jul 04 23:39:28 2020 -0700
@@ -4116,13 +4116,20 @@
}

if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) !=
1) {
- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
- "X509_check_host(): no match");
- goto failed;
+
+ char *ip = (char *) ngx_palloc(c->pool, (name->len+1 *
sizeof(char)));
+ ngx_memcpy(ip, name->data, name->len);
+ ip[name->len] = '\0';
+
+ if (X509_check_ip_asc(cert, ip, 0) != 1 {
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "X509_check_host() & X590_check_ip_asc: no
match");
+ goto failed;
+ }
}

ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
- "X509_check_host(): match");
+ "X509_check_host() | X509_check_ip_asc: match");

goto found;
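Review bot: The new `if (X509_check_ip_asc(cert, ip, 0) != 1 {` is missing its closing parenthesis, and the `ngx_palloc()` result passed to `ngx_memcpy` is never checked, so an allocation failure dereferences NULL inside certificate verification. The size expression `name->len+1 * sizeof(char)` only comes out right because `sizeof(char)` is 1, and the debug message misspells the function as `X590_check_ip_asc`. The second hunk repeats the unchecked allocation and the same size expression at its `ngx_palloc` call, and as written it will not compile (`(const char *), ip`, `san.sin_addr`, `sa.sinaddr`, `GENERAL_NAME_free(altnames)`); its AF_INET6 `inet_pton` also writes into `sa.sin_addr`, which is an IPv4-sized field. I would allocate with `ngx_pnalloc(c->pool, name->len + 1)`, fail closed (`goto failed`) when it returns NULL, and keep the copy in nginx's `u_char` type, as below. The enclosing function continues outside the hunk on both sides.
```c
    if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) {
        u_char  *ip;

        /* X509_check_ip_asc() needs a NUL-terminated string; name->data may not be */
        ip = ngx_pnalloc(c->pool, name->len + 1);
        if (ip == NULL) {
            goto failed;
        }

        ngx_memcpy(ip, name->data, name->len);
        ip[name->len] = '\0';

        if (X509_check_ip_asc(cert, (char *) ip, 0) != 1) {
            ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                           "X509_check_host(), X509_check_ip_asc(): no match");
            goto failed;
        }
    }

    /* … unchanged: "match" debug log and goto found … */
```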

@@ -4148,21 +4155,47 @@
for (i = 0; i < n; i++) {
altname = sk_GENERAL_NAME_value(altnames, i);

- if (altname->type != GEN_DNS) {
- continue;
- }
-
- str = altname->d.dNSName;
-
- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
- "SSL subjectAltName: \"%*s\"",
- ASN1_STRING_length(str), ASN1_STRING_data(str));
-
- if (ngx_ssl_check_name(name, str) == NGX_OK) {
- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
- "SSL subjectAltName: match");
- GENERAL_NAMES_free(altnames);
- goto found;
+ if (altname->type == GEN_DNS) {
+
+ str = altname->d.dNSName;
+
+ ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "SSL subjectAltName: \"%*s\"",
+ ASN1_STRING_length(str),
ASN1_STRING_data(str));
+
+ if (ngx_ssl_check_name(name, str) == NGX_OK) {
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "SSL subjectAltName: match");
+ GENERAL_NAMES_free(altnames);
+ goto found;
+ }
+ } else if (altname->type == GEN_IPADD) {
+ x509_ip = altname->d.iPAddress;
+
+ if (x509_ip && x509_ip->data && x509_ip->length) {
+ ip = (char *) ngx_palloc(c->pool, (name->len+1 *
sizeof(char)));
+ ngx_memcpy(ip, name->data, name->len);
+ ip[name->len] = '\0';
+
+ if (inet_pton(AF_INET, (const char *), ip,
&(sa.sin_addr)) != 1) {
+ if (inet_pton(AF_INET6, (const char *), ip,
&(sa.sin_addr)) != 1) {
+ GENERAL_NAME_free(altnames);
+ goto failed;
+ }
+ }
+
+ ip_octet = ASN1_OCTET_STRING_new();
+ ASN1_STRING_set(ip_octet, &san.sin_addr,
sizeof(sa.sinaddr));
+
+ if (ASN1_STRING_cmp(x509_ip, ip_octet) == 0) {
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
"SSL subjectAltName IP: match");
+ ASN1_STRING_free(ip_octet);
+ GENERAL_NAMES_free(altnames);
+ goto found;
+ }
+
+ ASN1_STRING_free(ip_octet);
+ }
}
}