walkero
/
nghttp2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

nghttpx: Don't use CN if we have dNSName or iPAddress field

This commit is contained in:
Tatsuhiro Tsujikawa 2016-04-26 22:12:51 +09:00
parent 13f97ccf45
commit b39ad3135d
1 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/shrpx_ssl.cc
View File

@ -925,6 +925,7 @@ int verify_numeric_hostname(X509 *cert, const StringRef &hostname,
if (altnames) { if (altnames) {
auto altnames_deleter = defer(GENERAL_NAMES_free, altnames); auto altnames_deleter = defer(GENERAL_NAMES_free, altnames);
size_t n = sk_GENERAL_NAME_num(altnames); size_t n = sk_GENERAL_NAME_num(altnames);
auto ip_found = false;
for (size_t i = 0; i < n; ++i) { for (size_t i = 0; i < n; ++i) {
auto altname = sk_GENERAL_NAME_value(altnames, i); auto altname = sk_GENERAL_NAME_value(altnames, i);
if (altname->type != GEN_IPADD) { if (altname->type != GEN_IPADD) {
@ -937,10 +938,15 @@ int verify_numeric_hostname(X509 *cert, const StringRef &hostname,
} }
size_t ip_addrlen = altname->d.iPAddress->length; size_t ip_addrlen = altname->d.iPAddress->length;
ip_found = true;
if (addr->len == ip_addrlen && memcmp(saddr, ip_addr, ip_addrlen) == 0) { if (addr->len == ip_addrlen && memcmp(saddr, ip_addr, ip_addrlen) == 0) {
return 0; return 0;
} }
} }
if (ip_found) {
return -1;
}
} }
auto cn = get_common_name(cert); auto cn = get_common_name(cert);
@ -970,6 +976,7 @@ int verify_hostname(X509 *cert, const StringRef &hostname,
auto altnames = static_cast<GENERAL_NAMES *>( auto altnames = static_cast<GENERAL_NAMES *>(
X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr)); X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
if (altnames) { if (altnames) {
auto dns_found = false;
auto altnames_deleter = defer(GENERAL_NAMES_free, altnames); auto altnames_deleter = defer(GENERAL_NAMES_free, altnames);
size_t n = sk_GENERAL_NAME_num(altnames); size_t n = sk_GENERAL_NAME_num(altnames);
for (size_t i = 0; i < n; ++i) { for (size_t i = 0; i < n; ++i) {
@ -999,11 +1006,19 @@ int verify_hostname(X509 *cert, const StringRef &hostname,
} }
} }
dns_found = true;
if (tls_hostname_match(StringRef{name, static_cast<size_t>(len)}, if (tls_hostname_match(StringRef{name, static_cast<size_t>(len)},
hostname)) { hostname)) {
return 0; return 0;
} }
} }
// RFC 6125, section 6.4.4. says that client MUST not seek a match
// for CN if a dns dNSName is found.
if (dns_found) {
return -1;
}
} }
auto cn = get_common_name(cert); auto cn = get_common_name(cert);
@ -1237,6 +1252,7 @@ int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx,
if (altnames) { if (altnames) {
auto altnames_deleter = defer(GENERAL_NAMES_free, altnames); auto altnames_deleter = defer(GENERAL_NAMES_free, altnames);
size_t n = sk_GENERAL_NAME_num(altnames); size_t n = sk_GENERAL_NAME_num(altnames);
auto dns_found = false;
for (size_t i = 0; i < n; ++i) { for (size_t i = 0; i < n; ++i) {
auto altname = sk_GENERAL_NAME_value(altnames, i); auto altname = sk_GENERAL_NAME_value(altnames, i);
if (altname->type != GEN_DNS) { if (altname->type != GEN_DNS) {
@ -1264,8 +1280,14 @@ int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx,
} }
} }
dns_found = true;
lt->add_cert(ssl_ctx, StringRef{name, static_cast<size_t>(len)}); lt->add_cert(ssl_ctx, StringRef{name, static_cast<size_t>(len)});
} }
// Don't bother CN if we have dNSName.
if (dns_found) {
return 0;
}
} }
auto cn = get_common_name(cert); auto cn = get_common_name(cert);