0003-Make-extract_x509_extension-in-ssl_verify_openssl.c-.patch on Ticket #402 – Attachment – OpenVPN Community

src/openvpn/ssl_verify.c

From 1cd060230653bd93067a0837384907200fa19c74 Mon Sep 17 00:00:00 2001
From: Andris Kalnozols <andris@hpl.hp.com>
Date: Sat, 28 Jun 2014 20:26:21 +0200
Subject: [PATCH 3/3] Make extract_x509_extension() in ssl_verify_openssl.c
 more informative.

I did enhance extract_x509_extension() in ssl_verify_openssl.c to be more
informative but only when dealing with the client certificate. Getting
access to the "cert_depth" variable required minor changes in the following
files:
    ssl_verify.c
    ssl_verify_backend.h
    ssl_verify_polarssl.c

Signed-off-by: Andris Kalnozols <andris@hpl.hp.com>
---
 src/openvpn/ssl_verify.c          |   2 +-
 src/openvpn/ssl_verify_backend.h  |   3 +-
 src/openvpn/ssl_verify_openssl.c  | 134 +++++++++++++++++++++++---------------
 src/openvpn/ssl_verify_polarssl.c |   2 +-
 4 files changed, 86 insertions(+), 55 deletions(-)

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index c90c2c3..19df9fb 100644

a	b	verify_cert(struct tls_session session, openvpn_x509_cert_t cert, int cert_dep
620	620
621	621	/* extract the username (default is CN) */
622	622	if (SUCCESS != x509_get_username (common_name, TLS_USERNAME_LEN,
623		opt->x509_username_field, cert))
	623	opt->x509_username_field, cert, cert_depth))
624	624	{
625	625	if (!cert_depth)
626	626	{

src/openvpn/ssl_verify_backend.h

diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
index 6f118c9..14383ad 100644

  unsigned char *x509_get_sha1_hash (openvpn_x509_cert_t *cert, struct gc_arena *g
  * @param cn_len                Length of the cn buffer.
  * @param x509_username_field   Name of the field to load from
  * @param cert                  Certificate to retrieve the common name from.
+ * @param cert_depth            Depth of the current certificate
+ *
  * @return              \c FAILURE, \c or SUCCESS
  */
 result_t x509_get_username (char *common_name, int cn_len,
     char * x509_username_field, openvpn_x509_cert_t *peer_cert);
+    char * x509_username_field, openvpn_x509_cert_t *peer_cert, int cert_depth);
 /*
  * Return the certificate's serial number in decimal string representation.

src/openvpn/ssl_verify_openssl.c

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 19982ae..e5a6904 100644

  cleanup:
+}
 #ifdef ENABLE_X509ALTUSERNAME
+static
+bool extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
+static result_t
+extract_x509_extension(X509 *cert, int cert_depth, char *fieldname,
+                       char *out, int size)
+{
+  bool retval = false;
+  X509_EXTENSION *pExt;
+  char *buf = 0;
+  result_t retval = FAILURE;
+  int nid;
   int length = 0;
   GENERAL_NAMES *extensions;
   int nid = OBJ_txt2nid(fieldname);
+  char *buf  = 0;
+  GENERAL_NAMES *extension;
+  extensions = (GENERAL_NAMES *)X509_get_ext_d2i(cert, nid, NULL, NULL);
+  if ( extensions )
+  nid = OBJ_txt2nid(fieldname);
+  extension = (GENERAL_NAMES *)X509_get_ext_d2i(cert, nid, NULL, NULL);
+  if (!extension && cert_depth == 0)
+      /*
+       * The cert depth is used to filter message logging to just the
+       * client certificate; we're not concerned about the CA(s) here.
+       */
+      msg(D_TLS_ERRORS, "VERIFY ERROR: can not find extension %s",
+          fieldname);
+  else
+    {
       int numalts;
       int i;
+      /* get amount of alternatives,
+       * RFC2459 claims there MUST be at least
+       * one, but we don't depend on it...
+      STACK_OF(CONF_VALUE) *vals = sk_CONF_VALUE_new_null();
+      /* Get the number of alternatives, i.e., GeneralName fields.
+       * RFC5280, Section 4.2.1.6 states there MUST be at least
+       * one and that no GeneralName field may have an empty value.
+       * We will not trust but verify instead.
        */
+      numalts = sk_GENERAL_NAME_num(extensions);
+      /* loop through all alternatives */
+      for (i=0; i<numalts; i++)
+        {
+          /* get a handle to alternative name number i */
+          const GENERAL_NAME *name = sk_GENERAL_NAME_value (extensions, i );
+          switch (name->type)
+            {
+              case GEN_EMAIL:
+                ASN1_STRING_to_UTF8((unsigned char**)&buf, name->d.ia5);
+                if ( strlen (buf) != name->d.ia5->length )
+                  {
+                    msg (D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero");
+                    OPENSSL_free (buf);
+                  } else {
+                    strncpynt(out, buf, size);
+                    OPENSSL_free(buf);
+                    retval = true;
+                  }
+                break;
+              default:
+                msg (D_TLS_ERRORS, "ASN1 ERROR: can not handle field type %i",
+                     name->type);
+                break;
+            }
+          }
+        sk_GENERAL_NAME_free (extensions);
+      i2v_GENERAL_NAMES(NULL, extension, vals);
+      numalts = sk_GENERAL_NAME_num(extension);
+      if (cert_depth == 0)
+        msg(M_INFO, "Found extension %s with %i alternative name(s)", fieldname,
+            numalts);
+      /* loop through all of the alternatives */
+      for (i = 0; i < numalts; i++)
+        {
+          /* Get a handle to alternative GeneralName number "i"
+           * and to its associated OpenSSL configuration name.
+           */
+          const GENERAL_NAME *name = sk_GENERAL_NAME_value(extension, i);
+          const CONF_VALUE *conf   = sk_CONF_VALUE_value(vals, i);
+          switch (name->type)
+            {
+              case GEN_EMAIL:
+                ASN1_STRING_to_UTF8((unsigned char**)&buf, name->d.ia5);
+                if (strlen(buf) != name->d.ia5->length)
+                   msg(D_TLS_ERRORS,
+                       "ASN1 ERROR: field '%s' (%i of %i) has an embedded NUL",
+                       conf->name, i, numalts);
+                else
+                if (name->d.ia5->length == 0)
+                   msg(D_TLS_ERRORS,
+                        "Field '%s' (%i of %i) has an empty value",
+                        conf->name, i, numalts);
+                else
+                  {
+                    strncpynt(out, buf, size);
+                    if (cert_depth == 0)
+                      if (retval == SUCCESS)
+                        msg(M_INFO, "Updating common name to '%s'", out);
+                      else
+                        msg(M_INFO, "Setting common name to '%s'", out);
+                    retval = SUCCESS;
+                  }
+                OPENSSL_free(buf);
+                break;
+              default:
+                if (cert_depth == 0)
+                  msg(D_TLS_DEBUG, "Ignoring alternative type '%s'",
+                      conf->name);
+                break;
+            }
+        }
+      sk_CONF_VALUE_free(vals);
+    }
+  sk_GENERAL_NAME_free(extension);
   return retval;
+}
 #endif /* ENABLE_X509ALTUSERNAME */
-…
+ extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out,
 result_t
 x509_get_username (char *common_name, int cn_len,
     char * x509_username_field, X509 *peer_cert)
+    char * x509_username_field, X509 *peer_cert, int cert_depth)
+{
+  result_t retval;
 #ifdef ENABLE_X509ALTUSERNAME
+  if (strncmp("ext:",x509_username_field,4) == 0)
+    {
+      if (!extract_x509_extension (peer_cert, x509_username_field+4, common_name, cn_len))
+        return FAILURE;
+    } else
+  if (strncmp("ext:", x509_username_field, 4) == 0)
+    retval = extract_x509_extension(peer_cert, cert_depth,
+               x509_username_field+4, common_name, cn_len);
+  else
 #endif
+  if (FAILURE == extract_x509_field_ssl (X509_get_subject_name (peer_cert),
+      x509_username_field, common_name, cn_len))
+      return FAILURE;
+  return SUCCESS;
+    retval = extract_x509_field_ssl(X509_get_subject_name(peer_cert),
+               x509_username_field, common_name, cn_len);
+  return retval;
+}
 char *

src/openvpn/ssl_verify_polarssl.c

diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c
index 8931f8a..25f1550 100644

  verify_callback (void *session_obj, x509_cert *cert, int cert_depth,
 result_t
 x509_get_username (char *cn, int cn_len,
     char *x509_username_field, x509_cert *cert)
+    char *x509_username_field, x509_cert *cert, int cert_depth)
+{
   x509_name *name;

Context Navigation

Ticket #402: 0003-Make-extract_x509_extension-in-ssl_verify_openssl.c-.patch

src/openvpn/ssl_verify.c

src/openvpn/ssl_verify_backend.h

src/openvpn/ssl_verify_openssl.c

src/openvpn/ssl_verify_polarssl.c

Download in other formats: