From: Denis Kenzior <denkenz@gmail.com>
To: ell@lists.01.org
Subject: Re: [PATCH 6/8] tls: Validate peer certificate's DNSNames against mask
Date: Fri, 23 Aug 2019 09:27:12 -0500
Message-ID: <f19e8119-346b-6a28-fe45-53cf98683ec3@gmail.com>
In-Reply-To: <20190823004138.5480-6-andrew.zaborowski@intel.com>


Hi Andrew,

On 8/22/19 7:41 PM, Andrew Zaborowski wrote:
> Also return success in the domain_mask check if any of the DNSNames in
> the peer certificate's subjectAltName extension matches any of the mask
> strings supplied.
> ---
>   ell/tls.c | 49 ++++++++++++++++++++++++++++++++++++++++++++-----
>   1 file changed, 44 insertions(+), 5 deletions(-)
> 
> diff --git a/ell/tls.c b/ell/tls.c
> index 3fe2ff5..f1d73bd 100644
> --- a/ell/tls.c
> +++ b/ell/tls.c
> @@ -675,6 +675,10 @@ ok_next:
>   
>   static const struct asn1_oid dn_common_name_oid =
>   	{ 3, { 0x55, 0x04, 0x03 } };
> +static const struct asn1_oid subject_alt_name_oid =
> +	{ 3, { 0x55, 0x1d, 0x11 } };
> +
> +#define SAN_DNS_NAME_ID ASN1_CONTEXT_IMPLICIT(2)
>   
>   static bool tls_cert_domains_match_mask(struct l_cert *cert, char **mask)
>   {
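Review bot: subject_alt_name_oid and SAN_DNS_NAME_ID are introduced without a comment saying what they encode; a one-line note that { 0x55, 0x1d, 0x11 } is id-ce-subjectAltName (2.5.29.17, RFC 5280 section 4.2.1.6) and that ASN1_CONTEXT_IMPLICIT(2) is the dNSName choice of GeneralName, an IA5String carried under an implicit tag, would spare the next reader a lookup. The implicit tag matters for the parser too: there is no IA5String type byte to check, so the string's character set has to be validated by whoever consumes the value.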
> @@ -682,10 +686,14 @@ static bool tls_cert_domains_match_mask(struct l_cert *cert, char **mask)
>   	size_t dn_size;
>   	const char *cn = NULL;
>   	size_t cn_len;
> +	const uint8_t *san;
> +	size_t san_len;
> +	uint8_t san_tag;
> +	char **i;
>   
>   	/*
>   	 * Retrieve the Common Name from the Subject DN and check if it
> -	 * matches.  TODO: possibly also look at SubjectAltName.
> +	 * matches.
>   	 */
>   
>   	dn = l_cert_get_dn(cert, &dn_size);
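Review bot: `char **i` is a misleading name for the cursor over the mask list, since `i` reads as an integer index; `m` or `mask_iter` would be clearer, and declaring it next to the loops that use it would keep the original `for (; *mask; mask++)` shape readable. The reworked comment also now says only that the CN is retrieved and matched, while the function goes on to walk SubjectAltName; one sentence stating which of the two takes precedence would document the policy the function implements.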
> @@ -725,12 +733,43 @@ static bool tls_cert_domains_match_mask(struct l_cert *cert, char **mask)
>   		}
>   	}
>   
> -	if (!cn)
> +	if (cn)
> +		for (i = mask; *i; i++)
> +			if (tls_domain_match_mask(cn, cn_len, *i, strlen(*i)))
> +				return true;
> +
> +	/*
> +	 * Locate SubjectAltName (RFC5280 Section 4.2.1.6) and descend into
> +	 * the sole SEQUENCE element, check if any DNSName matches.
> +	 */

So I think the recommended approach is to check all SubjectAltName 
dNSName tags first.  And only then try to match the CN, no?

> +	san = cert_get_extension(cert, &subject_alt_name_oid, NULL, &san_len);
> +	if (!san)
>   		return false;
>   
> -	for (; *mask; mask++)
> -		if (tls_domain_match_mask(cn, cn_len, *mask, strlen(*mask)))
> -			return true;
> +	san = asn1_der_find_elem(san, san_len, 0, &san_tag, &san_len);
> +	if (unlikely(!san || san_tag != ASN1_ID_SEQUENCE))
> +		return NULL;
> +
> +	end = san + san_len;
> +	while (san < end) {
> +		const uint8_t *value;
> +		uint8_t tag;
> +		size_t len;
> +
> +		value = asn1_der_find_elem(san, end - san, SAN_DNS_NAME_ID,
> +						&tag, &len);
> +		if (!value)
> +			return false;
> +
> +		/* Type is implicitly IA5STRING */
> +
> +		for (i = mask; *i; i++)
> +			if (tls_domain_match_mask((const char *) value, len,
> +							*i, strlen(*i)))
> +				return true;
> +
> +		san = value + len;
> +	}
>   
>   	return false;
>   }
> 
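Review bot: the `if (unlikely(!san || san_tag != ASN1_ID_SEQUENCE))` branch returns NULL from a function declared bool; it compiles because NULL is 0, but it should read `return false;` like the other failure paths. The bigger problem is the order of the two checks: the `if (cn)` loop runs before the SAN walk, so a certificate whose dNSName entries all fail the mask still passes when its CN happens to match. RFC 6125 section 6.4.4 wants the reverse: walk the SubjectAltName first, remember whether any dNSName was present, and consult the CN only when there was none, i.e. move the CN loop below the `while (san < end)` loop and guard it with a flag set when a dNSName is found. Two smaller points: `end` is assigned (`end = san + san_len;`) but not declared in this hunk, so it presumably reuses the variable from the DN walk earlier in the function, which is fine but deserves a comment; and the dNSName bytes go to tls_domain_match_mask as `(const char *) value` with an explicit `len`, which is only safe if that function never falls back to NUL termination, otherwise an embedded NUL in the IA5String shortens the comparison.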

Regards,
-Denis
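The ordering question raised above, as an added example that is neither ell's code nor the patch under review: a small Python model of a domain-mask check that walks the SubjectAltName dNSName entries first and consults the CN only when the certificate carries no dNSName at all (RFC 6125 section 6.4.4), and that treats a malformed SAN as a rejection rather than a reason to fall back to the CN. The DER walker der_elem, the helpers san_dnsnames, label_match_mask and cert_matches_masks, the mask syntax (a "*" label matches exactly one label, label counts must agree) and the sample bytes SAMPLE_SAN and SHORT_SAN are all assumptions made for this example, not ell's API or its mask semantics.

```python
"""Added example, not ell's code: RFC 6125 section 6.4.4 ordering over a
DER-encoded SubjectAltName, with constructed sample input."""
from __future__ import annotations

SEQUENCE = 0x30
DNSNAME = 0x82  # GeneralName choice [2] IMPLICIT IA5String


def der_elem(buf: bytes, off: int) -> tuple[int, bytes, int]:
    """Decode one DER TLV at buf[off:]; return (tag, content, next offset).
    Raises ValueError when the header or the claimed length overruns buf."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    hdr = off + 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or hdr + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[hdr:hdr + n], "big")
        hdr += n
    else:
        length = first
    if hdr + length > len(buf):
        raise ValueError("content overruns buffer")
    return tag, buf[hdr:hdr + length], hdr + length


def san_dnsnames(san: bytes) -> list[str]:
    """Every dNSName in a SubjectAltName value (the SEQUENCE OF GeneralName).
    Other GeneralName choices are skipped; malformed input raises ValueError."""
    tag, seq, end = der_elem(san, 0)
    if tag != SEQUENCE or end != len(san):
        raise ValueError("SubjectAltName is not a single SEQUENCE")
    names, off = [], 0
    while off < len(seq):
        tag, value, off = der_elem(seq, off)
        if tag != DNSNAME:
            continue
        if b"\0" in value or not value.isascii():
            raise ValueError("dNSName must be an IA5String without NUL")
        names.append(value.decode("ascii"))
    return names


def label_match_mask(name: str, mask: str) -> bool:
    """Assumed mask syntax for this example: a "*" label matches any single
    label, other labels must match exactly (case-insensitively), and the
    label counts must agree, so "*.example.org" does not match "example.org"."""
    nl, ml = name.lower().split("."), mask.lower().split(".")
    if len(nl) != len(ml) or "" in nl or "" in ml:
        return False
    return all(m == "*" or n == m for n, m in zip(nl, ml))


def cert_matches_masks(san: bytes | None, cn: str | None, masks: list[str]) -> bool:
    """dNSName entries decide whenever the SAN carries any; the CN is consulted
    only for a certificate with no dNSName at all (RFC 6125 section 6.4.4).
    A malformed SAN rejects the certificate instead of falling back to the CN."""
    if san is not None:
        try:
            names = san_dnsnames(san)
        except ValueError:
            return False
        if names:
            return any(label_match_mask(n, m) for n in names for m in masks)
    if cn is None:
        return False
    return any(label_match_mask(cn, m) for m in masks)


# Constructed sample SAN: dNSName "www.example.org", dNSName "example.org",
# rfc822Name "admin@example.org" (a non-dNSName entry, which must be skipped).
SAMPLE_SAN = (b"\x30\x31"
              b"\x82\x0f" b"www.example.org"
              b"\x82\x0b" b"example.org"
              b"\x81\x11" b"admin@example.org")
# Constructed sample whose dNSName claims five bytes but only carries two.
SHORT_SAN = b"\x30\x04" b"\x82\x05" b"ab"

if __name__ == "__main__":
    cn = "cn-only.example.org"
    print(cert_matches_masks(SAMPLE_SAN, cn, ["*.example.org"]))  # True: dNSName matched
    print(cert_matches_masks(SAMPLE_SAN, cn, [cn]))               # False: CN not consulted
    print(cert_matches_masks(None, cn, [cn]))                     # True: no SAN, CN fallback
    print(cert_matches_masks(SHORT_SAN, cn, ["*.example.org"]))   # False: malformed SAN
```

The second call is the case the patch gets wrong as posted: the CN would match, but because the certificate carries dNSName entries the CN is never consulted, so the result is a rejection. The fourth call shows why a parse failure must be an error and not a "no SAN" condition: if it fell through to the CN, a truncated extension would reopen the CN path.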


Thread overview: 15+ messages
2019-08-23  0:41 [PATCH 1/8] tls: Implement l_tls_set_domain_mask Andrew Zaborowski
2019-08-23  0:41 ` [PATCH 2/8] unit: Add l_tls_set_domain_mask tests Andrew Zaborowski
2019-08-23  0:41 ` [PATCH 3/8] asn1-private: Handle Context-specific tag class Andrew Zaborowski
2019-08-23  0:41 ` [PATCH 4/8] cert: Implement l_cert_get_extension Andrew Zaborowski
2019-08-23  0:41 ` [PATCH 5/8] strv: Implement l_strv_copy Andrew Zaborowski
2019-08-23 14:16   ` Denis Kenzior
2019-08-23  0:41 ` [PATCH 6/8] tls: Validate peer certificate's DNSNames against mask Andrew Zaborowski
2019-08-23 14:27   ` Denis Kenzior [this message]
2019-08-23 17:51     ` Andrew Zaborowski
2019-08-23 20:21       ` Denis Kenzior
2019-08-23 23:50         ` Andrew Zaborowski
2019-08-23  0:41 ` [PATCH 7/8] build: Add DNSNames to the test server cert Andrew Zaborowski
2019-08-23 14:29   ` Denis Kenzior
2019-08-23  0:41 ` [PATCH 8/8] unit: Add TLS tests for cert's DNSName matching Andrew Zaborowski
2019-08-23 14:28 ` [PATCH 1/8] tls: Implement l_tls_set_domain_mask Denis Kenzior
