# HG changeset patch
# User Salmaan Pehlari <salmaanpehlari@gmail.com>
# Date 1593931168 25200
#      Sat Jul 04 23:39:28 2020 -0700
# Node ID 3b843e88de3761b2b71bac3c5fe453e09ae7990e
# Parent  c5840ca2063d26e432264ad0b0fe00c0bd94252c
SSL: Verify IP SAN's in upstream certificates.

Verify IP's in upstream certificates if no host names match.

diff -r c5840ca2063d -r 3b843e88de37 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c     Fri Jul 03 16:16:47 2020 +0300
+++ b/src/event/ngx_event_openssl.c     Sat Jul 04 23:39:28 2020 -0700
@@ -4116,13 +4116,20 @@
     }

     if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) {
-        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                       "X509_check_host(): no match");
-        goto failed;
+
+        char *ip = (char *) ngx_palloc(c->pool, (name->len+1 * sizeof(char)));
+        ngx_memcpy(ip, name->data, name->len);
+        ip[name->len] = '\0';
+
+        if (X509_check_ip_asc(cert, ip, 0) != 1 {
+            ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "X509_check_host() & X590_check_ip_asc: no match");
+            goto failed;
+        }
     }

     ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                   "X509_check_host(): match");
+                   "X509_check_host() | X509_check_ip_asc: match");

     goto found;

@@ -4148,21 +4155,47 @@
         for (i = 0; i < n; i++) {
             altname = sk_GENERAL_NAME_value(altnames, i);

-            if (altname->type != GEN_DNS) {
-                continue;
-            }
-
-            str = altname->d.dNSName;
-
-            ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                           "SSL subjectAltName: \"%*s\"",
-                           ASN1_STRING_length(str), ASN1_STRING_data(str));
-
-            if (ngx_ssl_check_name(name, str) == NGX_OK) {
-                ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                               "SSL subjectAltName: match");
-                GENERAL_NAMES_free(altnames);
-                goto found;
+            if (altname->type == GEN_DNS) {
+
+                str = altname->d.dNSName;
+
+                ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                               "SSL subjectAltName: \"%*s\"",
+                               ASN1_STRING_length(str), ASN1_STRING_data(str));
+
+                if (ngx_ssl_check_name(name, str) == NGX_OK) {
+                    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                                   "SSL subjectAltName: match");
+                    GENERAL_NAMES_free(altnames);
+                    goto found;
+                }
+            } else if (altname->type == GEN_IPADD) {
+                x509_ip = altname->d.iPAddress;
+
+                if (x509_ip && x509_ip->data && x509_ip->length) {
+                    ip = (char *) ngx_palloc(c->pool, (name->len+1 * sizeof(char)));
+                    ngx_memcpy(ip, name->data, name->len);
+                    ip[name->len] = '\0';
+
+                    if (inet_pton(AF_INET, (const char *), ip, &(sa.sin_addr)) != 1) {
+                        if (inet_pton(AF_INET6, (const char *), ip, &(sa.sin_addr)) != 1) {
+                            GENERAL_NAME_free(altnames);
+                            goto failed;
+                        }
+                    }
+
+                    ip_octet = ASN1_OCTET_STRING_new();
+                    ASN1_STRING_set(ip_octet, &san.sin_addr, sizeof(sa.sinaddr));
+
+                    if (ASN1_STRING_cmp(x509_ip, ip_octet) == 0) {
+                        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL subjectAltName IP: match");
+                        ASN1_STRING_free(ip_octet);
+                        GENERAL_NAMES_free(altnames);
+                        goto found;
+                    }
+
+                    ASN1_STRING_free(ip_octet);
+                }
             }
         }
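Review bot: `if (X509_check_ip_asc(cert, ip, 0) != 1 {` is missing its closing parenthesis, so the first hunk does not compile as posted, and the `ngx_palloc` result is used without a NULL check, so an allocation failure dereferences NULL instead of taking the `failed` path. The size expression `name->len+1 * sizeof(char)` parses as `name->len + (1 * sizeof(char))`, which is right only because sizeof(char) is 1; nginx's idiom for a NUL-terminated copy is `ip = ngx_pnalloc(c->pool, name->len + 1); if (ip == NULL) { goto failed; }` followed by `ngx_cpystrn(ip, name->data, name->len + 1);`, with `ip` declared in the function's declaration block rather than mid-block, and the call then reads `if (X509_check_ip_asc(cert, (char *) ip, 0) != 1) {`. The "no match" debug message also misspells the function as `X590_check_ip_asc`. The enclosing function starts before this hunk, so its declaration block is not visible here.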
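Review bot: The IPv6 fallback `inet_pton(AF_INET6, ..., &(sa.sin_addr))` writes a 16-byte in6_addr into the 4-byte sin_addr of a sockaddr_in, a stack overflow, and the comparison then packs only `sizeof(sa.sinaddr)` (4 bytes, and a typo) into the ASN1 temporary, so an IPv6 iPAddress SAN could never match anyway; the stray `(const char *),` arguments, the undeclared `san`, and `GENERAL_NAME_free(altnames)` (should be `GENERAL_NAMES_free`) also keep the branch from compiling. More importantly, the `goto failed` taken when `name` is not an IP literal rejects the certificate at the first iPAddress SAN, so a hostname connection to a certificate carrying both DNS and IP SANs fails verification whenever an IP entry precedes the matching DNS entry; a non-IP name should simply skip iPAddress entries. The `ngx_palloc` and `ASN1_OCTET_STRING_new()` results are never checked, and the copy, the parse and the ASN1 temporary are redone on every SAN although `name` does not change. I would parse `name` once before the loop into a binary address and compare length and bytes directly against `x509_ip->data`, as below; `x509_ip`, `ip`, `sa` and `ip_octet` are not declared anywhere in the patch, and the new locals (`struct in_addr in4; struct in6_addr in6; u_char *ip_bin; size_t ip_len;`) belong in the function's declaration block, which lies outside this hunk, as does the trailing context line the hunk header's counts promise but the mail rendering dropped.
```c
        /* parse the expected name once; a hostname never matches an iPAddress SAN */
        ip_len = 0;

        ip = ngx_pnalloc(c->pool, name->len + 1);
        if (ip == NULL) {
            GENERAL_NAMES_free(altnames);
            goto failed;
        }

        ngx_cpystrn((u_char *) ip, name->data, name->len + 1);

        if (inet_pton(AF_INET, (const char *) ip, &in4) == 1) {
            ip_bin = (u_char *) &in4;
            ip_len = sizeof(struct in_addr);

        } else if (inet_pton(AF_INET6, (const char *) ip, &in6) == 1) {
            ip_bin = (u_char *) &in6;
            ip_len = sizeof(struct in6_addr);
        }

        for (i = 0; i < n; i++) {
            altname = sk_GENERAL_NAME_value(altnames, i);

            if (altname->type == GEN_DNS) {
                /* ... unchanged: DNS SAN check ... */

            } else if (altname->type == GEN_IPADD && ip_len) {
                x509_ip = altname->d.iPAddress;

                if (x509_ip
                    && x509_ip->length == (int) ip_len
                    && ngx_memcmp(x509_ip->data, ip_bin, ip_len) == 0)
                {
                    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                                   "SSL subjectAltName IP: match");
                    GENERAL_NAMES_free(altnames);
                    goto found;
                }
            }
```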