[PATCH] SSL: Verify IP SAN's in upstream certificates
Salmaan Pehlari
salmaanpehlari at gmail.com
Sun Jul 5 07:51:07 UTC 2020
# HG changeset patch
# User Salmaan Pehlari <salmaanpehlari at gmail.com>
# Date 1593931168 25200
# Sat Jul 04 23:39:28 2020 -0700
# Node ID 3b843e88de3761b2b71bac3c5fe453e09ae7990e
# Parent c5840ca2063d26e432264ad0b0fe00c0bd94252c
SSL: Verify IP SAN's in upstream certificates.
Verify IPs in upstream certificates if no host names match.
diff -r c5840ca2063d -r 3b843e88de37 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Fri Jul 03 16:16:47 2020 +0300
+++ b/src/event/ngx_event_openssl.c Sat Jul 04 23:39:28 2020 -0700
@@ -4116,13 +4116,20 @@
}
if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) {
- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
- "X509_check_host(): no match");
- goto failed;
+
+ char *ip = (char *) ngx_palloc(c->pool, (name->len+1 * sizeof(char)));
+ ngx_memcpy(ip, name->data, name->len);
+ ip[name->len] = '\0';
+
+ if (X509_check_ip_asc(cert, ip, 0) != 1 {
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "X509_check_host() & X590_check_ip_asc: no match");
+ goto failed;
+ }
}
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
- "X509_check_host(): match");
+ "X509_check_host() | X509_check_ip_asc: match");
goto found;
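Review bot: The new `X509_check_ip_asc` condition is missing its closing parenthesis (`!= 1 {`), so this hunk does not compile as posted; it should read `if (X509_check_ip_asc(cert, ip, 0) != 1) {`. Two lines above, the `ngx_palloc` result is used without a NULL check, and the size expression `name->len+1 * sizeof(char)` only yields `name->len + 1` because `1 * sizeof(char)` binds first, which reads as an off-by-one to anyone skimming it; `ip = ngx_palloc(c->pool, name->len + 1); if (ip == NULL) { goto failed; }` is both safe and unambiguous. The failure log message also misspells the function as `X590_check_ip_asc`. The enclosing function starts before this hunk, and the same allocation pattern is repeated in the second hunk.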
@@ -4148,21 +4155,47 @@
for (i = 0; i < n; i++) {
altname = sk_GENERAL_NAME_value(altnames, i);
- if (altname->type != GEN_DNS) {
- continue;
- }
-
- str = altname->d.dNSName;
-
- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
- "SSL subjectAltName: \"%*s\"",
- ASN1_STRING_length(str), ASN1_STRING_data(str));
-
- if (ngx_ssl_check_name(name, str) == NGX_OK) {
- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
- "SSL subjectAltName: match");
- GENERAL_NAMES_free(altnames);
- goto found;
+ if (altname->type == GEN_DNS) {
+
+ str = altname->d.dNSName;
+
+ ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "SSL subjectAltName: \"%*s\"",
+ ASN1_STRING_length(str), ASN1_STRING_data(str));
+
+ if (ngx_ssl_check_name(name, str) == NGX_OK) {
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "SSL subjectAltName: match");
+ GENERAL_NAMES_free(altnames);
+ goto found;
+ }
+ } else if (altname->type == GEN_IPADD) {
+ x509_ip = altname->d.iPAddress;
+
+ if (x509_ip && x509_ip->data && x509_ip->length) {
+ ip = (char *) ngx_palloc(c->pool, (name->len+1 * sizeof(char)));
+ ngx_memcpy(ip, name->data, name->len);
+ ip[name->len] = '\0';
+
+ if (inet_pton(AF_INET, (const char *), ip, &(sa.sin_addr)) != 1) {
+ if (inet_pton(AF_INET6, (const char *), ip, &(sa.sin_addr)) != 1) {
+ GENERAL_NAME_free(altnames);
+ goto failed;
+ }
+ }
+
+ ip_octet = ASN1_OCTET_STRING_new();
+ ASN1_STRING_set(ip_octet, &san.sin_addr, sizeof(sa.sinaddr));
+
+ if (ASN1_STRING_cmp(x509_ip, ip_octet) == 0) {
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL subjectAltName IP: match");
+ ASN1_STRING_free(ip_octet);
+ GENERAL_NAMES_free(altnames);
+ goto found;
+ }
+
+ ASN1_STRING_free(ip_octet);
+ }
}
}
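Review bot: In the new `GEN_IPADD` branch the IPv6 fallback passes `&(sa.sin_addr)`, a 4-byte `struct in_addr`, to `inet_pton(AF_INET6, ...)`, which writes 16 bytes and overruns the stack object, and since `ASN1_STRING_set` is then given `sizeof(sa.sinaddr)` (always 4) an IPv6 SAN can never compare equal anyway. Independently of that, `(const char *), ip`, `san.sin_addr`, `sa.sinaddr` and `GENERAL_NAME_free(altnames)` (should be `GENERAL_NAMES_free`) are all errors that stop the file from compiling. When the configured name is not an IP literal the branch jumps to `failed` on the first IP SAN instead of moving on, so a DNS-named upstream whose certificate lists an IP SAN before the matching dNSName is rejected, and the pool allocation and parse are redone for every SAN in the loop. I would NUL-terminate and parse the name once before the `for` (the loop header is the first line of this hunk) into separate `in_addr`/`in6_addr` locals, declared with the other new locals outside the hunk, and compare the raw bytes against `iPAddress` with `ngx_memcmp`, which needs no `ASN1_OCTET_STRING` temporary and no cleanup on the early exits.
```c
/* NUL-terminate and parse the configured name once; a name that is not
 * an IP literal can only be matched by the dNSName entries below */
ip = ngx_palloc(c->pool, name->len + 1);
if (ip == NULL) {
    GENERAL_NAMES_free(altnames);
    goto failed;
}
ngx_memcpy(ip, name->data, name->len);
ip[name->len] = '\0';

if (inet_pton(AF_INET, ip, &in4) == 1) {
    addr = (u_char *) &in4;
    addr_len = sizeof(struct in_addr);
} else if (inet_pton(AF_INET6, ip, &in6) == 1) {
    addr = (u_char *) &in6;
    addr_len = sizeof(struct in6_addr);
} else {
    addr = NULL;
    addr_len = 0;
}

for (i = 0; i < n; i++) {
    altname = sk_GENERAL_NAME_value(altnames, i);

    if (altname->type == GEN_DNS) {
        /* … unchanged: dNSName logging and ngx_ssl_check_name() … */

    } else if (altname->type == GEN_IPADD) {
        x509_ip = altname->d.iPAddress;

        /* a non-IP name, or an IP of a different family, simply does not match */
        if (addr == NULL || x509_ip == NULL || x509_ip->data == NULL
            || (size_t) x509_ip->length != addr_len
            || ngx_memcmp(x509_ip->data, addr, addr_len) != 0)
        {
            continue;
        }

        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "SSL subjectAltName IP: match");
        GENERAL_NAMES_free(altnames);
        goto found;
    }
}
```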