[PATCH] SSL: Verify IP SAN's in upstream certificates

Salmaan Pehlari salmaanpehlari at gmail.com
Sun Jul 5 07:51:07 UTC 2020


# HG changeset patch
# User Salmaan Pehlari <salmaanpehlari at gmail.com>
# Date 1593931168 25200
#      Sat Jul 04 23:39:28 2020 -0700
# Node ID 3b843e88de3761b2b71bac3c5fe453e09ae7990e
# Parent  c5840ca2063d26e432264ad0b0fe00c0bd94252c
SSL: Verify IP SAN's in upstream certificates.

Verify IP's in upstream certificates if no host names match.

diff -r c5840ca2063d -r 3b843e88de37 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Fri Jul 03 16:16:47 2020 +0300
+++ b/src/event/ngx_event_openssl.c	Sat Jul 04 23:39:28 2020 -0700
@@ -4116,13 +4116,20 @@
     }
 
     if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) {
-        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                       "X509_check_host(): no match");
-        goto failed;
+
+        char *ip = (char *) ngx_palloc(c->pool, (name->len+1 * sizeof(char)));
+        ngx_memcpy(ip, name->data, name->len);
+        ip[name->len] = '\0';
+
+        if (X509_check_ip_asc(cert, ip, 0) != 1 {
+            ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "X509_check_host() & X590_check_ip_asc: no match");
+            goto failed;
+        }
     }
 
     ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                   "X509_check_host(): match");
+                   "X509_check_host() | X509_check_ip_asc: match");
 
     goto found;
 
@@ -4148,21 +4155,47 @@
         for (i = 0; i < n; i++) {
             altname = sk_GENERAL_NAME_value(altnames, i);
 
-            if (altname->type != GEN_DNS) {
-                continue;
-            }
-
-            str = altname->d.dNSName;
-
-            ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                           "SSL subjectAltName: \"%*s\"",
-                           ASN1_STRING_length(str), ASN1_STRING_data(str));
-
-            if (ngx_ssl_check_name(name, str) == NGX_OK) {
-                ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                               "SSL subjectAltName: match");
-                GENERAL_NAMES_free(altnames);
-                goto found;
+            if (altname->type == GEN_DNS) {
+
+                str = altname->d.dNSName;
+
+                ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                               "SSL subjectAltName: \"%*s\"",
+                               ASN1_STRING_length(str), ASN1_STRING_data(str));
+
+                if (ngx_ssl_check_name(name, str) == NGX_OK) {
+                    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                                   "SSL subjectAltName: match");
+                    GENERAL_NAMES_free(altnames);
+                    goto found;
+                }
+            } else if (altname->type == GEN_IPADD) {
+                x509_ip = altname->d.iPAddress;
+
+                if (x509_ip && x509_ip->data && x509_ip->length) {
+                    ip = (char *) ngx_palloc(c->pool, (name->len+1 * sizeof(char)));
+                    ngx_memcpy(ip, name->data, name->len);
+                    ip[name->len] = '\0';
+
+                    if (inet_pton(AF_INET, (const char *), ip, &(sa.sin_addr)) != 1) {
+                        if (inet_pton(AF_INET6, (const char *), ip, &(sa.sin_addr)) != 1) {
+                            GENERAL_NAME_free(altnames);
+                            goto failed;
+                        }
+                    }
+
+                    ip_octet = ASN1_OCTET_STRING_new();
+                    ASN1_STRING_set(ip_octet, &san.sin_addr, sizeof(sa.sinaddr));
+
+                    if (ASN1_STRING_cmp(x509_ip, ip_octet) == 0) {
+                        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL subjectAltName IP: match");
+                        ASN1_STRING_free(ip_octet);
+                        GENERAL_NAMES_free(altnames);
+                        goto found;
+                    }
+
+                    ASN1_STRING_free(ip_octet);
+                }
             }
         }
 


More information about the nginx-devel mailing list