File Coverage

amqp_openssl_hostname_validation.c
Criterion Covered Total %
statement 24 48 50.0
branch 9 26 34.6
condition n/a
subroutine n/a
pod n/a
total 33 74 44.5


line stmt bran cond sub pod time code
1             /*
2             * Copyright (C) 2012, iSEC Partners.
3             * Copyright (C) 2015 Alan Antonuk.
4             *
5             * All rights reserved.
6             *
7             * Permission to use, copy, modify, and distribute this software for any
8             * purpose with or without fee is hereby granted, provided that the above
9             * copyright notice and this permission notice appear in all copies.
10             *
11             * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
12             * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13             * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14             * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
15             * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
16             * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
17             * USE OR OTHER DEALINGS IN THE SOFTWARE.
18             *
19             * Except as contained in this notice, the name of a copyright holder shall
20             * not be used in advertising or otherwise to promote the sale, use or other
21             * dealings in this Software without prior written authorization of the
22             * copyright holder.
23             */
24              
25             /* Originally from:
26             * https://github.com/iSECPartners/ssl-conservatory
27             * https://wiki.openssl.org/index.php/Hostname_validation
28             */
29              
30             #if defined(_WIN32)
31             #define WIN32_LEAN_AND_MEAN
32             #endif
33              
34             #include
35             #include
36              
37             #include "amqp_hostcheck.h"
38             #include "amqp_openssl_bio.h"
39             #include "amqp_openssl_hostname_validation.h"
40              
41             #include
42              
43             #define HOSTNAME_MAX_SIZE 255
44              
45             /**
46             * Tries to find a match for hostname in the certificate's Common Name field.
47             *
48             * Returns AMQP_HVR_MATCH_FOUND if a match was found.
49             * Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found.
50             * Returns AMQP_HVR_MALFORMED_CERTIFICATE if the Common Name had a NUL character
51             * embedded in it.
52             * Returns AMQP_HVR_ERROR if the Common Name could not be extracted.
53             */
54 0           static amqp_hostname_validation_result amqp_matches_common_name(
55             const char *hostname, const X509 *server_cert) {
56 0           int common_name_loc = -1;
57 0           X509_NAME_ENTRY *common_name_entry = NULL;
58 0           ASN1_STRING *common_name_asn1 = NULL;
59 0           const char *common_name_str = NULL;
60              
61             // Find the position of the CN field in the Subject field of the certificate
62 0           common_name_loc = X509_NAME_get_index_by_NID(
63             X509_get_subject_name((X509 *)server_cert), NID_commonName, -1);
64 0 0         if (common_name_loc < 0) {
65 0           return AMQP_HVR_ERROR;
66             }
67              
68             // Extract the CN field
69 0           common_name_entry = X509_NAME_get_entry(
70             X509_get_subject_name((X509 *)server_cert), common_name_loc);
71 0 0         if (common_name_entry == NULL) {
72 0           return AMQP_HVR_ERROR;
73             }
74              
75             // Convert the CN field to a C string
76 0           common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);
77 0 0         if (common_name_asn1 == NULL) {
78 0           return AMQP_HVR_ERROR;
79             }
80              
81             #ifdef AMQP_OPENSSL_V110
82             common_name_str = (const char *)ASN1_STRING_get0_data(common_name_asn1);
83             #else
84 0           common_name_str = (char *)ASN1_STRING_data(common_name_asn1);
85             #endif
86              
87             // Make sure there isn't an embedded NUL character in the CN
88 0 0         if ((size_t)ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) {
89 0           return AMQP_HVR_MALFORMED_CERTIFICATE;
90             }
91              
92             // Compare expected hostname with the CN
93 0 0         if (amqp_hostcheck(common_name_str, hostname) == AMQP_HCR_MATCH) {
94 0           return AMQP_HVR_MATCH_FOUND;
95             } else {
96 0           return AMQP_HVR_MATCH_NOT_FOUND;
97             }
98             }
99              
100             /**
101             * Tries to find a match for hostname in the certificate's Subject Alternative
102             * Name extension.
103             *
104             * Returns AMQP_HVR_MATCH_FOUND if a match was found.
105             * Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found.
106             * Returns AMQP_HVR_MALFORMED_CERTIFICATE if any of the hostnames had a NUL
107             * character embedded in it.
108             * Returns AMQP_HVR_NO_SAN_PRESENT if the SAN extension was not present in the
109             * certificate.
110             */
111 1           static amqp_hostname_validation_result amqp_matches_subject_alternative_name(
112             const char *hostname, const X509 *server_cert) {
113 1           amqp_hostname_validation_result result = AMQP_HVR_MATCH_NOT_FOUND;
114             int i;
115 1           int san_names_nb = -1;
116 1           STACK_OF(GENERAL_NAME) *san_names = NULL;
117              
118             // Try to extract the names within the SAN extension from the certificate
119 1           san_names =
120             X509_get_ext_d2i((X509 *)server_cert, NID_subject_alt_name, NULL, NULL);
121 1 50         if (san_names == NULL) {
122 0           return AMQP_HVR_NO_SAN_PRESENT;
123             }
124 1           san_names_nb = sk_GENERAL_NAME_num(san_names);
125              
126             // Check each name within the extension
127 2 50         for (i = 0; i < san_names_nb; i++) {
128 2           const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i);
129              
130 2 50         if (current_name->type == GEN_DNS) {
131             // Current name is a DNS name, let's check it
132 2           const char *dns_name = (const char *)
133             #ifdef AMQP_OPENSSL_V110
134             ASN1_STRING_get0_data(current_name->d.dNSName);
135             #else
136 2           ASN1_STRING_data(current_name->d.dNSName);
137             #endif
138              
139             // Make sure there isn't an embedded NUL character in the DNS name
140 2 50         if ((size_t)ASN1_STRING_length(current_name->d.dNSName) !=
141 2           strlen(dns_name)) {
142 0           result = AMQP_HVR_MALFORMED_CERTIFICATE;
143 0           break;
144             } else { // Compare expected hostname with the DNS name
145 2 100         if (amqp_hostcheck(dns_name, hostname) == AMQP_HCR_MATCH) {
146 1           result = AMQP_HVR_MATCH_FOUND;
147 1           break;
148             }
149             }
150             }
151             }
152 1           sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
153              
154 1           return result;
155             }
156              
157             /**
158             * Validates the server's identity by looking for the expected hostname in the
159             * server's certificate. As described in RFC 6125, it first tries to find a
160             * match in the Subject Alternative Name extension. If the extension is not
161             * present in the certificate, it checks the Common Name instead.
162             *
163             * Returns AMQP_HVR_MATCH_FOUND if a match was found.
164             * Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found.
165             * Returns AMQP_HVR_MALFORMED_CERTIFICATE if any of the hostnames had a NUL
166             * character embedded in it.
167             * Returns AMQP_HVR_ERROR if there was an error.
168             */
169 1           amqp_hostname_validation_result amqp_ssl_validate_hostname(
170             const char *hostname, const X509 *server_cert) {
171             amqp_hostname_validation_result result;
172              
173 1 50         if ((hostname == NULL) || (server_cert == NULL)) return AMQP_HVR_ERROR;
    50          
174              
175             // First try the Subject Alternative Names extension
176 1           result = amqp_matches_subject_alternative_name(hostname, server_cert);
177 1 50         if (result == AMQP_HVR_NO_SAN_PRESENT) {
178             // Extension was not found: try the Common Name
179 0           result = amqp_matches_common_name(hostname, server_cert);
180             }
181              
182 1           return result;
183             }