UNPKG

noflo-runtime-msgflo/mosquitto-1.3.1/lib/tls_mosq.c

Version:

4.58 kBtext/x-cView Raw

1/*
2Copyright (c) 2013 Roger Light <roger@atchoo.org>
3All rights reserved.
4
5Redistribution and use in source and binary forms, with or without
6modification, are permitted provided that the following conditions are met:
7
81. Redistributions of source code must retain the above copyright notice,
9   this list of conditions and the following disclaimer.
102. Redistributions in binary form must reproduce the above copyright
11   notice, this list of conditions and the following disclaimer in the
12   documentation and/or other materials provided with the distribution.
133. Neither the name of mosquitto nor the names of its
14   contributors may be used to endorse or promote products derived from
15   this software without specific prior written permission.
16
17THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
18AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
21LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
23SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
24INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
25CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
26ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27POSSIBILITY OF SUCH DAMAGE.
28*/
29
30#ifdef WITH_TLS
31
32#ifdef WIN32
33#  include <winsock2.h>
34#  include <ws2tcpip.h>
35#else
36#  include <arpa/inet.h>
37#endif
38
39#include <string.h>
40#include <openssl/conf.h>
41#include <openssl/x509v3.h>
42#include <openssl/ssl.h>
43
44#ifdef WITH_BROKER
45#  include "mosquitto_broker.h"
46#endif
47#include "mosquitto_internal.h"
48#include "tls_mosq.h"
49
50extern int tls_ex_index_mosq;
51
52int _mosquitto_server_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx)
53{
54	/* Preverify should have already checked expiry, revocation.
55	 * We need to verify the hostname. */
56	struct mosquitto *mosq;
57	SSL *ssl;
58	X509 *cert;
59
60	/* Always reject if preverify_ok has failed. */
61	if(!preverify_ok) return 0;
62
63	ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
64	mosq = SSL_get_ex_data(ssl, tls_ex_index_mosq);
65	if(!mosq) return 0;
66
67	if(mosq->tls_insecure == false){
68		if(X509_STORE_CTX_get_error_depth(ctx) == 0){
69			/* FIXME - use X509_check_host() etc. for sufficiently new openssl (>=1.1.x) */
70			cert = X509_STORE_CTX_get_current_cert(ctx);
71			/* This is the peer certificate, all others are upwards in the chain. */
72#if defined(WITH_BROKER)
73			return _mosquitto_verify_certificate_hostname(cert, mosq->bridge->addresses[mosq->bridge->cur_address].address);
74#else
75			return _mosquitto_verify_certificate_hostname(cert, mosq->host);
76#endif
77		}else{
78			return preverify_ok;
79		}
80	}else{
81		return preverify_ok;
82	}
83}
84
85/* This code is based heavily on the example provided in "Secure Programming
86 * Cookbook for C and C++".
87 */
88int _mosquitto_verify_certificate_hostname(X509 *cert, const char *hostname)
89{
90	int i;
91	char name[256];
92	X509_NAME *subj;
93	bool have_san_dns = false;
94	STACK_OF(GENERAL_NAME) *san;
95	const GENERAL_NAME *nval;
96	const unsigned char *data;
97	unsigned char ipv6_addr[16];
98	unsigned char ipv4_addr[4];
99	int ipv6_ok;
100	int ipv4_ok;
101
102#ifdef WIN32
103	ipv6_ok = InetPton(AF_INET6, hostname, &ipv6_addr);
104	ipv4_ok = InetPton(AF_INET, hostname, &ipv4_addr);
105#else
106	ipv6_ok = inet_pton(AF_INET6, hostname, &ipv6_addr);
107	ipv4_ok = inet_pton(AF_INET, hostname, &ipv4_addr);
108#endif
109
110	san = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
111	if(san){
112		for(i=0; i<sk_GENERAL_NAME_num(san); i++){
113			nval = sk_GENERAL_NAME_value(san, i);
114			if(nval->type == GEN_DNS){
115				data = ASN1_STRING_data(nval->d.dNSName);
116				if(data && !strcasecmp((char *)data, hostname)){
117					return 1;
118				}
119				have_san_dns = true;
120			}else if(nval->type == GEN_IPADD){
121				data = ASN1_STRING_data(nval->d.iPAddress);
122				if(nval->d.iPAddress->length == 4 && ipv4_ok){
123					if(!memcmp(ipv4_addr, data, 4)){
124						return 1;
125					}
126				}else if(nval->d.iPAddress->length == 16 && ipv6_ok){
127					if(!memcmp(ipv6_addr, data, 16)){
128						return 1;
129					}
130				}
131			}
132		}
133		if(have_san_dns){
134			/* Only check CN if subjectAltName DNS entry does not exist. */
135			return 0;
136		}
137	}
138	subj = X509_get_subject_name(cert);
139	if(X509_NAME_get_text_by_NID(subj, NID_commonName, name, sizeof(name)) > 0){
140		name[sizeof(name) - 1] = '\0';
141		if (!strcasecmp(name, hostname)) return 1;
142	}
143	return 0;
144}
145
146#endif
147

1	`/*`
2	`Copyright (c) 2013 Roger Light <roger@atchoo.org>`
3	`All rights reserved.`
4
5	`Redistribution and use in source and binary forms, with or without`
6	`modification, are permitted provided that the following conditions are met:`
7
8	`1. Redistributions of source code must retain the above copyright notice,`
9	`this list of conditions and the following disclaimer.`
10	`2. Redistributions in binary form must reproduce the above copyright`
11	`notice, this list of conditions and the following disclaimer in the`
12	`documentation and/or other materials provided with the distribution.`
13	`3. Neither the name of mosquitto nor the names of its`
14	`contributors may be used to endorse or promote products derived from`
15	`this software without specific prior written permission.`
16
17	`THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"`
18	`AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
19	`IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE`
20	`ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE`
21	`LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR`
22	`CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF`
23	`SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS`
24	`INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN`
25	`CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)`
26	`ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE`
27	`POSSIBILITY OF SUCH DAMAGE.`
28	`*/`
29
30	`#ifdef WITH_TLS`
31
32	`#ifdef WIN32`
33	`# include <winsock2.h>`
34	`# include <ws2tcpip.h>`
35	`#else`
36	`# include <arpa/inet.h>`
37	`#endif`
38
39	`#include <string.h>`
40	`#include <openssl/conf.h>`
41	`#include <openssl/x509v3.h>`
42	`#include <openssl/ssl.h>`
43
44	`#ifdef WITH_BROKER`
45	`# include "mosquitto_broker.h"`
46	`#endif`
47	`#include "mosquitto_internal.h"`
48	`#include "tls_mosq.h"`
49
50	`extern int tls_ex_index_mosq;`
51
52	`int _mosquitto_server_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx)`
53	`{`
54	`/* Preverify should have already checked expiry, revocation.`
55	`* We need to verify the hostname. */`
56	`struct mosquitto *mosq;`
57	`SSL *ssl;`
58	`X509 *cert;`
59
60	`/* Always reject if preverify_ok has failed. */`
61	`if(!preverify_ok) return 0;`
62
63	`ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());`
64	`mosq = SSL_get_ex_data(ssl, tls_ex_index_mosq);`
65	`if(!mosq) return 0;`
66
67	`if(mosq->tls_insecure == false){`
68	`if(X509_STORE_CTX_get_error_depth(ctx) == 0){`
69	`/* FIXME - use X509_check_host() etc. for sufficiently new openssl (>=1.1.x) */`
70	`cert = X509_STORE_CTX_get_current_cert(ctx);`
71	`/* This is the peer certificate, all others are upwards in the chain. */`
72	`#if defined(WITH_BROKER)`
73	`return _mosquitto_verify_certificate_hostname(cert, mosq->bridge->addresses[mosq->bridge->cur_address].address);`
74	`#else`
75	`return _mosquitto_verify_certificate_hostname(cert, mosq->host);`
76	`#endif`
77	`}else{`
78	`return preverify_ok;`
79	`}`
80	`}else{`
81	`return preverify_ok;`
82	`}`
83	`}`
84
85	`/* This code is based heavily on the example provided in "Secure Programming`
86	`* Cookbook for C and C++".`
87	`*/`
88	`int _mosquitto_verify_certificate_hostname(X509 cert, const char hostname)`
89	`{`
90	`int i;`
91	`char name[256];`
92	`X509_NAME *subj;`
93	`bool have_san_dns = false;`
94	`STACK_OF(GENERAL_NAME) *san;`
95	`const GENERAL_NAME *nval;`
96	`const unsigned char *data;`
97	`unsigned char ipv6_addr[16];`
98	`unsigned char ipv4_addr[4];`
99	`int ipv6_ok;`
100	`int ipv4_ok;`
101
102	`#ifdef WIN32`
103	`ipv6_ok = InetPton(AF_INET6, hostname, &ipv6_addr);`
104	`ipv4_ok = InetPton(AF_INET, hostname, &ipv4_addr);`
105	`#else`
106	`ipv6_ok = inet_pton(AF_INET6, hostname, &ipv6_addr);`
107	`ipv4_ok = inet_pton(AF_INET, hostname, &ipv4_addr);`
108	`#endif`
109
110	`san = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);`
111	`if(san){`
112	`for(i=0; i<sk_GENERAL_NAME_num(san); i++){`
113	`nval = sk_GENERAL_NAME_value(san, i);`
114	`if(nval->type == GEN_DNS){`
115	`data = ASN1_STRING_data(nval->d.dNSName);`
116	`if(data && !strcasecmp((char *)data, hostname)){`
117	`return 1;`
118	`}`
119	`have_san_dns = true;`
120	`}else if(nval->type == GEN_IPADD){`
121	`data = ASN1_STRING_data(nval->d.iPAddress);`
122	`if(nval->d.iPAddress->length == 4 && ipv4_ok){`
123	`if(!memcmp(ipv4_addr, data, 4)){`
124	`return 1;`
125	`}`
126	`}else if(nval->d.iPAddress->length == 16 && ipv6_ok){`
127	`if(!memcmp(ipv6_addr, data, 16)){`
128	`return 1;`
129	`}`
130	`}`
131	`}`
132	`}`
133	`if(have_san_dns){`
134	`/* Only check CN if subjectAltName DNS entry does not exist. */`
135	`return 0;`
136	`}`
137	`}`
138	`subj = X509_get_subject_name(cert);`
139	`if(X509_NAME_get_text_by_NID(subj, NID_commonName, name, sizeof(name)) > 0){`
140	`name[sizeof(name) - 1] = '\0';`
141	`if (!strcasecmp(name, hostname)) return 1;`
142	`}`
143	`return 0;`
144	`}`
145
146	`#endif`
147