From: Glenn Strauss Date: Fri, 28 Oct 2022 02:26:48 +0000 (-0400) Subject: mbedtls: x509 crt verify SAN iPAddress X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=2a691fc7f2bac365d147beb593be4331f11c5dca;p=openwrt%2Fstaging%2Fjow.git mbedtls: x509 crt verify SAN iPAddress backport from X509 crt verify SAN iPAddress https://github.com/Mbed-TLS/mbedtls/pull/6475 addresses curl built with mbedtls fails on https://1.1.1.1/ (IP address in SubjectAltName) https://github.com/Mbed-TLS/mbedtls/issues/6473 filed for mbedTLS: BADCERT_CN_MISMATCH on https://1.1.1.1 with curl+mbedtls https://github.com/openwrt/packages/issues/19677 Signed-off-by: Glenn Strauss --- diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile index 2ae3fdbe2a..02d076d18f 100644 --- a/package/libs/mbedtls/Makefile +++ b/package/libs/mbedtls/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mbedtls PKG_VERSION:=2.28.2 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz diff --git a/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch b/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch new file mode 100644 index 0000000000..357ec44649 --- /dev/null +++ b/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch @@ -0,0 +1,181 @@ +From 272d48fe7a2ff00285d4ee166d3a9beca1d5122f Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Sun, 23 Oct 2022 19:48:18 -0400 +Subject: [PATCH 1/4] x509 crt verify SAN iPAddress + +Signed-off-by: Glenn Strauss +--- + include/mbedtls/x509_crt.h | 2 +- + library/x509_crt.c | 115 +++++++++++++++++++++++++++++-------- + 2 files changed, 93 insertions(+), 24 deletions(-) + +--- a/include/mbedtls/x509_crt.h ++++ b/include/mbedtls/x509_crt.h +@@ -597,7 +597,7 @@ int mbedtls_x509_crt_verify_info( char * + * \param cn The expected Common Name. This will be checked to be + * present in the certificate's subjectAltNames extension or, + * if this extension is absent, as a CN component in its +- * Subject name. Currently only DNS names are supported. This ++ * Subject name. DNS names and IP addresses are supported. This + * may be \c NULL if the CN need not be verified. + * \param flags The address at which to store the result of the verification. + * If the verification couldn't be completed, the flag value is +--- a/library/x509_crt.c ++++ b/library/x509_crt.c +@@ -2986,6 +2986,54 @@ find_parent: + } + } + ++#ifdef _WIN32 ++/* ??? */ ++#elif defined(__sun) ++/* Solaris requires -lsocket -lnsl for inet_pton() */ ++#elif defined(__has_include) ++#if __has_include() ++#include ++#endif ++#if __has_include() ++#include ++#endif ++#endif ++ ++/* Use whether or not AF_INET6 is defined to indicate whether or not to use ++ * the platform inet_pton() or a local implementation (below). The local ++ * implementation may be used even in cases where the platform provides ++ * inet_pton(), e.g. when there are different includes required and/or the ++ * platform implementation requires dependencies on additional libraries. ++ * Specifically, Windows requires custom includes and additional link ++ * dependencies, and Solaris requires additional link dependencies. ++ * Also, as a coarse heuristic, use the local implementation if the compiler ++ * does not support __has_include(), or if the definition of AF_INET6 is not ++ * provided by headers included (or not) via __has_include() above. */ ++#ifndef AF_INET6 ++ ++#define x509_cn_inet_pton( cn, dst ) ( 0 ) ++ ++#else ++ ++static int x509_inet_pton_ipv6( const char *src, void *dst ) ++{ ++ return( inet_pton( AF_INET6, src, dst ) == 1 ? 0 : -1 ); ++} ++ ++static int x509_inet_pton_ipv4( const char *src, void *dst ) ++{ ++ return( inet_pton( AF_INET, src, dst ) == 1 ? 0 : -1 ); ++} ++ ++#endif /* AF_INET6 */ ++ ++static size_t x509_cn_inet_pton( const char *cn, void *dst ) ++{ ++ return( strchr( cn, ':' ) == NULL ++ ? x509_inet_pton_ipv4( cn, dst ) == 0 ? 4 : 0 ++ : x509_inet_pton_ipv6( cn, dst ) == 0 ? 16 : 0 ); ++} ++ + /* + * Check for CN match + */ +@@ -3008,23 +3056,51 @@ static int x509_crt_check_cn( const mbed + return( -1 ); + } + ++static int x509_crt_check_san_ip( const mbedtls_x509_sequence *san, ++ const char *cn, size_t cn_len ) ++{ ++ uint32_t ip[4]; ++ cn_len = x509_cn_inet_pton( cn, ip ); ++ if( cn_len == 0 ) ++ return( -1 ); ++ ++ for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next ) ++ { ++ const unsigned char san_type = (unsigned char) cur->buf.tag & ++ MBEDTLS_ASN1_TAG_VALUE_MASK; ++ if( san_type == MBEDTLS_X509_SAN_IP_ADDRESS && ++ cur->buf.len == cn_len && memcmp( cur->buf.p, ip, cn_len ) == 0 ) ++ return( 0 ); ++ } ++ ++ return( -1 ); ++} ++ + /* + * Check for SAN match, see RFC 5280 Section 4.2.1.6 + */ +-static int x509_crt_check_san( const mbedtls_x509_buf *name, ++static int x509_crt_check_san( const mbedtls_x509_sequence *san, + const char *cn, size_t cn_len ) + { +- const unsigned char san_type = (unsigned char) name->tag & +- MBEDTLS_ASN1_TAG_VALUE_MASK; +- +- /* dNSName */ +- if( san_type == MBEDTLS_X509_SAN_DNS_NAME ) +- return( x509_crt_check_cn( name, cn, cn_len ) ); +- +- /* (We may handle other types here later.) */ ++ int san_ip = 0; ++ for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next ) ++ { ++ switch( (unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK ) ++ { ++ case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */ ++ if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 ) ++ return( 0 ); ++ break; ++ case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */ ++ san_ip = 1; ++ break; ++ /* (We may handle other types here later.) */ ++ default: /* Unrecognized type */ ++ break; ++ } ++ } + +- /* Unrecognized type */ +- return( -1 ); ++ return( san_ip ? x509_crt_check_san_ip( san, cn, cn_len ) : -1 ); + } + + /* +@@ -3035,19 +3111,12 @@ static void x509_crt_verify_name( const + uint32_t *flags ) + { + const mbedtls_x509_name *name; +- const mbedtls_x509_sequence *cur; + size_t cn_len = strlen( cn ); + + if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME ) + { +- for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next ) +- { +- if( x509_crt_check_san( &cur->buf, cn, cn_len ) == 0 ) +- break; +- } +- +- if( cur == NULL ) +- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; ++ if( x509_crt_check_san( &crt->subject_alt_names, cn, cn_len ) == 0 ) ++ return; + } + else + { +@@ -3056,13 +3125,13 @@ static void x509_crt_verify_name( const + if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 && + x509_crt_check_cn( &name->val, cn, cn_len ) == 0 ) + { +- break; ++ return; + } + } + +- if( name == NULL ) +- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; + } ++ ++ *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; + } + + /*