
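--- a/ssl_engine_init.c
+++ b/ssl_engine_init.c
@@ -847,6 +847,9 @@
         }
     }
 
+#ifdef HAVE_SSL_X509V3_EXT_d2i
+    SSL_X509_check_hostname(s, cert);
+#else
     if (SSL_X509_getCN(ptemp, cert, &cn)) {
         int fnm_flags = APR_FNM_PERIOD|APR_FNM_CASE_BLIND;
 
@@ -866,6 +869,7 @@
                          ssl_asn1_keystr(type), cn);
         }
     }
+#endif
 }
 
 static void ssl_init_server_certs(server_rec *s,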
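Review bot: The return value of the new `SSL_X509_check_hostname(s, cert);` call is discarded, so a hostname mismatch has no effect beyond whatever the callee logs; that matches the warn-only behaviour of the `SSL_X509_getCN` branch it replaces, but the intent is not visible here and deserves a comment such as `/* warn-only: a mismatch is logged by SSL_X509_check_hostname, startup continues */`. If `cn` and `ptemp` are declared earlier in this function (their declarations are outside the hunk), they are now referenced only under `#else` and will likely draw unused-variable warnings when HAVE_SSL_X509V3_EXT_d2i is defined. The enclosing function begins before the first hunk.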
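--- a/ssl_util_ssl.c
+++ b/ssl_util_ssl.c
@@ -354,6 +354,108 @@
 #endif
 }
 
+#ifdef HAVE_SSL_X509V3_EXT_d2i
+
+static BOOL host_match(server_rec *s, unsigned char *str, BOOL verbose)
+{
+    int fnm_flags = APR_FNM_PERIOD|APR_FNM_CASE_BLIND;
+    BOOL iswild;
+    const char *wildstr;
+    iswild = apr_fnmatch_test(str);
+    if (iswild == TRUE) {
+        if (apr_fnmatch(str, s->server_hostname, fnm_flags) != APR_FNM_NOMATCH)
+            return TRUE;
+    } else {
+        if (strEQ(s->server_hostname, str))
+            return TRUE;
+    }
+    if (verbose) {
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                     "    server certificate %sname `%s' does NOT match.",
+                     iswild ? "wildcard ": "", str);
+    }
+    return FALSE;
+}
+
+/* Check hostname against certificate */
+BOOL hostname_check(server_rec *s, X509 *xs, BOOL verbose)
+{
+    X509_NAME *xsn;
+    ASN1_STRING *cn;
+    int i;
+    /* If we have a subject alternate name extension use it for matching
+     */
+    GENERAL_NAMES *alt = NULL;
+    alt = X509_get_ext_d2i(xs, NID_subject_alt_name, NULL, NULL);
+
+    if (alt) {
+        GENERAL_NAME *an;
+        for (i = 0; i < sk_GENERAL_NAME_num(alt); i++) {
+            an = sk_GENERAL_NAME_value(alt, i);
+            if (an->type == GEN_DNS) {
+                /* Note: type is guaranteed to be IA5String */
+                if (host_match(s, ASN1_STRING_data(an->d.dNSName), verbose)) {
+                    GENERAL_NAMES_free(alt);
+                    return TRUE;
+                }
+            }
+        }
+        GENERAL_NAMES_free(alt);
+        if (verbose == FALSE) {
+            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                         "server certificate SubjectAlternateName "
+                         "does NOT match server name!?");
+        }
+        return FALSE;
+    }
+
+    /* Else try certificate common name */
+
+    xsn = X509_get_subject_name(xs);
+    i = -1;
+    for (;;) {
+        ASN1_STRING *cnstr;
+        int xntype;
+        i = X509_NAME_get_index_by_NID(xsn, NID_commonName, i);
+        if (i == -1)
+            break;
+        cnstr = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(xsn, i));
+        xntype = ASN1_STRING_type(cnstr);
+        if (xntype == V_ASN1_BMPSTRING || xntype == V_ASN1_UNIVERSALSTRING) {
+            unsigned char *u8str;
+            BOOL have_match;
+            if (ASN1_STRING_to_UTF8(&u8str, cnstr) > 0) {
+                have_match =  host_match(s, u8str, verbose);
+                OPENSSL_free(u8str);
+                if (have_match == TRUE)
+                    return TRUE;
+            }
+        } else {
+            if (host_match(s, ASN1_STRING_data(cnstr), verbose) == TRUE)
+                return TRUE;
+        }
+        
+    }
+    if (verbose == FALSE) {
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                     "server certificate CommonName (CN) "
+                     "does NOT match server name!?");
+    }
+    return FALSE;
+}
+
+BOOL SSL_X509_check_hostname(server_rec *s, X509 *xs)
+{
+    /* If hostname mismatch rerun check printing out each comparison */
+    if (hostname_check(s, xs, FALSE) == FALSE) {
+        hostname_check(s, xs, TRUE);
+        return FALSE;
+    }
+    return TRUE;
+}
+
+#else 
+
 /* retrieve subject CommonName of certificate */
 BOOL SSL_X509_getCN(apr_pool_t *p, X509 *xs, char **cppCN)
 {
@@ -382,6 +484,8 @@
     return FALSE;
 }
 
+#endif
+
 /*  _________________________________________________________________
 **
 **  Low-Level CA Certificate Loading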
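Review bot: `host_match` treats `str` as a NUL-terminated C string (`apr_fnmatch_test`, `apr_fnmatch`, `strEQ`), but both callers in `hostname_check` pass raw `ASN1_STRING_data()` whose true length is `ASN1_STRING_length()`, so a name with an embedded NUL is compared only up to that byte and the discrepancy goes unnoticed. Pass the length alongside the pointer and reject any string whose `strlen` disagrees with it, as sketched below, with the dNSName site passing `ASN1_STRING_length(an->d.dNSName)`, the BMP/Universal branch passing the length returned by `ASN1_STRING_to_UTF8`, and the final branch passing `ASN1_STRING_length(cnstr)`. While there, `hostname_check` is not declared in ssl_util_ssl.h and should be `static`, and `wildstr` in `host_match` and `cn` in `hostname_check` are declared but never used. Note also that once a subjectAltName extension is present the function returns FALSE without ever consulting the CommonName, even when the extension contains no GEN_DNS entries; if that is intended, a comment at the `return FALSE;` after `GENERAL_NAMES_free(alt)` should say so.
```c
static BOOL host_match(server_rec *s, unsigned char *str, int len, BOOL verbose)
{
    int fnm_flags = APR_FNM_PERIOD|APR_FNM_CASE_BLIND;
    BOOL iswild;
    /* An embedded NUL would make the C-string comparisons below see
     * only a prefix of the certificate name; treat it as a mismatch. */
    if (len < 0 || strlen((const char *)str) != (size_t)len) {
        return FALSE;
    }
    iswild = apr_fnmatch_test((const char *)str);
    /* … unchanged: wildcard / exact comparison and verbose warning … */
}
```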
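--- a/ssl_util_ssl.h
+++ b/ssl_util_ssl.h
@@ -85,7 +85,11 @@
 char       *SSL_make_ciphersuite(apr_pool_t *, SSL *);
 BOOL        SSL_X509_isSGC(X509 *);
 BOOL        SSL_X509_getBC(X509 *, int *, int *);
+#ifdef HAVE_SSL_X509V3_EXT_d2i
+BOOL        SSL_X509_check_hostname(server_rec *s, X509 *xs);
+#else
 BOOL        SSL_X509_getCN(apr_pool_t *, X509 *, char **);
+#endif
 BOOL        SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
 BOOL        SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
 int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);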
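Review bot: The new prototype names its parameters (`server_rec *s, X509 *xs`) while every neighbouring declaration in this header omits them; for consistency write `BOOL        SSL_X509_check_hostname(server_rec *, X509 *);`. The declaration also makes this header depend on `server_rec`, which none of the surrounding prototypes do — if httpd.h is not already included above (outside the hunk), the header no longer stands alone and an include or forward declaration is needed.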
