ASF Bugzilla – Attachment 35387 Details for
Bug 61574
mod_ssl RFC: change uniqueness logic for SSLCADNRequest*
[patch]
PoC using non-canonical name comparison in SSLCARequestDN*
ap_sslnames-2.patch (text/plain), 7.57 KB, created by
Joe Orton
on 2017-09-29 08:55:36 UTC
Description:
PoC using non-canonical name comparison in SSLCARequestDN*
Filename:
MIME Type:
Creator:
Joe Orton
Created:
2017-09-29 08:55:36 UTC
Size:
7.57 KB
patch
obsolete
>Index: modules/ssl/ssl_engine_init.c
>===================================================================
>--- modules/ssl/ssl_engine_init.c (revision 1810061)
>+++ modules/ssl/ssl_engine_init.c (working copy)
>@@ -33,8 +33,18 @@
> #include "mod_md.h"
>
> static apr_status_t ssl_init_ca_cert_path(server_rec *, apr_pool_t *, const char *,
>- STACK_OF(X509_NAME) *, STACK_OF(X509_INFO) *);
>+ STACK_OF(X509_NAME) *, STACK_OF(X509_INFO) *,
>+ int nocanon);
>
>+/* Returns a stack of X509_NAMEs corresponding to the subject names of
>+ * every cert found from in either or both of PEM file 'file' or
>+ * directory of PEM files, 'dir'. The set of names returned are
>+ * unique, with comparison after canonicalization if nocanon is zero,
>+ * or using a bitwise comparison otherwise. */
>+static STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, apr_pool_t *p,
>+ const char *file, const char *dir,
>+ int nocanon);
>+
> APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
> (server_rec *s,apr_pool_t *p,int is_proxy,SSL_CTX *ctx),
> (s,p,is_proxy,ctx), OK, DECLINED)
>@@ -868,11 +878,13 @@
> if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path)) {
> ca_list = ssl_init_FindCAList(s, ptemp,
> mctx->pks->ca_name_file,
>- mctx->pks->ca_name_path);
>+ mctx->pks->ca_name_path,
>+ 1 /* no canonicalization */);
> } else
> ca_list = ssl_init_FindCAList(s, ptemp,
> mctx->auth.ca_cert_file,
>- mctx->auth.ca_cert_path);
>+ mctx->auth.ca_cert_path,
>+ 0 /* with canonicalization */);
> if (sk_X509_NAME_num(ca_list) <= 0) {
> ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01896)
> "Unable to determine list of acceptable "
>@@ -1504,7 +1516,7 @@
> }
>
> if (pkp->cert_path) {
>- ssl_init_ca_cert_path(s, ptemp, pkp->cert_path, NULL, sk);
>+ ssl_init_ca_cert_path(s, ptemp, pkp->cert_path, NULL, sk, 0);
> }
>
> if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
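Review bot: The new comment above the `ssl_init_FindCAList()` forward declaration in the `@@ -33,8 +33,18 @@` hunk refers to the parameters as 'file' and 'dir', matching the prototype, but the definition (hunk `@@ -2093,7 +2165,8 @@`) names them `ca_file` and `ca_path`; use one pair in both places so the comment stays searchable. The phrase "every cert found from in either or both of" reads as an unfinished edit; suggest `* every certificate found in PEM file 'ca_file' and/or in the directory of PEM files 'ca_path'.`. Since the comment already states the set is unique, it would help to spell out the consequence that matters for this RFC, roughly `* Names that compare equal under the chosen comparison are collapsed to one entry.`, so a reader sees why the bitwise mode exists.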
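Review bot: In the `@@ -868,11 +878,13 @@` hunk the new trailing arguments `1 /* no canonicalization */` and `0 /* with canonicalization */` are bare flag literals, and the same `int nocanon` flag is passed as an uncommented `0` in the `@@ -1504,7 +1516,7 @@` hunk and threaded through `ssl_init_PushCAList()` and `ssl_init_ca_cert_path()` further down. A named pair next to the forward declarations (constructed example: `enum { SSL_CANAME_CANONICAL = 0, SSL_CANAME_BITWISE = 1 };`) would make every call site self-describing without the inline comments. The `} else` branch is left unbraced while the `if` branch is braced; the hunk already rewrites both call sites, so it is a cheap moment to brace them consistently.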
>@@ -2016,16 +2028,75 @@
> return(X509_NAME_cmp(*a, *b));
> }
>
>+static int ssl_init_FindCAList_X509BitNameCmp(const X509_NAME * const *a,
>+ const X509_NAME * const *b)
>+{
>+ unsigned char *xa = NULL, *xb = NULL;
>+ int lena, lenb, rv;
>+
>+ /* X509_NAME_cmp() itself casts away constness in this way, so
>+ * assume it's safe: */
>+ lena = i2d_X509_NAME((X509_NAME *)*a, &xa);
>+ lenb = i2d_X509_NAME((X509_NAME *)*b, &xb);
>+
>+ if (lena < 0 || lenb < 0)
>+ rv = -2;
>+ else if (lena != lenb)
>+ rv = lena - lenb;
>+ else /* lena == lenb */
>+ rv = memcmp(xa, xb, lena);
>+
>+ OPENSSL_free(xa);
>+ OPENSSL_free(xb);
>+
>+ return rv;
>+}
>+
>+static STACK_OF(X509_NAME) *load_x509_names(const char *file)
>+{
>+ BIO *bio;
>+ X509 *x509;
>+ STACK_OF(X509_NAME) *sk = sk_X509_NAME_new_null();
>+
>+ if ((bio = BIO_new(BIO_s_file())) == NULL)
>+ return sk;
>+ if (BIO_read_filename(bio, file) <= 0) {
>+ BIO_free(bio);
>+ ERR_clear_error();
>+ return sk;
>+ }
>+
>+ while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
>+ X509_NAME *name = X509_get_subject_name(x509);
>+
>+ sk_X509_NAME_push(sk, X509_NAME_dup(name));
>+
>+ X509_free(x509);
>+ }
>+
>+ ERR_clear_error();
>+ BIO_free(bio);
>+
>+ return sk;
>+}
>+
> static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
> server_rec *s, apr_pool_t *ptemp,
>- const char *file, int nocanon)
>+ const char *file, int nocanon)
> {
> int n;
> STACK_OF(X509_NAME) *sk;
>
>- sk = (STACK_OF(X509_NAME) *)
>- SSL_load_client_CA_file(file);
>-
>+ if (nocanon) {
>+ /* SSL_load_client_CA_file() uses X509_NAME_cmp() internally
>+ * with canonical name comparison; to avoid that use a simpler
>+ * replacement for that function. */
>+ sk = load_x509_names(file);
>+ }
>+ else {
>+ sk = SSL_load_client_CA_file(file);
>+ }
>+
> if (!sk) {
> return;
> }
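Review bot: `load_x509_names()` pushes unchecked pointers: `sk_X509_NAME_new_null()` may return NULL and the loop would then call `sk_X509_NAME_push()` on a NULL stack, and `X509_NAME_dup()` may return NULL, which goes into the stack as an entry and is later dereferenced by whichever comparator `ssl_init_FindCAList()` installed. The return value of `sk_X509_NAME_push()` is also dropped, so an allocation failure silently yields a shorter CA name list than the file contains, which for a client-CA advertisement is the kind of partial result the EMERG check in `ssl_init_FindCAList()` is meant to catch; returning NULL on any failure lets the existing `if (!sk)` in `ssl_init_PushCAList()` handle it. In `ssl_init_FindCAList_X509BitNameCmp()`, `memcmp(xa, xb, lena)` passes an `int` where `size_t` is expected; it is non-negative on that branch, so `(size_t)lena` is enough, and the `-2` on an `i2d_X509_NAME()` failure mirrors `X509_NAME_cmp()` but is not a consistent ordering for a sorted stack, so at least a comment noting that a failed encoding makes duplicate detection unreliable belongs there.

```c
static STACK_OF(X509_NAME) *load_x509_names(const char *file)
{
    BIO *bio;
    X509 *x509;
    STACK_OF(X509_NAME) *sk = sk_X509_NAME_new_null();

    /* NULL here is handled by the caller exactly like a failed
     * SSL_load_client_CA_file(). */
    if (sk == NULL)
        return NULL;
    /* … unchanged: BIO_new() / BIO_read_filename() setup … */

    while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
        X509_NAME *name = X509_NAME_dup(X509_get_subject_name(x509));

        X509_free(x509);
        if (name == NULL || !sk_X509_NAME_push(sk, name)) {
            /* Out of memory: return nothing rather than a partial list. */
            X509_NAME_free(name);
            sk_X509_NAME_pop_free(sk, X509_NAME_free);
            sk = NULL;
            break;
        }
    }
    /* … unchanged: ERR_clear_error(), BIO_free(bio), return sk … */
```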
>@@ -2060,7 +2131,8 @@
> apr_pool_t *ptemp,
> const char *path,
> STACK_OF(X509_NAME) *ca_list,
>- STACK_OF(X509_INFO) *xi_list)
>+ STACK_OF(X509_INFO) *xi_list,
>+ int nocanon)
> {
> apr_dir_t *dir;
> apr_finfo_t direntry;
>@@ -2078,7 +2150,7 @@
> }
> file = apr_pstrcat(ptemp, path, "/", direntry.name, NULL);
> if (ca_list) {
>- ssl_init_PushCAList(ca_list, s, ptemp, file);
>+ ssl_init_PushCAList(ca_list, s, ptemp, file, nocanon);
> }
> if (xi_list) {
> load_x509_info(ptemp, xi_list, file);
>@@ -2093,7 +2165,8 @@
> STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
> apr_pool_t *ptemp,
> const char *ca_file,
>- const char *ca_path)
>+ const char *ca_path,
>+ int nocanon)
> {
> STACK_OF(X509_NAME) *ca_list;
>
>@@ -2101,13 +2174,16 @@
> * Start with a empty stack/list where new
> * entries get added in sorted order.
> */
>- ca_list = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp);
>+ if (nocanon)
>+ ca_list = sk_X509_NAME_new(ssl_init_FindCAList_X509BitNameCmp);
>+ else
>+ ca_list = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp);
>
> /*
> * Process CA certificate bundle file
> */
> if (ca_file) {
>- ssl_init_PushCAList(ca_list, s, ptemp, ca_file);
>+ ssl_init_PushCAList(ca_list, s, ptemp, ca_file, nocanon);
> /*
> * If ca_list is still empty after trying to load ca_file
> * then the file failed to load, and users should hear about that.
>@@ -2124,7 +2200,7 @@
> */
> if (ca_path &&
> ssl_init_ca_cert_path(s, ptemp,
>- ca_path, ca_list, NULL) != APR_SUCCESS) {
>+ ca_path, ca_list, NULL, nocanon) != APR_SUCCESS) {
> ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02211)
> "Failed to open Certificate Path `%s'", ca_path);
> sk_X509_NAME_pop_free(ca_list, X509_NAME_free);
>Index: modules/ssl/ssl_private.h
>===================================================================
>--- modules/ssl/ssl_private.h (revision 1810061)
>+++ modules/ssl/ssl_private.h (working copy)
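Review bot: In the `@@ -2093,7 +2165,8 @@` hunk the definition of `ssl_init_FindCAList()` still opens with `STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,` and no `static`, while the patch makes the forward declaration at the top of the file `static` and deletes the extern prototype from ssl_private.h. C gives the definition the internal linkage of the earlier declaration, so this compiles, but a reader at the definition sees what looks like an exported function; change the line to `static STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,` (the line before the hunk is not visible, so skip this if `static` already sits there). In the `@@ -2101,13 +2174,16 @@` hunk the new `if (nocanon) ... else ...` is unbraced, unlike the `if (ca_file) {` two lines later; bracing it keeps the function's style uniform, and the existing unchecked `sk_X509_NAME_new()` result now has two allocation sites that both flow into `ssl_init_PushCAList()` with a possibly NULL `ca_list`.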
>@@ -876,8 +876,6 @@
> int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog,
> apr_pool_t *ptemp, server_rec *s,
> ap_conf_vector_t *section_config);
>-STACK_OF(X509_NAME)
>- *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
> void ssl_init_Child(apr_pool_t *, server_rec *);
> apr_status_t ssl_init_ModuleKill(void *data);
>