Bläddra i källkod

[crypto] Remove dynamically-allocated storage for certificate name

iPXE currently allocates a copy the certificate's common name as a
string.  This string is used by the TLS and CMS code to check
certificate names against an expected name, and also appears in
debugging messages.

Provide a function x509_check_name() to centralise certificate name
checking (in preparation for adding subjectAlternativeName support),
and a function x509_name() to provide a name to be used in debugging
messages, and remove the dynamically allocated string.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 10 år sedan
förälder
incheckning
01fa7efa38
6 ändrade filer med 143 tillägg och 108 borttagningar
  1. 2
    3
      src/crypto/cms.c
  2. 46
    43
      src/crypto/ocsp.c
  3. 86
    50
      src/crypto/x509.c
  4. 4
    1
      src/include/ipxe/x509.h
  5. 4
    10
      src/net/tls.c
  6. 1
    1
      src/net/validator.c

+ 2
- 3
src/crypto/cms.c Visa fil

@@ -130,7 +130,7 @@ static int cms_parse_certificates ( struct cms_signature *sig,
130 130
 		}
131 131
 		cert = x509_last ( sig->certificates );
132 132
 		DBGC ( sig, "CMS %p found certificate %s\n",
133
-		       sig, cert->subject.name );
133
+		       sig, x509_name ( cert ) );
134 134
 
135 135
 		/* Move to next certificate */
136 136
 		asn1_skip_any ( &cursor );
@@ -680,8 +680,7 @@ int cms_verify ( struct cms_signature *sig, userptr_t data, size_t len,
680 680
 	/* Verify using all signerInfos */
681 681
 	list_for_each_entry ( info, &sig->info, list ) {
682 682
 		cert = x509_first ( info->chain );
683
-		if ( name && ( ( cert->subject.name == NULL ) ||
684
-			       ( strcmp ( cert->subject.name, name ) != 0 ) ) )
683
+		if ( name && ( x509_check_name ( cert, name ) != 0 ) )
685 684
 			continue;
686 685
 		if ( ( rc = cms_verify_signer_info ( sig, info, data, len,
687 686
 						     time, root ) ) != 0 )

+ 46
- 43
src/crypto/ocsp.c Visa fil

@@ -177,11 +177,11 @@ static int ocsp_request ( struct ocsp_check *ocsp ) {
177 177
 		      asn1_wrap ( builder, ASN1_SEQUENCE ),
178 178
 		      asn1_wrap ( builder, ASN1_SEQUENCE ) ) ) != 0 ) {
179 179
 		DBGC ( ocsp, "OCSP %p \"%s\" could not build request: %s\n",
180
-		       ocsp, ocsp->cert->subject.name, strerror ( rc ) );
180
+		       ocsp, x509_name ( ocsp->cert ), strerror ( rc ) );
181 181
 		return rc;
182 182
 	}
183 183
 	DBGC2 ( ocsp, "OCSP %p \"%s\" request is:\n",
184
-		ocsp, ocsp->cert->subject.name );
184
+		ocsp, x509_name ( ocsp->cert ) );
185 185
 	DBGC2_HDA ( ocsp, 0, builder->data, builder->len );
186 186
 
187 187
 	/* Parse certificate ID for comparison with response */
@@ -192,7 +192,7 @@ static int ocsp_request ( struct ocsp_check *ocsp ) {
192 192
 		      asn1_enter ( cert_id, ASN1_SEQUENCE ),
193 193
 		      asn1_enter ( cert_id, ASN1_SEQUENCE ) ) ) != 0 ) {
194 194
 		DBGC ( ocsp, "OCSP %p \"%s\" could not locate certID: %s\n",
195
-		       ocsp, ocsp->cert->subject.name, strerror ( rc ) );
195
+		       ocsp, x509_name ( ocsp->cert ), strerror ( rc ) );
196 196
 		return rc;
197 197
 	}
198 198
 
@@ -218,7 +218,7 @@ static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
218 218
 	base_uri_string = ocsp->cert->extensions.auth_info.ocsp.uri;
219 219
 	if ( ! base_uri_string ) {
220 220
 		DBGC ( ocsp, "OCSP %p \"%s\" has no OCSP URI\n",
221
-		       ocsp, ocsp->cert->subject.name );
221
+		       ocsp, x509_name ( ocsp->cert ) );
222 222
 		rc = -ENOTTY;
223 223
 		goto err_no_uri;
224 224
 	}
@@ -250,7 +250,7 @@ static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
250 250
 		goto err_ocsp_uri;
251 251
 	}
252 252
 	DBGC2 ( ocsp, "OCSP %p \"%s\" URI is %s\n",
253
-		ocsp, ocsp->cert->subject.name, ocsp->uri_string );
253
+		ocsp, x509_name ( ocsp->cert ), ocsp->uri_string );
254 254
 
255 255
 	/* Success */
256 256
 	rc = 0;
@@ -327,14 +327,14 @@ static int ocsp_parse_response_status ( struct ocsp_check *ocsp,
327 327
 	memcpy ( &cursor, raw, sizeof ( cursor ) );
328 328
 	if ( ( rc = asn1_enter ( &cursor, ASN1_ENUMERATED ) ) != 0 ) {
329 329
 		DBGC ( ocsp, "OCSP %p \"%s\" could not locate responseStatus: "
330
-		       "%s\n", ocsp, ocsp->cert->subject.name, strerror ( rc ));
330
+		       "%s\n", ocsp, x509_name ( ocsp->cert ), strerror ( rc ));
331 331
 		return rc;
332 332
 	}
333 333
 
334 334
 	/* Extract response status */
335 335
 	if ( cursor.len != sizeof ( status ) ) {
336 336
 		DBGC ( ocsp, "OCSP %p \"%s\" invalid status:\n",
337
-		       ocsp, ocsp->cert->subject.name );
337
+		       ocsp, x509_name ( ocsp->cert ) );
338 338
 		DBGC_HDA ( ocsp, 0, cursor.data, cursor.len );
339 339
 		return -EINVAL;
340 340
 	}
@@ -343,7 +343,7 @@ static int ocsp_parse_response_status ( struct ocsp_check *ocsp,
343 343
 	/* Check response status */
344 344
 	if ( status != OCSP_STATUS_SUCCESSFUL ) {
345 345
 		DBGC ( ocsp, "OCSP %p \"%s\" response status %d\n",
346
-		       ocsp, ocsp->cert->subject.name, status );
346
+		       ocsp, x509_name ( ocsp->cert ), status );
347 347
 		return EPROTO_STATUS ( status );
348 348
 	}
349 349
 
@@ -368,7 +368,7 @@ static int ocsp_parse_response_type ( struct ocsp_check *ocsp,
368 368
 	/* Check responseType is "basic" */
369 369
 	if ( asn1_compare ( &oid_basic_response_type_cursor, &cursor ) != 0 ) {
370 370
 		DBGC ( ocsp, "OCSP %p \"%s\" response type not supported:\n",
371
-		       ocsp, ocsp->cert->subject.name );
371
+		       ocsp, x509_name ( ocsp->cert ) );
372 372
 		DBGC_HDA ( ocsp, 0, cursor.data, cursor.len );
373 373
 		return -ENOTSUP_RESPONSE_TYPE;
374 374
 	}
@@ -443,17 +443,17 @@ static int ocsp_parse_responder_id ( struct ocsp_check *ocsp,
443 443
 	switch ( type ) {
444 444
 	case ASN1_EXPLICIT_TAG ( 1 ) :
445 445
 		DBGC2 ( ocsp, "OCSP %p \"%s\" responder identified by name\n",
446
-			ocsp, ocsp->cert->subject.name );
446
+			ocsp, x509_name ( ocsp->cert ) );
447 447
 		responder->compare = ocsp_compare_responder_name;
448 448
 		return 0;
449 449
 	case ASN1_EXPLICIT_TAG ( 2 ) :
450 450
 		DBGC2 ( ocsp, "OCSP %p \"%s\" responder identified by key "
451
-			"hash\n", ocsp, ocsp->cert->subject.name );
451
+			"hash\n", ocsp, x509_name ( ocsp->cert ) );
452 452
 		responder->compare = ocsp_compare_responder_key_hash;
453 453
 		return 0;
454 454
 	default:
455 455
 		DBGC ( ocsp, "OCSP %p \"%s\" unsupported responder ID type "
456
-		       "%d\n", ocsp, ocsp->cert->subject.name, type );
456
+		       "%d\n", ocsp, x509_name ( ocsp->cert ), type );
457 457
 		return -ENOTSUP_RESPONDER_ID;
458 458
 	}
459 459
 }
@@ -474,7 +474,7 @@ static int ocsp_parse_cert_id ( struct ocsp_check *ocsp,
474 474
 	asn1_shrink_any ( &cursor );
475 475
 	if ( asn1_compare ( &cursor, &ocsp->request.cert_id ) != 0 ) {
476 476
 		DBGC ( ocsp, "OCSP %p \"%s\" certID mismatch:\n",
477
-		       ocsp, ocsp->cert->subject.name );
477
+		       ocsp, x509_name ( ocsp->cert ) );
478 478
 		DBGC_HDA ( ocsp, 0, ocsp->request.cert_id.data,
479 479
 			   ocsp->request.cert_id.len );
480 480
 		DBGC_HDA ( ocsp, 0, cursor.data, cursor.len );
@@ -512,7 +512,7 @@ static int ocsp_parse_responses ( struct ocsp_check *ocsp,
512 512
 	/* Check certStatus */
513 513
 	if ( asn1_type ( &cursor ) != ASN1_IMPLICIT_TAG ( 0 ) ) {
514 514
 		DBGC ( ocsp, "OCSP %p \"%s\" non-good certStatus:\n",
515
-		       ocsp, ocsp->cert->subject.name );
515
+		       ocsp, x509_name ( ocsp->cert ) );
516 516
 		DBGC_HDA ( ocsp, 0, cursor.data, cursor.len );
517 517
 		return -EACCES_CERT_STATUS;
518 518
 	}
@@ -522,11 +522,11 @@ static int ocsp_parse_responses ( struct ocsp_check *ocsp,
522 522
 	if ( ( rc = asn1_generalized_time ( &cursor,
523 523
 					    &response->this_update ) ) != 0 ) {
524 524
 		DBGC ( ocsp, "OCSP %p \"%s\" could not parse thisUpdate: %s\n",
525
-		       ocsp, ocsp->cert->subject.name, strerror ( rc ) );
525
+		       ocsp, x509_name ( ocsp->cert ), strerror ( rc ) );
526 526
 		return rc;
527 527
 	}
528 528
 	DBGC2 ( ocsp, "OCSP %p \"%s\" this update was at time %lld\n",
529
-		ocsp, ocsp->cert->subject.name, response->this_update );
529
+		ocsp, x509_name ( ocsp->cert ), response->this_update );
530 530
 	asn1_skip_any ( &cursor );
531 531
 
532 532
 	/* Parse nextUpdate, if present */
@@ -536,11 +536,11 @@ static int ocsp_parse_responses ( struct ocsp_check *ocsp,
536 536
 					     &response->next_update ) ) != 0 ) {
537 537
 			DBGC ( ocsp, "OCSP %p \"%s\" could not parse "
538 538
 			       "nextUpdate: %s\n", ocsp,
539
-			       ocsp->cert->subject.name, strerror ( rc ) );
539
+			       x509_name ( ocsp->cert ), strerror ( rc ) );
540 540
 			return rc;
541 541
 		}
542 542
 		DBGC2 ( ocsp, "OCSP %p \"%s\" next update is at time %lld\n",
543
-			ocsp, ocsp->cert->subject.name, response->next_update );
543
+			ocsp, x509_name ( ocsp->cert ), response->next_update );
544 544
 	} else {
545 545
 		/* If no nextUpdate is present, this indicates that
546 546
 		 * "newer revocation information is available all the
@@ -550,7 +550,7 @@ static int ocsp_parse_responses ( struct ocsp_check *ocsp,
550 550
 		 * time and it would still be valid.
551 551
 		 */
552 552
 		DBGC ( ocsp, "OCSP %p \"%s\" responder is a moron\n",
553
-		       ocsp, ocsp->cert->subject.name );
553
+		       ocsp, x509_name ( ocsp->cert ) );
554 554
 		response->next_update = time ( NULL );
555 555
 	}
556 556
 
@@ -630,7 +630,7 @@ static int ocsp_parse_certs ( struct ocsp_check *ocsp,
630 630
 					       &cert ) ) != 0 ) {
631 631
 			DBGC ( ocsp, "OCSP %p \"%s\" could not parse "
632 632
 			       "certificate: %s\n", ocsp,
633
-			       ocsp->cert->subject.name, strerror ( rc ) );
633
+			       x509_name ( ocsp->cert ), strerror ( rc ) );
634 634
 			DBGC_HDA ( ocsp, 0, cursor.data, cursor.len );
635 635
 			return rc;
636 636
 		}
@@ -638,9 +638,10 @@ static int ocsp_parse_certs ( struct ocsp_check *ocsp,
638 638
 		/* Use if this certificate matches the responder ID */
639 639
 		if ( response->responder.compare ( ocsp, cert ) == 0 ) {
640 640
 			response->signer = cert;
641
-			DBGC2 ( ocsp, "OCSP %p \"%s\" response is signed by "
642
-				"\"%s\"\n", ocsp, ocsp->cert->subject.name,
643
-				response->signer->subject.name );
641
+			DBGC2 ( ocsp, "OCSP %p \"%s\" response is signed by ",
642
+				ocsp, x509_name ( ocsp->cert ) );
643
+			DBGC2 ( ocsp, "\"%s\"\n",
644
+				x509_name ( response->signer ) );
644 645
 			return 0;
645 646
 		}
646 647
 
@@ -650,7 +651,7 @@ static int ocsp_parse_certs ( struct ocsp_check *ocsp,
650 651
 	}
651 652
 
652 653
 	DBGC ( ocsp, "OCSP %p \"%s\" missing responder certificate\n",
653
-	       ocsp, ocsp->cert->subject.name );
654
+	       ocsp, x509_name ( ocsp->cert ) );
654 655
 	return -EACCES_NO_RESPONDER;
655 656
 }
656 657
 
@@ -682,17 +683,17 @@ static int ocsp_parse_basic_response ( struct ocsp_check *ocsp,
682 683
 	if ( ( rc = asn1_signature_algorithm ( &cursor, algorithm ) ) != 0 ) {
683 684
 		DBGC ( ocsp, "OCSP %p \"%s\" cannot parse signature "
684 685
 		       "algorithm: %s\n",
685
-		       ocsp, ocsp->cert->subject.name, strerror ( rc ) );
686
+		       ocsp, x509_name ( ocsp->cert ), strerror ( rc ) );
686 687
 		return rc;
687 688
 	}
688 689
 	DBGC2 ( ocsp, "OCSP %p \"%s\" signature algorithm is %s\n",
689
-		ocsp, ocsp->cert->subject.name, (*algorithm)->name );
690
+		ocsp, x509_name ( ocsp->cert ), (*algorithm)->name );
690 691
 	asn1_skip_any ( &cursor );
691 692
 
692 693
 	/* Parse signature */
693 694
 	if ( ( rc = asn1_integral_bit_string ( &cursor, signature ) ) != 0 ) {
694 695
 		DBGC ( ocsp, "OCSP %p \"%s\" cannot parse signature: %s\n",
695
-		       ocsp, ocsp->cert->subject.name, strerror ( rc ) );
696
+		       ocsp, x509_name ( ocsp->cert ), strerror ( rc ) );
696 697
 		return rc;
697 698
 	}
698 699
 	asn1_skip_any ( &cursor );
@@ -836,7 +837,7 @@ static int ocsp_check_signature ( struct ocsp_check *ocsp,
836 837
 	if ( ( rc = pubkey_init ( pubkey, pubkey_ctx, public_key->raw.data,
837 838
 				  public_key->raw.len ) ) != 0 ) {
838 839
 		DBGC ( ocsp, "OCSP %p \"%s\" could not initialise public key: "
839
-		       "%s\n", ocsp, ocsp->cert->subject.name, strerror ( rc ));
840
+		       "%s\n", ocsp, x509_name ( ocsp->cert ), strerror ( rc ));
840 841
 		goto err_init;
841 842
 	}
842 843
 
@@ -845,12 +846,12 @@ static int ocsp_check_signature ( struct ocsp_check *ocsp,
845 846
 				    response->signature.data,
846 847
 				    response->signature.len ) ) != 0 ) {
847 848
 		DBGC ( ocsp, "OCSP %p \"%s\" signature verification failed: "
848
-		       "%s\n", ocsp, ocsp->cert->subject.name, strerror ( rc ));
849
+		       "%s\n", ocsp, x509_name ( ocsp->cert ), strerror ( rc ));
849 850
 		goto err_verify;
850 851
 	}
851 852
 
852 853
 	DBGC2 ( ocsp, "OCSP %p \"%s\" signature is correct\n",
853
-		ocsp, ocsp->cert->subject.name );
854
+		ocsp, x509_name ( ocsp->cert ) );
854 855
 
855 856
  err_verify:
856 857
 	pubkey_final ( pubkey, pubkey_ctx );
@@ -892,10 +893,10 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
892 893
 		x509_invalidate ( signer );
893 894
 		if ( ( rc = x509_validate ( signer, ocsp->issuer, time,
894 895
 					    &ocsp_root ) ) != 0 ) {
895
-			DBGC ( ocsp, "OCSP %p \"%s\" could not validate "
896
-			       "signer \"%s\": %s\n", ocsp,
897
-			       ocsp->cert->subject.name, signer->subject.name,
898
-			       strerror ( rc ) );
896
+			DBGC ( ocsp, "OCSP %p \"%s\" could not validate ",
897
+			       ocsp, x509_name ( ocsp->cert ) );
898
+			DBGC ( ocsp, "signer \"%s\": %s\n",
899
+			       x509_name ( signer ), strerror ( rc ) );
899 900
 			return rc;
900 901
 		}
901 902
 
@@ -904,9 +905,10 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
904 905
 		 */
905 906
 		if ( ! ( signer->extensions.ext_usage.bits &
906 907
 			 X509_OCSP_SIGNING ) ) {
907
-			DBGC ( ocsp, "OCSP %p \"%s\" signer \"%s\" is "
908
-			       "not an OCSP-signing certificate\n", ocsp,
909
-			       ocsp->cert->subject.name, signer->subject.name );
908
+			DBGC ( ocsp, "OCSP %p \"%s\" ",
909
+			       ocsp, x509_name ( ocsp->cert ) );
910
+			DBGC ( ocsp, "signer \"%s\" is not an OCSP-signing "
911
+			       "certificate\n", x509_name ( signer ) );
910 912
 			return -EACCES_NON_OCSP_SIGNING;
911 913
 		}
912 914
 	}
@@ -920,16 +922,16 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
920 922
 	 */
921 923
 	if ( response->this_update > ( time + X509_ERROR_MARGIN_TIME ) ) {
922 924
 		DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
923
-		       "time %lld)\n", ocsp, ocsp->cert->subject.name, time );
925
+		       "time %lld)\n", ocsp, x509_name ( ocsp->cert ), time );
924 926
 		return -EACCES_STALE;
925 927
 	}
926 928
 	if ( response->next_update < ( time - X509_ERROR_MARGIN_TIME ) ) {
927 929
 		DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
928
-		       "%lld)\n", ocsp, ocsp->cert->subject.name, time );
930
+		       "%lld)\n", ocsp, x509_name ( ocsp->cert ), time );
929 931
 		return -EACCES_STALE;
930 932
 	}
931 933
 	DBGC2 ( ocsp, "OCSP %p \"%s\" response is valid (at time %lld)\n",
932
-		ocsp, ocsp->cert->subject.name, time );
934
+		ocsp, x509_name ( ocsp->cert ), time );
933 935
 
934 936
 	/* Mark certificate as passing OCSP verification */
935 937
 	ocsp->cert->extensions.auth_info.ocsp.good = 1;
@@ -938,11 +940,12 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
938 940
 	if ( ( rc = x509_validate ( ocsp->cert, ocsp->issuer, time,
939 941
 				    &ocsp_root ) ) != 0 ) {
940 942
 		DBGC ( ocsp, "OCSP %p \"%s\" could not validate certificate: "
941
-		       "%s\n", ocsp, ocsp->cert->subject.name, strerror ( rc ));
943
+		       "%s\n", ocsp, x509_name ( ocsp->cert ), strerror ( rc ));
942 944
 		return rc;
943 945
 	}
944
-	DBGC ( ocsp, "OCSP %p \"%s\" successfully validated using \"%s\"\n",
945
-	       ocsp, ocsp->cert->subject.name, signer->subject.name );
946
+	DBGC ( ocsp, "OCSP %p \"%s\" successfully validated ",
947
+	       ocsp, x509_name ( ocsp->cert ) );
948
+	DBGC ( ocsp, "using \"%s\"\n", x509_name ( signer ) );
946 949
 
947 950
 	return 0;
948 951
 }

+ 86
- 50
src/crypto/x509.c Visa fil

@@ -103,10 +103,33 @@ FILE_LICENCE ( GPL2_OR_LATER );
103 103
 	__einfo_error ( EINFO_EACCES_OCSP_REQUIRED )
104 104
 #define EINFO_EACCES_OCSP_REQUIRED \
105 105
 	__einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )
106
+#define EACCES_WRONG_NAME \
107
+	__einfo_error ( EINFO_EACCES_WRONG_NAME )
108
+#define EINFO_EACCES_WRONG_NAME \
109
+	__einfo_uniqify ( EINFO_EACCES, 0x0a, "Incorrect certificate name" )
106 110
 
107 111
 /** Certificate cache */
108 112
 static LIST_HEAD ( x509_cache );
109 113
 
114
+/**
115
+ * Get X.509 certificate name (for debugging)
116
+ *
117
+ * @v cert		X.509 certificate
118
+ * @ret name		Name (for debugging)
119
+ */
120
+const char * x509_name ( struct x509_certificate *cert ) {
121
+	struct asn1_cursor *common_name = &cert->subject.common_name;
122
+	static char buf[64];
123
+	size_t len;
124
+
125
+	len = common_name->len;
126
+	if ( len > ( sizeof ( buf ) - 1 /* NUL */ ) )
127
+		len = ( sizeof ( buf ) - 1 /* NUL */ );
128
+	memcpy ( buf, common_name->data, len );
129
+	buf[len] = '\0';
130
+	return buf;
131
+}
132
+
110 133
 /**
111 134
  * Free X.509 certificate
112 135
  *
@@ -117,7 +140,6 @@ static void x509_free ( struct refcnt *refcnt ) {
117 140
 		container_of ( refcnt, struct x509_certificate, refcnt );
118 141
 
119 142
 	DBGC2 ( cert, "X509 %p freed\n", cert );
120
-	free ( cert->subject.name );
121 143
 	free ( cert->extensions.auth_info.ocsp.uri );
122 144
 	free ( cert );
123 145
 }
@@ -292,11 +314,10 @@ static int x509_parse_validity ( struct x509_certificate *cert,
292 314
  * Parse X.509 certificate common name
293 315
  *
294 316
  * @v cert		X.509 certificate
295
- * @v name		Common name to fill in
296 317
  * @v raw		ASN.1 cursor
297 318
  * @ret rc		Return status code
298 319
  */
299
-static int x509_parse_common_name ( struct x509_certificate *cert, char **name,
320
+static int x509_parse_common_name ( struct x509_certificate *cert,
300 321
 				    const struct asn1_cursor *raw ) {
301 322
 	struct asn1_cursor cursor;
302 323
 	struct asn1_cursor oid_cursor;
@@ -325,19 +346,9 @@ static int x509_parse_common_name ( struct x509_certificate *cert, char **name,
325 346
 			return rc;
326 347
 		}
327 348
 
328
-		/* Allocate and copy name */
329
-		*name = zalloc ( name_cursor.len + 1 /* NUL */ );
330
-		if ( ! *name )
331
-			return -ENOMEM;
332
-		memcpy ( *name, name_cursor.data, name_cursor.len );
333
-
334
-		/* Check that name contains no NULs */
335
-		if ( strlen ( *name ) != name_cursor.len ) {
336
-			DBGC ( cert, "X509 %p contains malicious commonName:\n",
337
-			       cert );
338
-			DBGC_HDA ( cert, 0, raw->data, raw->len );
339
-			return rc;
340
-		}
349
+		/* Record common name */
350
+		memcpy ( &cert->subject.common_name, &name_cursor,
351
+			 sizeof ( cert->subject.common_name ) );
341 352
 
342 353
 		return 0;
343 354
 	}
@@ -357,7 +368,6 @@ static int x509_parse_common_name ( struct x509_certificate *cert, char **name,
357 368
 static int x509_parse_subject ( struct x509_certificate *cert,
358 369
 				const struct asn1_cursor *raw ) {
359 370
 	struct x509_subject *subject = &cert->subject;
360
-	char **name = &subject->name;
361 371
 	int rc;
362 372
 
363 373
 	/* Record raw subject */
@@ -367,9 +377,10 @@ static int x509_parse_subject ( struct x509_certificate *cert,
367 377
 	DBGC2_HDA ( cert, 0, subject->raw.data, subject->raw.len );
368 378
 
369 379
 	/* Parse common name */
370
-	if ( ( rc = x509_parse_common_name ( cert, name, raw ) ) != 0 )
380
+	if ( ( rc = x509_parse_common_name ( cert, raw ) ) != 0 )
371 381
 		return rc;
372
-	DBGC2 ( cert, "X509 %p common name is \"%s\":\n", cert, *name );
382
+	DBGC2 ( cert, "X509 %p common name is \"%s\":\n", cert,
383
+		x509_name ( cert ) );
373 384
 
374 385
 	return 0;
375 386
 }
@@ -1045,7 +1056,7 @@ int x509_certificate ( const void *data, size_t len,
1045 1056
 		if ( asn1_compare ( &cursor, &(*cert)->raw ) == 0 ) {
1046 1057
 
1047 1058
 			DBGC2 ( *cert, "X509 %p \"%s\" cache hit\n",
1048
-				*cert, (*cert)->subject.name );
1059
+				*cert, x509_name ( *cert ) );
1049 1060
 
1050 1061
 			/* Mark as most recently used */
1051 1062
 			list_del ( &(*cert)->list );
@@ -1109,14 +1120,14 @@ static int x509_check_signature ( struct x509_certificate *cert,
1109 1120
 	digest_init ( digest, digest_ctx );
1110 1121
 	digest_update ( digest, digest_ctx, cert->tbs.data, cert->tbs.len );
1111 1122
 	digest_final ( digest, digest_ctx, digest_out );
1112
-	DBGC2 ( cert, "X509 %p \"%s\" digest:\n", cert, cert->subject.name );
1123
+	DBGC2 ( cert, "X509 %p \"%s\" digest:\n", cert, x509_name ( cert ) );
1113 1124
 	DBGC2_HDA ( cert, 0, digest_out, sizeof ( digest_out ) );
1114 1125
 
1115 1126
 	/* Check that signature public key algorithm matches signer */
1116 1127
 	if ( public_key->algorithm->pubkey != pubkey ) {
1117 1128
 		DBGC ( cert, "X509 %p \"%s\" signature algorithm %s does not "
1118 1129
 		       "match signer's algorithm %s\n",
1119
-		       cert, cert->subject.name, algorithm->name,
1130
+		       cert, x509_name ( cert ), algorithm->name,
1120 1131
 		       public_key->algorithm->name );
1121 1132
 		rc = -EINVAL_ALGORITHM_MISMATCH;
1122 1133
 		goto err_mismatch;
@@ -1126,14 +1137,14 @@ static int x509_check_signature ( struct x509_certificate *cert,
1126 1137
 	if ( ( rc = pubkey_init ( pubkey, pubkey_ctx, public_key->raw.data,
1127 1138
 				  public_key->raw.len ) ) != 0 ) {
1128 1139
 		DBGC ( cert, "X509 %p \"%s\" cannot initialise public key: "
1129
-		       "%s\n", cert, cert->subject.name, strerror ( rc ) );
1140
+		       "%s\n", cert, x509_name ( cert ), strerror ( rc ) );
1130 1141
 		goto err_pubkey_init;
1131 1142
 	}
1132 1143
 	if ( ( rc = pubkey_verify ( pubkey, pubkey_ctx, digest, digest_out,
1133 1144
 				    signature->value.data,
1134 1145
 				    signature->value.len ) ) != 0 ) {
1135 1146
 		DBGC ( cert, "X509 %p \"%s\" signature verification failed: "
1136
-		       "%s\n", cert, cert->subject.name, strerror ( rc ) );
1147
+		       "%s\n", cert, x509_name ( cert ), strerror ( rc ) );
1137 1148
 		goto err_pubkey_verify;
1138 1149
 	}
1139 1150
 
@@ -1172,9 +1183,10 @@ int x509_check_issuer ( struct x509_certificate *cert,
1172 1183
 	 * for some enjoyable ranting on this subject.
1173 1184
 	 */
1174 1185
 	if ( asn1_compare ( &cert->issuer.raw, &issuer->subject.raw ) != 0 ) {
1175
-		DBGC ( cert, "X509 %p \"%s\" issuer does not match X509 %p "
1176
-		       "\"%s\" subject\n", cert, cert->subject.name,
1177
-		       issuer, issuer->subject.name );
1186
+		DBGC ( cert, "X509 %p \"%s\" issuer does not match ",
1187
+		       cert, x509_name ( cert ) );
1188
+		DBGC ( cert, "X509 %p \"%s\" subject\n",
1189
+		       issuer, x509_name ( issuer ) );
1178 1190
 		DBGC_HDA ( cert, 0, cert->issuer.raw.data,
1179 1191
 			   cert->issuer.raw.len );
1180 1192
 		DBGC_HDA ( issuer, 0, issuer->subject.raw.data,
@@ -1184,16 +1196,18 @@ int x509_check_issuer ( struct x509_certificate *cert,
1184 1196
 
1185 1197
 	/* Check that issuer is allowed to sign certificates */
1186 1198
 	if ( ! issuer->extensions.basic.ca ) {
1187
-		DBGC ( issuer, "X509 %p \"%s\" cannot sign X509 %p \"%s\": "
1188
-		       "not a CA certificate\n", issuer, issuer->subject.name,
1189
-		       cert, cert->subject.name );
1199
+		DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
1200
+		       issuer, x509_name ( issuer ) );
1201
+		DBGC ( issuer, "X509 %p \"%s\": not a CA certificate\n",
1202
+		       cert, x509_name ( cert ) );
1190 1203
 		return -EACCES_NOT_CA;
1191 1204
 	}
1192 1205
 	if ( issuer->extensions.usage.present &&
1193 1206
 	     ( ! ( issuer->extensions.usage.bits & X509_KEY_CERT_SIGN ) ) ) {
1194
-		DBGC ( issuer, "X509 %p \"%s\" cannot sign X509 %p \"%s\": "
1195
-		       "no keyCertSign usage\n", issuer, issuer->subject.name,
1196
-		       cert, cert->subject.name );
1207
+		DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
1208
+		       issuer, x509_name ( issuer ) );
1209
+		DBGC ( issuer, "X509 %p \"%s\": no keyCertSign usage\n",
1210
+		       cert, x509_name ( cert ) );
1197 1211
 		return -EACCES_KEY_USAGE;
1198 1212
 	}
1199 1213
 
@@ -1243,14 +1257,14 @@ int x509_check_root ( struct x509_certificate *cert, struct x509_root *root ) {
1243 1257
 		if ( memcmp ( fingerprint, root_fingerprint,
1244 1258
 			      sizeof ( fingerprint ) ) == 0 ) {
1245 1259
 			DBGC ( cert, "X509 %p \"%s\" is a root certificate\n",
1246
-			       cert, cert->subject.name );
1260
+			       cert, x509_name ( cert ) );
1247 1261
 			return 0;
1248 1262
 		}
1249 1263
 		root_fingerprint += sizeof ( fingerprint );
1250 1264
 	}
1251 1265
 
1252 1266
 	DBGC2 ( cert, "X509 %p \"%s\" is not a root certificate\n",
1253
-		cert, cert->subject.name );
1267
+		cert, x509_name ( cert ) );
1254 1268
 	return -ENOENT;
1255 1269
 }
1256 1270
 
@@ -1267,17 +1281,17 @@ int x509_check_time ( struct x509_certificate *cert, time_t time ) {
1267 1281
 	/* Check validity period */
1268 1282
 	if ( validity->not_before.time > ( time + X509_ERROR_MARGIN_TIME ) ) {
1269 1283
 		DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
1270
-		       cert, cert->subject.name, time );
1284
+		       cert, x509_name ( cert ), time );
1271 1285
 		return -EACCES_EXPIRED;
1272 1286
 	}
1273 1287
 	if ( validity->not_after.time < ( time - X509_ERROR_MARGIN_TIME ) ) {
1274 1288
 		DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
1275
-		       cert, cert->subject.name, time );
1289
+		       cert, x509_name ( cert ), time );
1276 1290
 		return -EACCES_EXPIRED;
1277 1291
 	}
1278 1292
 
1279 1293
 	DBGC2 ( cert, "X509 %p \"%s\" is valid (at time %lld)\n",
1280
-		cert, cert->subject.name, time );
1294
+		cert, x509_name ( cert ), time );
1281 1295
 	return 0;
1282 1296
 }
1283 1297
 
@@ -1324,15 +1338,15 @@ int x509_validate ( struct x509_certificate *cert,
1324 1338
 	/* Fail unless we have an issuer */
1325 1339
 	if ( ! issuer ) {
1326 1340
 		DBGC2 ( cert, "X509 %p \"%s\" has no issuer\n",
1327
-			cert, cert->subject.name );
1341
+			cert, x509_name ( cert ) );
1328 1342
 		return -EACCES_UNTRUSTED;
1329 1343
 	}
1330 1344
 
1331 1345
 	/* Fail unless issuer has already been validated */
1332 1346
 	if ( ! issuer->valid ) {
1333
-		DBGC ( cert, "X509 %p \"%s\" issuer %p \"%s\" has not yet "
1334
-		       "been validated\n", cert, cert->subject.name,
1335
-		       issuer, issuer->subject.name );
1347
+		DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
1348
+		DBGC ( cert, "issuer %p \"%s\" has not yet been validated\n",
1349
+		       issuer, x509_name ( issuer ) );
1336 1350
 		return -EACCES_OUT_OF_ORDER;
1337 1351
 	}
1338 1352
 
@@ -1342,9 +1356,9 @@ int x509_validate ( struct x509_certificate *cert,
1342 1356
 
1343 1357
 	/* Fail if path length constraint is violated */
1344 1358
 	if ( issuer->path_remaining == 0 ) {
1345
-		DBGC ( cert, "X509 %p \"%s\" issuer %p \"%s\" path length "
1346
-		       "exceeded\n", cert, cert->subject.name,
1347
-		       issuer, issuer->subject.name );
1359
+		DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
1360
+		DBGC ( cert, "issuer %p \"%s\" path length exceeded\n",
1361
+		       issuer, x509_name ( issuer ) );
1348 1362
 		return -EACCES_PATH_LEN;
1349 1363
 	}
1350 1364
 
@@ -1352,7 +1366,7 @@ int x509_validate ( struct x509_certificate *cert,
1352 1366
 	if ( cert->extensions.auth_info.ocsp.uri &&
1353 1367
 	     ( ! cert->extensions.auth_info.ocsp.good ) ) {
1354 1368
 		DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
1355
-		       cert, cert->subject.name );
1369
+		       cert, x509_name ( cert ) );
1356 1370
 		return -EACCES_OCSP_REQUIRED;
1357 1371
 	}
1358 1372
 
@@ -1365,9 +1379,31 @@ int x509_validate ( struct x509_certificate *cert,
1365 1379
 	/* Mark certificate as valid */
1366 1380
 	cert->valid = 1;
1367 1381
 
1368
-	DBGC ( cert, "X509 %p \"%s\" successfully validated using issuer %p "
1369
-	       "\"%s\"\n", cert, cert->subject.name,
1370
-	       issuer, issuer->subject.name );
1382
+	DBGC ( cert, "X509 %p \"%s\" successfully validated using ",
1383
+	       cert, x509_name ( cert ) );
1384
+	DBGC ( cert, "issuer %p \"%s\"\n", issuer, x509_name ( issuer ) );
1385
+	return 0;
1386
+}
1387
+
1388
+/**
1389
+ * Check X.509 certificate name
1390
+ *
1391
+ * @v cert		X.509 certificate
1392
+ * @v name		Name
1393
+ * @ret rc		Return status code
1394
+ */
1395
+int x509_check_name ( struct x509_certificate *cert, const char *name ) {
1396
+	struct asn1_cursor *common_name = &cert->subject.common_name;
1397
+	size_t len = strlen ( name );
1398
+
1399
+	/* Check commonName */
1400
+	if ( ! ( ( len == common_name->len ) &&
1401
+		 ( memcmp ( name, common_name->data, len ) == 0 ) ) ) {
1402
+		DBGC ( cert, "X509 %p \"%s\" does not match name \"%s\"\n",
1403
+		       cert, x509_name ( cert ), name );
1404
+		return -EACCES_WRONG_NAME;
1405
+	}
1406
+
1371 1407
 	return 0;
1372 1408
 }
1373 1409
 
@@ -1435,7 +1471,7 @@ int x509_append ( struct x509_chain *chain, struct x509_certificate *cert ) {
1435 1471
 	link->cert = x509_get ( cert );
1436 1472
 	list_add_tail ( &link->list, &chain->links );
1437 1473
 	DBGC ( chain, "X509 chain %p added X509 %p \"%s\"\n",
1438
-	       chain, cert, cert->subject.name );
1474
+	       chain, cert, x509_name ( cert ) );
1439 1475
 
1440 1476
 	return 0;
1441 1477
 }

+ 4
- 1
src/include/ipxe/x509.h Visa fil

@@ -65,7 +65,7 @@ struct x509_subject {
65 65
 	/** Raw subject */
66 66
 	struct asn1_cursor raw;
67 67
 	/** Common name */
68
-	char *name;
68
+	struct asn1_cursor common_name;
69 69
 	/** Public key information */
70 70
 	struct x509_public_key public_key;
71 71
 };
@@ -330,11 +330,14 @@ struct x509_root {
330 330
 	const void *fingerprints;
331 331
 };
332 332
 
333
+extern const char * x509_name ( struct x509_certificate *cert );
334
+
333 335
 extern int x509_certificate ( const void *data, size_t len,
334 336
 			      struct x509_certificate **cert );
335 337
 extern int x509_validate ( struct x509_certificate *cert,
336 338
 			   struct x509_certificate *issuer,
337 339
 			   time_t time, struct x509_root *root );
340
+extern int x509_check_name ( struct x509_certificate *cert, const char *name );
338 341
 
339 342
 extern struct x509_chain * x509_alloc_chain ( void );
340 343
 extern int x509_append ( struct x509_chain *chain,

+ 4
- 10
src/net/tls.c Visa fil

@@ -49,10 +49,6 @@ FILE_LICENCE ( GPL2_OR_LATER );
49 49
 #include <ipxe/tls.h>
50 50
 
51 51
 /* Disambiguate the various error causes */
52
-#define EACCES_WRONG_NAME __einfo_error ( EINFO_EACCES_WRONG_NAME )
53
-#define EINFO_EACCES_WRONG_NAME						\
54
-	__einfo_uniqify ( EINFO_EACCES, 0x02,				\
55
-			  "Incorrect server name" )
56 52
 #define EINVAL_CHANGE_CIPHER __einfo_error ( EINFO_EINVAL_CHANGE_CIPHER )
57 53
 #define EINFO_EINVAL_CHANGE_CIPHER					\
58 54
 	__einfo_uniqify ( EINFO_EINVAL, 0x01,				\
@@ -1479,7 +1475,7 @@ static int tls_parse_chain ( struct tls_session *tls,
1479 1475
 		}
1480 1476
 		cert = x509_last ( tls->chain );
1481 1477
 		DBGC ( tls, "TLS %p found certificate %s\n",
1482
-		       tls, cert->subject.name );
1478
+		       tls, x509_name ( cert ) );
1483 1479
 
1484 1480
 		/* Move to next certificate in list */
1485 1481
 		data = next;
@@ -2454,11 +2450,9 @@ static void tls_validator_done ( struct tls_session *tls, int rc ) {
2454 2450
 	assert ( cert != NULL );
2455 2451
 
2456 2452
 	/* Verify server name */
2457
-	if ( ( cert->subject.name == NULL ) ||
2458
-	     ( strcmp ( cert->subject.name, tls->name ) != 0 ) ) {
2459
-		DBGC ( tls, "TLS %p server name incorrect (expected %s, got "
2460
-		       "%s)\n", tls, tls->name, cert->subject.name );
2461
-		rc = -EACCES_WRONG_NAME;
2453
+	if ( ( rc = x509_check_name ( cert, tls->name ) ) != 0 ) {
2454
+		DBGC ( tls, "TLS %p server certificate does not match %s: %s\n",
2455
+		       tls, tls->name, strerror ( rc ) );
2462 2456
 		goto err;
2463 2457
 	}
2464 2458
 

+ 1
- 1
src/net/validator.c Visa fil

@@ -179,7 +179,7 @@ static int validator_append ( struct validator *validator,
179 179
 		}
180 180
 		cert = x509_last ( certs );
181 181
 		DBGC ( validator, "VALIDATOR %p found certificate %s\n",
182
-		       validator, cert->subject.name );
182
+		       validator, x509_name ( cert ) );
183 183
 
184 184
 		/* Move to next certificate */
185 185
 		asn1_skip_any ( &cursor );

Laddar…
Avbryt
Spara