Provide tls_peer_cert_common_name()

There is currently no sane way of getting your hands on the common name or subject alternative name of the peer certificate from libtls. It is possible to extract it from the peer cert's PEM by hand, but that way lies madness. While the common name is close to being deprecated in the webpki, it is still the de facto standard to identify client certs. It would be nice to have a way to access the subject alternative names as well, but this is a lot more difficult to expose in a clean and sane C interface due to its multivaluedness. Initial diff from henning, with input from beck, jsing and myself henning and bluhm have plans of using this in syslogd. ok beck
author: tb <> 2024-12-10 08:40:30 +0000
committer: tb <> 2024-12-10 08:40:30 +0000
commit: b3d93b59d26fa80123892302071d566ee8f30930 (patch)
tree: 2542f39bf15e49eda926e59376de19e797b35c50 /src/lib/libtls/tls_verify.c
parent: c0f2dde01da58c00510ac95afabe0df82b7374ec (diff)
download: openbsd-b3d93b59d26fa80123892302071d566ee8f30930.tar.gz
openbsd-b3d93b59d26fa80123892302071d566ee8f30930.tar.bz2
openbsd-b3d93b59d26fa80123892302071d566ee8f30930.zip
1 files changed, 77 insertions, 20 deletions
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index 6b2a4fb82a..2935278383 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.31 2024/11/12 22:50:06 tb Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.32 2024/12/10 08:40:30 tb Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 *
@@ -210,19 +210,22 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
 }
 static int
-tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
+tls_get_common_name_internal(X509 *cert, char **out_common_name,
-    int *cn_match)
+    unsigned int *out_tlserr, const char **out_errstr)
 {
        unsigned char *utf8_bytes = NULL;
        X509_NAME *subject_name;
        char *common_name = NULL;
-        union tls_addr addrbuf;
        int common_name_len;
        ASN1_STRING *data;
        int lastpos = -1;
        int rv = -1;
-        *cn_match = 0;
+        *out_tlserr = TLS_ERROR_UNKNOWN;
+        *out_errstr = "unknown";
+        free(*out_common_name);
+        *out_common_name = NULL;
        subject_name = X509_get_subject_name(cert);
        if (subject_name == NULL)
@@ -244,10 +247,10 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
                 * more than one CN fed to us in the subject, treating the
                 * certificate as hostile.
                 */
-                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
+                *out_tlserr = TLS_ERROR_UNKNOWN;
-                    "error verifying name '%s': "
+                *out_errstr = "error getting common name: "
                    "Certificate subject contains multiple Common Name fields, "
-                    "probably a malicious or malformed certificate", name);
+                    "probably a malicious or malformed certificate";
                goto err;
        }
@@ -257,10 +260,10 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
         * Fail if we cannot encode the CN bytes as UTF-8.
         */
        if ((common_name_len = ASN1_STRING_to_UTF8(&utf8_bytes, data)) < 0) {
-                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
+                *out_tlserr = TLS_ERROR_UNKNOWN;
-                    "error verifying name '%s': "
+                *out_errstr = "error getting common name: "
                    "Common Name field cannot be encoded as a UTF-8 string, "
-                    "probably a malicious certificate", name);
+                    "probably a malicious certificate";
                goto err;
        }
        /*
@@ -268,30 +271,85 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
         * must be between 1 and 64 bytes long.
         */
        if (common_name_len < 1 || common_name_len > 64) {
-                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
+                *out_tlserr = TLS_ERROR_UNKNOWN;
-                    "error verifying name '%s': "
+                *out_errstr = "error getting common name: "
                    "Common Name field has invalid length, "
-                    "probably a malicious certificate", name);
+                    "probably a malicious certificate";
                goto err;
        }
        /*
         * Fail if the resulting text contains a NUL byte.
         */
        if (memchr(utf8_bytes, 0, common_name_len) != NULL) {
-                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
+                *out_tlserr = TLS_ERROR_UNKNOWN;
-                    "error verifying name '%s': "
+                *out_errstr = "error getting common name: "
                    "NUL byte in Common Name field, "
-                    "probably a malicious certificate", name);
+                    "probably a malicious certificate";
                goto err;
        }
        common_name = strndup(utf8_bytes, common_name_len);
        if (common_name == NULL) {
-                tls_set_error(ctx, TLS_ERROR_OUT_OF_MEMORY,
+                *out_tlserr = TLS_ERROR_OUT_OF_MEMORY;
-                    "out of memory");
+                *out_errstr = "out of memory";
+                goto err;
+        }
+        *out_common_name = common_name;
+        common_name = NULL;
+ done:
+        if (*out_common_name == NULL)
+                *out_common_name = strdup("");
+        if (*out_common_name == NULL) {
+                *out_tlserr = TLS_ERROR_OUT_OF_MEMORY;
+                *out_errstr = "out of memory";
                goto err;
        }
+        rv = 0;
+ err:
+        free(utf8_bytes);
+        free(common_name);
+        return rv;
+}
+int
+tls_get_common_name(struct tls *ctx, X509 *cert, const char *in_name,
+    char **out_common_name)
+{
+        unsigned int errcode = TLS_ERROR_UNKNOWN;
+        const char *errstr = "unknown";
+        if (tls_get_common_name_internal(cert, out_common_name, &errcode,
+            &errstr) == -1) {
+                const char *name = in_name;
+                const char *space = " ";
+                if (name == NULL)
+                        name = space = "";
+                tls_set_errorx(ctx, errcode, "%s%s%s", name, space, errstr);
+                return -1;
+        }
+        return 0;
+}
+static int
+tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
+    int *cn_match)
+{
+        char *common_name = NULL;
+        union tls_addr addrbuf;
+        int rv = -1;
+        if (tls_get_common_name(ctx, cert, name, &common_name) == -1)
+                goto err;
+        if (strlen(common_name) == 0)
+                goto done;
        /*
         * We don't want to attempt wildcard matching against IP addresses,
         * so perform a simple comparison here.
@@ -310,7 +368,6 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
        rv = 0;
 err:
-        free(utf8_bytes);
        free(common_name);
        return rv;
 }
author	tb <>	2024-12-10 08:40:30 +0000
committer	tb <>	2024-12-10 08:40:30 +0000
commit	b3d93b59d26fa80123892302071d566ee8f30930 (patch)
tree	2542f39bf15e49eda926e59376de19e797b35c50 /src/lib/libtls/tls_verify.c
parent	c0f2dde01da58c00510ac95afabe0df82b7374ec (diff)
download	openbsd-b3d93b59d26fa80123892302071d566ee8f30930.tar.gz openbsd-b3d93b59d26fa80123892302071d566ee8f30930.tar.bz2 openbsd-b3d93b59d26fa80123892302071d566ee8f30930.zip