Extend domain_match and domain_suffix_match to allow list of values

These wpa_supplicant network profile parameters could be used to specify a single match string that would be used against the dNSName items in subjectAltName or CN. There may be use cases where more than one alternative match string would be useful, so extend these to allow a semicolon delimited list of values to be used (e.g., "example.org;example.com"). If any of the specified values matches any of the dNSName/CN values in the server certificate, consider the certificate as meeting this requirement. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 16:18:19 +03:00 · 2019-04-09 16:18:19 +03:00 · 242e857285
commit 242e857285
parent dcc0ccd5b0
6 changed files with 138 additions and 37 deletions
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@ -1735,9 +1735,9 @@ static int tls_match_altsubject(X509 *cert, const char *match)

 #ifndef CONFIG_NATIVE_WINDOWS
 static int domain_suffix_match(const u8 *val, size_t len, const char *match,
-			       int full)
+			       size_t match_len, int full)
 {
-	size_t i, match_len;
+	size_t i;

 	/* Check for embedded nuls that could mess up suffix matching */
 	for (i = 0; i < len; i++) {
@ -1747,7 +1747,6 @@ static int domain_suffix_match(const u8 *val, size_t len, const char *match,
 		}
 	}

-	match_len = os_strlen(match);
 	if (match_len > len || (full && match_len != len))
 		return 0;

@ -1980,12 +1979,10 @@ static int tls_match_dn_field(X509 *cert, const char *match)
 }


-static int tls_match_suffix(X509 *cert, const char *match, int full)
+#ifndef CONFIG_NATIVE_WINDOWS
+static int tls_match_suffix_helper(X509 *cert, const char *match,
+				   size_t match_len, int full)
 {
-#ifdef CONFIG_NATIVE_WINDOWS
-	/* wincrypt.h has conflicting X509_NAME definition */
-	return -1;
-#else /* CONFIG_NATIVE_WINDOWS */
 	GENERAL_NAME *gen;
 	void *ext;
 	int i;
@ -2007,8 +2004,8 @@ static int tls_match_suffix(X509 *cert, const char *match, int full)
 				  gen->d.dNSName->data,
 				  gen->d.dNSName->length);
 		if (domain_suffix_match(gen->d.dNSName->data,
-					gen->d.dNSName->length, match, full) ==
-		    1) {
+					gen->d.dNSName->length,
+					match, match_len, full) == 1) {
 			wpa_printf(MSG_DEBUG, "TLS: %s in dNSName found",
 				   full ? "Match" : "Suffix match");
 			sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
@ -2039,8 +2036,8 @@ static int tls_match_suffix(X509 *cert, const char *match, int full)
 			continue;
 		wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate commonName",
 				  cn->data, cn->length);
-		if (domain_suffix_match(cn->data, cn->length, match, full) == 1)
-		{
+		if (domain_suffix_match(cn->data, cn->length,
+					match, match_len, full) == 1) {
 			wpa_printf(MSG_DEBUG, "TLS: %s in commonName found",
 				   full ? "Match" : "Suffix match");
 			return 1;
@ -2050,6 +2047,25 @@ static int tls_match_suffix(X509 *cert, const char *match, int full)
 	wpa_printf(MSG_DEBUG, "TLS: No CommonName %smatch found",
 		   full ? "": "suffix ");
 	return 0;
+}
+#endif /* CONFIG_NATIVE_WINDOWS */
+
+
+static int tls_match_suffix(X509 *cert, const char *match, int full)
+{
+#ifdef CONFIG_NATIVE_WINDOWS
+	/* wincrypt.h has conflicting X509_NAME definition */
+	return -1;
+#else /* CONFIG_NATIVE_WINDOWS */
+	const char *token, *last = NULL;
+
+	/* Process each match alternative separately until a match is found */
+	while ((token = cstr_token(match, ";", &last))) {
+		if (tls_match_suffix_helper(cert, token, last - token, full))
+			return 1;
+	}
+
+	return 0;
 #endif /* CONFIG_NATIVE_WINDOWS */
 }