Posted to c-commits@axis.apache.org by bi...@apache.org on 2019/09/01 00:23:06 UTC
svn commit: r1866225 - in /axis/axis2/c/core/trunk: include/
src/core/transport/http/sender/ src/core/transport/http/sender/ssl/
Author: billblough
Date: Sun Sep 1 00:23:06 2019
New Revision: 1866225
URL: http://svn.apache.org/viewvc?rev=1866225&view=rev
Log:
Perform SSL hostname validation
SSL stream can now verify that the remote server hostname matches the
certificate Common Name or Subject Alternative Name.
This behavior can be disabled/enabled at the http_client scope using the
new function:
axis2_http_client_set_validate_ssl_hostname
There is also an associated getter:
axis2_http_client_get_validate_ssl_hostname
For backwards compatibility, this behavior is disabled by default.
However, this will change to being enabled by default in a future
release.
When enabled, this functionality mitigates CVE-2012-6107.
JIRA: AXIS2C-1619
Modified:
axis/axis2/c/core/trunk/include/axis2_http_client.h
axis/axis2/c/core/trunk/src/core/transport/http/sender/http_client.c
axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_stream.c
axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_stream.h
axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.c
axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.h
Modified: axis/axis2/c/core/trunk/include/axis2_http_client.h
URL: http://svn.apache.org/viewvc/axis/axis2/c/core/trunk/include/axis2_http_client.h?rev=1866225&r1=1866224&r2=1866225&view=diff
==============================================================================
--- axis/axis2/c/core/trunk/include/axis2_http_client.h (original)
+++ axis/axis2/c/core/trunk/include/axis2_http_client.h Sun Sep 1 00:23:06 2019
@@ -271,6 +271,18 @@ extern "C"
axis2_http_client_t * client,
const axutil_env_t * env);
+ AXIS2_EXTERN axis2_status_t AXIS2_CALL
+ axis2_http_client_set_validate_ssl_hostname(
+ axis2_http_client_t * client,
+ const axutil_env_t * env,
+ axis2_bool_t validate_host);
+
+ AXIS2_EXTERN axis2_bool_t AXIS2_CALL
+ axis2_http_client_get_validate_ssl_hostname(
+ const axis2_http_client_t * client,
+ const axutil_env_t * env);
+
+
/** @} */
#ifdef __cplusplus
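Review bot: The two new public prototypes carry no Doxygen comment, so a caller cannot tell from the header what the default is or when the setting takes effect. The implementation initialises the flag to AXIS2_FALSE in axis2_http_client_create, and the hostname is only handed to the SSL layer when the data stream is created inside axis2_http_client_send (`if(!client->data_stream)`), so the setter appears to have no effect on a client whose SSL stream already exists. I would document both points on the setter, e.g. `/** Enable verification of the server hostname against the certificate CN/SAN. Defaults to AXIS2_FALSE; must be set before the first SSL send, as an existing stream is not re-validated. */`, and give the getter a one-line `@return` comment.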
Modified: axis/axis2/c/core/trunk/src/core/transport/http/sender/http_client.c
URL: http://svn.apache.org/viewvc/axis/axis2/c/core/trunk/src/core/transport/http/sender/http_client.c?rev=1866225&r1=1866224&r2=1866225&view=diff
==============================================================================
--- axis/axis2/c/core/trunk/src/core/transport/http/sender/http_client.c (original)
+++ axis/axis2/c/core/trunk/src/core/transport/http/sender/http_client.c Sun Sep 1 00:23:06 2019
@@ -52,6 +52,7 @@ struct axis2_http_client
axis2_char_t *key_file;
axis2_char_t *req_body;
int req_body_size;
+ axis2_bool_t validate_ssl_hostname;
/* These are for mtom case */
axutil_array_list_t *mime_parts;
@@ -97,6 +98,11 @@ axis2_http_client_create(
http_client->doing_mtom = AXIS2_FALSE;
http_client->mtom_sending_callback_name = NULL;
+ /* TODO default this to false for now, but this should default
+ * to true in a future version (after 1.8)
+ */
+ http_client->validate_ssl_hostname = AXIS2_FALSE;
+
return http_client;
}
@@ -277,7 +283,8 @@ axis2_http_client_send(
if(!client->data_stream)
client->data_stream =
axutil_stream_create_ssl(env, client->sockfd, axis2_http_client_get_server_cert(client,
- env), axis2_http_client_get_key_file(client, env), ssl_pp);
+ env), axis2_http_client_get_key_file(client, env), ssl_pp,
+ client->validate_ssl_hostname == AXIS2_TRUE ? host : NULL);
#else
axutil_network_handler_close_socket(env, client->sockfd);
client->sockfd = -1;
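Review bot: The new argument `client->validate_ssl_hostname == AXIS2_TRUE ? host : NULL` fails open for any "true" value that is not exactly AXIS2_TRUE; if axis2_bool_t is a plain integer typedef (as I believe it is), a caller that stores a non-normalised flag such as `(opts & MASK)` silently gets no hostname validation. Test truthiness instead: `client->validate_ssl_hostname ? host : NULL`, or normalise in the setter. `host` is defined outside this hunk, and axis2_http_client_send starts and ends outside it, so I could not confirm that `host` is non-NULL and still valid at this point.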
@@ -1052,3 +1059,22 @@ axis2_http_client_reset(
}
return AXIS2_SUCCESS;
}
+
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
+axis2_http_client_set_validate_ssl_hostname(
+ axis2_http_client_t * client,
+ const axutil_env_t * env,
+ axis2_bool_t validate_ssl_hostname)
+{
+ client->validate_ssl_hostname = validate_ssl_hostname;
+ return AXIS2_SUCCESS;
+}
+
+AXIS2_EXTERN axis2_bool_t AXIS2_CALL
+axis2_http_client_get_validate_ssl_hostname(
+ const axis2_http_client_t * client,
+ const axutil_env_t * env)
+{
+ return client->validate_ssl_hostname;
+}
+
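Review bot: axis2_http_client_set_validate_ssl_hostname and the getter dereference `client` without any parameter check and ignore `env` entirely. If the rest of this file guards public entry points with AXIS2_ENV_CHECK / AXIS2_PARAM_CHECK (which is what I'd expect for an axis2 public API), these two should do the same, e.g. `AXIS2_PARAM_CHECK(env->error, client, AXIS2_FAILURE);` in the setter and `AXIS2_PARAM_CHECK(env->error, client, AXIS2_FALSE);` in the getter. The setter could also normalise the stored value (`client->validate_ssl_hostname = validate_ssl_hostname ? AXIS2_TRUE : AXIS2_FALSE;`) so that later `== AXIS2_TRUE` comparisons behave.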
Modified: axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_stream.c
URL: http://svn.apache.org/viewvc/axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_stream.c?rev=1866225&r1=1866224&r2=1866225&view=diff
==============================================================================
--- axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_stream.c (original)
+++ axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_stream.c Sun Sep 1 00:23:06 2019
@@ -69,7 +69,8 @@ axutil_stream_create_ssl(
axis2_socket_t socket,
axis2_char_t * server_cert,
axis2_char_t * key_file,
- axis2_char_t * ssl_pp)
+ axis2_char_t * ssl_pp,
+ axis2_char_t * host)
{
ssl_stream_impl_t *stream_impl = NULL;
@@ -96,7 +97,7 @@ axutil_stream_create_ssl(
return NULL;
}
stream_impl->ssl = axis2_ssl_utils_initialize_ssl(env, stream_impl->ctx,
- stream_impl->socket);
+ stream_impl->socket, host);
if (!stream_impl->ssl)
{
AXIS2_HANDLE_ERROR(env, AXIS2_ERROR_SSL_ENGINE, AXIS2_FAILURE);
Modified: axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_stream.h
URL: http://svn.apache.org/viewvc/axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_stream.h?rev=1866225&r1=1866224&r2=1866225&view=diff
==============================================================================
--- axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_stream.h (original)
+++ axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_stream.h Sun Sep 1 00:23:06 2019
@@ -38,7 +38,8 @@ extern "C"
axis2_socket_t socket,
axis2_char_t * server_cert,
axis2_char_t * key_file,
- axis2_char_t * ssl_pp);
+ axis2_char_t * ssl_pp,
+ axis2_char_t * host);
void AXIS2_CALL
axis2_ssl_stream_free(
Modified: axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.c
URL: http://svn.apache.org/viewvc/axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.c?rev=1866225&r1=1866224&r2=1866225&view=diff
==============================================================================
--- axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.c (original)
+++ axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.c Sun Sep 1 00:23:06 2019
@@ -171,7 +171,8 @@ AXIS2_EXTERN SSL *AXIS2_CALL
axis2_ssl_utils_initialize_ssl(
const axutil_env_t * env,
SSL_CTX * ctx,
- axis2_socket_t socket)
+ axis2_socket_t socket,
+ axis2_char_t * host)
{
SSL *ssl = NULL;
BIO *sbio = NULL;
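Review bot: The new `host` parameter is only ever read (`strlen(host)` and `X509_check_host`, whose name argument is `const char *`), so it should be declared `const axis2_char_t * host` here and in the matching prototypes in ssl_utils.h, ssl_stream.h and ssl_stream.c; as written, a caller holding a const hostname has to cast it away. X509_check_host is only available from OpenSSL 1.0.2 onward, so the build should either state that minimum version or guard the call with an `OPENSSL_VERSION_NUMBER` check that fails the connection rather than compiling out validation. axis2_ssl_utils_initialize_ssl continues past this hunk.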
@@ -242,6 +243,17 @@ axis2_ssl_utils_initialize_ssl(
if (ASN1_STRING_cmp(peer_sig, client_sig) == 0)
{
+ /* if the caller passed a hostname, verify it against the cert */
+ if (host) {
+ if (X509_check_host(peer_cert, host, strlen(host), 0, NULL) == 1) {
+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
+ "[ssl client] peer name matches certificate CN/SAN");
+ } else {
+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
+ "[ssl client] peer name does not match certificate CN/SAN");
+ return NULL;
+ }
+ }
if (peer_cert)
{
X509_free(peer_cert);
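Review bot: The `return NULL;` on hostname mismatch skips the `X509_free(peer_cert)` that the matching path performs on the next lines, leaking the peer certificate reference, and presumably also leaks the `ssl`/`sbio` objects that the function's other failure paths release (those paths are outside this hunk, so I cannot confirm how they clean up). A mismatch is a security failure, not a trace event, so it should be logged at error level and cleaned up before returning: `AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[ssl client] peer name does not match certificate CN/SAN");` followed by `X509_free(peer_cert);` (plus whatever the other error exits free) and then `return NULL;`. The existing `if (peer_cert)` guard suggests `peer_cert` may be NULL here; if that is reachable, `X509_check_host` must be called inside that guard, since it does not accept a NULL certificate. Passing `0` for flags also accepts partial-wildcard names; `X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS` is the stricter, defender-friendly choice.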
Modified: axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.h
URL: http://svn.apache.org/viewvc/axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.h?rev=1866225&r1=1866224&r2=1866225&view=diff
==============================================================================
--- axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.h (original)
+++ axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.h Sun Sep 1 00:23:06 2019
@@ -41,7 +41,8 @@ extern "C"
axis2_ssl_utils_initialize_ssl(
const axutil_env_t * env,
SSL_CTX * ctx,
- axis2_socket_t socket);
+ axis2_socket_t socket,
+ axis2_char_t * host);
AXIS2_EXTERN axis2_status_t AXIS2_CALL
axis2_ssl_utils_cleanup_ssl(