You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by be...@apache.org on 2015/06/26 06:06:13 UTC

[3/5] mesos git commit: Refactor Openssl certificate Subject Alternative Name logic.

Refactor Openssl certificate Subject Alternative Name logic.

Review: https://reviews.apache.org/r/35853


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/69e0f5a2
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/69e0f5a2
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/69e0f5a2

Branch: refs/heads/master
Commit: 69e0f5a29449835e8001614a4a0d54a6c456d4be
Parents: ed84f36
Author: Joris Van Remoortere <jo...@gmail.com>
Authored: Thu Jun 25 21:05:20 2015 -0700
Committer: Benjamin Hindman <be...@gmail.com>
Committed: Thu Jun 25 21:05:20 2015 -0700

----------------------------------------------------------------------
 3rdparty/libprocess/src/openssl.cpp | 73 +++++++++++++++++---------------
 1 file changed, 38 insertions(+), 35 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/69e0f5a2/3rdparty/libprocess/src/openssl.cpp
----------------------------------------------------------------------
diff --git a/3rdparty/libprocess/src/openssl.cpp b/3rdparty/libprocess/src/openssl.cpp
index 090e985..40b60bf 100644
--- a/3rdparty/libprocess/src/openssl.cpp
+++ b/3rdparty/libprocess/src/openssl.cpp
@@ -389,7 +389,8 @@ void initialize()
         EXIT(EXIT_FAILURE) << "Could not load default CA file and/or directory";
       }
 
-      VLOG(2) << "Using default CA file and/or directory";
+      VLOG(2) << "Using default CA file '" << X509_get_default_cert_file()
+              << "' and/or directory '" << X509_get_default_cert_dir() << "'";
     }
 
     // Set SSL peer verification callback.
@@ -488,44 +489,46 @@ Try<Nothing> verify(const SSL* const ssl, const Option<string>& hostname)
       : Try<Nothing>(Nothing());
   }
 
-  int extcount = X509_get_ext_count(cert);
-  if (extcount <= 0) {
-    X509_free(cert);
-    return Error("X509_get_ext_count failed: " + stringify(extcount));
-  }
-
-  for (int i = 0; i < extcount; i++) {
-    X509_EXTENSION* ext = X509_get_ext(cert, i);
-
-    const string extstr =
-      OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
-
-    if (extstr == "subjectAltName") {
-#if OPENSSL_VERSION_NUMBER <= 0x00909000L
-      X509V3_EXT_METHOD* method = X509V3_EXT_get(ext);
-#else
-      const X509V3_EXT_METHOD* method = X509V3_EXT_get(ext);
-#endif
-      if (method == NULL) {
-        break;
-      }
-
-      const unsigned char* data = ext->value->data;
-
-      STACK_OF(CONF_VALUE)* values = method->i2v(
-          method,
-          method->d2i(NULL, &data, ext->value->length),
-          NULL);
-
-      for (int j = 0; j < sk_CONF_VALUE_num(values); j++) {
-        CONF_VALUE* value = sk_CONF_VALUE_value(values, j);
-        if ((strcmp(value->name, "DNS") == 0) &&
-            (value->value == hostname.get())) {
+  // From https://wiki.openssl.org/index.php/Hostname_validation.
+  // Check the Subject Alternate Name extension (SAN). This is useful
+  // for certificates that serve multiple physical hosts.
+  STACK_OF(GENERAL_NAME)* san_names =
+    reinterpret_cast<STACK_OF(GENERAL_NAME)*>(X509_get_ext_d2i(
+        reinterpret_cast<X509*>(cert),
+        NID_subject_alt_name,
+        NULL,
+        NULL));
+
+  if (san_names != NULL) {
+    int san_names_num = sk_GENERAL_NAME_num(san_names);
+
+    // Check each name within the extension.
+    for (int i = 0; i < san_names_num; i++) {
+      const GENERAL_NAME* current_name = sk_GENERAL_NAME_value(san_names, i);
+
+      if (current_name->type == GEN_DNS) {
+        // Current name is a DNS name, let's check it.
+        const string dns_name =
+          reinterpret_cast<char*>(ASN1_STRING_data(current_name->d.dNSName));
+
+        // Make sure there isn't an embedded NUL character in the DNS name.
+        const size_t length = ASN1_STRING_length(current_name->d.dNSName);
+        if (length != dns_name.length()) {
+          sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
           X509_free(cert);
-          return Nothing();
+          return Error(
+            "X509 certificate malformed: embedded NUL character in DNS name");
+        } else { // Compare expected hostname with the DNS name.
+          if (hostname.get() == dns_name) {
+            sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
+            X509_free(cert);
+            return Nothing();
+          }
         }
       }
     }
+
+    sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
   }
 
   // If we still haven't verified the hostname, try doing it via