From: Christos Tsantilas Date: Thu, 5 Apr 2012 16:38:31 +0000 (+0300) Subject: Add checks to assure that a cached certificate is valid for current request X-Git-Tag: BumpSslServerFirst.take08~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0efa4d01c223922cf637cd4f81796bf6470fa97d;p=thirdparty%2Fsquid.git Add checks to assure that a cached certificate is valid for current request Add checks in Ssl::certificateMatchesProperties to assure: - The CN name of the cached certificate matches the requested CN - "Not After" and "Not Before" fields of the cached certificate are valid Ssl::CommonHostName and getOrganization functions moved to gadgets.cc to allow use by ssl_crtd daemon --- diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc index 15bedf67f9..de73fbc218 100644 --- a/src/ssl/gadgets.cc +++ b/src/ssl/gadgets.cc @@ -576,22 +576,17 @@ bool Ssl::certificateMatchesProperties(X509 *cert, CertificateProperties const & if (X509_NAME_cmp(cert1_name, cert2_name) != 0) return false; } - /* else { - if (properties.commonName != Ssl::CommonHostName(cert)) + else if (properties.commonName != CommonHostName(cert)) return false; - This function normaly called to verify a cached certificate matches the - specifications given by properties parameter. - The cached certificate retrieved from the cache using a key which has - as part the properties.commonName. This is enough to assume that the - cached cert has in its subject the properties.commonName as cn field. - } - */ if (!properties.setValidBefore) { ASN1_TIME *aTime = X509_get_notBefore(cert); ASN1_TIME *bTime = X509_get_notBefore(cert2); if (asn1time_cmp(aTime, bTime) != 0) return false; + } else if (X509_cmp_current_time(X509_get_notBefore(cert)) >= 0) { + // notBefore does not exist (=0) or it is in the future (>0) + return false; } if (!properties.setValidAfter) { 
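Review bot: The new `else if (properties.commonName != CommonHostName(cert))` line compares against a pointer that can be NULL — the moved getSubjectEntry() returns NULL when the certificate is NULL, has no CN, or X509_NAME_get_text_by_NID() fails — and if properties.commonName is a std::string, as the mixed comparison suggests, comparing it with a null `const char*` is undefined behaviour rather than a clean mismatch. Fetch the name first and treat a missing CN as a non-match: `const char *cn = CommonHostName(cert);` followed by `if (!cn || properties.commonName != cn) return false;`. This is also a byte-exact, case-sensitive comparison, so a cached certificate whose CN differs from the requested name only in case is rejected (and presumably regenerated); that is the safe direction, but worth a one-line comment if intentional. certificateMatchesProperties() begins and ends outside this hunk.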
@@ -599,7 +594,11 @@ bool Ssl::certificateMatchesProperties(X509 *cert, CertificateProperties const & ASN1_TIME *bTime = X509_get_notAfter(cert2); if (asn1time_cmp(aTime, bTime) != 0) return false; + } else if (X509_cmp_current_time(X509_get_notAfter(cert)) <= 0) { + // notAfter does not exist (0) or it is in the past (<0) + return false; } + char *alStr1; int alLen; @@ -630,3 +629,32 @@ bool Ssl::certificateMatchesProperties(X509 *cert, CertificateProperties const & return match; } + +static const char *getSubjectEntry(X509 *x509, int nid) +{ + static char name[1024] = ""; // stores common name (CN) + + if (!x509) + return NULL; + + // TODO: What if the entry is a UTF8String? See X509_NAME_get_index_by_NID(3ssl). + const int nameLen = X509_NAME_get_text_by_NID( + X509_get_subject_name(x509), + nid, name, sizeof(name)); + + if (nameLen > 0) + return name; + + return NULL; +} + +const char *Ssl::CommonHostName(X509 *x509) +{ + return getSubjectEntry(x509, NID_commonName); +} + +const char *Ssl::getOrganization(X509 *x509) +{ + return getSubjectEntry(x509, NID_organizationName); +} + diff --git a/src/ssl/gadgets.h b/src/ssl/gadgets.h index cc0008bed6..b6dc935a2f 100644 --- a/src/ssl/gadgets.h +++ b/src/ssl/gadgets.h @@ -254,5 +254,20 @@ bool sslDateIsInTheFuture(char const * date); \return true if the certificates matches false otherwise. */ bool certificateMatchesProperties(X509 *peer_cert, CertificateProperties const &properties); + +/** + \ingroup ServerProtocolSSLAPI + * Returns CN from the certificate, suitable for use as a host name. + * Uses static memory to temporary store the extracted name. +*/ +const char *CommonHostName(X509 *x509); + +/** + \ingroup ServerProtocolSSLAPI + * Returns Organization from the certificate. + * Uses static memory to temporary store the extracted name. +*/ +const char *getOrganization(X509 *x509); + } // namespace Ssl #endif // SQUID_SSL_GADGETS_H 
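Review bot: The comment on the new `} else if (X509_cmp_current_time(X509_get_notAfter(cert)) <= 0) {` branch says a zero result means notAfter "does not exist", but X509_cmp_current_time() returns 0 on error, i.e. when the ASN1_TIME cannot be parsed, so what the branch actually rejects is an unparsable validity time; rejecting is the right outcome, but the comment should state the real reason: `// 0: notAfter could not be parsed; <0: certificate already expired`. The notBefore branch added in the previous hunk (`>= 0`) carries the same wording, `does not exist (=0)`, and should be corrected the same way, e.g. `// 0: notBefore could not be parsed; >0: certificate not yet valid`. The enclosing function starts and ends outside this hunk.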
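Review bot: `getSubjectEntry()` hands out a pointer into a single file-scope `static char name[1024]` that is now shared by the exported `Ssl::CommonHostName()` and `Ssl::getOrganization()`, so a value obtained from one call is silently overwritten by the next call to either function, and the helper is not reentrant; now that gadgets.cc exports these for the ssl_crtd daemon, that contract belongs on the helper, e.g. `// Returns a pointer into one static buffer shared by CommonHostName() and getOrganization(); copy the result before calling either again.` The `nameLen` returned by X509_NAME_get_text_by_NID() is discarded, so a name longer than the buffer is silently truncated to 1023 bytes and a name with an embedded NUL is seen only up to that NUL; against the new CN equality check in the first hunk this fails closed (a truncated or cut name will not match), but any other consumer of these strings should be given an explicit length rather than relying on the NUL terminator. The pre-existing TODO about UTF8String entries remains unresolved by the move.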
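Review bot: The new declarations of `CommonHostName()` and `getOrganization()` document the static buffer but omit the two facts a caller needs most: both return NULL when the certificate is NULL or lacks the entry, and, per the gadgets.cc implementation in this commit, they share one buffer so each call invalidates the previous result of either function. Suggest extending both Doxygen blocks with `\return the entry as a NUL-terminated string, or NULL if the certificate has no such entry` and `The returned pointer is valid only until the next call to CommonHostName() or getOrganization().`, and changing `temporary store` to `temporarily store`.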
diff --git a/src/ssl/support.cc b/src/ssl/support.cc index c40ad61b9f..b80162076a 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -1384,34 +1384,6 @@ void Ssl::readCertChainAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Poin } } -static const char *getSubjectEntry(X509 *x509, int nid) -{ - static char name[1024] = ""; // stores common name (CN) - - if (!x509) - return NULL; - - // TODO: What if the entry is a UTF8String? See X509_NAME_get_index_by_NID(3ssl). - const int nameLen = X509_NAME_get_text_by_NID( - X509_get_subject_name(x509), - nid, name, sizeof(name)); - - if (nameLen > 0) - return name; - - return NULL; -} - -const char *Ssl::CommonHostName(X509 *x509) -{ - return getSubjectEntry(x509, NID_commonName); -} - -static const char *getOrganization(X509 *x509) -{ - return getSubjectEntry(x509, NID_organizationName); -} - bool Ssl::generateUntrustedCert(X509_Pointer &untrustedCert, EVP_PKEY_Pointer &untrustedPkey, X509_Pointer const &cert, EVP_PKEY_Pointer const & pkey) { // Generate the self-signed certificate, using a hard-coded subject prefix diff --git a/src/ssl/support.h b/src/ssl/support.h index 9eaf8dd2a4..6430010e6a 100644 --- a/src/ssl/support.h +++ b/src/ssl/support.h @@ -190,12 +190,6 @@ int asn1timeToString(ASN1_TIME *tm, char *buf, int len); */ bool setClientSNI(SSL *ssl, const char *fqdn); -/** - \ingroup ServerProtocolSSLAPI - * Returns CN from the certificate, suitable for use as a host name. - * Uses static memory to temporary store the extracted name. -*/ -const char *CommonHostName(X509 *x509); } //namespace Ssl #if _SQUID_MSWIN_