return os;
}
+bool OpenSSLUtils::getPeerAddressFromX509StoreCtx(X509_STORE_CTX* ctx,
+ sockaddr_storage* addrStorage,
+ socklen_t* addrLen) {
+ // Grab the ssl idx and then the ssl object so that we can get the peer
+ // name to compare against the ips in the subjectAltName
+ auto sslIdx = SSL_get_ex_data_X509_STORE_CTX_idx();
+ auto ssl =
+ reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, sslIdx));
+ int fd = SSL_get_fd(ssl);
+ if (fd < 0) {
+ LOG(ERROR) << "Inexplicably couldn't get fd from SSL";
+ return false;
+ }
+
+ *addrLen = sizeof(*addrStorage);
+ if (getpeername(fd, reinterpret_cast<sockaddr*>(addrStorage), addrLen) != 0) {
+ PLOG(ERROR) << "Unable to get peer name";
+ return false;
+ }
+ CHECK(*addrLen <= sizeof(*addrStorage));
+ return true;
+}
+
+bool OpenSSLUtils::validatePeerCertNames(X509* cert,
+ const sockaddr* addr,
+ socklen_t addrLen) {
+ // Try to extract the names within the SAN extension from the certificate
+ auto altNames =
+ reinterpret_cast<STACK_OF(GENERAL_NAME)*>(
+ X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
+ SCOPE_EXIT {
+ if (altNames != nullptr) {
+ sk_GENERAL_NAME_pop_free(altNames, GENERAL_NAME_free);
+ }
+ };
+ if (altNames == nullptr) {
+ LOG(WARNING) << "No subjectAltName provided and we only support ip auth";
+ return false;
+ }
+
+ const sockaddr_in* addr4 = nullptr;
+ const sockaddr_in6* addr6 = nullptr;
+ if (addr != nullptr) {
+ if (addr->sa_family == AF_INET) {
+ addr4 = reinterpret_cast<const sockaddr_in*>(addr);
+ } else if (addr->sa_family == AF_INET6) {
+ addr6 = reinterpret_cast<const sockaddr_in6*>(addr);
+ } else {
+ LOG(FATAL) << "Unsupported sockaddr family: " << addr->sa_family;
+ }
+ }
+
+
+ for (int i = 0; i < sk_GENERAL_NAME_num(altNames); i++) {
+ auto name = sk_GENERAL_NAME_value(altNames, i);
+ if ((addr4 != nullptr || addr6 != nullptr) && name->type == GEN_IPADD) {
+ // Extra const-ness for paranoia
+ unsigned char const * const rawIpStr = name->d.iPAddress->data;
+ int const rawIpLen = name->d.iPAddress->length;
+
+ if (rawIpLen == 4 && addr4 != nullptr) {
+ if (::memcmp(rawIpStr, &addr4->sin_addr, rawIpLen) == 0) {
+ return true;
+ }
+ } else if (rawIpLen == 16 && addr6 != nullptr) {
+ if (::memcmp(rawIpStr, &addr6->sin6_addr, rawIpLen) == 0) {
+ return true;
+ }
+ } else if (rawIpLen != 4 && rawIpLen != 16) {
+ LOG(WARNING) << "Unexpected IP length: " << rawIpLen;
+ }
+ }
+ }
+
+ LOG(WARNING) << "Unable to match client cert against alt name ip";
+ return false;
+}
+
+
} // folly
#include <openssl/ssl.h>
#include <openssl/tls1.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+
#include <glog/logging.h>
namespace folly {
std::ostream& operator<<(std::ostream& os, const folly::PasswordCollector& collector);
+class OpenSSLUtils {
+ public:
+ /**
+ * Validate that the peer certificate's common name or subject alt names
+ * match what we expect. Currently this only checks for IPs within
+ * subject alt names but it could easily be expanded to check common name
+ * and hostnames as well.
+ *
+ * @param cert X509* peer certificate
+ * @param addr sockaddr object containing sockaddr to verify
+ * @param addrLen length of sockaddr as returned by getpeername or accept
+ * @return true iff a subject altname IP matches addr
+ */
+ // TODO(agartrell): Add support for things like common name when
+ // necessary.
+ static bool validatePeerCertNames(X509* cert,
+ const sockaddr* addr,
+ socklen_t addrLen);
+
+ /**
+ * Get the peer socket address from an X509_STORE_CTX*. Unlike the
+ * accept, getsockname, getpeername, etc family of operations, addrLen's
+ * initial value is ignored and reset.
+ *
+ * @param ctx Context from which to retrieve peer sockaddr
+ * @param addrStorage out param for address
+ * @param addrLen out param for length of address
+ * @return true on success, false on failure
+ */
+ static bool getPeerAddressFromX509StoreCtx(X509_STORE_CTX* ctx,
+ sockaddr_storage* addrStorage,
+ socklen_t* addrLen);
+
+};
+
+
} // folly
projects / folly.git / commitdiff