[Asterisk-code-review] Add X.509 subject alternative name support to TLS certificat... (asterisk[master])

Maciej Szmigiero asteriskteam at digium.com
Fri May 8 14:40:28 CDT 2015


Maciej Szmigiero has uploaded a new change for review.

  https://gerrit.asterisk.org/416

Change subject: Add X.509 subject alternative name support to TLS certificate verification.
......................................................................

Add X.509 subject alternative name support to TLS certificate
verification.

This way one X.509 certificate can be used for hosts that
can be reached under multiple DNS names or for multiple hosts.

Signed-off-by: Maciej Szmigiero <mail at maciej.szmigiero.name>

ASTERISK-25063

Change-Id: I13302c80490a0b44c43f1b45376c9bd7b15a538f
---
M include/asterisk/tcptls.h
M main/tcptls.c
2 files changed, 39 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/16/416/1

diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h
index 0e8d9d0..a3f3f28 100644
--- a/include/asterisk/tcptls.h
+++ b/include/asterisk/tcptls.h
@@ -65,6 +65,7 @@
 #ifdef DO_SSL
 #include <openssl/ssl.h>
 #include <openssl/err.h>
+#include <openssl/x509v3.h>
 #else
 /* declare dummy types so we can define a pointer to them */
 typedef struct {} SSL;
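Review bot: the new `#include <openssl/x509v3.h>` is only needed by the subject-alternative-name code in main/tcptls.c, so adding it to the public tcptls.h pulls the X509v3 declarations into every file that includes that header; consider moving it next to the existing OpenSSL includes in tcptls.c unless the header itself needs GENERAL_NAME. Placing it inside the `#ifdef DO_SSL` block is correct, since the non-SSL build has no OpenSSL headers and relies on the dummy types below.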
diff --git a/main/tcptls.c b/main/tcptls.c
index 0b06d22..7513e3f 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -633,6 +633,7 @@
 					ASN1_STRING *str;
 					unsigned char *str2;
 					X509_NAME *name = X509_get_subject_name(peer);
+					STACK_OF(GENERAL_NAME) *alt_names;
 					int pos = -1;
 					int found = 0;
 
@@ -662,6 +663,43 @@
 							break;
 						}
 					}
+
+					if (!found) {
+						alt_names = X509_get_ext_d2i(peer, NID_subject_alt_name, NULL, NULL);
+
+						if (alt_names != NULL) {
+							int alt_names_count = sk_GENERAL_NAME_num(alt_names);
+							for (pos = 0; pos < alt_names_count; pos++) {
+								const GENERAL_NAME *alt_name = sk_GENERAL_NAME_value(alt_names, pos);
+
+								if (alt_name->type != GEN_DNS) {
+									continue;
+								}
+
+								ret = ASN1_STRING_to_UTF8(&str2, alt_name->d.dNSName);
+								if (ret < 0) {
+									continue;
+								}
+
+								if (str2) {
+									if (strlen((char *) str2) != ret) {
+										ast_log(LOG_WARNING, "Invalid certificate alt name length (contains NULL bytes?)\n");
+									} else if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
+										found = 1;
+									}
+									ast_debug(3, "SSL Alt Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2);
+									OPENSSL_free(str2);
+								}
+
+								if (found) {
+									break;
+								}
+							}
+
+							sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free);
+						}
+					}
+
 					if (!found) {
 						ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
 						X509_free(peer);
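Review bot: the alternative-name loop under the new `if (!found) {` runs only after the common-name comparison has failed, which is the reverse of the order RFC 6125 (section 6.4.4) prescribes: when a certificate carries dNSName entries the CN should not be consulted at all, so a certificate whose CN matches but whose SAN list does not is still accepted here. Consider running the SAN loop first and falling back to the CN check only when `alt_names` is NULL or contains no GEN_DNS entries. Three smaller points in the same hunk: the unchanged `ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", ...)` is now reached after both CN and SAN checks fail, so its text should mention alternative names as well; the match is an exact `strcasecmp`, so wildcard SANs are not honoured and GEN_IPADD entries are skipped even when the configured hostname is an IP literal, which is worth stating in the commit message; and `str2` passed to `ast_debug` as `%s` is `unsigned char *` and should carry the same `(char *)` cast used on the `strcasecmp` line. The `strlen((char *) str2) != ret` guard against embedded NUL bytes is the right check and matches the existing CN handling.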

-- 
To view, visit https://gerrit.asterisk.org/416
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I13302c80490a0b44c43f1b45376c9bd7b15a538f
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Maciej Szmigiero <mail at maciej.szmigiero.name>
