-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
X509 crt verify SAN iPAddress #6475
Conversation
Some builds pass. |
11f4821
to
aed5437
Compare
e96156a
to
9da4810
Compare
Besides While I could save a few lines of code by not flagging existence of MBEDTLS_X509_SAN_IP_ADDRESS in the loop which calls As for OpenBSD, the defines for AF_INET and AF_INET6 are in I am ok if this feature is only available on platforms using compilers supporting |
9da4810
to
d1a005e
Compare
Sorry, my review queue is about a dozen deep. I am not volunteering for a review of this PR at this time.
Consider the scenario: I am setting up an IoT application, and doing deployment testing on a PC. Everything works. But when I deploy to my embedded devices, it works on some and fails on others. This seems like a debugging nightmare. I've kicked an internal discussion, and I personally need to think about this some more. My current thinking is that this would be ok for some platform-adjacent functionality, such as the ability to start an network connection. But for certificate validation, I would not expect this kind of platform adherence, especially when it's not about the standard library but about the compiler. |
d1a005e
to
afca0ad
Compare
The reason I am working on this PR is the very real-world issue of #6473 "curl built with mbedtls fails on https://1.1.1.1/ (IP address in SubjectAltName)". This feature gap makes mbedtls unusable with some modern applications in certain situations. For #6473, the patches here are likely to be backported to the openwrt mbedtls package (openwrt/packages#19677).
Please compare that to the current situation where verification with SAN iPAddress fails on all platforms. While incomplete platform coverage for a feature is not ideal, it should still be obvious which one of the above two scenarios is better and which one is worse. In any case, @gilles-peskine-arm since you do not have time to review this PR, please nominate someone else to review this PR so that this PR does not languish for 3 years as has happened with reviewer churn in PR #2906, a precursor to this PR. Please remove the label "needs-work" and allow the next reviewer to determine if the PR needs work, and to describe what that requested work is, so that I can address more detailed feedback. I have added some additional commits to this PR. When I would prefer to have this PR scoped without the two extra commits I added to this PR. This would mean that the SAN iPAddress matching would be available on most, but not all mbedtls platforms, but should make the PR easier to review. If you remove the top two commits to this PR, tests pass (or are skipped) on all platforms in the mbedtls CI. In a separate PR, the mbedtls team could provide more detailed guidance on how a platform abstraction might be structured for this. For example, I think that it is undesirable for libmbedx509 to grow a dependency on |
5295081
to
40c3dfe
Compare
All tests pass, besides an unrelated ABI error about removing mbedtls_mpi_core_shift_r, which was not done here. I have pushed an additional change to attempt to include |
Well, yes, that's obvious, but not the way you think. So no, it's actually not obvious. For a system-related feature, it's better to support the feature on some systems than on none. For a cryptographic feature, it's better to be consistent. Certificate verification is a cryptographic feature. |
x509 crt verify local implementation to parse IP if inet_pton() is not portably available Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Signed-off-by: Eugene K <eugene.kobyakov@netfoundry.io>
Extended from Mbed-TLS#2906 contributed by Eugene K <eugene.kobyakov@netfoundry.io> Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
instead of MBEDTLS_SHA256_C in test data dependencies Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
instead of MBEDTLS_ECDSA_C in test data dependencies Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
3e2f8cf
to
9a5a388
Compare
rebased to HEAD of development at request of @mprse |
This only fixes minor problems. Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3 The 100-fix-compile.patch patch was merged upstream, see: Mbed-TLS/mbedtls#6243 Mbed-TLS/mbedtls#7013 The code style of all files in mbedtls 2.28.3 was changed. I took a new version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this pull request: Mbed-TLS/mbedtls#6475 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This only fixes minor problems. Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3 The 100-fix-compile.patch patch was merged upstream, see: Mbed-TLS/mbedtls#6243 Mbed-TLS/mbedtls#7013 The code style of all files in mbedtls 2.28.3 was changed. I took a new version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this pull request: Mbed-TLS/mbedtls#6475 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This only fixes minor problems. Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3 The 100-fix-compile.patch patch was merged upstream, see: Mbed-TLS/mbedtls#6243 Mbed-TLS/mbedtls#7013 The code style of all files in mbedtls 2.28.3 was changed. I took a new version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this pull request: Mbed-TLS/mbedtls#6475 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Merged as a part of #7436. |
This only fixes minor problems. Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3 The 100-fix-compile.patch patch was merged upstream, see: Mbed-TLS/mbedtls#6243 Mbed-TLS/mbedtls#7013 The code style of all files in mbedtls 2.28.3 was changed. I took a new version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this pull request: Mbed-TLS/mbedtls#6475 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit d679b15)
This only fixes minor problems. Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3 The 100-fix-compile.patch patch was merged upstream, see: Mbed-TLS/mbedtls#6243 Mbed-TLS/mbedtls#7013 The code style of all files in mbedtls 2.28.3 was changed. I took a new version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this pull request: Mbed-TLS/mbedtls#6475 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit d679b15)
This only fixes minor problems. Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3 The 100-fix-compile.patch patch was merged upstream, see: Mbed-TLS/mbedtls#6243 Mbed-TLS/mbedtls#7013 The code style of all files in mbedtls 2.28.3 was changed. I took a new version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this pull request: Mbed-TLS/mbedtls#6475 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit d679b15)
Description
X509 crt verify SAN iPAddress
Status
READY
Requires Backporting
NO
Additional comments
A fair bit of work went into #2906 with over 70 posts, but for some reason the PR was never completed. Related PRs:
#2906 Verify numerical ip SubjectAlternativeName properly
#4494 Backport 2.28: Verify numerical ip SubjectAlternativeName properly
#5082 subjectAltName IP:X.X.X.X address not recognized, CN verification fails
#6473 curl built with mbedtls fails on https://1.1.1.1/ (IP address in SubjectAltName)
Why did #2906 reinvent the wheel with parsing IPv4 and IPv6 addresses? I implemented this PR in under an hour using
inet_pton()
(and while the patches do backport cleanly to mbedtls 2.28.1, I understand the feature is unlikely to be backported)Should I incorporate the ~110 lines of code from #2906 which re-implement IPv4 and IPv6 string parsing? Should that be done only when
inet_pton()
is not available? Can all of this be done more simply with a feature macro, e.g.#if defined(MBEDTLS_X509_CRT_VERIFY_SAN_IP)
which is disabled by default, and if you enable it, you should haveinet_pton()
? Most modern systems haveinet_pton()
in libc, though there are some odd systems out there like Haiku which might have it in -lsocket or -lnetwork (I have not checked).This PR defers checking MBEDTLS_X509_SAN_IP_ADDRESS. It flags if MBEDTLS_X509_SAN_IP_ADDRESS is seen while checking MBEDTLS_X509_SAN_DNS_NAME, and only if a dNSName match is not found (and MBEDTLS_X509_SAN_IP_ADDRESS is present) does this PR attempt to convert the string with
inet_pton()
, and then check for match with MBEDTLS_X509_SAN_IP_ADDRESS.Todos