diff options
-rw-r--r-- | CMakeLists.txt | 2 | ||||
-rw-r--r-- | README.md | 4 | ||||
-rw-r--r-- | librabbitmq/CMakeLists.txt | 2 | ||||
-rw-r--r-- | librabbitmq/amqp_openssl.c | 12 | ||||
-rw-r--r-- | librabbitmq/amqp_openssl_bio.c | 24 | ||||
-rw-r--r-- | librabbitmq/amqp_openssl_bio.h | 8 | ||||
-rw-r--r-- | librabbitmq/amqp_openssl_hostname_validation.c | 183 | ||||
-rw-r--r-- | librabbitmq/amqp_openssl_hostname_validation.h | 58 |
8 files changed, 5 insertions, 288 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index 428b1e5..9752984 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -112,7 +112,7 @@ endif() option(ENABLE_SSL_SUPPORT "Enable SSL support" ON) if (ENABLE_SSL_SUPPORT) - find_package(OpenSSL 0.9.8 REQUIRED) + find_package(OpenSSL 1.1.1 REQUIRED) cmake_push_check_state() set(THREADS_PREFER_PTHREAD_FLAG ON) @@ -37,7 +37,7 @@ API documentation for v0.8.0+ can viewed from: - [CMake v2.6 or better](http://www.cmake.org/) - A C compiler (GCC 4.4+, clang, and MSVC are test. Other compilers may also work) -- *Optionally* [OpenSSL](http://www.openssl.org/) v0.9.8+ to enable support for +- *Optionally* [OpenSSL](http://www.openssl.org/) v1.1.1+ to enable support for connecting to RabbitMQ over SSL/TLS - *Optionally* [POpt](http://freecode.com/projects/popt) to build some handy command-line tools. @@ -74,7 +74,7 @@ Other interesting flags that can be passed to CMake: ON by default. * `BUILD_STATIC_LIBS=ON/OFF` toggles building rabbitmq-c as a static library. OFF by default. -* `BUILD_TESTS=ON/OFF` toggles building test code. ON by default. +* `BUILD_TESTING=ON/OFF` toggles building test code. ON by default. * `BUILD_TOOLS=ON/OFF` toggles building the command line tools. By default this is ON if the build system can find the POpt header and library. * `BUILD_TOOLS_DOCS=ON/OFF` toggles building the man pages for the command line diff --git a/librabbitmq/CMakeLists.txt b/librabbitmq/CMakeLists.txt index 16a5d4e..daecc02 100644 --- a/librabbitmq/CMakeLists.txt +++ b/librabbitmq/CMakeLists.txt @@ -70,8 +70,6 @@ if (ENABLE_SSL_SUPPORT) ${AMQP_SSL_SOCKET_SHIM_PATH} ${AMQP_SSL_SOCKET_H_PATH} amqp_openssl.c - amqp_openssl_hostname_validation.c - amqp_openssl_hostname_validation.h amqp_hostcheck.c amqp_hostcheck.h amqp_openssl_bio.c diff --git a/librabbitmq/amqp_openssl.c b/librabbitmq/amqp_openssl.c index 058d69a..478c1e1 100644 --- a/librabbitmq/amqp_openssl.c +++ b/librabbitmq/amqp_openssl.c @@ -33,7 +33,6 @@ #endif #include "amqp_openssl_bio.h" -#include "amqp_openssl_hostname_validation.h" #include "amqp_private.h" #include "amqp_socket.h" #include "amqp_time.h" @@ -260,7 +259,8 @@ start_connect: goto error_out3; } - if (AMQP_HVR_MATCH_FOUND != amqp_ssl_validate_hostname(host, cert)) { + if (1 != X509_check_host(cert, host, 0, + X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL)) { self->internal_error = 0; status = AMQP_STATUS_SSL_HOSTNAME_VERIFY_FAILED; goto error_out4; @@ -637,14 +637,10 @@ static int setup_openssl(void) { CRYPTO_set_id_callback(ssl_threadid_callback); CRYPTO_set_locking_callback(ssl_locking_callback); -#ifdef AMQP_OPENSSL_V110 if (OPENSSL_init_ssl(0, NULL) <= 0) { status = AMQP_STATUS_SSL_ERROR; goto out; } -#else - OPENSSL_config(NULL); -#endif SSL_library_init(); SSL_load_error_strings(); @@ -758,10 +754,6 @@ int amqp_uninitialize_ssl_library(void) { amqp_openssl_bio_destroy(); openssl_bio_initialized = 0; -#ifndef AMQP_OPENSSL_V110 - ERR_remove_state(0); -#endif - CRYPTO_set_locking_callback(NULL); CRYPTO_set_id_callback(NULL); { diff --git a/librabbitmq/amqp_openssl_bio.c b/librabbitmq/amqp_openssl_bio.c index 3556d6f..9d99602 100644 --- a/librabbitmq/amqp_openssl_bio.c +++ b/librabbitmq/amqp_openssl_bio.c @@ -120,25 +120,11 @@ static int amqp_openssl_bio_read(BIO *b, char *out, int outl) { return res; } - -#ifndef AMQP_OPENSSL_V110 -static int BIO_meth_set_write(BIO_METHOD *biom, - int (*wfn)(BIO *, const char *, int)) { - biom->bwrite = wfn; - return 0; -} - -static int BIO_meth_set_read(BIO_METHOD *biom, int (*rfn)(BIO *, char *, int)) { - biom->bread = rfn; - return 0; -} -#endif /* AQP_OPENSSL_V110 */ #endif /* AMQP_USE_AMQP_BIO */ int amqp_openssl_bio_init(void) { assert(!amqp_ssl_bio_initialized); #ifdef AMQP_USE_AMQP_BIO -#ifdef AMQP_OPENSSL_V110 if (!(amqp_bio_method = BIO_meth_new(BIO_TYPE_SOCKET, "amqp_bio_method"))) { return AMQP_STATUS_NO_MEMORY; } @@ -155,13 +141,7 @@ int amqp_openssl_bio_init(void) { BIO_meth_set_write(amqp_bio_method, BIO_meth_get_write(meth)); BIO_meth_set_gets(amqp_bio_method, BIO_meth_get_gets(meth)); BIO_meth_set_puts(amqp_bio_method, BIO_meth_get_puts(meth)); -#else - if (!(amqp_bio_method = OPENSSL_malloc(sizeof(BIO_METHOD)))) { - return AMQP_STATUS_NO_MEMORY; - } - memcpy(amqp_bio_method, BIO_s_socket(), sizeof(BIO_METHOD)); -#endif BIO_meth_set_write(amqp_bio_method, amqp_openssl_bio_write); BIO_meth_set_read(amqp_bio_method, amqp_openssl_bio_read); #endif @@ -173,11 +153,7 @@ int amqp_openssl_bio_init(void) { void amqp_openssl_bio_destroy(void) { assert(amqp_ssl_bio_initialized); #ifdef AMQP_USE_AMQP_BIO -#ifdef AMQP_OPENSSL_V110 BIO_meth_free(amqp_bio_method); -#else - OPENSSL_free(amqp_bio_method); -#endif amqp_bio_method = NULL; #endif amqp_ssl_bio_initialized = 0; diff --git a/librabbitmq/amqp_openssl_bio.h b/librabbitmq/amqp_openssl_bio.h index ec09c5e..586f655 100644 --- a/librabbitmq/amqp_openssl_bio.h +++ b/librabbitmq/amqp_openssl_bio.h @@ -29,15 +29,7 @@ int amqp_openssl_bio_init(void); void amqp_openssl_bio_destroy(void); -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) -#define AMQP_OPENSSL_V110 -#endif - -#ifdef AMQP_OPENSSL_V110 typedef const BIO_METHOD *BIO_METHOD_PTR; -#else -typedef BIO_METHOD *BIO_METHOD_PTR; -#endif BIO_METHOD_PTR amqp_openssl_bio(void); diff --git a/librabbitmq/amqp_openssl_hostname_validation.c b/librabbitmq/amqp_openssl_hostname_validation.c deleted file mode 100644 index 01cf740..0000000 --- a/librabbitmq/amqp_openssl_hostname_validation.c +++ /dev/null @@ -1,183 +0,0 @@ -/* - * Copyright (C) 2012, iSEC Partners. - * Copyright (C) 2015 Alan Antonuk. - * - * All rights reserved. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. - * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, - * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR - * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE - * USE OR OTHER DEALINGS IN THE SOFTWARE. - * - * Except as contained in this notice, the name of a copyright holder shall - * not be used in advertising or otherwise to promote the sale, use or other - * dealings in this Software without prior written authorization of the - * copyright holder. - */ - -/* Originally from: - * https://github.com/iSECPartners/ssl-conservatory - * https://wiki.openssl.org/index.php/Hostname_validation - */ - -#if defined(_WIN32) -#define WIN32_LEAN_AND_MEAN -#endif - -#include <openssl/ssl.h> -#include <openssl/x509v3.h> - -#include "amqp_hostcheck.h" -#include "amqp_openssl_bio.h" -#include "amqp_openssl_hostname_validation.h" - -#include <string.h> - -#define HOSTNAME_MAX_SIZE 255 - -/** - * Tries to find a match for hostname in the certificate's Common Name field. - * - * Returns AMQP_HVR_MATCH_FOUND if a match was found. - * Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found. - * Returns AMQP_HVR_MALFORMED_CERTIFICATE if the Common Name had a NUL character - * embedded in it. - * Returns AMQP_HVR_ERROR if the Common Name could not be extracted. - */ -static amqp_hostname_validation_result amqp_matches_common_name( - const char *hostname, const X509 *server_cert) { - int common_name_loc = -1; - X509_NAME_ENTRY *common_name_entry = NULL; - ASN1_STRING *common_name_asn1 = NULL; - const char *common_name_str = NULL; - - // Find the position of the CN field in the Subject field of the certificate - common_name_loc = X509_NAME_get_index_by_NID( - X509_get_subject_name((X509 *)server_cert), NID_commonName, -1); - if (common_name_loc < 0) { - return AMQP_HVR_ERROR; - } - - // Extract the CN field - common_name_entry = X509_NAME_get_entry( - X509_get_subject_name((X509 *)server_cert), common_name_loc); - if (common_name_entry == NULL) { - return AMQP_HVR_ERROR; - } - - // Convert the CN field to a C string - common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry); - if (common_name_asn1 == NULL) { - return AMQP_HVR_ERROR; - } - -#ifdef AMQP_OPENSSL_V110 - common_name_str = (const char *)ASN1_STRING_get0_data(common_name_asn1); -#else - common_name_str = (char *)ASN1_STRING_data(common_name_asn1); -#endif - - // Make sure there isn't an embedded NUL character in the CN - if ((size_t)ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) { - return AMQP_HVR_MALFORMED_CERTIFICATE; - } - - // Compare expected hostname with the CN - if (amqp_hostcheck(common_name_str, hostname) == AMQP_HCR_MATCH) { - return AMQP_HVR_MATCH_FOUND; - } else { - return AMQP_HVR_MATCH_NOT_FOUND; - } -} - -/** - * Tries to find a match for hostname in the certificate's Subject Alternative - * Name extension. - * - * Returns AMQP_HVR_MATCH_FOUND if a match was found. - * Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found. - * Returns AMQP_HVR_MALFORMED_CERTIFICATE if any of the hostnames had a NUL - * character embedded in it. - * Returns AMQP_HVR_NO_SAN_PRESENT if the SAN extension was not present in the - * certificate. - */ -static amqp_hostname_validation_result amqp_matches_subject_alternative_name( - const char *hostname, const X509 *server_cert) { - amqp_hostname_validation_result result = AMQP_HVR_MATCH_NOT_FOUND; - int i; - int san_names_nb = -1; - STACK_OF(GENERAL_NAME) *san_names = NULL; - - // Try to extract the names within the SAN extension from the certificate - san_names = - X509_get_ext_d2i((X509 *)server_cert, NID_subject_alt_name, NULL, NULL); - if (san_names == NULL) { - return AMQP_HVR_NO_SAN_PRESENT; - } - san_names_nb = sk_GENERAL_NAME_num(san_names); - - // Check each name within the extension - for (i = 0; i < san_names_nb; i++) { - const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i); - - if (current_name->type == GEN_DNS) { - // Current name is a DNS name, let's check it - const char *dns_name = (const char *) -#ifdef AMQP_OPENSSL_V110 - ASN1_STRING_get0_data(current_name->d.dNSName); -#else - ASN1_STRING_data(current_name->d.dNSName); -#endif - - // Make sure there isn't an embedded NUL character in the DNS name - if ((size_t)ASN1_STRING_length(current_name->d.dNSName) != - strlen(dns_name)) { - result = AMQP_HVR_MALFORMED_CERTIFICATE; - break; - } else { // Compare expected hostname with the DNS name - if (amqp_hostcheck(dns_name, hostname) == AMQP_HCR_MATCH) { - result = AMQP_HVR_MATCH_FOUND; - break; - } - } - } - } - sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free); - - return result; -} - -/** - * Validates the server's identity by looking for the expected hostname in the - * server's certificate. As described in RFC 6125, it first tries to find a - * match in the Subject Alternative Name extension. If the extension is not - * present in the certificate, it checks the Common Name instead. - * - * Returns AMQP_HVR_MATCH_FOUND if a match was found. - * Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found. - * Returns AMQP_HVR_MALFORMED_CERTIFICATE if any of the hostnames had a NUL - * character embedded in it. - * Returns AMQP_HVR_ERROR if there was an error. - */ -amqp_hostname_validation_result amqp_ssl_validate_hostname( - const char *hostname, const X509 *server_cert) { - amqp_hostname_validation_result result; - - if ((hostname == NULL) || (server_cert == NULL)) return AMQP_HVR_ERROR; - - // First try the Subject Alternative Names extension - result = amqp_matches_subject_alternative_name(hostname, server_cert); - if (result == AMQP_HVR_NO_SAN_PRESENT) { - // Extension was not found: try the Common Name - result = amqp_matches_common_name(hostname, server_cert); - } - - return result; -} diff --git a/librabbitmq/amqp_openssl_hostname_validation.h b/librabbitmq/amqp_openssl_hostname_validation.h deleted file mode 100644 index 920c5b3..0000000 --- a/librabbitmq/amqp_openssl_hostname_validation.h +++ /dev/null @@ -1,58 +0,0 @@ -#ifndef librabbitmq_amqp_openssl_hostname_validation_h -#define librabbitmq_amqp_openssl_hostname_validation_h - -/* - * Copyright (C) 2012, iSEC Partners. - * Copyright (C) 2015 Alan Antonuk. - * - * All rights reserved. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. - * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, - * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR - * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE - * USE OR OTHER DEALINGS IN THE SOFTWARE. - * - * Except as contained in this notice, the name of a copyright holder shall - * not be used in advertising or otherwise to promote the sale, use or other - * dealings in this Software without prior written authorization of the - * copyright holder. - */ - -/* Originally from: - * https://github.com/iSECPartners/ssl-conservatory - * https://wiki.openssl.org/index.php/Hostname_validation - */ - -#include <openssl/ossl_typ.h> - -typedef enum { - AMQP_HVR_MATCH_FOUND, - AMQP_HVR_MATCH_NOT_FOUND, - AMQP_HVR_NO_SAN_PRESENT, - AMQP_HVR_MALFORMED_CERTIFICATE, - AMQP_HVR_ERROR -} amqp_hostname_validation_result; - -/** - * Validates the server's identity by looking for the expected hostname in the - * server's certificate. As described in RFC 6125, it first tries to find a - * match in the Subject Alternative Name extension. If the extension is not - * present in the certificate, it checks the Common Name instead. - * - * Returns AMQP_HVR_MATCH_FOUND if a match was found. - * Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found. - * Returns AMQP_HVR_MALFORMED_CERTIFICATE if any of the hostnames had a NUL - * character embedded in it. - * Returns AMQP_HVR_ERROR if there was an error. - */ -amqp_hostname_validation_result amqp_ssl_validate_hostname( - const char *hostname, const X509 *server_cert); - -#endif |