mirror of
				https://github.com/asterisk/asterisk.git
				synced 2025-10-26 14:27:14 +00:00 
			
		
		
		
	The verification process will now load a full certificate chain retrieved via the X5U URL instead of loading only the end user cert. * Renamed crypto_load_cert_from_file() and crypto_load_cert_from_memory() to crypto_load_cert_chain_from_file() and crypto_load_cert_chain_from_memory() respectively. * The two load functions now continue to load certs from the file or memory PEMs and store them in a separate stack of untrusted certs specific to the current verification context. * crypto_is_cert_trusted() now uses the stack of untrusted certs that were extracted from the PEM in addition to any untrusted certs that were passed in from the configuration (and any CA certs passed in from the config of course). Resolves: #1272 UserNote: The STIR/SHAKEN verification process will now load a full certificate chain retrieved via the X5U URL instead of loading only the end user cert.
		
			
				
	
	
		
			988 lines
		
	
	
		
			24 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			988 lines
		
	
	
		
			24 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /*
 | |
|  * Asterisk -- An open source telephony toolkit.
 | |
|  *
 | |
|  * Copyright (C) 2023, Sangoma Technologies Corporation
 | |
|  *
 | |
|  * George Joseph <gjoseph@sangoma.com>
 | |
|  *
 | |
|  * See http://www.asterisk.org for more information about
 | |
|  * the Asterisk project. Please do not directly contact
 | |
|  * any of the maintainers of this project for assistance;
 | |
|  * the project provides a web site, mailing lists and IRC
 | |
|  * channels for your use.
 | |
|  *
 | |
|  * This program is free software, distributed under the terms of
 | |
|  * the GNU General Public License Version 2. See the LICENSE file
 | |
|  * at the top of the source tree.
 | |
|  */
 | |
| 
 | |
| #include <sys/stat.h>
 | |
| 
 | |
| #include <openssl/err.h>
 | |
| #include <openssl/ssl.h>
 | |
| #include <openssl/evp.h>
 | |
| #include <openssl/md5.h>
 | |
| #include <openssl/sha.h>
 | |
| #include <openssl/bio.h>
 | |
| #include <openssl/obj_mac.h>
 | |
| #include <openssl/x509.h>
 | |
| #include <openssl/x509v3.h>
 | |
| #include <openssl/x509_vfy.h>
 | |
| 
 | |
| #include "crypto_utils.h"
 | |
| 
 | |
| #include "asterisk.h"
 | |
| #include "asterisk/cli.h"
 | |
| #include "asterisk/file.h"
 | |
| #include "asterisk/logger.h"
 | |
| #include "asterisk/module.h"
 | |
| #include "asterisk/stringfields.h"
 | |
| #include "asterisk/utils.h"
 | |
| #include "asterisk/vector.h"
 | |
| #include "asterisk/cli.h"
 | |
| 
 | |
| void __attribute__((format(printf, 5, 6)))
 | |
| crypto_log_openssl(int level, char *file, int line, const char *function,
 | |
| 	const char *fmt, ...)
 | |
| {
 | |
| 	FILE *fp;
 | |
| 	char *buffer;
 | |
| 	size_t length;
 | |
| 	va_list ap;
 | |
| 	char *tmp_fmt;
 | |
| 
 | |
| 	fp = open_memstream(&buffer, &length);
 | |
| 	if (!fp) {
 | |
| 		return;
 | |
| 	}
 | |
| 
 | |
| 	va_start(ap, fmt);
 | |
| 	if (!ast_strlen_zero(fmt)) {
 | |
| 		size_t fmt_len = strlen(fmt);
 | |
| 		if (fmt[fmt_len - 1] == '\n') {
 | |
| 			tmp_fmt = ast_strdupa(fmt);
 | |
| 			tmp_fmt[fmt_len - 1] = '\0';
 | |
| 			fmt = tmp_fmt;
 | |
| 		}
 | |
| 	}
 | |
| 	vfprintf(fp, fmt, ap);
 | |
| 	fputs(": ", fp);
 | |
| 	ERR_print_errors_fp(fp);
 | |
| 	fclose(fp);
 | |
| 
 | |
| 	if (length) {
 | |
| 		ast_log(level, file, line, function, "%s\n", buffer);
 | |
| 	}
 | |
| 
 | |
| 	ast_std_free(buffer);
 | |
| }
 | |
| 
 | |
| int crypto_register_x509_extension(const char *oid, const char *short_name,
 | |
| 	const char *long_name)
 | |
| {
 | |
| 	int nid = 0;
 | |
| 
 | |
| 	if (ast_strlen_zero(oid) || ast_strlen_zero(short_name) ||
 | |
| 		ast_strlen_zero(long_name)) {
 | |
| 		ast_log(LOG_ERROR, "One or more of oid, short_name or long_name are NULL or empty\n");
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	nid = OBJ_sn2nid(short_name);
 | |
| 	if (nid != NID_undef) {
 | |
| 		ast_log(LOG_NOTICE, "NID %d, object %s already registered\n", nid, short_name);
 | |
| 		return nid;
 | |
| 	}
 | |
| 
 | |
| 	nid = OBJ_create(oid, short_name, long_name);
 | |
| 	if (nid == NID_undef) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Couldn't register %s X509 extension\n", short_name);
 | |
| 		return -1;
 | |
| 	}
 | |
| 	ast_log(LOG_NOTICE, "Registered object %s as NID %d\n", short_name, nid);
 | |
| 
 | |
| 	return nid;
 | |
| }
 | |
| 
 | |
| ASN1_OCTET_STRING *crypto_get_cert_extension_data(X509 *cert,
 | |
| 	int nid, const char *short_name)
 | |
| {
 | |
| 	int ex_idx;
 | |
| 	X509_EXTENSION *ex;
 | |
| 
 | |
| 	if (nid <= 0) {
 | |
| 		nid = OBJ_sn2nid(short_name);
 | |
| 		if (nid == NID_undef) {
 | |
| 			ast_log(LOG_ERROR, "Extension object for %s not found\n", short_name);
 | |
| 			return NULL;
 | |
| 		}
 | |
| 	} else {
 | |
| 		const char *tmp = OBJ_nid2sn(nid);
 | |
| 		if (!tmp) {
 | |
| 			ast_log(LOG_ERROR, "Extension object for NID %d not found\n", nid);
 | |
| 			return NULL;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	ex_idx = X509_get_ext_by_NID(cert, nid, -1);
 | |
| 	if (ex_idx < 0) {
 | |
| 		ast_log(LOG_ERROR, "Extension index not found in certificate\n");
 | |
| 		return NULL;
 | |
| 	}
 | |
| 	ex = X509_get_ext(cert, ex_idx);
 | |
| 	if (!ex) {
 | |
| 		ast_log(LOG_ERROR, "Extension not found in certificate\n");
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	return X509_EXTENSION_get_data(ex);
 | |
| }
 | |
| 
 | |
| EVP_PKEY *crypto_load_privkey_from_file(const char *filename)
 | |
| {
 | |
| 	EVP_PKEY *key = NULL;
 | |
| 	FILE *fp;
 | |
| 
 | |
| 	if (ast_strlen_zero(filename)) {
 | |
| 		ast_log(LOG_ERROR, "filename was null or empty\n");
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	fp = fopen(filename, "r");
 | |
| 	if (!fp) {
 | |
| 		ast_log(LOG_ERROR, "Failed to open %s: %s\n", filename, strerror(errno));
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	key = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
 | |
| 	fclose(fp);
 | |
| 	if (!key) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Failed to load private key from %s\n", filename);
 | |
| 	}
 | |
| 	return key;
 | |
| }
 | |
| 
 | |
| X509_CRL *crypto_load_crl_from_file(const char *filename)
 | |
| {
 | |
| 	FILE *fp;
 | |
| 	X509_CRL *crl = NULL;
 | |
| 
 | |
| 	if (ast_strlen_zero(filename)) {
 | |
| 		ast_log(LOG_ERROR, "filename was null or empty\n");
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	fp = fopen(filename, "r");
 | |
| 	if (!fp) {
 | |
| 		ast_log(LOG_ERROR, "Failed to open %s: %s\n", filename, strerror(errno));
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	crl = PEM_read_X509_CRL(fp, &crl, NULL, NULL);
 | |
| 	fclose(fp);
 | |
| 	if (!crl) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Failed to create CRL from %s\n", filename);
 | |
| 	}
 | |
| 	return crl;
 | |
| }
 | |
| 
 | |
| #define debug_cert_chain(level, cert_chain) \
 | |
| ({ \
 | |
| 	int i; \
 | |
| 	char subj[1024]; \
 | |
| 	if (cert_chain && sk_X509_num(cert_chain) > 0) { \
 | |
| 		for (i = 0; i < sk_X509_num(cert_chain); i++) { \
 | |
| 			X509 *cert = sk_X509_value(cert_chain, i); \
 | |
| 			subj[0] = '\0'; \
 | |
| 			X509_NAME_oneline(X509_get_subject_name(cert), subj, 1024); \
 | |
| 			ast_debug(level, "Chain cert %d: '%s'\n", i, subj); \
 | |
| 		} \
 | |
| 	} \
 | |
| })
 | |
| 
 | |
| X509 *crypto_load_cert_chain_from_file(const char *filename, STACK_OF(X509) **cert_chain)
 | |
| {
 | |
| 	FILE *fp;
 | |
| 	X509 *end_cert = NULL;
 | |
| 
 | |
| 	if (ast_strlen_zero(filename)) {
 | |
| 		ast_log(LOG_ERROR, "filename was null or empty\n");
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	fp = fopen(filename, "r");
 | |
| 	if (!fp) {
 | |
| 		ast_log(LOG_ERROR, "Failed to open %s: %s\n", filename, strerror(errno));
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	end_cert = PEM_read_X509(fp, &end_cert, NULL, NULL);
 | |
| 	if (!end_cert) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Failed to create end_cert from %s\n", filename);
 | |
| 		fclose(fp);
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	/*
 | |
| 	 * If the caller provided a stack, we will read the chain certs
 | |
| 	 * (if any) into it.
 | |
| 	 */
 | |
| 	if (cert_chain) {
 | |
| 		X509 *chain_cert = NULL;
 | |
| 
 | |
| 		*cert_chain = sk_X509_new_null();
 | |
| 		while ((chain_cert = PEM_read_X509(fp, &chain_cert, NULL, NULL)) != NULL) {
 | |
| 			if (sk_X509_push(*cert_chain, chain_cert) <= 0) {
 | |
| 				crypto_log_openssl(LOG_ERROR, "Failed to add chain cert from %s to list\n",
 | |
| 					filename);
 | |
| 				fclose(fp);
 | |
| 				X509_free(end_cert);
 | |
| 				sk_X509_pop_free(*cert_chain, X509_free);
 | |
| 				return NULL;
 | |
| 			}
 | |
| 			/* chain_cert needs to be reset to NULL after every call to PEM_read_X509 */
 | |
| 			chain_cert = NULL;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if (DEBUG_ATLEAST(4)) {
 | |
| 		char subj[1024];
 | |
| 
 | |
| 		X509_NAME_oneline(X509_get_subject_name(end_cert), subj, 1024);
 | |
| 		ast_debug(4, "Opened end cert '%s' from '%s'\n", subj, filename);
 | |
| 
 | |
| 		if (cert_chain && *cert_chain) {
 | |
| 			debug_cert_chain(4, *cert_chain);
 | |
| 		} else {
 | |
| 			ast_debug(4, "No chain certs found in '%s'\n", filename);
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	fclose(fp);
 | |
| 
 | |
| 	return end_cert;
 | |
| }
 | |
| 
 | |
| X509 *crypto_load_cert_chain_from_memory(const char *buffer, size_t size,
 | |
| 	STACK_OF(X509) **cert_chain)
 | |
| {
 | |
| 	RAII_VAR(BIO *, bio, NULL, BIO_free_all);
 | |
| 	X509 *end_cert = NULL;
 | |
| 
 | |
| 	if (ast_strlen_zero(buffer) || size <= 0) {
 | |
| 		ast_log(LOG_ERROR, "buffer was null or empty\n");
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	bio = BIO_new_mem_buf(buffer, size);
 | |
| 	if (!bio) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Unable to create memory BIO\n");
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	end_cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
 | |
| 	if (!end_cert) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Failed to create end_cert from BIO\n");
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	/*
 | |
| 	 * If the caller provided a stack, we will read the chain certs
 | |
| 	 * (if any) into it.
 | |
| 	 */
 | |
| 	if (cert_chain) {
 | |
| 		X509 *chain_cert = NULL;
 | |
| 
 | |
| 		*cert_chain = sk_X509_new_null();
 | |
| 		while ((chain_cert = PEM_read_bio_X509(bio, &chain_cert, NULL, NULL)) != NULL) {
 | |
| 			if (sk_X509_push(*cert_chain, chain_cert) <= 0) {
 | |
| 				crypto_log_openssl(LOG_ERROR, "Failed to add chain cert from BIO to list\n");
 | |
| 				X509_free(end_cert);
 | |
| 				sk_X509_pop_free(*cert_chain, X509_free);
 | |
| 				return NULL;
 | |
| 			}
 | |
| 			/* chain_cert needs to be reset to NULL after every call to PEM_read_X509 */
 | |
| 			chain_cert = NULL;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if (DEBUG_ATLEAST(4)) {
 | |
| 		char subj[1024];
 | |
| 
 | |
| 		X509_NAME_oneline(X509_get_subject_name(end_cert), subj, 1024);
 | |
| 		ast_debug(4, "Opened end cert '%s' from BIO\n", subj);
 | |
| 
 | |
| 		if (cert_chain && *cert_chain) {
 | |
| 			debug_cert_chain(4, *cert_chain);
 | |
| 		} else {
 | |
| 			ast_debug(4, "No chain certs found in BIO\n");
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return end_cert;
 | |
| }
 | |
| 
 | |
| static EVP_PKEY *load_private_key_from_memory(const char *buffer, size_t size)
 | |
| {
 | |
| 	RAII_VAR(BIO *, bio, NULL, BIO_free_all);
 | |
| 	EVP_PKEY *key = NULL;
 | |
| 
 | |
| 	if (ast_strlen_zero(buffer) || size <= 0) {
 | |
| 		ast_log(LOG_ERROR, "buffer was null or empty\n");
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	bio = BIO_new_mem_buf(buffer, size);
 | |
| 	if (!bio) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Unable to create memory BIO\n");
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
 | |
| 
 | |
| 	return key;
 | |
| }
 | |
| 
 | |
| EVP_PKEY *crypto_load_private_key_from_memory(const char *buffer, size_t size)
 | |
| {
 | |
| 	EVP_PKEY *key = load_private_key_from_memory(buffer, size);
 | |
| 	if (!key) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Unable to load private key from memory\n");
 | |
| 	}
 | |
| 	return key;
 | |
| }
 | |
| 
 | |
| int crypto_has_private_key_from_memory(const char *buffer, size_t size)
 | |
| {
 | |
| 	RAII_VAR(EVP_PKEY *, key, load_private_key_from_memory(buffer, size), EVP_PKEY_free);
 | |
| 
 | |
| 	return key ? 1 : 0;
 | |
| }
 | |
| 
 | |
| static int dump_mem_bio(BIO *bio, unsigned char **buffer)
 | |
| {
 | |
| 	char *temp_ptr;
 | |
| 	int raw_key_len;
 | |
| 
 | |
| 	raw_key_len = BIO_get_mem_data(bio, &temp_ptr);
 | |
| 	if (raw_key_len <= 0) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Unable to extract raw public key\n");
 | |
| 		return -1;
 | |
| 	}
 | |
| 	*buffer = ast_malloc(raw_key_len);
 | |
| 	if (!*buffer) {
 | |
| 		ast_log(LOG_ERROR, "Unable to allocate memory for raw public key\n");
 | |
| 		return -1;
 | |
| 	}
 | |
| 	memcpy(*buffer, temp_ptr, raw_key_len);
 | |
| 
 | |
| 	return raw_key_len;
 | |
| }
 | |
| 
 | |
| int crypto_extract_raw_pubkey(EVP_PKEY *key, unsigned char **buffer)
 | |
| {
 | |
| 	RAII_VAR(BIO *, bio, NULL, BIO_free_all);
 | |
| 
 | |
| 	bio = BIO_new(BIO_s_mem());
 | |
| 
 | |
| 	if (!bio || (PEM_write_bio_PUBKEY(bio, key) <= 0)) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Unable to write pubkey to BIO\n");
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	return dump_mem_bio(bio, buffer);
 | |
| }
 | |
| 
 | |
| int crypto_get_raw_pubkey_from_cert(X509 *cert,
 | |
| 	unsigned char **buffer)
 | |
| {
 | |
| 	RAII_VAR(EVP_PKEY *, public_key, X509_get_pubkey(cert), EVP_PKEY_free);
 | |
| 
 | |
| 	if (!public_key) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Unable to retrieve pubkey from cert\n");
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	return crypto_extract_raw_pubkey(public_key, buffer);
 | |
| }
 | |
| 
 | |
| int crypto_extract_raw_privkey(EVP_PKEY *key, unsigned char **buffer)
 | |
| {
 | |
| 	RAII_VAR(BIO *, bio, NULL, BIO_free_all);
 | |
| 
 | |
| 	bio = BIO_new(BIO_s_mem());
 | |
| 
 | |
| 	if (!bio || (PEM_write_bio_PrivateKey(bio, key, NULL, NULL, 0, NULL, NULL) <= 0)) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Unable to write privkey to BIO\n");
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	return dump_mem_bio(bio, buffer);
 | |
| }
 | |
| 
 | |
| /*
 | |
|  * Notes on the crypto_cert_store object:
 | |
|  *
 | |
|  * We've discoverd a few issues with the X509_STORE object in OpenSSL
 | |
|  * that requires us to a bit more work to get the desired behavior.
 | |
|  *
 | |
|  * Basically, although X509_STORE_load_locations() and X509_STORE_load_path()
 | |
|  * work file for trusted certs, they refuse to load either CRLs or
 | |
|  * untrusted certs from directories, which is needed to support the
 | |
|  * crl_path and untrusted_cert_path options.  So we have to brute force
 | |
|  * it a bit.  We now use PEM_read_X509() and PEM_read_X509_CRL() to load
 | |
|  * the objects from files and then use X509_STORE_add_cert() and
 | |
|  * X509_STORE_add_crl() to add them to the store.  This is a bit more
 | |
|  * work but it gets the job done.  To load from directories, we
 | |
|  * simply use ast_file_read_dirs() with a callback that calls
 | |
|  * those functions.  This also fixes an issue where certificates
 | |
|  * loaded using ca_path don't show up when displaying the
 | |
|  * verification or profile objects from the CLI.
 | |
|  *
 | |
|  * NOTE: X509_STORE_load_file() could have been used instead of
 | |
|  * PEM_read_X509()/PEM_read_X509_CRL() and
 | |
|  * X509_STORE_add_cert()/X509_STORE_add_crl() but X509_STORE_load_file()
 | |
|  * didn't appear in OpenSSL until version 1.1.1. :(
 | |
|  *
 | |
|  * Another issue we have is that, while X509_verify_cert() can use
 | |
|  * an X509_STORE of CA certificates directly, it can't use X509_STOREs
 | |
|  * of untrusted certs or CRLs.  Instead, it needs a stack of X509
 | |
|  * objects for untrusted certs and a stack of X509_CRL objects for CRLs.
 | |
|  * So we need to extract the untrusted certs and CRLs from their
 | |
|  * stores and push them onto the stacks when the configuration is
 | |
|  * loaded.  We still use the stores as intermediaries because they
 | |
|  * make it easy to load the certs and CRLs from files and directories
 | |
|  * and they handle freeing the objects when the store is freed.
 | |
|  */
 | |
| 
 | |
| static void crypto_cert_store_destructor(void *obj)
 | |
| {
 | |
| 	struct crypto_cert_store *store = obj;
 | |
| 
 | |
| 	if (store->certs) {
 | |
| 		X509_STORE_free(store->certs);
 | |
| 	}
 | |
| 	if (store->untrusted) {
 | |
| 		X509_STORE_free(store->untrusted);
 | |
| 	}
 | |
| 	if (store->untrusted_stack) {
 | |
| 		sk_X509_free(store->untrusted_stack);
 | |
| 	}
 | |
| 	if (store->crls) {
 | |
| 		X509_STORE_free(store->crls);
 | |
| 	}
 | |
| 	if (store->crl_stack) {
 | |
| 		sk_X509_CRL_free(store->crl_stack);
 | |
| 	}
 | |
| }
 | |
| 
 | |
| struct crypto_cert_store *crypto_create_cert_store(void)
 | |
| {
 | |
| 	struct crypto_cert_store *store = ao2_alloc(sizeof(*store), crypto_cert_store_destructor);
 | |
| 	if (!store) {
 | |
| 		ast_log(LOG_ERROR, "Failed to create crypto_cert_store\n");
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	store->certs = X509_STORE_new();
 | |
| 	if (!store->certs) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Failed to create X509_STORE\n");
 | |
| 		ao2_ref(store, -1);
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	store->untrusted = X509_STORE_new();
 | |
| 	if (!store->untrusted) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Failed to create untrusted X509_STORE\n");
 | |
| 		ao2_ref(store, -1);
 | |
| 		return NULL;
 | |
| 	}
 | |
| 	store->untrusted_stack = sk_X509_new_null();
 | |
| 	if (!store->untrusted_stack) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Failed to create untrusted stack\n");
 | |
| 		ao2_ref(store, -1);
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	store->crls = X509_STORE_new();
 | |
| 	if (!store->crls) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Failed to create CRL X509_STORE\n");
 | |
| 		ao2_ref(store, -1);
 | |
| 		return NULL;
 | |
| 	}
 | |
| 	store->crl_stack = sk_X509_CRL_new_null();
 | |
| 	if (!store->crl_stack) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Failed to create CRL stack\n");
 | |
| 		ao2_ref(store, -1);
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	return store;
 | |
| }
 | |
| 
 | |
| static int crypto_load_store_from_cert_file(X509_STORE *store, const char *file)
 | |
| {
 | |
| 	X509 *cert;
 | |
| 	int rc = 0;
 | |
| 
 | |
| 	if (ast_strlen_zero(file)) {
 | |
| 		ast_log(LOG_ERROR, "file was null or empty\n");
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	cert = crypto_load_cert_chain_from_file(file, NULL);
 | |
| 	if (!cert) {
 | |
| 		return -1;
 | |
| 	}
 | |
| 	rc = X509_STORE_add_cert(store, cert);
 | |
| 	X509_free(cert);
 | |
| 	if (!rc) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Failed to load store from file '%s'\n", file);
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| static int crypto_load_store_from_crl_file(X509_STORE *store, const char *file)
 | |
| {
 | |
| 	X509_CRL *crl;
 | |
| 	int rc = 0;
 | |
| 
 | |
| 	if (ast_strlen_zero(file)) {
 | |
| 		ast_log(LOG_ERROR, "file was null or empty\n");
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	crl = crypto_load_crl_from_file(file);
 | |
| 	if (!crl) {
 | |
| 		return -1;
 | |
| 	}
 | |
| 	rc = X509_STORE_add_crl(store, crl);
 | |
| 	X509_CRL_free(crl);
 | |
| 	if (!rc) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Failed to load store from file '%s'\n", file);
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| struct pem_file_cb_data {
 | |
| 	X509_STORE *store;
 | |
| 	int is_crl;
 | |
| };
 | |
| 
 | |
| static int pem_file_cb(const char *dir_name, const char *filename, void *obj)
 | |
| {
 | |
| 	struct pem_file_cb_data* data = obj;
 | |
| 	char *filename_merged = NULL;
 | |
| 	struct stat statbuf;
 | |
| 	int rc = 0;
 | |
| 
 | |
| 	if (ast_asprintf(&filename_merged, "%s/%s", dir_name, filename) < 0) {
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	if (lstat(filename_merged, &statbuf)) {
 | |
| 		printf("Error reading path stats - %s: %s\n",
 | |
| 					filename_merged, strerror(errno));
 | |
| 		ast_free(filename_merged);
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	/* We only want the symlinks from the directory */
 | |
| 	if (!S_ISLNK(statbuf.st_mode)) {
 | |
| 		ast_free(filename_merged);
 | |
| 		return 0;
 | |
| 	}
 | |
| 
 | |
| 	if (data->is_crl) {
 | |
| 		rc = crypto_load_store_from_crl_file(data->store, filename_merged);
 | |
| 	} else {
 | |
| 		rc = crypto_load_store_from_cert_file(data->store, filename_merged);
 | |
| 	}
 | |
| 
 | |
| 	ast_free(filename_merged);
 | |
| 	return rc;
 | |
| }
 | |
| 
 | |
| static int _crypto_load_cert_store(X509_STORE *store, const char *file, const char *path)
 | |
| {
 | |
| 	int rc = 0;
 | |
| 
 | |
| 	if (!ast_strlen_zero(file)) {
 | |
| 		rc = crypto_load_store_from_cert_file(store, file);
 | |
| 		if (rc != 0) {
 | |
| 			return -1;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if (!ast_strlen_zero(path)) {
 | |
| 		struct pem_file_cb_data data = { .store = store, .is_crl = 0 };
 | |
| 		if (ast_file_read_dirs(path, pem_file_cb, &data, 0)) {
 | |
| 			return -1;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| static int _crypto_load_crl_store(X509_STORE *store, const char *file, const char *path)
 | |
| {
 | |
| 	int rc = 0;
 | |
| 
 | |
| 	if (!ast_strlen_zero(file)) {
 | |
| 		rc = crypto_load_store_from_crl_file(store, file);
 | |
| 		if (rc != 0) {
 | |
| 			return -1;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if (!ast_strlen_zero(path)) {
 | |
| 		struct pem_file_cb_data data = { .store = store, .is_crl = 1 };
 | |
| 		if (ast_file_read_dirs(path, pem_file_cb, &data, 0)) {
 | |
| 			return -1;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| int crypto_load_cert_store(struct crypto_cert_store *store, const char *file,
 | |
| 	const char *path)
 | |
| {
 | |
| 	if (ast_strlen_zero(file) && ast_strlen_zero(path)) {
 | |
| 		ast_log(LOG_ERROR, "Both file and path can't be NULL\n");
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	if (!store || !store->certs) {
 | |
| 		ast_log(LOG_ERROR, "store or store->certs is NULL\n");
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	return _crypto_load_cert_store(store->certs, file, path);
 | |
| }
 | |
| 
 | |
| int crypto_load_untrusted_cert_store(struct crypto_cert_store *store, const char *file,
 | |
| 	const char *path)
 | |
| {
 | |
| 	int rc = 0;
 | |
| 	STACK_OF(X509_OBJECT) *objs = NULL;
 | |
| 	int count = 0;
 | |
| 	int i = 0;
 | |
| 
 | |
| 	if (ast_strlen_zero(file) && ast_strlen_zero(path)) {
 | |
| 		ast_log(LOG_ERROR, "Both file and path can't be NULL\n");
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	if (!store || !store->untrusted || !store->untrusted_stack) {
 | |
| 		ast_log(LOG_ERROR, "store wasn't initialized properly\n");
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	rc = _crypto_load_cert_store(store->untrusted, file, path);
 | |
| 	if (rc != 0) {
 | |
| 		return rc;
 | |
| 	}
 | |
| 
 | |
| 	/*
 | |
| 	 * We need to extract the certs from the store and push them onto the
 | |
| 	 * untrusted stack.  This is because the verification context needs
 | |
| 	 * a stack of untrusted certs and not the store.
 | |
| 	 * The store holds the references to the certs so we can't
 | |
| 	 * free it.
 | |
| 	 */
 | |
| 	objs = X509_STORE_get0_objects(store->untrusted);
 | |
| 	count = sk_X509_OBJECT_num(objs);
 | |
| 	for (i = 0; i < count ; i++) {
 | |
| 		X509_OBJECT *o = sk_X509_OBJECT_value(objs, i);
 | |
| 		if (X509_OBJECT_get_type(o) == X509_LU_X509) {
 | |
| 			X509 *c = X509_OBJECT_get0_X509(o);
 | |
| 			sk_X509_push(store->untrusted_stack, c);
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| int crypto_load_crl_store(struct crypto_cert_store *store, const char *file,
 | |
| 	const char *path)
 | |
| {
 | |
| 	int rc = 0;
 | |
| 	STACK_OF(X509_OBJECT) *objs = NULL;
 | |
| 	int count = 0;
 | |
| 	int i = 0;
 | |
| 
 | |
| 	if (ast_strlen_zero(file) && ast_strlen_zero(path)) {
 | |
| 		ast_log(LOG_ERROR, "Both file and path can't be NULL\n");
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	if (!store || !store->untrusted || !store->untrusted_stack) {
 | |
| 		ast_log(LOG_ERROR, "store wasn't initialized properly\n");
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	rc = _crypto_load_crl_store(store->crls, file, path);
 | |
| 	if (rc != 0) {
 | |
| 		return rc;
 | |
| 	}
 | |
| 
 | |
| 	/*
 | |
| 	 * We need to extract the CRLs from the store and push them onto the
 | |
| 	 * crl stack.  This is because the verification context needs
 | |
| 	 * a stack of CRLs and not the store.
 | |
| 	 * The store holds the references to the CRLs so we can't
 | |
| 	 * free it.
 | |
| 	 */
 | |
| 	objs = X509_STORE_get0_objects(store->crls);
 | |
| 	count = sk_X509_OBJECT_num(objs);
 | |
| 	for (i = 0; i < count ; i++) {
 | |
| 		X509_OBJECT *o = sk_X509_OBJECT_value(objs, i);
 | |
| 		if (X509_OBJECT_get_type(o) == X509_LU_CRL) {
 | |
| 			X509_CRL *c = X509_OBJECT_get0_X509_CRL(o);
 | |
| 			sk_X509_CRL_push(store->crl_stack, c);
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| int crypto_show_cli_store(struct crypto_cert_store *store, int fd)
 | |
| {
 | |
| #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
 | |
| 	STACK_OF(X509_OBJECT) *objs = NULL;
 | |
| 	int count = 0;
 | |
| 	int untrusted_count = 0;
 | |
| 	int crl_count = 0;
 | |
| 	int i = 0;
 | |
| 	char subj[1024];
 | |
| 
 | |
| 	/*
 | |
| 	 * The CA certificates are stored in the certs store.
 | |
| 	 */
 | |
| 	objs = X509_STORE_get0_objects(store->certs);
 | |
| 	count = sk_X509_OBJECT_num(objs);
 | |
| 
 | |
| 	for (i = 0; i < count ; i++) {
 | |
| 		X509_OBJECT *o = sk_X509_OBJECT_value(objs, i);
 | |
| 		if (X509_OBJECT_get_type(o) == X509_LU_X509) {
 | |
| 			X509 *c = X509_OBJECT_get0_X509(o);
 | |
| 			X509_NAME_oneline(X509_get_subject_name(c), subj, 1024);
 | |
| 			ast_cli(fd, "Cert: %s\n", subj);
 | |
| 		} else {
 | |
| 			ast_log(LOG_ERROR, "CRLs are not allowed in the CA cert store\n");
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	/*
 | |
| 	 * Although the untrusted certs are stored in the untrusted store,
 | |
| 	 * we already have the stack of certificates so we can just
 | |
| 	 * list them directly.
 | |
| 	 */
 | |
| 	untrusted_count = sk_X509_num(store->untrusted_stack);
 | |
| 	for (i = 0; i < untrusted_count ; i++) {
 | |
| 		X509 *c = sk_X509_value(store->untrusted_stack, i);
 | |
| 		X509_NAME_oneline(X509_get_subject_name(c), subj, 1024);
 | |
| 		ast_cli(fd, "Untrusted: %s\n", subj);
 | |
| 	}
 | |
| 
 | |
| 	/*
 | |
| 	 * Same for the CRLs.
 | |
| 	 */
 | |
| 	crl_count = sk_X509_CRL_num(store->crl_stack);
 | |
| 	for (i = 0; i < crl_count ; i++) {
 | |
| 		X509_CRL *crl = sk_X509_CRL_value(store->crl_stack, i);
 | |
| 		X509_NAME_oneline(X509_CRL_get_issuer(crl), subj, 1024);
 | |
| 		ast_cli(fd, "CRL: %s\n", subj);
 | |
| 	}
 | |
| 
 | |
| 	return count + untrusted_count + crl_count;
 | |
| #else
 | |
| 	ast_cli(fd, "This command is not supported until OpenSSL 1.1.0\n");
 | |
| 	return 0;
 | |
| #endif
 | |
| }
 | |
| 
 | |
| int crypto_is_cert_time_valid(X509*cert, time_t reftime)
 | |
| {
 | |
| 	ASN1_STRING *notbefore;
 | |
| 	ASN1_STRING *notafter;
 | |
| 
 | |
| 	if (!reftime) {
 | |
| 		reftime = time(NULL);
 | |
| 	}
 | |
| 	notbefore = X509_get_notBefore(cert);
 | |
| 	notafter = X509_get_notAfter(cert);
 | |
| 	if (!notbefore || !notafter) {
 | |
| 		ast_log(LOG_ERROR, "Either notbefore or notafter were not present in the cert\n");
 | |
| 		return 0;
 | |
| 	}
 | |
| 
 | |
| 	return (X509_cmp_time(notbefore, &reftime) < 0 &&
 | |
| 		X509_cmp_time(notafter, &reftime) > 0);
 | |
| }
 | |
| 
 | |
| int crypto_is_cert_trusted(struct crypto_cert_store *store, X509 *cert,
 | |
| 	STACK_OF(X509) *cert_chain, const char **err_msg)
 | |
| {
 | |
| 	X509_STORE_CTX *verify_ctx = NULL;
 | |
| 	RAII_VAR(STACK_OF(X509) *, untrusted_stack, NULL, sk_X509_free);
 | |
| 	int rc = 0;
 | |
| 
 | |
| 	if (!(verify_ctx = X509_STORE_CTX_new())) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Unable to create verify_ctx\n");
 | |
| 		return 0;
 | |
| 	}
 | |
| 
 | |
| 	if (cert_chain && sk_X509_num(cert_chain) > 0) {
 | |
| 		int untrusted_count = store->untrusted_stack ? sk_X509_num(store->untrusted_stack) : 0;
 | |
| 		int i = 0;
 | |
| 
 | |
| 		untrusted_stack = sk_X509_dup(cert_chain);
 | |
| 		if (!untrusted_stack) {
 | |
| 			crypto_log_openssl(LOG_ERROR, "Unable to duplicate untrusted stack\n");
 | |
| 			X509_STORE_CTX_free(verify_ctx);
 | |
| 			return 0;
 | |
| 		}
 | |
| 		/*
 | |
| 		 * If store->untrusted_stack was NULL for some reason then
 | |
| 		 * untrusted_count will be 0 so the loop will never run.
 | |
| 		 */
 | |
| 		for (i = 0; i < untrusted_count; i++) {
 | |
| 			X509 *c = sk_X509_value(store->untrusted_stack, i);
 | |
| 			if (sk_X509_push(untrusted_stack, c) <= 0) {
 | |
| 				crypto_log_openssl(LOG_ERROR, "Unable to push untrusted cert onto stack\n");
 | |
| 				sk_X509_free(untrusted_stack);
 | |
| 				X509_STORE_CTX_free(verify_ctx);
 | |
| 				return 0;
 | |
| 			}
 | |
| 		}
 | |
| 	/*
 | |
| 	 * store->untrusted_stack should always be allocated even if empty
 | |
| 	 * but we'll make sure.
 | |
| 	 */
 | |
| 	} else if (store->untrusted_stack){
 | |
| 		/* This is a dead simple shallow clone */
 | |
| 		ast_debug(4, "cert_chain had no certs\n");
 | |
| 		untrusted_stack = sk_X509_dup(store->untrusted_stack);
 | |
| 		if (!untrusted_stack) {
 | |
| 			crypto_log_openssl(LOG_ERROR, "Unable to duplicate untrusted stack\n");
 | |
| 			X509_STORE_CTX_free(verify_ctx);
 | |
| 			return 0;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if (X509_STORE_CTX_init(verify_ctx, store->certs, cert, untrusted_stack) != 1) {
 | |
| 		X509_STORE_CTX_cleanup(verify_ctx);
 | |
| 		X509_STORE_CTX_free(verify_ctx);
 | |
| 		crypto_log_openssl(LOG_ERROR, "Unable to initialize verify_ctx\n");
 | |
| 		return 0;
 | |
| 	}
 | |
| 	X509_STORE_CTX_set0_crls(verify_ctx, store->crl_stack);
 | |
| 
 | |
| 	rc = X509_verify_cert(verify_ctx);
 | |
| 	if (rc != 1 && err_msg != NULL) {
 | |
| 		int err = X509_STORE_CTX_get_error(verify_ctx);
 | |
| 		*err_msg = X509_verify_cert_error_string(err);
 | |
| 	}
 | |
| 
 | |
| 	X509_STORE_CTX_cleanup(verify_ctx);
 | |
| 	X509_STORE_CTX_free(verify_ctx);
 | |
| 
 | |
| 	return rc;
 | |
| }
 | |
| 
 | |
| #define SECS_PER_DAY 86400
 | |
| time_t crypto_asn_time_as_time_t(ASN1_TIME *at)
 | |
| {
 | |
| 	int pday;
 | |
| 	int psec;
 | |
| 	time_t rt = time(NULL);
 | |
| 
 | |
| 	if (!ASN1_TIME_diff(&pday, &psec, NULL, at)) {
 | |
| 		crypto_log_openssl(LOG_ERROR, "Unable to calculate time diff\n");
 | |
| 		return 0;
 | |
| 	}
 | |
| 
 | |
| 	rt += ((pday * SECS_PER_DAY) + psec);
 | |
| 
 | |
| 	return rt;
 | |
| }
 | |
| #undef SECS_PER_DAY
 | |
| 
 | |
| char *crypto_get_cert_subject(X509 *cert, const char *short_name)
 | |
| {
 | |
| 	size_t len = 0;
 | |
| 	RAII_VAR(char *, buffer, NULL, ast_std_free);
 | |
| 	char *search_buff = NULL;
 | |
| 	char *search = NULL;
 | |
| 	size_t search_len = 0;
 | |
| 	char *rtn = NULL;
 | |
| 	char *line = NULL;
 | |
| 	/*
 | |
| 	 * If short_name was supplied, we want a multiline subject
 | |
| 	 * with each component on a separate line.  This makes it easier
 | |
| 	 * to iterate over the components to find the one we want.
 | |
| 	 * Otherwise, we just want the whole subject on one line.
 | |
| 	 */
 | |
| 	unsigned long flags =
 | |
| 		short_name ? XN_FLAG_FN_SN | XN_FLAG_SEP_MULTILINE : XN_FLAG_ONELINE;
 | |
| 	FILE *fp = open_memstream(&buffer, &len);
 | |
| 	BIO *bio = fp ? BIO_new_fp(fp, BIO_CLOSE) : NULL;
 | |
| 	X509_NAME *subject = X509_get_subject_name(cert);
 | |
| 	int rc = 0;
 | |
| 
 | |
| 	if (!fp || !bio || !subject) {
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	rc = X509_NAME_print_ex(bio, subject, 0, flags);
 | |
| 	BIO_free(bio);
 | |
| 	if (rc < 0) {
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	if (!short_name) {
 | |
| 		rtn = ast_malloc(len + 1);
 | |
| 		if (rtn) {
 | |
| 			strcpy(rtn, buffer); /* Safe */
 | |
| 		}
 | |
| 		return rtn;
 | |
| 	}
 | |
| 
 | |
| 	search_len = strlen(short_name) + 1;
 | |
| 	rc = ast_asprintf(&search, "%s=", short_name);
 | |
| 	if (rc != search_len) {
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	search_buff = buffer;
 | |
| 	while((line = ast_read_line_from_buffer(&search_buff))) {
 | |
| 		if (ast_begins_with(line, search)) {
 | |
| 			rtn = ast_malloc(strlen(line) - search_len + 1);
 | |
| 			if (rtn) {
 | |
| 				strcpy(rtn, line + search_len); /* Safe */
 | |
| 			}
 | |
| 			break;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	ast_std_free(search);
 | |
| 	return rtn;
 | |
| }
 | |
| 
 | |
| int crypto_load(void)
 | |
| {
 | |
| 	return AST_MODULE_LOAD_SUCCESS;
 | |
| }
 | |
| 
 | |
| int crypto_unload(void)
 | |
| {
 | |
| 	return 0;
 | |
| }
 | |
| 
 |