1.0.2 to 1.1 migration problem with verify_callback()

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

1.0.2 to 1.1 migration problem with verify_callback()

Neptune
This post was updated on .
I am in the process of migrating our code from the 1.0.2 library to 1.1 and
have run across a situation that I am struggling to reconcile:

The existing code utilizes the verify_callback() function in order to
perform validation measures against a peer certificate. This callback
performs validation such as checking the certificate against a CRL and doing
wildcard matching. The reason we need to define our own callback and
validation code is because, as I understand it, the built-in OpenSSL
wildcard matching will only process one wildcard field prefix (*.domain.com)
whereas our requirements allow for wildcard patterns beyond just a prefix
(*.domain.com, F*O.BAR.domain.com, FO*.BAR.domain.com etc.).

The problem arises when I attempt to access 'ssl->tlsext_hostname' which is
understood because this structure is now opaque. I believe the accessor
function for this is '__owur const char *SSL_SESSION_get0_hostname(const
SSL_SESSION *s);' in ssl.h. However, within the context of the callback
function I only have two arguments to work with:

int verify_callback(int ok, X509_STORE_CTX *ctx)

This does not provide me with a SSL_SESSION object to pass into the
SSL_SESSION_get0_hostname accessor function, so...

1. Is SSL_SESSION_get0_hostname() the right accessor for this data?
2. If so, how can I call SSL_SESSION_get0_hostname() within
verify_callback() without a SSL_SESSION object?
3. Has the validation code for the 1.1 (and future) branches been changed so
that I would no longer need to define my own validation code? (He asks
hopefully)

Thanks in advance for your help.

Edit: fixed typos in domain examples

--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
Reply | Threaded
Open this post in threaded view
|

Re: 1.0.2 to 1.1 migration problem with verify_callback()

Matt Caswell-2


On 02/08/2019 18:24, Neptune wrote:

> I am in the process of migrating our code from the 1.0.2 library to 1.1 and
> have run across a situation that I am struggling to reconcile:
>
> The existing code utilizes the verify_callback() function in order to
> perform validation measures against a peer certificate. This callback
> performs validation such as checking the certificate against a CRL and doing
> wildcard matching. The reason we need to define our own callback and
> validation code is because, as I understand it, the built-in OpenSSL
> wildcard matching will only process one wildcard field prefix (*.domain.com)
> whereas our requirements allow for wildcard patterns beyond just a prefix
> (FOO.*.domain.com, FOO.B*R.domain.com, etc.).
>
> The problem arises when I attempt to access 'ssl->tlsext_hostname' which is
> understood because this structure is now opaque. I believe the accessor
> function for this is '__owur const char *SSL_SESSION_get0_hostname(const
> SSL_SESSION *s);' in ssl.h. However, within the context of the callback
> function I only have two arguments to work with:
>
> int verify_callback(int ok, X509_STORE_CTX *ctx)
>
> This does not provide me with a SSL_SESSION object to pass into the
> SSL_SESSION_get0_hostname accessor function, so...

From within your callback you can do this to get hold of the SSL object:

SSL *s = (SSL *)X509_STORE_CTX_get_ex_data(ctx,
SSL_get_ex_data_X509_STORE_CTX_idx());

And then this to get hold of the hostname requested:

const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);


Hope that helps,

Matt
Reply | Threaded
Open this post in threaded view
|

Re: 1.0.2 to 1.1 migration problem with verify_callback()

Remy Lebeau

In my verify callback (for 1.0.2, mind you), I use X509_STORE_CTX_get_app_data(ctx) to get the SSL* pointer.  X509_STORE_CTX_get_app_data(ctx) is a macro in OpenSSL's "x509_vfy.h" header file that maps to X509_STORE_CTX_get_ex_data(ctx,0) (why doesn't it use SSL_get_ex_data_X509_STORE_CTX_idx() instead of 0?).


Remy Lebeau
Lebeau Software
On 8/5/2019 7:40 AM, Matt Caswell wrote:
From within your callback you can do this to get hold of the SSL object:

SSL *s = (SSL *)X509_STORE_CTX_get_ex_data(ctx,
SSL_get_ex_data_X509_STORE_CTX_idx());

And then this to get hold of the hostname requested:

const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
Reply | Threaded
Open this post in threaded view
|

Re: 1.0.2 to 1.1 migration problem with verify_callback()

OpenSSL - User mailing list

> (why doesn't it use SSL_get_ex_data_X509_STORE_CTX_idx() instead of 0?).

History; OpenSSL reserved some exdata indices for itself.