include SAN in TL certification verification #1421

Author: phoddie

modules/crypt/etc/ber.js

@@ -45,7 +45,10 @@ export default class BER {
 		else if (buffer instanceof Uint8Array)
 			this.#a = buffer;
 		else
-			this.#a = new Uint8Array(new ArrayBuffer(0, {maxByteLength: 0x10000000}));
+			this.#a = new Uint8Array(new ArrayBuffer(0, {maxByteLength: 16896}));
+	}
+	get readable() {
+		return this.#a.byteLength - this.#i;
 	}
 	getTag() {
 		return this.#a[this.#i++];
@@ -73,7 +76,7 @@ export default class BER {
 	}
 	next() {
 		const i = this.#i;
-		this.getTag();
+		this.skip(1);
 		this.skip(this.getLength());
 		return this.#a.subarray(i, this.#i)
 	}
@@ -432,8 +435,8 @@ export default class BER {
 		case 0x16:	// IA5 string
 			res = String.fromArrayBuffer(b.getChunk(len).slice().buffer);
 			break;
-		case 0x17:	// ITC time
 /*
+		case 0x17:	// ITC time
 		case 0x18: {// generalized time
 			let s = String.fromArrayBuffer(b.getChunk(len));
 			let prefix = ""

modules/crypt/etc/x509.js

@@ -81,7 +81,7 @@ const X509 = {
 		return tbs;
 	},
 	getSPK(spki) {		// Subject Public Key Info
-		spki = this._decodeSPKI(spki);
+		spki = decodeSPKI(spki);
 		if (!spki)
 			throw new Error("x509: no SPKI");
 		spki = new BER(spki);
@@ -175,17 +175,34 @@ const X509 = {
 			let len = ber.getLength();
 			let endp = ber.i + len;
 			while (ber.i < endp) {
-				if ((ber.getTag() & 0x1f) == 0) {
-					len = ber.getLength();
-					return ber.getChunk(len);
-				}
+				if ((ber.getTag() & 0x1f) == 0)
+					return ber.getChunk(ber.getLength());
 				ber.skip(ber.getLength());
 			}
 		}
 	},
-	_decodeSPKI(buf) @ "xs_x509_decodeSPKI",
+	decodeSAN(buf) {
+		let b = this.decodeExtension(buf, [2, 5, 29, 17]);	// Subject Alternative Name
+		if (!b) return;
+
+		b = new BER((new BER(b)).getSequence());
+
+		const names = [];
+		while (b.readable) {
+			const tag = b.getTag() & 0x7F;
+			let value = b.getChunk(b.getLength()).slice().buffer;
+			if ((2 === tag) || (1 === tag) || (6 === tag))		// IA5String: dNSName, rfc822Name, uniformResourceIdentifier
+				value = String.fromArrayBuffer(value); 
+			names.push({tag, value});
+		}
+		
+		return names;
+	},
 	decodeExtension(buf, extid) @ "xs_x509_decodeExtension",
 };
+
+function decodeSPKI(buf) @ "xs_x509_decodeSPKI";
+
 Object.freeze(X509);
 
 function parseDate(date) {

modules/crypt/ssl/ssl_cert.js

@@ -111,7 +111,7 @@ class CertificateManager {
 
 		return X509.decodeSPKI(data);
 	}
-	verify(certs) {
+	verify(certs, options) {
 		if (!this.#verify)
 			return true;
 
@@ -121,6 +121,41 @@ class CertificateManager {
 		// this approach calls decodeSPKI once more than necessary in favor of minimizing memory use
 		for (let i = 0; i < length; i++) {
 			x509 = X509.decode(certs[i]);
+			const names = X509.decodeSAN(certs[i]);
+			if (!names) return false;
+
+			let tls_server_name = options.tls_server_name, match;
+			if (tls_server_name) {
+				tls_server_name = tls_server_name.toLowerCase();
+
+				for (let j = 0; j < names.length; j++) {
+					let name = names[j];
+					if (2 === name.tag) {			// dNSName
+						name = name.value.toLowerCase();
+						if (42 === name.charCodeAt(0)) {		// wildcard ("*")
+							if (name.indexOf("*", 1) > 0)	// only one wild card
+								continue;
+							let position = tls_server_name.indexOf(".");
+							if (position < 0) continue;
+							match = name.slice(1).toLowerCase() === tls_server_name.slice(position);
+						}
+						else
+							match = name.toLowerCase() === tls_server_name;
+					}
+					else if (7 === name.tag) {		// iPAddress
+						name = name.value;
+						if (4 !== name.byteLength) continue;		// only handling IPv4 for now
+						name = (new Uint8Array(name)).join(".");
+						match = name === tls_server_name;
+					}
+					if (match) break;
+				}
+			}
+			if (!match) {
+				trace(`subjectAltName match failed for ${tls_server_name}\n`);
+				return false;
+			}
+
 			validity = X509.decodeTBS(x509.tbs).validity;
 			if (!((validity.from < now) && (now < validity.to))) {
 				trace("date validation failed on received certificate\n");

modules/crypt/ssl/ssl_handshake.js

@@ -478,42 +478,19 @@ const handshakeProtocol = {
 	certificate: {
 		name: "certificate",
 		msgType: certificate,
-//		matchName(re, name) {
-//			re = re.replace(/\./g, "\\.").replace(/\*/g, "[^.]*");
-//			var a = name.match(new RegExp("^" + re + "$", "i"));
-//			return a && a.length == 1;
-//		},
-//		verifyHost(session, cert) {
-//			//@@ this fails because session.socket.host doesn't exist
-//			var altNames = X509.decodeExtension(cert, 'subjectAlternativeName');
-//			var hostname = session.socket.host;
-//			for (var i = 0; i < altNames.length; i++) {
-//				var name = altNames[i];
-//				if (typeof name == "string" && this.matchName(name, hostname))
-//					return true;
-//			}
-//			var arr = X509.decodeTBS(cert).subject.match(/CN=([^,]*)/);
-//			return arr && arr.length > 1 && this.matchName(arr[1], hostname);
-//		},
 
 		unpacketize(session, s) {
 			session.traceProtocol(this);
-			let certs = [];
+			const certs = [];
 			let ttlSize = s.readChars(3);
 			while (ttlSize > 0 && s.bytesAvailable > 0) {
-				let certSize = s.readChars(3);
-				certs.push(s.readChunk(certSize, true));
-				ttlSize -= certSize + 3;
+				const size = s.readChars(3);
+				certs.push(s.readChunk(size, true));
+				ttlSize -= size + 3;
 			}
-			if (!session.certificateManager.verify(certs))
+			if (!session.certificateManager.verify(certs, session.options))
 				throw new TLSError("certificate: auth err");
 
-/*
-			if (session.options.verifyHost) {
-				if (!this.verifyHost(session, certs[0]))
-					throw new TLSError("certificate: bad host");
-			}
-*/
 			session.peerCert = certs[0].slice(0).buffer;		// could we store only the key?
 			return session.certificateManager.register(session.peerCert);	// tail call optimization
 		},

modules/crypt/ssl/ssl_stream.js

@@ -52,7 +52,7 @@ class SSLStream {
 			this.#write = buffer.length;
 		}
 		else {
-			this.#bytes = new Uint8Array(new ArrayBuffer(initial ?? 32, {maxByteLength: 0x10000000}));
+			this.#bytes = new Uint8Array(new ArrayBuffer(initial ?? 32, {maxByteLength: 16896}));		// TLS chunks can't be bigger than 16 KB, so this should be enough (and XS doesn't really use this value)
 			this.#bytes.i = true;
 		}
 	}
@@ -83,11 +83,13 @@ class SSLStream {
 		this.writeChunk(ArrayBuffer.fromString(s));
 	}
 	readChar() {
-		return this.#read < this.#write ? this.#bytes[this.#read++] : undefined;
+		if (this.#read >= this.#write)
+			throw new Error;
+		return this.#bytes[this.#read++];
 	}
 	readChars(n) {
 		if (this.#read + n > this.#write)
-			return;
+			throw new Error;
 		let v = 0;
 		while (--n >= 0)
 			v = (v << 8) | this.#bytes[this.#read++];
@@ -96,7 +98,7 @@ class SSLStream {
 	readChunk(n, reference) {
 		const read = this.#read;
 		if (read + n > this.#write)
-			return;
+			throw new Error;
 
 		this.#read += n;
 		if (reference)