Skip to content

TLS validation of wildcard subjectAltName domain + SSLKEYLOGFILE support #187

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
masneyb merged 2 commits into from
May 5, 2025
Merged

TLS validation of wildcard subjectAltName domain + SSLKEYLOGFILE support #187

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4ba37c6
TLS validation of wildcard subjectAltName domain
nbanb Apr 14, 2025
2b9ac2c
Adding OpenSSL SSLKEYLOGFILE support in gFTP and removing OpenSSL <3.…
Apr 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 35 additions & 12 deletions lib/sslcommon.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -181,35 +181,41 @@ static int gftp_ssl_post_connection_check (gftp_request * request)
* but it will fault later when we free the struct,
* as the heap would be corrupt.
*/
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
const ASN1_OCTET_STRING* ext_value = X509_EXTENSION_get_data (ext);
const unsigned char* mutable_ptr = ASN1_STRING_get0_data (ext_value);
int len = ASN1_STRING_length (ext_value);
#else
const unsigned char* mutable_ptr = ext->value->data;
int len = ext->value->length;
#endif

#if (OPENSSL_VERSION_NUMBER > 0x00907000L)
if (meth->it) {
ext_str = ASN1_item_d2i (NULL, &mutable_ptr, len, ASN1_ITEM_ptr (meth->it));
} else {
ext_str = meth->d2i (NULL, &mutable_ptr, len);
}
#else
ext_str = meth->d2i(NULL, &mutable_ptr, len);
#endif
val = meth->i2v(meth, ext_str, NULL);

for (j = 0; j < sk_CONF_VALUE_num(val); j++)
{
nval = sk_CONF_VALUE_value (val, j);
if (strcmp (nval->name, "DNS") == 0 &&
strcmp (nval->value, request->hostname) == 0)
nval = sk_CONF_VALUE_value(val, j);
if (strcmp(nval->name, "DNS") == 0)
{
if (strcasecmp(nval->value, request->hostname) == 0)
{
ok = 1;
break;
}

// Wildcard support: check for leading '*.' and match domain suffix
if (nval->value[0] == '*' && nval->value[1] == '.')
{
const char *wildcard_domain = nval->value + 1; // skip the '*'
const char *host_suffix = strchr(request->hostname, '.');

if (host_suffix && strcasecmp(wildcard_domain, host_suffix) == 0)
{
ok = 1;
break;
}
}
}
}
}

Expand Down Expand Up @@ -319,6 +325,21 @@ static void _gftp_ssl_thread_setup (void)
}


static void gftp_ssl_keylog_callback(const SSL *ssl, const char *line)
{
const char *gftp_keylog_file = getenv("SSLKEYLOGFILE");
if (!gftp_keylog_file)
return;

FILE *gftp_fp = fopen(gftp_keylog_file, "a");
if (!gftp_fp)
return;

fprintf(gftp_fp, "%s\n", line);
fclose(gftp_fp);
}


int gftp_ssl_startup (gftp_request * request)
{
DEBUG_PRINT_FUNC
Expand Down Expand Up @@ -359,6 +380,8 @@ int gftp_ssl_startup (gftp_request * request)
_("Error loading default SSL certificates\n"));
return (GFTP_EFATAL);
}
/* enable SSLKEYLOGFILE */
SSL_CTX_set_keylog_callback(ctx, gftp_ssl_keylog_callback);

SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, gftp_ssl_verify_callback);
SSL_CTX_set_verify_depth (ctx, 9);
Expand Down