Commit Graph

11 Commits

Author SHA1 Message Date
FDB Formatster df90cc89de apply clang-format to *.c, *.cpp, *.h, *.hpp files 2021-03-10 10:18:07 -08:00
sfc-gh-tclinkenbeard 4669f837fa Add uses of makeReference 2020-11-07 22:10:18 -08:00
Evan Tschannen 362c2bf1e6 improved the cpu efficiency of printable 2019-05-29 14:55:45 -07:00
A.J. Beamon d3c1f9afbd Suppress 'TraceEventFieldNotFound' event. Don't suppress simultaneous FDBLibTLSVerifyFailure events (this requires including flow.h and removing the copied version of Reference/ReferenceCounted in FDBLibTLS). 2019-05-20 15:12:28 -07:00
Alex Miller 7cd73468f1 Fix FDBLibTLS to specify includes from the root. 2018-10-19 18:56:36 -07:00
Alex Miller 44694607e8 Fix Subject Alternative Name matching and add test cases.
The previous change was done in the optimistic hope that NID_subject_alt_name
could be handled in the same fashion as all the rest of the attributes we match
against.  However, X509 is not a place for optimisim.  Instead, it turns out
that the Subject Alternative Name is an X509v3 extension, and needs to be
handled separately.

Therefore, this change...

* Introduces the idea of Criteria matching against a location in the
  certificate, and not just against the entirety of the certificate.
* Extracts the Subject Alternative Name extension, and allows iteration and
  matching against its components.
* Extends our constraint language to sensibly match against SubjectAlternativeNames.

The `S.subjectAltName` syntax has been kept, but the value is now required to
provide what type of field the rest of the value is intended to match against.
The code currently supports DNS, EMAIL, URI, and IP.  Prefix and suffix
matching is supported.

Both verify-test and plugin-test were updated to cover Subject Alternative Name
matching.  I've additionally run plugin-test under valgrind to verify that I've
understood object lifetimes correctly.
2018-06-29 17:17:58 -07:00
Alex Miller 70d078021f Implement prefix and suffix matching for TLS certificate verification.
This extends our language for specifying verification rules from, e.g.

    S.O=XYZCorp

to also include two more operators

    S.O>=XYZ  # Prefix
    S.O<=Corp # Suffix

both of which would match against an Organization of XYZCorp (among others).
2018-06-27 18:11:07 -07:00
Alex Miller e39d2c702d Support Subject Alternative Name verification in TLS Plugin.
The TLS code understands three different things it can verify: the subject, the
issuer, and the root.  The existing code assumes that any attribute we can
verify against one of these is also verifyable against the others.

For Subject Alternative Name, this might not be true.  There exists both
Subject Alternative Name and Issuer Alternative Name.  This code change allows
one to write "I.subjectAltName=Foo", and we'll verifiy a Subject Alt Name
against the Issuer, which wouldn't be right.  Issuer Alternative Name isn't a
requested feature (yet?), so I'm punting on this problem.
2018-06-27 16:14:34 -07:00
Balachandar Namasivayam f71e13fa4d TLS Plugin Changes. 2018-05-08 16:27:21 -07:00
Alec Grieser fced3c61b3
fix headers of FDBLibTLS files 2018-04-19 10:11:55 -07:00
Alex Miller 53e8a84bef Import LibreSSL TLS Plugin.
This does not integrate it into the FoundationDB build system at all, though
the original Makefile exists and could be used to build this plugin.
2018-04-12 14:13:02 -07:00