From c529150b6140fd6fb7a6af59786457b95df6fb5b Mon Sep 17 00:00:00 2001 From: geby Date: Tue, 7 Nov 2023 10:37:28 +0000 Subject: [PATCH] Enable hostname verification in OpenSSL (bug #75 by dokkie8844) git-svn-id: https://svn.code.sf.net/p/synalist/code/trunk@274 7c85be65-684b-0410-a082-b2ed4fbef004 --- ssl_openssl.pas | 5 ++++- ssl_openssl11.pas | 5 ++++- ssl_openssl11_lib.pas | 14 +++++++++++++- ssl_openssl3.pas | 9 ++++++--- ssl_openssl3_lib.pas | 25 +++++++++++++++++++------ ssl_openssl_lib.pas | 15 ++++++++++++++- 6 files changed, 60 insertions(+), 13 deletions(-) diff --git a/ssl_openssl.pas b/ssl_openssl.pas index 1f6d3bd..1fd0613 100644 --- a/ssl_openssl.pas +++ b/ssl_openssl.pas @@ -1,5 +1,5 @@ {==============================================================================| -| Project : Ararat Synapse | 001.004.000 | +| Project : Ararat Synapse | 001.004.001 | |==============================================================================| | Content: SSL support by OpenSSL | |==============================================================================| @@ -539,7 +539,10 @@ begin Exit; end; if SNIHost<>'' then + begin SSLCtrl(Fssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, PAnsiChar(AnsiString(SNIHost))); + SslSet1Host(Fssl, PAnsiChar(AnsiString(SNIHost))); + end; if FSocket.ConnectionTimeout <= 0 then //do blocking call of SSL_Connect begin x := sslconnect(FSsl); diff --git a/ssl_openssl11.pas b/ssl_openssl11.pas index 53b3808..febbd76 100644 --- a/ssl_openssl11.pas +++ b/ssl_openssl11.pas @@ -1,5 +1,5 @@ {==============================================================================| -| Project : Ararat Synapse | 002.000.000 | +| Project : Ararat Synapse | 002.000.001 | |==============================================================================| | Content: SSL support by OpenSSL | |==============================================================================| 
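Review bot: The result of the new `SslSet1Host(Fssl, ...)` call in the ssl_openssl.pas hunk is discarded, so when SSL_set1_host returns 0 (a hostname it rejects, or the wrapper's fallback when the symbol was not resolved) execution falls straight through to `sslconnect` and the handshake runs with no hostname check, which is exactly the gap this commit is meant to close. I would fail the connection the way the earlier setup failures just above the hunk do, e.g. `if SslSet1Host(Fssl, PAnsiChar(AnsiString(SNIHost))) <> 1 then begin { report the error as the preceding Exit path does } Exit; end;`. Also worth a comment, because it is easy to misread the subject line: SSL_set1_host only aborts the handshake when peer certificate verification is enabled on the SSL object, otherwise the mismatch is only visible through SSL_get_verify_result, so `// hostname is enforced only when peer certificate verification is enabled` belongs on the call. The enclosing method starts and ends outside the hunk, so I cannot see whether the verify mode is set on this path.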
@@ -507,7 +507,10 @@ begin Exit; end; if SNIHost<>'' then + begin SSLCtrl(Fssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, PAnsiChar(AnsiString(SNIHost))); + SslSet1Host(Fssl, PAnsiChar(AnsiString(SNIHost))); + end; if FSocket.ConnectionTimeout <= 0 then //do blocking call of SSL_Connect begin x := sslconnect(FSsl); diff --git a/ssl_openssl11_lib.pas b/ssl_openssl11_lib.pas index a8bb98b..22e28bb 100644 --- a/ssl_openssl11_lib.pas +++ b/ssl_openssl11_lib.pas @@ -1,5 +1,5 @@ {==============================================================================| -| Project : Ararat Synapse | 004.000.000 | +| Project : Ararat Synapse | 004.000.001 | |==============================================================================| | Content: SSL support by OpenSSL 1.1 | |==============================================================================| @@ -281,6 +281,7 @@ var function SSLCipherGetBits(c: SslPtr; var alg_bits: Integer):Integer; function SSLGetVerifyResult(ssl: PSSL):Integer; function SSLCtrl(ssl: PSSL; cmd: integer; larg: integer; parg: SslPtr):Integer; + function SslSet1Host(ssl: PSSL; hostname: PAnsiChar):Integer; // libeay.dll @@ -398,6 +399,7 @@ type TSSLCipherGetBits = function(c: SslPtr; alg_bits: PInteger):Integer; cdecl; TSSLGetVerifyResult = function(ssl: PSSL):Integer; cdecl; TSSLCtrl = function(ssl: PSSL; cmd: integer; larg: integer; parg: SslPtr):Integer; cdecl; + TSslSet1Host = function(ssl: PSSL; hostname: PAnsiChar):Integer; cdecl; TSSLSetTlsextHostName = function(ssl: PSSL; buf: PAnsiChar):Integer; cdecl; @@ -864,6 +866,14 @@ begin Result := X509_V_ERR_APPLICATION_VERIFICATION; end; +function SslSet1Host(ssl: PSSL; hostname: PAnsiChar):Integer; +begin + if InitSSLInterface and Assigned(_SslSet1Host) then + Result := _SslSet1Host(ssl, hostname) + else + Result := 0; +end; + // libeay.dll function X509New: PX509; begin 
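Review bot: Same issue in the ssl_openssl11.pas hunk: `SslSet1Host` returns an integer status and the call ignores it, so a 0 result leaves the connection proceeding without hostname verification. A one-line guard before `sslconnect`, `if SslSet1Host(Fssl, PAnsiChar(AnsiString(SNIHost))) <> 1 then Exit;` (with whatever error reporting the earlier Exit path uses), turns a silent downgrade into a visible failure. Note as well that SSL_set1_host matches DNS names only; if SNIHost can ever hold an IP literal the check will never match and an IP-address check would be needed instead, which I cannot tell from the hunk. The enclosing method continues on both sides of the hunk.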
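Review bot: The new `SslSet1Host` wrapper in ssl_openssl11_lib.pas returns 0 both when SSL_set1_host reports failure and when `_SslSet1Host` was never resolved, so a caller cannot distinguish "hostname rejected" from "this library cannot verify hostnames", and neither case is logged. Since this unit targets OpenSSL 1.1, where SSL_set1_host is always exported, a nil `_SslSet1Host` points to a broken or mismatched library load rather than an optional feature, and that deserves to be said above the function: `// Returns 1 on success. Returns 0 if SSL_set1_host failed OR the symbol was not found; in the latter case no hostname verification happens, so callers must treat 0 as fatal.` Whether the loader already rejects a library missing this symbol is outside the hunk.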
@@ -1321,6 +1331,7 @@ begin _SslCipherGetBits := GetProcAddr(SSLLibHandle, 'SSL_CIPHER_get_bits'); _SslGetVerifyResult := GetProcAddr(SSLLibHandle, 'SSL_get_verify_result'); _SslCtrl := GetProcAddr(SSLLibHandle, 'SSL_ctrl'); + _SslSet1Host := GetProcAddr(SSLLibHandle, 'SSL_set1_host'); _OPENSSL_sk_new_null:= GetProcAddr(SSLUtilHandle, 'OPENSSL_sk_new_null'); _OPENSSL_sk_num:= GetProcAddr(SSLUtilHandle, 'OPENSSL_sk_num'); @@ -1470,6 +1481,7 @@ begin _SslCipherGetBits := nil; _SslGetVerifyResult := nil; _SslCtrl := nil; + _SslSet1Host := nil; _SslCtxSetMinProtoVersion := nil; _SslCtxSetMaxProtoVersion := nil; diff --git a/ssl_openssl3.pas b/ssl_openssl3.pas index 3d4b36a..99452e4 100644 --- a/ssl_openssl3.pas +++ b/ssl_openssl3.pas @@ -1,9 +1,9 @@ {==============================================================================| -| Project : Ararat Synapse | 001.000.000 | +| Project : Ararat Synapse | 001.000.001 | |==============================================================================| | Content: SSL support by OpenSSL | |==============================================================================| -| Copyright (c)1999-2022, Lukas Gebauer | +| Copyright (c)1999-2023, Lukas Gebauer | | All rights reserved. | | | | Redistribution and use in source and binary forms, with or without | @@ -33,7 +33,7 @@ | DAMAGE. | |==============================================================================| | The Initial Developer of the Original Code is Lukas Gebauer (Czech Republic).| -| Portions created by Lukas Gebauer are Copyright (c)2005-2022. | +| Portions created by Lukas Gebauer are Copyright (c)2005-2023. | | Portions created by Petr Fejfar are Copyright (c)2011-2012. | | All Rights Reserved. | |==============================================================================| 
@@ -507,7 +507,10 @@ begin Exit; end; if SNIHost<>'' then + begin SSLCtrl(Fssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, PAnsiChar(AnsiString(SNIHost))); + SslSet1Host(Fssl, PAnsiChar(AnsiString(SNIHost))); + end; if FSocket.ConnectionTimeout <= 0 then //do blocking call of SSL_Connect begin x := sslconnect(FSsl); diff --git a/ssl_openssl3_lib.pas b/ssl_openssl3_lib.pas index caf6ad1..1ad03c1 100644 --- a/ssl_openssl3_lib.pas +++ b/ssl_openssl3_lib.pas @@ -1,9 +1,9 @@ {==============================================================================| -| Project : Ararat Synapse | 001.000.000 | +| Project : Ararat Synapse | 001.000.001 | |==============================================================================| | Content: SSL support by OpenSSL 3.0 | |==============================================================================| -| Copyright (c)1999-2022, Lukas Gebauer | +| Copyright (c)1999-2023, Lukas Gebauer | | All rights reserved. | | | | Redistribution and use in source and binary forms, with or without | @@ -33,7 +33,7 @@ | DAMAGE. | |==============================================================================| | The Initial Developer of the Original Code is Lukas Gebauer (Czech Republic).| -| Portions created by Lukas Gebauer are Copyright (c)2002-2022. | +| Portions created by Lukas Gebauer are Copyright (c)2002-2023. | | Portions created by Petr Fejfar are Copyright (c)2011-2012. | | All Rights Reserved. | |==============================================================================| @@ -228,7 +228,7 @@ const SSL_CTRL_SET_TLSEXT_HOSTNAME = 55; SSL_CTRL_SET_MIN_PROTO_VERSION = 123; - SSL_CTRL_SET_MAX_PROTO_VERSION = 124; + SSL_CTRL_SET_MAX_PROTO_VERSION = 124; TLSEXT_NAMETYPE_host_name = 0; 
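Review bot: In the ssl_openssl3.pas hunk the `SslSet1Host` return value is again dropped, so a failed call leaves `sslconnect` running with no hostname check; I would add `if SslSet1Host(Fssl, PAnsiChar(AnsiString(SNIHost))) <> 1 then Exit;` with the error reporting the earlier Exit path uses. A second point the commit does not address: both SNI and hostname verification are keyed on `SNIHost`, so when it is empty no hostname is verified at all even though the caller has a target host; if the socket's target host name is reachable at this point (not visible in the hunk) it would be the natural fallback for the verified name. The enclosing method starts and ends outside the hunk.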
@@ -282,6 +282,7 @@ var function SSLCipherGetBits(c: SslPtr; var alg_bits: Integer):Integer; function SSLGetVerifyResult(ssl: PSSL):Integer; function SSLCtrl(ssl: PSSL; cmd: integer; larg: integer; parg: SslPtr):Integer; + function SslSet1Host(ssl: PSSL; hostname: PAnsiChar):Integer; // libeay.dll @@ -397,6 +398,7 @@ type TSSLCipherGetBits = function(c: SslPtr; alg_bits: PInteger):Integer; cdecl; TSSLGetVerifyResult = function(ssl: PSSL):Integer; cdecl; TSSLCtrl = function(ssl: PSSL; cmd: integer; larg: integer; parg: SslPtr):Integer; cdecl; + TSslSet1Host = function(ssl: PSSL; hostname: PAnsiChar):Integer; cdecl; TSSLSetTlsextHostName = function(ssl: PSSL; buf: PAnsiChar):Integer; cdecl; @@ -498,7 +500,8 @@ var _SSLCipherGetBits: TSSLCipherGetBits = nil; _SSLGetVerifyResult: TSSLGetVerifyResult = nil; _SSLCtrl: TSSLCtrl = nil; - + _SslSet1Host: TSslSet1Host = nil; + // libeay.dll _OPENSSL_sk_new_null: TOPENSSL_sk_new_null = nil; @@ -845,6 +848,14 @@ begin Result := X509_V_ERR_APPLICATION_VERIFICATION; end; +function SslSet1Host(ssl: PSSL; hostname: PAnsiChar):Integer; +begin + if InitSSLInterface and Assigned(_SslSet1Host) then + Result := _SslSet1Host(ssl, hostname) + else + Result := 0; +end; + // libeay.dll function X509New: PX509; begin @@ -1300,7 +1311,8 @@ begin _SslCipherGetBits := GetProcAddr(SSLLibHandle, 'SSL_CIPHER_get_bits'); _SslGetVerifyResult := GetProcAddr(SSLLibHandle, 'SSL_get_verify_result'); _SslCtrl := GetProcAddr(SSLLibHandle, 'SSL_ctrl'); - + _SslSet1Host := GetProcAddr(SSLLibHandle, 'SSL_set1_host'); + _OPENSSL_sk_new_null:= GetProcAddr(SSLUtilHandle, 'OPENSSL_sk_new_null'); _OPENSSL_sk_num:= GetProcAddr(SSLUtilHandle, 'OPENSSL_sk_num'); _OPENSSL_sk_value:= GetProcAddr(SSLUtilHandle, 'OPENSSL_sk_value'); @@ -1449,6 +1461,7 @@ begin _SslCipherGetBits := nil; _SslGetVerifyResult := nil; _SslCtrl := nil; + _SslSet1Host := nil; _X509New := nil; _X509Free := nil; 
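Review bot: The ssl_openssl3_lib.pas wrapper `SslSet1Host` folds "symbol not loaded" into the same 0 that SSL_set1_host itself returns on failure. OpenSSL 3 always exports SSL_set1_host, so `Assigned(_SslSet1Host)` being false here means the library load went wrong, and quietly returning 0 hides that from every caller that (as the call sites in this patch do) never checks the result. I would document the contract on the function, `// 1 on success; 0 when SSL_set1_host fails or was not resolved - in both cases the peer hostname is NOT verified`, and consider having the loader treat the missing symbol as a load error rather than relying on this fallback. The GetProcAddr hunk further down resolves the symbol without any check, which is consistent with the rest of the loader but is what makes the silent path possible.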
diff --git a/ssl_openssl_lib.pas b/ssl_openssl_lib.pas index aaaa4cc..bb9b250 100644 --- a/ssl_openssl_lib.pas +++ b/ssl_openssl_lib.pas @@ -1,5 +1,5 @@ {==============================================================================| -| Project : Ararat Synapse | 003.009.000 | +| Project : Ararat Synapse | 003.009.001 | |==============================================================================| | Content: SSL support by OpenSSL | |==============================================================================| @@ -812,6 +812,7 @@ var function SSLCipherGetBits(c: SslPtr; var alg_bits: Integer):Integer; function SSLGetVerifyResult(ssl: PSSL):Integer; function SSLCtrl(ssl: PSSL; cmd: integer; larg: integer; parg: SslPtr):Integer; + function SslSet1Host(ssl: PSSL; hostname: PAnsiChar):Integer; // libeay.dll function X509New: PX509; @@ -938,6 +939,7 @@ type TSSLCipherGetBits = function(c: SslPtr; alg_bits: PInteger):Integer; cdecl; TSSLGetVerifyResult = function(ssl: PSSL):Integer; cdecl; TSSLCtrl = function(ssl: PSSL; cmd: integer; larg: integer; parg: SslPtr):Integer; cdecl; + TSslSet1Host = function(ssl: PSSL; hostname: PAnsiChar):Integer; cdecl; TSSLSetTlsextHostName = function(ssl: PSSL; buf: PAnsiChar):Integer; cdecl; @@ -1046,6 +1048,7 @@ var _SSLCipherGetBits: TSSLCipherGetBits = nil; _SSLGetVerifyResult: TSSLGetVerifyResult = nil; _SSLCtrl: TSSLCtrl = nil; + _SslSet1Host: TSslSet1Host = nil; // libeay.dll _X509New: TX509New = nil; @@ -1463,6 +1466,14 @@ begin Result := X509_V_ERR_APPLICATION_VERIFICATION; end; +function SslSet1Host(ssl: PSSL; hostname: PAnsiChar):Integer; +begin + if InitSSLInterface and Assigned(_SslSet1Host) then + Result := _SslSet1Host(ssl, hostname) + else + Result := 0; +end; + // libeay.dll function X509New: PX509; begin 
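Review bot: In ssl_openssl_lib.pas, which also loads the legacy libeay/ssleay layout, SSL_set1_host was only introduced in OpenSSL 1.1.0, so on 1.0.2 and earlier the new `SslSet1Host` wrapper always takes the `else Result := 0` branch and the hostname verification this commit advertises is silently absent. That should be stated on the function, e.g. `// SSL_set1_host exists only from OpenSSL 1.1.0; with an older library this returns 0 and NO hostname verification is performed`, and ideally surfaced to callers as a distinct "not supported" condition instead of the same 0 a genuine failure returns. If 1.0.2 still matters to users of this unit, X509_VERIFY_PARAM_set1_host on the SSL object's verify parameters is available there and could serve as a fallback; I have not checked whether this unit already imports those symbols.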
@@ -2010,6 +2021,7 @@ begin _SslCipherGetBits := GetProcAddr(SSLLibHandle, 'SSL_CIPHER_get_bits'); _SslGetVerifyResult := GetProcAddr(SSLLibHandle, 'SSL_get_verify_result'); _SslCtrl := GetProcAddr(SSLLibHandle, 'SSL_ctrl'); + _SslSet1Host := GetProcAddr(SSLLibHandle, 'SSL_set1_host'); _X509New := GetProcAddr(SSLUtilHandle, 'X509_new'); _X509Free := GetProcAddr(SSLUtilHandle, 'X509_free'); @@ -2200,6 +2212,7 @@ begin _SslCipherGetBits := nil; _SslGetVerifyResult := nil; _SslCtrl := nil; + _SslSet1Host := nil; _X509New := nil; _X509Free := nil;