gnunet-svn
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[GNUnet-SVN] [gnurl] 95/178: openssl: fix subjectAltName check on non-AS


From: gnunet
Subject: [GNUnet-SVN] [gnurl] 95/178: openssl: fix subjectAltName check on non-ASCII platforms
Date: Wed, 23 May 2018 12:25:30 +0200

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to branch master
in repository gnurl.

commit b0a50227c07654e47598c90fe55cee1c890cc4a4
Author: Stephan Mühlstrasser <address@hidden>
AuthorDate: Fri Apr 13 14:04:11 2018 +0200

    openssl: fix subjectAltName check on non-ASCII platforms
    
    Curl_cert_hostcheck operates with the host character set, therefore the
    ASCII subjectAltName string retrieved with OpenSSL must be converted to
    the host encoding before comparison.
    
    Closes #2493
---
 lib/vtls/openssl.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 46 insertions(+), 4 deletions(-)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 988fd3506..80e9bf940 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1323,6 +1323,51 @@ static void Curl_ossl_close_all(struct Curl_easy *data)
 
 /* ====================================================== */
 
+/*
+ * Match subjectAltName against the host name. This requires a conversion
+ * in CURL_DOES_CONVERSIONS builds.
+ */
+static bool subj_alt_hostcheck(struct Curl_easy *data,
+                               const char *match_pattern, const char *hostname,
+                               const char *dispname)
+#ifdef CURL_DOES_CONVERSIONS
+{
+  bool res = FALSE;
+
+  /* Curl_cert_hostcheck uses host encoding, but we get ASCII from
+     OpenSSl.
+   */
+  char *match_pattern2 = strdup(match_pattern);
+
+  if(match_pattern2) {
+    if(Curl_convert_from_network(data, match_pattern2,
+                                strlen(match_pattern2)) == CURLE_OK) {
+      if(Curl_cert_hostcheck(match_pattern2, hostname)) {
+        res = TRUE;
+        infof(data,
+                " subjectAltName: host \"%s\" matched cert's \"%s\"\n",
+                dispname, match_pattern2);
+      }
+    }
+    free(match_pattern2);
+  }
+  else {
+    failf(data,
+        "SSL: out of memory when allocating temporary for subjectAltName");
+  }
+  return res;
+}
+#else
+{
+  if(Curl_cert_hostcheck(match_pattern, hostname)) {
+    infof(data, " subjectAltName: host \"%s\" matched cert's \"%s\"\n",
+                  dispname, match_pattern);
+    return TRUE;
+  }
+  return FALSE;
+}
+#endif
+
 
 /* Quote from RFC2818 section 3.1 "Server Identity"
 
@@ -1422,11 +1467,8 @@ static CURLcode verifyhost(struct connectdata *conn, 
X509 *server_cert)
           if((altlen == strlen(altptr)) &&
              /* if this isn't true, there was an embedded zero in the name
                 string and we cannot match it. */
-             Curl_cert_hostcheck(altptr, hostname)) {
+             subj_alt_hostcheck(data, altptr, hostname, dispname)) {
             dnsmatched = TRUE;
-            infof(data,
-                  " subjectAltName: host \"%s\" matched cert's \"%s\"\n",
-                  dispname, altptr);
           }
           break;
 

-- 
To stop receiving notification emails like this one, please contact
address@hidden



reply via email to

[Prev in Thread] Current Thread [Next in Thread]