- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-
powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name field in the certficate it had to match and so even if non-DNS and non-IP entry was present it caused the verification to fail.
This commit is contained in:
Daniel Stenberg
6
CHANGES
6
CHANGES
@@ -6,6 +6,12 @@
|
|||||||
|
|
||||||
Changelog
|
Changelog
|
||||||
|
|
||||||
|
Daniel Stenberg (16 Sep 2009)
|
||||||
|
- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-
|
||||||
|
powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name
|
||||||
|
field in the certficate it had to match and so even if non-DNS and non-IP
|
||||||
|
entry was present it caused the verification to fail.
|
||||||
|
|
||||||
Daniel Fandrich (15 Sep 2009)
|
Daniel Fandrich (15 Sep 2009)
|
||||||
- Moved the libssh2 checks after the SSL library checks. This helps when
|
- Moved the libssh2 checks after the SSL library checks. This helps when
|
||||||
statically linking since libssh2 needs the SSL library link flags to be
|
statically linking since libssh2 needs the SSL library link flags to be
|
||||||
|
|||||||
@@ -28,6 +28,7 @@ This release includes the following bugfixes:
|
|||||||
o configure uses pkg-config for cross-compiles as well
|
o configure uses pkg-config for cross-compiles as well
|
||||||
o improved NSS detection in configure
|
o improved NSS detection in configure
|
||||||
o cookie expiry date at 1970-jan-1 00:00:00
|
o cookie expiry date at 1970-jan-1 00:00:00
|
||||||
|
o libcurl-OpenSSL failed to verify some certs with Subject Alternative Name
|
||||||
|
|
||||||
This release includes the following known bugs:
|
This release includes the following known bugs:
|
||||||
|
|
||||||
@@ -38,6 +39,6 @@ advice from friends like these:
|
|||||||
|
|
||||||
Karl Moerder, Kamil Dudka, Krister Johansen, Andre Guibert de Bruet,
|
Karl Moerder, Kamil Dudka, Krister Johansen, Andre Guibert de Bruet,
|
||||||
Michal Marek, Eric Wong, Guenter Knauf, Peter Sylvester, Daniel Johnson,
|
Michal Marek, Eric Wong, Guenter Knauf, Peter Sylvester, Daniel Johnson,
|
||||||
Claes Jakobsson
|
Claes Jakobsson, Sven Anders
|
||||||
|
|
||||||
Thanks! (and sorry if I forgot to mention someone)
|
Thanks! (and sorry if I forgot to mention someone)
|
||||||
|
|||||||
17
lib/ssluse.c
17
lib/ssluse.c
@@ -1056,7 +1056,8 @@ cert_hostcheck(const char *match_pattern, const char *hostname)
|
|||||||
static CURLcode verifyhost(struct connectdata *conn,
|
static CURLcode verifyhost(struct connectdata *conn,
|
||||||
X509 *server_cert)
|
X509 *server_cert)
|
||||||
{
|
{
|
||||||
bool matched = FALSE; /* no alternative match yet */
|
int matched = -1; /* -1 is no alternative match yet, 1 means match and 0
|
||||||
|
means mismatch */
|
||||||
int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
|
int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
|
||||||
size_t addrlen = 0;
|
size_t addrlen = 0;
|
||||||
struct SessionHandle *data = conn->data;
|
struct SessionHandle *data = conn->data;
|
||||||
@@ -1093,7 +1094,7 @@ static CURLcode verifyhost(struct connectdata *conn,
|
|||||||
numalts = sk_GENERAL_NAME_num(altnames);
|
numalts = sk_GENERAL_NAME_num(altnames);
|
||||||
|
|
||||||
/* loop through all alternatives while none has matched */
|
/* loop through all alternatives while none has matched */
|
||||||
for (i=0; (i<numalts) && !matched; i++) {
|
for (i=0; (i<numalts) && (matched != 1); i++) {
|
||||||
/* get a handle to alternative name number i */
|
/* get a handle to alternative name number i */
|
||||||
const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
|
const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
|
||||||
|
|
||||||
@@ -1119,14 +1120,18 @@ static CURLcode verifyhost(struct connectdata *conn,
|
|||||||
/* if this isn't true, there was an embedded zero in the name
|
/* if this isn't true, there was an embedded zero in the name
|
||||||
string and we cannot match it. */
|
string and we cannot match it. */
|
||||||
cert_hostcheck(altptr, conn->host.name))
|
cert_hostcheck(altptr, conn->host.name))
|
||||||
matched = TRUE;
|
matched = 1;
|
||||||
|
else
|
||||||
|
matched = 0;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case GEN_IPADD: /* IP address comparison */
|
case GEN_IPADD: /* IP address comparison */
|
||||||
/* compare alternative IP address if the data chunk is the same size
|
/* compare alternative IP address if the data chunk is the same size
|
||||||
our server IP address is */
|
our server IP address is */
|
||||||
if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
|
if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
|
||||||
matched = TRUE;
|
matched = 1;
|
||||||
|
else
|
||||||
|
matched = 0;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1134,10 +1139,10 @@ static CURLcode verifyhost(struct connectdata *conn,
|
|||||||
GENERAL_NAMES_free(altnames);
|
GENERAL_NAMES_free(altnames);
|
||||||
}
|
}
|
||||||
|
|
||||||
if(matched)
|
if(matched == 1)
|
||||||
/* an alternative name matched the server hostname */
|
/* an alternative name matched the server hostname */
|
||||||
infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
|
infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
|
||||||
else if(altnames) {
|
else if(matched == 0) {
|
||||||
/* an alternative name field existed, but didn't match and then
|
/* an alternative name field existed, but didn't match and then
|
||||||
we MUST fail */
|
we MUST fail */
|
||||||
infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
|
infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
|
||||||
|
|||||||
Reference in New Issue
Block a user