generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

openssl: verbose: show matching SAN pattern

Browse Source 
... to allow users to see which specfic wildcard that matched when such
is used.

Also minor logic cleanup to simplify the code, and I removed all tabs
from verbose strings.
This commit is contained in:
Daniel Stenberg 2016-03-16 11:02:33 +01:00
parent 80015cdd52
commit 5f5b626357
1 changed files with 30 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
lib/vtls/openssl.c
View File

@ -1024,8 +1024,7 @@ void Curl_ossl_close_all(struct SessionHandle *data)
*/
static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
{
int matched = -1; /* -1 is no alternative match yet, 1 means match and 0
means mismatch */
bool matched = FALSE;
int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
size_t addrlen = 0;
struct SessionHandle *data = conn->data;
@ -1062,7 +1061,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
numalts = sk_GENERAL_NAME_num(altnames);
/* loop through all alternatives while none has matched */
for(i=0; (i<numalts) && (matched != 1); i++) {
for(i=0; (i<numalts) && !matched; i++) {
/* get a handle to alternative name number i */
const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
@ -1087,19 +1086,23 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
if((altlen == strlen(altptr)) &&
/* if this isn't true, there was an embedded zero in the name
string and we cannot match it. */
Curl_cert_hostcheck(altptr, conn->host.name))
matched = 1;
else
matched = 0;
Curl_cert_hostcheck(altptr, conn->host.name)) {
matched = TRUE;
infof(data,
" subjectAltName: host \"%s\" matched cert's \"%s\"\n",
conn->host.dispname, altptr);
}
break;
case GEN_IPADD: /* IP address comparison */
/* compare alternative IP address if the data chunk is the same size
our server IP address is */
if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
matched = 1;
else
matched = 0;
if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) {
matched = TRUE;
infof(data,
" subjectAltName: host \"%s\" matched cert's IP address!\n",
conn->host.dispname);
}
break;
}
}
@ -1107,13 +1110,13 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
GENERAL_NAMES_free(altnames);
}
if(matched == 1)
/* an alternative name matched the server hostname */
infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
else if(matched == 0) {
/* an alternative name field existed, but didn't match and then
we MUST fail */
infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
if(matched)
/* an alternative name matched */
;
else if(altnames) {
/* an alternative name field existed, but didn't match and then we MUST
fail */
infof(data, " subjectAltName does not match %s\n", conn->host.dispname);
failf(data, "SSL: no alternative certificate subject name matches "
"target host name '%s'", conn->host.dispname);
result = CURLE_PEER_FAILED_VERIFICATION;
@ -1123,7 +1126,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
distinguished one to get the most significant one. */
int j, i=-1;
/* The following is done because of a bug in 0.9.6b */
/* The following is done because of a bug in 0.9.6b */
unsigned char *nulstr = (unsigned char *)"";
unsigned char *peer_CN = nulstr;
@ -1195,7 +1198,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
result = CURLE_PEER_FAILED_VERIFICATION;
}
else {
infof(data, "\t common name: %s (matched)\n", peer_CN);
infof(data, " common name: %s (matched)\n", peer_CN);
}
if(peer_CN)
OPENSSL_free(peer_CN);
@ -2548,16 +2551,16 @@ static CURLcode servercert(struct connectdata *conn,
rc = x509_name_oneline(X509_get_subject_name(connssl->server_cert),
buffer, BUFSIZE);
infof(data, "\t subject: %s\n", rc?"[NONE]":buffer);
infof(data, " subject: %s\n", rc?"[NONE]":buffer);
ASN1_TIME_print(mem, X509_get_notBefore(connssl->server_cert));
len = BIO_get_mem_data(mem, (char **) &ptr);
infof(data, "\t start date: %.*s\n", len, ptr);
infof(data, " start date: %.*s\n", len, ptr);
rc = BIO_reset(mem);
ASN1_TIME_print(mem, X509_get_notAfter(connssl->server_cert));
len = BIO_get_mem_data(mem, (char **) &ptr);
infof(data, "\t expire date: %.*s\n", len, ptr);
infof(data, " expire date: %.*s\n", len, ptr);
rc = BIO_reset(mem);
BIO_free(mem);
@ -2579,7 +2582,7 @@ static CURLcode servercert(struct connectdata *conn,
result = CURLE_SSL_CONNECT_ERROR;
}
else {
infof(data, "\t issuer: %s\n", buffer);
infof(data, " issuer: %s\n", buffer);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
@ -2619,7 +2622,7 @@ static CURLcode servercert(struct connectdata *conn,
return CURLE_SSL_ISSUER_ERROR;
}
infof(data, "\t SSL certificate issuer check ok (%s)\n",
infof(data, " SSL certificate issuer check ok (%s)\n",
data->set.str[STRING_SSL_ISSUERCERT]);
X509_free(issuer);
}
@ -2637,12 +2640,12 @@ static CURLcode servercert(struct connectdata *conn,
result = CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t SSL certificate verify result: %s (%ld),"
infof(data, " SSL certificate verify result: %s (%ld),"
" continuing anyway.\n",
X509_verify_cert_error_string(lerr), lerr);
}
else
infof(data, "\t SSL certificate verify ok.\n");
infof(data, " SSL certificate verify ok.\n");
}
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \