generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

- PHP's bug report #43158 (http://bugs.php.net/bug.php?id=43158) identifies a

Browse Source 
true bug in libcurl built with OpenSSL. It made curl_easy_getinfo() more or
  less always return 0 for CURLINFO_SSL_VERIFYRESULT because the function that
  would set it to something non-zero would return before the assign in almost
  all error cases. The internal variable is now set to non-zero from the start
  of the function only to get cleared later on if things work out fine.
This commit is contained in:
Daniel Stenberg 2008-07-30 21:24:59 +00:00
parent 03986f1b8b
commit ae654266df
3 changed files with 35 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
CHANGES
View File

@ -6,6 +6,16 @@
Changelog Changelog
Daniel Stenberg (30 Jul 2008)
- PHP's bug report #43158 (http://bugs.php.net/bug.php?id=43158) identifies a
true bug in libcurl built with OpenSSL. It made curl_easy_getinfo() more or
less always return 0 for CURLINFO_SSL_VERIFYRESULT because the function that
would set it to something non-zero would return before the assign in almost
all error cases. The internal variable is now set to non-zero from the start
of the function only to get cleared later on if things work out fine.
- Made the curl tool's -w option support the %{ssl_verify_result} variable
Daniel Fandrich (30 Jul 2008) Daniel Fandrich (30 Jul 2008)
- Added test cases 1052 through 1055 to test uploading data from files - Added test cases 1052 through 1055 to test uploading data from files
during redirects. Test cases 1052 and 1055 show problems (maybe the same during redirects. Test cases 1052 and 1055 show problems (maybe the same

2
RELEASE-NOTES
View File

@ -18,6 +18,7 @@ This release includes the following changes:
o Now builds for the INTEGRITY operating system o Now builds for the INTEGRITY operating system
o Added CURLINFO_APPCONNECT_TIME o Added CURLINFO_APPCONNECT_TIME
o Added test selection by key word in runtests.pl o Added test selection by key word in runtests.pl
o the curl tool's -w option support the %{ssl_verify_result} variable
This release includes the following bugfixes: This release includes the following bugfixes:
@ -37,6 +38,7 @@ This release includes the following bugfixes:
o user-agent in CONNECT with non-HTTP protocols o user-agent in CONNECT with non-HTTP protocols
o CURL_READFUNC_PAUSE problems fixed o CURL_READFUNC_PAUSE problems fixed
o --use-ascii now works on Symbian OS, MS-DOS and OS/2 o --use-ascii now works on Symbian OS, MS-DOS and OS/2
o CURLINFO_SSL_VERIFYRESULT is fixed
This release includes the following known bugs: This release includes the following known bugs:

44
lib/ssluse.c
View File

@ -1444,7 +1444,7 @@ ossl_connect_step1(struct connectdata *conn,
lookup=X509_STORE_add_lookup(connssl->ctx->cert_store,X509_LOOKUP_file()); lookup=X509_STORE_add_lookup(connssl->ctx->cert_store,X509_LOOKUP_file());
if ( !lookup || if ( !lookup ||
(X509_load_crl_file(lookup,data->set.str[STRING_SSL_CRLFILE], (X509_load_crl_file(lookup,data->set.str[STRING_SSL_CRLFILE],
X509_FILETYPE_PEM)!=1) ) { X509_FILETYPE_PEM)!=1) ) {
failf(data,"error loading CRL file :\n" failf(data,"error loading CRL file :\n"
" CRLfile: %s\n", " CRLfile: %s\n",
data->set.str[STRING_SSL_CRLFILE]? data->set.str[STRING_SSL_CRLFILE]?
@ -1455,11 +1455,11 @@ ossl_connect_step1(struct connectdata *conn,
/* Everything is fine. */ /* Everything is fine. */
infof(data, "successfully load CRL file:\n"); infof(data, "successfully load CRL file:\n");
X509_STORE_set_flags(connssl->ctx->cert_store, X509_STORE_set_flags(connssl->ctx->cert_store,
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
} }
infof(data, infof(data,
" CRLfile: %s\n", data->set.str[STRING_SSL_CRLFILE] ? " CRLfile: %s\n", data->set.str[STRING_SSL_CRLFILE] ?
data->set.str[STRING_SSL_CRLFILE]: "none"); data->set.str[STRING_SSL_CRLFILE]: "none");
} }
/* SSL always tries to verify the peer, this only says whether it should /* SSL always tries to verify the peer, this only says whether it should
@ -1639,6 +1639,8 @@ static CURLcode servercert(struct connectdata *conn,
X509 *issuer; X509 *issuer;
FILE *fp; FILE *fp;
data->set.ssl.certverifyresult = !X509_V_OK;
connssl->server_cert = SSL_get_peer_certificate(connssl->handle); connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
if(!connssl->server_cert) { if(!connssl->server_cert) {
if(strict) if(strict)
@ -1692,34 +1694,34 @@ static CURLcode servercert(struct connectdata *conn,
if (data->set.str[STRING_SSL_ISSUERCERT]) { if (data->set.str[STRING_SSL_ISSUERCERT]) {
if (! (fp=fopen(data->set.str[STRING_SSL_ISSUERCERT],"r"))) { if (! (fp=fopen(data->set.str[STRING_SSL_ISSUERCERT],"r"))) {
if (strict) if (strict)
failf(data, "SSL: Unable to open issuer cert (%s)\n", failf(data, "SSL: Unable to open issuer cert (%s)\n",
data->set.str[STRING_SSL_ISSUERCERT]); data->set.str[STRING_SSL_ISSUERCERT]);
X509_free(connssl->server_cert); X509_free(connssl->server_cert);
connssl->server_cert = NULL; connssl->server_cert = NULL;
return CURLE_SSL_ISSUER_ERROR; return CURLE_SSL_ISSUER_ERROR;
} }
issuer = PEM_read_X509(fp,NULL,ZERO_NULL,NULL); issuer = PEM_read_X509(fp,NULL,ZERO_NULL,NULL);
if (!issuer) { if (!issuer) {
if (strict) if (strict)
failf(data, "SSL: Unable to read issuer cert (%s)\n", failf(data, "SSL: Unable to read issuer cert (%s)\n",
data->set.str[STRING_SSL_ISSUERCERT]); data->set.str[STRING_SSL_ISSUERCERT]);
X509_free(connssl->server_cert); X509_free(connssl->server_cert);
X509_free(issuer); X509_free(issuer);
fclose(fp); fclose(fp);
return CURLE_SSL_ISSUER_ERROR; return CURLE_SSL_ISSUER_ERROR;
} }
fclose(fp); fclose(fp);
if (X509_check_issued(issuer,connssl->server_cert) != X509_V_OK) { if (X509_check_issued(issuer,connssl->server_cert) != X509_V_OK) {
if (strict) if (strict)
failf(data, "SSL: Certificate issuer check failed (%s)\n", failf(data, "SSL: Certificate issuer check failed (%s)\n",
data->set.str[STRING_SSL_ISSUERCERT]); data->set.str[STRING_SSL_ISSUERCERT]);
X509_free(connssl->server_cert); X509_free(connssl->server_cert);
X509_free(issuer); X509_free(issuer);
connssl->server_cert = NULL; connssl->server_cert = NULL;
return CURLE_SSL_ISSUER_ERROR; return CURLE_SSL_ISSUER_ERROR;
} }
infof(data, "\t SSL certificate issuer check ok (%s)\n", infof(data, "\t SSL certificate issuer check ok (%s)\n",
data->set.str[STRING_SSL_ISSUERCERT]); data->set.str[STRING_SSL_ISSUERCERT]);
X509_free(issuer); X509_free(issuer);
} }
@ -1728,7 +1730,7 @@ static CURLcode servercert(struct connectdata *conn,
if(data->set.ssl.certverifyresult != X509_V_OK) { if(data->set.ssl.certverifyresult != X509_V_OK) {
if(data->set.ssl.verifypeer) { if(data->set.ssl.verifypeer) {
/* We probably never reach this, because SSL_connect() will fail /* We probably never reach this, because SSL_connect() will fail
and we return earlyer if verifypeer is set? */ and we return earlier if verifypeer is set? */
if(strict) if(strict)
failf(data, "SSL certificate verify result: %s (%ld)", failf(data, "SSL certificate verify result: %s (%ld)",
X509_verify_cert_error_string(lerr), lerr); X509_verify_cert_error_string(lerr), lerr);