authorDaniel Stenberg <daniel@haxx.se>2009-09-16 20:44:18 +0000
committerDaniel Stenberg <daniel@haxx.se>2009-09-16 20:44:18 +0000
commit250ba9949894571052888cd2065defbb3e00b183 (patch)
treebd368d9b53bf8d43cbee54515f097b76a16843e2
parentc2c3a46e3e69afb6f34410b89919b2e5c18ce1c4 (diff)
- Sven Anders reported that we introduced a cert verification flaw for OpenSSL-
powered libcurl in 7.19.6. If there was an X509v3 Subject Alternative Name field in the certificate it had to match, so even if only a non-DNS and non-IP entry was present it caused the verification to fail.
-rw-r--r--CHANGES6
-rw-r--r--RELEASE-NOTES3
-rw-r--r--lib/ssluse.c17
3 files changed, 19 insertions, 7 deletions
diff --git a/CHANGES b/CHANGES
index 816505f02..c9a34891e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,12 @@
Changelog
+Daniel Stenberg (16 Sep 2009)
+- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-
+ powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name
+ field in the certficate it had to match and so even if non-DNS and non-IP
+ entry was present it caused the verification to fail.
+
Daniel Fandrich (15 Sep 2009)
- Moved the libssh2 checks after the SSL library checks. This helps when
statically linking since libssh2 needs the SSL library link flags to be
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 7136fd55c..6077ef25f 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -28,6 +28,7 @@ This release includes the following bugfixes:
o configure uses pkg-config for cross-compiles as well
o improved NSS detection in configure
o cookie expiry date at 1970-jan-1 00:00:00
+ o libcurl-OpenSSL failed to verify some certs with Subject Alternative Name
This release includes the following known bugs:
@@ -38,6 +39,6 @@ advice from friends like these:
Karl Moerder, Kamil Dudka, Krister Johansen, Andre Guibert de Bruet,
Michal Marek, Eric Wong, Guenter Knauf, Peter Sylvester, Daniel Johnson,
- Claes Jakobsson
+ Claes Jakobsson, Sven Anders
Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/ssluse.c b/lib/ssluse.c
index aaf5df05a..c0c1ee6de 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1056,7 +1056,8 @@ cert_hostcheck(const char *match_pattern, const char *hostname)
static CURLcode verifyhost(struct connectdata *conn,
X509 *server_cert)
{
- bool matched = FALSE; /* no alternative match yet */
+ int matched = -1; /* -1 is no alternative match yet, 1 means match and 0
+ means mismatch */
int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
size_t addrlen = 0;
struct SessionHandle *data = conn->data;
@@ -1093,7 +1094,7 @@ static CURLcode verifyhost(struct connectdata *conn,
numalts = sk_GENERAL_NAME_num(altnames);
/* loop through all alternatives while none has matched */
- for (i=0; (i<numalts) && !matched; i++) {
+ for (i=0; (i<numalts) && (matched != 1); i++) {
/* get a handle to alternative name number i */
const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
@@ -1119,14 +1120,18 @@ static CURLcode verifyhost(struct connectdata *conn,
/* if this isn't true, there was an embedded zero in the name
string and we cannot match it. */
cert_hostcheck(altptr, conn->host.name))
- matched = TRUE;
+ matched = 1;
+ else
+ matched = 0;
break;
case GEN_IPADD: /* IP address comparison */
/* compare alternative IP address if the data chunk is the same size
our server IP address is */
if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
- matched = TRUE;
+ matched = 1;
+ else
+ matched = 0;
break;
}
}
@@ -1134,10 +1139,10 @@ static CURLcode verifyhost(struct connectdata *conn,
GENERAL_NAMES_free(altnames);
}
- if(matched)
+ if(matched == 1)
/* an alternative name matched the server hostname */
infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
- else if(altnames) {
+ else if(matched == 0) {
/* an alternative name field existed, but didn't match and then
we MUST fail */
infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
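Review bot: The `else matched = 0;` branches added in the GEN_DNS and GEN_IPADD cases of the second hunk leave matched at -1 when the SAN extension contains no entry of the target type, and that distinction is the whole point of the fix, yet nothing in the hunk says so. I would state it at the top of the switch: `/* only entries of the target type count: a mismatch on one of them fails verification unless a later entry matches, while a SAN with no such entry leaves matched == -1 (RFC 2818 3.1) */`. The bare -1/0/1 tri-state introduced in the first hunk would also read better as named values, e.g. `enum { ALT_NONE = -1, ALT_MISMATCH = 0, ALT_MATCH = 1 };`, replacing the integer literals in all three hunks. verifyhost's body extends beyond these hunks, and the guard that selects entries by target type is presumably above the switch, outside the hunk, so I cannot confirm here that a mismatching entry of the other type is never counted.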