SSL: Several SSL-backend related fixes

axTLS: This will make the axTLS backend perform the RFC2818 checks, honoring the VERIFYHOST setting similar to the OpenSSL backend. Generic for OpenSSL and axTLS: Move the hostcheck and cert_hostcheck functions from the lib/ssluse.c files to make them genericly available for both the OpenSSL, axTLS and other SSL backends. They are now in the new lib/hostcheck.c file. CyaSSL: CyaSSL now also has the RFC2818 checks enabled by default. There is a limitation that the verifyhost can not be enabled exclusively on the Subject CN field comparison. This SSL backend will thus behave like the NSS and the GnuTLS (meaning: RFC2818 ok, or bust). In other words: setting verifyhost to 0 or 1 will disable the Subject Alt Names checks too. Schannel: Updated the schannel information messages: Split the IP address usage message from the verifyhost setting and changed the message about disabling SNI (Server Name Indication, used in HTTP virtual hosting) into a message stating that the Subject Alternative Names checks are being disabled when verifyhost is set to 0 or 1. As a side effect of switching off the RFC2818 related servername checks with SCH_CRED_NO_SERVERNAME_CHECK (http://msdn.microsoft.com/en-us/library/aa923430.aspx) the SNI feature is being disabled. This effect is not documented in MSDN, but Wireshark output clearly shows the effect (details on the libcurl maillist). PolarSSL: Fix the prototype change in PolarSSL of ssl_set_session() and the move of the peer_cert from the ssl_context to the ssl_session. Found this change in the PolarSSL SVN between r1316 and r1317 where the POLARSSL_VERSION_NUMBER was at 0x01010100. But to accommodate the Ubuntu PolarSSL version 1.1.4 the check is to discriminate between lower then PolarSSL version 1.2.0 and 1.2.0 and higher. Note: The PolarSSL SVN trunk jumped from version 1.1.1 to 1.2.0. Generic: All the SSL backends are fixed and checked to work with the ssl.verifyhost as a boolean, which is an internal API change.
author: Oscar Koeroo <okoeroo@gmail.com> 2012-11-03 02:06:51 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2012-11-08 22:23:12 +0100
commit: 1394cad30fcac7eb21adb9158dfcfab10e9f53d4 (patch)
tree: a4c89ce32f9f5fb1da8c69e1b44ba6005d6b2a96 /lib/cyassl.c
parent: 18c0e9bd71009792982dc6cf518427c13c8674a0 (diff)
1 files changed, 42 insertions, 5 deletions
diff --git a/lib/cyassl.c b/lib/cyassl.c
index 4c517802f..3639532b2 100644
--- a/lib/cyassl.c
+++ b/lib/cyassl.c
@@ -53,6 +53,8 @@
 #include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
+#include <cyassl/ssl.h>
+#include <cyassl/error.h>
 
 
 static Curl_recv cyassl_recv;
@@ -237,6 +239,13 @@ cyassl_connect_step2(struct connectdata *conn,
   conn->recv[sockindex] = cyassl_recv;
   conn->send[sockindex] = cyassl_send;
 
+  /* Enable RFC2818 checks */
+  if(data->set.ssl.verifyhost) {
+    ret = CyaSSL_check_domain_name(conssl->handle, conn->host.name);
+    if(ret == SSL_FAILURE)
+      return CURLE_OUT_OF_MEMORY;
+  }
+
   ret = SSL_connect(conssl->handle);
   if(ret != 1) {
     char error_buffer[80];
@@ -246,15 +255,43 @@ cyassl_connect_step2(struct connectdata *conn,
       conssl->connecting_state = ssl_connect_2_reading;
       return CURLE_OK;
     }
-
-    if(SSL_ERROR_WANT_WRITE == detail) {
+    else if(SSL_ERROR_WANT_WRITE == detail) {
       conssl->connecting_state = ssl_connect_2_writing;
       return CURLE_OK;
     }
-
-    failf(data, "SSL_connect failed with error %d: %s", detail,
+    /* There is no easy way to override only the CN matching.
+     * This will enable the override of both mismatching SubjectAltNames
+     * as also mismatching CN fields */
+    else if(DOMAIN_NAME_MISMATCH == detail) {
+#if 1
+      failf(data, "\tsubject alt name(s) or common name do not match \"%s\"\n",
+            conn->host.dispname);
+      return CURLE_PEER_FAILED_VERIFICATION;
+#else
+      /* When the CyaSSL_check_domain_name() is used and you desire to continue
+       * on a DOMAIN_NAME_MISMATCH, i.e. 'data->set.ssl.verifyhost == 0',
+       * CyaSSL version 2.4.0 will fail with an INCOMPLETE_DATA error. The only
+       * way to do this is currently to switch the CyaSSL_check_domain_name()
+       * in and out based on the 'data->set.ssl.verifyhost' value. */
+      if(data->set.ssl.verifyhost) {
+        failf(data,
+              "\tsubject alt name(s) or common name do not match \"%s\"\n",
+              conn->host.dispname);
+        return CURLE_PEER_FAILED_VERIFICATION;
+      }
+      else {
+        infof(data,
+              "\tsubject alt name(s) and/or common name do not match \"%s\"\n",
+              conn->host.dispname);
+        return CURLE_OK;
+      }
+#endif
+    }
+    else {
+      failf(data, "SSL_connect failed with error %d: %s", detail,
           ERR_error_string(detail, error_buffer));
-    return CURLE_SSL_CONNECT_ERROR;
+      return CURLE_SSL_CONNECT_ERROR;
+    }
   }
 
   conssl->connecting_state = ssl_connect_3;
author	Oscar Koeroo <okoeroo@gmail.com>	2012-11-03 02:06:51 +0100
committer	Daniel Stenberg <daniel@haxx.se>	2012-11-08 22:23:12 +0100
commit	1394cad30fcac7eb21adb9158dfcfab10e9f53d4 (patch)
tree	a4c89ce32f9f5fb1da8c69e1b44ba6005d6b2a96 /lib/cyassl.c
parent	18c0e9bd71009792982dc6cf518427c13c8674a0 (diff)