aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2016-03-16 11:02:33 +0100
committerDaniel Stenberg <daniel@haxx.se>2016-03-17 00:49:02 +0100
commit5f5b6263573ba70f06988f8e439feec4520b1b36 (patch)
tree519b53e16927cfccded9db7034dc2072614734c9 /lib
parent80015cdd52145bd95b98e0e456540c6da3120f98 (diff)
openssl: verbose: show matching SAN pattern
... to allow users to see which specfic wildcard that matched when such is used. Also minor logic cleanup to simplify the code, and I removed all tabs from verbose strings.
Diffstat (limited to 'lib')
-rw-r--r--lib/vtls/openssl.c57
1 files changed, 30 insertions, 27 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 1517ca22b..3b19369f1 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1024,8 +1024,7 @@ void Curl_ossl_close_all(struct SessionHandle *data)
*/
static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
{
- int matched = -1; /* -1 is no alternative match yet, 1 means match and 0
- means mismatch */
+ bool matched = FALSE;
int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
size_t addrlen = 0;
struct SessionHandle *data = conn->data;
@@ -1062,7 +1061,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
numalts = sk_GENERAL_NAME_num(altnames);
/* loop through all alternatives while none has matched */
- for(i=0; (i<numalts) && (matched != 1); i++) {
+ for(i=0; (i<numalts) && !matched; i++) {
/* get a handle to alternative name number i */
const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
@@ -1087,19 +1086,23 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
if((altlen == strlen(altptr)) &&
/* if this isn't true, there was an embedded zero in the name
string and we cannot match it. */
- Curl_cert_hostcheck(altptr, conn->host.name))
- matched = 1;
- else
- matched = 0;
+ Curl_cert_hostcheck(altptr, conn->host.name)) {
+ matched = TRUE;
+ infof(data,
+ " subjectAltName: host \"%s\" matched cert's \"%s\"\n",
+ conn->host.dispname, altptr);
+ }
break;
case GEN_IPADD: /* IP address comparison */
/* compare alternative IP address if the data chunk is the same size
our server IP address is */
- if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
- matched = 1;
- else
- matched = 0;
+ if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) {
+ matched = TRUE;
+ infof(data,
+ " subjectAltName: host \"%s\" matched cert's IP address!\n",
+ conn->host.dispname);
+ }
break;
}
}
@@ -1107,13 +1110,13 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
GENERAL_NAMES_free(altnames);
}
- if(matched == 1)
- /* an alternative name matched the server hostname */
- infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
- else if(matched == 0) {
- /* an alternative name field existed, but didn't match and then
- we MUST fail */
- infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
+ if(matched)
+ /* an alternative name matched */
+ ;
+ else if(altnames) {
+ /* an alternative name field existed, but didn't match and then we MUST
+ fail */
+ infof(data, " subjectAltName does not match %s\n", conn->host.dispname);
failf(data, "SSL: no alternative certificate subject name matches "
"target host name '%s'", conn->host.dispname);
result = CURLE_PEER_FAILED_VERIFICATION;
@@ -1123,7 +1126,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
distinguished one to get the most significant one. */
int j, i=-1;
-/* The following is done because of a bug in 0.9.6b */
+ /* The following is done because of a bug in 0.9.6b */
unsigned char *nulstr = (unsigned char *)"";
unsigned char *peer_CN = nulstr;
@@ -1195,7 +1198,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
result = CURLE_PEER_FAILED_VERIFICATION;
}
else {
- infof(data, "\t common name: %s (matched)\n", peer_CN);
+ infof(data, " common name: %s (matched)\n", peer_CN);
}
if(peer_CN)
OPENSSL_free(peer_CN);
@@ -2548,16 +2551,16 @@ static CURLcode servercert(struct connectdata *conn,
rc = x509_name_oneline(X509_get_subject_name(connssl->server_cert),
buffer, BUFSIZE);
- infof(data, "\t subject: %s\n", rc?"[NONE]":buffer);
+ infof(data, " subject: %s\n", rc?"[NONE]":buffer);
ASN1_TIME_print(mem, X509_get_notBefore(connssl->server_cert));
len = BIO_get_mem_data(mem, (char **) &ptr);
- infof(data, "\t start date: %.*s\n", len, ptr);
+ infof(data, " start date: %.*s\n", len, ptr);
rc = BIO_reset(mem);
ASN1_TIME_print(mem, X509_get_notAfter(connssl->server_cert));
len = BIO_get_mem_data(mem, (char **) &ptr);
- infof(data, "\t expire date: %.*s\n", len, ptr);
+ infof(data, " expire date: %.*s\n", len, ptr);
rc = BIO_reset(mem);
BIO_free(mem);
@@ -2579,7 +2582,7 @@ static CURLcode servercert(struct connectdata *conn,
result = CURLE_SSL_CONNECT_ERROR;
}
else {
- infof(data, "\t issuer: %s\n", buffer);
+ infof(data, " issuer: %s\n", buffer);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
@@ -2619,7 +2622,7 @@ static CURLcode servercert(struct connectdata *conn,
return CURLE_SSL_ISSUER_ERROR;
}
- infof(data, "\t SSL certificate issuer check ok (%s)\n",
+ infof(data, " SSL certificate issuer check ok (%s)\n",
data->set.str[STRING_SSL_ISSUERCERT]);
X509_free(issuer);
}
@@ -2637,12 +2640,12 @@ static CURLcode servercert(struct connectdata *conn,
result = CURLE_PEER_FAILED_VERIFICATION;
}
else
- infof(data, "\t SSL certificate verify result: %s (%ld),"
+ infof(data, " SSL certificate verify result: %s (%ld),"
" continuing anyway.\n",
X509_verify_cert_error_string(lerr), lerr);
}
else
- infof(data, "\t SSL certificate verify ok.\n");
+ infof(data, " SSL certificate verify ok.\n");
}
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \