From 5f5b6263573ba70f06988f8e439feec4520b1b36 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 16 Mar 2016 11:02:33 +0100 Subject: openssl: verbose: show matching SAN pattern ... to allow users to see which specfic wildcard that matched when such is used. Also minor logic cleanup to simplify the code, and I removed all tabs from verbose strings. --- lib/vtls/openssl.c | 57 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 30 insertions(+), 27 deletions(-) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 1517ca22b..3b19369f1 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -1024,8 +1024,7 @@ void Curl_ossl_close_all(struct SessionHandle *data) */ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) { - int matched = -1; /* -1 is no alternative match yet, 1 means match and 0 - means mismatch */ + bool matched = FALSE; int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */ size_t addrlen = 0; struct SessionHandle *data = conn->data; @@ -1062,7 +1061,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) numalts = sk_GENERAL_NAME_num(altnames); /* loop through all alternatives while none has matched */ - for(i=0; (ihost.name)) - matched = 1; - else - matched = 0; + Curl_cert_hostcheck(altptr, conn->host.name)) { + matched = TRUE; + infof(data, + " subjectAltName: host \"%s\" matched cert's \"%s\"\n", + conn->host.dispname, altptr); + } break; case GEN_IPADD: /* IP address comparison */ /* compare alternative IP address if the data chunk is the same size our server IP address is */ - if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) - matched = 1; - else - matched = 0; + if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) { + matched = TRUE; + infof(data, + " subjectAltName: host \"%s\" matched cert's IP address!\n", + conn->host.dispname); + } break; } } @@ -1107,13 +1110,13 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) GENERAL_NAMES_free(altnames); } - if(matched == 1) - /* an alternative name matched the server hostname */ - infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname); - else if(matched == 0) { - /* an alternative name field existed, but didn't match and then - we MUST fail */ - infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname); + if(matched) + /* an alternative name matched */ + ; + else if(altnames) { + /* an alternative name field existed, but didn't match and then we MUST + fail */ + infof(data, " subjectAltName does not match %s\n", conn->host.dispname); failf(data, "SSL: no alternative certificate subject name matches " "target host name '%s'", conn->host.dispname); result = CURLE_PEER_FAILED_VERIFICATION; @@ -1123,7 +1126,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) distinguished one to get the most significant one. */ int j, i=-1; -/* The following is done because of a bug in 0.9.6b */ + /* The following is done because of a bug in 0.9.6b */ unsigned char *nulstr = (unsigned char *)""; unsigned char *peer_CN = nulstr; @@ -1195,7 +1198,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) result = CURLE_PEER_FAILED_VERIFICATION; } else { - infof(data, "\t common name: %s (matched)\n", peer_CN); + infof(data, " common name: %s (matched)\n", peer_CN); } if(peer_CN) OPENSSL_free(peer_CN); @@ -2548,16 +2551,16 @@ static CURLcode servercert(struct connectdata *conn, rc = x509_name_oneline(X509_get_subject_name(connssl->server_cert), buffer, BUFSIZE); - infof(data, "\t subject: %s\n", rc?"[NONE]":buffer); + infof(data, " subject: %s\n", rc?"[NONE]":buffer); ASN1_TIME_print(mem, X509_get_notBefore(connssl->server_cert)); len = BIO_get_mem_data(mem, (char **) &ptr); - infof(data, "\t start date: %.*s\n", len, ptr); + infof(data, " start date: %.*s\n", len, ptr); rc = BIO_reset(mem); ASN1_TIME_print(mem, X509_get_notAfter(connssl->server_cert)); len = BIO_get_mem_data(mem, (char **) &ptr); - infof(data, "\t expire date: %.*s\n", len, ptr); + infof(data, " expire date: %.*s\n", len, ptr); rc = BIO_reset(mem); BIO_free(mem); @@ -2579,7 +2582,7 @@ static CURLcode servercert(struct connectdata *conn, result = CURLE_SSL_CONNECT_ERROR; } else { - infof(data, "\t issuer: %s\n", buffer); + infof(data, " issuer: %s\n", buffer); /* We could do all sorts of certificate verification stuff here before deallocating the certificate. */ @@ -2619,7 +2622,7 @@ static CURLcode servercert(struct connectdata *conn, return CURLE_SSL_ISSUER_ERROR; } - infof(data, "\t SSL certificate issuer check ok (%s)\n", + infof(data, " SSL certificate issuer check ok (%s)\n", data->set.str[STRING_SSL_ISSUERCERT]); X509_free(issuer); } @@ -2637,12 +2640,12 @@ static CURLcode servercert(struct connectdata *conn, result = CURLE_PEER_FAILED_VERIFICATION; } else - infof(data, "\t SSL certificate verify result: %s (%ld)," + infof(data, " SSL certificate verify result: %s (%ld)," " continuing anyway.\n", X509_verify_cert_error_string(lerr), lerr); } else - infof(data, "\t SSL certificate verify ok.\n"); + infof(data, " SSL certificate verify ok.\n"); } #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ -- cgit v1.2.3