From ae654266df25c7ddd2ca6bd8d3d32b9942b0b2dd Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 30 Jul 2008 21:24:59 +0000 Subject: - PHP's bug report #43158 (http://bugs.php.net/bug.php?id=43158) identifies a true bug in libcurl built with OpenSSL. It made curl_easy_getinfo() more or less always return 0 for CURLINFO_SSL_VERIFYRESULT because the function that would set it to something non-zero would return before the assign in almost all error cases. The internal variable is now set to non-zero from the start of the function only to get cleared later on if things work out fine. --- CHANGES | 10 ++++++++++ RELEASE-NOTES | 2 ++ lib/ssluse.c | 44 +++++++++++++++++++++++--------------------- 3 files changed, 35 insertions(+), 21 deletions(-) diff --git a/CHANGES b/CHANGES index f87cace9d..16eb857ad 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,16 @@ Changelog +Daniel Stenberg (30 Jul 2008) +- PHP's bug report #43158 (http://bugs.php.net/bug.php?id=43158) identifies a + true bug in libcurl built with OpenSSL. It made curl_easy_getinfo() more or + less always return 0 for CURLINFO_SSL_VERIFYRESULT because the function that + would set it to something non-zero would return before the assign in almost + all error cases. The internal variable is now set to non-zero from the start + of the function only to get cleared later on if things work out fine. + +- Made the curl tool's -w option support the %{ssl_verify_result} variable + Daniel Fandrich (30 Jul 2008) - Added test cases 1052 through 1055 to test uploading data from files during redirects. Test cases 1052 and 1055 show problems (maybe the same diff --git a/RELEASE-NOTES b/RELEASE-NOTES index ba6121f06..9ea04d39c 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES 
@@ -18,6 +18,7 @@ This release includes the following changes: o Now builds for the INTEGRITY operating system o Added CURLINFO_APPCONNECT_TIME o Added test selection by key word in runtests.pl + o the curl tool's -w option support the %{ssl_verify_result} variable This release includes the following bugfixes: @@ -37,6 +38,7 @@ This release includes the following bugfixes: o user-agent in CONNECT with non-HTTP protocols o CURL_READFUNC_PAUSE problems fixed o --use-ascii now works on Symbian OS, MS-DOS and OS/2 + o CURLINFO_SSL_VERIFYRESULT is fixed This release includes the following known bugs: diff --git a/lib/ssluse.c b/lib/ssluse.c index 0311ed16b..cee78bbcc 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1444,7 +1444,7 @@ ossl_connect_step1(struct connectdata *conn, lookup=X509_STORE_add_lookup(connssl->ctx->cert_store,X509_LOOKUP_file()); if ( !lookup || (X509_load_crl_file(lookup,data->set.str[STRING_SSL_CRLFILE], - X509_FILETYPE_PEM)!=1) ) { + X509_FILETYPE_PEM)!=1) ) { failf(data,"error loading CRL file :\n" " CRLfile: %s\n", data->set.str[STRING_SSL_CRLFILE]? @@ -1455,11 +1455,11 @@ ossl_connect_step1(struct connectdata *conn, /* Everything is fine. */ infof(data, "successfully load CRL file:\n"); X509_STORE_set_flags(connssl->ctx->cert_store, - X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); + X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); } infof(data, " CRLfile: %s\n", data->set.str[STRING_SSL_CRLFILE] ? - data->set.str[STRING_SSL_CRLFILE]: "none"); + data->set.str[STRING_SSL_CRLFILE]: "none"); } /* SSL always tries to verify the peer, this only says whether it should @@ -1639,6 +1639,8 @@ static CURLcode servercert(struct connectdata *conn, X509 *issuer; FILE *fp; + data->set.ssl.certverifyresult = !X509_V_OK; + connssl->server_cert = SSL_get_peer_certificate(connssl->handle); if(!connssl->server_cert) { if(strict) 
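Review bot: The added default in servercert(), `data->set.ssl.certverifyresult = !X509_V_OK;`, stores the bare value 1 rather than a named OpenSSL verify code, so every early return (no peer certificate, issuer-cert failures) surfaces through CURLINFO_SSL_VERIFYRESULT as 1, which a caller cannot map to a specific cause and which X509_verify_cert_error_string() may describe misleadingly. Applications use this value to decide whether the peer was verified, so the fail-closed intent deserves a comment on that line, for example `/* fail closed: report a non-OK verify result on every early return; replaced by the real result once verification has run */`. The assignment that replaces the default is not visible in this hunk (the commit message says it happens later in the function), so it is worth confirming that a successful verification always overwrites the placeholder. servercert()'s body continues outside the hunk.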
@@ -1692,34 +1694,34 @@ static CURLcode servercert(struct connectdata *conn, if (data->set.str[STRING_SSL_ISSUERCERT]) { if (! (fp=fopen(data->set.str[STRING_SSL_ISSUERCERT],"r"))) { if (strict) - failf(data, "SSL: Unable to open issuer cert (%s)\n", - data->set.str[STRING_SSL_ISSUERCERT]); - X509_free(connssl->server_cert); - connssl->server_cert = NULL; - return CURLE_SSL_ISSUER_ERROR; + failf(data, "SSL: Unable to open issuer cert (%s)\n", + data->set.str[STRING_SSL_ISSUERCERT]); + X509_free(connssl->server_cert); + connssl->server_cert = NULL; + return CURLE_SSL_ISSUER_ERROR; } issuer = PEM_read_X509(fp,NULL,ZERO_NULL,NULL); if (!issuer) { if (strict) - failf(data, "SSL: Unable to read issuer cert (%s)\n", - data->set.str[STRING_SSL_ISSUERCERT]); - X509_free(connssl->server_cert); - X509_free(issuer); - fclose(fp); - return CURLE_SSL_ISSUER_ERROR; + failf(data, "SSL: Unable to read issuer cert (%s)\n", + data->set.str[STRING_SSL_ISSUERCERT]); + X509_free(connssl->server_cert); + X509_free(issuer); + fclose(fp); + return CURLE_SSL_ISSUER_ERROR; } fclose(fp); if (X509_check_issued(issuer,connssl->server_cert) != X509_V_OK) { if (strict) - failf(data, "SSL: Certificate issuer check failed (%s)\n", - data->set.str[STRING_SSL_ISSUERCERT]); - X509_free(connssl->server_cert); - X509_free(issuer); - connssl->server_cert = NULL; + failf(data, "SSL: Certificate issuer check failed (%s)\n", + data->set.str[STRING_SSL_ISSUERCERT]); + X509_free(connssl->server_cert); + X509_free(issuer); + connssl->server_cert = NULL; return CURLE_SSL_ISSUER_ERROR; } infof(data, "\t SSL certificate issuer check ok (%s)\n", - data->set.str[STRING_SSL_ISSUERCERT]); + data->set.str[STRING_SSL_ISSUERCERT]); X509_free(issuer); } 
@@ -1728,7 +1730,7 @@ static CURLcode servercert(struct connectdata *conn, if(data->set.ssl.certverifyresult != X509_V_OK) { if(data->set.ssl.verifypeer) { /* We probably never reach this, because SSL_connect() will fail - and we return earlyer if verifypeer is set? */ + and we return earlier if verifypeer is set? */ if(strict) failf(data, "SSL certificate verify result: %s (%ld)", X509_verify_cert_error_string(lerr), lerr); -- cgit v1.2.3