Commit
SSL: Several SSL-backend related fixes
axTLS: This will make the axTLS backend perform the RFC2818 checks, honoring the VERIFYHOST setting similar to the OpenSSL backend.

Generic for OpenSSL and axTLS: Move the hostcheck and cert_hostcheck functions from the lib/ssluse.c file to make them generically available for both the OpenSSL, axTLS and other SSL backends. They are now in the new lib/hostcheck.c file.

CyaSSL: CyaSSL now also has the RFC2818 checks enabled by default. There is a limitation that the verifyhost can not be enabled exclusively on the Subject CN field comparison. This SSL backend will thus behave like the NSS and the GnuTLS (meaning: RFC2818 ok, or bust). In other words: setting verifyhost to 0 or 1 will disable the Subject Alt Names checks too.

Schannel: Updated the schannel information messages: Split the IP address usage message from the verifyhost setting and changed the message about disabling SNI (Server Name Indication, used in HTTP virtual hosting) into a message stating that the Subject Alternative Names checks are being disabled when verifyhost is set to 0 or 1. As a side effect of switching off the RFC2818 related servername checks with SCH_CRED_NO_SERVERNAME_CHECK (http://msdn.microsoft.com/en-us/library/aa923430.aspx) the SNI feature is being disabled. This effect is not documented in MSDN, but Wireshark output clearly shows the effect (details on the libcurl maillist).

PolarSSL: Fix the prototype change in PolarSSL of ssl_set_session() and the move of the peer_cert from the ssl_context to the ssl_session. Found this change in the PolarSSL SVN between r1316 and r1317 where the POLARSSL_VERSION_NUMBER was at 0x01010100. But to accommodate the Ubuntu PolarSSL version 1.1.4 the check is to discriminate between lower than PolarSSL version 1.2.0 and 1.2.0 and higher. Note: The PolarSSL SVN trunk jumped from version 1.1.1 to 1.2.0.

Generic: All the SSL backends are fixed and checked to work with the ssl.verifyhost as a boolean, which is an internal API change.
Showing 9 changed files with 270 additions and 89 deletions.
@@ -0,0 +1,91 @@ | ||
/*************************************************************************** | ||
* _ _ ____ _ | ||
* Project ___| | | | _ \| | | ||
* / __| | | | |_) | | | ||
* | (__| |_| | _ <| |___ | ||
* \___|\___/|_| \_\_____| | ||
* | ||
* Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
* | ||
* This software is licensed as described in the file COPYING, which | ||
* you should have received as part of this distribution. The terms | ||
* are also available at http://curl.haxx.se/docs/copyright.html. | ||
* | ||
* You may opt to use, copy, modify, merge, publish, distribute and/or sell | ||
* copies of the Software, and permit persons to whom the Software is | ||
* furnished to do so, under the terms of the COPYING file. | ||
* | ||
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY | ||
* KIND, either express or implied. | ||
* | ||
***************************************************************************/ | ||
|
||
#include "setup.h" | ||
|
||
#include "hostcheck.h" | ||
#include "rawstr.h" | ||
|
||
/* | ||
* Match a hostname against a wildcard pattern. | ||
* E.g. | ||
* "foo.host.com" matches "*.host.com". | ||
* | ||
* We use the matching rule described in RFC6125, section 6.4.3. | ||
* http://tools.ietf.org/html/rfc6125#section-6.4.3 | ||
*/ | ||
|
||
int Curl_hostmatch(const char *hostname, const char *pattern) | ||
{ | ||
const char *pattern_label_end, *pattern_wildcard, *hostname_label_end; | ||
int wildcard_enabled; | ||
size_t prefixlen, suffixlen; | ||
pattern_wildcard = strchr(pattern, '*'); | ||
if(pattern_wildcard == NULL) | ||
return Curl_raw_equal(pattern, hostname) ? | ||
CURL_HOST_MATCH : CURL_HOST_NOMATCH; | ||
|
||
/* We require at least 2 dots in pattern to avoid too wide wildcard | ||
match. */ | ||
wildcard_enabled = 1; | ||
pattern_label_end = strchr(pattern, '.'); | ||
if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL || | ||
pattern_wildcard > pattern_label_end || | ||
Curl_raw_nequal(pattern, "xn--", 4)) { | ||
wildcard_enabled = 0; | ||
} | ||
if(!wildcard_enabled) | ||
return Curl_raw_equal(pattern, hostname) ? | ||
CURL_HOST_MATCH : CURL_HOST_NOMATCH; | ||
|
||
hostname_label_end = strchr(hostname, '.'); | ||
if(hostname_label_end == NULL || | ||
!Curl_raw_equal(pattern_label_end, hostname_label_end)) | ||
return CURL_HOST_NOMATCH; | ||
|
||
/* The wildcard must match at least one character, so the left-most | ||
label of the hostname is at least as large as the left-most label | ||
of the pattern. */ | ||
if(hostname_label_end - hostname < pattern_label_end - pattern) | ||
return CURL_HOST_NOMATCH; | ||
|
||
prefixlen = pattern_wildcard - pattern; | ||
suffixlen = pattern_label_end - (pattern_wildcard+1); | ||
return Curl_raw_nequal(pattern, hostname, prefixlen) && | ||
Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen, | ||
suffixlen) ? | ||
CURL_HOST_MATCH : CURL_HOST_NOMATCH; | ||
} | ||
|
||
int Curl_cert_hostcheck(const char *match_pattern, const char *hostname) | ||
{ | ||
if(!match_pattern || !*match_pattern || | ||
!hostname || !*hostname) /* sanity check */ | ||
return 0; | ||
|
||
if(Curl_raw_equal(hostname, match_pattern)) /* trivial case */ | ||
return 1; | ||
|
||
if(Curl_hostmatch(hostname,match_pattern) == CURL_HOST_MATCH) | ||
return 1; | ||
return 0; | ||
} |
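Review bot: `strchr` is called throughout `Curl_hostmatch` (the initial wildcard lookup and the label-end checks) but the only includes are `setup.h`, `hostcheck.h` and `rawstr.h`; unless `setup.h` is guaranteed to pull in `<string.h>` on every platform, add `#include <string.h>` explicitly so this now-shared file does not depend on a transitive include. Also, `Curl_cert_hostcheck` returns bare 1/0 while `Curl_hostmatch` uses `CURL_HOST_MATCH`/`CURL_HOST_NOMATCH`; a short comment above `Curl_cert_hostcheck` stating that it returns 1 only on a verified match and 0 in every other case (NULL/empty inputs included) would document the contract for the backends that are now going to call it. The wildcard restrictions themselves (wildcard only in the left-most label, at least two dots in the pattern, no wildcard on an `xn--` label, wildcard must consume at least one character) follow the cited RFC 6125 section 6.4.3 and look correct.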
@@ -0,0 +1,32 @@ | ||
#ifndef __HOSTCHECK_H | ||
#define __HOSTCHECK_H | ||
/*************************************************************************** | ||
* _ _ ____ _ | ||
* Project ___| | | | _ \| | | ||
* / __| | | | |_) | | | ||
* | (__| |_| | _ <| |___ | ||
* \___|\___/|_| \_\_____| | ||
* | ||
* Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
* | ||
* This software is licensed as described in the file COPYING, which | ||
* you should have received as part of this distribution. The terms | ||
* are also available at http://curl.haxx.se/docs/copyright.html. | ||
* | ||
* You may opt to use, copy, modify, merge, publish, distribute and/or sell | ||
* copies of the Software, and permit persons to whom the Software is | ||
* furnished to do so, under the terms of the COPYING file. | ||
* | ||
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY | ||
* KIND, either express or implied. | ||
* | ||
***************************************************************************/ | ||
|
||
#include <curl/curl.h> | ||
|
||
#define CURL_HOST_NOMATCH 0 | ||
#define CURL_HOST_MATCH 1 | ||
int Curl_hostmatch(const char *hostname, const char *pattern); | ||
int Curl_cert_hostcheck(const char *match_pattern, const char *hostname); | ||
|
||
#endif |
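Review bot: The include guard `__HOSTCHECK_H` starts with a double underscore, which the C standard reserves for the implementation; rename it (e.g. `HEADER_CURL_HOSTCHECK_H`) to avoid a possible clash with compiler or libc macros. Minor: `<curl/curl.h>` is included but the two prototypes only use `const char *`, so either drop that include or add a comment saying what it is needed for, and a blank line between the `CURL_HOST_MATCH` define and the prototypes would make the header easier to read.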