Certificate SAN ip addresses not checked correctly for GSKit TLS provider #3102
I did this
Ran an HTTPS application using libcurl + GSKit TLS provider, connecting to a server at https://192.168.0.2:9443 who's certificate contains a SAN of:
I expected the following
For the connection to succeed
It appears that the implementation of Curl_verifyhost in x509asn1.c does a memcmp of &addr and q (where q = Curl_getASN1Element(...)). Running with a debugger appears to show that (name.end - q) = 0, which when compared to addrlen fails, preventing the memcmp even happening.
I wonder if it should it be comparing addrlen to (name.end - name.beg) & memcmp-ing &addr with name.beg?
The text was updated successfully, but these errors were encountered:
Yeah that doesn't look right. On success the pointer assigned to q should always be the same as what was assigned to name.end which means it would always be 0. I almost can't believe nobody's ever caught that though it must not be a heavily used function since it's gskit. I agree your solution sounds correct. Are you able to test it out and write up a PR for it?
field of a certificate. For IP addresses in the subject alternative name field, the length of the IP address (and hence the number of bytes to perform a memcmp on) is incorrectly calculated to be zero. The code previously subtracted q from name.end. where in a successful case q = name.end and therefore addrlen equalled 0. The change modifies the code to subtract name.beg from name.end to calculate the length correctly. Fixes curl#3102