Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Certificate SAN ip addresses not checked correctly for GSKit TLS provider #3102
I did this
Ran an HTTPS application using libcurl + GSKit TLS provider, connecting to a server at https://192.168.0.2:9443 who's certificate contains a SAN of:
I expected the following
For the connection to succeed
It appears that the implementation of Curl_verifyhost in x509asn1.c does a memcmp of &addr and q (where q = Curl_getASN1Element(...)). Running with a debugger appears to show that (name.end - q) = 0, which when compared to addrlen fails, preventing the memcmp even happening.
I wonder if it should it be comparing addrlen to (name.end - name.beg) & memcmp-ing &addr with name.beg?
Yeah that doesn't look right. On success the pointer assigned to q should always be the same as what was assigned to name.end which means it would always be 0. I almost can't believe nobody's ever caught that though it must not be a heavily used function since it's gskit. I agree your solution sounds correct. Are you able to test it out and write up a PR for it?
field of a certificate. For IP addresses in the subject alternative name field, the length of the IP address (and hence the number of bytes to perform a memcmp on) is incorrectly calculated to be zero. The code previously subtracted q from name.end. where in a successful case q = name.end and therefore addrlen equalled 0. The change modifies the code to subtract name.beg from name.end to calculate the length correctly. Fixes curl#3102