Adding RFC2818 compliance to axTLS and moving helper functions to a generic place. #46

Closed
wants to merge 34 commits into
from

Contributor

okoeroo commented Nov 3, 2012

axTLS:
This will make the axTLS backend perform the RFC2818 checks, honoring the VERIFYHOST setting similar to the OpenSSL backend.

Generic for OpenSSL and axTLS:
Also move the hostcheck and cert_hostcheck functions from the lib/ssluse.c files to make them generically available for both the OpenSSL, axTLS and other SSL backends in the near future. Currently these are now in the lib/rawstr.c but will be moved later in a separate file.

CyaSSL:
CyaSSL has the RFC2818 checks also enabled now by default. There is a limitation that the verifyhost can not be enabled exclusively on the Subject CN field comparison. This SSL backend will thus behave like the NSS and the GnuTLS (meaning: RFC2818 ok, or bust). In other words: setting verifyhost to 0 or 1 will disable the Subject Alt Names checks too.

Schannel:
Updated the schannel information messages: Split the IP address usage message from the verifyhost setting and changed the message about disabling SNI (Server Name Indication, used in HTTP virtual hosting) into a message stating that the Subject Alternative Names checks are being disabled when verifyhost is set to 0 or 1. As a side effect of switching off the RFC2818 related servername checks with SCH_CRED_NO_SERVERNAME_CHECK (http://msdn.microsoft.com/en-us/library/aa923430.aspx) the SNI feature is being disabled. This effect is not documented in MSDN, but Wireshark output clearly shows the effect (details on the libcurl maillist).

PolarSSL:
Fix the prototype change in PolarSSL of ssl_set_session() and the move of the peer_cert from the ssl_context to the ssl_session. Found this change in the PolarSSL SVN between r1316 and r1317 where the POLARSSL_VERSION_NUMBER was at 0x01010100. But to accommodate the Ubuntu PolarSSL version 1.1.4 the check is to discriminate between lower than PolarSSL version 1.2.0 and 1.2.0 and higher. Note: The PolarSSL SVN trunk jumped from version 1.1.1 to 1.2.0.

curl tool:
Sets a CURLOPT_SSL_VERIFYHOST value of 0L.

Generic:
All the SSL backends are fixed and checked to work with the ssl.verifyhost as a boolean, which is an internal API change.
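
The RFC 2818 identity rule this pull request describes (subjectAltName dNSName entries first, Subject CN only as a fallback), as an added C example that is not curl's hostcheck code. The function names are hypothetical, the names are assumed to be already extracted from the certificate as NUL-terminated strings, and wildcards are deliberately limited to a whole left-most label.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* ASCII case-insensitive equality; host names compare without regard to case */
static int ieq(const char *a, const char *b)
{
  for(; *a && *b; a++, b++)
    if(tolower((unsigned char)*a) != tolower((unsigned char)*b))
      return 0;
  return *a == *b;
}

/* Match one certificate name against the requested host.
   Simplification (assumption of this example): a wildcard is honoured only
   as the whole left-most label ("*.example.com") and covers exactly one label. */
static int name_matches(const char *pattern, const char *host)
{
  const char *rest;

  if(strncmp(pattern, "*.", 2) != 0)
    return ieq(pattern, host);
  if(!strchr(pattern + 2, '.'))   /* refuse "*.com"-style patterns */
    return 0;
  rest = strchr(host, '.');       /* skip exactly one host label */
  if(!rest || rest == host)
    return 0;
  return ieq(pattern + 1, rest);
}

/* san_dns/n_san: dNSName entries from subjectAltName (n_san may be 0).
   cn: Subject Common Name or NULL. host: the name the client asked for.
   Returns 1 when the certificate identifies host, 0 otherwise. */
int rfc2818_host_ok(const char *const *san_dns, size_t n_san,
                    const char *cn, const char *host)
{
  size_t i;

  if(n_san > 0) {
    /* dNSName present: it is the identity and the CN is never consulted */
    for(i = 0; i < n_san; i++)
      if(name_matches(san_dns[i], host))
        return 1;
    return 0;
  }
  return cn != NULL && name_matches(cn, host);
}
```

A certificate that carries dNSName entries and a CN equal to the requested host is still rejected when no dNSName matches; that case is what separates a SubjectAltName-aware check from a CN-only comparison.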

okoeroo added some commits Nov 3, 2012

@okoeroo okoeroo Adding RFC2818 compliance checks to axTLS. Completely new are the SubjectAltName checks. The peer CN field fallback is implemented matching the OpenSSL behaviour. VERIFYHOST 0 == 1.
1bc4e22
@okoeroo okoeroo Moved the hostcheck and cert_hostcheck static functions from lib/ssluse.c to rawstr.c to make them usable by the axTLS and other SSL backends. Also prefixed the functions with Curl_
0ddef25
@okoeroo okoeroo Adding RFC2818 checks for CyaSSL. This implementation will work similar to GnuTLS and NSS, meaning that you can't distinguish between a SubjectAltName failure and CN failure
f1e5d4c
@okoeroo okoeroo Split the IP address usage message from the verifyhost setting and changing the wrong message about disabling SNI (Server Name Indication, used in HTTP virtual hosting) where SAN (Subject Alternative Name) is meant according to http://msdn.microsoft.com/en-us/library/aa923430.aspx about the flag SCH_CRED_NO_SERVERNAME_CHECK
971b13c
@okoeroo okoeroo Moved the hostmatch and cert_hostcheck function out of the rawstr.c and into new files hostcheck.c and hostcheck.h. The OpenSSL and axTLS SSL backend code is now adjusted to use the hostcheck.h header for the prototypes. The Makefile.inc is updated with these two new files and everything builds and tests nicely.
ebbf7d8
@okoeroo okoeroo Improved the Schannel informational texts to indicate that SNI usage is disabled together with disabling the servername check against the subject name(s) with the flag SCH_CRED_NO_SERVERNAME_CHECK.
fbff64b
@okoeroo okoeroo Fix the prototype change of ssl_set_session and the move of the peer_cert from the ssl_context to the ssl_session. Found in the PolarSSL SVN between r1316 and r1317 where the POLARSSL_VERSION_NUMBER was at 0x01010100.
1e3aea9
@okoeroo okoeroo It seems Ubuntu 12.10 has a slight offset to what I found in SVN. This needs further attention, this works now with Ubuntu's libpolarssl
4d04589
@okoeroo okoeroo Ubuntu's PolarSSL version 1.1.4 doesn't exist in the PolarSSL SVN trunk. Assuming 1.2.x as a different release compared to 1.1.x, changing the #if POLARSSL_VERSION_NUMBER<=0x01010400 to POLARSSL_VERSION_NUMBER<0x01020000.
5e85cea
@okoeroo okoeroo Removed unused code and added an explicit errSSLHostNameMismatch error switch-case that changes curl's generic failure on an SSL issue (CURLE_SSL_CONNECT_ERROR) to the explicit error code CURLE_PEER_FAILED_VERIFICATION which is used in all the other SSL backends for the same situation.
c70617a
@okoeroo okoeroo For the PolarSSL version 1.2.0 and up now getting the peer certificate via the function ssl_get_peer_cert() with thanks to the PolarSSL twitter account for feedback.
81e0496

bagder was assigned Nov 5, 2012

okoeroo and others added some commits Nov 6, 2012

@okoeroo okoeroo Patched the Darwin, Schannel and OpenSSL interfaces. Also adjusted in the curl tool sets a CURLOPT_SSL_VERIFYHOST of value 0.
9d3e503
@okoeroo okoeroo Merge branch 'master' of github.com:okoeroo/curl 9eb04b7
@bagder bagder Revert "Zero out auth structs before transfer"
This reverts commit ce8311c.

The commit made test 2024 work but caused a regression with repeated
Digest authentication. We need to fix this differently.
8e329bb
@bagder bagder test1412: verify Digest with repeated URLs
This test case verifies that bug 3582718 is fixed.

Bug: http://curl.haxx.se/bug/view.cgi?id=3582718
Reported by: Nick Zitzmann (originally)
95326a4
@bagder bagder Curl_pretransfer: clear out unwanted auth methods
As a handle can be re-used after having done HTTP auth in a previous
request, it must make sure to clear out the HTTP types that aren't
wanted in this new request.
13ce903
@bagder bagder test 2027/2030: take duplicate Digest requests into account
With the reversion of ce8311c and the new clear logic, this flaw
is present and we allow it.
8d97bed
@bagder bagder curl: set CURLOPT_SSL_VERIFYHOST to 0 to disable a1be8e7
@bagder bagder OpenSSL/servercert: use correct buffer size, not size of pointer 3f20303
@bagder bagder URL parser: cut off '#' fragments from URLs (better)
The existing logic only cut off the fragment from the separate 'path'
buffer which is used when sending HTTP to hosts. The buffer that held
the full URL used for proxies were not dealt with. It is now.

Test case 5 was updated to use a fragment on a URL over a proxy.

Bug: http://curl.haxx.se/bug/view.cgi?id=3579813
473003f
@bagder bagder test1413: verify redirects to URLs with fragments
The bug report claimed it didn't work. This problem was probably fixed
in 473003f.

Bug: http://curl.haxx.se/bug/view.cgi?id=3581898
cda6d89
@okoeroo okoeroo Adding RFC2818 compliance checks to axTLS. Completely new are the SubjectAltName checks. The peer CN field fallback is implemented matching the OpenSSL behaviour. VERIFYHOST 0 == 1.
a46e66e
@okoeroo okoeroo Resolving conflict after rebase ab20e7c
@okoeroo okoeroo Moved the hostcheck and cert_hostcheck static functions from lib/ssluse.c to rawstr.c to make them usable by the axTLS and other SSL backends. Also prefixed the functions with Curl_
d4386ef
@okoeroo okoeroo Adding RFC2818 checks for CyaSSL. This implementation will work similar to GnuTLS and NSS, meaning that you can't distinguish between a SubjectAltName failure and CN failure
2ca36e7
@okoeroo okoeroo Merged after rebase d09c88e
@okoeroo okoeroo Moved the hostmatch and cert_hostcheck function out of the rawstr.c and into new files hostcheck.c and hostcheck.h. The OpenSSL and axTLS SSL backend code is now adjusted to use the hostcheck.h header for the prototypes. The Makefile.inc is updated with these two new files and everything builds and tests nicely.
f2eaa70
@okoeroo okoeroo Fix the prototype change of ssl_set_session and the move of the peer_cert from the ssl_context to the ssl_session. Found in the PolarSSL SVN between r1316 and r1317 where the POLARSSL_VERSION_NUMBER was at 0x01010100.
7748dc7
@okoeroo okoeroo It seems Ubuntu 12.10 has a slight offset to what I found in SVN. This needs further attention, this works now with Ubuntu's libpolarssl
4bfd2fa
@okoeroo okoeroo Ubuntu's PolarSSL version 1.1.4 doesn't exist in the PolarSSL SVN trunk. Assuming 1.2.x as a different release compared to 1.1.x, changing the #if POLARSSL_VERSION_NUMBER<=0x01010400 to POLARSSL_VERSION_NUMBER<0x01020000.
5dae9ab
@okoeroo okoeroo Merge after rebase 573b4a1
@okoeroo okoeroo Merge branch 'master' of github.com:okoeroo/curl 24e8f9a
@okoeroo okoeroo Manually reapplying a recent diff between the main repo and my repo d565b38
@okoeroo okoeroo Compensating in the axTLS and CyaSSL code for the internal change of the set.ssl.verifyhost from an int to a boolean.
029f8f1
Contributor

okoeroo commented Nov 7, 2012

I've gone through the git rebase work to get to a better known state of my repo compared to yours. The files I didn't intend to touch are kept in sync with the latest versions in the main repo (regarding docs and such files).

I also needed to fix the axTLS and CyaSSL backends to function with the recently changed type of the ssl.verifyhost variable, which changed from an int/long to a boolean.

Owner

bagder commented Nov 7, 2012

Sorry, but I only want the rebased commits. I can't rebase this set on top of master, I get lots of merge conflicts then.

Contributor

okoeroo commented Nov 7, 2012

Yeah, I think Git wants to integrate it as is, not look back a few steps. I think I'll better re-create a new pull request to fix it.

okoeroo closed this Nov 7, 2012
