diff options
Diffstat (limited to 'lib/ssluse.c')
-rw-r--r-- | lib/ssluse.c | 91 |
1 files changed, 13 insertions, 78 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c index a701131f..92ae2e3e 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -50,6 +50,7 @@ #include "select.h" #include "sslgen.h" #include "rawstr.h" +#include "hostcheck.h" #define _MPRINTF_REPLACE /* use the internal *printf() functions */ #include <curl/mprintf.h> @@ -1039,71 +1040,6 @@ static int asn1_output(const ASN1_UTCTIME *tm, /* ====================================================== */ -/* - * Match a hostname against a wildcard pattern. - * E.g. - * "foo.host.com" matches "*.host.com". - * - * We use the matching rule described in RFC6125, section 6.4.3. - * http://tools.ietf.org/html/rfc6125#section-6.4.3 - */ -#define HOST_NOMATCH 0 -#define HOST_MATCH 1 - -static int hostmatch(const char *hostname, const char *pattern) -{ - const char *pattern_label_end, *pattern_wildcard, *hostname_label_end; - int wildcard_enabled; - size_t prefixlen, suffixlen; - pattern_wildcard = strchr(pattern, '*'); - if(pattern_wildcard == NULL) { - return Curl_raw_equal(pattern, hostname) ? HOST_MATCH : HOST_NOMATCH; - } - /* We require at least 2 dots in pattern to avoid too wide wildcard - match. */ - wildcard_enabled = 1; - pattern_label_end = strchr(pattern, '.'); - if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL || - pattern_wildcard > pattern_label_end || - Curl_raw_nequal(pattern, "xn--", 4)) { - wildcard_enabled = 0; - } - if(!wildcard_enabled) { - return Curl_raw_equal(pattern, hostname) ? HOST_MATCH : HOST_NOMATCH; - } - hostname_label_end = strchr(hostname, '.'); - if(hostname_label_end == NULL || - !Curl_raw_equal(pattern_label_end, hostname_label_end)) { - return HOST_NOMATCH; - } - /* The wildcard must match at least one character, so the left-most - label of the hostname is at least as large as the left-most label - of the pattern. */ - if(hostname_label_end - hostname < pattern_label_end - pattern) { - return HOST_NOMATCH; - } - prefixlen = pattern_wildcard - pattern; - suffixlen = pattern_label_end - (pattern_wildcard+1); - return Curl_raw_nequal(pattern, hostname, prefixlen) && - Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen, - suffixlen) ? - HOST_MATCH : HOST_NOMATCH; -} - -static int -cert_hostcheck(const char *match_pattern, const char *hostname) -{ - if(!match_pattern || !*match_pattern || - !hostname || !*hostname) /* sanity check */ - return 0; - - if(Curl_raw_equal(hostname, match_pattern)) /* trivial case */ - return 1; - - if(hostmatch(hostname,match_pattern) == HOST_MATCH) - return 1; - return 0; -} /* Quote from RFC2818 section 3.1 "Server Identity" @@ -1192,7 +1128,7 @@ static CURLcode verifyhost(struct connectdata *conn, if((altlen == strlen(altptr)) && /* if this isn't true, there was an embedded zero in the name string and we cannot match it. */ - cert_hostcheck(altptr, conn->host.name)) + Curl_cert_hostcheck(altptr, conn->host.name)) matched = 1; else matched = 0; @@ -1291,15 +1227,10 @@ static CURLcode verifyhost(struct connectdata *conn, "SSL: unable to obtain common name from peer certificate"); res = CURLE_PEER_FAILED_VERIFICATION; } - else if(!cert_hostcheck((const char *)peer_CN, conn->host.name)) { - if(data->set.ssl.verifyhost > 1) { - failf(data, "SSL: certificate subject name '%s' does not match " - "target host name '%s'", peer_CN, conn->host.dispname); - res = CURLE_PEER_FAILED_VERIFICATION; - } - else - infof(data, "\t common name: %s (does not match '%s')\n", - peer_CN, conn->host.dispname); + else if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) { + failf(data, "SSL: certificate subject name '%s' does not match " + "target host name '%s'", peer_CN, conn->host.dispname); + res = CURLE_PEER_FAILED_VERIFICATION; } else { infof(data, "\t common name: %s (matched)\n", peer_CN); @@ -1570,6 +1501,10 @@ ossl_connect_step1(struct connectdata *conn, ctx_options |= SSL_OP_NO_TICKET; #endif +#ifdef SSL_OP_NO_COMPRESSION + ctx_options |= SSL_OP_NO_COMPRESSION; +#endif + #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG /* mitigate CVE-2010-4180 */ ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; @@ -2308,11 +2243,11 @@ static CURLcode servercert(struct connectdata *conn, infof(data, "\t subject: %s\n", buffer); certdate = X509_get_notBefore(connssl->server_cert); - asn1_output(certdate, buffer, sizeof(buffer)); + asn1_output(certdate, buffer, BUFSIZE); infof(data, "\t start date: %s\n", buffer); certdate = X509_get_notAfter(connssl->server_cert); - asn1_output(certdate, buffer, sizeof(buffer)); + asn1_output(certdate, buffer, BUFSIZE); infof(data, "\t expire date: %s\n", buffer); if(data->set.ssl.verifyhost) { @@ -2325,7 +2260,7 @@ static CURLcode servercert(struct connectdata *conn, } rc = x509_name_oneline(X509_get_issuer_name(connssl->server_cert), - buffer, sizeof(buffer)); + buffer, BUFSIZE); if(rc) { if(strict) failf(data, "SSL: couldn't get X509-issuer name!"); |