curl-library

Re: "The Most Dangerous Code in the World"

From: Oscar Koeroo <okoeroo_at_nikhef.nl>
Date: Sun, 04 Nov 2012 03:06:30 +0100

On 28-10-12 22:25, Oscar Koeroo wrote:
[...]
> I pulled a fresh cUrl and looked at the cUrl code enabling axTLS, CyaSSL,
> GnuTLS, NSS, OpenSSL, PolarSSL and QsoSSL. I could only find the API docs
> for QsoSSL, but I've downloaded and read the code in these SSL
> implementation up to and including where it started to verify the
> certificate chain as a TLS client and where/how either the SSL library or
> cUrl is implementing the RFC2818 checks for a secure HTTP over TLS check
> before we set an CURL_OK;.

errata:

I've combined all the fixes and adjustments of axTLS, CyaSSL, Darwin and
OpenSSL into https://github.com/bagder/curl/pull/46

I've not been able to mess around/verify the Windows API, but it looks good
based on what I'm reading on MSDN and how this is reflected in cUrl.
Likewise I've not touched the QsoSSL (IBM i) interface. If somebody donates
the code for QsoSSL (and if needed the matching hardware), I will build this
in too.

PolarSSL is going to need more time. Its recent API in SVN is quite
different from what I can find in repos like Debian(6) and will need some
more pre-processor magic to make this work again. A backwards compatible
safety check might also be interesting as my findings were based on the
latest and greatest PolarSSL from their SVN.

More later on PolarSSL.

        Oscar "on a role"

The missing interfaces Windows and Darwin's SSL backend:

lib/curl_schannel.c
VerifyHost is not used
It's RFC2818 compliant out of the box, like NSS. It's the only SSL security
opt-out SSL interface I've seen. To switch it off you'll need to set the
flag SCH_CRED_NO_SERVERNAME_CHECK according to
http://msdn.microsoft.com/en-us/library/aa923430.aspx :

    if(Curl_inet_pton(AF_INET, conn->host.name, &addr) ||
    #ifdef ENABLE_IPV6
       Curl_inet_pton(AF_INET6, conn->host.name, &addr6) ||
    #endif
       data->set.ssl.verifyhost < 2) {
      schannel_cred.dwFlags |= SCH_CRED_NO_SERVERNAME_CHECK;
      infof(data, "schannel: using IP address, disable SNI servername "
            "check\n");
    }

Note: The info statement of SNI is wrong, it should've said SAN or something
related to the common name and/or subject alt names.

lib/curl_darwin.c
VerifyHost is not used

It's RFC2818 compliant.

    /* If this is a domain name and not an IP address, then configure SNI: */
    if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
    #ifdef ENABLE_IPV6
       (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
    #endif
       sni) {
      err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name,
                                 strlen(conn->host.name));
      if(err != noErr) {
        infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d",
              err);
      }
    }

Note: The info statement of SNI is wrong, it should've said SAN or something
related to the common name and/or subject alt names. Copy/Paste error? Also
the 'sni' variable is initialized to 'true' in the top of this function
without any use in the code.

Note2: I've offered a patch to fix these tiny things, including the addition
of an explicit failure status to curl on a mismatch.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-11-04
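
Added example, not part of the mail above and not curl's or any SSL library's code: both excerpts branch on whether the host is an IP literal, and this sketch shows the subjectAltName part of the RFC 2818 section 3.1 identity check that follows from that split (dNSName for host names, iPAddress for IP literals). Assumptions: the `struct san` type and the function names are hypothetical, SAN values are already extracted as strings, the wildcard rule is deliberately stricter than RFC 2818 (whole left-most label only), and the Common Name fallback is omitted.

```c
#include <arpa/inet.h>
#include <string.h>
#include <strings.h>

/* One subjectAltName entry; the struct and its fields are hypothetical. */
struct san { int is_ip; const char *value; };

/* Parse an IP literal: returns 4 or 16 (bytes written to out), or 0. */
static size_t parse_ip(const char *s, unsigned char out[16])
{
  if(inet_pton(AF_INET, s, out) == 1)
    return 4;
  if(inet_pton(AF_INET6, s, out) == 1)
    return 16;
  return 0;
}

/* dNSName match, case-insensitive. A "*" is honoured only as the whole
   left-most label and then stands for exactly one non-empty label. */
static int dns_match(const char *pattern, const char *host)
{
  if(strncmp(pattern, "*.", 2) == 0) {
    const char *dot = strchr(host, '.');
    if(!dot || dot == host)
      return 0;
    return strcasecmp(pattern + 1, dot) == 0;
  }
  return strcasecmp(pattern, host) == 0;
}

/* Returns 1 if host matches a SAN entry of the right type, else 0. */
int san_host_ok(const char *host, const struct san *sans, size_t n)
{
  unsigned char want[16], have[16];
  size_t wlen = parse_ip(host, want), i;

  for(i = 0; i < n; i++) {
    if(wlen && sans[i].is_ip) {
      /* IP hosts: compare parsed bytes against iPAddress entries only */
      if(parse_ip(sans[i].value, have) == wlen && !memcmp(want, have, wlen))
        return 1;
    }
    else if(!wlen && !sans[i].is_ip && dns_match(sans[i].value, host))
      return 1;
  }
  return 0;
}
```

Comparing parsed address bytes rather than strings means equivalent IPv6 spellings match, and an IP-literal host is never satisfied by a dNSName entry.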