Re: "The Most Dangerous Code in the World"

From: Oscar Koeroo <okoeroo_at_nikhef.nl>
Date: Sun, 04 Nov 2012 19:05:26 +0100

On 04-11-12 03:06, Oscar Koeroo wrote:
> On 28-10-12 22:25, Oscar Koeroo wrote:
> [...]

Errata 2:

about lib/schannel.c

If I understand MSDN[1] correctly regarding the "CertGetNameString()"
function, it will only return the first SubjectAltName DNS (or the CN field
when no SubjectAltNames are present).

Quote: "If the certificate has a Subject Alternative Name extension for
issuer, Issuer Alternative Name, search for first DNSName choice. If the
DNSName choice is not found in the extension, search the Subject Name field
for the CN OID, "2.5.4.3". If the DNSName or CN OID is found, return the
string. Otherwise, return an empty string."

This would mean that a connection to e.g. Twitter might falsely be flagged
as non-secured. Twitter uses two SubjectAltNames: "www.twitter.com" and
"twitter.com". A download using `curl https://twitter.com` is expected to
fail by this construction and is an easy test to do.

I wonder if these checks are required as there are hints that Schannel is
capable of doing all the required RFC2818 checks, i.e. by evaluating each of
the Subject Alt Names. Perhaps this construction is indeed fundamentally
needed. In that case it seems that only Windows 8 and Windows Server 2012
are currently capable of providing all the SubjectAltNames with the
introduction of the CERT_NAME_SEARCH_ALL_NAMES_FLAG.

        Oscar

[1]:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa376086%28v=vs.85%29.aspx

Post connection checks:

  if(result == CURLE_OK) {
    if(data->set.ssl.verifyhost == 1) {
      infof(data, "warning: ignoring unsupported value (1) ssl.verifyhost\n");
    }
    else if(data->set.ssl.verifyhost == 2) {
      TCHAR cert_hostname_buff[128];
      xcharp_u hostname;
      xcharp_u cert_hostname;
      DWORD len;

      cert_hostname.const_tchar_ptr = cert_hostname_buff;
      hostname.tchar_ptr = Curl_convert_UTF8_to_tchar(conn->host.name);

      len = CertGetNameString(pCertContextServer,
                              CERT_NAME_DNS_TYPE,
                              0,
                              NULL,
                              cert_hostname.tchar_ptr,
                              128);
      if(len > 0 && *cert_hostname.tchar_ptr == '*') {
        /* this is a wildcard cert. try matching the last len - 1 chars */
        int hostname_len = strlen(conn->host.name);
        cert_hostname.tchar_ptr++;
        if(_tcsicmp(cert_hostname.const_tchar_ptr,
                    hostname.const_tchar_ptr + hostname_len - len + 2) != 0)
          result = CURLE_PEER_FAILED_VERIFICATION;
      }
      else if(len == 0 || _tcsicmp(hostname.const_tchar_ptr,
                                    cert_hostname.const_tchar_ptr) != 0) {
        result = CURLE_PEER_FAILED_VERIFICATION;
      }
      if(result == CURLE_PEER_FAILED_VERIFICATION) {
        char *_cert_hostname;
        _cert_hostname = Curl_convert_tchar_to_UTF8(cert_hostname.tchar_ptr);
        failf(data, "schannel: CertGetNameString() certificate hostname "
              "(%s) did not match connection (%s)",
              _cert_hostname, conn->host.name);
        Curl_unicodefree(_cert_hostname);
      }
      Curl_unicodefree(hostname.tchar_ptr);
    }
  }
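What the RFC 2818 name check Oscar describes looks like when every dNSName SAN is consulted rather than only the first one, written here as an added, portable C example that is neither curl's code nor the Schannel API; the SAN list is constructed from the Twitter case in the mail, and the wildcard rule is assumed to be the single-leftmost-label one.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Case-insensitive match of one certificate name against a hostname.
 * A leading "*" is accepted only as a whole leftmost label ("*.twitter.com")
 * and matches exactly one host label; this is stricter than RFC 2818's
 * wording but is the rule RFC 6125 and browsers converged on (assumption).
 * Returns 1 on match, 0 otherwise. */
static int name_matches(const char *pattern, const char *host)
{
    if(pattern[0] == '*') {
        const char *suffix = pattern + 1;          /* e.g. ".twitter.com" */
        const char *dot = strchr(host, '.');
        size_t hlen = strlen(host), slen = strlen(suffix);
        /* reject "*foo", a host with no label to match, and a host shorter
         * than the suffix, so the offset below can never run before host */
        if(suffix[0] != '.' || !dot || hlen < slen)
            return 0;
        /* the wildcard must stand for exactly the first label */
        return dot == host + (hlen - slen) && strcasecmp(dot, suffix) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* RFC 2818 s3.1: when dNSName SANs exist the host must match one of them;
 * the Subject CN is consulted only if there is no dNSName SAN at all. */
int cert_matches_host(const char *const *san_dns, size_t n_san,
                      const char *cn, const char *host)
{
    size_t i;
    if(n_san > 0) {
        for(i = 0; i < n_san; i++)
            if(name_matches(san_dns[i], host))
                return 1;
        return 0;
    }
    return cn != NULL && name_matches(cn, host);
}

/* The view a first-name-only lookup gets (san_dns[0], else the CN), which
 * is how the mail reads CertGetNameString() without the search-all flag. */
int first_name_only_matches(const char *const *san_dns, size_t n_san,
                            const char *cn, const char *host)
{
    const char *first = n_san > 0 ? san_dns[0] : cn;
    return first != NULL && name_matches(first, host);
}
```

With the SAN order from the mail, `first_name_only_matches` rejects `twitter.com` while `cert_matches_host` accepts it, which is the false "non-secured" outcome described above.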
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-11-04