curl-library
[PATCH] GnuTLS: Work around failure to check certs against IP addresses
From: David Woodhouse <dwmw2_at_infradead.org>
Date: Sat, 12 Jul 2014 17:59:56 +0100
Received on 2014-07-12
From: David Woodhouse <David.Woodhouse_at_intel.com>
Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function
didn't actually check IP addresses in SubjectAltName, even though it was
explicitly documented as doing so. So do it ourselves...
--- The cipher list problem was because Fedora's GnuTLS doesn't have SRP support. Given that gnutls_set_priority_direct() actually *gives* us a pointer to the part of the string that it objected to, our error handling could stand to be improved somewhat at that point. lib/vtls/gtls.c | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index a293483..3aa6c87 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -777,7 +777,41 @@ gtls_connect_step3(struct connectdata *conn, alternative name PKIX extension. Returns non zero on success, and zero on failure. */ rc = gnutls_x509_crt_check_hostname(x509_cert, conn->host.name); - +#if GNUTLS_VERSION_NUMBER < 0x030306 + /* Before 3.3.6, gnutls_x509_crt_check_hostname() didn't check IP + addresses. */ + if(!rc) { + unsigned char addrbuf[sizeof(struct in6_addr)]; + unsigned char certaddr[sizeof(struct in6_addr)]; + size_t addrlen = 0, certaddrlen; + int i; + int ret = 0; + + if(Curl_inet_pton(AF_INET, conn->host.name, addrbuf) > 0) + addrlen = 4; + else if(Curl_inet_pton(AF_INET6, conn->host.name, addrbuf) > 0) + addrlen = 16; + + if(addrlen) { + for(i=0; ; i++) { + certaddrlen = sizeof(certaddr); + ret = gnutls_x509_crt_get_subject_alt_name(x509_cert, i, certaddr, + &certaddrlen, NULL); + /* If this happens, it wasn't an IP address. */ + if(ret == GNUTLS_E_SHORT_MEMORY_BUFFER) + continue; + if(ret < 0) + break; + if(ret != GNUTLS_SAN_IPADDRESS) + continue; + if(certaddrlen == addrlen && !memcmp(addrbuf, certaddr, addrlen)) { + rc = 1; + break; + } + } + } + } +#endif if(!rc) { if(data->set.ssl.verifyhost) { failf(data, "SSL: certificate subject name (%s) does not match " -- 1.9.3 -- David Woodhouse Open Source Technology Centre David.Woodhouse_at_intel.com Intel Corporation
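Review bot: the `#if GNUTLS_VERSION_NUMBER < 0x030306` guard around the new block is a compile-time check only, so a curl built against 3.3.6 headers but run with an older libgnutls of the same ABI silently loses the workaround; consider gating the fallback at runtime with `gnutls_check_version("3.3.6") == NULL` instead of (or in addition to) the preprocessor test. Two smaller points in the same block: `Curl_inet_pton(AF_INET6, ...)` and the `sizeof(struct in6_addr)` buffer sizes are used unconditionally, whereas curl's other IPv6 code sits under `#ifdef ENABLE_IPV6`, so a build without IPv6 support may not have those symbols; a literal 16 for the buffer size and an `ENABLE_IPV6` guard on the AF_INET6 branch would match the rest of lib/. Also `int ret = 0;` is initialised but always assigned before it is read. The `continue` on GNUTLS_E_SHORT_MEMORY_BUFFER is correct as written: a SAN value that does not fit in 16 bytes cannot be an IPv4 or IPv6 address, and the `ret != GNUTLS_SAN_IPADDRESS` check below disposes of the shorter non-IP entries.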
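The matching rule the commit message relies on, written out as an added example that is not curl's or GnuTLS's code: an IP literal in the URL may only match an iPAddress SAN, compared as raw bytes after inet_pton() so that differently spelled IPv6 literals still match, and it must never match a dNSName that merely looks like an address. The example goes beyond the patch by also doing the dNSName side (case-insensitive, single left-most wildcard label) so that verify_host() is a complete SAN check. The SAN list, the san_type constants and the helper names are all constructed for this example; POSIX inet_pton() is assumed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for inet_pton() */
#endif
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* SAN entry kinds; our own constants, standing in for GNUTLS_SAN_DNSNAME / GNUTLS_SAN_IPADDRESS */
enum san_type { SAN_DNSNAME, SAN_IPADDRESS };

struct san_entry {
  enum san_type type;
  const unsigned char *data;  /* dNSName: ASCII text; iPAddress: 4 or 16 raw network-order octets */
  size_t len;
};

/* Parse an IPv4/IPv6 literal into network-order bytes. Returns 4, 16, or 0 when host is not a literal. */
static size_t parse_ip_literal(const char *host, unsigned char out[16])
{
  if(inet_pton(AF_INET, host, out) == 1)
    return 4;
  if(inet_pton(AF_INET6, host, out) == 1)
    return 16;
  return 0;
}

/* ASCII case-insensitive string equality (DNS names are case-insensitive). */
static int ci_equal(const char *a, const char *b)
{
  for(; *a && *b; a++, b++)
    if(tolower((unsigned char)*a) != tolower((unsigned char)*b))
      return 0;
  return *a == *b;
}

/* dNSName match: exact, or a wildcard whose '*' is the entire left-most label
   and which covers exactly one label of the host (RFC 6125 section 6.4.3). */
static int dns_name_matches(const char *host, const unsigned char *pat, size_t patlen)
{
  char p[256];
  const char *dot;
  if(patlen == 0 || patlen >= sizeof(p))
    return 0;
  memcpy(p, pat, patlen);
  p[patlen] = '\0';
  if(ci_equal(host, p))
    return 1;
  if(p[0] != '*' || p[1] != '.' || !strchr(p + 2, '.'))
    return 0;                       /* only "*.label.tld" style wildcards are accepted */
  dot = strchr(host, '.');
  return dot && dot != host && ci_equal(dot + 1, p + 2);
}

/* Returns 1 when host is covered by the certificate's SAN list, 0 otherwise.
   An IP literal is compared only against iPAddress entries, byte for byte and
   with matching length; a DNS name is compared only against dNSName entries. */
int verify_host(const char *host, const struct san_entry *sans, size_t nsans)
{
  unsigned char addr[16];
  size_t addrlen = parse_ip_literal(host, addr);
  size_t i;
  for(i = 0; i < nsans; i++) {
    if(addrlen) {
      if(sans[i].type == SAN_IPADDRESS && sans[i].len == addrlen &&
         memcmp(sans[i].data, addr, addrlen) == 0)
        return 1;
    }
    else if(sans[i].type == SAN_DNSNAME &&
            dns_name_matches(host, sans[i].data, sans[i].len))
      return 1;
  }
  return 0;
}

/* Constructed SAN list standing in for a decoded certificate (not a real certificate). */
static const unsigned char ip4_192_0_2_1[4]   = { 192, 0, 2, 1 };
static const unsigned char ip6_2001_db8_1[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
                                                  0, 0, 0, 0, 0, 0, 0, 1 };
const struct san_entry sample_sans[] = {
  { SAN_DNSNAME,   (const unsigned char *)"example.com",   11 },
  { SAN_DNSNAME,   (const unsigned char *)"*.example.com", 13 },
  { SAN_DNSNAME,   (const unsigned char *)"198.51.100.7",  12 },  /* an address spelled as a dNSName: must never match */
  { SAN_IPADDRESS, ip4_192_0_2_1, 4 },
  { SAN_IPADDRESS, ip6_2001_db8_1, 16 },
};
const size_t sample_nsans = sizeof(sample_sans) / sizeof(sample_sans[0]);

int main(void)
{
  const char *hosts[] = { "192.0.2.1", "2001:0db8::0001", "::ffff:192.0.2.1",
                          "198.51.100.7", "WWW.example.com", "a.b.example.com" };
  size_t i;
  for(i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
    printf("%-20s %s\n", hosts[i],
           verify_host(hosts[i], sample_sans, sample_nsans) ? "match" : "no match");
  return 0;
}
```

The length check in verify_host() is what keeps an IPv4-mapped IPv6 literal such as ::ffff:192.0.2.1 from matching a 4-octet iPAddress entry, and the byte comparison is why 2001:0db8::0001 and 2001:db8::1 both match the same 16-octet entry; a string comparison of the textual forms would get both cases wrong.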
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html