diff options
Diffstat (limited to 'Utilities/cmcurl/lib/vtls/x509asn1.c')
| -rw-r--r-- | Utilities/cmcurl/lib/vtls/x509asn1.c | 62 |
1 files changed, 32 insertions, 30 deletions
diff --git a/Utilities/cmcurl/lib/vtls/x509asn1.c b/Utilities/cmcurl/lib/vtls/x509asn1.c index 0cfcbe87da..4c1c9a8b79 100644 --- a/Utilities/cmcurl/lib/vtls/x509asn1.c +++ b/Utilities/cmcurl/lib/vtls/x509asn1.c @@ -182,7 +182,7 @@ static const char *getASN1Element(struct Curl_asn1Element *elem, const char *beg, const char *end) { unsigned char b; - unsigned long len; + size_t len; struct Curl_asn1Element lelem; /* Get a single ASN.1 element into `elem', parse ASN.1 string at `beg' @@ -307,7 +307,7 @@ static const char *bit2str(const char *beg, const char *end) */ static const char *int2str(const char *beg, const char *end) { - unsigned long val = 0; + unsigned int val = 0; size_t n = end - beg; if(!n) @@ -323,7 +323,7 @@ static const char *int2str(const char *beg, const char *end) do val = (val << 8) | *(const unsigned char *) beg++; while(beg < end); - return curl_maprintf("%s%lx", val >= 10? "0x": "", val); + return curl_maprintf("%s%x", val >= 10? "0x": "", val); } /* @@ -953,8 +953,7 @@ static int do_pubkey(struct Curl_easy *data, int certnum, * ECC public key is all the data, a value of type BIT STRING mapped to * OCTET STRING and should not be parsed as an ASN.1 value. */ - const unsigned long len = - (unsigned long)((pubkey->end - pubkey->beg - 2) * 4); + const size_t len = ((pubkey->end - pubkey->beg - 2) * 4); if(!certnum) infof(data, " ECC Public Key (%lu bits)", len); if(data->set.ssl.certinfo) { @@ -972,7 +971,7 @@ static int do_pubkey(struct Curl_easy *data, int certnum, if(strcasecompare(algo, "rsaEncryption")) { const char *q; - unsigned long len; + size_t len; p = getASN1Element(&elem, pk.beg, pk.end); if(!p) @@ -981,7 +980,7 @@ static int do_pubkey(struct Curl_easy *data, int certnum, /* Compute key length. */ for(q = elem.beg; !*q && q < elem.end; q++) ; - len = (unsigned long)((elem.end - q) * 8); + len = ((elem.end - q) * 8); if(len) { unsigned int i; for(i = *(unsigned char *) q; !(i & 0x80); i <<= 1) @@ -1073,7 +1072,7 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data, size_t cl1; char *cp2; CURLcode result = CURLE_OK; - unsigned long version; + unsigned int version; size_t i; size_t j; @@ -1276,9 +1275,12 @@ static const char *checkOID(const char *beg, const char *end, return matched? ccp: NULL; } -CURLcode Curl_verifyhost(struct Curl_easy *data, struct connectdata *conn, +CURLcode Curl_verifyhost(struct Curl_cfilter *cf, + struct Curl_easy *data, const char *beg, const char *end) { + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); struct Curl_X509certificate cert; struct Curl_asn1Element dn; struct Curl_asn1Element elem; @@ -1290,9 +1292,8 @@ CURLcode Curl_verifyhost(struct Curl_easy *data, struct connectdata *conn, int matched = -1; size_t addrlen = (size_t) -1; ssize_t len; - const char * const hostname = SSL_HOST_NAME(); - const char * const dispname = SSL_HOST_DISPNAME(); - size_t hostlen = strlen(hostname); + size_t hostlen; + #ifdef ENABLE_IPV6 struct in6_addr addr; #else @@ -1302,19 +1303,21 @@ CURLcode Curl_verifyhost(struct Curl_easy *data, struct connectdata *conn, /* Verify that connection server matches info in X509 certificate at `beg'..`end'. */ - if(!SSL_CONN_CONFIG(verifyhost)) + if(!conn_config->verifyhost) return CURLE_OK; if(Curl_parseX509(&cert, beg, end)) return CURLE_PEER_FAILED_VERIFICATION; + hostlen = strlen(connssl->hostname); + /* Get the server IP address. */ #ifdef ENABLE_IPV6 - if(conn->bits.ipv6_ip && Curl_inet_pton(AF_INET6, hostname, &addr)) + if(conn->bits.ipv6_ip && Curl_inet_pton(AF_INET6, connssl->hostname, &addr)) addrlen = sizeof(struct in6_addr); else #endif - if(Curl_inet_pton(AF_INET, hostname, &addr)) + if(Curl_inet_pton(AF_INET, connssl->hostname, &addr)) addrlen = sizeof(struct in_addr); /* Process extensions. */ @@ -1345,19 +1348,20 @@ CURLcode Curl_verifyhost(struct Curl_easy *data, struct connectdata *conn, break; switch(name.tag) { case 2: /* DNS name. */ + matched = 0; len = utf8asn1str(&dnsname, CURL_ASN1_IA5_STRING, name.beg, name.end); - if(len > 0 && (size_t)len == strlen(dnsname)) - matched = Curl_cert_hostcheck(dnsname, - (size_t)len, hostname, hostlen); - else - matched = 0; - free(dnsname); + if(len > 0) { + if(size_t)len == strlen(dnsname) + matched = Curl_cert_hostcheck(dnsname, (size_t)len, + connssl->hostname, hostlen); + free(dnsname); + } break; case 7: /* IP address. */ - matched = (size_t) (name.end - name.beg) == addrlen && - !memcmp(&addr, name.beg, addrlen); + matched = (name.end - name.beg) == addrlen && + !memcmp(&addr, name.beg, addrlen); break; } } @@ -1367,12 +1371,12 @@ CURLcode Curl_verifyhost(struct Curl_easy *data, struct connectdata *conn, switch(matched) { case 1: /* an alternative name matched the server hostname */ - infof(data, " subjectAltName: %s matched", dispname); + infof(data, " subjectAltName: %s matched", connssl->dispname); return CURLE_OK; case 0: /* an alternative name field existed, but didn't match and then we MUST fail */ - infof(data, " subjectAltName does not match %s", dispname); + infof(data, " subjectAltName does not match %s", connssl->dispname); return CURLE_PEER_FAILED_VERIFICATION; } @@ -1402,21 +1406,19 @@ CURLcode Curl_verifyhost(struct Curl_easy *data, struct connectdata *conn, failf(data, "SSL: unable to obtain common name from peer certificate"); else { len = utf8asn1str(&dnsname, elem.tag, elem.beg, elem.end); - if(len < 0) { - free(dnsname); + if(len < 0) return CURLE_OUT_OF_MEMORY; - } if(strlen(dnsname) != (size_t) len) /* Nul byte in string ? */ failf(data, "SSL: illegal cert name field"); else if(Curl_cert_hostcheck((const char *) dnsname, - len, hostname, hostlen)) { + len, connssl->hostname, hostlen)) { infof(data, " common name: %s (matched)", dnsname); free(dnsname); return CURLE_OK; } else failf(data, "SSL: certificate subject name '%s' does not match " - "target host name '%s'", dnsname, dispname); + "target host name '%s'", dnsname, connssl->dispname); free(dnsname); } |