From 441df990b4e68459eb98c10445478d0fece30b83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Mart=C3=ADn=20Nieto?= Date: Thu, 17 May 2012 23:57:30 +0200 Subject: [PATCH] ssl: look up the last CN the alternative names don't match --- src/netops.c | 65 +++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 54 insertions(+), 11 deletions(-) diff --git a/src/netops.c b/src/netops.c index 6341fb887..bd76d3022 100644 --- a/src/netops.c +++ b/src/netops.c @@ -219,12 +219,15 @@ static int verify_server_cert(git_transport *t, const char *host) { X509 *cert; X509_NAME *peer_name; - char buf[1024]; + ASN1_STRING *str; + unsigned char *peer_cn = NULL; int matched = -1, type = GEN_DNS; GENERAL_NAMES *alts; struct in6_addr addr6; struct in_addr addr4; void *addr; + int i = -1,j; + /* Try to parse the host as an IP address to see if it is */ if (inet_pton(AF_INET, host, &addr4)) { @@ -243,7 +246,7 @@ static int verify_server_cert(git_transport *t, const char *host) /* Check the alternative names */ alts = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); if (alts) { - int num, i; + int num; num = sk_GENERAL_NAME_num(alts); for (i = 0; i < num && matched != 1; i++) { @@ -257,7 +260,7 @@ static int verify_server_cert(git_transport *t, const char *host) if (type == GEN_DNS) { /* If it contains embedded NULs, don't even try */ - if (namelen != strnlen(name, namelen)) + if (memchr(name, '\0', namelen)) continue; if (check_host_name(name, host) < 0) @@ -272,22 +275,62 @@ static int verify_server_cert(git_transport *t, const char *host) } GENERAL_NAMES_free(alts); - if (matched == 0) { - giterr_set(GITERR_SSL, "Certificate host name check failed"); - return -1; - } + if (matched == 0) + goto on_error; + if (matched == 1) return 0; /* If no alternative names are available, check the common name */ peer_name = X509_get_subject_name(cert); - X509_NAME_get_text_by_NID(peer_name, NID_commonName, buf, sizeof(buf)); - if (strcasecmp(host, buf)) { - giterr_set(GITERR_NET, "CN %s doesn't match host %s\n", buf, host); - return -1; + if (peer_name == NULL) + goto on_error; + + if (peer_name) { + /* Get the index of the last CN entry */ + while ((j = X509_NAME_get_index_by_NID(peer_name, NID_commonName, i)) >= 0) + i = j; } + if (i < 0) + goto on_error; + + str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(peer_name, i)); + if (str == NULL) + goto on_error; + + /* Work around a bug in OpenSSL whereby ASN1_STRING_to_UTF8 fails if it's already in utf-8 */ + if (ASN1_STRING_type(str) == V_ASN1_UTF8STRING) { + int size = ASN1_STRING_length(str); + + if (size > 0) { + peer_cn = OPENSSL_malloc(size + 1); + GITERR_CHECK_ALLOC(peer_cn); + memcpy(peer_cn, ASN1_STRING_data(str), size); + peer_cn[size] = '\0'; + } + } else { + int size = ASN1_STRING_to_UTF8(&peer_cn, str); + GITERR_CHECK_ALLOC(peer_cn); + if (memchr(peer_cn, '\0', size)) + goto cert_fail; + } + + if (check_host_name((char *)peer_cn, host) < 0) + goto cert_fail; + + OPENSSL_free(peer_cn); + return 0; + +on_error: + OPENSSL_free(peer_cn); + return ssl_set_error(&t->ssl, 0); + +cert_fail: + OPENSSL_free(peer_cn); + giterr_set(GITERR_SSL, "Certificate host name check failed"); + return -1; } static int ssl_setup(git_transport *t, const char *host)