Commit 250ba994 authored by Daniel Stenberg

- Sven Anders reported that we introduced a cert verification flaw for
  OpenSSL-powered libcurl in 7.19.6. If there was an X509v3 Subject Alternative
  Name field in the certificate it had to match and so even if a non-DNS and
  non-IP entry was present it caused the verification to fail.
parent c2c3a46e
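The logic the commit message describes, modelled as an added example (this is not curl's code and not taken from lib/ssluse.c): it runs the 7.19.6 behaviour (a boolean match, failure whenever a SAN extension exists and nothing matched) next to the behaviour after this commit (a tri-state match that fails only when an entry of the target type was examined and rejected) over constructed certificates. Assumptions not in the original: an IPv4-only numeric-host test, a simplified stand-in for cert_hostcheck(), and a hand-built certificate struct in place of OpenSSL's X509.

```c
/* Added example, not curl's code: a model of the subjectAltName logic in
   lib/ssluse.c:verifyhost() before and after this commit. Assumptions: an
   IPv4-only numeric-host test, a simplified stand-in for cert_hostcheck(),
   and a hand-built certificate struct instead of OpenSSL's X509. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum san_type { SAN_DNS, SAN_IP, SAN_EMAIL, SAN_URI };

struct san {
  enum san_type type;
  const char *data;          /* raw bytes, may contain an embedded NUL */
  size_t len;                /* length as encoded in the certificate */
};

struct cert {
  const char *cn;            /* Common Name, consulted only as a fallback */
  const struct san *sans;
  size_t nsans;              /* 0 models a cert without a SAN extension */
};

#define SAN_LIT(s) s, sizeof(s) - 1   /* literal with its encoded length */

static int eq_nocase(const char *a, const char *b)
{
  for(; *a && *b; a++, b++)
    if(tolower((unsigned char)*a) != tolower((unsigned char)*b))
      return 0;
  return *a == *b;
}

/* Stand-in for cert_hostcheck(): exact match, or a leading "*." wildcard
   matching exactly one non-empty label. */
static int host_check(const char *pattern, const char *hostname)
{
  if(pattern[0] == '*' && pattern[1] == '.') {
    const char *dot = strchr(hostname, '.');
    return dot && dot != hostname && eq_nocase(pattern + 2, dot + 1);
  }
  return eq_nocase(pattern, hostname);
}

/* Dotted-quad parser so a numeric host selects GEN_IPADD-style matching. */
static int parse_ipv4(const char *host, unsigned char out[4])
{
  unsigned a, b, c, d;
  char tail;
  if(sscanf(host, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &tail) != 4 ||
     a > 255 || b > 255 || c > 255 || d > 255)
    return 0;
  out[0] = a; out[1] = b; out[2] = c; out[3] = d;
  return 1;
}

/* Returns 1 if the cert is accepted for hostname, 0 otherwise.
   fixed == 0: 7.19.6, boolean match, fail whenever a SAN extension exists
   and nothing matched. fixed == 1: this commit, tri-state match, fail only
   when an entry of the target type was examined and rejected. */
static int verify_host(const struct cert *c, const char *hostname, int fixed)
{
  int matched = -1;          /* -1 nothing examined, 1 match, 0 mismatch */
  enum san_type target = SAN_DNS;
  unsigned char addr[4];
  size_t addrlen = 0, i;

  if(parse_ipv4(hostname, addr)) {
    target = SAN_IP;
    addrlen = sizeof(addr);
  }
  for(i = 0; i < c->nsans && matched != 1; i++) {
    const struct san *s = &c->sans[i];
    if(s->type != target)
      continue;                /* email/URI entries are never examined */
    if(target == SAN_DNS)      /* embedded NUL (len != strlen) is a mismatch */
      matched = s->len == strlen(s->data) && host_check(s->data, hostname);
    else
      matched = s->len == addrlen && !memcmp(s->data, addr, addrlen);
  }
  if(matched == 1)
    return 1;
  if(fixed ? matched == 0 : c->nsans > 0)
    return 0;                  /* SAN examined and rejected: CN is ignored */
  return c->cn && host_check(c->cn, hostname);   /* no usable SAN: use CN */
}

/* Constructed certificates covering the cases the commit message describes. */
static const struct san only_email[] = { { SAN_EMAIL, SAN_LIT("hostmaster@example.com") } };
static const struct cert cert_email_only = { "www.example.com", only_email, 1 };
static const struct san dns_wild[] = { { SAN_EMAIL, SAN_LIT("hostmaster@example.com") },
                                       { SAN_DNS, SAN_LIT("*.example.com") } };
static const struct cert cert_wildcard = { "unrelated", dns_wild, 2 };
static const struct san dns_other[] = { { SAN_DNS, SAN_LIT("other.example.org") } };
static const struct cert cert_dns_mismatch = { "www.example.com", dns_other, 1 };
static const struct san dns_nul[] = { { SAN_DNS, SAN_LIT("www.example.com\0.attacker.test") } };
static const struct cert cert_embedded_nul = { "www.example.com", dns_nul, 1 };
static const struct san ip_only[] = { { SAN_IP, SAN_LIT("\x0a\x00\x00\x01") } };
static const struct cert cert_ip = { "10.0.0.1", ip_only, 1 };

int main(void)
{
  const char *h = "www.example.com";
  printf("email-only SAN, CN matches:   7.19.6=%d fixed=%d\n",
         verify_host(&cert_email_only, h, 0), verify_host(&cert_email_only, h, 1));
  printf("DNS SAN mismatch, CN matches: 7.19.6=%d fixed=%d\n",
         verify_host(&cert_dns_mismatch, h, 0), verify_host(&cert_dns_mismatch, h, 1));
  printf("embedded NUL in DNS SAN:      7.19.6=%d fixed=%d\n",
         verify_host(&cert_embedded_nul, h, 0), verify_host(&cert_embedded_nul, h, 1));
  printf("IP SAN, host 10.0.0.1 / 10.0.0.2: fixed=%d / %d\n",
         verify_host(&cert_ip, "10.0.0.1", 1), verify_host(&cert_ip, "10.0.0.2", 1));
  return 0;
}
```

The only row where the two behaviours differ is the email-only certificate: 7.19.6 rejects it because a SAN extension exists and nothing matched, while the tri-state version sees that no DNS or IP entry was ever examined and falls back to the Common Name. A DNS entry that mismatches, including one carrying an embedded NUL, records 0 in both versions and blocks the CN fallback, which is the behaviour RFC 2818 requires.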
+6 −0
@@ -6,6 +6,12 @@

                                  Changelog

Daniel Stenberg (16 Sep 2009)
- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-
  powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name
  field in the certficate it had to match and so even if non-DNS and non-IP
  entry was present it caused the verification to fail.

Daniel Fandrich (15 Sep 2009)
- Moved the libssh2 checks after the SSL library checks. This helps when
  statically linking since libssh2 needs the SSL library link flags to be
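Review bot: the new CHANGES entry carries typos that will ship in the released changelog: "verfication" should be "verification", "certficate" should be "certificate", and "a X509v3" should be "an X509v3". Since this records a security-relevant regression fix, it would also help to state outright that the failure occurred when the only SAN entries were non-DNS/non-IP ones; "even if non-DNS and non-IP entry was present" reads as if any extra entry caused the failure.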
+2 −1
@@ -28,6 +28,7 @@ This release includes the following bugfixes:
 o configure uses pkg-config for cross-compiles as well
 o improved NSS detection in configure
 o cookie expiry date at 1970-jan-1 00:00:00
 o libcurl-OpenSSL failed to verify some certs with Subject Alternative Name

This release includes the following known bugs:

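Review bot: the RELEASE-NOTES bullet "libcurl-OpenSSL failed to verify some certs with Subject Alternative Name" is vaguer than the CHANGES entry in the same commit. Users hit this with certificates whose SAN extension holds only non-DNS/non-IP entries, so naming that case here (for example "failed to verify certs whose only SAN entries are not DNS names or IP addresses") lets affected users recognize the fix at a glance.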
@@ -38,6 +39,6 @@ advice from friends like these:

 Karl Moerder, Kamil Dudka, Krister Johansen, Andre Guibert de Bruet,
 Michal Marek, Eric Wong, Guenter Knauf, Peter Sylvester, Daniel Johnson,
 Claes Jakobsson
 Claes Jakobsson, Sven Anders

        Thanks! (and sorry if I forgot to mention someone)
+11 −6
@@ -1056,7 +1056,8 @@ cert_hostcheck(const char *match_pattern, const char *hostname)
static CURLcode verifyhost(struct connectdata *conn,
                           X509 *server_cert)
{
  bool matched = FALSE; /* no alternative match yet */
  int matched = -1; /* -1 is no alternative match yet, 1 means match and 0
                       means mismatch */
  int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
  size_t addrlen = 0;
  struct SessionHandle *data = conn->data;
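Review bot: the tri-state packed into `int matched` (-1, 0, 1) at the top of this hunk depends on a comment to explain its meaning, and the distinction between -1 (no entry of the target type examined yet) and 0 (an entry examined and rejected) is the whole fix. Named values (an enum, or three #defines; the names are up to you) would make the later `matched != 1` and `matched == 0` tests read as intent rather than magic numbers, and would stop a future edit from collapsing -1 and 0 back into one "not matched" state, which is exactly the 7.19.6 bug.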
@@ -1093,7 +1094,7 @@ static CURLcode verifyhost(struct connectdata *conn,
    numalts = sk_GENERAL_NAME_num(altnames);

    /* loop through all alternatives while none has matched */
    for (i=0; (i<numalts) && !matched; i++) {
    for (i=0; (i<numalts) && (matched != 1); i++) {
      /* get a handle to alternative name number i */
      const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);

@@ -1119,14 +1120,18 @@ static CURLcode verifyhost(struct connectdata *conn,
             /* if this isn't true, there was an embedded zero in the name
                string and we cannot match it. */
             cert_hostcheck(altptr, conn->host.name))
            matched = TRUE;
            matched = 1;
          else
            matched = 0;
          break;

        case GEN_IPADD: /* IP address comparison */
          /* compare alternative IP address if the data chunk is the same size
             our server IP address is */
          if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
            matched = TRUE;
            matched = 1;
          else
            matched = 0;
          break;
        }
      }
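Review bot: both cases now record `matched = 0` on a non-matching entry, and that 0 is what later blocks the Common Name fallback; this is correct only as long as the enclosing code still restricts these cases to entries whose type equals `target` (that check lies outside this hunk's context, so please confirm it is still there), otherwise a GEN_IPADD entry would record a mismatch while verifying a DNS hostname and wrongly fail the connection. In the GEN_DNS case the comment above the condition says it also fails on an embedded zero in the name, so such a name now deliberately counts as a mismatch rather than being skipped; that is the safe direction and deserves a sentence in the comment.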
@@ -1134,10 +1139,10 @@ static CURLcode verifyhost(struct connectdata *conn,
    GENERAL_NAMES_free(altnames);
  }

  if(matched)
  if(matched == 1)
    /* an alternative name matched the server hostname */
    infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
  else if(altnames) {
  else if(matched == 0) {
    /* an alternative name field existed, but didn't match and then
       we MUST fail */
    infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
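Review bot: the comment "an alternative name field existed, but didn't match and then we MUST fail" above the `matched == 0` branch no longer describes the condition. With `else if(altnames)` replaced by `else if(matched == 0)`, a certificate whose SAN extension holds only non-DNS/non-IP entries leaves `matched` at -1 and falls through to the Common Name check, which is the intended fix. Suggest rewording to "an alternative name of the target type existed but none matched, so we MUST fail". That wording also matches the RFC 2818 rule the code implements: a dNSName (or, for numeric hosts, iPAddress) entry, when present, is the identity and the CN is ignored; the CN is consulted only when no such entry exists.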