Loading lib/vtls/openssl.c +30 −27 Original line number Diff line number Diff line Loading @@ -1024,8 +1024,7 @@ void Curl_ossl_close_all(struct SessionHandle *data) */ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) { int matched = -1; /* -1 is no alternative match yet, 1 means match and 0 means mismatch */ bool matched = FALSE; int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */ size_t addrlen = 0; struct SessionHandle *data = conn->data; Loading Loading @@ -1062,7 +1061,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) numalts = sk_GENERAL_NAME_num(altnames); /* loop through all alternatives while none has matched */ for(i=0; (i<numalts) && (matched != 1); i++) { for(i=0; (i<numalts) && !matched; i++) { /* get a handle to alternative name number i */ const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i); Loading @@ -1087,19 +1086,23 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) if((altlen == strlen(altptr)) && /* if this isn't true, there was an embedded zero in the name string and we cannot match it. */ Curl_cert_hostcheck(altptr, conn->host.name)) matched = 1; else matched = 0; Curl_cert_hostcheck(altptr, conn->host.name)) { matched = TRUE; infof(data, " subjectAltName: host \"%s\" matched cert's \"%s\"\n", conn->host.dispname, altptr); } break; case GEN_IPADD: /* IP address comparison */ /* compare alternative IP address if the data chunk is the same size our server IP address is */ if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) matched = 1; else matched = 0; if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) { matched = TRUE; infof(data, " subjectAltName: host \"%s\" matched cert's IP address!\n", conn->host.dispname); } break; } } Loading 
@@ -1107,13 +1110,13 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) GENERAL_NAMES_free(altnames); } if(matched == 1) /* an alternative name matched the server hostname */ infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname); else if(matched == 0) { /* an alternative name field existed, but didn't match and then we MUST fail */ infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname); if(matched) /* an alternative name matched */ ; else if(altnames) { /* an alternative name field existed, but didn't match and then we MUST fail */ infof(data, " subjectAltName does not match %s\n", conn->host.dispname); failf(data, "SSL: no alternative certificate subject name matches " "target host name '%s'", conn->host.dispname); result = CURLE_PEER_FAILED_VERIFICATION; Loading Loading @@ -1195,7 +1198,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) result = CURLE_PEER_FAILED_VERIFICATION; } else { infof(data, "\t common name: %s (matched)\n", peer_CN); infof(data, " common name: %s (matched)\n", peer_CN); } if(peer_CN) OPENSSL_free(peer_CN); Loading Loading @@ -2548,16 +2551,16 @@ static CURLcode servercert(struct connectdata *conn, rc = x509_name_oneline(X509_get_subject_name(connssl->server_cert), buffer, BUFSIZE); infof(data, "\t subject: %s\n", rc?"[NONE]":buffer); infof(data, " subject: %s\n", rc?"[NONE]":buffer); ASN1_TIME_print(mem, X509_get_notBefore(connssl->server_cert)); len = BIO_get_mem_data(mem, (char **) &ptr); infof(data, "\t start date: %.*s\n", len, ptr); infof(data, " start date: %.*s\n", len, ptr); rc = BIO_reset(mem); ASN1_TIME_print(mem, X509_get_notAfter(connssl->server_cert)); len = BIO_get_mem_data(mem, (char **) &ptr); infof(data, "\t expire date: %.*s\n", len, ptr); infof(data, " expire date: %.*s\n", len, ptr); rc = BIO_reset(mem); BIO_free(mem); Loading 
@@ -2579,7 +2582,7 @@ static CURLcode servercert(struct connectdata *conn, result = CURLE_SSL_CONNECT_ERROR; } else { infof(data, "\t issuer: %s\n", buffer); infof(data, " issuer: %s\n", buffer); /* We could do all sorts of certificate verification stuff here before deallocating the certificate. */ Loading Loading @@ -2619,7 +2622,7 @@ static CURLcode servercert(struct connectdata *conn, return CURLE_SSL_ISSUER_ERROR; } infof(data, "\t SSL certificate issuer check ok (%s)\n", infof(data, " SSL certificate issuer check ok (%s)\n", data->set.str[STRING_SSL_ISSUERCERT]); X509_free(issuer); } Loading @@ -2637,12 +2640,12 @@ static CURLcode servercert(struct connectdata *conn, result = CURLE_PEER_FAILED_VERIFICATION; } else infof(data, "\t SSL certificate verify result: %s (%ld)," infof(data, " SSL certificate verify result: %s (%ld)," " continuing anyway.\n", X509_verify_cert_error_string(lerr), lerr); } else infof(data, "\t SSL certificate verify ok.\n"); infof(data, " SSL certificate verify ok.\n"); } #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ Loading Loading
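Review bot: In the hunk at @@ -1107,13 +1110,13 @@ the fall-through condition `else if(altnames)` is broader than the `matched == 0` it replaces: the old value was only set when an alternative name of the target type (GEN_DNS or GEN_IPADD) had actually been compared, whereas `altnames` is non-NULL for any subjectAltName extension, including one holding only entries of other types or only entries of the non-target type. The effect is that a certificate whose SAN carries, say, only iPAddress entries will now fail a hostname connection outright instead of falling back to the common-name check, which may or may not be the intended policy (RFC 6125 §6.4.4 only forbids the CN fallback when identifiers of the client's supported types are present); if the fallback is meant to survive, track that a comparison happened, e.g. `bool compared = FALSE;` next to `matched`, set `compared = TRUE;` where the entry's type equals `target` (that test sits above the hunk at @@ -1087), and use `else if(compared) {`. Either way the change in behaviour deserves a comment on the `else if` line rather than the unchanged "an alternative name field existed" text. The `if(matched) ;` with an empty then-branch is also easy to misread; `if(!matched && altnames) {` says the same thing in one condition. verifyhost begins and ends outside these hunks.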
lib/vtls/openssl.c +30 −27 Original line number Diff line number Diff line Loading @@ -1024,8 +1024,7 @@ void Curl_ossl_close_all(struct SessionHandle *data) */ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) { int matched = -1; /* -1 is no alternative match yet, 1 means match and 0 means mismatch */ bool matched = FALSE; int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */ size_t addrlen = 0; struct SessionHandle *data = conn->data; Loading Loading @@ -1062,7 +1061,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) numalts = sk_GENERAL_NAME_num(altnames); /* loop through all alternatives while none has matched */ for(i=0; (i<numalts) && (matched != 1); i++) { for(i=0; (i<numalts) && !matched; i++) { /* get a handle to alternative name number i */ const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i); Loading @@ -1087,19 +1086,23 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) if((altlen == strlen(altptr)) && /* if this isn't true, there was an embedded zero in the name string and we cannot match it. */ Curl_cert_hostcheck(altptr, conn->host.name)) matched = 1; else matched = 0; Curl_cert_hostcheck(altptr, conn->host.name)) { matched = TRUE; infof(data, " subjectAltName: host \"%s\" matched cert's \"%s\"\n", conn->host.dispname, altptr); } break; case GEN_IPADD: /* IP address comparison */ /* compare alternative IP address if the data chunk is the same size our server IP address is */ if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) matched = 1; else matched = 0; if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) { matched = TRUE; infof(data, " subjectAltName: host \"%s\" matched cert's IP address!\n", conn->host.dispname); } break; } } Loading 
@@ -1107,13 +1110,13 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) GENERAL_NAMES_free(altnames); } if(matched == 1) /* an alternative name matched the server hostname */ infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname); else if(matched == 0) { /* an alternative name field existed, but didn't match and then we MUST fail */ infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname); if(matched) /* an alternative name matched */ ; else if(altnames) { /* an alternative name field existed, but didn't match and then we MUST fail */ infof(data, " subjectAltName does not match %s\n", conn->host.dispname); failf(data, "SSL: no alternative certificate subject name matches " "target host name '%s'", conn->host.dispname); result = CURLE_PEER_FAILED_VERIFICATION; Loading Loading @@ -1195,7 +1198,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) result = CURLE_PEER_FAILED_VERIFICATION; } else { infof(data, "\t common name: %s (matched)\n", peer_CN); infof(data, " common name: %s (matched)\n", peer_CN); } if(peer_CN) OPENSSL_free(peer_CN); Loading Loading @@ -2548,16 +2551,16 @@ static CURLcode servercert(struct connectdata *conn, rc = x509_name_oneline(X509_get_subject_name(connssl->server_cert), buffer, BUFSIZE); infof(data, "\t subject: %s\n", rc?"[NONE]":buffer); infof(data, " subject: %s\n", rc?"[NONE]":buffer); ASN1_TIME_print(mem, X509_get_notBefore(connssl->server_cert)); len = BIO_get_mem_data(mem, (char **) &ptr); infof(data, "\t start date: %.*s\n", len, ptr); infof(data, " start date: %.*s\n", len, ptr); rc = BIO_reset(mem); ASN1_TIME_print(mem, X509_get_notAfter(connssl->server_cert)); len = BIO_get_mem_data(mem, (char **) &ptr); infof(data, "\t expire date: %.*s\n", len, ptr); infof(data, " expire date: %.*s\n", len, ptr); rc = BIO_reset(mem); BIO_free(mem); Loading 
@@ -2579,7 +2582,7 @@ static CURLcode servercert(struct connectdata *conn, result = CURLE_SSL_CONNECT_ERROR; } else { infof(data, "\t issuer: %s\n", buffer); infof(data, " issuer: %s\n", buffer); /* We could do all sorts of certificate verification stuff here before deallocating the certificate. */ Loading Loading @@ -2619,7 +2622,7 @@ static CURLcode servercert(struct connectdata *conn, return CURLE_SSL_ISSUER_ERROR; } infof(data, "\t SSL certificate issuer check ok (%s)\n", infof(data, " SSL certificate issuer check ok (%s)\n", data->set.str[STRING_SSL_ISSUERCERT]); X509_free(issuer); } Loading @@ -2637,12 +2640,12 @@ static CURLcode servercert(struct connectdata *conn, result = CURLE_PEER_FAILED_VERIFICATION; } else infof(data, "\t SSL certificate verify result: %s (%ld)," infof(data, " SSL certificate verify result: %s (%ld)," " continuing anyway.\n", X509_verify_cert_error_string(lerr), lerr); } else infof(data, "\t SSL certificate verify ok.\n"); infof(data, " SSL certificate verify ok.\n"); } #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ Loading