Verify host name against subjectAltName on non-ASCII platforms #2493
Conversation
Curl_cert_hostcheck operates with the host character set, therefore the ASCII subjectAltName string retrieved with OpenSSL must be converted to the host encoding before comparison.
|
The travis red is a failed |
|
Fixed "make checksrc" problem. |
|
There's a second place in the file where And regarding the code, I would prefer an approach that uses less #ifdefs in place. Perhaps you can just provide a wrapper function that does the conversions in this style: #ifdef CURL_DOES_CONVERSIONS
static int hostcheck_convert(const char *match_pattern, const char *hostname)
{
char *altptr2 = strdup(altptr);
if(altptr2) {
if(!Curl_convert_from_network(data, altptr2, altlen))
rc = Curl_cert_hostcheck(altptr2, hostname);
else
rc = failcode;
free(altptr2);
}
return rc;
}
#define Curl_cert_hostcheck(x,y) hostcheck_convert(x,y)
#endif |
You are right, I need to check this. If I understand it correctly the second place is triggered when a certificate does not have the
I will refactor the code accordingly. |
The second place within Line 1516 in a3f3853 |
For readability reasons the matching of the subjectAltName entries against the hostname was moved to a function of its own.
|
I moved the check against subjectAltName into a separate function. The proposed macro trick to redefine the function |
|
Thanks, the red travis failure is unrelated. I took the liberty to modify your function slightly before I merged, please have a look and shout if you think I massacred something. |
Curl_cert_hostcheck operates with the host character set, therefore the ASCII subjectAltName string retrieved with OpenSSL must be converted to the host encoding before comparison.
This was discovered on a z/OS machine with EBCDIC encoding, where HTTPS connections to servers with subjectAltName in the server certificate failed.