Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
G
git2
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
lvzhengyang
git2
Commits
441df990
Commit
441df990
authored
May 17, 2012
by
Carlos Martín Nieto
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
ssl: look up the last CN the alternative names don't match
parent
3f9eb1e5
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
54 additions
and
11 deletions
+54
-11
src/netops.c
+54
-11
No files found.
src/netops.c
View file @
441df990
...
@@ -219,12 +219,15 @@ static int verify_server_cert(git_transport *t, const char *host)
...
@@ -219,12 +219,15 @@ static int verify_server_cert(git_transport *t, const char *host)
{
{
X509
*
cert
;
X509
*
cert
;
X509_NAME
*
peer_name
;
X509_NAME
*
peer_name
;
char
buf
[
1024
];
ASN1_STRING
*
str
;
unsigned
char
*
peer_cn
=
NULL
;
int
matched
=
-
1
,
type
=
GEN_DNS
;
int
matched
=
-
1
,
type
=
GEN_DNS
;
GENERAL_NAMES
*
alts
;
GENERAL_NAMES
*
alts
;
struct
in6_addr
addr6
;
struct
in6_addr
addr6
;
struct
in_addr
addr4
;
struct
in_addr
addr4
;
void
*
addr
;
void
*
addr
;
int
i
=
-
1
,
j
;
/* Try to parse the host as an IP address to see if it is */
/* Try to parse the host as an IP address to see if it is */
if
(
inet_pton
(
AF_INET
,
host
,
&
addr4
))
{
if
(
inet_pton
(
AF_INET
,
host
,
&
addr4
))
{
...
@@ -243,7 +246,7 @@ static int verify_server_cert(git_transport *t, const char *host)
...
@@ -243,7 +246,7 @@ static int verify_server_cert(git_transport *t, const char *host)
/* Check the alternative names */
/* Check the alternative names */
alts
=
X509_get_ext_d2i
(
cert
,
NID_subject_alt_name
,
NULL
,
NULL
);
alts
=
X509_get_ext_d2i
(
cert
,
NID_subject_alt_name
,
NULL
,
NULL
);
if
(
alts
)
{
if
(
alts
)
{
int
num
,
i
;
int
num
;
num
=
sk_GENERAL_NAME_num
(
alts
);
num
=
sk_GENERAL_NAME_num
(
alts
);
for
(
i
=
0
;
i
<
num
&&
matched
!=
1
;
i
++
)
{
for
(
i
=
0
;
i
<
num
&&
matched
!=
1
;
i
++
)
{
...
@@ -257,7 +260,7 @@ static int verify_server_cert(git_transport *t, const char *host)
...
@@ -257,7 +260,7 @@ static int verify_server_cert(git_transport *t, const char *host)
if
(
type
==
GEN_DNS
)
{
if
(
type
==
GEN_DNS
)
{
/* If it contains embedded NULs, don't even try */
/* If it contains embedded NULs, don't even try */
if
(
namelen
!=
strnlen
(
name
,
namelen
))
if
(
memchr
(
name
,
'\0'
,
namelen
))
continue
;
continue
;
if
(
check_host_name
(
name
,
host
)
<
0
)
if
(
check_host_name
(
name
,
host
)
<
0
)
...
@@ -272,22 +275,62 @@ static int verify_server_cert(git_transport *t, const char *host)
...
@@ -272,22 +275,62 @@ static int verify_server_cert(git_transport *t, const char *host)
}
}
GENERAL_NAMES_free
(
alts
);
GENERAL_NAMES_free
(
alts
);
if
(
matched
==
0
)
{
if
(
matched
==
0
)
giterr_set
(
GITERR_SSL
,
"Certificate host name check failed"
);
goto
on_error
;
return
-
1
;
}
if
(
matched
==
1
)
if
(
matched
==
1
)
return
0
;
return
0
;
/* If no alternative names are available, check the common name */
/* If no alternative names are available, check the common name */
peer_name
=
X509_get_subject_name
(
cert
);
peer_name
=
X509_get_subject_name
(
cert
);
X509_NAME_get_text_by_NID
(
peer_name
,
NID_commonName
,
buf
,
sizeof
(
buf
));
if
(
peer_name
==
NULL
)
if
(
strcasecmp
(
host
,
buf
))
{
goto
on_error
;
giterr_set
(
GITERR_NET
,
"CN %s doesn't match host %s
\n
"
,
buf
,
host
);
return
-
1
;
if
(
peer_name
)
{
/* Get the index of the last CN entry */
while
((
j
=
X509_NAME_get_index_by_NID
(
peer_name
,
NID_commonName
,
i
))
>=
0
)
i
=
j
;
}
}
if
(
i
<
0
)
goto
on_error
;
str
=
X509_NAME_ENTRY_get_data
(
X509_NAME_get_entry
(
peer_name
,
i
));
if
(
str
==
NULL
)
goto
on_error
;
/* Work around a bug in OpenSSL whereby ASN1_STRING_to_UTF8 fails if it's already in utf-8 */
if
(
ASN1_STRING_type
(
str
)
==
V_ASN1_UTF8STRING
)
{
int
size
=
ASN1_STRING_length
(
str
);
if
(
size
>
0
)
{
peer_cn
=
OPENSSL_malloc
(
size
+
1
);
GITERR_CHECK_ALLOC
(
peer_cn
);
memcpy
(
peer_cn
,
ASN1_STRING_data
(
str
),
size
);
peer_cn
[
size
]
=
'\0'
;
}
}
else
{
int
size
=
ASN1_STRING_to_UTF8
(
&
peer_cn
,
str
);
GITERR_CHECK_ALLOC
(
peer_cn
);
if
(
memchr
(
peer_cn
,
'\0'
,
size
))
goto
cert_fail
;
}
if
(
check_host_name
((
char
*
)
peer_cn
,
host
)
<
0
)
goto
cert_fail
;
OPENSSL_free
(
peer_cn
);
return
0
;
return
0
;
on_error:
OPENSSL_free
(
peer_cn
);
return
ssl_set_error
(
&
t
->
ssl
,
0
);
cert_fail:
OPENSSL_free
(
peer_cn
);
giterr_set
(
GITERR_SSL
,
"Certificate host name check failed"
);
return
-
1
;
}
}
static
int
ssl_setup
(
git_transport
*
t
,
const
char
*
host
)
static
int
ssl_setup
(
git_transport
*
t
,
const
char
*
host
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment