authorDaniel Silverstone <dsilvers@digital-scurf.org>2019-08-14 20:11:11 +0100
committerDaniel Silverstone <dsilvers@digital-scurf.org>2019-08-14 20:11:11 +0100
commit44f3846727d35ab17be3f779caa4a33548cdc152 (patch)
tree71356c67938b7ee8d5bbb60af66b0f9bf3d937fc /content
parentc903c881e62ce020f53da0b03f4e8f388b9bd986 (diff)
SSL Error: Enable OpenSSL hostname verification
Since OpenSSL 1.0.2 there has been hostname verification support which cURL doesn't turn on for some reason. Turn it on so that we get better hostname verification handling. Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
Diffstat (limited to 'content')
-rw-r--r--content/fetchers/curl.c35
1 files changed, 19 insertions, 16 deletions
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index db41b32cb..50c5d6473 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -39,6 +39,7 @@
#include <time.h>
#include <sys/stat.h>
#include <openssl/ssl.h>
+#include <openssl/x509v3.h>
#include <libwapcaplet/libwapcaplet.h>
#include <nsutils/time.h>
@@ -594,6 +595,9 @@ fetch_curl_report_certs_upstream(struct curl_fetch_info *f)
case X509_V_ERR_CERT_REVOKED:
ssl_certs[depth].err = SSL_CERT_ERR_REVOKED;
break;
+ case X509_V_ERR_HOSTNAME_MISMATCH:
+ ssl_certs[depth].err = SSL_CERT_ERR_HOSTNAME_MISMATCH;
+ break;
default:
ssl_certs[depth].err = SSL_CERT_ERR_UNKNOWN;
break;
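Review bot: The new `case X509_V_ERR_HOSTNAME_MISMATCH:` uses a constant that only exists from OpenSSL 1.0.2 onward, as the commit message itself notes, so against an older libssl this switch no longer compiles; if such builds are still supported, wrap the three added lines in `#if OPENSSL_VERSION_NUMBER >= 0x10002000L` … `#endif`, otherwise record the new minimum OpenSSL version where the build requirements are documented. The sibling code `X509_V_ERR_IP_ADDRESS_MISMATCH` still lands in the `default:` branch as SSL_CERT_ERR_UNKNOWN; the set1_host path this commit adds does not produce it, but if IP-literal hosts are later verified through X509_VERIFY_PARAM_set1_ip_asc it should be mapped to the same mismatch value so the user sees a meaningful error. SSL_CERT_ERR_HOSTNAME_MISMATCH is presumably added to the enum elsewhere in this commit, outside the 'content' diffstat shown here. The enclosing switch and fetch_curl_report_certs_upstream begin outside the hunk.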
@@ -689,9 +693,20 @@ static int fetch_curl_cert_verify_callback(X509_STORE_CTX *x509_ctx, void *parm)
{
struct curl_fetch_info *f = (struct curl_fetch_info *) parm;
int ok;
+ X509_VERIFY_PARAM *vparam;
+
+ /* Configure the verification parameters to include hostname */
+ vparam = X509_STORE_CTX_get0_param(x509_ctx);
+ X509_VERIFY_PARAM_set_hostflags(vparam, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+
+ ok = X509_VERIFY_PARAM_set1_host(vparam,
+ lwc_string_data(f->host),
+ lwc_string_length(f->host));
/* Store fetch struct in context for verify callback */
- ok = X509_STORE_CTX_set_app_data(x509_ctx, parm);
+ if (ok) {
+ ok = X509_STORE_CTX_set_app_data(x509_ctx, parm);
+ }
/* verify the certificate chain using standard call */
if (ok) {
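Review bot: `X509_VERIFY_PARAM_set1_host` is fed f->host unconditionally, but when the URL host is an IP literal OpenSSL matches that string only against dNSName entries and the CN, not iPAddress SANs, so a correctly issued certificate for an address-only host (common on local network devices) will now be rejected as X509_V_ERR_HOSTNAME_MISMATCH. OpenSSL provides `X509_VERIFY_PARAM_set1_ip_asc(vparam, host_as_cstring)` for that case; choosing between the two calls based on whether the host parses as an IPv4/IPv6 address keeps verification strict without false failures, and would also require mapping X509_V_ERR_IP_ADDRESS_MISMATCH in fetch_curl_report_certs_upstream. I cannot tell from the hunk whether f->host can be NULL at this point or whether IPv6 literals still carry their URL brackets; either would need handling before the set1 call, since lwc_string_data on a NULL string and a bracketed address would both go wrong here. The 0 return from set1_host on allocation failure correctly flows into the existing `if (ok)` guards; the function's final return is outside the hunk.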
@@ -1181,21 +1196,9 @@ static void fetch_curl_done(CURL *curl_handle, CURLcode result)
;
} else if (result == CURLE_SSL_PEER_CERTIFICATE ||
result == CURLE_SSL_CACERT) {
- /*
- * curl in 7.63.0 (https://github.com/curl/curl/pull/3291)
- * unified *all* SSL errors into the single
- * CURLE_PEER_FAILED_VERIFICATION depricating
- * CURLE_SSL_PEER_CERTIFICATE and CURLE_SSL_CACERT
- *
- * This change complete removed the ability to
- * distinguish between certificate errors, host
- * verification errors or any other failure reason
- * using the curl result code.
- *
- * The result is when certificate error message is
- * sent there is currently no way of informing the
- * llcache about host verification faliures as the
- * certificate chain has no error codes set.
+ /* Some kind of failure has occurred. If we don't know
+ * what happened, we'll have reported unknown errors up
+ * to the user already via the certificate chain error fields.
*/
cert = true;
} else {
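Review bot: The replacement comment above the `result == CURLE_SSL_PEER_CERTIFICATE || result == CURLE_SSL_CACERT` test drops the one fact a reader needs here, which the removed paragraph carried: curl 7.63.0 unified these two deprecated codes into CURLE_PEER_FAILED_VERIFICATION, so the condition now looks like it distinguishes two errors when on recent curl they are the same value. Keeping one line of that rationale, e.g. `/* Since curl 7.63.0 both codes alias CURLE_PEER_FAILED_VERIFICATION; the per-certificate err fields carry the detail. */`, keeps the branch self-explanatory without restoring the removed paragraph. fetch_curl_done begins and ends outside this hunk.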