libgit2-mbedtls-verify.patch
commit eefe88eaf8c5c5b7c9a596da79e68dca3a3234d4
Author: Curtis Vogt <curtis.vogt@gmail.com>
Date: Thu Jun 29 16:30:53 2017 -0500
Use mbedtls certificate verification
Letting mbedtls handle all certficate verification and removed the
custom alternative names and common name checking.
diff --git a/src/streams/mbedtls.c b/src/streams/mbedtls.c
index 0376ee4..e456ea8 100644
--- a/src/streams/mbedtls.c
+++ b/src/streams/mbedtls.c
@@ -228,82 +228,19 @@ static int ssl_teardown(mbedtls_ssl_context *ssl)
return ret;
}
-static int check_host_name(const char *name, const char *host)
-{
- if (!strcasecmp(name, host))
- return 0;
-
- if (gitno__match_host(name, host) < 0)
- return -1;
-
- return 0;
-}
-
static int verify_server_cert(mbedtls_ssl_context *ssl, const char *host)
{
- const mbedtls_x509_crt *cert;
- const mbedtls_x509_sequence *alts;
- int ret, matched = -1;
- size_t sn_size = 512;
- char subject_name[sn_size], alt_name[sn_size];
-
+ int ret = -1;
+ (void)(host); // Suppress unused parameter warning
if ((ret = mbedtls_ssl_get_verify_result(ssl)) != 0) {
char vrfy_buf[512];
- mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
- giterr_set(GITERR_SSL, "The SSL certificate is invalid: %s", vrfy_buf);
+ mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "", ret);
+ giterr_set(GITERR_SSL, "The SSL certificate is invalid: %x - %s", ret, vrfy_buf);
return GIT_ECERTIFICATE;
}
- cert = mbedtls_ssl_get_peer_cert(ssl);
- if (!cert) {
- giterr_set(GITERR_SSL, "the server did not provide a certificate");
- return -1;
- }
-
- /* Check the alternative names */
- alts = &cert->subject_alt_names;
- while (alts != NULL && matched != 1) {
- // Buffer is too small
- if( alts->buf.len >= sn_size )
- goto on_error;
-
- memcpy(alt_name, alts->buf.p, alts->buf.len);
- alt_name[alts->buf.len] = '\0';
-
- if (!memchr(alt_name, '\0', alts->buf.len)) {
- if (check_host_name(alt_name, host) < 0)
- matched = 0;
- else
- matched = 1;
- }
-
- alts = alts->next;
- }
- if (matched == 0)
- goto cert_fail_name;
-
- if (matched == 1)
- return 0;
-
- /* If no alternative names are available, check the common name */
- ret = mbedtls_x509_dn_gets(subject_name, sn_size, &cert->subject);
- if (ret == 0)
- goto on_error;
- if (memchr(subject_name, '\0', ret))
- goto cert_fail_name;
-
- if (check_host_name(subject_name, host) < 0)
- goto cert_fail_name;
-
return 0;
-
-on_error:
- return ssl_set_error(ssl, 0);
-
-cert_fail_name:
- giterr_set(GITERR_SSL, "hostname does not match certificate");
- return GIT_ECERTIFICATE;
}
typedef struct {