Content - eb0b3854cbb05f129e686384a30c9e49a75b0439 - d6336bb/patches/libgit2-mbedtls-verify.patch

libgit2-mbedtls-verify.patch
commit eefe88eaf8c5c5b7c9a596da79e68dca3a3234d4
Author: Curtis Vogt <curtis.vogt@gmail.com>
Date:   Thu Jun 29 16:30:53 2017 -0500

    Use mbedtls certificate verification
    
    Letting mbedtls handle all certficate verification and removed the
    custom alternative names and common name checking.

diff --git a/src/streams/mbedtls.c b/src/streams/mbedtls.c
index 0376ee4..e456ea8 100644
--- a/src/streams/mbedtls.c
+++ b/src/streams/mbedtls.c
@@ -228,82 +228,19 @@ static int ssl_teardown(mbedtls_ssl_context *ssl)
 	return ret;
 }
 
-static int check_host_name(const char *name, const char *host)
-{
-	if (!strcasecmp(name, host))
-		return 0;
-
-	if (gitno__match_host(name, host) < 0)
-		return -1;
-
-	return 0;
-}
-
 static int verify_server_cert(mbedtls_ssl_context *ssl, const char *host)
 {
-	const mbedtls_x509_crt *cert;
-	const mbedtls_x509_sequence *alts;
-	int ret, matched = -1;
-	size_t sn_size = 512;
-	char subject_name[sn_size], alt_name[sn_size];
-
+	int ret = -1;
+	(void)(host);  // Suppress unused parameter warning
 
 	if ((ret = mbedtls_ssl_get_verify_result(ssl)) != 0) {
 		char vrfy_buf[512];
-		mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", ret );
-		giterr_set(GITERR_SSL, "The SSL certificate is invalid: %s", vrfy_buf);
+		mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "", ret);
+		giterr_set(GITERR_SSL, "The SSL certificate is invalid: %x - %s", ret, vrfy_buf);
 		return GIT_ECERTIFICATE;
 	}
 
-	cert = mbedtls_ssl_get_peer_cert(ssl);
-	if (!cert) {
-		giterr_set(GITERR_SSL, "the server did not provide a certificate");
-		return -1;
-	}
-
-	/* Check the alternative names */
-	alts = &cert->subject_alt_names;
-	while (alts != NULL && matched != 1) {
-		// Buffer is too small
-		if( alts->buf.len >= sn_size )
-			goto on_error;
-
-		memcpy(alt_name, alts->buf.p, alts->buf.len);
-		alt_name[alts->buf.len] = '\0';
-
-		if (!memchr(alt_name, '\0', alts->buf.len)) {
-			if (check_host_name(alt_name, host) < 0)
-				matched = 0;
-			else
-				matched = 1;
-		}
-
-		alts = alts->next;
-	}
-	if (matched == 0)
-		goto cert_fail_name;
-
-	if (matched == 1)
-		return 0;
-
-	/* If no alternative names are available, check the common name */
-	ret = mbedtls_x509_dn_gets(subject_name, sn_size, &cert->subject);
-	if (ret == 0)
-		goto on_error;
-	if (memchr(subject_name, '\0', ret))
-		goto cert_fail_name;
-
-	if (check_host_name(subject_name, host) < 0)
-		goto cert_fail_name;
-
 	return 0;
-
-on_error:
-	return ssl_set_error(ssl, 0);
-
-cert_fail_name:
-	giterr_set(GITERR_SSL, "hostname does not match certificate");
-	return GIT_ECERTIFICATE;
 }
 
 typedef struct {