[GNUnet-SVN] [gnurl] 59/256: darwinssl: handle long strings in TLS certs

gnunet-svn

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[GNUnet-SVN] [gnurl] 59/256: darwinssl: handle long strings in TLS certs

From:	gnunet
Subject:	[GNUnet-SVN] [gnurl] 59/256: darwinssl: handle long strings in TLS certs
Date:	Fri, 06 Oct 2017 19:42:30 +0200

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to branch master
in repository gnurl.

commit b3b75d1778e3b4f47f6655da5e9012299e3ba6aa
Author: Daniel Stenberg <address@hidden>
AuthorDate: Fri Aug 25 16:56:03 2017 +0200

    darwinssl: handle long strings in TLS certs
    
    ... as the previous fixed length 128 bytes buffer was sometimes too
    small.
    
    Fixes #1823
    Closes #1831
    
    Reported-by: Benjamin Sergeant
    Assisted-by: Bill Pyne, Ray Satiro, Nick Zitzmann
---
 lib/vtls/darwinssl.c | 141 ++++++++++++++++++++++++++-------------------------
 1 file changed, 73 insertions(+), 68 deletions(-)

diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 18751ca49..dda53a651 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -849,7 +849,7 @@ CF_INLINE void GetDarwinVersionNumber(int *major, int 
*minor)
    into a string. Some aren't available under iOS or newer cats. So here's
    a unified function for getting a string describing the certificate that
    ought to work in all cats starting with Leopard. */
-CF_INLINE CFStringRef CopyCertSubject(SecCertificateRef cert)
+CF_INLINE CFStringRef getsubject(SecCertificateRef cert)
 {
   CFStringRef server_cert_summary = CFSTR("(null)");
 
@@ -876,6 +876,39 @@ CF_INLINE CFStringRef CopyCertSubject(SecCertificateRef 
cert)
   return server_cert_summary;
 }
 
+static CURLcode CopyCertSubject(struct Curl_easy *data,
+                                SecCertificateRef cert, char **certp)
+{
+  CFStringRef c = getsubject(cert);
+  CURLcode result = CURLE_OK;
+  char *cbuf = NULL;
+  *certp = NULL;
+
+  /* If subject is not UTF-8 then check if it can be converted */
+  if(!CFStringGetCStringPtr(c, kCFStringEncodingUTF8)) {
+    size_t cbuf_size = ((size_t)CFStringGetLength(c) * 4) + 1;
+    cbuf = calloc(cbuf_size, 1);
+    if(cbuf) {
+      if(!CFStringGetCString(c, cbuf, cbuf_size,
+                             kCFStringEncodingUTF8)) {
+        failf(data, "SSL: invalid CA certificate subject");
+        result = CURLE_SSL_CACERT;
+      }
+      else
+        /* pass back the buffer */
+        *certp = cbuf;
+    }
+    else {
+      failf(data, "SSL: couldn't allocate %zu bytes of memory", cbuf_size);
+      result = CURLE_OUT_OF_MEMORY;
+    }
+  }
+  if(result)
+    free(cbuf);
+  CFRelease(c);
+  return result;
+}
+
 #if CURL_SUPPORT_MAC_10_6
 /* The SecKeychainSearch API was deprecated in Lion, and using it will raise
    deprecation warnings, so let's not compile this unless it's necessary: */
@@ -1418,20 +1451,16 @@ static CURLcode darwinssl_connect_step1(struct 
connectdata *conn,
       /* If we found one, print it out: */
       err = SecIdentityCopyCertificate(cert_and_key, &cert);
       if(err == noErr) {
-        CFStringRef cert_summary = CopyCertSubject(cert);
-        char cert_summary_c[128];
-
-        if(cert_summary) {
-          memset(cert_summary_c, 0, 128);
-          if(CFStringGetCString(cert_summary,
-                                cert_summary_c,
-                                128,
-                                kCFStringEncodingUTF8)) {
-            infof(data, "Client certificate: %s\n", cert_summary_c);
-          }
-          CFRelease(cert_summary);
-          CFRelease(cert);
+        char *certp;
+        CURLcode result = CopyCertSubject(data, cert, &certp);
+        if(!result) {
+          infof(data, "Client certificate: %s\n", certp);
+          free(certp);
         }
+
+        CFRelease(cert);
+        if(result)
+          return result;
       }
       certs_c[0] = cert_and_key;
       certs = CFArrayCreate(NULL, (const void **)certs_c, 1L,
@@ -1875,6 +1904,8 @@ static int append_cert_to_array(struct Curl_easy *data,
                                 CFMutableArrayRef array)
 {
     CFDataRef certdata = CFDataCreate(kCFAllocatorDefault, buf, buflen);
+    char *certp;
+    CURLcode result;
     if(!certdata) {
       failf(data, "SSL: failed to allocate array for CA certificate");
       return CURLE_OUT_OF_MEMORY;
@@ -1889,25 +1920,10 @@ static int append_cert_to_array(struct Curl_easy *data,
     }
 
     /* Check if cacert is valid. */
-    CFStringRef subject = CopyCertSubject(cacert);
-    if(subject) {
-      char subject_cbuf[128];
-      memset(subject_cbuf, 0, 128);
-      if(!CFStringGetCString(subject,
-                            subject_cbuf,
-                            128,
-                            kCFStringEncodingUTF8)) {
-        CFRelease(cacert);
-        failf(data, "SSL: invalid CA certificate subject");
-        return CURLE_SSL_CACERT;
-      }
-      CFRelease(subject);
-    }
-    else {
-      CFRelease(cacert);
-      failf(data, "SSL: invalid CA certificate");
-      return CURLE_SSL_CACERT;
-    }
+    result = CopyCertSubject(data, cacert, &certp);
+    if(result)
+      return result;
+    free(certp);
 
     CFArrayAppendValue(array, cacert);
     CFRelease(cacert);
@@ -2299,8 +2315,6 @@ show_verbose_server_cert(struct connectdata *conn,
 {
   struct Curl_easy *data = conn->data;
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
-  CFStringRef server_cert_summary;
-  char server_cert_summary_c[128];
   CFArrayRef server_certs = NULL;
   SecCertificateRef server_cert;
   OSStatus err;
@@ -2319,16 +2333,14 @@ show_verbose_server_cert(struct connectdata *conn,
   if(err == noErr && trust) {
     count = SecTrustGetCertificateCount(trust);
     for(i = 0L ; i < count ; i++) {
+      CURLcode result;
+      char *certp;
       server_cert = SecTrustGetCertificateAtIndex(trust, i);
-      server_cert_summary = CopyCertSubject(server_cert);
-      memset(server_cert_summary_c, 0, 128);
-      if(CFStringGetCString(server_cert_summary,
-                            server_cert_summary_c,
-                            128,
-                            kCFStringEncodingUTF8)) {
-        infof(data, "Server certificate: %s\n", server_cert_summary_c);
+      result = CopyCertSubject(data, server_cert, &certp);
+      if(!result) {
+        infof(data, "Server certificate: %s\n", certp);
+        free(certp);
       }
-      CFRelease(server_cert_summary);
     }
     CFRelease(trust);
   }
@@ -2347,16 +2359,14 @@ show_verbose_server_cert(struct connectdata *conn,
     if(err == noErr && trust) {
       count = SecTrustGetCertificateCount(trust);
       for(i = 0L ; i < count ; i++) {
+        char *certp;
+        CURLcode result;
         server_cert = SecTrustGetCertificateAtIndex(trust, i);
-        server_cert_summary = CopyCertSubject(server_cert);
-        memset(server_cert_summary_c, 0, 128);
-        if(CFStringGetCString(server_cert_summary,
-                              server_cert_summary_c,
-                              128,
-                              kCFStringEncodingUTF8)) {
-          infof(data, "Server certificate: %s\n", server_cert_summary_c);
+        result = CopyCertSubject(data, server_cert, &certp);
+        if(!result) {
+          infof(data, "Server certificate: %s\n", certp);
+          free(certp);
         }
-        CFRelease(server_cert_summary);
       }
       CFRelease(trust);
     }
@@ -2368,18 +2378,15 @@ show_verbose_server_cert(struct connectdata *conn,
     if(err == noErr && server_certs) {
       count = CFArrayGetCount(server_certs);
       for(i = 0L ; i < count ; i++) {
+        char *certp;
+        CURLcode result;
         server_cert = (SecCertificateRef)CFArrayGetValueAtIndex(server_certs,
                                                                 i);
-
-        server_cert_summary = CopyCertSubject(server_cert);
-        memset(server_cert_summary_c, 0, 128);
-        if(CFStringGetCString(server_cert_summary,
-                              server_cert_summary_c,
-                              128,
-                              kCFStringEncodingUTF8)) {
-          infof(data, "Server certificate: %s\n", server_cert_summary_c);
+        result = CopyCertSubject(data, server_cert, &certp);
+        if(!result) {
+          infof(data, "Server certificate: %s\n", certp);
+          free(certp);
         }
-        CFRelease(server_cert_summary);
       }
       CFRelease(server_certs);
     }
@@ -2392,16 +2399,14 @@ show_verbose_server_cert(struct connectdata *conn,
   if(err == noErr) {
     count = CFArrayGetCount(server_certs);
     for(i = 0L ; i < count ; i++) {
+      CURLcode result;
+      char *certp;
       server_cert = (SecCertificateRef)CFArrayGetValueAtIndex(server_certs, i);
-      server_cert_summary = CopyCertSubject(server_cert);
-      memset(server_cert_summary_c, 0, 128);
-      if(CFStringGetCString(server_cert_summary,
-                            server_cert_summary_c,
-                            128,
-                            kCFStringEncodingUTF8)) {
-        infof(data, "Server certificate: %s\n", server_cert_summary_c);
+      result = CopyCertSubject(data, server_cert, &certp);
+      if(!result) {
+        infof(data, "Server certificate: %s\n", certp);
+        free(certp);
       }
-      CFRelease(server_cert_summary);
     }
     CFRelease(server_certs);
   }

-- 
To stop receiving notification emails like this one, please contact
address@hidden

[Prev in Thread]

Current Thread

[Next in Thread]

[GNUnet-SVN] [gnurl] 153/256: curl.h: use lower case curl_mime* as for all public symbols, (continued)
- [GNUnet-SVN] [gnurl] 153/256: curl.h: use lower case curl_mime* as for all public symbols, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 171/256: http-proxy: when not doing CONNECT, that phase is done immediately, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 175/256: configure: check for C++ compiler after C, to make it non-fatal, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 72/256: axtls: reorder functions topologically, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 165/256: HISTORY: added some recent items, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 132/256: tool_formparse: fix some trivial warnings, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 35/256: mailmap: de-duplify some git authors, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 221/256: imap: quote atoms properly when escaping characters, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 219/256: vtls: provide curl_global_sslset() even in non-SSL builds, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 217/256: openssl: only verify RSA private key if supported, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 59/256: darwinssl: handle long strings in TLS certs, gnunet <=
- [GNUnet-SVN] [gnurl] 73/256: schannel: reorder functions topologically, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 69/256: vtls: move sha256sum into the Curl_ssl struct, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 195/256: rtsp: Segfault in rtsp.c when using WRITEDATA, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 253/256: build-openssl.bat: Warn OpenSSL 1.1.0 not yet supported, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 30/256: metalink: adjust source code style, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 149/256: docs/curl_mime_*.3: added examples, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 93/256: configure: allow setting the default SSL backend, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 224/256: metalink: fix NSS issue in MultiSSL builds, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 198/256: non-ascii: use iconv() with 'char **' argument, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 136/256: RELEASE-NOTES: synced with 1ab9e9b50, gnunet, 2017/10/06

Prev by Date: [GNUnet-SVN] [gnurl] 217/256: openssl: only verify RSA private key if supported
Next by Date: [GNUnet-SVN] [gnurl] 73/256: schannel: reorder functions topologically
Previous by thread: [GNUnet-SVN] [gnurl] 217/256: openssl: only verify RSA private key if supported
Next by thread: [GNUnet-SVN] [gnurl] 73/256: schannel: reorder functions topologically
Index(es):
- Date
- Thread