View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0003038GNUnetGNSpublic2013-09-18 15:342013-12-24 20:54
ReporterChristian Grothoff Assigned ToChristian Grothoff  
PrioritynormalSeverityfeatureReproducibilityN/A
Status closedResolutionfixed 
Product VersionGit master 
Target Version0.10.0Fixed in Version0.10.0 
Summary0003038: gnunet-gns-proxy does not properly validate SSL certificates
DescriptionRight now, it fprintf's the certs, but does not check if they match the LEHO record. Also, even the printing may not work depending on how libcurl was compiled (the documentation says it only works with OpenSSL, so we may have need for a libcurl improvement here as well).
TagsNo tags attached.
Attached Files
0001-Adding-support-for-CURLINFO_CERTINFO-when-compiled-w.patch (2,747 bytes)    
From e70671769c65826efc07a9da8a75a694e9619140 Mon Sep 17 00:00:00 2001
From: Christian Grothoff <christian@grothoff.org>
Date: Wed, 18 Sep 2013 22:00:55 +0200
Subject: [PATCH] Adding support for CURLINFO_CERTINFO when compiled with
 GnuTLS.

This change exposes the server's x509 certificate chain to
the client via the CURLINFO_CERTINFO mechanism, which
previously was documented to only work for OpenSSL.  However,
the format in which the certificate is returned maybe
slightly different: as implemented, GnuTLS provides more
information in a human-readable fashion.  The OpenSSL
format as generated from the code seemed also rather
ad-hoc, so I'm not sure if this is OK or not.  I would
prefer if both mechanisms were changed to output some
standard format that can be easily processed later (DER
would be best), but for that a new option (like
CURLINFO_CERTINFO_PEM) should probably be introduced;
this change is less invasive and should improve
compatibility between the OpenSSL and GnuTLS-based
variants of libcurl.

Note that I did not update the documentation itself.
---
 lib/gtls.c |   29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/lib/gtls.c b/lib/gtls.c
index 700e46a..6f5536b 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -51,6 +51,7 @@
 #include "connect.h" /* for the connect timeout */
 #include "select.h"
 #include "rawstr.h"
+#include "slist.h"
 
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
@@ -605,6 +606,34 @@ gtls_connect_step3(struct connectdata *conn,
     infof(data, "\t common name: WARNING couldn't obtain\n");
   }
 
+  if(0 == Curl_ssl_init_certinfo (data, cert_list_size)) {
+    unsigned int i;
+
+    for(i=0;i<cert_list_size;i++) {
+      gnutls_x509_crt_t cert;
+      gnutls_datum_t dn;
+
+      if(GNUTLS_E_SUCCESS == gnutls_x509_crt_init (&cert)) {
+        if((GNUTLS_E_SUCCESS ==
+            gnutls_x509_crt_import (cert, &chainp[i],
+                                    GNUTLS_X509_FMT_DER)) &&
+           (GNUTLS_E_SUCCESS ==
+            gnutls_x509_crt_print (cert,
+                                   GNUTLS_CRT_PRINT_FULL,
+                                   &dn))) {
+          char *output;
+          struct curl_certinfo * ci = &data->info.certs;
+
+          output = curl_maprintf ("%.*s", dn.size, dn.data);
+          gnutls_free (dn.data);
+          if(NULL != output)
+            ci->certinfo[i] = Curl_slist_append_nodup (NULL, output);
+        }
+        gnutls_x509_crt_deinit (cert);
+      }
+    }
+  }
+
   if(data->set.ssl.verifypeer) {
     /* This function will try to verify the peer's certificate and return its
        status (trusted, invalid etc.). The value of status should be one or
-- 
1.7.10.4
0001-Adding-support-for-CURLINFO_CERTINFO-when-compiled-w.patch (2,747 bytes)   

Relationships

parent of 0002526 closedChristian Grothoff GNS proxy does not validate DANE/TLSA records 

Activities

Christian Grothoff

2013-09-18 22:16

manager   ~0007464

The attached patch (to curl git head) adds support for returning certificates via the CURLINFO_CERTINFO mechanism for curl with GnuTLS. I still don't like it, as we'd really prefer to get the PEM encoding back instead. Well, to be discussed with the cURL folks.

Christian Grothoff

2013-10-21 17:26

manager   ~0007551

In combination with the CURL patch the verification is now implemented.

Christian Grothoff

2013-10-23 12:54

manager   ~0007560

By moving to libgnurl, this is now for sure done.

Issue History

Date Modified Username Field Change
2013-09-18 15:34 Christian Grothoff New Issue
2013-09-18 15:34 Christian Grothoff Status new => assigned
2013-09-18 15:34 Christian Grothoff Assigned To => Matthias Wachs
2013-09-18 15:34 Christian Grothoff Assigned To Matthias Wachs =>
2013-09-18 15:34 Christian Grothoff Target Version 0.10.1 => 0.11.0pre66
2013-09-18 15:35 Christian Grothoff Relationship added parent of 0002526
2013-09-18 15:36 Christian Grothoff Status assigned => confirmed
2013-09-18 22:16 Christian Grothoff File Added: 0001-Adding-support-for-CURLINFO_CERTINFO-when-compiled-w.patch
2013-09-18 22:16 Christian Grothoff Note Added: 0007464
2013-10-20 20:36 Christian Grothoff Target Version 0.11.0pre66 => 0.10.1
2013-10-20 20:36 Christian Grothoff Assigned To => Christian Grothoff
2013-10-20 20:36 Christian Grothoff Status confirmed => assigned
2013-10-21 17:26 Christian Grothoff Note Added: 0007551
2013-10-23 12:54 Christian Grothoff Note Added: 0007560
2013-10-23 12:54 Christian Grothoff Status assigned => resolved
2013-10-23 12:54 Christian Grothoff Fixed in Version => 0.10.0
2013-10-23 12:54 Christian Grothoff Resolution open => fixed
2013-10-23 12:54 Christian Grothoff Target Version 0.10.1 => 0.10.0
2013-12-24 20:54 Christian Grothoff Status resolved => closed