lynx-dev

Re: [Lynx-dev] [PATCH] wildcard matching for SSL cert CN


From: Stef Caunter
Subject: Re: [Lynx-dev] [PATCH] wildcard matching for SSL cert CN
Date: Fri, 23 Jul 2004 00:27:06 -0400 (EDT)

Does this still test for the hash of the cert in SSL_CERT_DIR? Since this is
where the system level trust decision is made it should follow that setting
from

FORCE_SSL_PROMPT:PROMPT

in lynx.cfg.

It might be an idea to be able to toggle accepting wildcard certs or being
stricter on the matching of CN to hostname (if interested).
Since it is at times desirable to be quite fussy about the certificates you
accept some users may appreciate additional granularity.

__Stef

http://caunter.ca/contact.html

On Wed, 21 Jul 2004, Thorsten Glaser wrote:

> Date: Wed, 21 Jul 2004 17:11:37 +0000
> From: Thorsten Glaser <address@hidden>
> To: address@hidden
> Subject: [Lynx-dev] [PATCH] wildcard matching for SSL cert CN
>
> Hello people,
>
> the SSL certificate CN optimizer strikes back, part 2:
>
> in the first episode, I was annoyed that a server with HTTPS on
> a non-default port was not matched correctly - that code has been
> in for quite some time now.
>
> But look what happens when you go to www.cvshome.org - you are
> redirected to https://www.cvshome.org/ which has got an SSL
> certificate of *.cvshome.org - apparently using wildcards.
>
> Since I don't think it's "bad to have", am able to implement
> it (hopefully correctly) and tested that, I think we should
> take this diff even if I didn't look into the standards.
>
> Hostnames are, as usual, matched case-insensitively but not
> locale-specifically (they're quite limited, character-wise,
> anyway).
>
> Have fun!
>
> Index: HTString.c
> ===================================================================
> RCS file: /cvs/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTString.c,v
> retrieving revision 1.1.3.4
> retrieving revision 1.4
> diff -d -u -r1.1.3.4 -r1.4
> --- HTString.c        15 Jul 2004 15:46:43 -0000      1.1.3.4
> +++ HTString.c        21 Jul 2004 17:05:52 -0000      1.4
> @@ -155,6 +157,37 @@
>      return ((long) n < 0 ? 0 : cm[*us1] - cm[*--us2]);
>  }
>
> +int strcasecomp_asterisk(const char *a, const char *b)
> +{
> +     unsigned char *cm = charmap;
> +     unsigned char *us1 = (unsigned char *) a;
> +     unsigned char *us2 = (unsigned char *) b;
> +
> +     if ((*a != '*') && (*b != '*'))
> +             return strcasecomp(a, b);
> +
> +     if (*b == '*') {
> +             us1 = us2;
> +             us2 = (unsigned char *) a;
> +     }
> +
> +     if (strlen(us2) < (strlen(us1) - 1))
> +             return 1;
> +
> +     while (*++us1 != '\0')
> +             ;
> +     while (*++us2 != '\0')
> +             ;
> +
> +     while (1) {
> +             if (cm[*--us1] != cm[*--us2])
> +                     return 1;
> +             if ((*--us1) == '*')
> +                     return 0;
> +             --us2;
> +     }
> +}
> +
>  #else /* SH_EX */
>
>  /*   Strings of any length
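Review bot: The `while (1)` loop steps `us1` twice per iteration (once in `cm[*--us1]`, again in `if ((*--us1) == '*')`) and `us2` twice as well (the compare plus the trailing `--us2`), so every second character of both strings is never compared, and whether the leading '*' is seen by the asterisk test or lands in the compare (returning 1) depends on the parity of the pattern length: for the 13-character `*.cvshome.org` against `www.cvshome.org` this variant returns 1 (mismatch). Test `*us1` before decrementing and step each pointer once per iteration, as the variant in the next hunk does. Two smaller points: `strlen(us1)` and `strlen(us2)` pass `unsigned char *` where `const char *` is expected (use `a`/`b` or cast), and the header `@@ -155,6 +157,37 @@` shows the diff was taken against a tree carrying other local changes, so it may not apply cleanly to the upstream file.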
> @@ -201,6 +234,36 @@
>           return diff;
>      }
>      /*NOTREACHED */
> +}
> +
> +int strcasecomp_asterisk(const char *a, const char *b)
> +{
> +     unsigned char *us1 = (unsigned char *) a;
> +     unsigned char *us2 = (unsigned char *) b;
> +
> +     if ((*a != '*') && (*b != '*'))
> +             return strcasecomp(a, b);
> +
> +     if (*b == '*') {
> +             us1 = us2;
> +             us2 = (unsigned char *) a;
> +     }
> +
> +     if (strlen(us2) < (strlen(us1) - 1))
> +             return 1;
> +
> +     while (*++us1 != '\0')
> +             ;
> +     while (*++us2 != '\0')
> +             ;
> +
> +     while (1) {
> +             if (TOLOWER(*us1) != TOLOWER(*us2))
> +                     return 1;
> +             if ((*--us1) == '*')
> +                     return 0;
> +             --us2;
> +     }
>  }
>
>  #endif /* SH_EX */
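Review bot: This variant walks both strings in lockstep from the terminators and stops when the pattern reaches its '*', which is a correct suffix match, but nothing constrains what the '*' absorbed: `*.cvshome.org` also matches `a.b.cvshome.org`, and because the length check admits `strlen(us2) == strlen(us1) - 1` it matches the bare `.cvshome.org` too. If the intended semantics is the usual one-label wildcard, before `return 0` check that the unmatched prefix of the host is non-empty and contains no '.'. The two variants should also behave identically; right now the one in the previous hunk does not.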
> Index: HTString.h
> ===================================================================
> RCS file: /cvs/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTString.h,v
> retrieving revision 1.1.3.4
> retrieving revision 1.4
> diff -d -u -r1.1.3.4 -r1.4
> --- HTString.h        15 Jul 2004 15:46:12 -0000      1.1.3.4
> +++ HTString.h        21 Jul 2004 17:05:53 -0000      1.4
> @@ -42,10 +44,15 @@
>  extern int strcasecomp8(const char *a, const char *b);
>  extern int strncasecomp8(const char *a, const char *b, int n);
>
> +extern int strcasecomp_asterisk(const char *a, const char *b);
> +
>         /*
>          * strcasecomp8 and strncasecomp8 are variants of strcasecomp and
>          * strncasecomp, but use 8bit upper/lower case information from the
>          * current display charset
> +     * strcasecomp_asterisk does a comparision from right IF AND ONLY
> +     * IF one of the values starts with an asterisk wildcard, and then
> +     * it only returns if the strings are equal (0) or not (1)
>          */
>
>  /*
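Review bot: The new comment has a typo (`comparision`) and understates what callers need to know: the right-to-left compare is used when either argument starts with '*' (not only the certificate side), the result is 0/1 rather than an ordering like `strcasecomp`, and there is no limit on how much the '*' absorbs, so `*.example.org` currently matches any depth of subdomain. Document those properties (or tighten the function to a single-label wildcard and document that rule instead).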
> Index: HTTP.c
> ===================================================================
> RCS file: /cvs/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTP.c,v
> retrieving revision 1.1.3.5
> retrieving revision 1.7
> diff -d -u -r1.1.3.5 -r1.7
> --- HTTP.c    15 Jul 2004 15:47:10 -0000      1.1.3.5
> +++ HTTP.c    21 Jul 2004 17:05:53 -0000      1.7
> @@ -602,7 +604,7 @@
>           ssl_host = HTParse(url, "", PARSE_HOST);
>           if ((p = strchr(ssl_host, ':')) != NULL)
>               *p = '\0';
> -         if (strcasecomp(ssl_host, cert_host)) {
> +         if (strcasecomp_asterisk(ssl_host, cert_host)) {
>               HTSprintf0(&msg,
>                          gettext("SSL error:host(%s)!=cert(%s)-Continue?"),
>                          ssl_host,
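Review bot: `strcasecomp_asterisk(ssl_host, cert_host)` treats either argument as the pattern, but only the certificate name should be allowed to carry a wildcard; a host taken from the URL must never be matched as a pattern against the cert. Either make the helper asymmetric or check `*cert_host == '*'` here before calling it. This call site is also the natural place for the stricter/looser behaviour Stef asks about: gating the wildcard path on a lynx.cfg setting would let users who want exact CN matching keep the prompt.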
>
>
> //Thorsten
> --
> Currently blocking eMail from the following domains: bigpond.com, biz, gmx.de,
> gmx.net, hotmail.com, info, jumpy.it, libero.it, name, netscape.net,
> postino.it, simplesnet.pt, spymac.com, tatanova.com, tiscali.co.uk,
> tiscali.cz, tiscali.de, tiscali.it, voila.fr, yahoo.co.uk, yahoo.com.
>
>
> _______________________________________________
> Lynx-dev mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/lynx-dev
>
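A stricter matcher of the kind Stef's reply asks for, added here as an illustration and not code from the posted patch or from Lynx: `wildcard_host_match` and `ascii_casecmp` are names chosen for this example. It keeps the 0 (match) / 1 (mismatch) convention of the patch, honours '*' only as the whole leftmost label of the certificate name, never as part of the host, and lets it stand for exactly one non-empty host label, so `*.cvshome.org` matches `www.cvshome.org` but not `a.b.cvshome.org`, `cvshome.org` or `xcvshome.org`.

```c
#include <ctype.h>
#include <string.h>

/* ASCII-only, case-insensitive equality: 0 if equal, 1 otherwise
 * (the 0/1 convention of strcasecomp_asterisk in the patch). */
static int ascii_casecmp(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = tolower((unsigned char) *a);
        int cb = tolower((unsigned char) *b);
        if (ca != cb)
            return 1;
        if (ca == '\0')
            return 0;
    }
}

/* Match a host name against a certificate name that may start with a
 * wildcard. Returns 0 on match, 1 on mismatch. Only the certificate
 * side is treated as a pattern, '*' must be the entire leftmost label,
 * and it stands for exactly one non-empty host label. */
int wildcard_host_match(const char *host, const char *cert_name)
{
    const char *dot;

    if (cert_name[0] != '*')                    /* no wildcard: exact compare */
        return ascii_casecmp(host, cert_name);
    if (cert_name[1] != '.')                    /* "*cvshome.org", bare "*" */
        return 1;
    if (strchr(cert_name + 2, '*') != NULL)     /* a second '*' is rejected */
        return 1;
    if (strchr(cert_name + 2, '.') == NULL)     /* "*.org" would cover a TLD */
        return 1;

    /* The host's leftmost label is what '*' absorbs; it must exist and
     * be non-empty, and everything after it must equal the rest of the
     * pattern, so "a.b.cvshome.org" does not match "*.cvshome.org". */
    dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 1;
    return ascii_casecmp(dot, cert_name + 1);
}
```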