Re: git: 77d788e23d09 - main - libfetch: specify OpenSSL 1.1 APIs

In reply to: Ed Maste : "git: 77d788e23d09 - main - libfetch: specify OpenSSL 1.1 APIs"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Steffen Nurpmeso <steffen_at_sdaoden.eu>
Date: Thu, 25 May 2023 18:57:26 UTC

Hello.

Ed Maste wrote in
 <202305251716.34PHGwJc044622@gitrepo.freebsd.org>:
 |The branch main has been updated by emaste:
 |
 |URL: https://cgit.FreeBSD.org/src/commit/?id=77d788e23d0964053b81b5de307\
 |fa04bd1ccadc5
 |
 |commit 77d788e23d0964053b81b5de307fa04bd1ccadc5
 |Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
 |AuthorDate: 2023-05-25 06:46:02 +0000
 |Commit:     Ed Maste <emaste@FreeBSD.org>
 |CommitDate: 2023-05-25 17:15:45 +0000
 |
 |    libfetch: specify OpenSSL 1.1 APIs
 ...

Btw out of interest (sorry to be here again) i looked into that
just now, and it seems to me, i may be mistaken and should reread
anything from scratch etc etc, that

   * the client. This includes wildcard matching. The algorithm is based on
   * RFC6125, sections 6.4.3 and 7.2, which clarifies RFC2818 and RFC3280.
   */
  static int
  fetch_ssl_hname_match(const char *h, size_t hlen, const char *m,
      size_t mlen)

and its claim

        /*
         * there must be at least two more domain labels and
         * wildcard has to be in the leftmost label (RFC6125)
         */

that can be verified is the way it works (that code uses too much
in-place string-offset calculations so i copied it out to a file
"t.c" and tried it by running):

  #?148|kent:tmp$ tcc -run t.c www.x.com www.x.com
  #?0|kent:tmp$ tcc -run t.c www.x.com www.xs.com

^ ? -> $? of last command

  #?1|kent:tmp$ tcc -run t.c www.x.com *.x.com
  #?0|kent:tmp$ tcc -run t.c www.com *.com
  #?1|kent:tmp$ jobs

ie it really imposes a two-more-domain-labels rule, cannot be
found in the mentioned RFC 6125 (despite RFC 2595 defines
wildcard, as in Appendix B.1 of 6125)?

I think the imposed two-more-domain-labels is libfetch specific.

(Other than that looking into causes trouble as re-verifying what
i do leads to manual entries like "considered deprecated" for
X509_NAME_get_text_by_NID, whereas libfetch is far off.  Sigh.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|~~
|..and in spring, hear David Leonard sing..
|
|The black bear,          The black bear,
|blithely holds his own   holds himself at leisure
|beating it, up and down  tossing over his ups and downs with pleasure
|~~
|Farewell, dear collar bear