moparisthebest
/
curl
mirror of https://github.com/moparisthebest/curl
1
0
Fork 0
Code Issues Releases Wiki Activity

mbedtls/polarssl: set "hostname" unconditionally 

...as otherwise the TLS libs will skip the CN/SAN check and just allow
connection to any server. curl previously skipped this function when SNI
wasn't used or when connecting to an IP address specified host.

CVE-2016-3739

Bug: https://curl.haxx.se/docs/adv_20160518A.html
Reported-by: Moti Avrahami
This commit is contained in:
Daniel Stenberg 2016-04-24 17:52:18 +02:00
parent 5db313985e
commit 6efd2fa529
2 changed files with 12 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
lib/vtls/mbedtls.c
View File

@ -391,13 +391,12 @@ mbed_connect_step1(struct connectdata *conn,
mbedtls_ssl_conf_own_cert(&connssl->config,
&connssl->clicert, &connssl->pk);
}
if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
#ifdef ENABLE_IPV6
!Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
#endif
sni && mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
infof(data, "WARNING: failed to configure "
"server name indication (SNI) TLS extension\n");
if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
/* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and*
the name to set in the SNI extension. So even if curl connects to a
host specified as an IP address, this function must be used. */
failf(data, "couldn't set hostname in mbedTLS");
return CURLE_SSL_CONNECT_ERROR;
}
#ifdef HAS_ALPN

13
lib/vtls/polarssl.c
View File

@ -354,13 +354,12 @@ polarssl_connect_step1(struct connectdata *conn,
ssl_set_own_cert_rsa(&connssl->ssl,
&connssl->clicert, &connssl->rsa);
if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
#ifdef ENABLE_IPV6
!Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
#endif
sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) {
infof(data, "WARNING: failed to configure "
"server name indication (SNI) TLS extension\n");
if(ssl_set_hostname(&connssl->ssl, conn->host.name)) {
/* ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name
to set in the SNI extension. So even if curl connects to a host
specified as an IP address, this function must be used. */
failf(data, "couldn't set hostname in PolarSSL");
return CURLE_SSL_CONNECT_ERROR;
}
#ifdef HAS_ALPN