mbedtls/polarssl: set "hostname" unconditionally
...as otherwise the TLS libs will skip the CN/SAN check and just allow a connection to any server. curl previously skipped this function when SNI wasn't used or when connecting to a host specified as an IP address. CVE-2016-3739 Bug: https://curl.haxx.se/docs/adv_20160518A.html Reported-by: Moti Avrahami
parent
5db313985e
commit
6efd2fa529
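--- a/<mbedTLS backend source; path not shown on page>
+++ b/<mbedTLS backend source; path not shown on page>
@@ -391,13 +391,12 @@ mbed_connect_step1(struct connectdata *conn,
 mbedtls_ssl_conf_own_cert(&connssl->config,
 &connssl->clicert, &connssl->pk);
 }
-if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
-#ifdef ENABLE_IPV6
-!Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
-#endif
-sni && mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
-infof(data, "WARNING: failed to configure "
-"server name indication (SNI) TLS extension\n");
+if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
+/* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and*
+the name to set in the SNI extension. So even if curl connects to a
+host specified as an IP address, this function must be used. */
+failf(data, "couldn't set hostname in mbedTLS");
+return CURLE_SSL_CONNECT_ERROR;
 }
 
 #ifdef HAS_ALPN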
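Review bot: The removed `Curl_inet_pton()`/`sni` condition was the only visible reader of `addr` and `sni` in this hunk, and both appear to be declared earlier in mbed_connect_step1 outside the hunk; unless the rest of the function still uses them they are now dead and will draw unused-variable warnings, so their declarations and the code that computes `sni` should go too (the same applies to the polarssl_connect_step1 hunk below). Calling mbedtls_ssl_set_hostname() unconditionally also means an IP-literal host name is sent in the SNI extension, which RFC 6066 does not allow for literal addresses; the new comment justifies the trade-off, and one extra sentence would make the acceptance explicit, e.g. `/* An IP literal then also goes out as the SNI host_name; that is tolerated so the CN/SAN check is never skipped. */`. Failing hard with CURLE_SSL_CONNECT_ERROR instead of the old infof() warning is the right choice, since a hostname that was never set silently disables peer name verification. mbed_connect_step1 begins and continues outside this hunk.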
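--- a/<PolarSSL backend source; path not shown on page>
+++ b/<PolarSSL backend source; path not shown on page>
@@ -354,13 +354,12 @@ polarssl_connect_step1(struct connectdata *conn,
 ssl_set_own_cert_rsa(&connssl->ssl,
 &connssl->clicert, &connssl->rsa);
 
-if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
-#ifdef ENABLE_IPV6
-!Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
-#endif
-sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) {
-infof(data, "WARNING: failed to configure "
-"server name indication (SNI) TLS extension\n");
+if(ssl_set_hostname(&connssl->ssl, conn->host.name)) {
+/* ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name
+to set in the SNI extension. So even if curl connects to a host
+specified as an IP address, this function must be used. */
+failf(data, "couldn't set hostname in PolarSSL");
+return CURLE_SSL_CONNECT_ERROR;
 }
 
 #ifdef HAS_ALPN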