moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-10-31 15:45:12 -04:00
Code Issues Releases Wiki Activity

mbedtls/polarssl: set "hostname" unconditionally

Browse Source 
...as otherwise the TLS libs will skip the CN/SAN check and just allow
connection to any server. curl previously skipped this function when SNI
wasn't used or when connecting to an IP address specified host.

CVE-2016-3739

Bug: https://curl.haxx.se/docs/adv_20160518A.html
Reported-by: Moti Avrahami
This commit is contained in:
Daniel Stenberg 2016-04-24 17:52:18 +02:00
parent 5db313985e
commit 6efd2fa529
2 changed files with 12 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
lib/vtls/mbedtls.c
View File

@ -391,13 +391,12 @@ mbed_connect_step1(struct connectdata *conn,
mbedtls_ssl_conf_own_cert(&connssl->config, mbedtls_ssl_conf_own_cert(&connssl->config,
&connssl->clicert, &connssl->pk); &connssl->clicert, &connssl->pk);
} }
if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) && if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
#ifdef ENABLE_IPV6 /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and*
!Curl_inet_pton(AF_INET6, conn->host.name, &addr) && the name to set in the SNI extension. So even if curl connects to a
#endif host specified as an IP address, this function must be used. */
sni && mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) { failf(data, "couldn't set hostname in mbedTLS");
infof(data, "WARNING: failed to configure " return CURLE_SSL_CONNECT_ERROR;
"server name indication (SNI) TLS extension\n");
} }
#ifdef HAS_ALPN #ifdef HAS_ALPN

13
lib/vtls/polarssl.c
View File

@ -354,13 +354,12 @@ polarssl_connect_step1(struct connectdata *conn,
ssl_set_own_cert_rsa(&connssl->ssl, ssl_set_own_cert_rsa(&connssl->ssl,
&connssl->clicert, &connssl->rsa); &connssl->clicert, &connssl->rsa);
if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) && if(ssl_set_hostname(&connssl->ssl, conn->host.name)) {
#ifdef ENABLE_IPV6 /* ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name
!Curl_inet_pton(AF_INET6, conn->host.name, &addr) && to set in the SNI extension. So even if curl connects to a host
#endif specified as an IP address, this function must be used. */
sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) { failf(data, "couldn't set hostname in PolarSSL");
infof(data, "WARNING: failed to configure " return CURLE_SSL_CONNECT_ERROR;
"server name indication (SNI) TLS extension\n");
} }
#ifdef HAS_ALPN #ifdef HAS_ALPN