diff options
| author | Seonah Moon <seonah1.moon@samsung.com> | 2016-06-22 14:23:07 +0900 |
|---|---|---|
| committer | Seonah Moon <seonah1.moon@samsung.com> | 2016-06-22 14:23:19 +0900 |
| commit | c29f34764b3b0526ccb4a44d450f829d8f80372e (patch) | |
| tree | d1efc06354a37603e3cba4fd88db69905ae48ef9 | |
| parent | 0be6abcfa9907d66495e75d33667479a62639bd9 (diff) | |
| download | curl-c29f34764b3b0526ccb4a44d450f829d8f80372e.tar.gz curl-c29f34764b3b0526ccb4a44d450f829d8f80372e.tar.bz2 curl-c29f34764b3b0526ccb4a44d450f829d8f80372e.zip | |
[CVE-2016-3739] TLS certificate check bypass with mbedTLS/PolarSSL
Change-Id: I76d120f5c9e696ecd402a2099b94759cc22a51e2
Signed-off-by: Seonah Moon <seonah1.moon@samsung.com>
| -rw-r--r-- | lib/vtls/mbedtls.c | 13 | ||||
| -rw-r--r-- | lib/vtls/polarssl.c | 15 |
2 files changed, 13 insertions, 15 deletions
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index f0900a5af..805095865 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -392,13 +392,12 @@ mbedtls_connect_step1(struct connectdata *conn, mbedtls_ssl_conf_own_cert(&connssl->config, &connssl->clicert, &connssl->pk); } - if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) && -#ifdef ENABLE_IPV6 - !Curl_inet_pton(AF_INET6, conn->host.name, &addr) && -#endif - sni && mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) { - infof(data, "WARNING: failed to configure " - "server name indication (SNI) TLS extension\n"); + if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) { + /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and* + the name to set in the SNI extension. So even if curl connects to a + host specified as an IP address, this function must be used. */ + failf(data, "couldn't set hostname in mbedTLS"); + return CURLE_SSL_CONNECT_ERROR; } #ifdef HAS_ALPN diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c index fcce60f05..aff15f2f7 100644 --- a/lib/vtls/polarssl.c +++ b/lib/vtls/polarssl.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2012 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 2012 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 2010 - 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com> * * This software is licensed as described in the file COPYING, which @@ -344,13 +344,12 @@ polarssl_connect_step1(struct connectdata *conn, ssl_set_own_cert_rsa(&connssl->ssl, &connssl->clicert, &connssl->rsa); - if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) && -#ifdef ENABLE_IPV6 - !Curl_inet_pton(AF_INET6, conn->host.name, &addr) && -#endif - sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) { - infof(data, "WARNING: failed to configure " - "server name indication (SNI) TLS extension\n"); + if(ssl_set_hostname(&connssl->ssl, conn->host.name)) { + /* ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name + to set in the SNI extension. So even if curl connects to a host + specified as an IP address, this function must be used. */ + failf(data, "couldn't set hostname in PolarSSL"); + return CURLE_SSL_CONNECT_ERROR; } #ifdef HAS_ALPN |