aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2016-04-24 17:52:18 +0200
committerDaniel Stenberg <daniel@haxx.se>2016-05-17 14:48:17 +0200
commit6efd2fa529a189bf41736a610f6184cd8ad94b4d (patch)
tree2172e87706b045a5e8d9ea412c6bce9b2b33f86a
parent5db313985e502e82a3eed03396ee600b726d60c2 (diff)
mbedtls/polarssl: set "hostname" unconditionally
...as otherwise the TLS libs will skip the CN/SAN check and just allow connection to any server. curl previously skipped this function when SNI wasn't used or when connecting to an IP address specified host. CVE-2016-3739 Bug: https://curl.haxx.se/docs/adv_20160518A.html Reported-by: Moti Avrahami
-rw-r--r--lib/vtls/mbedtls.c13
-rw-r--r--lib/vtls/polarssl.c13
2 files changed, 12 insertions, 14 deletions
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index f0048ef49..6fc7214ac 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -391,13 +391,12 @@ mbed_connect_step1(struct connectdata *conn,
mbedtls_ssl_conf_own_cert(&connssl->config,
&connssl->clicert, &connssl->pk);
}
- if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
-#ifdef ENABLE_IPV6
- !Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
-#endif
- sni && mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
- infof(data, "WARNING: failed to configure "
- "server name indication (SNI) TLS extension\n");
+ if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
+ /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and*
+ the name to set in the SNI extension. So even if curl connects to a
+ host specified as an IP address, this function must be used. */
+ failf(data, "couldn't set hostname in mbedTLS");
+ return CURLE_SSL_CONNECT_ERROR;
}
#ifdef HAS_ALPN
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index aa4da3f6a..0e8b0f500 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -354,13 +354,12 @@ polarssl_connect_step1(struct connectdata *conn,
ssl_set_own_cert_rsa(&connssl->ssl,
&connssl->clicert, &connssl->rsa);
- if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
-#ifdef ENABLE_IPV6
- !Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
-#endif
- sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) {
- infof(data, "WARNING: failed to configure "
- "server name indication (SNI) TLS extension\n");
+ if(ssl_set_hostname(&connssl->ssl, conn->host.name)) {
+ /* ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name
+ to set in the SNI extension. So even if curl connects to a host
+ specified as an IP address, this function must be used. */
+ failf(data, "couldn't set hostname in PolarSSL");
+ return CURLE_SSL_CONNECT_ERROR;
}
#ifdef HAS_ALPN