Commit 6efd2fa5 authored by Daniel Stenberg

mbedtls/polarssl: set "hostname" unconditionally

...as otherwise the TLS libs will skip the CN/SAN check and just allow
connection to any server. curl previously skipped this function when SNI
wasn't used or when connecting to an IP address specified host.

CVE-2016-3739

Bug: https://curl.haxx.se/docs/adv_20160518A.html
Reported-by: Moti Avrahami
parent 5db31398
+6 −7
@@ -391,13 +391,12 @@ mbed_connect_step1(struct connectdata *conn,
    mbedtls_ssl_conf_own_cert(&connssl->config,
    mbedtls_ssl_conf_own_cert(&connssl->config,
                              &connssl->clicert, &connssl->pk);
                              &connssl->clicert, &connssl->pk);
  }
  }
  if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
  if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
#ifdef ENABLE_IPV6
    /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and*
     !Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
       the name to set in the SNI extension. So even if curl connects to a
#endif
       host specified as an IP address, this function must be used. */
     sni && mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
    failf(data, "couldn't set hostname in mbedTLS");
    infof(data, "WARNING: failed to configure "
    return CURLE_SSL_CONNECT_ERROR;
          "server name indication (SNI) TLS extension\n");
  }
  }


#ifdef HAS_ALPN
#ifdef HAS_ALPN
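Review bot: The new comment inside the `if(mbedtls_ssl_set_hostname(...))` block says the call "must be used" but not what breaks if someone makes it conditional again; per the commit message, without it the TLS library skips the CN/SAN check and allows connection to any server. I would add a line such as `/* Do not guard this call: with no hostname set, the certificate name is not verified (CVE-2016-3739). */` so the reason survives later refactoring. The comment would also sit better above the `if` than between the condition and `failf()`, where it reads as if it described the error path. The same applies to the `ssl_set_hostname()` comment in the polarssl_connect_step1 hunk. mbed_connect_step1's body starts and ends outside this hunk.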
+6 −7
@@ -354,13 +354,12 @@ polarssl_connect_step1(struct connectdata *conn,
  ssl_set_own_cert_rsa(&connssl->ssl,
  ssl_set_own_cert_rsa(&connssl->ssl,
                       &connssl->clicert, &connssl->rsa);
                       &connssl->clicert, &connssl->rsa);


  if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
  if(ssl_set_hostname(&connssl->ssl, conn->host.name)) {
#ifdef ENABLE_IPV6
    /* ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name
     !Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
       to set in the SNI extension. So even if curl connects to a host
#endif
       specified as an IP address, this function must be used. */
     sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) {
    failf(data, "couldn't set hostname in PolarSSL");
     infof(data, "WARNING: failed to configure "
    return CURLE_SSL_CONNECT_ERROR;
                 "server name indication (SNI) TLS extension\n");
  }
  }


#ifdef HAS_ALPN
#ifdef HAS_ALPN
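Review bot: After this change the condition in polarssl_connect_step1 no longer reads `sni` or `addr`, so both locals look dead unless code outside the hunk still uses them (their declarations are not visible here). If nothing else reads them, drop the declarations and whatever assigns `sni`; otherwise builds with unused-variable or set-but-unused warnings enabled will complain, and a reader may assume the hostname call is still optional. The mbed_connect_step1 hunk leaves the same two names behind.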