1 From 71c9842a710787145ff31603f100e4269dd676c1 Mon Sep 17 00:00:00 2001 |
|
2 From: Daniel Stenberg <[email protected]> |
|
3 Date: Fri, 29 Nov 2013 22:46:05 +0100 |
|
4 Subject: [PATCH] gtls: respect *VERIFYHOST independently of *VERIFYPEER |
|
5 |
|
6 This is basically the same fix that 3c3622b6 brought to the OpenSSL |
|
7 backend and that resulted in CVE-2013-4545. |
|
8 |
|
9 This version of the problem was independently introduced to the GnuTLS |
|
10 backend with commit 59cf93cc, present in the code since the libcurl |
|
11 7.21.4 release. |
|
12 |
|
13 Bug: http://curl.haxx.se/mail/lib-2013-11/0214.html |
|
14 Reported-by: Marc Deslauriers |
|
15 --- |
|
16 lib/gtls.c | 8 ++------ |
|
17 1 file changed, 2 insertions(+), 6 deletions(-) |
|
18 |
|
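--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -5,7 +5,7 @@
  * | (__| |_| | _ <| |___
  * \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <[email protected]>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <[email protected]>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -609,10 +609,8 @@
 else
 infof(data, "\t server certificate verification OK\n");
 }
-else {
+else
 infof(data, "\t server certificate verification SKIPPED\n");
-goto after_server_cert_verification;
-}
 
 /* initialize an X.509 certificate structure. */
 gnutls_x509_crt_init(&x509_cert);
@@ -742,8 +740,6 @@
 
 gnutls_x509_crt_deinit(x509_cert);
 
-after_server_cert_verification:
-
 /* compression algorithm (if any) */
 ptr = gnutls_compression_get_name(gnutls_compression_get(session));
 /* the *_get_name() says "NULL" if GNUTLS_COMP_NULL is returned */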
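Review bot: The fall-through that replaces the removed `goto` in the second hunk (old lines 612-614) is what makes the SKIPPED path reach the X.509 parsing and hostname check further down, yet nothing in the new `else` branch says so, and a later tidy-up of that branch could reintroduce the early exit and with it the CVE-2013-4545-class bypass. Add a comment after the `infof` in the new `else`, e.g. `/* deliberately no early exit: the hostname check below must still run when peer verification is disabled, so VERIFYHOST is honoured independently of VERIFYPEER */`. With the label gone in the third hunk there is no other marker at that point that the skipped-verification path is expected to continue. Whether the code between the two hunks copes with a server that presented no usable certificate on the now-reachable path cannot be seen from this patch; presumably it is checked earlier, but worth confirming. The enclosing function starts before the second hunk and continues past the third.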