From: Seonah Moon <seonah1.moon@samsung.com>
Date: Wed, 22 Jun 2016 05:23:07 +0000 (+0900)
Subject: [CVE-2016-3739] TLS certificate check bypass with mbedTLS/PolarSSL
X-Git-Tag: accepted/tizen/common/20160627.191214~1
X-Git-Url: http://review.tizen.org/git/?p=platform%2Fupstream%2Fcurl.git;a=commitdiff_plain;h=c29f34764b3b0526ccb4a44d450f829d8f80372e

[CVE-2016-3739] TLS certificate check bypass with mbedTLS/PolarSSL

Change-Id: I76d120f5c9e696ecd402a2099b94759cc22a51e2
Signed-off-by: Seonah Moon <seonah1.moon@samsung.com>
---

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index f0900a5..8050958 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -392,13 +392,12 @@ mbedtls_connect_step1(struct connectdata *conn,
     mbedtls_ssl_conf_own_cert(&connssl->config,
                               &connssl->clicert, &connssl->pk);
   }
-  if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
-#ifdef ENABLE_IPV6
-     !Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
-#endif
-     sni && mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
-    infof(data, "WARNING: failed to configure "
-          "server name indication (SNI) TLS extension\n");
+  if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
+    /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and*
+       the name to set in the SNI extension. So even if curl connects to a
+       host specified as an IP address, this function must be used. */
+    failf(data, "couldn't set hostname in mbedTLS");
+    return CURLE_SSL_CONNECT_ERROR;
   }
 
 #ifdef HAS_ALPN
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index fcce60f..aff15f2 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 2012 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2012 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
  * Copyright (C) 2010 - 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com>
  *
  * This software is licensed as described in the file COPYING, which
@@ -344,13 +344,12 @@ polarssl_connect_step1(struct connectdata *conn,
   ssl_set_own_cert_rsa(&connssl->ssl,
                        &connssl->clicert, &connssl->rsa);
 
-  if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
-#ifdef ENABLE_IPV6
-     !Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
-#endif
-     sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) {
-     infof(data, "WARNING: failed to configure "
-                 "server name indication (SNI) TLS extension\n");
+  if(ssl_set_hostname(&connssl->ssl, conn->host.name)) {
+    /* ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name
+       to set in the SNI extension. So even if curl connects to a host
+       specified as an IP address, this function must be used. */
+    failf(data, "couldn't set hostname in PolarSSL");
+    return CURLE_SSL_CONNECT_ERROR;
   }
 
 #ifdef HAS_ALPN