From: Daniel Stenberg Date: Fri, 29 Nov 2013 21:46:05 +0000 (+0100) Subject: gtls: respect *VERIFYHOST independently of *VERIFYPEER X-Git-Tag: curl-7_34_0~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1dc43de0dccc2ea7da6dddb7b98f8d7dcf323914;p=thirdparty%2Fcurl.git gtls: respect *VERIFYHOST independently of *VERIFYPEER Security flaw CVE-2013-6422 This is conceptually the same problem and fix that 3c3622b6 brought to the OpenSSL backend and that resulted in CVE-2013-4545. This version of the problem was independently introduced to the GnuTLS backend with commit 59cf93cc, present in the code since the libcurl 7.21.4 release. Advisory: http://curl.haxx.se/docs/adv_20131217.html Bug: http://curl.haxx.se/mail/lib-2013-11/0214.html Reported-by: Marc Deslauriers --- diff --git a/lib/gtls.c b/lib/gtls.c index 700e46a9da..b64dfa61c3 100644 --- a/lib/gtls.c +++ b/lib/gtls.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2013, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -633,10 +633,8 @@ gtls_connect_step3(struct connectdata *conn, else infof(data, "\t server certificate verification OK\n"); } - else { + else infof(data, "\t server certificate verification SKIPPED\n"); - goto after_server_cert_verification; - } /* initialize an X.509 certificate structure. */ gnutls_x509_crt_init(&x509_cert); @@ -766,8 +764,6 @@ gtls_connect_step3(struct connectdata *conn, gnutls_x509_crt_deinit(x509_cert); -after_server_cert_verification: - /* compression algorithm (if any) */ ptr = gnutls_compression_get_name(gnutls_compression_get(session)); /* the *_get_name() says "NULL" if GNUTLS_COMP_NULL is returned */
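Review bot: in the gtls_connect_step3 hunk (@@ -633,10 +633,8 @@), removing `goto after_server_cert_verification;` is the entire fix: with the jump gone, the SKIPPED branch falls through to `gnutls_x509_crt_init(&x509_cert);` exactly as the OK branch does, so the certificate parsing and host-name check that follow now run whether or not peer verification was performed, which is what makes *VERIFYHOST independent of *VERIFYPEER as the commit message states. Two things worth confirming before merging: that nothing between this point and the `gnutls_x509_crt_deinit` depends on state that is only established on the verification path, since that code is now reached with verification off for the first time since 59cf93cc; and that a regression test covers the combination the advisory describes (peer verification disabled, host verification enabled, certificate name not matching the requested host) so the skipped-check behaviour cannot silently return. Minor style point: the brace-less `else infof(...)` is correct, but keeping the braces would make any later addition to that branch less error-prone, given that this is the second time a `goto` in this spot has caused a CVE.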
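Review bot: deleting the `after_server_cert_verification:` label in the second gtls_connect_step3 hunk (@@ -766,8 +764,6 @@) is the necessary companion to dropping the `goto` earlier in the function; left in place it would be an unreferenced label and most compilers would warn about it. Nothing else changes here: the `gnutls_x509_crt_deinit(x509_cert);` just above it still runs on both paths, which is consistent now that `x509_cert` is initialised on both paths as well, so no init/deinit imbalance is introduced.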