authorJeremie Courreges-Anglas <jca@cvs.openbsd.org>2014-08-25 11:33:56 +0000
committerJeremie Courreges-Anglas <jca@cvs.openbsd.org>2014-08-25 11:33:56 +0000
commit4d45c0051e4e31f9ceeff5f965641d3bd3a41268 (patch)
treec28a5e38adfac7fe76eecda673891e8b50846357 /usr.bin/ftp
parent02813df82158ec37cbaffde8c38c10221f1139ac (diff)
When using a proxy for an https connection, validate the cert hostname
against the target hostname, not the proxy hostname. Issue reported by dlg@, fix by Alex Wilson on tech@, tweaks by me. No reply from tech@
Diffstat (limited to 'usr.bin/ftp')
-rw-r--r--usr.bin/ftp/fetch.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/usr.bin/ftp/fetch.c b/usr.bin/ftp/fetch.c
index e130895d5f7..60ae2a75491 100644
--- a/usr.bin/ftp/fetch.c
+++ b/usr.bin/ftp/fetch.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: fetch.c,v 1.127 2014/08/21 16:46:48 jca Exp $ */
+/* $OpenBSD: fetch.c,v 1.128 2014/08/25 11:33:55 jca Exp $ */
/* $NetBSD: fetch.c,v 1.14 1997/08/18 10:20:20 lukem Exp $ */
/*-
@@ -343,6 +343,10 @@ noslash:
}
path = newline;
+ } else if (ishttpsurl) {
+ sslhost = strdup(host);
+ if (sslhost == NULL)
+ errx(1, "Can't allocate memory for https path/host.");
}
if (isfileurl) {
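Review bot: The new `else if (ishttpsurl)` branch copies `host` before any port or IPv6-bracket handling that this hunk shows, so `sslhost` may still hold `name:port` or `[addr]` when it reaches the certificate name check. The parsing of `host` lies outside the hunk, so this needs confirming; if it applies, a URL with an explicit port would likely fail verification, and the copy should be taken after the port is split off (or the suffix stripped from `sslhost` the same way). Separately, the message `"Can't allocate memory for https path/host."` names a path this branch never allocates; `"Can't allocate memory for https host."` would be accurate. The enclosing function starts and ends outside the hunk.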
@@ -604,7 +608,7 @@ again:
ressl_error(ssl));
goto cleanup_url_get;
}
- if (ressl_connect_socket(ssl, s, host) != 0) {
+ if (ressl_connect_socket(ssl, s, sslhost) != 0) {
fprintf(ttyout, "SSL failure: %s\n", ressl_error(ssl));
goto cleanup_url_get;
}
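Review bot: The call `ressl_connect_socket(ssl, s, sslhost)` now depends on `sslhost` being set on every https path, but only the non-proxy assignment is part of this diff; the proxy-branch assignment is not visible here. A comment above the call would record the invariant, for example `/* sslhost is the origin host from the URL, never the proxy; the certificate must match it */`. How the library treats a NULL name is not shown, so a defensive `if (sslhost == NULL) goto cleanup_url_get;` (with a message to `ttyout`) before the call would keep a future code path that misses the assignment from reaching verification without a name. The enclosing block begins before the hunk.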
@@ -975,6 +979,7 @@ cleanup_url_get:
ressl_free(ssl);
}
free(full_host);
+ free(sslhost);
#endif /* !SMALL */
if (fin != NULL)
fclose(fin);