When using a proxy for an https connection, validate the cert hostname
authorjca <jca@openbsd.org>
Mon, 25 Aug 2014 11:33:55 +0000 (11:33 +0000)
committerjca <jca@openbsd.org>
Mon, 25 Aug 2014 11:33:55 +0000 (11:33 +0000)
against the target hostname, not the proxy hostname.  Issue reported by
dlg@, fix by Alex Wilson on tech@, tweaks by me.
No reply from tech@

usr.bin/ftp/fetch.c

index e130895..60ae2a7 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: fetch.c,v 1.127 2014/08/21 16:46:48 jca Exp $ */
+/*     $OpenBSD: fetch.c,v 1.128 2014/08/25 11:33:55 jca Exp $ */
 /*     $NetBSD: fetch.c,v 1.14 1997/08/18 10:20:20 lukem Exp $ */
 
 /*-
@@ -343,6 +343,10 @@ noslash:
                }
 
                path = newline;
+       } else if (ishttpsurl) {
+               sslhost = strdup(host);
+               if (sslhost == NULL)
+                       errx(1, "Can't allocate memory for https path/host.");
        }
 
        if (isfileurl) {
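Review bot: The copy `sslhost = strdup(host)` in the new `else if (ishttpsurl)` branch is taken early in URL parsing, and the hunk does not show whether `host` has already been reduced to a bare name at that point. If a `:port` suffix or IPv6 brackets are stripped from `host` only later (outside this hunk), the string handed to certificate verification would not match the certificate's name, so this should be confirmed or the copy moved to after that parsing. The error text says "https path/host" although only the host is allocated in this branch; `errx(1, "Can't allocate memory for https host.");` would be more accurate. A short comment such as `/* name the server certificate must match; never the proxy's */` above the assignment would record why a separate copy exists. The enclosing function starts and ends outside the hunk.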
@@ -604,7 +608,7 @@ again:
                            ressl_error(ssl));
                        goto cleanup_url_get;
                }
-               if (ressl_connect_socket(ssl, s, host) != 0) {
+               if (ressl_connect_socket(ssl, s, sslhost) != 0) {
                        fprintf(ttyout, "SSL failure: %s\n", ressl_error(ssl));
                        goto cleanup_url_get;
                }
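Review bot: `ressl_connect_socket(ssl, s, sslhost)` now depends on `sslhost` having been set on every https path, but the visible hunks assign it only in the non-proxy branch; the proxy-branch assignment is not shown. If any path can reach this call with `sslhost == NULL`, what the library does with a null server name is not visible here, so an explicit guard before the call would make a missing name fail closed, e.g. `if (sslhost == NULL) { fprintf(ttyout, "SSL failure: no hostname to verify\n"); goto cleanup_url_get; }`. The surrounding block begins and ends outside the hunk.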
@@ -975,6 +979,7 @@ cleanup_url_get:
                ressl_free(ssl);
        }
        free(full_host);
+       free(sslhost);
 #endif /* !SMALL */
        if (fin != NULL)
                fclose(fin);