From dde23187f24fbf8d3cf1e477f34a8ea75543b6be Mon Sep 17 00:00:00 2001 From: jca Date: Mon, 25 Aug 2014 11:33:55 +0000 Subject: [PATCH] When using a proxy for an https connection, validate the cert hostname against the target hostname, not the proxy hostname. Issue reported by dlg@, fix by Alex Wilson on tech@, tweaks by me. No reply from tech@ --- usr.bin/ftp/fetch.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/usr.bin/ftp/fetch.c b/usr.bin/ftp/fetch.c index e130895d5f7..60ae2a75491 100644 --- a/usr.bin/ftp/fetch.c +++ b/usr.bin/ftp/fetch.c @@ -1,4 +1,4 @@ -/* $OpenBSD: fetch.c,v 1.127 2014/08/21 16:46:48 jca Exp $ */ +/* $OpenBSD: fetch.c,v 1.128 2014/08/25 11:33:55 jca Exp $ */ /* $NetBSD: fetch.c,v 1.14 1997/08/18 10:20:20 lukem Exp $ */ /*- @@ -343,6 +343,10 @@ noslash: } path = newline; + } else if (ishttpsurl) { + sslhost = strdup(host); + if (sslhost == NULL) + errx(1, "Can't allocate memory for https path/host."); } if (isfileurl) { @@ -604,7 +608,7 @@ again: ressl_error(ssl)); goto cleanup_url_get; } - if (ressl_connect_socket(ssl, s, host) != 0) { + if (ressl_connect_socket(ssl, s, sslhost) != 0) { fprintf(ttyout, "SSL failure: %s\n", ressl_error(ssl)); goto cleanup_url_get; } @@ -975,6 +979,7 @@ cleanup_url_get: ressl_free(ssl); } free(full_host); + free(sslhost); #endif /* !SMALL */ if (fin != NULL) fclose(fin); -- 2.20.1