gtls: respect *VERIFYHOST independently of *VERIFYPEER

Security flaw CVE-2013-6422 This is conceptually the same problem and fix that 3c3622b6 brought to the OpenSSL backend and that resulted in CVE-2013-4545. This version of the problem was independently introduced to the GnuTLS backend with commit 59cf93cc, present in the code since the libcurl 7.21.4 release. Advisory: http://curl.haxx.se/docs/adv_20131217.html Bug: http://curl.haxx.se/mail/lib-2013-11/0214.html Reported-by: Marc Deslauriers
2024-11-27 05:50:21 +08:00 · 2013-11-29 22:46:05 +01:00 · 2013-11-29 22:46:05 +01:00 · 1dc43de0dc
commit 1dc43de0dc
parent 8a8f9a5d57
1 changed files with 2 additions and 6 deletions
--- a/lib/gtls.c
+++ b/lib/gtls.c
@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@ -633,10 +633,8 @@ gtls_connect_step3(struct connectdata *conn,
    else
      infof(data, "\t server certificate verification OK\n");
  }
-  else {
+  else
    infof(data, "\t server certificate verification SKIPPED\n");
-    goto after_server_cert_verification;
-  }

  /* initialize an X.509 certificate structure. */
  gnutls_x509_crt_init(&x509_cert);
@ -766,8 +764,6 @@ gtls_connect_step3(struct connectdata *conn,

  gnutls_x509_crt_deinit(x509_cert);

-after_server_cert_verification:
-
  /* compression algorithm (if any) */
  ptr = gnutls_compression_get_name(gnutls_compression_get(session));
  /* the *_get_name() says "NULL" if GNUTLS_COMP_NULL is returned */