1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2417
5 @@ -1028,7 +1028,7 @@ static CURLcode verifyhost(struct connec
6 if(check->type == target) {
7 /* get data and length */
8 const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
10 + size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
13 case GEN_DNS: /* name/pattern comparison */
14 @@ -1042,14 +1042,16 @@ static CURLcode verifyhost(struct connec
15 "I checked the 0.9.6 and 0.9.8 sources before my patch and
16 it always 0-terminates an IA5String."
18 - if (cert_hostcheck(altptr, conn->host.name))
19 + if((altlen == strlen(altptr)) &&
20 + /* if this isn't true, there was an embedded zero in the name
21 + string and we cannot match it. */
22 + cert_hostcheck(altptr, conn->host.name))
26 case GEN_IPADD: /* IP address comparison */
27 /* compare alternative IP address if the data chunk is the same size
28 our server IP address is */
29 - altlen = ASN1_STRING_length(check->d.ia5);
30 if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
33 @@ -1089,18 +1091,27 @@ static CURLcode verifyhost(struct connec
34 string manually to avoid the problem. This code can be made
35 conditional in the future when OpenSSL has been fixed. Work-around
36 brought by Alexis S. L. Carvalho. */
37 - if (tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
38 - j = ASN1_STRING_length(tmp);
40 - peer_CN = OPENSSL_malloc(j+1);
42 - memcpy(peer_CN, ASN1_STRING_data(tmp), j);
45 + if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
46 + j = ASN1_STRING_length(tmp);
48 + peer_CN = OPENSSL_malloc(j+1);
50 + memcpy(peer_CN, ASN1_STRING_data(tmp), j);
55 + else /* not a UTF8 name */
56 + j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
58 + if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
59 + /* there was a terminating zero before the end of string, this
60 + cannot match and we return failure! */
61 + failf(data, "SSL: illegal cert name field");
62 + res = CURLE_SSL_PEER_CERTIFICATE;
65 - else /* not a UTF8 name */
66 - j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
69 if (peer_CN == nulstr)
70 @@ -1118,7 +1129,10 @@ static CURLcode verifyhost(struct connec
72 #endif /* CURL_DOES_CONVERSIONS */
76 + /* error already detected, pass through */
80 "SSL: unable to obtain common name from peer certificate");
81 return CURLE_PEER_FAILED_VERIFICATION;