author | Dan McNulty <dmcnulty@pingidentity.com> | 2016-09-09 16:56:02 -0500 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2016-12-19 07:53:20 +0100 |
commit | 0354eed41085baa5ba8777019ebf5e9ef32c001d (patch) | |
tree | ae58964e7809171b0323c7481038049225347008 /lib/hostcheck.c | |
parent | 3ab3c16db6a5674f53cf23d56512a405fde0b2c9 (diff) | |
download | curl-0354eed41085baa5ba8777019ebf5e9ef32c001d.tar.gz |
schannel: fix wildcard cert name validation on Win CE

Fixes a few issues in manual wildcard cert name validation in
schannel support code for Win32 CE:

- when comparing the wildcard name to the hostname, the wildcard
  character was removed from the cert name and the hostname
  was checked to see if it ended with the modified cert name.
  This allowed cert names like *.com to match the connection
  hostname. This violates recommendations from RFC 6125.
- when the wildcard name in the certificate is longer than the
  connection hostname, a buffer overread of the connection
  hostname buffer would occur during the comparison of the
  certificate name and the connection hostname.

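
The two problems the commit message describes, as an added example that is not code from curl or from this commit: `suffix_match` reconstructs the described "strip the `*` and compare the tail" logic, and `strict_match` is a simplified stricter matcher. Both function names and all sample hostnames are constructed for illustration; IP literals and internationalized names are out of scope.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated strings. */
static int ieq(const char *a, const char *b)
{
  for(; *a && *b; a++, b++)
    if(tolower((unsigned char)*a) != tolower((unsigned char)*b))
      return 0;
  return *a == *b;
}

/* Flawed logic as described: drop the '*' and test whether the hostname
   ends with what is left. The length check is added for this demo only, so
   that it never computes a pointer before the start of host. */
int suffix_match(const char *pattern, const char *host)
{
  size_t tl, hl;
  if(pattern[0] != '*')
    return ieq(pattern, host);
  tl = strlen(pattern + 1);
  hl = strlen(host);
  if(tl > hl)
    return 0; /* without this, host + hl - tl lies outside the buffer */
  return ieq(host + hl - tl, pattern + 1);
}

/* Stricter check: '*' must be the whole left-most label, the rest of the
   pattern must contain a dot, and '*' covers exactly one host label. */
int strict_match(const char *pattern, const char *host)
{
  const char *hdot;
  if(strncmp(pattern, "*.", 2) != 0)
    return ieq(pattern, host);     /* no wildcard: exact match only */
  if(!strchr(pattern + 2, '.'))
    return 0;                      /* "*.com" is too broad */
  hdot = strchr(host, '.');
  if(!hdot || hdot == host)
    return 0;                      /* first host label must be non-empty */
  return ieq(pattern + 1, hdot);   /* compare everything after label one */
}

int main(void)
{
  printf("*.com vs example.com: suffix=%d strict=%d\n",
         suffix_match("*.com", "example.com"),
         strict_match("*.com", "example.com"));
  return 0;
}
```
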
Diffstat (limited to 'lib/hostcheck.c')
-rw-r--r-- | lib/hostcheck.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/lib/hostcheck.c b/lib/hostcheck.c index f545254f3..cbd089360 100644 --- a/lib/hostcheck.c +++ b/lib/hostcheck.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -22,7 +22,10 @@ #include "curl_setup.h" -#if defined(USE_OPENSSL) || defined(USE_AXTLS) || defined(USE_GSKIT) +#if defined(USE_OPENSSL) \ + || defined(USE_AXTLS) \ + || defined(USE_GSKIT) \ + || (defined(USE_SCHANNEL) && defined(_WIN32_WCE)) /* these backends use functions from this file */ #ifdef HAVE_NETINET_IN_H @@ -144,4 +147,4 @@ int Curl_cert_hostcheck(const char *match_pattern, const char *hostname) return res; } -#endif /* OPENSSL or AXTLS or GSKIT */ +#endif /* OPENSSL, AXTLS, GSKIT or schannel+wince */ |
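Review bot: in the `@@ -22,7 +22,10 @@` hunk, the widened guard only helps if the Win CE schannel code calls Curl_cert_hostcheck under the same `defined(USE_SCHANNEL) && defined(_WIN32_WCE)` condition, and that caller is outside this view, which is limited to lib/hostcheck.c. Please confirm the two conditions match, and that any guard around the function's declaration is widened the same way, so the Win CE build neither fails to link nor keeps using the old suffix comparison. The comment `/* these backends use functions from this file */` could name the schannel-on-WinCE case the way the new `#endif` comment does. Nothing visible here adds a test for the two cases in the commit message, a `*.com` pattern and a pattern longer than the hostname; both are worth a unit test against Curl_cert_hostcheck.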