author | Timo Teräs <timo.teras@iki.fi> | 2017-10-06 18:09:37 +0300 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2017-10-06 18:09:37 +0300 |
commit | 0d814ba35b5e26eb9a42ea7a52521eca44306479 (patch) | |
tree | 156234c1d4b8e369c32e2b7460c34da84ab1a940 | |
parent | eb8f44d629aca3a780f7feedfee11794f14082ad (diff) | |
libfetch: fix certificate host name check
OpenSSL allows passing zero-length to indicate "use strlen".
LibreSSL requires using the real length always, so pass the length.
-rw-r--r-- | libfetch/common.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libfetch/common.c b/libfetch/common.c
index 278c606..3bd8a53 100644
--- a/libfetch/common.c
+++ b/libfetch/common.c
@@ -541,7 +541,7 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
 if (getenv("SSL_NO_VERIFY_HOSTNAME") == NULL) {
 if (verbose)
 fetch_info("Verify hostname");
- if (X509_check_host(conn->ssl_cert, URL->host, 0,
+ if (X509_check_host(conn->ssl_cert, URL->host, strlen(URL->host),
 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
 NULL) != 1) {
 fprintf(stderr, "SSL certificate subject doesn't match host %s\n", |
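Review bot: The reason for passing `strlen(URL->host)` is recorded only in the commit message, so the call in fetch_ssl() reads as if the length could be simplified back to `0`. A short comment above the `X509_check_host` call would keep the hostname check from regressing on LibreSSL builds, for example `/* LibreSSL does not accept 0 as "use strlen"; always pass the real length */`. The branch treats every result other than 1 as a mismatch, which fails closed, but the message it prints cannot distinguish a genuine name mismatch from a negative error return of `X509_check_host`; separating the two would make a library difference like this one easier to diagnose. fetch_ssl's body starts and ends outside the hunk.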