correctly check return value of X509_check_host
CVE-2020-7041 incorrect use of X509_check_host (regarding return value)
is fixed with this commit.

The flaw came in with #242 and prevented proper host name verification
when openssl >= 1.0.2 was in use since openfortivpn 1.7.0.
mrbaseman authored and adrienverge committed Feb 26, 2020
1 parent 07946c1 commit 60660e0
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion src/tunnel.c
@@ -666,7 +666,8 @@ static int ssl_verify_cert(struct tunnel *tunnel)

#ifdef HAVE_X509_CHECK_HOST
// Use OpenSSL native host validation if v >= 1.0.2.
if (X509_check_host(cert, common_name, FIELD_SIZE, 0, NULL))
// correctly check return value of X509_check_host
if (X509_check_host(cert, common_name, FIELD_SIZE, 0, NULL) == 1)
cert_valid = 1;
#else
// Use explicit Common Name check if native validation not available.
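Review bot: the change to `== 1` on the `X509_check_host` call is the right fix, because X509_check_host returns 1 only on a successful match, 0 on a failed match, -1 on an internal error and -2 on malformed input, so the previous truthy test treated the two negative error results as a verified host name and set `cert_valid = 1` for them. Two follow-ups for this hunk: the added comment `// correctly check return value of X509_check_host` just repeats the commit title, while a comment recording the return semantics (e.g. `// 1 = match; 0 = mismatch; <0 = OpenSSL error, treat as failure`) would tell the next reader why `== 1` rather than a truthy test is required; and since the negative results are now folded into the mismatch path, consider logging the error case separately so an OpenSSL internal error or malformed input is distinguishable from a genuine host name mismatch when a connection is refused.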
