diff --git a/src/sql_jsc/postgres/PostgresSQLConnection.rs b/src/sql_jsc/postgres/PostgresSQLConnection.rs
index 7bbb6586b1..1ea24564a0 100644
--- a/src/sql_jsc/postgres/PostgresSQLConnection.rs
+++ b/src/sql_jsc/postgres/PostgresSQLConnection.rs
@@ -876,22 +876,24 @@ impl PostgresSQLConnection {
return;
}
- // SAFETY: native handle of a connected TLS socket is `SSL*`.
- let ssl_ptr: *mut BoringSSL::c::SSL = self
- .socket
- .get()
- .get_native_handle()
- .map_or(core::ptr::null_mut(), |p| p.cast());
- if let Some(servername) =
- unsafe { BoringSSL::c::SSL_get_servername(ssl_ptr, 0).as_ref() }
- {
- // SAFETY: SSL_get_servername returns a NUL-terminated C string.
- let hostname = unsafe {
- bun_core::ffi::cstr(
- std::ptr::from_ref(servername).cast::<core::ffi::c_char>(),
- )
+ if self.ssl_mode == SSLMode::VerifyFull {
+ let servername = self.tls_config.server_name();
+ if servername.is_null() {
+ let Ok(v) = verify_error_to_js(&ssl_error, self.global()) else {
+ return;
+ };
+ self.fail_with_js_value(v);
+ return;
}
- .to_bytes();
+
+ // SAFETY: native handle of a connected TLS socket is `SSL*`.
+ let ssl_ptr: *mut BoringSSL::c::SSL = self
+ .socket
+ .get()
+ .get_native_handle()
+ .map_or(core::ptr::null_mut(), |p| p.cast());
+ // SAFETY: `servername` is a NUL-terminated C string owned by `tls_config`.
+ let hostname = unsafe { bun_core::ffi::cstr(servername) }.to_bytes();
// SAFETY: `ssl_ptr` is the live SSL* of a connected TLS socket.
if !BoringSSL::check_server_identity(unsafe { &mut *ssl_ptr }, hostname)
{