diff --git a/CHANGELOG.md b/CHANGELOG.md
index dba1346c..838c5e5e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,17 @@ All notable changes to this project will be documented in this file.
+## Unreleased
+
+### Security
+
+- websocket: fix an issue where the wrong hostname was validated in connections
+ made after looking up DNS TXT records, resulting in a potential
+ MITM. A CVE has been issued with the id [CVE-2022-24968].
+
+[CVE-2022-24968]: https://mellium.im/cve/cve-2022-24968/
+
+
 ## v0.21.0 — 2022-02-08
 ### Breaking
diff --git a/websocket/ws.go b/websocket/ws.go
index c032c5f1..57c0df30 100644
--- a/websocket/ws.go
+++ b/websocket/ws.go
@@ -61,7 +61,7 @@ func NewClient(ctx context.Context, origin, location string, addr jid.JID, rwc i
 d := Dialer{
 Origin: origin,
 }
- cfg, err := d.config(location)
+ cfg, err := d.config(addr.Domain().String(), location)
 if err != nil {
 return nil, err
 }
@@ -190,7 +190,7 @@ func (d *Dialer) Dial(ctx context.Context, addr jid.JID) (net.Conn, error) {
 if !d.InsecureNoTLS && strings.HasPrefix(u, "ws:") {
 continue
 }
- cfg, err = d.config(u)
+ cfg, err = d.config(addr.Domain().String(), u)
 if err != nil {
 continue
 }
@@ -209,14 +209,14 @@ func (d *Dialer) Dial(ctx context.Context, addr jid.JID) (net.Conn, error) {
 // implementation.
 // This may change in the future.
 func (d *Dialer) DialDirect(_ context.Context, addr string) (net.Conn, error) {
- cfg, err := d.config(addr)
+ cfg, err := d.config(addr, addr)
 if err != nil {
 return nil, err
 }
 return websocket.DialConfig(cfg)
 }
-func (d *Dialer) config(addr string) (cfg *websocket.Config, err error) {
+func (d *Dialer) config(remoteAddr, addr string) (cfg *websocket.Config, err error) {
 cfg, err = websocket.NewConfig(addr, d.Origin)
 if err != nil {
 return nil, err
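Review bot: In DialDirect, `cfg, err := d.config(addr, addr)` passes the same string as both arguments, but `addr` is the endpoint URL (the next hunk line hands it to websocket.NewConfig as the server URL) while the new first parameter becomes the TLS ServerName in the following hunk, so a direct `wss://` dial without a caller-supplied TLSConfig would verify the certificate against a URL string rather than a hostname, which no certificate will match; the old `cfg.Location.Host` was the right value for the direct case. Derive the name from the URL before calling config, e.g. `u, err := url.Parse(addr)`, the usual error check, then `cfg, err := d.config(u.Hostname(), addr)` (net/url would need to be in the import block, which is outside this hunk). Now that the two parameters of config differ in kind they deserve a doc comment, something like `// config builds the websocket config for the endpoint URL addr; remoteAddr is the hostname the TLS certificate is verified against and must be the name the caller resolved, never the host taken from addr.` config's body continues past the end of the hunk.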
@@ -225,7 +225,7 @@ func (d *Dialer) config(addr string) (cfg *websocket.Config, err error) {
 cfg.TlsConfig = d.TLSConfig
 if cfg.TlsConfig == nil {
 cfg.TlsConfig = &tls.Config{
- ServerName: cfg.Location.Host,
+ ServerName: remoteAddr,
 MinVersion: tls.VersionTLS12,
 }
 }
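Review bot: `ServerName: remoteAddr` only takes effect on the branch where d.TLSConfig is nil; a caller-supplied TLSConfig whose ServerName is left empty is passed through untouched, and the underlying dialer will presumably fill the name from the URL host at handshake time, which is the TXT-record-derived value this commit stops trusting, so that configuration is still exposed to the mismatch described in the changelog. Fill the name when the caller left it empty, cloning first so the caller's config is not mutated; config's signature and the rest of its body are outside this hunk.
```go
	// … unchanged: nil-TLSConfig branch building the default tls.Config …
	} else if cfg.TlsConfig.ServerName == "" {
		// Verify the name derived from the JID, never the URL host; clone so the
		// caller's config is not modified behind their back.
		cfg.TlsConfig = cfg.TlsConfig.Clone()
		cfg.TlsConfig.ServerName = remoteAddr
	}
```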