Date: Sun, 8 Mar 2020 00:48:45 +0000 (UTC) From: Thomas Zander <riggs@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r527991 - in head/mail/cclient: . files Message-ID: <202003080048.0280mjZw067944@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: riggs Date: Sun Mar 8 00:48:45 2020 New Revision: 527991 URL: https://svnweb.freebsd.org/changeset/ports/527991 Log: Fix hostname verification PR: 226621 Submitted by: satanist+freebsd@bureaucracy.de Reviewed by: brnrd Modified: head/mail/cclient/Makefile head/mail/cclient/files/patch-src_osdep_unix_ssl__unix.c Modified: head/mail/cclient/Makefile ============================================================================== --- head/mail/cclient/Makefile Sat Mar 7 22:55:10 2020 (r527990) +++ head/mail/cclient/Makefile Sun Mar 8 00:48:45 2020 (r527991) @@ -3,7 +3,7 @@ PORTNAME= cclient PORTVERSION= 2007f -PORTREVISION= 3 +PORTREVISION= 4 PORTEPOCH= 1 CATEGORIES= mail devel MASTER_SITES= ftp://ftp.cac.washington.edu/imap/%SUBDIR%/ \ Modified: head/mail/cclient/files/patch-src_osdep_unix_ssl__unix.c ============================================================================== --- head/mail/cclient/files/patch-src_osdep_unix_ssl__unix.c Sat Mar 7 22:55:10 2020 (r527990) +++ head/mail/cclient/files/patch-src_osdep_unix_ssl__unix.c Sun Mar 8 00:48:45 2020 (r527991) @@ -1,26 +1,59 @@ ---- src/osdep/unix/ssl_unix.c.orig 2011-07-23 00:20:10 UTC +Description: Support OpenSSL 1.1 + When building with OpenSSL 1.1 and newer, use the new built-in + hostname verification instead of code that doesn't compile due to + structs having been made opaque. +Bug-Debian: https://bugs.debian.org/828589 + +Obtained from: https://sources.debian.org/data/main/u/uw-imap/8:2007f~dfsg-5/debian/patches/1006_openssl1.1_autoverify.patch +--- src/osdep/unix/ssl_unix.c.orig +++ src/osdep/unix/ssl_unix.c -@@ -270,9 +270,9 @@ static char *ssl_start_work (SSLSTREAM * +@@ -227,8 +227,16 @@ static char *ssl_start_work (SSLSTREAM * + /* disable certificate validation? */ + if (flags & NET_NOVALIDATECERT) + SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL); +- else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify); ++ else { ++#if OPENSSL_VERSION_NUMBER >= 0x10100000 ++ X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context); ++ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); ++ X509_VERIFY_PARAM_set1_host(param, host, 0); ++#endif ++ ++ SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify); + /* set default paths to CAs... */ ++ } + SSL_CTX_set_default_verify_paths (stream->context); + /* ...unless a non-standard path desired */ + if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL)) +@@ -266,6 +274,7 @@ static char *ssl_start_work (SSLSTREAM * + if (SSL_write (stream->con,"",0) < 0) + return ssl_last_error ? ssl_last_error : "SSL negotiation failed"; + /* need to validate host names? */ ++#if OPENSSL_VERSION_NUMBER < 0x10100000 + if (!(flags & NET_NOVALIDATECERT) && (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con), host))) { - /* application callback */ -- if (scq) return (*scq) (err,host,cert ? cert->name : "???") ? NIL : ""; -+ if (scq) return (*scq) (err,host,cert ? X509_get_subject_name(cert) : "???") ? NIL : ""; - /* error message to return via mm_log() */ -- sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???"); -+ sprintf (tmp,"*%.128s: %.255s",err,cert ? X509_get_subject_name(cert) : "???"); +@@ -275,6 +284,7 @@ static char *ssl_start_work (SSLSTREAM * + sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???"); return ssl_last_error = cpystr (tmp); } ++#endif return NIL; -@@ -322,9 +322,9 @@ static char *ssl_validate_cert (X509 *ce - /* make sure have a certificate */ - if (!cert) ret = "No certificate from server"; - /* and that it has a name */ -- else if (!cert->name) ret = "No name in certificate"; -+ else if (!X509_get_subject_name(cert)) ret = "No name in certificate"; - /* locate CN */ -- else if (s = strstr (cert->name,"/CN=")) { -+ else if (s = strstr (X509_get_subject_name(cert),"/CN=")) { - if (t = strchr (s += 4,'/')) *t = '\0'; - /* host name matches pattern? */ - ret = ssl_compare_hostnames (host,s) ? NIL : + } + +@@ -313,6 +323,7 @@ static int ssl_open_verify (int ok,X509_ + * Returns: NIL if validated, else string of error message + */ + ++#if OPENSSL_VERSION_NUMBER < 0x10100000 + static char *ssl_validate_cert (X509 *cert,char *host) + { + int i,n; +@@ -342,6 +353,7 @@ static char *ssl_validate_cert (X509 *ce + else ret = "Unable to locate common name in certificate"; + return ret; + } ++#endif + + /* Case-independent wildcard pattern match + * Accepts: base string
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202003080048.0280mjZw067944>