Date: Mon, 12 Mar 2018 00:09:32 +0100 From: satanist+freebsd@bureaucracy.de To: ports@FreeBSD.org Subject: mail/cclient hostname verification broken Message-ID: <6056b73caf6a48f9@notebook.bureaucracy.de>
------- =_aaaaaaaaaa0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <47015.1520809771.1@localhost>

Hi

Since the last patch for mail/cclient the hostname verification is broken. I have attached a patch which should fix the problem. Can someone with a bit more OpenSSL experience look at it?

satanist

------- =_aaaaaaaaaa0
Content-Type: text/x-diff; charset="us-ascii"; name="patch-src_osdep_unix_ssl__unix.c"; charset="us-ascii"
Content-Description: patch-src_osdep_unix_ssl__unix.c
Content-Disposition: attachment; filename="patch-src_osdep_unix_ssl__unix.c"
Content-Transfer-Encoding: quoted-printable

--- src/osdep/unix/ssl_unix.c.orig 2011-07-23 02:20:10.000000000 +0200
+++ src/osdep/unix/ssl_unix.c 2018-03-12 00:03:36.550613000 +0100
@@ -210,7 +210,7 @@
BIO *bio;
X509 *cert;
unsigned long sl,tl;
- char *s,*t,*err,tmp[MAILTMPLEN];
+ char *s,*t,*err,tmp[MAILTMPLEN], hostname[MAILTMPLEN];
sslcertificatequery_t scq =3D (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,N= IL);
sslclientcert_t scc =3D
@@ -270,9 +270,9 @@
(err =3D ssl_validate_cert (cert =3D SSL_get_peer_certificate (strea= m->con), host))) {
/* application callback */
- if (scq) return (*scq) (err,host,cert ? cert->name : "???") ? NIL : ""= ;
+ if (scq) return (*scq) (err,host,cert ? X509_NAME_oneline (X509_get_su= bject_name(cert), NULL, 0) : "???") ? NIL : "";
/* error message to return via mm_log() */
- sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
+ sprintf (tmp,"*%.128s: %.255s",err,cert ? X509_NAME_oneline (X509_get_= subject_name(cert), hostname, MAILTMPLEN) : "???");
return ssl_last_error =3D cpystr (tmp);
}
return NIL;
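Review bot: The callback line in the second hunk passes a NULL buffer to X509_NAME_oneline, which makes OpenSSL allocate the rendered subject with OPENSSL_malloc, and the pointer is never freed, so every certificate-query callback leaks it. The `hostname` buffer added in the first hunk is already sized for this, so using it the way the sprintf line does removes the leak: `if (scq) return (*scq) (err,host,cert ? X509_NAME_oneline (X509_get_subject_name(cert), hostname, MAILTMPLEN) : "???") ? NIL : "";`. X509_NAME_oneline can also return NULL, which neither the callback argument nor the `%.255s` in the sprintf line guards against, so testing the rendered string rather than only `cert` before handing it on would be safer. The buffer holds the full subject DN rather than a host name, so `subject[MAILTMPLEN]` would be a clearer name, and the enclosing function starts outside the hunk.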
@@ -316,15 +316,15 @@
static char *ssl_validate_cert (X509 *cert,char *host) {
int i,n;
- char *s,*t,*ret;
+ char *s,*t,*ret, hostname[MAILTMPLEN];
void *ext;
GENERAL_NAME *name;
/* make sure have a certificate */
if (!cert) ret =3D "No certificate from server";
/* and that it has a name */
- else if (!cert->name) ret =3D "No name in certificate";
+ else if (!X509_NAME_oneline(X509_get_subject_name(cert), hostname, MAILT= MPLEN)) ret =3D "No name in certificate";
/* locate CN */
- else if (s =3D strstr (cert->name,"/CN=3D")) {
+ else if (s =3D strstr (hostname,"/CN=3D")) {
if (t =3D strchr (s +=3D 4,'/')) *t =3D '\0';
/* host name matches pattern? */
ret =3D ssl_compare_hostnames (host,s) ? NIL :
------- =_aaaaaaaaaa0--
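Review bot: Matching the CN against the X509_NAME_oneline rendering in `hostname` compares the host against a display string rather than the parsed subject: the value is cut at the first '/' on the `strchr (s += 4,'/')` line, non-printable bytes come back escaped, and a subject longer than MAILTMPLEN is silently truncated, so the `strstr (hostname,"/CN=")` lookup can fail on a certificate that is actually valid. Reading the CN directly with X509_NAME_get_index_by_NID(..., NID_commonName, -1) plus X509_NAME_get_entry and X509_NAME_ENTRY_get_data, or handing the whole comparison to X509_check_host where OpenSSL 1.0.2 or later is available, avoids depending on the rendering format. Since the buffer holds the whole subject DN, `subject[MAILTMPLEN]` would describe it better than `hostname`. Editing the local copy instead of `cert->name` in place is an improvement over the old code, and the SAN handling of ssl_validate_cert continues below the hunk.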