From owner-freebsd-ports@freebsd.org Sun Mar 11 23:09:35 2018
From: satanist+freebsd@bureaucracy.de
To: ports@FreeBSD.org
Subject: mail/cclient hostname verification broken
Date: Mon, 12 Mar 2018 00:09:32 +0100
Sender: Philipp Takacs
Message-Id: <6056b73caf6a48f9@notebook.bureaucracy.de>
List-Id: Porting software to FreeBSD

Hi

Since the last patch for mail/cclient the hostname verification is broken. I have attached a patch which should fix the problem. Can someone with a bit more OpenSSL experience look at it?

satanist

Attachment: patch-src_osdep_unix_ssl__unix.c (text/x-diff, quoted-printable encoded)

--- src/osdep/unix/ssl_unix.c.orig 2011-07-23 02:20:10.000000000 +0200 +++ src/osdep/unix/ssl_unix.c 2018-03-12 00:03:36.550613000 +0100 @@ -210,7 +210,7 @@ BIO *bio; X509 *cert; unsigned long sl,tl; - char *s,*t,*err,tmp[MAILTMPLEN]; + char *s,*t,*err,tmp[MAILTMPLEN], hostname[MAILTMPLEN]; sslcertificatequery_t scq =3D (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,N= IL); sslclientcert_t scc =3D 
@@ -270,9 +270,9 @@ (err =3D ssl_validate_cert (cert =3D SSL_get_peer_certificate (strea= m->con), host))) { /* application callback */ - if (scq) return (*scq) (err,host,cert ? cert->name : "???") ? NIL : ""= ; + if (scq) return (*scq) (err,host,cert ? X509_NAME_oneline (X509_get_su= bject_name(cert), NULL, 0) : "???") ? NIL : ""; /* error message to return via mm_log() */ - sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???"); + sprintf (tmp,"*%.128s: %.255s",err,cert ? X509_NAME_oneline (X509_get_= subject_name(cert), hostname, MAILTMPLEN) : "???"); return ssl_last_error =3D cpystr (tmp); } return NIL; @@ -316,15 +316,15 @@ static char *ssl_validate_cert (X509 *cert,char *host) { int i,n; - char *s,*t,*ret; + char *s,*t,*ret, hostname[MAILTMPLEN]; void *ext; GENERAL_NAME *name; /* make sure have a certificate */ if (!cert) ret =3D "No certificate from server"; /* and that it has a name */ - else if (!cert->name) ret =3D "No name in certificate"; + else if (!X509_NAME_oneline(X509_get_subject_name(cert), hostname, MAILT= MPLEN)) ret =3D "No name in certificate"; /* locate CN */ - else if (s =3D strstr (cert->name,"/CN=3D")) { + else if (s =3D strstr (hostname,"/CN=3D")) { if (t =3D strchr (s +=3D 4,'/')) *t =3D '\0'; /* host name matches pattern? */ ret =3D ssl_compare_hostnames (host,s) ? NIL :
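Review bot: In the first hunk (@@ -210,7 +210,7 @@) `hostname` is a misleading name for the new buffer: it receives the peer certificate's subject DN from X509_NAME_oneline(), while `host` in this function already is the expected hostname being verified; `subject` or `certname` would read better, and the same goes for the buffer added to ssl_validate_cert() further down. It also adds MAILTMPLEN bytes of stack to each function, which is worth a one-line comment since the buffer only exists because the X509 struct is opaque in OpenSSL 1.1 and `cert->name` is no longer reachable.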
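Review bot: The callback branch in the second hunk (@@ -270,9 +270,9 @@) leaks memory: X509_NAME_oneline() called with a NULL buffer allocates the string with OPENSSL_malloc() and the caller must OPENSSL_free() it, but here the pointer is passed straight to the scq callback and dropped. Use the `hostname` buffer this patch declares, exactly as the sprintf() branch already does: `cert ? X509_NAME_oneline (X509_get_subject_name(cert), hostname, MAILTMPLEN) : "???"`. In both branches X509_NAME_oneline() returns NULL on failure, and the result currently goes unchecked into a `%s` conversion or into the callback; store it in a local first and fall back to "???" when it is NULL.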
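Review bot: In the third hunk (@@ -316,15 +316,15 @@) the CN is still located by searching the X509_NAME_oneline() text for "/CN=" and cutting at the next '/', which is fragile: that legacy one-line format does not escape '/' inside attribute values, so an earlier attribute whose value happens to contain "/CN=" is matched first, and a CN that itself contains a slash is truncated before it reaches ssl_compare_hostnames(). The patch only preserves the pre-existing behaviour here, but since it touches every line of that path anyway, the robust fix is X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, hostname, MAILTMPLEN), or better still X509_check_host(cert, host, 0, 0, NULL) (OpenSSL 1.0.2 and later), which does the CN and subjectAltName comparison, including wildcard rules, inside OpenSSL. Note also that with a caller-supplied buffer X509_NAME_oneline() returns that buffer even for an empty subject, so the "No name in certificate" check no longer distinguishes a SAN-only certificate from one with a subject; that is harmless as long as the CN search then falls through to the subjectAltName check, but a comment saying so would help the next reader.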