You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

81 lines
3.4 KiB

  1. From c3f68d987c00284d91ad6599a013b7111662545b Mon Sep 17 00:00:00 2001
  2. From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
  3. Date: Fri, 2 Sep 2016 21:33:33 +0000
  4. Subject: [PATCH] uw-imap: compile against openssl 1.1.0
  5. I *think* I replaced access to cert->name with certificate's subject name. I
  6. assume that the re-aranged C-code is doing the same thing. A double check
  7. wouldn't hurt :)
  8. Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
  9. ---
  10. src/osdep/unix/ssl_unix.c | 28 +++++++++++++++++-----------
  11. 1 file changed, 17 insertions(+), 11 deletions(-)
  12. --- a/src/osdep/unix/ssl_unix.c
  13. +++ b/src/osdep/unix/ssl_unix.c
  14. @@ -59,7 +59,7 @@ typedef struct ssl_stream {
  15. static SSLSTREAM *ssl_start(TCPSTREAM *tstream,char *host,unsigned long flags);
  16. static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags);
  17. static int ssl_open_verify (int ok,X509_STORE_CTX *ctx);
  18. -static char *ssl_validate_cert (X509 *cert,char *host);
  19. +static char *ssl_validate_cert (X509 *cert,char *host, char *cert_subj);
  20. static long ssl_compare_hostnames (unsigned char *s,unsigned char *pat);
  21. static char *ssl_getline_work (SSLSTREAM *stream,unsigned long *size,
  22. long *contd);
  23. @@ -210,6 +210,7 @@ static char *ssl_start_work (SSLSTREAM *
  24. BIO *bio;
  25. X509 *cert;
  26. unsigned long sl,tl;
  27. + char cert_subj[250];
  28. char *s,*t,*err,tmp[MAILTMPLEN];
  29. sslcertificatequery_t scq =
  30. (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL);
  31. @@ -266,14 +267,19 @@ static char *ssl_start_work (SSLSTREAM *
  32. if (SSL_write (stream->con,"",0) < 0)
  33. return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
  34. /* need to validate host names? */
  35. - if (!(flags & NET_NOVALIDATECERT) &&
  36. - (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con),
  37. - host))) {
  38. - /* application callback */
  39. - if (scq) return (*scq) (err,host,cert ? cert->name : "???") ? NIL : "";
  40. + if (!(flags & NET_NOVALIDATECERT)) {
  41. +
  42. + cert_subj[0] = '\0';
  43. + cert = SSL_get_peer_certificate(stream->con);
  44. + if (cert)
  45. + X509_NAME_oneline(X509_get_subject_name(cert), cert_subj, sizeof(cert_subj));
  46. + err = ssl_validate_cert (cert, host, cert_subj);
  47. + if (err)
  48. + /* application callback */
  49. + if (scq) return (*scq) (err,host,cert ? cert_subj : "???") ? NIL : "";
  50. /* error message to return via mm_log() */
  51. - sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
  52. - return ssl_last_error = cpystr (tmp);
  53. + sprintf (tmp,"*%.128s: %.255s",err,cert ? cert_subj : "???");
  54. + return ssl_last_error = cpystr (tmp);
  55. }
  56. return NIL;
  57. }
  58. @@ -313,7 +319,7 @@ static int ssl_open_verify (int ok,X509_
  59. * Returns: NIL if validated, else string of error message
  60. */
  61. -static char *ssl_validate_cert (X509 *cert,char *host)
  62. +static char *ssl_validate_cert (X509 *cert,char *host, char *cert_subj)
  63. {
  64. int i,n;
  65. char *s,*t,*ret;
  66. @@ -322,9 +328,9 @@ static char *ssl_validate_cert (X509 *ce
  67. /* make sure have a certificate */
  68. if (!cert) ret = "No certificate from server";
  69. /* and that it has a name */
  70. - else if (!cert->name) ret = "No name in certificate";
  71. + else if (cert_subj[0] == '\0') ret = "No name in certificate";
  72. /* locate CN */
  73. - else if (s = strstr (cert->name,"/CN=")) {
  74. + else if (s = strstr (cert_subj,"/CN=")) {
  75. if (t = strchr (s += 4,'/')) *t = '\0';
  76. /* host name matches pattern? */
  77. ret = ssl_compare_hostnames (host,s) ? NIL :