From c3f68d987c00284d91ad6599a013b7111662545b Mon Sep 17 00:00:00 2001 From: Sebastian Andrzej Siewior Date: Fri, 2 Sep 2016 21:33:33 +0000 Subject: [PATCH] uw-imap: compile against openssl 1.1.0 I *think* I replaced access to cert->name with certificate's subject name. I assume that the re-aranged C-code is doing the same thing. A double check wouldn't hurt :) Signed-off-by: Sebastian Andrzej Siewior --- src/osdep/unix/ssl_unix.c | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/src/osdep/unix/ssl_unix.c b/src/osdep/unix/ssl_unix.c index 3bfdff3..836e9fa 100644 --- a/src/osdep/unix/ssl_unix.c +++ b/src/osdep/unix/ssl_unix.c @@ -59,7 +59,7 @@ typedef struct ssl_stream { static SSLSTREAM *ssl_start(TCPSTREAM *tstream,char *host,unsigned long flags); static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags); static int ssl_open_verify (int ok,X509_STORE_CTX *ctx); -static char *ssl_validate_cert (X509 *cert,char *host); +static char *ssl_validate_cert (X509 *cert,char *host, char *cert_subj); static long ssl_compare_hostnames (unsigned char *s,unsigned char *pat); static char *ssl_getline_work (SSLSTREAM *stream,unsigned long *size, long *contd); @@ -210,6 +210,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags) BIO *bio; X509 *cert; unsigned long sl,tl; + char cert_subj[250]; char *s,*t,*err,tmp[MAILTMPLEN]; sslcertificatequery_t scq = (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL); @@ -266,14 +267,19 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags) if (SSL_write (stream->con,"",0) < 0) return ssl_last_error ? ssl_last_error : "SSL negotiation failed"; /* need to validate host names? */ - if (!(flags & NET_NOVALIDATECERT) && - (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con), - host))) { - /* application callback */ - if (scq) return (*scq) (err,host,cert ? cert->name : "???") ? NIL : ""; + if (!(flags & NET_NOVALIDATECERT)) { + + cert_subj[0] = '\0'; + cert = SSL_get_peer_certificate(stream->con); + if (cert) + X509_NAME_oneline(X509_get_subject_name(cert), cert_subj, sizeof(cert_subj)); + err = ssl_validate_cert (cert, host, cert_subj); + if (err) + /* application callback */ + if (scq) return (*scq) (err,host,cert ? cert_subj : "???") ? NIL : ""; /* error message to return via mm_log() */ - sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???"); - return ssl_last_error = cpystr (tmp); + sprintf (tmp,"*%.128s: %.255s",err,cert ? cert_subj : "???"); + return ssl_last_error = cpystr (tmp); } return NIL; } @@ -313,7 +319,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx) * Returns: NIL if validated, else string of error message */ -static char *ssl_validate_cert (X509 *cert,char *host) +static char *ssl_validate_cert (X509 *cert,char *host, char *cert_subj) { int i,n; char *s,*t,*ret; @@ -322,9 +328,9 @@ static char *ssl_validate_cert (X509 *cert,char *host) /* make sure have a certificate */ if (!cert) ret = "No certificate from server"; /* and that it has a name */ - else if (!cert->name) ret = "No name in certificate"; + else if (cert_subj[0] == '\0') ret = "No name in certificate"; /* locate CN */ - else if (s = strstr (cert->name,"/CN=")) { + else if (s = strstr (cert_subj,"/CN=")) { if (t = strchr (s += 4,'/')) *t = '\0'; /* host name matches pattern? */ ret = ssl_compare_hostnames (host,s) ? NIL : -- 2.9.3