* Check for name of server in "server validation code" in more places.

* Document request message for first time use reports IMAP for any remote connection. Report the correct type of service instead.
author: Eduardo Chappa <chappa@washington.edu> 2019-10-06 13:52:15 -0600
committer: Eduardo Chappa <chappa@washington.edu> 2019-10-06 13:52:15 -0600
commit: 87e4a6a156eeeda45f686d05aaccda546703f308 (patch)
tree: 78e59749edd4653d27affcc9fcee0456ce77de8d
parent: 9abfe45e6f2a2d37886b2979cef788621ab2b033 (diff)
download: alpine-87e4a6a156eeeda45f686d05aaccda546703f308.tar.xz
4 files changed, 96 insertions, 43 deletions
diff --git a/alpine/send.c b/alpine/send.c
index 41dff03..f41bb75 100644
--- a/alpine/send.c
+++ b/alpine/send.c
@@ -5556,6 +5556,7 @@ phone_home(char *addr)
     char       tmp[MAX_ADDRESS], revision[128];
     ENVELOPE  *outgoing;
     BODY      *body;
+    NETMBX     mb;
 
     outgoing = mail_newenvelope();
     if(!addr || !strindex(addr, '@')){
@@ -5583,8 +5584,12 @@ phone_home(char *addr)
 	if(ps_global->first_time_user)
 	  so_puts((STORE_S *)body->contents.text.data, " for New Users");
 
-	if(ps_global->VAR_INBOX_PATH && ps_global->VAR_INBOX_PATH[0] == '{')
-	  so_puts((STORE_S *)body->contents.text.data, " and IMAP");
+	if(ps_global->VAR_INBOX_PATH
+	   && ps_global->VAR_INBOX_PATH[0] == '{'
+	   && mail_valid_net_parse(ps_global->VAR_INBOX_PATH, &mb)){
+	   so_puts((STORE_S *)body->contents.text.data, " and ");
+	   so_puts((STORE_S *)body->contents.text.data, *mb.service ? mb.service : "UNKNOWN SERVICE");
+	}
 
 	if(ps_global->VAR_NNTP_SERVER && ps_global->VAR_NNTP_SERVER[0]
 	      && ps_global->VAR_NNTP_SERVER[0][0])
diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c
index 6aeb3c5..3b0118d 100644
--- a/imap/src/osdep/nt/ssl_nt.c
+++ b/imap/src/osdep/nt/ssl_nt.c
@@ -501,39 +501,63 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
 
 static char *ssl_validate_cert (X509 *cert,char *host)
 {
-  int i,n;
-  char *s=NULL,*t,*ret;
+  int i,j,n;
+  char *s=NULL,*t,*ret = NIL;
   void *ext;
   GENERAL_NAME *name;
   X509_NAME *cname;
   X509_NAME_ENTRY *e;
   char    buf[256];
 				/* make sure have a certificate */
-  if (!cert) ret = "No certificate from server";
-				/* and that it has a name */
-  else if (!(cname = X509_get_subject_name(cert))) ret = "No name in certificate";
-				/* locate CN */
-  else{
-     if((e = X509_NAME_get_entry(cname, X509_NAME_entry_count(cname)-1)) != NULL){
-       X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
-       s = (char *) buf;
-     }
-     else s = NULL;
-  }
-  if (s != NULL) {
+  if (!cert) return "No certificate from server";
+				/* Method 1: locate CN */
+  if (cert->name == NIL)
+     ret = "No name in certificate";
+  else if ((s = strstr (cert->name,"/CN=")) != NIL) {
+     if (t = strchr (s += 4,'/')) *t = '\0';
 				/* host name matches pattern? */
-    ret = ssl_compare_hostnames (host,s) ? NIL :
+     ret = ssl_compare_hostnames (host,s) ? NIL :
       "Server name does not match certificate";
+     if (t) *t = '/';		/* restore smashed delimiter */
 				/* if mismatch, see if in extensions */
-    if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
+     if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
 	(n = sk_GENERAL_NAME_num (ext)))
-      /* older versions of OpenSSL use "ia5" instead of dNSName */
-      for (i = 0; ret && (i < n); i++)
-	if ((name = sk_GENERAL_NAME_value (ext,i)) &&
+       /* older versions of OpenSSL use "ia5" instead of dNSName */
+       for (i = 0; ret && (i < n); i++)
+	 if ((name = sk_GENERAL_NAME_value (ext,i)) &&
 	    (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
 	    ssl_compare_hostnames (host,s)) ret = NIL;
   }
-  else ret = "Unable to locate common name in certificate";
+				/* Method 2, use Cname */
+  if(ret != NIL){
+     for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
+        if((e = X509_NAME_get_entry(cname, j)) != NULL){
+           X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
+           s = (char *) buf;
+        }
+        else s = NIL;
+        if (s != NIL) {
+				/* host name matches pattern? */
+	   ret = ssl_compare_hostnames (host,s) ? NIL :
+		 "Server name does not match certificate";
+				/* if mismatch, see if in extensions */
+	   if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
+		(n = sk_GENERAL_NAME_num (ext)))
+	           /* older versions of OpenSSL use "ia5" instead of dNSName */
+	      for (i = 0; ret && (i < n); i++)
+		  if ((name = sk_GENERAL_NAME_value (ext,i)) &&
+		     (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
+		     ssl_compare_hostnames (host,s)) ret = NIL;
+        }
+     }
+  }
+
+  if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert)))
+	ret = "No name in certificate";
+
+  if (ret == NIL && s == NIL) 
+	ret = "Unable to locate common name in certificate";
+
   return ret;
 }
 
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 78b6c83..0033e55 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -504,39 +504,63 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
 
 static char *ssl_validate_cert (X509 *cert,char *host)
 {
-  int i,n;
-  char *s=NULL,*t,*ret;
+  int i,j,n;
+  char *s=NULL,*t,*ret = NIL;
   void *ext;
   GENERAL_NAME *name;
   X509_NAME *cname;
   X509_NAME_ENTRY *e;
   char    buf[256];
 				/* make sure have a certificate */
-  if (!cert) ret = "No certificate from server";
-				/* and that it has a name */
-  else if (!(cname = X509_get_subject_name(cert))) ret = "No name in certificate";
-				/* locate CN */
-  else{
-     if((e = X509_NAME_get_entry(cname, X509_NAME_entry_count(cname)-1)) != NULL){
-       X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
-       s = (char *) buf;
-     }
-     else s = NULL;
-  }
-  if (s != NULL) {
+  if (!cert) return "No certificate from server";
+				/* Method 1: locate CN */
+  if (cert->name == NIL)
+     ret = "No name in certificate";
+  else if ((s = strstr (cert->name,"/CN=")) != NIL) {
+     if (t = strchr (s += 4,'/')) *t = '\0';
 				/* host name matches pattern? */
-    ret = ssl_compare_hostnames (host,s) ? NIL :
+     ret = ssl_compare_hostnames (host,s) ? NIL :
       "Server name does not match certificate";
+     if (t) *t = '/';		/* restore smashed delimiter */
 				/* if mismatch, see if in extensions */
-    if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
+     if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
 	(n = sk_GENERAL_NAME_num (ext)))
-      /* older versions of OpenSSL use "ia5" instead of dNSName */
-      for (i = 0; ret && (i < n); i++)
-	if ((name = sk_GENERAL_NAME_value (ext,i)) &&
+       /* older versions of OpenSSL use "ia5" instead of dNSName */
+       for (i = 0; ret && (i < n); i++)
+	 if ((name = sk_GENERAL_NAME_value (ext,i)) &&
 	    (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
 	    ssl_compare_hostnames (host,s)) ret = NIL;
   }
-  else ret = "Unable to locate common name in certificate";
+				/* Method 2, use Cname */
+  if(ret != NIL){
+     for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
+        if((e = X509_NAME_get_entry(cname, j)) != NULL){
+           X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
+           s = (char *) buf;
+        }
+        else s = NIL;
+        if (s != NIL) {
+				/* host name matches pattern? */
+	   ret = ssl_compare_hostnames (host,s) ? NIL :
+		 "Server name does not match certificate";
+				/* if mismatch, see if in extensions */
+	   if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
+		(n = sk_GENERAL_NAME_num (ext)))
+	           /* older versions of OpenSSL use "ia5" instead of dNSName */
+	      for (i = 0; ret && (i < n); i++)
+		  if ((name = sk_GENERAL_NAME_value (ext,i)) &&
+		     (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
+		     ssl_compare_hostnames (host,s)) ret = NIL;
+        }
+     }
+  }
+
+  if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert)))
+	ret = "No name in certificate";
+
+  if (ret == NIL && s == NIL) 
+	ret = "Unable to locate common name in certificate";
+
   return ret;
 }
 
diff --git a/pith/pine.hlp b/pith/pine.hlp
index 86e9ac8..d52ab90 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
@@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any
 reasonable place to be called from.
 Dummy change to get revision in pine.hlp
 ============= h_revision =================
-Alpine Commit 371 2019-10-03 00:47:58
+Alpine Commit 372 2019-10-06 13:43:04
 ============= h_news =================
 <HTML>
 <HEAD>
author	Eduardo Chappa <chappa@washington.edu>	2019-10-06 13:52:15 -0600
committer	Eduardo Chappa <chappa@washington.edu>	2019-10-06 13:52:15 -0600
commit	87e4a6a156eeeda45f686d05aaccda546703f308 (patch)
tree	78e59749edd4653d27affcc9fcee0456ce77de8d
parent	9abfe45e6f2a2d37886b2979cef788621ab2b033 (diff)
download	alpine-87e4a6a156eeeda45f686d05aaccda546703f308.tar.xz