authorEduardo Chappa <chappa@washington.edu>2019-10-08 21:05:08 -0600
committerEduardo Chappa <chappa@washington.edu>2019-10-08 21:05:08 -0600
commitfe5ffafc188fe02e8a8c11dad1b8747f0ac17ff2 (patch)
tree2b0d84bdda5d48e958bb9db5a1f7c3102e0f5d16
parent87e4a6a156eeeda45f686d05aaccda546703f308 (diff)
downloadalpine-fe5ffafc188fe02e8a8c11dad1b8747f0ac17ff2.tar.xz
* Compilation problem and error in logic in function ssl_validate_cert.
The issue with the logic was that, of the two validation checks, if the first one was not done, the second one would not be done either. The intention was to do the second check if the first check failed. Reported by Erich Ecknet.
-rw-r--r--imap/src/osdep/nt/ssl_nt.c14
-rw-r--r--imap/src/osdep/unix/ssl_unix.c16
-rw-r--r--pith/pine.hlp2
3 files changed, 24 insertions, 8 deletions
diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c
index 3b0118d..d39fdf0 100644
--- a/imap/src/osdep/nt/ssl_nt.c
+++ b/imap/src/osdep/nt/ssl_nt.c
@@ -501,7 +501,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
static char *ssl_validate_cert (X509 *cert,char *host)
{
- int i,j,n;
+ int i,j,n, m = 0;;
char *s=NULL,*t,*ret = NIL;
void *ext;
GENERAL_NAME *name;
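Review bot: The new declaration `int i,j,n, m = 0;;` carries a stray second semicolon, which compiles as an empty statement and differs from the otherwise identical line in ssl_unix.c; write it as `int i,j,n, m = 0;`. A short comment on what `m` records would also help, since it is only read as a flag in the Method 2 guard later in the function: `int i,j,n, m = 0; /* nonzero once Method 1 has found a CN to compare */`. ssl_validate_cert continues past this hunk.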
@@ -511,9 +511,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
/* make sure have a certificate */
if (!cert) return "No certificate from server";
/* Method 1: locate CN */
+#ifndef OPENSSL_1_1_0
if (cert->name == NIL)
ret = "No name in certificate";
else if ((s = strstr (cert->name,"/CN=")) != NIL) {
+ m++; /* count that we tried this method */
if (t = strchr (s += 4,'/')) *t = '\0';
/* host name matches pattern? */
ret = ssl_compare_hostnames (host,s) ? NIL :
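Review bot: The comment on `m++; /* count that we tried this method */` overstates what `m` records: it is incremented only inside the `else if ((s = strstr (cert->name,"/CN=")) != NIL)` branch, so when `cert->name` is NIL or has no `/CN=` Method 1 was attempted but `m` stays 0. Given the later guard `m == 0 || ret != NIL`, that appears to be the intended behaviour, but the comment should say so: `m++; /* Method 1 found a CN; Method 2 runs only if it mismatches */`. The same line and comment appear in the corresponding ssl_unix.c hunk. The enclosing `else if` block continues outside this hunk.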
@@ -528,8 +530,10 @@ static char *ssl_validate_cert (X509 *cert,char *host)
(name->type = GEN_DNS) && (s = name->d.ia5->data) &&
ssl_compare_hostnames (host,s)) ret = NIL;
}
+#endif /* OPENSSL_1_1_0 */
/* Method 2, use Cname */
- if(ret != NIL){
+ if(m == 0 || ret != NIL){
+ cname = X509_get_subject_name(cert);
for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
if((e = X509_NAME_get_entry(cname, j)) != NULL){
X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
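Review bot: The context line `(name->type = GEN_DNS) && (s = name->d.ia5->data) &&` uses assignment where a comparison is meant, so every subjectAltName entry is overwritten as GEN_DNS and its `d.ia5` member is read even for entries of another type (IP address, otherName, ...), whose union member is not an IA5 string; this predates the commit, but it sits on the new side here and in the ssl_unix.c hunk with the same header, and the fix is `(name->type == GEN_DNS) && (s = name->d.ia5->data) &&`. Separately, the new `#endif /* OPENSSL_1_1_0 */` closes a region that opened before `if (cert->name == NIL)`, so on OPENSSL_1_1_0 builds the subjectAltName walk is compiled out together with the `cert->name` access; unless the Method 2 loop (partly outside this hunk) also examines subjectAltName, a certificate that carries the host name only in a SAN entry would fail validation there, which is worth confirming. Since `s` is then handed to `ssl_compare_hostnames` as a C string, an IA5 value containing an embedded NUL would be silently truncated; checking `strlen(s)` against `ASN1_STRING_length(name->d.ia5)` before the comparison closes that gap. ssl_validate_cert starts and ends outside this hunk.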
@@ -552,7 +556,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
}
}
- if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert)))
+ if (ret == NIL
+#ifndef OPENSSL_1_1_0
+ && !cert->name
+#endif /* OPENSSL_1_1_9 */
+ && !X509_get_subject_name(cert))
ret = "No name in certificate";
if (ret == NIL && s == NIL)
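Review bot: The closing comment `#endif /* OPENSSL_1_1_9 */` names a macro that does not exist; the `#ifndef` it closes two lines above is `OPENSSL_1_1_0`, and the ssl_unix.c counterpart already reads `#endif /* OPENSSL_1_1_0 */`. Keeping the two files' comments identical avoids a misleading cue the next time the conditional regions are compared. ssl_validate_cert continues past this hunk.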
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 0033e55..24f91e1 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -504,7 +504,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
static char *ssl_validate_cert (X509 *cert,char *host)
{
- int i,j,n;
+ int i,j,n, m = 0;
char *s=NULL,*t,*ret = NIL;
void *ext;
GENERAL_NAME *name;
@@ -514,9 +514,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
/* make sure have a certificate */
if (!cert) return "No certificate from server";
/* Method 1: locate CN */
+#ifndef OPENSSL_1_1_0
if (cert->name == NIL)
ret = "No name in certificate";
else if ((s = strstr (cert->name,"/CN=")) != NIL) {
+ m++; /* count that we tried this method */
if (t = strchr (s += 4,'/')) *t = '\0';
/* host name matches pattern? */
ret = ssl_compare_hostnames (host,s) ? NIL :
@@ -531,8 +533,10 @@ static char *ssl_validate_cert (X509 *cert,char *host)
(name->type = GEN_DNS) && (s = name->d.ia5->data) &&
ssl_compare_hostnames (host,s)) ret = NIL;
}
- /* Method 2, use Cname */
- if(ret != NIL){
+#endif /* OPENSSL_1_1_0 */
+ /* Method 2, use cname */
+ if(m == 0 || ret != NIL){
+ cname = X509_get_subject_name(cert);
for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
if((e = X509_NAME_get_entry(cname, j)) != NULL){
X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
@@ -555,7 +559,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
}
}
- if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert)))
+ if (ret == NIL
+#ifndef OPENSSL_1_1_0
+ && !cert->name
+#endif /* OPENSSL_1_1_0 */
+ && !X509_get_subject_name(cert))
ret = "No name in certificate";
if (ret == NIL && s == NIL)
diff --git a/pith/pine.hlp b/pith/pine.hlp
index d52ab90..5219650 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
@@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any
reasonable place to be called from.
Dummy change to get revision in pine.hlp
============= h_revision =================
-Alpine Commit 372 2019-10-06 13:43:04
+Alpine Commit 373 2019-10-08 21:05:01
============= h_news =================
<HTML>
<HEAD>