authorEduardo Chappa <chappa@washington.edu>2019-10-06 13:52:15 -0600
committerEduardo Chappa <chappa@washington.edu>2019-10-06 13:52:15 -0600
commit87e4a6a156eeeda45f686d05aaccda546703f308 (patch)
tree78e59749edd4653d27affcc9fcee0456ce77de8d
parent9abfe45e6f2a2d37886b2979cef788621ab2b033 (diff)
downloadalpine-87e4a6a156eeeda45f686d05aaccda546703f308.tar.xz
* Check for name of server in "server validation code" in more places.
* Document request message for first time use reports IMAP for any remote connection. Report the correct type of service instead.
-rw-r--r--alpine/send.c9
-rw-r--r--imap/src/osdep/nt/ssl_nt.c64
-rw-r--r--imap/src/osdep/unix/ssl_unix.c64
-rw-r--r--pith/pine.hlp2
4 files changed, 96 insertions, 43 deletions
diff --git a/alpine/send.c b/alpine/send.c
index 41dff033..f41bb75b 100644
--- a/alpine/send.c
+++ b/alpine/send.c
@@ -5556,6 +5556,7 @@ phone_home(char *addr)
char tmp[MAX_ADDRESS], revision[128];
ENVELOPE *outgoing;
BODY *body;
+ NETMBX mb;
outgoing = mail_newenvelope();
if(!addr || !strindex(addr, '@')){
@@ -5583,8 +5584,12 @@ phone_home(char *addr)
if(ps_global->first_time_user)
so_puts((STORE_S *)body->contents.text.data, " for New Users");
- if(ps_global->VAR_INBOX_PATH && ps_global->VAR_INBOX_PATH[0] == '{')
- so_puts((STORE_S *)body->contents.text.data, " and IMAP");
+ if(ps_global->VAR_INBOX_PATH
+ && ps_global->VAR_INBOX_PATH[0] == '{'
+ && mail_valid_net_parse(ps_global->VAR_INBOX_PATH, &mb)){
+ so_puts((STORE_S *)body->contents.text.data, " and ");
+ so_puts((STORE_S *)body->contents.text.data, *mb.service ? mb.service : "UNKNOWN SERVICE");
+ }
if(ps_global->VAR_NNTP_SERVER && ps_global->VAR_NNTP_SERVER[0]
&& ps_global->VAR_NNTP_SERVER[0][0])
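Review bot: The report now says nothing about the remote service when `mail_valid_net_parse` rejects a `{`-prefixed inbox path, where the removed lines still emitted ` and IMAP`; if that case should still be reported, an `else so_puts((STORE_S *)body->contents.text.data, " and UNKNOWN SERVICE");` on the new `if` keeps the old coverage without guessing the protocol. `mb.service` is written out exactly as the parser fills it in, so if that routine normalises the service name to lower case the message reads ` and imap` where it used to read ` and IMAP` — worth confirming against mail_valid_net_parse before relying on the wording in reports. phone_home's body continues outside the hunk.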
diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c
index 6aeb3c5d..3b0118db 100644
--- a/imap/src/osdep/nt/ssl_nt.c
+++ b/imap/src/osdep/nt/ssl_nt.c
@@ -501,39 +501,63 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
static char *ssl_validate_cert (X509 *cert,char *host)
{
- int i,n;
- char *s=NULL,*t,*ret;
+ int i,j,n;
+ char *s=NULL,*t,*ret = NIL;
void *ext;
GENERAL_NAME *name;
X509_NAME *cname;
X509_NAME_ENTRY *e;
char buf[256];
/* make sure have a certificate */
- if (!cert) ret = "No certificate from server";
- /* and that it has a name */
- else if (!(cname = X509_get_subject_name(cert))) ret = "No name in certificate";
- /* locate CN */
- else{
- if((e = X509_NAME_get_entry(cname, X509_NAME_entry_count(cname)-1)) != NULL){
- X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
- s = (char *) buf;
- }
- else s = NULL;
- }
- if (s != NULL) {
+ if (!cert) return "No certificate from server";
+ /* Method 1: locate CN */
+ if (cert->name == NIL)
+ ret = "No name in certificate";
+ else if ((s = strstr (cert->name,"/CN=")) != NIL) {
+ if (t = strchr (s += 4,'/')) *t = '\0';
/* host name matches pattern? */
- ret = ssl_compare_hostnames (host,s) ? NIL :
+ ret = ssl_compare_hostnames (host,s) ? NIL :
"Server name does not match certificate";
+ if (t) *t = '/'; /* restore smashed delimiter */
/* if mismatch, see if in extensions */
- if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
+ if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
(n = sk_GENERAL_NAME_num (ext)))
- /* older versions of OpenSSL use "ia5" instead of dNSName */
- for (i = 0; ret && (i < n); i++)
- if ((name = sk_GENERAL_NAME_value (ext,i)) &&
+ /* older versions of OpenSSL use "ia5" instead of dNSName */
+ for (i = 0; ret && (i < n); i++)
+ if ((name = sk_GENERAL_NAME_value (ext,i)) &&
(name->type = GEN_DNS) && (s = name->d.ia5->data) &&
ssl_compare_hostnames (host,s)) ret = NIL;
}
- else ret = "Unable to locate common name in certificate";
+ /* Method 2, use Cname */
+ if(ret != NIL){
+ for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
+ if((e = X509_NAME_get_entry(cname, j)) != NULL){
+ X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
+ s = (char *) buf;
+ }
+ else s = NIL;
+ if (s != NIL) {
+ /* host name matches pattern? */
+ ret = ssl_compare_hostnames (host,s) ? NIL :
+ "Server name does not match certificate";
+ /* if mismatch, see if in extensions */
+ if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
+ (n = sk_GENERAL_NAME_num (ext)))
+ /* older versions of OpenSSL use "ia5" instead of dNSName */
+ for (i = 0; ret && (i < n); i++)
+ if ((name = sk_GENERAL_NAME_value (ext,i)) &&
+ (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
+ ssl_compare_hostnames (host,s)) ret = NIL;
+ }
+ }
+ }
+
+ if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert)))
+ ret = "No name in certificate";
+
+ if (ret == NIL && s == NIL)
+ ret = "Unable to locate common name in certificate";
+
return ret;
}
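Review bot: `cname` is read uninitialized on the Method 2 loop line `j < X509_NAME_entry_count(cname) && ret == NIL`: it is assigned only in the check placed after the loop (`!(cname = X509_get_subject_name(cert))`), and even then only when `cert->name` is NIL, so the fallback walks whatever the stack held. The loop also runs the wrong way round — `for(j = 0, ret = NIL; ...; ret == NIL; j++)` discards Method 1's verdict before anything is compared and then stops on the first attribute that does not match instead of continuing until one does, so a subject with no entries validates and one whose first entry is a C= or O= fails. Comparing every subject attribute against the host widens what counts as a name match; only commonName entries should be tried, and since Method 1's SAN walk has already failed by the time Method 2 runs there is no need to repeat it there. The new line `(name->type = GEN_DNS) && (s = name->d.ia5->data)` copies the assignment from the context line where a comparison `==` is meant, so every SAN entry is treated as a dNSName, and `cert->name` is not reachable as a struct field where X509 is opaque (OpenSSL 1.1.0 and later), which is presumably why the removed code went through `X509_get_subject_name`. The hunk in imap/src/osdep/unix/ssl_unix.c is identical and has the same issues.
```c
  /* Method 2: fall back to the subject's commonName entries only;
   * ret still carries Method 1's verdict, so a miss here fails closed */
  if (ret != NIL && (cname = X509_get_subject_name (cert)) != NIL) {
    for (j = 0; ret != NIL && j < X509_NAME_entry_count (cname); j++) {
      if (!(e = X509_NAME_get_entry (cname,j)) ||
	  OBJ_obj2nid (X509_NAME_ENTRY_get_object (e)) != NID_commonName) continue;
      /* the SAN walk in Method 1 has already failed; only the CN text is left */
      if (X509_NAME_get_text_by_OBJ (cname,X509_NAME_ENTRY_get_object (e),buf,sizeof (buf)) > 0 &&
	  ssl_compare_hostnames (host,buf)) ret = NIL;
    }
  }
  /* … unchanged: final "No name in certificate" / "Unable to locate common name" checks and return … */
```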
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 78b6c839..0033e55d 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -504,39 +504,63 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
static char *ssl_validate_cert (X509 *cert,char *host)
{
- int i,n;
- char *s=NULL,*t,*ret;
+ int i,j,n;
+ char *s=NULL,*t,*ret = NIL;
void *ext;
GENERAL_NAME *name;
X509_NAME *cname;
X509_NAME_ENTRY *e;
char buf[256];
/* make sure have a certificate */
- if (!cert) ret = "No certificate from server";
- /* and that it has a name */
- else if (!(cname = X509_get_subject_name(cert))) ret = "No name in certificate";
- /* locate CN */
- else{
- if((e = X509_NAME_get_entry(cname, X509_NAME_entry_count(cname)-1)) != NULL){
- X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
- s = (char *) buf;
- }
- else s = NULL;
- }
- if (s != NULL) {
+ if (!cert) return "No certificate from server";
+ /* Method 1: locate CN */
+ if (cert->name == NIL)
+ ret = "No name in certificate";
+ else if ((s = strstr (cert->name,"/CN=")) != NIL) {
+ if (t = strchr (s += 4,'/')) *t = '\0';
/* host name matches pattern? */
- ret = ssl_compare_hostnames (host,s) ? NIL :
+ ret = ssl_compare_hostnames (host,s) ? NIL :
"Server name does not match certificate";
+ if (t) *t = '/'; /* restore smashed delimiter */
/* if mismatch, see if in extensions */
- if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
+ if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
(n = sk_GENERAL_NAME_num (ext)))
- /* older versions of OpenSSL use "ia5" instead of dNSName */
- for (i = 0; ret && (i < n); i++)
- if ((name = sk_GENERAL_NAME_value (ext,i)) &&
+ /* older versions of OpenSSL use "ia5" instead of dNSName */
+ for (i = 0; ret && (i < n); i++)
+ if ((name = sk_GENERAL_NAME_value (ext,i)) &&
(name->type = GEN_DNS) && (s = name->d.ia5->data) &&
ssl_compare_hostnames (host,s)) ret = NIL;
}
- else ret = "Unable to locate common name in certificate";
+ /* Method 2, use Cname */
+ if(ret != NIL){
+ for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
+ if((e = X509_NAME_get_entry(cname, j)) != NULL){
+ X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
+ s = (char *) buf;
+ }
+ else s = NIL;
+ if (s != NIL) {
+ /* host name matches pattern? */
+ ret = ssl_compare_hostnames (host,s) ? NIL :
+ "Server name does not match certificate";
+ /* if mismatch, see if in extensions */
+ if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
+ (n = sk_GENERAL_NAME_num (ext)))
+ /* older versions of OpenSSL use "ia5" instead of dNSName */
+ for (i = 0; ret && (i < n); i++)
+ if ((name = sk_GENERAL_NAME_value (ext,i)) &&
+ (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
+ ssl_compare_hostnames (host,s)) ret = NIL;
+ }
+ }
+ }
+
+ if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert)))
+ ret = "No name in certificate";
+
+ if (ret == NIL && s == NIL)
+ ret = "Unable to locate common name in certificate";
+
return ret;
}
diff --git a/pith/pine.hlp b/pith/pine.hlp
index 86e9ac82..d52ab905 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
@@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any
reasonable place to be called from.
Dummy change to get revision in pine.hlp
============= h_revision =================
-Alpine Commit 371 2019-10-03 00:47:58
+Alpine Commit 372 2019-10-06 13:43:04
============= h_news =================
<HTML>
<HEAD>