diff options
author | Eduardo Chappa <chappa@washington.edu> | 2019-10-06 13:52:15 -0600 |
---|---|---|
committer | Eduardo Chappa <chappa@washington.edu> | 2019-10-06 13:52:15 -0600 |
commit | 87e4a6a156eeeda45f686d05aaccda546703f308 (patch) | |
tree | 78e59749edd4653d27affcc9fcee0456ce77de8d | |
parent | 9abfe45e6f2a2d37886b2979cef788621ab2b033 (diff) | |
download | alpine-87e4a6a156eeeda45f686d05aaccda546703f308.tar.xz |
* Check for name of server in "server validation code" in more places.
* Document request message for first time use reports IMAP for any remote
connection. Report the correct type of service instead.
-rw-r--r-- | alpine/send.c | 9 | ||||
-rw-r--r-- | imap/src/osdep/nt/ssl_nt.c | 64 | ||||
-rw-r--r-- | imap/src/osdep/unix/ssl_unix.c | 64 | ||||
-rw-r--r-- | pith/pine.hlp | 2 |
4 files changed, 96 insertions, 43 deletions
diff --git a/alpine/send.c b/alpine/send.c index 41dff033..f41bb75b 100644 --- a/alpine/send.c +++ b/alpine/send.c @@ -5556,6 +5556,7 @@ phone_home(char *addr) char tmp[MAX_ADDRESS], revision[128]; ENVELOPE *outgoing; BODY *body; + NETMBX mb; outgoing = mail_newenvelope(); if(!addr || !strindex(addr, '@')){ @@ -5583,8 +5584,12 @@ phone_home(char *addr) if(ps_global->first_time_user) so_puts((STORE_S *)body->contents.text.data, " for New Users"); - if(ps_global->VAR_INBOX_PATH && ps_global->VAR_INBOX_PATH[0] == '{') - so_puts((STORE_S *)body->contents.text.data, " and IMAP"); + if(ps_global->VAR_INBOX_PATH + && ps_global->VAR_INBOX_PATH[0] == '{' + && mail_valid_net_parse(ps_global->VAR_INBOX_PATH, &mb)){ + so_puts((STORE_S *)body->contents.text.data, " and "); + so_puts((STORE_S *)body->contents.text.data, *mb.service ? mb.service : "UNKNOWN SERVICE"); + } if(ps_global->VAR_NNTP_SERVER && ps_global->VAR_NNTP_SERVER[0] && ps_global->VAR_NNTP_SERVER[0][0]) diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c index 6aeb3c5d..3b0118db 100644 --- a/imap/src/osdep/nt/ssl_nt.c +++ b/imap/src/osdep/nt/ssl_nt.c @@ -501,39 +501,63 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx) static char *ssl_validate_cert (X509 *cert,char *host) { - int i,n; - char *s=NULL,*t,*ret; + int i,j,n; + char *s=NULL,*t,*ret = NIL; void *ext; GENERAL_NAME *name; X509_NAME *cname; X509_NAME_ENTRY *e; char buf[256]; /* make sure have a certificate */ - if (!cert) ret = "No certificate from server"; - /* and that it has a name */ - else if (!(cname = X509_get_subject_name(cert))) ret = "No name in certificate"; - /* locate CN */ - else{ - if((e = X509_NAME_get_entry(cname, X509_NAME_entry_count(cname)-1)) != NULL){ - X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf)); - s = (char *) buf; - } - else s = NULL; - } - if (s != NULL) { + if (!cert) return "No certificate from server"; + /* Method 1: locate CN */ + if (cert->name == NIL) + ret = "No name in certificate"; + else if ((s = strstr (cert->name,"/CN=")) != NIL) { + if (t = strchr (s += 4,'/')) *t = '\0'; /* host name matches pattern? */ - ret = ssl_compare_hostnames (host,s) ? NIL : + ret = ssl_compare_hostnames (host,s) ? NIL : "Server name does not match certificate"; + if (t) *t = '/'; /* restore smashed delimiter */ /* if mismatch, see if in extensions */ - if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) && + if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) && (n = sk_GENERAL_NAME_num (ext))) - /* older versions of OpenSSL use "ia5" instead of dNSName */ - for (i = 0; ret && (i < n); i++) - if ((name = sk_GENERAL_NAME_value (ext,i)) && + /* older versions of OpenSSL use "ia5" instead of dNSName */ + for (i = 0; ret && (i < n); i++) + if ((name = sk_GENERAL_NAME_value (ext,i)) && (name->type = GEN_DNS) && (s = name->d.ia5->data) && ssl_compare_hostnames (host,s)) ret = NIL; } - else ret = "Unable to locate common name in certificate"; + /* Method 2, use Cname */ + if(ret != NIL){ + for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){ + if((e = X509_NAME_get_entry(cname, j)) != NULL){ + X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf)); + s = (char *) buf; + } + else s = NIL; + if (s != NIL) { + /* host name matches pattern? */ + ret = ssl_compare_hostnames (host,s) ? NIL : + "Server name does not match certificate"; + /* if mismatch, see if in extensions */ + if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) && + (n = sk_GENERAL_NAME_num (ext))) + /* older versions of OpenSSL use "ia5" instead of dNSName */ + for (i = 0; ret && (i < n); i++) + if ((name = sk_GENERAL_NAME_value (ext,i)) && + (name->type = GEN_DNS) && (s = name->d.ia5->data) && + ssl_compare_hostnames (host,s)) ret = NIL; + } + } + } + + if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert))) + ret = "No name in certificate"; + + if (ret == NIL && s == NIL) + ret = "Unable to locate common name in certificate"; + return ret; } diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c index 78b6c839..0033e55d 100644 --- a/imap/src/osdep/unix/ssl_unix.c +++ b/imap/src/osdep/unix/ssl_unix.c @@ -504,39 +504,63 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx) static char *ssl_validate_cert (X509 *cert,char *host) { - int i,n; - char *s=NULL,*t,*ret; + int i,j,n; + char *s=NULL,*t,*ret = NIL; void *ext; GENERAL_NAME *name; X509_NAME *cname; X509_NAME_ENTRY *e; char buf[256]; /* make sure have a certificate */ - if (!cert) ret = "No certificate from server"; - /* and that it has a name */ - else if (!(cname = X509_get_subject_name(cert))) ret = "No name in certificate"; - /* locate CN */ - else{ - if((e = X509_NAME_get_entry(cname, X509_NAME_entry_count(cname)-1)) != NULL){ - X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf)); - s = (char *) buf; - } - else s = NULL; - } - if (s != NULL) { + if (!cert) return "No certificate from server"; + /* Method 1: locate CN */ + if (cert->name == NIL) + ret = "No name in certificate"; + else if ((s = strstr (cert->name,"/CN=")) != NIL) { + if (t = strchr (s += 4,'/')) *t = '\0'; /* host name matches pattern? */ - ret = ssl_compare_hostnames (host,s) ? NIL : + ret = ssl_compare_hostnames (host,s) ? NIL : "Server name does not match certificate"; + if (t) *t = '/'; /* restore smashed delimiter */ /* if mismatch, see if in extensions */ - if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) && + if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) && (n = sk_GENERAL_NAME_num (ext))) - /* older versions of OpenSSL use "ia5" instead of dNSName */ - for (i = 0; ret && (i < n); i++) - if ((name = sk_GENERAL_NAME_value (ext,i)) && + /* older versions of OpenSSL use "ia5" instead of dNSName */ + for (i = 0; ret && (i < n); i++) + if ((name = sk_GENERAL_NAME_value (ext,i)) && (name->type = GEN_DNS) && (s = name->d.ia5->data) && ssl_compare_hostnames (host,s)) ret = NIL; } - else ret = "Unable to locate common name in certificate"; + /* Method 2, use Cname */ + if(ret != NIL){ + for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){ + if((e = X509_NAME_get_entry(cname, j)) != NULL){ + X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf)); + s = (char *) buf; + } + else s = NIL; + if (s != NIL) { + /* host name matches pattern? */ + ret = ssl_compare_hostnames (host,s) ? NIL : + "Server name does not match certificate"; + /* if mismatch, see if in extensions */ + if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) && + (n = sk_GENERAL_NAME_num (ext))) + /* older versions of OpenSSL use "ia5" instead of dNSName */ + for (i = 0; ret && (i < n); i++) + if ((name = sk_GENERAL_NAME_value (ext,i)) && + (name->type = GEN_DNS) && (s = name->d.ia5->data) && + ssl_compare_hostnames (host,s)) ret = NIL; + } + } + } + + if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert))) + ret = "No name in certificate"; + + if (ret == NIL && s == NIL) + ret = "Unable to locate common name in certificate"; + return ret; } diff --git a/pith/pine.hlp b/pith/pine.hlp index 86e9ac82..d52ab905 100644 --- a/pith/pine.hlp +++ b/pith/pine.hlp @@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any reasonable place to be called from. Dummy change to get revision in pine.hlp ============= h_revision ================= -Alpine Commit 371 2019-10-03 00:47:58 +Alpine Commit 372 2019-10-06 13:43:04 ============= h_news ================= <HTML> <HEAD> |