* Compilation problem and error in logic in function ssl_validate_cert.

The issue with logic was that of the two checks for validation of if the first one was not done, the second one would not be done. The intention was to do the second check if the first check failed. Reported by Erich Ecknet.
author: Eduardo Chappa <chappa@washington.edu> 2019-10-08 21:05:08 -0600
committer: Eduardo Chappa <chappa@washington.edu> 2019-10-08 21:05:08 -0600
commit: fe5ffafc188fe02e8a8c11dad1b8747f0ac17ff2 (patch)
tree: 2b0d84bdda5d48e958bb9db5a1f7c3102e0f5d16 /imap/src/osdep
parent: 87e4a6a156eeeda45f686d05aaccda546703f308 (diff)
download: alpine-fe5ffafc188fe02e8a8c11dad1b8747f0ac17ff2.tar.xz
2 files changed, 23 insertions, 7 deletions
diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c
index 3b0118db..d39fdf08 100644
--- a/imap/src/osdep/nt/ssl_nt.c
+++ b/imap/src/osdep/nt/ssl_nt.c
@@ -501,7 +501,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
 
 static char *ssl_validate_cert (X509 *cert,char *host)
 {
-  int i,j,n;
+  int i,j,n, m = 0;;
   char *s=NULL,*t,*ret = NIL;
   void *ext;
   GENERAL_NAME *name;
@@ -511,9 +511,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
 				/* make sure have a certificate */
   if (!cert) return "No certificate from server";
 				/* Method 1: locate CN */
+#ifndef OPENSSL_1_1_0
   if (cert->name == NIL)
      ret = "No name in certificate";
   else if ((s = strstr (cert->name,"/CN=")) != NIL) {
+     m++; /* count that we tried this method */
      if (t = strchr (s += 4,'/')) *t = '\0';
 				/* host name matches pattern? */
      ret = ssl_compare_hostnames (host,s) ? NIL :
@@ -528,8 +530,10 @@ static char *ssl_validate_cert (X509 *cert,char *host)
 	    (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
 	    ssl_compare_hostnames (host,s)) ret = NIL;
   }
+#endif /* OPENSSL_1_1_0 */
 				/* Method 2, use Cname */
-  if(ret != NIL){
+  if(m == 0 || ret != NIL){
+     cname = X509_get_subject_name(cert);
      for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
         if((e = X509_NAME_get_entry(cname, j)) != NULL){
            X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
@@ -552,7 +556,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
      }
   }
 
-  if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert)))
+  if (ret == NIL
+#ifndef OPENSSL_1_1_0
+       && !cert->name
+#endif /* OPENSSL_1_1_9 */
+       && !X509_get_subject_name(cert))
 	ret = "No name in certificate";
 
   if (ret == NIL && s == NIL) 
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 0033e55d..24f91e1c 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -504,7 +504,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
 
 static char *ssl_validate_cert (X509 *cert,char *host)
 {
-  int i,j,n;
+  int i,j,n, m = 0;
   char *s=NULL,*t,*ret = NIL;
   void *ext;
   GENERAL_NAME *name;
@@ -514,9 +514,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
 				/* make sure have a certificate */
   if (!cert) return "No certificate from server";
 				/* Method 1: locate CN */
+#ifndef OPENSSL_1_1_0
   if (cert->name == NIL)
      ret = "No name in certificate";
   else if ((s = strstr (cert->name,"/CN=")) != NIL) {
+     m++; /* count that we tried this method */
      if (t = strchr (s += 4,'/')) *t = '\0';
 				/* host name matches pattern? */
      ret = ssl_compare_hostnames (host,s) ? NIL :
@@ -531,8 +533,10 @@ static char *ssl_validate_cert (X509 *cert,char *host)
 	    (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
 	    ssl_compare_hostnames (host,s)) ret = NIL;
   }
-				/* Method 2, use Cname */
-  if(ret != NIL){
+#endif /* OPENSSL_1_1_0 */
+				/* Method 2, use cname */
+  if(m == 0 || ret != NIL){
+     cname = X509_get_subject_name(cert);
      for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
         if((e = X509_NAME_get_entry(cname, j)) != NULL){
            X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
@@ -555,7 +559,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
      }
   }
 
-  if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert)))
+  if (ret == NIL
+#ifndef OPENSSL_1_1_0
+       && !cert->name
+#endif /* OPENSSL_1_1_0 */
+       && !X509_get_subject_name(cert))
 	ret = "No name in certificate";
 
   if (ret == NIL && s == NIL)
author	Eduardo Chappa <chappa@washington.edu>	2019-10-08 21:05:08 -0600
committer	Eduardo Chappa <chappa@washington.edu>	2019-10-08 21:05:08 -0600
commit	fe5ffafc188fe02e8a8c11dad1b8747f0ac17ff2 (patch)
tree	2b0d84bdda5d48e958bb9db5a1f7c3102e0f5d16 /imap/src/osdep
parent	87e4a6a156eeeda45f686d05aaccda546703f308 (diff)
download	alpine-fe5ffafc188fe02e8a8c11dad1b8747f0ac17ff2.tar.xz