authorEduardo Chappa <chappa@washington.edu>2019-10-08 21:05:08 -0600
committerEduardo Chappa <chappa@washington.edu>2019-10-08 21:05:08 -0600
commitfe5ffafc188fe02e8a8c11dad1b8747f0ac17ff2 (patch)
tree2b0d84bdda5d48e958bb9db5a1f7c3102e0f5d16 /imap/src
parent87e4a6a156eeeda45f686d05aaccda546703f308 (diff)
* Compilation problem and error in logic in function ssl_validate_cert.
The logic issue was that, of the two validation checks, if the first one was not done, the second one would not be done either; the intention was to do the second check when the first check failed or was not done. Reported by Erich Ecknet.
Diffstat (limited to 'imap/src')
-rw-r--r--imap/src/osdep/nt/ssl_nt.c14
-rw-r--r--imap/src/osdep/unix/ssl_unix.c16
2 files changed, 23 insertions, 7 deletions
diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c
index 3b0118db..d39fdf08 100644
--- a/imap/src/osdep/nt/ssl_nt.c
+++ b/imap/src/osdep/nt/ssl_nt.c
@@ -501,7 +501,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
static char *ssl_validate_cert (X509 *cert,char *host)
{
- int i,j,n;
+ int i,j,n, m = 0;;
char *s=NULL,*t,*ret = NIL;
void *ext;
GENERAL_NAME *name;
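Review bot: The new declaration line `int i,j,n, m = 0;;` carries a stray empty statement after the initializer; the corresponding hunk in ssl_unix.c has a single semicolon, so this looks like a typo rather than intent. Drop it: `int i,j,n, m = 0;`. Since the only use the commit makes of `m` is an `m == 0` test, it is a flag rather than a count, and a short comment at the declaration such as `/* nonzero once Method 1 (CN lookup) has been attempted */` would say what it means. ssl_validate_cert's body continues past the end of this hunk.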
@@ -511,9 +511,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
/* make sure have a certificate */
if (!cert) return "No certificate from server";
/* Method 1: locate CN */
+#ifndef OPENSSL_1_1_0
if (cert->name == NIL)
ret = "No name in certificate";
else if ((s = strstr (cert->name,"/CN=")) != NIL) {
+ m++; /* count that we tried this method */
if (t = strchr (s += 4,'/')) *t = '\0';
/* host name matches pattern? */
ret = ssl_compare_hostnames (host,s) ? NIL :
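Review bot: The `#ifndef OPENSSL_1_1_0` opened on the new line before `if (cert->name == NIL)` appears, judging from the matching `#endif` in the following hunk, to close only after the subjectAltName walk, so on an OPENSSL_1_1_0 build all of Method 1 — both the CN match and the SAN match — is compiled out and the host is then checked against subject-name entries alone. A certificate that carries the host only in a dNSName SAN, which is the common case today, would then be rejected on that build; please confirm against the full function. Only `cert->name` is the 1.1.0-incompatible access here — the SAN loop goes through `X509_get_ext_d2i`, which exists on both sides — so the `#ifndef` could be narrowed to the `cert->name`/`strstr` CN lookup and the SAN walk left unconditional. Separately, `strstr (cert->name,"/CN=")` matches the first `/CN=` anywhere in the one-line subject, including inside another RDN's value, and `strchr (s += 4,'/')` truncates a CN that itself contains a slash. ssl_validate_cert begins before this hunk and continues after it.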
@@ -528,8 +530,10 @@ static char *ssl_validate_cert (X509 *cert,char *host)
(name->type = GEN_DNS) && (s = name->d.ia5->data) &&
ssl_compare_hostnames (host,s)) ret = NIL;
}
+#endif /* OPENSSL_1_1_0 */
/* Method 2, use Cname */
- if(ret != NIL){
+ if(m == 0 || ret != NIL){
+ cname = X509_get_subject_name(cert);
for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
if((e = X509_NAME_get_entry(cname, j)) != NULL){
X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
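Review bot: `(name->type = GEN_DNS)` on the first context line is an assignment, not a comparison, so every subjectAltName entry is overwritten to dNSName and `name->d.ia5->data` is read regardless of the entry's real type (iPAddress, otherName, …); the test should read `(name->type == GEN_DNS)`, and the commit keeps the line live on the pre-1.1.0 path without fixing it. In the new Method 2 loop the return value of `X509_NAME_get_text_by_OBJ` is discarded — it is -1 when no entry with that object exists, in which case `buf` still holds whatever the previous iteration left — and because that call looks up by object rather than by the index `j`, a subject with several CN entries is compared against the first CN each time; how `buf` is then used depends on the loop body, which lies outside the hunk. Note also that `ret` is reset to NIL in the loop initializer, so a subject with no CN entry at all leaves Method 2 with `ret == NIL`, and only the later `ret == NIL && s == NIL` test (next hunk), if it sets an error, stands between that and acceptance. ssl_validate_cert starts and ends outside this hunk.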
@@ -552,7 +556,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
}
}
- if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert)))
+ if (ret == NIL
+#ifndef OPENSSL_1_1_0
+ && !cert->name
+#endif /* OPENSSL_1_1_9 */
+ && !X509_get_subject_name(cert))
ret = "No name in certificate";
if (ret == NIL && s == NIL)
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 0033e55d..24f91e1c 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -504,7 +504,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
static char *ssl_validate_cert (X509 *cert,char *host)
{
- int i,j,n;
+ int i,j,n, m = 0;
char *s=NULL,*t,*ret = NIL;
void *ext;
GENERAL_NAME *name;
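Review bot: `m` on the new `int i,j,n, m = 0;` line is introduced without a comment and with a name that reads as a counter, yet the only use the commit makes of it is an `m == 0` test, so it is really an "attempted Method 1" flag. A descriptive name or a comment at the declaration would help the next reader, e.g. `int i,j,n, m = 0; /* nonzero once Method 1 (CN/SAN match) has been attempted */`. The rest of ssl_validate_cert lies outside this hunk.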
@@ -514,9 +514,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
/* make sure have a certificate */
if (!cert) return "No certificate from server";
/* Method 1: locate CN */
+#ifndef OPENSSL_1_1_0
if (cert->name == NIL)
ret = "No name in certificate";
else if ((s = strstr (cert->name,"/CN=")) != NIL) {
+ m++; /* count that we tried this method */
if (t = strchr (s += 4,'/')) *t = '\0';
/* host name matches pattern? */
ret = ssl_compare_hostnames (host,s) ? NIL :
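Review bot: The `#ifndef OPENSSL_1_1_0` added above `if (cert->name == NIL)` seems, from where the next hunk places its `#endif`, to enclose the subjectAltName walk as well as the CN lookup, so with OPENSSL_1_1_0 defined Method 1 disappears entirely and only subject-name entries are consulted — a host present only in a dNSName SAN would fail validation on that build; confirm against the whole function. Since `cert->name` is the only access that 1.1.0 removed and the SAN code uses `X509_get_ext_d2i`, the guard could wrap just the `cert->name`/`strstr` lines and leave the SAN loop compiled on both sides. The `strstr (cert->name,"/CN=")` scan also takes the first `/CN=` in the one-line form, even inside another RDN's value, and the `strchr` on the next line cuts a CN short at any embedded `/`. ssl_validate_cert begins before this hunk and continues after it.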
@@ -531,8 +533,10 @@ static char *ssl_validate_cert (X509 *cert,char *host)
(name->type = GEN_DNS) && (s = name->d.ia5->data) &&
ssl_compare_hostnames (host,s)) ret = NIL;
}
- /* Method 2, use Cname */
- if(ret != NIL){
+#endif /* OPENSSL_1_1_0 */
+ /* Method 2, use cname */
+ if(m == 0 || ret != NIL){
+ cname = X509_get_subject_name(cert);
for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
if((e = X509_NAME_get_entry(cname, j)) != NULL){
X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
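Review bot: The first context line compares nothing: `(name->type = GEN_DNS)` assigns, so each SAN entry is forced to dNSName and `name->d.ia5->data` is dereferenced whatever the entry actually was; it should be `(name->type == GEN_DNS)`, and this hunk leaves it in place on the pre-1.1.0 path. The new `X509_NAME_get_text_by_OBJ` call ignores its return value (-1 when the object is absent, leaving `buf` stale) and, being a lookup by object rather than by index `j`, will return the first CN for every CN entry in a multi-CN subject — whether that matters depends on the remainder of the loop, which is outside this hunk. Because the loop initializer resets `ret = NIL`, a subject with no CN entry ends Method 2 with no error set, so the later `ret == NIL && s == NIL` check in the next hunk is the only remaining guard, assuming it sets one. ssl_validate_cert starts and ends outside this hunk.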
@@ -555,7 +559,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
}
}
- if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert)))
+ if (ret == NIL
+#ifndef OPENSSL_1_1_0
+ && !cert->name
+#endif /* OPENSSL_1_1_0 */
+ && !X509_get_subject_name(cert))
ret = "No name in certificate";
if (ret == NIL && s == NIL)