diff options
author | Eduardo Chappa <chappa@washington.edu> | 2019-10-08 21:05:08 -0600 |
---|---|---|
committer | Eduardo Chappa <chappa@washington.edu> | 2019-10-08 21:05:08 -0600 |
commit | fe5ffafc188fe02e8a8c11dad1b8747f0ac17ff2 (patch) | |
tree | 2b0d84bdda5d48e958bb9db5a1f7c3102e0f5d16 /imap/src | |
parent | 87e4a6a156eeeda45f686d05aaccda546703f308 (diff) | |
download | alpine-fe5ffafc188fe02e8a8c11dad1b8747f0ac17ff2.tar.xz |
* Compilation problem and error in logic in function ssl_validate_cert.
The issue with logic was that of the two checks for validation of
if the first one was not done, the second one would not
be done. The intention was to do the second check if the
first check failed. Reported by Erich Ecknet.
Diffstat (limited to 'imap/src')
-rw-r--r-- | imap/src/osdep/nt/ssl_nt.c | 14 | ||||
-rw-r--r-- | imap/src/osdep/unix/ssl_unix.c | 16 |
2 files changed, 23 insertions, 7 deletions
diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c index 3b0118db..d39fdf08 100644 --- a/imap/src/osdep/nt/ssl_nt.c +++ b/imap/src/osdep/nt/ssl_nt.c @@ -501,7 +501,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx) static char *ssl_validate_cert (X509 *cert,char *host) { - int i,j,n; + int i,j,n, m = 0;; char *s=NULL,*t,*ret = NIL; void *ext; GENERAL_NAME *name; @@ -511,9 +511,11 @@ static char *ssl_validate_cert (X509 *cert,char *host) /* make sure have a certificate */ if (!cert) return "No certificate from server"; /* Method 1: locate CN */ +#ifndef OPENSSL_1_1_0 if (cert->name == NIL) ret = "No name in certificate"; else if ((s = strstr (cert->name,"/CN=")) != NIL) { + m++; /* count that we tried this method */ if (t = strchr (s += 4,'/')) *t = '\0'; /* host name matches pattern? */ ret = ssl_compare_hostnames (host,s) ? NIL : @@ -528,8 +530,10 @@ static char *ssl_validate_cert (X509 *cert,char *host) (name->type = GEN_DNS) && (s = name->d.ia5->data) && ssl_compare_hostnames (host,s)) ret = NIL; } +#endif /* OPENSSL_1_1_0 */ /* Method 2, use Cname */ - if(ret != NIL){ + if(m == 0 || ret != NIL){ + cname = X509_get_subject_name(cert); for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){ if((e = X509_NAME_get_entry(cname, j)) != NULL){ X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf)); @@ -552,7 +556,11 @@ static char *ssl_validate_cert (X509 *cert,char *host) } } - if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert))) + if (ret == NIL +#ifndef OPENSSL_1_1_0 + && !cert->name +#endif /* OPENSSL_1_1_9 */ + && !X509_get_subject_name(cert)) ret = "No name in certificate"; if (ret == NIL && s == NIL) diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c index 0033e55d..24f91e1c 100644 --- a/imap/src/osdep/unix/ssl_unix.c +++ b/imap/src/osdep/unix/ssl_unix.c @@ -504,7 +504,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx) static char *ssl_validate_cert (X509 *cert,char *host) { - int i,j,n; + int i,j,n, m = 0; char *s=NULL,*t,*ret = NIL; void *ext; GENERAL_NAME *name; @@ -514,9 +514,11 @@ static char *ssl_validate_cert (X509 *cert,char *host) /* make sure have a certificate */ if (!cert) return "No certificate from server"; /* Method 1: locate CN */ +#ifndef OPENSSL_1_1_0 if (cert->name == NIL) ret = "No name in certificate"; else if ((s = strstr (cert->name,"/CN=")) != NIL) { + m++; /* count that we tried this method */ if (t = strchr (s += 4,'/')) *t = '\0'; /* host name matches pattern? */ ret = ssl_compare_hostnames (host,s) ? NIL : @@ -531,8 +533,10 @@ static char *ssl_validate_cert (X509 *cert,char *host) (name->type = GEN_DNS) && (s = name->d.ia5->data) && ssl_compare_hostnames (host,s)) ret = NIL; } - /* Method 2, use Cname */ - if(ret != NIL){ +#endif /* OPENSSL_1_1_0 */ + /* Method 2, use cname */ + if(m == 0 || ret != NIL){ + cname = X509_get_subject_name(cert); for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){ if((e = X509_NAME_get_entry(cname, j)) != NULL){ X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf)); @@ -555,7 +559,11 @@ static char *ssl_validate_cert (X509 *cert,char *host) } } - if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert))) + if (ret == NIL +#ifndef OPENSSL_1_1_0 + && !cert->name +#endif /* OPENSSL_1_1_0 */ + && !X509_get_subject_name(cert)) ret = "No name in certificate"; if (ret == NIL && s == NIL) |