From fe5ffafc188fe02e8a8c11dad1b8747f0ac17ff2 Mon Sep 17 00:00:00 2001 From: Eduardo Chappa Date: Tue, 8 Oct 2019 21:05:08 -0600 Subject: * Compilation problem and error in logic in function ssl_validate_cert. The issue with logic was that of the two checks for validation of if the first one was not done, the second one would not be done. The intention was to do the second check if the first check failed. Reported by Erich Ecknet. --- imap/src/osdep/nt/ssl_nt.c | 14 +++++++++++--- imap/src/osdep/unix/ssl_unix.c | 16 ++++++++++++---- pith/pine.hlp | 2 +- 3 files changed, 24 insertions(+), 8 deletions(-) diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c index 3b0118d..d39fdf0 100644 --- a/imap/src/osdep/nt/ssl_nt.c +++ b/imap/src/osdep/nt/ssl_nt.c @@ -501,7 +501,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx) static char *ssl_validate_cert (X509 *cert,char *host) { - int i,j,n; + int i,j,n, m = 0;; char *s=NULL,*t,*ret = NIL; void *ext; GENERAL_NAME *name; @@ -511,9 +511,11 @@ static char *ssl_validate_cert (X509 *cert,char *host) /* make sure have a certificate */ if (!cert) return "No certificate from server"; /* Method 1: locate CN */ +#ifndef OPENSSL_1_1_0 if (cert->name == NIL) ret = "No name in certificate"; else if ((s = strstr (cert->name,"/CN=")) != NIL) { + m++; /* count that we tried this method */ if (t = strchr (s += 4,'/')) *t = '\0'; /* host name matches pattern? */ ret = ssl_compare_hostnames (host,s) ? NIL : @@ -528,8 +530,10 @@ static char *ssl_validate_cert (X509 *cert,char *host) (name->type = GEN_DNS) && (s = name->d.ia5->data) && ssl_compare_hostnames (host,s)) ret = NIL; } +#endif /* OPENSSL_1_1_0 */ /* Method 2, use Cname */ - if(ret != NIL){ + if(m == 0 || ret != NIL){ + cname = X509_get_subject_name(cert); for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){ if((e = X509_NAME_get_entry(cname, j)) != NULL){ X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf)); @@ -552,7 +556,11 @@ static char *ssl_validate_cert (X509 *cert,char *host) } } - if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert))) + if (ret == NIL +#ifndef OPENSSL_1_1_0 + && !cert->name +#endif /* OPENSSL_1_1_9 */ + && !X509_get_subject_name(cert)) ret = "No name in certificate"; if (ret == NIL && s == NIL) diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c index 0033e55..24f91e1 100644 --- a/imap/src/osdep/unix/ssl_unix.c +++ b/imap/src/osdep/unix/ssl_unix.c @@ -504,7 +504,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx) static char *ssl_validate_cert (X509 *cert,char *host) { - int i,j,n; + int i,j,n, m = 0; char *s=NULL,*t,*ret = NIL; void *ext; GENERAL_NAME *name; @@ -514,9 +514,11 @@ static char *ssl_validate_cert (X509 *cert,char *host) /* make sure have a certificate */ if (!cert) return "No certificate from server"; /* Method 1: locate CN */ +#ifndef OPENSSL_1_1_0 if (cert->name == NIL) ret = "No name in certificate"; else if ((s = strstr (cert->name,"/CN=")) != NIL) { + m++; /* count that we tried this method */ if (t = strchr (s += 4,'/')) *t = '\0'; /* host name matches pattern? */ ret = ssl_compare_hostnames (host,s) ? NIL : @@ -531,8 +533,10 @@ static char *ssl_validate_cert (X509 *cert,char *host) (name->type = GEN_DNS) && (s = name->d.ia5->data) && ssl_compare_hostnames (host,s)) ret = NIL; } - /* Method 2, use Cname */ - if(ret != NIL){ +#endif /* OPENSSL_1_1_0 */ + /* Method 2, use cname */ + if(m == 0 || ret != NIL){ + cname = X509_get_subject_name(cert); for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){ if((e = X509_NAME_get_entry(cname, j)) != NULL){ X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf)); @@ -555,7 +559,11 @@ static char *ssl_validate_cert (X509 *cert,char *host) } } - if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert))) + if (ret == NIL +#ifndef OPENSSL_1_1_0 + && !cert->name +#endif /* OPENSSL_1_1_0 */ + && !X509_get_subject_name(cert)) ret = "No name in certificate"; if (ret == NIL && s == NIL) diff --git a/pith/pine.hlp b/pith/pine.hlp index d52ab90..5219650 100644 --- a/pith/pine.hlp +++ b/pith/pine.hlp @@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any reasonable place to be called from. Dummy change to get revision in pine.hlp ============= h_revision ================= -Alpine Commit 372 2019-10-06 13:43:04 +Alpine Commit 373 2019-10-08 21:05:01 ============= h_news ================= -- cgit v1.2.3-54-g00ecf