community/alpine/0001-ssl_unix-fix-server-name-validation.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63

From 381647e651dd17f2a48b66a1cc358db3f3be6f98 Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
Date: Fri, 6 Mar 2020 20:05:14 +0200
Subject: [PATCH] ssl_unix: fix server name validation

look for CN instead of checking only the first RDN
---
 imap/src/osdep/unix/ssl_unix.c | 29 ++++++++++++-----------------
 1 file changed, 12 insertions(+), 17 deletions(-)

diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 4ebe1ae..24a503f 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -507,7 +507,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
 
 static char *ssl_validate_cert (X509 *cert,char *host)
 {
-  int i,j,n, m = 0;
+  int i,n, m = 0;
   char *s=NULL,*t,*ret = NIL;
   void *ext;
   GENERAL_NAME *name;
@@ -540,25 +540,20 @@ static char *ssl_validate_cert (X509 *cert,char *host)
 				/* Method 2, use cname */
   if(m == 0 || ret != NIL){
      cname = X509_get_subject_name(cert);
-     for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
-        if((e = X509_NAME_get_entry(cname, j)) != NULL){
-           X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
-           s = (char *) buf;
-        }
-        else s = NIL;
-        if (s != NIL) {
+     s = X509_NAME_get_text_by_NID(cname, NID_commonName, buf, sizeof(buf)) > 0 ?
+           (char *) buf : NIL;
+     if (s != NIL) {
 				/* host name matches pattern? */
-	   ret = ssl_compare_hostnames (host,s) ? NIL :
-		 "Server name does not match certificate";
+	ret = ssl_compare_hostnames (host,s) ? NIL :
+	      "Server name does not match certificate";
 				/* if mismatch, see if in extensions */
-	   if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
-		(n = sk_GENERAL_NAME_num (ext)))
+	if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
+	     (n = sk_GENERAL_NAME_num (ext)))
 	           /* older versions of OpenSSL use "ia5" instead of dNSName */
-	      for (i = 0; ret && (i < n); i++)
-		  if ((name = sk_GENERAL_NAME_value (ext,i)) &&
-		     (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
-		     ssl_compare_hostnames (host,s)) ret = NIL;
-        }
+	   for (i = 0; ret && (i < n); i++)
+	       if ((name = sk_GENERAL_NAME_value (ext,i)) &&
+		  (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
+		  ssl_compare_hostnames (host,s)) ret = NIL;
      }
   }
 
-- 
2.25.1