From 135272d2c8528e70d9c201ce661ef44ddbe6fa75 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 19 Sep 2013 16:02:58 +0000
Subject: rename to elinks-0.12pre6-ssl-hostname.patch

... so that it reflects the actual version of elinks
---
(limited to 'elinks-0.12pre6-ssl-hostname.patch')

diff --git a/elinks-0.12pre6-ssl-hostname.patch b/elinks-0.12pre6-ssl-hostname.patch
new file mode 100644
index 0000000..5a3820f
--- /dev/null
+++ b/elinks-0.12pre6-ssl-hostname.patch
@@ -0,0 +1,70 @@
+From cc428d37023b3f73458cf2054f19395035307045 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 18 Sep 2013 13:42:40 +0200
+Subject: [PATCH] verify server certificate hostname with nss_compat_ossl
+
+Bug: https://bugzilla.redhat.com/881411
+---
+ src/network/ssl/socket.c |   32 ++++++++++++++++++++++++++++++++
+ 1 files changed, 32 insertions(+), 0 deletions(-)
+
+diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
+index 3265107..0aeb037 100644
+--- a/src/network/ssl/socket.c
++++ b/src/network/ssl/socket.c
+@@ -9,6 +9,9 @@
+ #define USE_OPENSSL
+ #elif defined(CONFIG_NSS_COMPAT_OSSL)
+ #include <nss_compat_ossl/nss_compat_ossl.h>
++#include <nspr.h>		/* for PR_GetError()    */
++#include <ssl.h>		/* for SSL_SetURL()     */
++#include "protocol/uri.h"	/* for get_uri_string() */
+ #define USE_OPENSSL
+ #elif defined(CONFIG_GNUTLS)
+ #include <gnutls/gnutls.h>
+@@ -116,6 +119,19 @@ ssl_want_read(struct socket *socket)
+ 	}
+ }
+ 
++#ifdef CONFIG_NSS_COMPAT_OSSL
++/* wrap nss_compat_ossl to honour SSL_ERROR_BAD_CERT_DOMAIN */
++SECStatus BadCertHandler(void *arg, PRFileDesc *ssl);
++static SECStatus nss_bad_cert_hook(void *arg, PRFileDesc *ssl)
++{
++	if (SSL_ERROR_BAD_CERT_DOMAIN == PR_GetError())
++		return SECFailure;
++
++	/* fallback to the default hook of nss_compat_ossl */
++	return BadCertHandler(arg, ssl);
++}
++#endif
++
+ /* Return -1 on error, 0 or success. */
+ int
+ ssl_connect(struct socket *socket)
+@@ -127,6 +143,22 @@ ssl_connect(struct socket *socket)
+ 		return -1;
+ 	}
+ 
++#ifdef CONFIG_NSS_COMPAT_OSSL
++	/* fix for https://bugzilla.redhat.com/881411 */
++	{
++		struct connection *conn = socket->conn;
++		unsigned char *host = get_uri_string(conn->uri, URI_HOST);
++		if (!host
++				|| SECSuccess != SSL_SetURL(socket->ssl, host)
++				|| SECSuccess != SSL_BadCertHook(socket->ssl,
++					nss_bad_cert_hook, /* XXX */ NULL))
++		{
++			socket->ops->done(socket, connection_state(S_SSL_ERROR));
++			return -1;
++		}
++	}
++#endif
++
+ 	if (socket->no_tls)
+ 		ssl_set_no_tls(socket);
+ 
+-- 
+1.7.1
+
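Review bot: The `host` buffer obtained from `get_uri_string(conn->uri, URI_HOST)` is never freed, neither on the error path nor after `SSL_SetURL()` succeeds, so if get_uri_string() returns a caller-owned allocation, as its other uses in elinks suggest, this leaks once per TLS connection. SSL_SetURL() keeps its own copy of the name, so the string can be released right after the call, e.g. `SECStatus st = host ? SSL_SetURL(socket->ssl, host) : SECFailure; mem_free_if(host);` and then test `SECSuccess != st` in place of the `!host || SECSuccess != SSL_SetURL(...)` terms of the condition. The `/* XXX */ NULL` hook argument is forwarded unchanged to BadCertHandler() in nss_bad_cert_hook(), whose expected argument is not visible here; worth confirming the nss_compat_ossl default hook tolerates NULL, since a crash there would turn a certificate failure into a denial of service rather than a clean S_SSL_ERROR. ssl_connect() starts before and continues after the hunk.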