FreeBSD Bugzilla – Attachment 198493 Details for
Bug 226621
mail/cclient: hostname verification broken
[patch]
svn diff for mail/cclient
patch-mail_cclient-OpenSSL1.1 (text/plain), 4.08 KB, created by
Bernard Spil
on 2018-10-23 13:00:51 UTC
Description:
svn diff for mail/cclient
Filename:
MIME Type:
Creator:
Bernard Spil
Created:
2018-10-23 13:00:51 UTC
Size:
4.08 KB
patch
obsolete
>Index: mail/cclient/Makefile
>===================================================================
>--- mail/cclient/Makefile (revision 482478)
>+++ mail/cclient/Makefile (working copy)
>@@ -3,7 +3,7 @@
>
> PORTNAME= cclient
> PORTVERSION= 2007f
>-PORTREVISION= 3
>+PORTREVISION= 4
> PORTEPOCH= 1
> CATEGORIES= mail devel ipv6
> MASTER_SITES= ftp://ftp.cac.washington.edu/imap/%SUBDIR%/ \
>Index: mail/cclient/files/patch-src_osdep_unix_ssl__unix.c
>===================================================================
>--- mail/cclient/files/patch-src_osdep_unix_ssl__unix.c (revision 482478)
>+++ mail/cclient/files/patch-src_osdep_unix_ssl__unix.c (working copy)
>@@ -1,26 +1,59 @@
>---- src/osdep/unix/ssl_unix.c.orig 2011-07-23 00:20:10 UTC
>+Description: Support OpenSSL 1.1
>+ When building with OpenSSL 1.1 and newer, use the new built-in
>+ hostname verification instead of code that doesn't compile due to
>+ structs having been made opaque.
>+Bug-Debian: https://bugs.debian.org/828589
>+
>+Obtained from: https://sources.debian.org/data/main/u/uw-imap/8:2007f~dfsg-5/debian/patches/1006_openssl1.1_autoverify.patch
>+--- src/osdep/unix/ssl_unix.c.orig
> +++ src/osdep/unix/ssl_unix.c
>-@@ -270,9 +270,9 @@ static char *ssl_start_work (SSLSTREAM *
>+@@ -227,8 +227,16 @@ static char *ssl_start_work (SSLSTREAM *
>+ /* disable certificate validation? */
>+ if (flags & NET_NOVALIDATECERT)
>+ SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
>+- else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
>++ else {
>++#if OPENSSL_VERSION_NUMBER >= 0x10100000
>++ X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context);
>++ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
>++ X509_VERIFY_PARAM_set1_host(param, host, 0);
>++#endif
>++
>++ SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
>+ /* set default paths to CAs... */
>++ }
>+ SSL_CTX_set_default_verify_paths (stream->context);
>+ /* ...unless a non-standard path desired */
>+ if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL))
>+@@ -266,6 +274,7 @@ static char *ssl_start_work (SSLSTREAM *
>+ if (SSL_write (stream->con,"",0) < 0)
>+ return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
>+ /* need to validate host names? */
>++#if OPENSSL_VERSION_NUMBER < 0x10100000
>+ if (!(flags & NET_NOVALIDATECERT) &&
> (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con),
> host))) {
>- /* application callback */
>-- if (scq) return (*scq) (err,host,cert ? cert->name : "???") ? NIL : "";
>-+ if (scq) return (*scq) (err,host,cert ? X509_get_subject_name(cert) : "???") ? NIL : "";
>- /* error message to return via mm_log() */
>-- sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
>-+ sprintf (tmp,"*%.128s: %.255s",err,cert ? X509_get_subject_name(cert) : "???");
>+@@ -275,6 +284,7 @@ static char *ssl_start_work (SSLSTREAM *
>+ sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
> return ssl_last_error = cpystr (tmp);
> }
>++#endif
> return NIL;
>-@@ -322,9 +322,9 @@ static char *ssl_validate_cert (X509 *ce
>- /* make sure have a certificate */
>- if (!cert) ret = "No certificate from server";
>- /* and that it has a name */
>-- else if (!cert->name) ret = "No name in certificate";
>-+ else if (!X509_get_subject_name(cert)) ret = "No name in certificate";
>- /* locate CN */
>-- else if (s = strstr (cert->name,"/CN=")) {
>-+ else if (s = strstr (X509_get_subject_name(cert),"/CN=")) {
>- if (t = strchr (s += 4,'/')) *t = '\0';
>- /* host name matches pattern? */
>- ret = ssl_compare_hostnames (host,s) ? NIL :
>+ }
>+
>+@@ -313,6 +323,7 @@ static int ssl_open_verify (int ok,X509_
>+ * Returns: NIL if validated, else string of error message
>+ */
>+
>++#if OPENSSL_VERSION_NUMBER < 0x10100000
>+ static char *ssl_validate_cert (X509 *cert,char *host)
>+ {
>+ int i,n;
>+@@ -342,6 +353,7 @@ static char *ssl_validate_cert (X509 *ce
>+ else ret = "Unable to locate common name in certificate";
>+ return ret;
>+ }
>++#endif
>+
>+ /* Case-independent wildcard pattern match
>+ * Accepts: base string
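Review bot: The return value of `X509_VERIFY_PARAM_set1_host(param, host, 0)` in the new OpenSSL 1.1 branch is ignored, so if it fails no name is bound to the verify parameters and, because the old `ssl_validate_cert` path is now compiled out under `#if OPENSSL_VERSION_NUMBER < 0x10100000`, the handshake completes with only chain validation and no hostname check — the exact failure this bug is about, but now silent. The call should fail closed in the function's existing error-string style, e.g. `if (!X509_VERIFY_PARAM_set1_host(param, host, 0)) return "Unable to set host name for certificate verification";` (as I read OpenSSL, an empty `host` also binds no name and still reports success, so the caller's guarantee that `host` is non-empty is part of the contract here). Note also that on this path a hostname mismatch is now reported through the `ssl_open_verify` callback rather than through the `scq` application callback that the removed code consulted, which presumably changes behaviour for clients that relied on that prompt; and LibreSSL reports a 0x2… version number, so it selects the new branch and needs these two X509_VERIFY_PARAM calls to exist there — both points worth a comment next to the `#if`. The enclosing functions `ssl_start_work` and `ssl_validate_cert` start and end outside this hunk.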
Flags:
brnrd
:
maintainer-approval?