Mirror/aports
1
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2025-07-23 19:25:25 +03:00
Code Issues Wiki Activity

community/alpine: fix download, cert validation

Browse source 
also create debug subpackage
This commit is contained in:
Kaarle Ritvanen 2020-03-06 20:12:25 +02:00
parent e16abe5408
commit 46394f56c5
2 changed files with 72 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

63
community/alpine/0001-ssl_unix-fix-server-name-validation.patch Normal file
View file

@ -0,0 +1,63 @@
From 381647e651dd17f2a48b66a1cc358db3f3be6f98 Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
Date: Fri, 6 Mar 2020 20:05:14 +0200
Subject: [PATCH] ssl_unix: fix server name validation
look for CN instead of checking only the first RDN
---
imap/src/osdep/unix/ssl_unix.c | 29 ++++++++++++-----------------
1 file changed, 12 insertions(+), 17 deletions(-)
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 4ebe1ae..24a503f 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -507,7 +507,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
static char *ssl_validate_cert (X509 *cert,char *host)
{
- int i,j,n, m = 0;
+ int i,n, m = 0;
char *s=NULL,*t,*ret = NIL;
void *ext;
GENERAL_NAME *name;
@@ -540,25 +540,20 @@ static char *ssl_validate_cert (X509 *cert,char *host)
/* Method 2, use cname */
if(m == 0 || ret != NIL){
cname = X509_get_subject_name(cert);
- for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
- if((e = X509_NAME_get_entry(cname, j)) != NULL){
- X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
- s = (char *) buf;
- }
- else s = NIL;
- if (s != NIL) {
+ s = X509_NAME_get_text_by_NID(cname, NID_commonName, buf, sizeof(buf)) > 0 ?
+ (char *) buf : NIL;
+ if (s != NIL) {
/* host name matches pattern? */
- ret = ssl_compare_hostnames (host,s) ? NIL :
- "Server name does not match certificate";
+ ret = ssl_compare_hostnames (host,s) ? NIL :
+ "Server name does not match certificate";
/* if mismatch, see if in extensions */
- if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
- (n = sk_GENERAL_NAME_num (ext)))
+ if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
+ (n = sk_GENERAL_NAME_num (ext)))
/* older versions of OpenSSL use "ia5" instead of dNSName */
- for (i = 0; ret && (i < n); i++)
- if ((name = sk_GENERAL_NAME_value (ext,i)) &&
- (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
- ssl_compare_hostnames (host,s)) ret = NIL;
- }
+ for (i = 0; ret && (i < n); i++)
+ if ((name = sk_GENERAL_NAME_value (ext,i)) &&
+ (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
+ ssl_compare_hostnames (host,s)) ret = NIL;
}
}
--
2.25.1