diff options
Diffstat (limited to 'community/alpine/0001-ssl_unix-fix-server-name-validation.patch')
-rw-r--r-- | community/alpine/0001-ssl_unix-fix-server-name-validation.patch | 63 |
1 files changed, 0 insertions, 63 deletions
diff --git a/community/alpine/0001-ssl_unix-fix-server-name-validation.patch b/community/alpine/0001-ssl_unix-fix-server-name-validation.patch deleted file mode 100644 index fd85bad5aa2..00000000000 --- a/community/alpine/0001-ssl_unix-fix-server-name-validation.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 381647e651dd17f2a48b66a1cc358db3f3be6f98 Mon Sep 17 00:00:00 2001 -From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> -Date: Fri, 6 Mar 2020 20:05:14 +0200 -Subject: [PATCH] ssl_unix: fix server name validation - -look for CN instead of checking only the first RDN ---- - imap/src/osdep/unix/ssl_unix.c | 29 ++++++++++++----------------- - 1 file changed, 12 insertions(+), 17 deletions(-) - -diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c -index 4ebe1ae..24a503f 100644 ---- a/imap/src/osdep/unix/ssl_unix.c -+++ b/imap/src/osdep/unix/ssl_unix.c -@@ -507,7 +507,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx) - - static char *ssl_validate_cert (X509 *cert,char *host) - { -- int i,j,n, m = 0; -+ int i,n, m = 0; - char *s=NULL,*t,*ret = NIL; - void *ext; - GENERAL_NAME *name; -@@ -540,25 +540,20 @@ static char *ssl_validate_cert (X509 *cert,char *host) - /* Method 2, use cname */ - if(m == 0 || ret != NIL){ - cname = X509_get_subject_name(cert); -- for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){ -- if((e = X509_NAME_get_entry(cname, j)) != NULL){ -- X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf)); -- s = (char *) buf; -- } -- else s = NIL; -- if (s != NIL) { -+ s = X509_NAME_get_text_by_NID(cname, NID_commonName, buf, sizeof(buf)) > 0 ? -+ (char *) buf : NIL; -+ if (s != NIL) { - /* host name matches pattern? */ -- ret = ssl_compare_hostnames (host,s) ? NIL : -- "Server name does not match certificate"; -+ ret = ssl_compare_hostnames (host,s) ? NIL : -+ "Server name does not match certificate"; - /* if mismatch, see if in extensions */ -- if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) && -- (n = sk_GENERAL_NAME_num (ext))) -+ if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) && -+ (n = sk_GENERAL_NAME_num (ext))) - /* older versions of OpenSSL use "ia5" instead of dNSName */ -- for (i = 0; ret && (i < n); i++) -- if ((name = sk_GENERAL_NAME_value (ext,i)) && -- (name->type = GEN_DNS) && (s = name->d.ia5->data) && -- ssl_compare_hostnames (host,s)) ret = NIL; -- } -+ for (i = 0; ret && (i < n); i++) -+ if ((name = sk_GENERAL_NAME_value (ext,i)) && -+ (name->type = GEN_DNS) && (s = name->d.ia5->data) && -+ ssl_compare_hostnames (host,s)) ret = NIL; - } - } - --- -2.25.1 - |