svn commit: r527991 - in head/mail/cclient: . files
Thomas Zander
riggs at FreeBSD.org
Sun Mar 8 00:48:47 UTC 2020
Author: riggs
Date: Sun Mar 8 00:48:45 2020
New Revision: 527991
URL: https://svnweb.freebsd.org/changeset/ports/527991
Log:
Fix hostname verification
PR: 226621
Submitted by: satanist+freebsd at bureaucracy.de
Reviewed by: brnrd
Modified:
head/mail/cclient/Makefile
head/mail/cclient/files/patch-src_osdep_unix_ssl__unix.c
Modified: head/mail/cclient/Makefile
==============================================================================
--- head/mail/cclient/Makefile Sat Mar 7 22:55:10 2020 (r527990)
+++ head/mail/cclient/Makefile Sun Mar 8 00:48:45 2020 (r527991)
@@ -3,7 +3,7 @@
PORTNAME= cclient
PORTVERSION= 2007f
-PORTREVISION= 3
+PORTREVISION= 4
PORTEPOCH= 1
CATEGORIES= mail devel
MASTER_SITES= ftp://ftp.cac.washington.edu/imap/%SUBDIR%/ \
Modified: head/mail/cclient/files/patch-src_osdep_unix_ssl__unix.c
==============================================================================
--- head/mail/cclient/files/patch-src_osdep_unix_ssl__unix.c Sat Mar 7 22:55:10 2020 (r527990)
+++ head/mail/cclient/files/patch-src_osdep_unix_ssl__unix.c Sun Mar 8 00:48:45 2020 (r527991)
@@ -1,26 +1,59 @@
---- src/osdep/unix/ssl_unix.c.orig 2011-07-23 00:20:10 UTC
+Description: Support OpenSSL 1.1
+ When building with OpenSSL 1.1 and newer, use the new built-in
+ hostname verification instead of code that doesn't compile due to
+ structs having been made opaque.
+Bug-Debian: https://bugs.debian.org/828589
+
+Obtained from: https://sources.debian.org/data/main/u/uw-imap/8:2007f~dfsg-5/debian/patches/1006_openssl1.1_autoverify.patch
+--- src/osdep/unix/ssl_unix.c.orig
+++ src/osdep/unix/ssl_unix.c
-@@ -270,9 +270,9 @@ static char *ssl_start_work (SSLSTREAM *
+@@ -227,8 +227,16 @@ static char *ssl_start_work (SSLSTREAM *
+ /* disable certificate validation? */
+ if (flags & NET_NOVALIDATECERT)
+ SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
+- else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
++ else {
++#if OPENSSL_VERSION_NUMBER >= 0x10100000
++ X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context);
++ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
++ X509_VERIFY_PARAM_set1_host(param, host, 0);
++#endif
++
++ SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
+ /* set default paths to CAs... */
++ }
+ SSL_CTX_set_default_verify_paths (stream->context);
+ /* ...unless a non-standard path desired */
+ if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL))
+@@ -266,6 +274,7 @@ static char *ssl_start_work (SSLSTREAM *
+ if (SSL_write (stream->con,"",0) < 0)
+ return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
+ /* need to validate host names? */
++#if OPENSSL_VERSION_NUMBER < 0x10100000
+ if (!(flags & NET_NOVALIDATECERT) &&
(err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con),
host))) {
- /* application callback */
-- if (scq) return (*scq) (err,host,cert ? cert->name : "???") ? NIL : "";
-+ if (scq) return (*scq) (err,host,cert ? X509_get_subject_name(cert) : "???") ? NIL : "";
- /* error message to return via mm_log() */
-- sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
-+ sprintf (tmp,"*%.128s: %.255s",err,cert ? X509_get_subject_name(cert) : "???");
+@@ -275,6 +284,7 @@ static char *ssl_start_work (SSLSTREAM *
+ sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
return ssl_last_error = cpystr (tmp);
}
++#endif
return NIL;
-@@ -322,9 +322,9 @@ static char *ssl_validate_cert (X509 *ce
- /* make sure have a certificate */
- if (!cert) ret = "No certificate from server";
- /* and that it has a name */
-- else if (!cert->name) ret = "No name in certificate";
-+ else if (!X509_get_subject_name(cert)) ret = "No name in certificate";
- /* locate CN */
-- else if (s = strstr (cert->name,"/CN=")) {
-+ else if (s = strstr (X509_get_subject_name(cert),"/CN=")) {
- if (t = strchr (s += 4,'/')) *t = '\0';
- /* host name matches pattern? */
- ret = ssl_compare_hostnames (host,s) ? NIL :
+ }
+
+@@ -313,6 +323,7 @@ static int ssl_open_verify (int ok,X509_
+ * Returns: NIL if validated, else string of error message
+ */
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000
+ static char *ssl_validate_cert (X509 *cert,char *host)
+ {
+ int i,n;
+@@ -342,6 +353,7 @@ static char *ssl_validate_cert (X509 *ce
+ else ret = "Unable to locate common name in certificate";
+ return ret;
+ }
++#endif
+
+ /* Case-independent wildcard pattern match
+ * Accepts: base string
More information about the svn-ports-all
mailing list