
(-)a/src/osdep/unix/ssl_unix.c (-11 / +16 lines)
Lines 59-65 Link Here
59
static SSLSTREAM *ssl_start(TCPSTREAM *tstream,char *host,unsigned long flags);
59
static SSLSTREAM *ssl_start(TCPSTREAM *tstream,char *host,unsigned long flags);
60
static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags);
60
static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags);
61
static int ssl_open_verify (int ok,X509_STORE_CTX *ctx);
61
static int ssl_open_verify (int ok,X509_STORE_CTX *ctx);
62
static char *ssl_validate_cert (X509 *cert,char *host);
62
static char *ssl_validate_cert (X509 *cert,char *host, char *cert_subj);
63
static long ssl_compare_hostnames (unsigned char *s,unsigned char *pat);
63
static long ssl_compare_hostnames (unsigned char *s,unsigned char *pat);
64
static char *ssl_getline_work (SSLSTREAM *stream,unsigned long *size,
64
static char *ssl_getline_work (SSLSTREAM *stream,unsigned long *size,
65
			       long *contd);
65
			       long *contd);
Lines 210-215 Link Here
210
  BIO *bio;
210
  BIO *bio;
211
  X509 *cert;
211
  X509 *cert;
212
  unsigned long sl,tl;
212
  unsigned long sl,tl;
213
  char cert_subj[250];
213
  char *s,*t,*err,tmp[MAILTMPLEN];
214
  char *s,*t,*err,tmp[MAILTMPLEN];
214
  sslcertificatequery_t scq =
215
  sslcertificatequery_t scq =
215
    (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL);
216
    (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL);
Lines 266-278 Link Here
266
  if (SSL_write (stream->con,"",0) < 0)
267
  if (SSL_write (stream->con,"",0) < 0)
267
    return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
268
    return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
268
				/* need to validate host names? */
269
				/* need to validate host names? */
269
  if (!(flags & NET_NOVALIDATECERT) &&
270
  if (!(flags & NET_NOVALIDATECERT)) {
270
      (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con),
271
    cert_subj[0] = '\0';
271
				host))) {
272
    cert = SSL_get_peer_certificate(stream->con);
272
				/* application callback */
273
    if (cert)
273
    if (scq) return (*scq) (err,host,cert ? cert->name : "???") ? NIL : "";
274
      X509_NAME_oneline(X509_get_subject_name(cert), cert_subj, sizeof(cert_subj));
274
				/* error message to return via mm_log() */
275
    err = ssl_validate_cert (cert, host, cert_subj);
275
    sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
276
    if (err)
277
      /* application callback */
278
      if (scq) return (*scq) (err,host,cert ? cert_subj : "???") ? NIL : "";
279
    /* error message to return via mm_log() */
280
    sprintf (tmp,"*%.128s: %.255s",err,cert ? cert_subj : "???");
276
    return ssl_last_error = cpystr (tmp);
281
    return ssl_last_error = cpystr (tmp);
277
  }
282
  }
278
  return NIL;
283
  return NIL;
Lines 313-319 Link Here
313
 * Returns: NIL if validated, else string of error message
318
 * Returns: NIL if validated, else string of error message
314
 */
319
 */
315
320
316
static char *ssl_validate_cert (X509 *cert,char *host)
321
static char *ssl_validate_cert (X509 *cert,char *host, char *cert_subj)
317
{
322
{
318
  int i,n;
323
  int i,n;
319
  char *s,*t,*ret;
324
  char *s,*t,*ret;
Lines 322-330 Link Here
322
				/* make sure have a certificate */
327
				/* make sure have a certificate */
323
  if (!cert) ret = "No certificate from server";
328
  if (!cert) ret = "No certificate from server";
324
				/* and that it has a name */
329
				/* and that it has a name */
325
  else if (!cert->name) ret = "No name in certificate";
330
  else if (cert_subj[0] == '\0') ret = "No name in certificate";
326
				/* locate CN */
331
				/* locate CN */
327
  else if (s = strstr (cert->name,"/CN=")) {
332
  else if (s = strstr (cert_subj,"/CN=")) {
328
    if (t = strchr (s += 4,'/')) *t = '\0';
333
    if (t = strchr (s += 4,'/')) *t = '\0';
329
				/* host name matches pattern? */
334
				/* host name matches pattern? */
330
    ret = ssl_compare_hostnames (host,s) ? NIL :
335
    ret = ssl_compare_hostnames (host,s) ? NIL :
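Review bot: In the rewritten validation block of ssl_start_work (new lines 270–281), `if (err)` has no braces, so only the `if (scq) return (*scq) (...)` callback line is conditional on a validation failure; the following `sprintf (tmp,"*%.128s: %.255s",err,cert ? cert_subj : "???");` and `return ssl_last_error = cpystr (tmp);` run unconditionally, passing a NULL `err` to `%s` and returning a non-NIL error string even when the certificate validated, so every successfully verified connection is reported as a failure. The original only reached the sprintf/return path inside `if (!(flags & NET_NOVALIDATECERT) && (err = ssl_validate_cert (...)))`, and the new code must fall through to `return NIL;` on success. Change `if (err)` to `if (err) {` and add a closing `}` immediately after `return ssl_last_error = cpystr (tmp);`. Separately, `X509_NAME_oneline` silently truncates a subject longer than the 250-byte `cert_subj`, and ssl_validate_cert then searches that truncated string for `/CN=`; this looks like it fails closed (a mismatch, not a bypass), but the behaviour depends on ssl_compare_hostnames, whose body is outside this diff, so a comment such as `/* subject longer than cert_subj is truncated; CN lookup then fails closed */` next to the X509_NAME_oneline call would make the intent explicit. ssl_start_work begins before the hunk.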
