Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame] | 1 | From 4c684542816a08b95444b8e2515f24d084e6e3c3 Mon Sep 17 00:00:00 2001 |
| 2 | From: Khem Raj <raj.khem@gmail.com> |
| 3 | Date: Tue, 4 Sep 2018 22:05:17 -0700 |
| 4 | Subject: [PATCH] Support OpenSSL 1.1 |
| 5 | |
| 6 | When building with OpenSSL 1.1 and newer, use the new built-in |
| 7 | hostname verification instead of code that doesn't compile due to |
| 8 | structs having been made opaque. |
| 9 | Bug-Debian: https://bugs.debian.org/828589 |
| 10 | |
Andrew Geissler | 6aa7eec | 2023-03-03 12:41:14 -0600 | [diff] [blame^] | 11 | Upstream-Status: Pending [Unknown] |
Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame] | 12 | |
| 13 | Signed-off-by: Khem Raj <raj.khem@gmail.com> |
| 14 | --- |
| 15 | src/osdep/unix/ssl_unix.c | 14 +++++++++++++- |
| 16 | 1 file changed, 13 insertions(+), 1 deletion(-) |
| 17 | |
| 18 | diff --git a/src/osdep/unix/ssl_unix.c b/src/osdep/unix/ssl_unix.c |
| 19 | index 3bfdff3..dec9467 100644 |
| 20 | --- a/src/osdep/unix/ssl_unix.c |
| 21 | +++ b/src/osdep/unix/ssl_unix.c |
| 22 | @@ -227,8 +227,16 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags) |
| 23 | /* disable certificate validation? */ |
| 24 | if (flags & NET_NOVALIDATECERT) |
| 25 | SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL); |
| 26 | - else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify); |
| 27 | + else { |
| 28 | +#if OPENSSL_VERSION_NUMBER >= 0x10100000 |
| 29 | + X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context); |
| 30 | + X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); |
| 31 | + X509_VERIFY_PARAM_set1_host(param, host, 0); |
| 32 | +#endif |
| 33 | + |
| 34 | + SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify); |
| 35 | /* set default paths to CAs... */ |
| 36 | + } |
| 37 | SSL_CTX_set_default_verify_paths (stream->context); |
| 38 | /* ...unless a non-standard path desired */ |
| 39 | if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL)) |
| 40 | @@ -266,6 +274,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags) |
| 41 | if (SSL_write (stream->con,"",0) < 0) |
| 42 | return ssl_last_error ? ssl_last_error : "SSL negotiation failed"; |
| 43 | /* need to validate host names? */ |
| 44 | +#if OPENSSL_VERSION_NUMBER < 0x10100000 |
| 45 | if (!(flags & NET_NOVALIDATECERT) && |
| 46 | (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con), |
| 47 | host))) { |
| 48 | @@ -275,6 +284,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags) |
| 49 | sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???"); |
| 50 | return ssl_last_error = cpystr (tmp); |
| 51 | } |
| 52 | +#endif |
| 53 | return NIL; |
| 54 | } |
| 55 | |
| 56 | @@ -313,6 +323,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx) |
| 57 | * Returns: NIL if validated, else string of error message |
| 58 | */ |
| 59 | |
| 60 | +#if OPENSSL_VERSION_NUMBER < 0x10100000 |
| 61 | static char *ssl_validate_cert (X509 *cert,char *host) |
| 62 | { |
| 63 | int i,n; |
| 64 | @@ -342,6 +353,7 @@ static char *ssl_validate_cert (X509 *cert,char *host) |
| 65 | else ret = "Unable to locate common name in certificate"; |
| 66 | return ret; |
| 67 | } |
| 68 | +#endif |
| 69 | |
| 70 | /* Case-independent wildcard pattern match |
| 71 | * Accepts: base string |