[exim-cvs] Restrict certificate name checkin for wildcards.

Góra strony
Delete this message
Reply to this message
Autor: Exim Git Commits Mailing List
Data:  
Dla: exim-cvs
Temat: [exim-cvs] Restrict certificate name checkin for wildcards.
Gitweb: http://git.exim.org/exim.git/commitdiff/d8e7834aeddc637bd49730444f4d257eb8267135
Commit:     d8e7834aeddc637bd49730444f4d257eb8267135
Parent:     533aaf9166d3e1cca6dac7e309914a88b25e4260
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Mon May 26 10:35:50 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon May 26 10:35:50 2014 +0100


    Restrict certificate name checkin for wildcards.


    On more recent OpenSSL library versions the builtin wildcard checking
    can take a restriction option that we want, to disallow the more
    complex possibilities of wildcarding.
---
 src/src/tls-openssl.c |   16 ++++++++++++++--
 1 files changed, 14 insertions(+), 2 deletions(-)


diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index bcca506..9609d62 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -327,13 +327,25 @@ else
          /* client, wanting hostname check */


 # if OPENSSL_VERSION_NUMBER >= 0x010100000L || OPENSSL_VERSION_NUMBER >= 0x010002000L
+#  ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+#   define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
+#  endif
     {
     int sep = 0;
     uschar * list = verify_cert_hostnames;
     uschar * name;
-    while (name = string_nextinlist(&list, &sep, NULL, 0))
-      if (X509_check_host(cert, name, 0, 0))
+    int rc;
+    while ((name = string_nextinlist(&list, &sep, NULL, 0)))
+      if ((rc = X509_check_host(cert, name, 0,
+          X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)))
+    {
+    if (rc < 0)
+      {
+      log_write(0, LOG_MAIN, "SSL verify error: internal error\n");
+      name = NULL;
+      }
     break;
+    }
     if (!name)
       {
       log_write(0, LOG_MAIN,