diff -Nru a/src/osdep/unix/ssl_unix.c b/src/osdep/unix/ssl_unix.c
--- a/src/osdep/unix/ssl_unix.c	2011-07-23 02:20:10.000000000 +0200
+++ b/src/osdep/unix/ssl_unix.c	2018-09-22 09:34:26.492765776 +0200
@@ -59,7 +59,7 @@
 static SSLSTREAM *ssl_start(TCPSTREAM *tstream,char *host,unsigned long flags);
 static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags);
 static int ssl_open_verify (int ok,X509_STORE_CTX *ctx);
-static char *ssl_validate_cert (X509 *cert,char *host);
+static char *ssl_validate_cert (X509 *cert,char *host, char *cert_subj);
 static long ssl_compare_hostnames (unsigned char *s,unsigned char *pat);
 static char *ssl_getline_work (SSLSTREAM *stream,unsigned long *size,
 			       long *contd);
@@ -210,6 +210,7 @@
   BIO *bio;
   X509 *cert;
   unsigned long sl,tl;
+  char cert_subj[250];
   char *s,*t,*err,tmp[MAILTMPLEN];
   sslcertificatequery_t scq =
     (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL);
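Review bot: `char cert_subj[250]` is a fixed-size buffer that X509_NAME_oneline later fills with a silently truncated copy whenever the subject DN is longer than 249 bytes, and nothing in the change detects that case, so an overlong subject reaches ssl_validate_cert with its CN possibly cut short. Whether a truncated CN can still match a host depends on ssl_compare_hostnames, which is not visible here, but it is safer to fail closed: treat a result that exactly fills the buffer as "no name", or call `X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0)` and let OpenSSL allocate the full string (freeing it with OPENSSL_free after use). The declaration block this hunk sits in belongs to a function whose start and end are outside the hunk.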
@@ -266,13 +267,17 @@
   if (SSL_write (stream->con,"",0) < 0)
     return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
 				/* need to validate host names? */
-  if (!(flags & NET_NOVALIDATECERT) &&
-      (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con),
-				host))) {
-				/* application callback */
-    if (scq) return (*scq) (err,host,cert ? cert->name : "???") ? NIL : "";
-				/* error message to return via mm_log() */
-    sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
+  if (!(flags & NET_NOVALIDATECERT)) {
+    cert_subj[0] = '\0';
+    cert = SSL_get_peer_certificate(stream->con);
+    if (cert)
+      X509_NAME_oneline(X509_get_subject_name(cert), cert_subj, sizeof(cert_subj));
+    err = ssl_validate_cert (cert, host, cert_subj);
+    if (err)
+      /* application callback */
+      if (scq) return (*scq) (err,host,cert ? cert_subj : "???") ? NIL : "";
+    /* error message to return via mm_log() */
+    sprintf (tmp,"*%.128s: %.255s",err,cert ? cert_subj : "???");
     return ssl_last_error = cpystr (tmp);
   }
   return NIL;
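Review bot: In the rewritten branch `if (err)` guards only the single `if (scq) return …` statement, so when ssl_validate_cert returns NIL the code still runs `sprintf (tmp,"*%.128s: %.255s",err,cert ? cert_subj : "???");` with a null `err` and then `return ssl_last_error = cpystr (tmp);` — every successfully validated certificate is reported as a failure, and passing NULL to `%s` is undefined behaviour. The original code folded the validation result into the outer condition, which this restructuring lost. Brace the error path: change `if (err)` to `if (err) {` and add a closing `}` after `return ssl_last_error = cpystr (tmp);`, so that the success case falls through to `return NIL;`. The enclosing function starts and ends outside the hunk.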
@@ -313,7 +318,7 @@
  * Returns: NIL if validated, else string of error message
  */
 
-static char *ssl_validate_cert (X509 *cert,char *host)
+static char *ssl_validate_cert (X509 *cert,char *host, char *cert_subj)
 {
   int i,n;
   char *s,*t,*ret;
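Review bot: The new `cert_subj` parameter is undocumented in the header comment above the definition, of which only the `Returns:` line is inside the hunk; it should say that `cert_subj` is the NUL-terminated one-line subject DN of `cert` (empty when absent) and that the function modifies it in place, since the CN lookup further down overwrites the '/' following the CN with '\0'. A suggested line for the comment is `cert_subj: subject name of cert (X509_NAME_oneline form, modified in place)`. The function body continues past the end of this hunk.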
@@ -322,9 +327,9 @@
 				/* make sure have a certificate */
   if (!cert) ret = "No certificate from server";
 				/* and that it has a name */
-  else if (!cert->name) ret = "No name in certificate";
+  else if (cert_subj[0] == '\0') ret = "No name in certificate";
 				/* locate CN */
-  else if (s = strstr (cert->name,"/CN=")) {
+  else if (s = strstr (cert_subj,"/CN=")) {
     if (t = strchr (s += 4,'/')) *t = '\0';
 				/* host name matches pattern? */
     ret = ssl_compare_hostnames (host,s) ? NIL :