verify server certificate hostname with nss_compat_ossl (#881411)

2013-09-18 14:27:30 +02:00 · 2013-09-18 14:27:30 +02:00 · 8ceec5fa3b
commit 8ceec5fa3b
parent 8622b2db76
2 changed files with 78 additions and 1 deletions
--- a/elinks-0.12pre5-ssl-hostname.patch
+++ b/elinks-0.12pre5-ssl-hostname.patch
@ -0,0 +1,70 @@
+From cc428d37023b3f73458cf2054f19395035307045 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 18 Sep 2013 13:42:40 +0200
+Subject: [PATCH] verify server certificate hostname with nss_compat_ossl
+
+Bug: https://bugzilla.redhat.com/881411
+---
+ src/network/ssl/socket.c |   32 ++++++++++++++++++++++++++++++++
+ 1 files changed, 32 insertions(+), 0 deletions(-)
+
+diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
+index 3265107..0aeb037 100644
+--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
+@@ -9,6 +9,9 @@
+ #define USE_OPENSSL
+ #elif defined(CONFIG_NSS_COMPAT_OSSL)
+ #include <nss_compat_ossl/nss_compat_ossl.h>
+#include <nspr.h>		/* for PR_GetError()    */
+#include <ssl.h>		/* for SSL_SetURL()     */
+#include "protocol/uri.h"	/* for get_uri_string() */
+ #define USE_OPENSSL
+ #elif defined(CONFIG_GNUTLS)
+ #include <gnutls/gnutls.h>
+@@ -116,6 +119,19 @@ ssl_want_read(struct socket *socket)
+ 	}
+ }
+ 
+#ifdef CONFIG_NSS_COMPAT_OSSL
+/* wrap nss_compat_ossl to honour SSL_ERROR_BAD_CERT_DOMAIN */
+SECStatus BadCertHandler(void *arg, PRFileDesc *ssl);
+static SECStatus nss_bad_cert_hook(void *arg, PRFileDesc *ssl)
+{
+	if (SSL_ERROR_BAD_CERT_DOMAIN == PR_GetError())
+		return SECFailure;
+
+	/* fallback to the default hook of nss_compat_ossl */
+	return BadCertHandler(arg, ssl);
+}
+#endif
+
+ /* Return -1 on error, 0 or success. */
+ int
+ ssl_connect(struct socket *socket)
+@@ -127,6 +143,22 @@ ssl_connect(struct socket *socket)
+ 		return -1;
+ 	}
+ 
+#ifdef CONFIG_NSS_COMPAT_OSSL
+	/* fix for https://bugzilla.redhat.com/881411 */
+	{
+		struct connection *conn = socket->conn;
+		unsigned char *host = get_uri_string(conn->uri, URI_HOST);
+		if (!host
+				|| SECSuccess != SSL_SetURL(socket->ssl, host)
+				|| SECSuccess != SSL_BadCertHook(socket->ssl,
+					nss_bad_cert_hook, /* XXX */ NULL))
+		{
+			socket->ops->done(socket, connection_state(S_SSL_ERROR));
+			return -1;
+		}
+	}
+#endif
+
+ 	if (socket->no_tls)
+ 		ssl_set_no_tls(socket);
+ 
+-- 
+1.7.1
+
--- a/elinks.spec
+++ b/elinks.spec
@ -3,7 +3,7 @@
 Name:      elinks
 Summary:   A text-mode Web browser
 Version:   0.12
-Release:   0.36.%{prerel}%{?dist}
+Release:   0.37.%{prerel}%{?dist}
 License:   GPLv2
 URL:       http://elinks.or.cz
 Group:     Applications/Internet
@ -41,6 +41,7 @@ Patch10: elinks-nss-inc.patch
 Patch11: elinks-0.12pre5-js185.patch
 Patch12: elinks-0.12pre5-ddg-search.patch
 Patch13: elinks-0.12pre6-autoconf.patch
+Patch14: elinks-0.12pre5-ssl-hostname.patch

 %description
 Elinks is a text-based Web browser. Elinks does not display any images,
@ -87,6 +88,9 @@ quickly and swiftly displays Web pages.
 # add missing AC_LANG_PROGRAM around the first argument of AC_COMPILE_IFELSE
 %patch13 -p1

+# verify server certificate hostname with nss_compat_ossl (#881411)
+%patch14 -p1
+
 # remove bogus serial numbers
 sed -i 's/^# *serial [AM0-9]*$//' acinclude.m4 config/m4/*.m4

@ -155,6 +159,9 @@ exit 0
 %{_mandir}/man5/*

 %changelog
+* Wed Sep 18 2013 Kamil Dudka <kdudka@redhat.com> - 0.12-0.37.pre6
+- verify server certificate hostname with nss_compat_ossl (#881411)
+
 * Tue Sep 03 2013 Kamil Dudka <kdudka@redhat.com> - 0.12-0.36.pre6
 - remove ancient Obsoletes tag against links (#1002132)