diff --git a/elinks-0.12pre5-ssl-hostname.patch b/elinks-0.12pre5-ssl-hostname.patch
new file mode 100644
index 0000000..5a3820f
--- /dev/null
+++ b/elinks-0.12pre5-ssl-hostname.patch
@@ -0,0 +1,70 @@
+From cc428d37023b3f73458cf2054f19395035307045 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Wed, 18 Sep 2013 13:42:40 +0200
+Subject: [PATCH] verify server certificate hostname with nss_compat_ossl
+
+Bug: https://bugzilla.redhat.com/881411
+---
+ src/network/ssl/socket.c | 32 ++++++++++++++++++++++++++++++++
+ 1 files changed, 32 insertions(+), 0 deletions(-)
+
+diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
+index 3265107..0aeb037 100644
+--- a/src/network/ssl/socket.c
++++ b/src/network/ssl/socket.c
+@@ -9,6 +9,9 @@
+ #define USE_OPENSSL
+ #elif defined(CONFIG_NSS_COMPAT_OSSL)
+ #include
++#include /* for PR_GetError() */
++#include /* for SSL_SetURL() */
++#include "protocol/uri.h" /* for get_uri_string() */
+ #define USE_OPENSSL
+ #elif defined(CONFIG_GNUTLS)
+ #include
+@@ -116,6 +119,19 @@ ssl_want_read(struct socket *socket)
+ }
+ }
+
++#ifdef CONFIG_NSS_COMPAT_OSSL
++/* wrap nss_compat_ossl to honour SSL_ERROR_BAD_CERT_DOMAIN */
++SECStatus BadCertHandler(void *arg, PRFileDesc *ssl);
++static SECStatus nss_bad_cert_hook(void *arg, PRFileDesc *ssl)
++{
++ if (SSL_ERROR_BAD_CERT_DOMAIN == PR_GetError())
++ return SECFailure;
++
++ /* fallback to the default hook of nss_compat_ossl */
++ return BadCertHandler(arg, ssl);
++}
++#endif
++
+ /* Return -1 on error, 0 or success. */
+ int
+ ssl_connect(struct socket *socket)
+@@ -127,6 +143,22 @@ ssl_connect(struct socket *socket)
+ return -1;
+ }
+
++#ifdef CONFIG_NSS_COMPAT_OSSL
++ /* fix for https://bugzilla.redhat.com/881411 */
++ {
++ struct connection *conn = socket->conn;
++ unsigned char *host = get_uri_string(conn->uri, URI_HOST);
++ if (!host
++ || SECSuccess != SSL_SetURL(socket->ssl, host)
++ || SECSuccess != SSL_BadCertHook(socket->ssl,
++ nss_bad_cert_hook, /* XXX */ NULL))
++ {
++ socket->ops->done(socket, connection_state(S_SSL_ERROR));
++ return -1;
++ }
++ }
++#endif
++
+ if (socket->no_tls)
+ ssl_set_no_tls(socket);
+
+--
+1.7.1
+
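Review bot: The `host` buffer obtained from `get_uri_string(conn->uri, URI_HOST)` in the ssl_connect hunk is never released: get_uri_string() hands back a newly allocated string (the `!host` check treating allocation failure as fatal is consistent with that), and NSS's SSL_SetURL() copies the name into the socket rather than taking ownership, so the buffer leaks on every TLS connection, on both the success path and the `S_SSL_ERROR` path. Release it once the two calls have run, e.g. `if (host) mem_free(host);` before the `socket->ops->done(...)` call in the error branch and again right after the closing `}` of the block (mem_free() being ELinks' allocator counterpart, if that is indeed what get_uri_string() pairs with). The `/* XXX */ NULL` hook argument is forwarded unchanged to nss_compat_ossl's BadCertHandler() by nss_bad_cert_hook(), and the hand-written prototype `SECStatus BadCertHandler(void *arg, PRFileDesc *ssl);` binds the build to an unexported symbol; a comment stating both assumptions would help the next maintainer, e.g. `/* BadCertHandler() is nss_compat_ossl's internal default hook (no public header); arg is passed through as NULL -- confirm on upgrade that the handler does not use it */`. ssl_connect() continues past the end of the inner hunk.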
diff --git a/elinks.spec b/elinks.spec
index 60b1263..595b011 100644
--- a/elinks.spec
+++ b/elinks.spec
@@ -3,7 +3,7 @@
 Name: elinks
 Summary: A text-mode Web browser
 Version: 0.12
-Release: 0.36.%{prerel}%{?dist}
+Release: 0.37.%{prerel}%{?dist}
 License: GPLv2
 URL: http://elinks.or.cz
 Group: Applications/Internet
@@ -41,6 +41,7 @@ Patch10: elinks-nss-inc.patch
 Patch11: elinks-0.12pre5-js185.patch
 Patch12: elinks-0.12pre5-ddg-search.patch
 Patch13: elinks-0.12pre6-autoconf.patch
+Patch14: elinks-0.12pre5-ssl-hostname.patch
 %description
 Elinks is a text-based Web browser. Elinks does not display any images,
@@ -87,6 +88,9 @@ quickly and swiftly displays Web pages.
 # add missing AC_LANG_PROGRAM around the first argument of AC_COMPILE_IFELSE
 %patch13 -p1
+# verify server certificate hostname with nss_compat_ossl (#881411)
+%patch14 -p1
+
 # remove bogus serial numbers
 sed -i 's/^# *serial [AM0-9]*$//' acinclude.m4 config/m4/*.m4
@@ -155,6 +159,9 @@ exit 0
 %{_mandir}/man5/*
 %changelog
+* Wed Sep 18 2013 Kamil Dudka - 0.12-0.37.pre6
+- verify server certificate hostname with nss_compat_ossl (#881411)
+
 * Tue Sep 03 2013 Kamil Dudka - 0.12-0.36.pre6
 - remove ancient Obsoletes tag against links (#1002132)