diff --git a/elinks-0.12pre6-ssl-hostname.patch b/elinks-0.12pre6-ssl-hostname.patch index a51c6b8..95447e6 100644 --- a/elinks-0.12pre6-ssl-hostname.patch +++ b/elinks-0.12pre6-ssl-hostname.patch @@ -1,7 +1,7 @@ From 30d96f81dbefffd3f1523256cc5a5328ea1c7ecb Mon Sep 17 00:00:00 2001 From: Kalle Olavi Niemitalo Date: Mon, 2 May 2011 14:41:40 +0300 -Subject: [PATCH 1/3] 1024: Use RFC 3546 server_name TLS extension +Subject: [PATCH 1/4] 1024: Use RFC 3546 server_name TLS extension For both GnuTLS and OpenSSL. Not tested with nss-compat-openssl. @@ -138,7 +138,7 @@ index 7c54a7a..bfd94e1 100644 From e7484a980572b665747c28aa1376e29a12fb4b19 Mon Sep 17 00:00:00 2001 From: Kalle Olavi Niemitalo Date: Tue, 3 May 2011 03:52:21 +0300 -Subject: [PATCH 2/3] 1024: Verify server certificate hostname with OpenSSL +Subject: [PATCH 2/4] 1024: Verify server certificate hostname with OpenSSL Not tested with nss-compat-ossl. @@ -669,7 +669,7 @@ index 0000000..f2196eb +top_builddir=../../../.. +include $(top_builddir)/Makefile.config + -+SUBDIRS = ++SUBDIRS = +TEST_PROGS = match-hostname-test +TESTDEPS += \ + $(top_builddir)/src/network/ssl/match-hostname.o @@ -802,7 +802,7 @@ index 0000000..fbdf6fa + done_string(&hostname_str); + done_string(&pattern_str); + return count_fail ? EXIT_FAILURE : EXIT_SUCCESS; -+ ++ +} diff --git a/src/network/ssl/test/test-match-hostname b/src/network/ssl/test/test-match-hostname new file mode 100755 @@ -820,7 +820,7 @@ index 0000000..01d7173 From 0cb6967bb9ccabc583bbdc6ee76baf4fdf0f90cc Mon Sep 17 00:00:00 2001 From: mancha Date: Sun, 15 Jul 2012 23:27:53 +0200 -Subject: [PATCH 3/3] Fix hostname verification code. +Subject: [PATCH 3/4] Fix hostname verification code. [ From bug 1123 attachment 569. --KON ] 
@@ -845,3 +845,130 @@ index 9a64bb4..80d93b0 100644
 --
 2.1.0
 
+
+From cf8586b0389911d944d767646d5a91c2e1bae86c Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Fri, 5 Jun 2015 17:08:46 +0200
+Subject: [PATCH 4/4] ssl: use the OpenSSL-provided host name check
+
+... if built against a new enough version of OpenSSL
+
+Suggested-by: Christian Heimes
+---
+ configure.in | 3 +++
+ src/network/ssl/socket.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/configure.in b/configure.in
+index 91d0257..1d858bd 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1044,6 +1044,9 @@ else
+ fi
+ 
+ AC_MSG_RESULT($cf_result)
++if test "$cf_result" = yes; then
++ AC_CHECK_FUNCS(X509_VERIFY_PARAM_set1_host)
++fi
+ 
+ # ---- GNU TLS
+ 
+diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
+index a67bbde..c9e2be4 100644
+--- a/src/network/ssl/socket.c
++++ b/src/network/ssl/socket.c
+@@ -7,6 +7,9 @@
+ #ifdef CONFIG_OPENSSL
+ #include
+ #include
++#ifdef HAVE_X509_VERIFY_PARAM_SET1_HOST
++#include
++#endif
+ #define USE_OPENSSL
+ #elif defined(CONFIG_NSS_COMPAT_OSSL)
+ #include
+@@ -97,6 +100,30 @@ ssl_set_no_tls(struct socket *socket)
+ 
+ #ifdef USE_OPENSSL
+ 
++#ifdef HAVE_X509_VERIFY_PARAM_SET1_HOST
++/* activate the OpenSSL-provided host name check */
++static int
++ossl_set_hostname(void *ssl, unsigned char *server_name)
++{
++ int ret = -1;
++
++ X509_VERIFY_PARAM *vpm = X509_VERIFY_PARAM_new();
++ if (vpm) {
++ if (X509_VERIFY_PARAM_set1_host(vpm, (char *) server_name, 0)
++ && SSL_set1_param(ssl, vpm))
++ {
++ /* successfully activated the OpenSSL host name check */
++ ret = 0;
++ }
++
++ X509_VERIFY_PARAM_free(vpm);
++ }
++
++ return ret;
++}
++
++#else /* HAVE_X509_VERIFY_PARAM_SET1_HOST */
++
+ /** Checks whether the host component of a URI matches a host name in
+ * the server certificate.
+ *
+@@ -289,6 +316,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
+ mem_free(host_in_uri);
+ return matched;
+ }
++#endif /* HAVE_X509_VERIFY_PARAM_SET1_HOST */
+ 
+ #endif /* USE_OPENSSL */
+ 
+@@ -329,6 +357,9 @@ ssl_connect(struct socket *socket)
+ int ret;
+ unsigned char *server_name;
+ struct connection *conn = socket->conn;
++#ifdef USE_OPENSSL
++ int (*verify_callback_ptr)(int, X509_STORE_CTX *);
++#endif /* USE_OPENSSL */
+ 
+ /* TODO: Recode server_name to UTF-8. */
+ server_name = get_uri_string(conn->proxied_uri, URI_HOST);
+@@ -347,6 +378,23 @@ ssl_connect(struct socket *socket)
+ return -1;
+ }
+ 
++#ifdef USE_OPENSSL
++#ifdef HAVE_X509_VERIFY_PARAM_SET1_HOST
++ /* activate the OpenSSL-provided host name check */
++ if (ossl_set_hostname(socket->ssl, server_name)) {
++ mem_free_if(server_name);
++ socket->ops->done(socket, connection_state(S_SSL_ERROR));
++ return -1;
++ }
++
++ /* verify_callback() is not needed with X509_VERIFY_PARAM_set1_host() */
++ verify_callback_ptr = NULL;
++#else
++ /* use our own callback implementing the host name check */
++ verify_callback_ptr = verify_callback;
++#endif
++#endif /* USE_OPENSSL */
++
+ mem_free_if(server_name);
+ 
+ if (socket->no_tls)
+@@ -358,7 +406,7 @@ ssl_connect(struct socket *socket)
+ if (get_opt_bool("connection.ssl.cert_verify"))
+ SSL_set_verify(socket->ssl, SSL_VERIFY_PEER
+ | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+- verify_callback);
++ verify_callback_ptr);
+ 
+ if (get_opt_bool("connection.ssl.client_cert.enable")) {
+ unsigned char *client_cert;
+--
+2.4.3
+
diff --git a/elinks.spec b/elinks.spec
index 9d6c3d3..ca9840d 100644
--- a/elinks.spec
+++ b/elinks.spec
@@ -3,7 +3,7 @@
 Name: elinks
 Summary: A text-mode Web browser
 Version: 0.12
-Release: 0.46.%{prerel}%{?dist}
+Release: 0.47.%{prerel}%{?dist}
 License: GPLv2
 URL: http://elinks.or.cz
 Group: Applications/Internet
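Review bot: In ossl_set_hostname(), X509_VERIFY_PARAM_set1_host() matches server_name only against dNSName SANs and the CN, so a URI whose host is an IP literal (https://192.0.2.10/) cannot verify against a certificate that carries that address as an iPAddress SAN — the handshake fails closed rather than insecurely, but it is a gap a user will hit, and server_name comes straight from URI_HOST so nothing upstream filters it. OpenSSL 1.0.2, which introduced set1_host(), also provides X509_VERIFY_PARAM_set1_ip_asc(), which returns 0 for anything that does not parse as an address, so it can be tried first: `int host_ok = X509_VERIFY_PARAM_set1_ip_asc(vpm, (char *) server_name)` / `|| X509_VERIFY_PARAM_set1_host(vpm, (char *) server_name, 0);` / `if (host_ok && SSL_set1_param(ssl, vpm)) {`. Whether URI_HOST keeps the brackets around an IPv6 literal is not visible here; if it does they have to be stripped before the call, which deserves a comment either way. As a point of style, SSL_get0_param(ssl) exists in the same OpenSSL release and would let the host be set on the connection's own parameters without allocating, copying and freeing a separate X509_VERIFY_PARAM.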
@@ -174,6 +174,9 @@ exit 0
 %{_mandir}/man5/*
 
 %changelog
+* Tue Jul 07 2015 Kamil Dudka - 0.12-0.47.pre6
+- use the OpenSSL-provided host name check (#881399)
+
 * Wed Jun 17 2015 Fedora Release Engineering - 0.12-0.46.pre6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild