rpms/elinks
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: #881399 - use the OpenSSL-provided host name check

Browse Source
This commit is contained in:
Kamil Dudka 2015-07-07 13:28:32 +02:00
parent ba2413a2cd
commit f94b775082
2 changed files with 136 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

137
elinks-0.12pre6-ssl-hostname.patch
View File

@ -1,7 +1,7 @@
From 30d96f81dbefffd3f1523256cc5a5328ea1c7ecb Mon Sep 17 00:00:00 2001
From: Kalle Olavi Niemitalo <kon@iki.fi>
Date: Mon, 2 May 2011 14:41:40 +0300
Subject: [PATCH 1/3] 1024: Use RFC 3546 server_name TLS extension
Subject: [PATCH 1/4] 1024: Use RFC 3546 server_name TLS extension
For both GnuTLS and OpenSSL. Not tested with nss-compat-openssl.
@ -138,7 +138,7 @@ index 7c54a7a..bfd94e1 100644
From e7484a980572b665747c28aa1376e29a12fb4b19 Mon Sep 17 00:00:00 2001
From: Kalle Olavi Niemitalo <kon@iki.fi>
Date: Tue, 3 May 2011 03:52:21 +0300
Subject: [PATCH 2/3] 1024: Verify server certificate hostname with OpenSSL
Subject: [PATCH 2/4] 1024: Verify server certificate hostname with OpenSSL
Not tested with nss-compat-ossl.
@ -669,7 +669,7 @@ index 0000000..f2196eb
+top_builddir=../../../..
+include $(top_builddir)/Makefile.config
+
+SUBDIRS =
+SUBDIRS =
+TEST_PROGS = match-hostname-test
+TESTDEPS += \
+ $(top_builddir)/src/network/ssl/match-hostname.o
@ -802,7 +802,7 @@ index 0000000..fbdf6fa
+ done_string(&hostname_str);
+ done_string(&pattern_str);
+ return count_fail ? EXIT_FAILURE : EXIT_SUCCESS;
+
+
+}
diff --git a/src/network/ssl/test/test-match-hostname b/src/network/ssl/test/test-match-hostname
new file mode 100755
@ -820,7 +820,7 @@ index 0000000..01d7173
From 0cb6967bb9ccabc583bbdc6ee76baf4fdf0f90cc Mon Sep 17 00:00:00 2001
From: mancha <mancha@mac.hush.com>
Date: Sun, 15 Jul 2012 23:27:53 +0200
Subject: [PATCH 3/3] Fix hostname verification code.
Subject: [PATCH 3/4] Fix hostname verification code.
[ From bug 1123 attachment 569. --KON ]
@ -845,3 +845,130 @@ index 9a64bb4..80d93b0 100644
--
2.1.0
From cf8586b0389911d944d767646d5a91c2e1bae86c Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 5 Jun 2015 17:08:46 +0200
Subject: [PATCH 4/4] ssl: use the OpenSSL-provided host name check
... if built against a new enough version of OpenSSL
Suggested-by: Christian Heimes
---
configure.in | 3 +++
src/network/ssl/socket.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 52 insertions(+), 1 deletion(-)
diff --git a/configure.in b/configure.in
index 91d0257..1d858bd 100644
--- a/configure.in
+++ b/configure.in
@@ -1044,6 +1044,9 @@ else
fi
AC_MSG_RESULT($cf_result)
+if test "$cf_result" = yes; then
+ AC_CHECK_FUNCS(X509_VERIFY_PARAM_set1_host)
+fi
# ---- GNU TLS
diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
index a67bbde..c9e2be4 100644
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@@ -7,6 +7,9 @@
#ifdef CONFIG_OPENSSL
#include <openssl/ssl.h>
#include <openssl/x509v3.h>
+#ifdef HAVE_X509_VERIFY_PARAM_SET1_HOST
+#include <openssl/x509_vfy.h>
+#endif
#define USE_OPENSSL
#elif defined(CONFIG_NSS_COMPAT_OSSL)
#include <nss_compat_ossl/nss_compat_ossl.h>
@@ -97,6 +100,30 @@ ssl_set_no_tls(struct socket *socket)
#ifdef USE_OPENSSL
+#ifdef HAVE_X509_VERIFY_PARAM_SET1_HOST
+/* activate the OpenSSL-provided host name check */
+static int
+ossl_set_hostname(void *ssl, unsigned char *server_name)
+{
+ int ret = -1;
+
+ X509_VERIFY_PARAM *vpm = X509_VERIFY_PARAM_new();
+ if (vpm) {
+ if (X509_VERIFY_PARAM_set1_host(vpm, (char *) server_name, 0)
+ && SSL_set1_param(ssl, vpm))
+ {
+ /* successfully activated the OpenSSL host name check */
+ ret = 0;
+ }
+
+ X509_VERIFY_PARAM_free(vpm);
+ }
+
+ return ret;
+}
+
+#else /* HAVE_X509_VERIFY_PARAM_SET1_HOST */
+
/** Checks whether the host component of a URI matches a host name in
* the server certificate.
*
@@ -289,6 +316,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
mem_free(host_in_uri);
return matched;
}
+#endif /* HAVE_X509_VERIFY_PARAM_SET1_HOST */
#endif /* USE_OPENSSL */
@@ -329,6 +357,9 @@ ssl_connect(struct socket *socket)
int ret;
unsigned char *server_name;
struct connection *conn = socket->conn;
+#ifdef USE_OPENSSL
+ int (*verify_callback_ptr)(int, X509_STORE_CTX *);
+#endif /* USE_OPENSSL */
/* TODO: Recode server_name to UTF-8. */
server_name = get_uri_string(conn->proxied_uri, URI_HOST);
@@ -347,6 +378,23 @@ ssl_connect(struct socket *socket)
return -1;
}
+#ifdef USE_OPENSSL
+#ifdef HAVE_X509_VERIFY_PARAM_SET1_HOST
+ /* activate the OpenSSL-provided host name check */
+ if (ossl_set_hostname(socket->ssl, server_name)) {
+ mem_free_if(server_name);
+ socket->ops->done(socket, connection_state(S_SSL_ERROR));
+ return -1;
+ }
+
+ /* verify_callback() is not needed with X509_VERIFY_PARAM_set1_host() */
+ verify_callback_ptr = NULL;
+#else
+ /* use our own callback implementing the host name check */
+ verify_callback_ptr = verify_callback;
+#endif
+#endif /* USE_OPENSSL */
+
mem_free_if(server_name);
if (socket->no_tls)
@@ -358,7 +406,7 @@ ssl_connect(struct socket *socket)
if (get_opt_bool("connection.ssl.cert_verify"))
SSL_set_verify(socket->ssl, SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
- verify_callback);
+ verify_callback_ptr);
if (get_opt_bool("connection.ssl.client_cert.enable")) {
unsigned char *client_cert;
--
2.4.3

5
elinks.spec
View File

@ -3,7 +3,7 @@
Name: elinks
Summary: A text-mode Web browser
Version: 0.12
Release: 0.46.%{prerel}%{?dist}
Release: 0.47.%{prerel}%{?dist}
License: GPLv2
URL: http://elinks.or.cz
Group: Applications/Internet
@ -174,6 +174,9 @@ exit 0
%{_mandir}/man5/*
%changelog
* Tue Jul 07 2015 Kamil Dudka <kdudka@redhat.com> - 0.12-0.47.pre6
- use the OpenSSL-provided host name check (#881399)
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12-0.46.pre6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild