From cc428d37023b3f73458cf2054f19395035307045 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 18 Sep 2013 13:42:40 +0200
Subject: [PATCH] verify server certificate hostname with nss_compat_ossl

Bug: https://bugzilla.redhat.com/881411
---
 src/network/ssl/socket.c |   32 ++++++++++++++++++++++++++++++++
 1 files changed, 32 insertions(+), 0 deletions(-)

diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
index 3265107..0aeb037 100644
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@@ -9,6 +9,9 @@
 #define USE_OPENSSL
 #elif defined(CONFIG_NSS_COMPAT_OSSL)
 #include <nss_compat_ossl/nss_compat_ossl.h>
+#include <nspr.h>		/* for PR_GetError()    */
+#include <ssl.h>		/* for SSL_SetURL()     */
+#include "protocol/uri.h"	/* for get_uri_string() */
 #define USE_OPENSSL
 #elif defined(CONFIG_GNUTLS)
 #include <gnutls/gnutls.h>
@@ -116,6 +119,19 @@ ssl_want_read(struct socket *socket)
 	}
 }
 
+#ifdef CONFIG_NSS_COMPAT_OSSL
+/* wrap nss_compat_ossl to honour SSL_ERROR_BAD_CERT_DOMAIN */
+SECStatus BadCertHandler(void *arg, PRFileDesc *ssl);
+static SECStatus nss_bad_cert_hook(void *arg, PRFileDesc *ssl)
+{
+	if (SSL_ERROR_BAD_CERT_DOMAIN == PR_GetError())
+		return SECFailure;
+
+	/* fallback to the default hook of nss_compat_ossl */
+	return BadCertHandler(arg, ssl);
+}
+#endif
+
 /* Return -1 on error, 0 or success. */
 int
 ssl_connect(struct socket *socket)
@@ -127,6 +143,22 @@ ssl_connect(struct socket *socket)
 		return -1;
 	}
 
+#ifdef CONFIG_NSS_COMPAT_OSSL
+	/* fix for https://bugzilla.redhat.com/881411 */
+	{
+		struct connection *conn = socket->conn;
+		unsigned char *host = get_uri_string(conn->uri, URI_HOST);
+		if (!host
+				|| SECSuccess != SSL_SetURL(socket->ssl, host)
+				|| SECSuccess != SSL_BadCertHook(socket->ssl,
+					nss_bad_cert_hook, /* XXX */ NULL))
+		{
+			socket->ops->done(socket, connection_state(S_SSL_ERROR));
+			return -1;
+		}
+	}
+#endif
+
 	if (socket->no_tls)
 		ssl_set_no_tls(socket);
 
-- 
1.7.1