71 lines
2.0 KiB
Diff
71 lines
2.0 KiB
Diff
From cc428d37023b3f73458cf2054f19395035307045 Mon Sep 17 00:00:00 2001
|
|
From: Kamil Dudka <kdudka@redhat.com>
|
|
Date: Wed, 18 Sep 2013 13:42:40 +0200
|
|
Subject: [PATCH] verify server certificate hostname with nss_compat_ossl
|
|
|
|
Bug: https://bugzilla.redhat.com/881411
|
|
---
|
|
src/network/ssl/socket.c | 32 ++++++++++++++++++++++++++++++++
|
|
1 files changed, 32 insertions(+), 0 deletions(-)
|
|
|
|
diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
|
|
index 3265107..0aeb037 100644
|
|
--- a/src/network/ssl/socket.c
|
|
+++ b/src/network/ssl/socket.c
|
|
@@ -9,6 +9,9 @@
|
|
#define USE_OPENSSL
|
|
#elif defined(CONFIG_NSS_COMPAT_OSSL)
|
|
#include <nss_compat_ossl/nss_compat_ossl.h>
|
|
+#include <nspr.h> /* for PR_GetError() */
|
|
+#include <ssl.h> /* for SSL_SetURL() */
|
|
+#include "protocol/uri.h" /* for get_uri_string() */
|
|
#define USE_OPENSSL
|
|
#elif defined(CONFIG_GNUTLS)
|
|
#include <gnutls/gnutls.h>
|
|
@@ -116,6 +119,19 @@ ssl_want_read(struct socket *socket)
|
|
}
|
|
}
|
|
|
|
+#ifdef CONFIG_NSS_COMPAT_OSSL
|
|
+/* wrap nss_compat_ossl to honour SSL_ERROR_BAD_CERT_DOMAIN */
|
|
+SECStatus BadCertHandler(void *arg, PRFileDesc *ssl);
|
|
+static SECStatus nss_bad_cert_hook(void *arg, PRFileDesc *ssl)
|
|
+{
|
|
+ if (SSL_ERROR_BAD_CERT_DOMAIN == PR_GetError())
|
|
+ return SECFailure;
|
|
+
|
|
+ /* fallback to the default hook of nss_compat_ossl */
|
|
+ return BadCertHandler(arg, ssl);
|
|
+}
|
|
+#endif
|
|
+
|
|
/* Return -1 on error, 0 or success. */
|
|
int
|
|
ssl_connect(struct socket *socket)
|
|
@@ -127,6 +143,22 @@ ssl_connect(struct socket *socket)
|
|
return -1;
|
|
}
|
|
|
|
+#ifdef CONFIG_NSS_COMPAT_OSSL
|
|
+ /* fix for https://bugzilla.redhat.com/881411 */
|
|
+ {
|
|
+ struct connection *conn = socket->conn;
|
|
+ unsigned char *host = get_uri_string(conn->uri, URI_HOST);
|
|
+ if (!host
|
|
+ || SECSuccess != SSL_SetURL(socket->ssl, host)
|
|
+ || SECSuccess != SSL_BadCertHook(socket->ssl,
|
|
+ nss_bad_cert_hook, /* XXX */ NULL))
|
|
+ {
|
|
+ socket->ops->done(socket, connection_state(S_SSL_ERROR));
|
|
+ return -1;
|
|
+ }
|
|
+ }
|
|
+#endif
|
|
+
|
|
if (socket->no_tls)
|
|
ssl_set_no_tls(socket);
|
|
|
|
--
|
|
1.7.1
|
|
|