mutt/mutt-1.5.21-testcert.patch
Honza Horák a5d2d9c94b Fixed hostname verification of x.509 certificates.
(rhbz#688756, CVE-2011-1429)
2011-04-15 14:28:59 +02:00

31 lines
1.1 KiB
Diff

diff -up mutt-1.5.21/mutt_ssl_gnutls.c.old mutt-1.5.21/mutt_ssl_gnutls.c
--- mutt-1.5.21/mutt_ssl_gnutls.c.old 2011-03-23 11:46:28.760386765 +0100
+++ mutt-1.5.21/mutt_ssl_gnutls.c 2011-03-23 14:34:45.839456449 +0100
@@ -978,6 +978,7 @@ static int tls_check_certificate (CONNEC
unsigned int cert_list_size = 0;
gnutls_certificate_status certstat;
int certerr, i, preauthrc, savedcert, rc = 0;
+ int rcpeer;
if (gnutls_auth_get_type (state) != GNUTLS_CRD_CERTIFICATE)
{
@@ -1003,6 +1004,9 @@ static int tls_check_certificate (CONNEC
for (i = 0; i < cert_list_size; i++) {
rc = tls_check_preauth(&cert_list[i], certstat, conn->account.host, i,
&certerr, &savedcert);
+ if (i == 0)
+ rcpeer = rc;
+
preauthrc += rc;
if (savedcert)
@@ -1028,7 +1032,7 @@ static int tls_check_certificate (CONNEC
dprint (1, (debugfile, "error trusting certificate %d: %d\n", i, rc));
certstat = tls_verify_peers (state);
- if (!certstat)
+ if (!certstat && !rcpeer)
return 1;
}
}