Fixed cname handling in TLS certificate verification
Resolves: rhbz#1942582
This commit is contained in:
Jaroslav Škarvada
parent
9c656af5d1
commit
40d0187a59
|
|
@ -0,0 +1,154 @@
|
|||
diff --git a/src/host.c b/src/host.c
|
||||
index 0e0e013..99bbba7 100644
|
||||
--- a/src/host.c
|
||||
+++ b/src/host.c
|
||||
@@ -1950,6 +1950,13 @@ BOOL temp_error = FALSE;
|
||||
int af;
|
||||
#endif
|
||||
|
||||
+#ifndef DISABLE_TLS
|
||||
+/* Copy the host name at this point to the value which is used for
|
||||
+TLS certificate name checking, before anything modifies it. */
|
||||
+
|
||||
+host->certname = host->name;
|
||||
+#endif
|
||||
+
|
||||
/* Make sure DNS options are set as required. This appears to be necessary in
|
||||
some circumstances when the get..byname() function actually calls the DNS. */
|
||||
|
||||
@@ -2117,6 +2124,9 @@ for (int i = 1; i <= times;
|
||||
{
|
||||
host_item *next = store_get(sizeof(host_item), FALSE);
|
||||
next->name = host->name;
|
||||
+#ifndef DISABLE_TLS
|
||||
+ next->certname = host->certname;
|
||||
+#endif
|
||||
next->mx = host->mx;
|
||||
next->address = text_address;
|
||||
next->port = PORT_NONE;
|
||||
@@ -2135,12 +2145,12 @@ for (int i = 1; i <= times;
|
||||
NULL. If temp_error is set, at least one of the lookups gave a temporary error,
|
||||
so we pass that back. */
|
||||
|
||||
-if (host->address == NULL)
|
||||
+if (!host->address)
|
||||
{
|
||||
uschar *msg =
|
||||
#ifndef STAND_ALONE
|
||||
- (message_id[0] == 0 && smtp_in != NULL)?
|
||||
- string_sprintf("no IP address found for host %s (during %s)", host->name,
|
||||
+ message_id[0] == 0 && smtp_in
|
||||
+ ? string_sprintf("no IP address found for host %s (during %s)", host->name,
|
||||
smtp_get_connection_info()) :
|
||||
#endif
|
||||
string_sprintf("no IP address found for host %s", host->name);
|
||||
@@ -2260,6 +2270,13 @@ BOOL v6_find_again = FALSE;
|
||||
BOOL dnssec_fail = FALSE;
|
||||
int i;
|
||||
|
||||
+#ifndef DISABLE_TLS
|
||||
+/* Copy the host name at this point to the value which is used for
|
||||
+TLS certificate name checking, before any CNAME-following modifies it. */
|
||||
+
|
||||
+host->certname = host->name;
|
||||
+#endif
|
||||
+
|
||||
/* If allow_ip is set, a name which is an IP address returns that value
|
||||
as its address. This is used for MX records when allow_mx_to_ip is set, for
|
||||
those sites that feel they have to flaunt the RFC rules. */
|
||||
diff --git a/src/structs.h b/src/structs.h
|
||||
index c6700d5..206237f 100644
|
||||
--- a/src/structs.h
|
||||
+++ b/src/structs.h
|
||||
@@ -80,14 +80,17 @@ typedef enum {DS_UNK=-1, DS_NO, DS_YES} dnssec_status_t;
|
||||
|
||||
typedef struct host_item {
|
||||
struct host_item *next;
|
||||
- const uschar *name; /* Host name */
|
||||
- const uschar *address; /* IP address in text form */
|
||||
- int port; /* port value in host order (if SRV lookup) */
|
||||
- int mx; /* MX value if found via MX records */
|
||||
- int sort_key; /* MX*1000 plus random "fraction" */
|
||||
- int status; /* Usable, unusable, or unknown */
|
||||
- int why; /* Why host is unusable */
|
||||
- int last_try; /* Time of last try if known */
|
||||
+ const uschar *name; /* Host name */
|
||||
+#ifndef DISABLE_TLS
|
||||
+ const uschar *certname; /* Name used for certificate checks */
|
||||
+#endif
|
||||
+ const uschar *address; /* IP address in text form */
|
||||
+ int port; /* port value in host order (if SRV lookup) */
|
||||
+ int mx; /* MX value if found via MX records */
|
||||
+ int sort_key; /* MX*1000 plus random "fraction" */
|
||||
+ int status; /* Usable, unusable, or unknown */
|
||||
+ int why; /* Why host is unusable */
|
||||
+ int last_try; /* Time of last try if known */
|
||||
dnssec_status_t dnssec;
|
||||
} host_item;
|
||||
|
||||
diff --git a/src/tls-gnu.c b/src/tls-gnu.c
|
||||
index 24114f0..875c82e 100644
|
||||
--- a/src/tls-gnu.c
|
||||
+++ b/src/tls-gnu.c
|
||||
@@ -2601,9 +2601,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
|
||||
{
|
||||
state->exp_tls_verify_cert_hostnames =
|
||||
#ifdef SUPPORT_I18N
|
||||
- string_domain_utf8_to_alabel(host->name, NULL);
|
||||
+ string_domain_utf8_to_alabel(host->certname, NULL);
|
||||
#else
|
||||
- host->name;
|
||||
+ host->certname;
|
||||
#endif
|
||||
DEBUG(D_tls)
|
||||
debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
|
||||
diff --git a/src/tls-openssl.c b/src/tls-openssl.c
|
||||
index 8c9d8aa..a623229 100644
|
||||
--- a/src/tls-openssl.c
|
||||
+++ b/src/tls-openssl.c
|
||||
@@ -372,10 +372,10 @@ typedef struct ocsp_resp {
|
||||
} ocsp_resplist;
|
||||
|
||||
typedef struct tls_ext_ctx_cb {
|
||||
- tls_support * tlsp;
|
||||
- uschar *certificate;
|
||||
- uschar *privatekey;
|
||||
- BOOL is_server;
|
||||
+ tls_support * tlsp;
|
||||
+ uschar * certificate;
|
||||
+ uschar * privatekey;
|
||||
+ BOOL is_server;
|
||||
#ifndef DISABLE_OCSP
|
||||
STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
|
||||
union {
|
||||
@@ -390,14 +390,14 @@ typedef struct tls_ext_ctx_cb {
|
||||
} client;
|
||||
} u_ocsp;
|
||||
#endif
|
||||
- uschar *dhparam;
|
||||
+ uschar * dhparam;
|
||||
/* these are cached from first expand */
|
||||
- uschar *server_cipher_list;
|
||||
+ uschar * server_cipher_list;
|
||||
/* only passed down to tls_error: */
|
||||
- host_item *host;
|
||||
+ host_item * host;
|
||||
const uschar * verify_cert_hostnames;
|
||||
#ifndef DISABLE_EVENT
|
||||
- uschar * event_action;
|
||||
+ uschar * event_action;
|
||||
#endif
|
||||
} tls_ext_ctx_cb;
|
||||
|
||||
@@ -2915,9 +2915,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
|
||||
{
|
||||
cbinfo->verify_cert_hostnames =
|
||||
#ifdef SUPPORT_I18N
|
||||
- string_domain_utf8_to_alabel(host->name, NULL);
|
||||
+ string_domain_utf8_to_alabel(host->certname, NULL);
|
||||
#else
|
||||
- host->name;
|
||||
+ host->certname;
|
||||
#endif
|
||||
DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
|
||||
cbinfo->verify_cert_hostnames);
|
||||
|
|
@ -12,7 +12,7 @@
|
|||
Summary: The exim mail transfer agent
|
||||
Name: exim
|
||||
Version: 4.94
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Url: https://www.exim.org/
|
||||
|
||||
|
|
@ -46,6 +46,8 @@ Patch0: exim-4.94-config.patch
|
|||
Patch1: exim-4.94-libdir.patch
|
||||
Patch2: exim-4.94-dlopen-localscan.patch
|
||||
Patch3: exim-4.85-pic.patch
|
||||
# https://bugs.exim.org/show_bug.cgi?id=2594
|
||||
Patch4: exim-4.94-tls-cname-handling-fix.patch
|
||||
|
||||
Requires: /etc/pki/tls/certs /etc/pki/tls/private
|
||||
Requires: /etc/aliases
|
||||
|
|
@ -159,6 +161,7 @@ greylisting unconditional.
|
|||
%patch1 -p1 -b .libdir
|
||||
%patch2 -p1 -b .dl
|
||||
%patch3 -p1 -b .fpic
|
||||
%patch4 -p1 -b .tls-cname-handling-fix
|
||||
|
||||
cp src/EDITME Local/Makefile
|
||||
sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
|
||||
|
|
@ -476,6 +479,10 @@ fi
|
|||
%{_sysconfdir}/cron.daily/greylist-tidy.sh
|
||||
|
||||
%changelog
|
||||
* Thu Mar 25 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-2
|
||||
- Fixed cname handling in TLS certificate verification
|
||||
Resolves: rhbz#1942582
|
||||
|
||||
* Mon Jun 1 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-1
|
||||
- New version
|
||||
Resolves: rhbz#1842590
|
||||
|
|
|
|||
Loading…
Reference in New Issue