Fixed cname handling in TLS certificate verification
Resolves: rhbz#1942583
This commit is contained in:
parent
5787faece7
commit
b08df76248
154
exim-4.94-tls-cname-handling-fix.patch
Normal file
154
exim-4.94-tls-cname-handling-fix.patch
Normal file
@ -0,0 +1,154 @@
|
|||||||
|
diff --git a/src/host.c b/src/host.c
|
||||||
|
index 0e0e013..99bbba7 100644
|
||||||
|
--- a/src/host.c
|
||||||
|
+++ b/src/host.c
|
||||||
|
@@ -1950,6 +1950,13 @@ BOOL temp_error = FALSE;
|
||||||
|
int af;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#ifndef DISABLE_TLS
|
||||||
|
+/* Copy the host name at this point to the value which is used for
|
||||||
|
+TLS certificate name checking, before anything modifies it. */
|
||||||
|
+
|
||||||
|
+host->certname = host->name;
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/* Make sure DNS options are set as required. This appears to be necessary in
|
||||||
|
some circumstances when the get..byname() function actually calls the DNS. */
|
||||||
|
|
||||||
|
@@ -2117,6 +2124,9 @@ for (int i = 1; i <= times;
|
||||||
|
{
|
||||||
|
host_item *next = store_get(sizeof(host_item), FALSE);
|
||||||
|
next->name = host->name;
|
||||||
|
+#ifndef DISABLE_TLS
|
||||||
|
+ next->certname = host->certname;
|
||||||
|
+#endif
|
||||||
|
next->mx = host->mx;
|
||||||
|
next->address = text_address;
|
||||||
|
next->port = PORT_NONE;
|
||||||
|
@@ -2135,12 +2145,12 @@ for (int i = 1; i <= times;
|
||||||
|
NULL. If temp_error is set, at least one of the lookups gave a temporary error,
|
||||||
|
so we pass that back. */
|
||||||
|
|
||||||
|
-if (host->address == NULL)
|
||||||
|
+if (!host->address)
|
||||||
|
{
|
||||||
|
uschar *msg =
|
||||||
|
#ifndef STAND_ALONE
|
||||||
|
- (message_id[0] == 0 && smtp_in != NULL)?
|
||||||
|
- string_sprintf("no IP address found for host %s (during %s)", host->name,
|
||||||
|
+ message_id[0] == 0 && smtp_in
|
||||||
|
+ ? string_sprintf("no IP address found for host %s (during %s)", host->name,
|
||||||
|
smtp_get_connection_info()) :
|
||||||
|
#endif
|
||||||
|
string_sprintf("no IP address found for host %s", host->name);
|
||||||
|
@@ -2260,6 +2270,13 @@ BOOL v6_find_again = FALSE;
|
||||||
|
BOOL dnssec_fail = FALSE;
|
||||||
|
int i;
|
||||||
|
|
||||||
|
+#ifndef DISABLE_TLS
|
||||||
|
+/* Copy the host name at this point to the value which is used for
|
||||||
|
+TLS certificate name checking, before any CNAME-following modifies it. */
|
||||||
|
+
|
||||||
|
+host->certname = host->name;
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/* If allow_ip is set, a name which is an IP address returns that value
|
||||||
|
as its address. This is used for MX records when allow_mx_to_ip is set, for
|
||||||
|
those sites that feel they have to flaunt the RFC rules. */
|
||||||
|
diff --git a/src/structs.h b/src/structs.h
|
||||||
|
index c6700d5..206237f 100644
|
||||||
|
--- a/src/structs.h
|
||||||
|
+++ b/src/structs.h
|
||||||
|
@@ -80,14 +80,17 @@ typedef enum {DS_UNK=-1, DS_NO, DS_YES} dnssec_status_t;
|
||||||
|
|
||||||
|
typedef struct host_item {
|
||||||
|
struct host_item *next;
|
||||||
|
- const uschar *name; /* Host name */
|
||||||
|
- const uschar *address; /* IP address in text form */
|
||||||
|
- int port; /* port value in host order (if SRV lookup) */
|
||||||
|
- int mx; /* MX value if found via MX records */
|
||||||
|
- int sort_key; /* MX*1000 plus random "fraction" */
|
||||||
|
- int status; /* Usable, unusable, or unknown */
|
||||||
|
- int why; /* Why host is unusable */
|
||||||
|
- int last_try; /* Time of last try if known */
|
||||||
|
+ const uschar *name; /* Host name */
|
||||||
|
+#ifndef DISABLE_TLS
|
||||||
|
+ const uschar *certname; /* Name used for certificate checks */
|
||||||
|
+#endif
|
||||||
|
+ const uschar *address; /* IP address in text form */
|
||||||
|
+ int port; /* port value in host order (if SRV lookup) */
|
||||||
|
+ int mx; /* MX value if found via MX records */
|
||||||
|
+ int sort_key; /* MX*1000 plus random "fraction" */
|
||||||
|
+ int status; /* Usable, unusable, or unknown */
|
||||||
|
+ int why; /* Why host is unusable */
|
||||||
|
+ int last_try; /* Time of last try if known */
|
||||||
|
dnssec_status_t dnssec;
|
||||||
|
} host_item;
|
||||||
|
|
||||||
|
diff --git a/src/tls-gnu.c b/src/tls-gnu.c
|
||||||
|
index 24114f0..875c82e 100644
|
||||||
|
--- a/src/tls-gnu.c
|
||||||
|
+++ b/src/tls-gnu.c
|
||||||
|
@@ -2601,9 +2601,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
|
||||||
|
{
|
||||||
|
state->exp_tls_verify_cert_hostnames =
|
||||||
|
#ifdef SUPPORT_I18N
|
||||||
|
- string_domain_utf8_to_alabel(host->name, NULL);
|
||||||
|
+ string_domain_utf8_to_alabel(host->certname, NULL);
|
||||||
|
#else
|
||||||
|
- host->name;
|
||||||
|
+ host->certname;
|
||||||
|
#endif
|
||||||
|
DEBUG(D_tls)
|
||||||
|
debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
|
||||||
|
diff --git a/src/tls-openssl.c b/src/tls-openssl.c
|
||||||
|
index 8c9d8aa..a623229 100644
|
||||||
|
--- a/src/tls-openssl.c
|
||||||
|
+++ b/src/tls-openssl.c
|
||||||
|
@@ -372,10 +372,10 @@ typedef struct ocsp_resp {
|
||||||
|
} ocsp_resplist;
|
||||||
|
|
||||||
|
typedef struct tls_ext_ctx_cb {
|
||||||
|
- tls_support * tlsp;
|
||||||
|
- uschar *certificate;
|
||||||
|
- uschar *privatekey;
|
||||||
|
- BOOL is_server;
|
||||||
|
+ tls_support * tlsp;
|
||||||
|
+ uschar * certificate;
|
||||||
|
+ uschar * privatekey;
|
||||||
|
+ BOOL is_server;
|
||||||
|
#ifndef DISABLE_OCSP
|
||||||
|
STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
|
||||||
|
union {
|
||||||
|
@@ -390,14 +390,14 @@ typedef struct tls_ext_ctx_cb {
|
||||||
|
} client;
|
||||||
|
} u_ocsp;
|
||||||
|
#endif
|
||||||
|
- uschar *dhparam;
|
||||||
|
+ uschar * dhparam;
|
||||||
|
/* these are cached from first expand */
|
||||||
|
- uschar *server_cipher_list;
|
||||||
|
+ uschar * server_cipher_list;
|
||||||
|
/* only passed down to tls_error: */
|
||||||
|
- host_item *host;
|
||||||
|
+ host_item * host;
|
||||||
|
const uschar * verify_cert_hostnames;
|
||||||
|
#ifndef DISABLE_EVENT
|
||||||
|
- uschar * event_action;
|
||||||
|
+ uschar * event_action;
|
||||||
|
#endif
|
||||||
|
} tls_ext_ctx_cb;
|
||||||
|
|
||||||
|
@@ -2915,9 +2915,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
|
||||||
|
{
|
||||||
|
cbinfo->verify_cert_hostnames =
|
||||||
|
#ifdef SUPPORT_I18N
|
||||||
|
- string_domain_utf8_to_alabel(host->name, NULL);
|
||||||
|
+ string_domain_utf8_to_alabel(host->certname, NULL);
|
||||||
|
#else
|
||||||
|
- host->name;
|
||||||
|
+ host->certname;
|
||||||
|
#endif
|
||||||
|
DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
|
||||||
|
cbinfo->verify_cert_hostnames);
|
@ -15,7 +15,7 @@
|
|||||||
Summary: The exim mail transfer agent
|
Summary: The exim mail transfer agent
|
||||||
Name: exim
|
Name: exim
|
||||||
Version: 4.94
|
Version: 4.94
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Url: https://www.exim.org/
|
Url: https://www.exim.org/
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
@ -56,6 +56,8 @@ Patch0: exim-4.94-config.patch
|
|||||||
Patch1: exim-4.94-libdir.patch
|
Patch1: exim-4.94-libdir.patch
|
||||||
Patch2: exim-4.94-dlopen-localscan.patch
|
Patch2: exim-4.94-dlopen-localscan.patch
|
||||||
Patch3: exim-4.85-pic.patch
|
Patch3: exim-4.85-pic.patch
|
||||||
|
# https://bugs.exim.org/show_bug.cgi?id=2594
|
||||||
|
Patch4: exim-4.94-tls-cname-handling-fix.patch
|
||||||
|
|
||||||
Requires: /etc/pki/tls/certs /etc/pki/tls/private
|
Requires: /etc/pki/tls/certs /etc/pki/tls/private
|
||||||
Requires: /etc/aliases
|
Requires: /etc/aliases
|
||||||
@ -204,6 +206,7 @@ greylisting unconditional.
|
|||||||
%patch1 -p1 -b .libdir
|
%patch1 -p1 -b .libdir
|
||||||
%patch2 -p1 -b .dl
|
%patch2 -p1 -b .dl
|
||||||
%patch3 -p1 -b .fpic
|
%patch3 -p1 -b .fpic
|
||||||
|
%patch4 -p1 -b .tls-cname-handling-fix
|
||||||
|
|
||||||
cp src/EDITME Local/Makefile
|
cp src/EDITME Local/Makefile
|
||||||
sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
|
sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
|
||||||
@ -605,6 +608,10 @@ test "$1" = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
|
|||||||
%{_sysconfdir}/cron.daily/greylist-tidy.sh
|
%{_sysconfdir}/cron.daily/greylist-tidy.sh
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Mar 25 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-2
|
||||||
|
- Fixed cname handling in TLS certificate verification
|
||||||
|
Resolves: rhbz#1942583
|
||||||
|
|
||||||
* Mon Jun 1 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-1
|
* Mon Jun 1 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-1
|
||||||
- New version
|
- New version
|
||||||
Resolves: rhbz#1842590
|
Resolves: rhbz#1842590
|
||||||
|
Loading…
Reference in New Issue
Block a user