global/git
1
0
Fork 0
mirror of https://github.com/git/git.git synced 2026-03-12 18:09:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'bb/imap-send-openssl-4.0-prep' into jch

Browse Source 
"imap-send" used to use functions whose use is going to be removed
with OpenSSL 4.0; rewrite them using public API that has been
available since OpenSSL 1.1 since 2016 or so.

Comments?

* bb/imap-send-openssl-4.0-prep:
  imap-send: move common code into function host_matches()
  imap-send: use the OpenSSL API to access the subject common name
  imap-send: use the OpenSSL API to access the subject alternative names
This commit is contained in:
Junio C Hamano
2026-03-11 17:23:14 -07:00
parent 1b2493afe8 6392a0b75d
commit 556f35fbc6
1 changed files with 22 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
imap-send.c
View File

@@ -219,8 +219,14 @@ static int ssl_socket_connect(struct imap_socket *sock UNUSED,
#else
static int host_matches(const char *host, const char *pattern)
static int host_matches(const char *host, const ASN1_STRING *asn1_str)
{
const char *pattern = (const char *)ASN1_STRING_get0_data(asn1_str);
/* embedded NUL characters may open a security hole */
if (memchr(pattern, '\0', ASN1_STRING_length(asn1_str)))
return 0;
if (pattern[0] == '*' && pattern[1] == '.') {
pattern += 2;
if (!(host = strchr(host, '.')))
@@ -233,9 +239,13 @@ static int host_matches(const char *host, const char *pattern)
static int verify_hostname(X509 *cert, const char *hostname)
{
int len;
#if (OPENSSL_VERSION_NUMBER >= 0x40000000L)
const X509_NAME *subj;
#else
X509_NAME *subj;
char cname[1000];
#endif
const X509_NAME_ENTRY *cname_entry;
const ASN1_STRING *cname;
int i, found;
STACK_OF(GENERAL_NAME) *subj_alt_names;
@@ -244,10 +254,11 @@ static int verify_hostname(X509 *cert, const char *hostname)
if ((subj_alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL))) {
int num_subj_alt_names = sk_GENERAL_NAME_num(subj_alt_names);
for (i = 0; !found && i < num_subj_alt_names; i++) {
int ntype;
GENERAL_NAME *subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i);
if (subj_alt_name->type == GEN_DNS &&
strlen((const char *)subj_alt_name->d.ia5->data) == (size_t)subj_alt_name->d.ia5->length &&
host_matches(hostname, (const char *)(subj_alt_name->d.ia5->data)))
ASN1_STRING *subj_alt_str = GENERAL_NAME_get0_value(subj_alt_name, &ntype);
if (ntype == GEN_DNS && host_matches(hostname, subj_alt_str))
found = 1;
}
sk_GENERAL_NAME_pop_free(subj_alt_names, GENERAL_NAME_free);
@@ -258,12 +269,14 @@ static int verify_hostname(X509 *cert, const char *hostname)
/* try the common name */
if (!(subj = X509_get_subject_name(cert)))
return error("cannot get certificate subject");
if ((len = X509_NAME_get_text_by_NID(subj, NID_commonName, cname, sizeof(cname))) < 0)
if ((i = X509_NAME_get_index_by_NID(subj, NID_commonName, -1)) < 0 ||
(cname_entry = X509_NAME_get_entry(subj, i)) == NULL ||
(cname = X509_NAME_ENTRY_get_data(cname_entry)) == NULL)
return error("cannot get certificate common name");
if (strlen(cname) == (size_t)len && host_matches(hostname, cname))
if (host_matches(hostname, cname))
return 0;
return error("certificate owner '%s' does not match hostname '%s'",
cname, hostname);
ASN1_STRING_get0_data(cname), hostname);
}
static int ssl_socket_connect(struct imap_socket *sock,