[elinks/f19] verify server certificate hostname with nss_compat_ossl (#881411)
Kamil Dudka
kdudka at fedoraproject.org
Fri Oct 4 14:27:32 UTC 2013
commit f444529d8d345464550312f5b9345434d963523d
Author: Kamil Dudka <kdudka at redhat.com>
Date: Wed Sep 18 14:27:30 2013 +0200
verify server certificate hostname with nss_compat_ossl (#881411)
elinks-0.12pre6-ssl-hostname.patch | 70 ++++++++++++++++++++++++++++++++++++
elinks.spec | 9 ++++-
2 files changed, 78 insertions(+), 1 deletions(-)
---
diff --git a/elinks-0.12pre6-ssl-hostname.patch b/elinks-0.12pre6-ssl-hostname.patch
new file mode 100644
index 0000000..5a3820f
--- /dev/null
+++ b/elinks-0.12pre6-ssl-hostname.patch
@@ -0,0 +1,70 @@
+From cc428d37023b3f73458cf2054f19395035307045 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka at redhat.com>
+Date: Wed, 18 Sep 2013 13:42:40 +0200
+Subject: [PATCH] verify server certificate hostname with nss_compat_ossl
+
+Bug: https://bugzilla.redhat.com/881411
+---
+ src/network/ssl/socket.c | 32 ++++++++++++++++++++++++++++++++
+ 1 files changed, 32 insertions(+), 0 deletions(-)
+
+diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
+index 3265107..0aeb037 100644
+--- a/src/network/ssl/socket.c
++++ b/src/network/ssl/socket.c
+@@ -9,6 +9,9 @@
+ #define USE_OPENSSL
+ #elif defined(CONFIG_NSS_COMPAT_OSSL)
+ #include <nss_compat_ossl/nss_compat_ossl.h>
++#include <nspr.h> /* for PR_GetError() */
++#include <ssl.h> /* for SSL_SetURL() */
++#include "protocol/uri.h" /* for get_uri_string() */
+ #define USE_OPENSSL
+ #elif defined(CONFIG_GNUTLS)
+ #include <gnutls/gnutls.h>
+@@ -116,6 +119,19 @@ ssl_want_read(struct socket *socket)
+ }
+ }
+
++#ifdef CONFIG_NSS_COMPAT_OSSL
++/* wrap nss_compat_ossl to honour SSL_ERROR_BAD_CERT_DOMAIN */
++SECStatus BadCertHandler(void *arg, PRFileDesc *ssl);
++static SECStatus nss_bad_cert_hook(void *arg, PRFileDesc *ssl)
++{
++ if (SSL_ERROR_BAD_CERT_DOMAIN == PR_GetError())
++ return SECFailure;
++
++ /* fallback to the default hook of nss_compat_ossl */
++ return BadCertHandler(arg, ssl);
++}
++#endif
++
+ /* Return -1 on error, 0 or success. */
+ int
+ ssl_connect(struct socket *socket)
+@@ -127,6 +143,22 @@ ssl_connect(struct socket *socket)
+ return -1;
+ }
+
++#ifdef CONFIG_NSS_COMPAT_OSSL
++ /* fix for https://bugzilla.redhat.com/881411 */
++ {
++ struct connection *conn = socket->conn;
++ unsigned char *host = get_uri_string(conn->uri, URI_HOST);
++ if (!host
++ || SECSuccess != SSL_SetURL(socket->ssl, host)
++ || SECSuccess != SSL_BadCertHook(socket->ssl,
++ nss_bad_cert_hook, /* XXX */ NULL))
++ {
++ socket->ops->done(socket, connection_state(S_SSL_ERROR));
++ return -1;
++ }
++ }
++#endif
++
+ if (socket->no_tls)
+ ssl_set_no_tls(socket);
+
+--
+1.7.1
+
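Review bot: The `/* XXX */ NULL` handed to SSL_BadCertHook is forwarded unchanged as `arg` to nss_compat_ossl's BadCertHandler, an internal symbol the patch has to prototype by hand, so whatever context the library registered its own hook with is lost and every non-hostname certificate error is now decided by a handler running with a NULL it may dereference or read as "nothing to verify". As far as I recall NSS's default auth hook reports chain errors (unknown issuer, expiry) before it compares the name, so a certificate that is both untrusted and mis-named reaches this hook with the chain error rather than SSL_ERROR_BAD_CERT_DOMAIN and the outcome rests entirely on that fallback call; please confirm from the nss_compat_ossl source which `arg` it registers, pass the same, and replace the XXX with a comment saying so, e.g. `/* arg must match what nss_compat_ossl registers for BadCertHandler (currently NULL) */`. Also worth a comment is that the name check only fires if the library's auth-certificate hook honours SSL_SetURL(), which this hunk cannot show. Separately, `host` is never released: if get_uri_string() returns a heap copy, as ELinks' URI helpers generally do, add `mem_free(host);` once SSL_SetURL() has succeeded (NSS keeps its own copy). ssl_connect continues past the end of the hunk.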
diff --git a/elinks.spec b/elinks.spec
index 0ee0fa3..a41a5e3 100644
--- a/elinks.spec
+++ b/elinks.spec
@@ -3,7 +3,7 @@
Name: elinks
Summary: A text-mode Web browser
Version: 0.12
-Release: 0.34.%{prerel}%{?dist}
+Release: 0.35.%{prerel}%{?dist}
License: GPLv2
URL: http://elinks.or.cz
Group: Applications/Internet
@@ -42,6 +42,7 @@ Patch10: elinks-nss-inc.patch
Patch11: elinks-0.12pre5-js185.patch
Patch12: elinks-0.12pre5-ddg-search.patch
Patch13: elinks-0.12pre6-autoconf.patch
+Patch14: elinks-0.12pre6-ssl-hostname.patch
%description
Elinks is a text-based Web browser. Elinks does not display any images,
@@ -88,6 +89,9 @@ quickly and swiftly displays Web pages.
# add missing AC_LANG_PROGRAM around the first argument of AC_COMPILE_IFELSE
%patch13 -p1
+# verify server certificate hostname with nss_compat_ossl (#881411)
+%patch14 -p1
+
# remove bogus serial numbers
sed -i 's/^# *serial [AM0-9]*$//' acinclude.m4 config/m4/*.m4
@@ -156,6 +160,9 @@ exit 0
%{_mandir}/man5/*
%changelog
+* Wed Sep 18 2013 Kamil Dudka <kdudka at redhat.com> - 0.12-0.35.pre6
+- verify server certificate hostname with nss_compat_ossl (#881411)
+
* Mon Feb 25 2013 Kamil Dudka <kdudka at redhat.com> - 0.12-0.34.pre6
- update to latest upstream pre-release
- drop unneeded patches