diff --git a/libesmtp.changes b/libesmtp.changes index f353a51..c3e4731 100644 --- a/libesmtp.changes +++ b/libesmtp.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Apr 28 08:16:43 UTC 2010 - freitag@novell.com + +- Add libestmp-commonname.diff to do stricter check on commonName + bnc#585393. + ------------------------------------------------------------------- Wed Aug 06 13:52:23 CEST 2008 - bwalle@suse.de diff --git a/libesmtp.spec b/libesmtp.spec index 73b7e89..e96abc8 100644 --- a/libesmtp.spec +++ b/libesmtp.spec @@ -1,7 +1,7 @@ # # spec file for package libesmtp (Version 1.0.4) # -# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,16 +21,18 @@ Name: libesmtp BuildRequires: openssl-devel Url: http://www.stafford.uklinux.net/libesmtp/ -License: GPL v2 or later; LGPL v2.1 or later +License: GPLv2+ ; LGPLv2.1+ Group: Development/Libraries/C and C++ Summary: A Library for Posting Electronic Mail Version: 1.0.4 -Release: 157 +Release: 171 BuildRoot: %{_tmppath}/%{name}-%{version}-build Source0: %{name}-%{version}.tar.bz2 Patch0: libesmtp-removedecls.diff Patch1: libesmtp-1.0.4-bloat.patch Patch2: libesmtp-1.0.4-multiple-cc.patch +# PATCH-FIX-UPSTREAM libestmp-commonname.diff bnc#585393 freitag@novell.com -- Stricter checking on CommonName +Patch3: libestmp-commonname.diff %description libESMTP is a library to manage posting (or submission of) electronic @@ -46,7 +48,7 @@ Authors: Brian Stafford %package devel -License: GPL v2 or later; LGPL v2.1 or later +License: GPLv2+ ; LGPLv2.1+ Summary: A Library for Posting Electronic Mail Group: Development/Libraries/C and C++ Requires: libesmtp = %{version} @@ -69,6 +71,7 @@ Authors: %patch0 %patch1 %patch2 -p1 +%patch3 %build autoreconf -fi @@ -104,31 +107,3 @@ rm -rf %{buildroot} %{_libdir}/libesmtp.*so %changelog -* Wed Aug 06 2008 bwalle@suse.de -- allow multiple calls of smtp_set_header() for Cc and Bcc headers -- disable lwres because we don't want to have a daemon (the lwresd) - running just for address resolution -* Tue Sep 04 2007 mrueckert@suse.de -- remove postfix from the buildrequires -- do not package generic INSTALL file -* Tue Sep 04 2007 crrodriguez@suse.de -- fix #307257 missing requires of the libesmtp-devel package -* Wed Jan 25 2006 mls@suse.de -- converted neededforbuild to BuildRequires -* Tue Jan 17 2006 lmichnovic@suse.cz -- Updated to version 1.0.4 -- enabled support for lwres: lwres_includedir.patch; bind-devel added into NFB -- enabled support for ntlm, etrn -* Wed Nov 02 2005 dmueller@suse.de -- don't build as root -* Tue Sep 27 2005 mls@suse.de -- move .so symlink into devel package -- make devel package require base package -* Sun May 08 2005 mmj@suse.de -- Don't declare things we have for sure on linux -* Fri Mar 26 2004 mmj@suse.de -- Add postfix to # neededforbuild -* Thu Feb 19 2004 sbrabec@suse.cz -- Updated to version 1.0.2. -* Wed Jul 30 2003 hhetter@suse.de -- initial SuSE package diff --git a/libestmp-commonname.diff b/libestmp-commonname.diff new file mode 100644 index 0000000..5dbe940 --- /dev/null +++ b/libestmp-commonname.diff @@ -0,0 +1,173 @@ +--- smtp-tls.c.orig 2005-12-15 18:59:49.000000000 +0000 ++++ smtp-tls.c 2010-03-17 01:15:06.000000000 +0000 +@@ -439,15 +439,32 @@ + match_component (const char *dom, const char *edom, + const char *ref, const char *eref) + { +- while (dom < edom && ref < eref) ++ /* If ref is the single character '*' then accept this as a wildcard ++ matching any valid domainname component, i.e. characters from the ++ range A-Z, a-z, 0-9, - or _ ++ NB this is more restrictive than RFC 2818 which allows multiple ++ wildcard characters in the component pattern */ ++ if (eref == ref + 1 && *ref == '*') ++ while (dom < edom) ++ { ++ if (!(isalnum (*dom) || *dom == '-' /*|| *dom == '_'*/)) ++ return 0; ++ dom++; ++ } ++ else + { +- /* Accept a final '*' in the reference as a wildcard */ +- if (*ref == '*' && ref + 1 == eref) +- break; +- /* compare the domain name case insensitive */ +- if (!(*dom == *ref || tolower (*dom) == tolower (*ref))) +- return 0; +- ref++, dom++; ++ while (dom < edom && ref < eref) ++ { ++ /* check for valid domainname character */ ++ if (!(isalnum (*dom) || *dom == '-' /*|| *dom == '_'*/)) ++ return 0; ++ /* compare the domain name case-insensitively */ ++ if (!(*dom == *ref || tolower (*dom) == tolower (*ref))) ++ return 0; ++ ref++, dom++; ++ } ++ if (dom < edom || ref < eref) ++ return 0; + } + return 1; + } +@@ -541,65 +560,83 @@ + } + else + { +- int i, j, extcount; ++ char buf[256] = { 0 }; ++ STACK_OF(GENERAL_NAME) *altnames; ++ int hasaltname = 0; + +- extcount = X509_get_ext_count (cert); +- for (i = 0; i < extcount; i++) ++ altnames = X509_get_ext_d2i (cert, NID_subject_alt_name, NULL, NULL); ++ if (altnames != NULL) + { +- const char *extstr; +- X509_EXTENSION *ext = X509_get_ext (cert, i); ++ int i; + +- extstr = OBJ_nid2sn (OBJ_obj2nid (X509_EXTENSION_get_object (ext))); +- if (strcmp (extstr, "subjectAltName") == 0) ++ for (i = 0; i < sk_GENERAL_NAME_num (altnames); ++i) + { +- unsigned char *data; +- STACK_OF(CONF_VALUE) *val; +- CONF_VALUE *nval; +- X509V3_EXT_METHOD *meth; +- void *ext_str = NULL; +- int stack_len; +- +- meth = X509V3_EXT_get (ext); +- if (meth == NULL) +- break; +- data = ext->value->data; +-#if (OPENSSL_VERSION_NUMBER > 0x00907000L) +- if (meth->it) +- ext_str = ASN1_item_d2i (NULL, &data, ext->value->length, +- ASN1_ITEM_ptr (meth->it)); +- else +-#endif +- ext_str = meth->d2i (NULL, &data, ext->value->length); +- val = meth->i2v (meth, ext_str, NULL); +- stack_len = sk_CONF_VALUE_num (val); +- for (j = 0; j < stack_len; j++) ++ GENERAL_NAME *name = sk_GENERAL_NAME_value (altnames, i); ++ ++ if (name->type == GEN_DNS) + { +- nval = sk_CONF_VALUE_value (val, j); +- if (strcmp (nval->name, "DNS") == 0 +- && match_domain (session->host, nval->value)) ++ const char *ia5str = (const char *) name->d.ia5->data; ++ int ia5len = name->d.ia5->length; ++ ++ hasaltname = 1; ++ if (strlen (ia5str) == ia5len ++ && match_domain (session->host, ia5str)) ++ ok = 1; ++ else + { +- ok = 1; +- break; ++ buf[0] = '\0'; ++ strncat (buf, ia5str, sizeof buf - 1); + } + } ++ // TODO: handle GEN_IPADD + } +- if (ok) +- break; ++ sk_GENERAL_NAME_pop_free (altnames, GENERAL_NAME_free); + } +- if (!ok) ++ ++ if (!hasaltname) + { +- /* Matching by subjectAltName failed, try commonName */ +- X509_NAME_get_text_by_NID (X509_get_subject_name (cert), +- NID_commonName, buf, sizeof buf); +- if (!match_domain (session->host, buf) != 0) ++ X509_NAME *subj = X509_get_subject_name (cert); ++ ++ if (subj != NULL) + { +- if (session->event_cb != NULL) +- (*session->event_cb) (session, SMTP_EV_WRONG_PEER_CERTIFICATE, +- session->event_cb_arg, &ok, buf, ssl); ++ ASN1_STRING *cn; ++ int idx, i = -1; ++ ++ do ++ { ++ idx = i; ++ i = X509_NAME_get_index_by_NID (subj, NID_commonName, i); ++ } ++ while (i >= 0); ++ ++ if (idx >= 0 ++ && (cn = X509_NAME_ENTRY_get_data ( ++ X509_NAME_get_entry (subj, idx) ++ )) != NULL) ++ { ++ unsigned char *str = NULL; ++ int len = ASN1_STRING_to_UTF8 (&str, cn); ++ ++ if (str != NULL) ++ { ++ if (strlen ((char *) str) == len ++ && match_domain (session->host, (char *) str)) ++ ok = 1; ++ else ++ { ++ buf[0] = '\0'; ++ strncat (buf, (char *) str, sizeof buf - 1); ++ } ++ OPENSSL_free (str); ++ } ++ } + } +- else +- ok = 1; + } ++ ++ if (!ok && session->event_cb != NULL) ++ (*session->event_cb) (session, SMTP_EV_WRONG_PEER_CERTIFICATE, ++ session->event_cb_arg, &ok, buf, ssl); ++ + X509_free (cert); + } + return ok; +