
[PATCH] mutt_ssl.c incorrect search for a matching hostname in TLS extensions.



Hi there,

Attached is a little patch against upstream
to fix the search for a matching hostname within the X509v3
Subject Alternative Names with a DNS type.

Without the fix mutt does not compare the hostname
with the good data of subj_alt_name, thus always failing over
to the Common Name of the certificate; causing mutt,
when the CN is not equal to the hostname, to always warn:

  Certificate host check failed: certificate owner does not match hostname <hostname>

Compiling also gives a warning:

  mutt_ssl.c: In function ‘check_host’:
  mutt_ssl.c:763: warning: passing argument 1 of ‘mutt_strlen’ from incompatible pointer type
  lib.h:193: note: expected ‘const char *’ but argument is of type ‘struct GENERAL_NAME *’

The fix consists only of passing to mutt_strlen
the same value that is passed to hostname_match thereafter,
i.e.: (char *)(subj_alt_name->d.ia5->data).

Hope that it will be fixed upstream soon,
 Julien Moutinho.
diff --git a/mutt_ssl.c b/mutt_ssl.c
index 1a45672..9a5fb37 100644
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -760,7 +760,7 @@ static int check_host (X509 *x509cert, const char 
*hostname, char *err, size_t e
       subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i);
       if (subj_alt_name->type == GEN_DNS)
       {
-       if (mutt_strlen(subj_alt_name) == subj_alt_name->d.ia5->length  &&
+       if (mutt_strlen((char *)(subj_alt_name->d.ia5->data)) == 
subj_alt_name->d.ia5->length  &&
            (match_found = hostname_match(hostname_ascii,
                                          (char 
*)(subj_alt_name->d.ia5->data))))
        {
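Review bot: the corrected `mutt_strlen((char *)(subj_alt_name->d.ia5->data))` now measures the actual name bytes, and its comparison against `subj_alt_name->d.ia5->length` is the check that rejects a SAN containing an embedded NUL byte (where the C string is shorter than the ASN.1 declared length); that is the reason the strlen call exists, so it is worth stating in the commit message so nobody later "simplifies" the condition away. The `(char *)` cast is consistent with the existing `hostname_match` argument two lines below. One practical point: as inlined here the patch has been wrapped by the mailer (the `@@ -760,7 +760,7 @@` header, the `+` line and the `(char *)(subj_alt_name->d.ia5->data))))` line are each split over two lines), so `git apply`/`patch` will reject it as is; please attach the patch file rather than pasting it, or re-send with line wrapping disabled.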

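As an added example (not part of this mail or of mutt's or OpenSSL's code) of why the patched condition compares the C-string length with the ASN.1 declared length before calling the matcher: a plain-C stand-in for a GEN_DNS entry. The `san_dns` type, the `san_dns_matches` function and the `dns_name_match` wildcard policy are assumptions of this example, not mutt's `hostname_match()`; the sample names are constructed and come from no real certificate.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for one GEN_DNS entry: the raw IA5String bytes and
 * the length the certificate's ASN.1 encoding declares for them (what
 * OpenSSL exposes as d.ia5->data and d.ia5->length). */
struct san_dns {
    const unsigned char *data;
    int length;
};

/* Assumed matching policy (simplified, not mutt's): case-insensitive exact
 * match, or a single leading "*." wildcard covering exactly one label. */
static bool dns_name_match(const char *name, const char *hostname)
{
    if (strncmp(name, "*.", 2) == 0) {
        const char *dot = strchr(hostname, '.');
        if (dot == NULL || dot == hostname)   /* wildcard needs a non-empty label */
            return false;
        return strcasecmp(name + 2, dot + 1) == 0;
    }
    return strcasecmp(name, hostname) == 0;
}

/* True only if the entry is a well-formed string of exactly the declared
 * length (no embedded NUL) and it matches the hostname. */
bool san_dns_matches(const struct san_dns *san, const char *hostname)
{
    const char *name = (const char *)san->data;
    if (san->length < 0)
        return false;
    /* The length guard from the patched condition: C string functions stop
     * at the first NUL, so a name like "mail.example.org\0attacker.test"
     * would otherwise be compared as "mail.example.org". strnlen is used
     * instead of strlen so no more than the declared bytes are read. */
    if (strnlen(name, (size_t)san->length) != (size_t)san->length)
        return false;
    return dns_name_match(name, hostname);
}

/* Constructed samples (not from any real certificate). */
static const unsigned char sample_plain[] = "mail.example.org";                  /* 16 bytes */
static const unsigned char sample_nul[]   = "mail.example.org\0attacker.test";   /* 30 bytes */
static const unsigned char sample_wild[]  = "*.example.org";                     /* 13 bytes */

bool sample_exact_match(void)
{
    struct san_dns san = { sample_plain, 16 };
    return san_dns_matches(&san, "MAIL.example.org");   /* true: case-insensitive */
}

bool sample_embedded_nul_rejected(void)
{
    struct san_dns san = { sample_nul, 30 };
    /* false: strnlen gives 16, the declared length is 30 */
    return san_dns_matches(&san, "mail.example.org");
}

bool sample_wildcard_one_label(void)
{
    struct san_dns san = { sample_wild, 13 };
    return san_dns_matches(&san, "imap.example.org") &&   /* one label: matches */
           !san_dns_matches(&san, "a.b.example.org") &&   /* two labels: no */
           !san_dns_matches(&san, "example.org");         /* zero labels: no */
}

int main(void)
{
    printf("exact match:          %s\n", sample_exact_match() ? "match" : "no match");
    printf("embedded NUL:         %s\n", sample_embedded_nul_rejected() ? "match" : "rejected");
    printf("wildcard, one label:  %s\n", sample_wildcard_one_label() ? "as expected" : "unexpected");
    return 0;
}
```

The point of the example is the order of the checks: the length comparison runs before any name comparison, so a certificate whose SAN carries bytes after a NUL is refused outright rather than silently matched on its truncated prefix.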