| author | Sam Varshavchik | 2017-03-15 22:34:31 -0400 | 
|---|---|---|
| committer | Sam Varshavchik | 2017-03-15 22:34:31 -0400 | 
| commit | 5e522ab14f45c6f4f43c43e32a2f72fbf6354f1c (patch) | |
| tree | f8bcbf56caa4c6ae65ce16c93309c1a8f65271b7 | |
| parent | a448501abc675a55364eff75acce901e4685331e (diff) | |
| download | courier-libs-5e522ab14f45c6f4f43c43e32a2f72fbf6354f1c.tar.bz2 | |
Fix TLS verification when DNS lookup comes back with CNAMEs.
| -rw-r--r-- | rfc1035/rfc1035mxlist.c | 38 | ||||
| -rw-r--r-- | tcpd/libcouriertls.c | 3 | 
2 files changed, 30 insertions, 11 deletions
|
diff --git a/rfc1035/rfc1035mxlist.c b/rfc1035/rfc1035mxlist.c
index 2608a02..de2448e 100644
--- a/rfc1035/rfc1035mxlist.c
+++ b/rfc1035/rfc1035mxlist.c
@@ -179,18 +179,35 @@ static int harvest_records(struct rfc1035_res *res,
 	int q_type, int *found,
 	int flags, int port)
 {
-struct rfc1035_reply *areply=0;
-int index;
+	char	lookup_name[RFC1035_MAXNAMESIZE+1];
+
+	struct rfc1035_reply *areply=0;
+	int index;
 #if	RFC1035_IPV6
-struct in6_addr in;
+	struct in6_addr in;
 #else
-struct in_addr in;
+	struct in_addr in;
 #endif
+	/*
+	** Make a copy of mxname, because resolve_cname modifies it.
+	** That is rather rude, since harvest_records gets called multiple
+	** times.
+	**
+	** We still need to know what resolve_cname() did, since
+	** after resolve_cname() we call replysearch_all(), which needs to
+	** have the same hostname.
+	**
+	** mxname always points to a char[RFC1035_MAXNAMESIZE_1], so what's
+	** good for the goose is good for the gander.
+	*/
+
+	strcpy(lookup_name, mxname);
+
 	index= -1;
 	if (!mxreply || (
-		((index=rfc1035_replysearch_all( res, mxreply, mxname,
+		((index=rfc1035_replysearch_all( res, mxreply, lookup_name,
 					q_type,
 					RFC1035_CLASS_IN,
 					0)) < 0 ||
@@ -198,7 +215,7 @@ struct in_addr in;
 		&& (flags & HARVEST_AUTOQUERY))
 		)
 	{
-		index=rfc1035_resolve_cname(res, mxname,
+		index=rfc1035_resolve_cname(res, lookup_name,
 			q_type,
 			RFC1035_CLASS_IN, &areply, RFC1035_X_RANDOMIZE);
 		if (index < 0)
@@ -223,10 +240,11 @@ struct in_addr in;
 	}
 	for ( ; index >= 0 ;
-			index=rfc1035_replysearch_all( res, mxreply, mxname,
-					q_type,
-					RFC1035_CLASS_IN,
-					index+1))
+			index=rfc1035_replysearch_all( res, mxreply,
+						       lookup_name,
+						       q_type,
+						       RFC1035_CLASS_IN,
+						       index+1))
 	{
 		if (mxreply->allrrs[index]->rrtype != q_type)
 			continue;
diff --git a/tcpd/libcouriertls.c b/tcpd/libcouriertls.c
index 367cbba..321b812 100644
--- a/tcpd/libcouriertls.c
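Review bot: `strcpy(lookup_name, mxname)` is an unbounded copy into the fixed `char lookup_name[RFC1035_MAXNAMESIZE+1]`, and the only thing bounding it is the comment's claim that every caller hands in a buffer of that size; `mxname` is declared in the part of harvest_records's parameter list that lies before the hunk, so nothing in this function enforces it. Since `lookup_name` is what `rfc1035_replysearch_all` and `rfc1035_resolve_cname` now match on, an over-long name should be rejected before the copy rather than overflow the stack buffer, e.g. `if (strlen(mxname) > RFC1035_MAXNAMESIZE) return <the error value harvest_records already uses on lookup failure>;` (the function's return convention is not visible in the hunk, so confirm it). The comment's `char[RFC1035_MAXNAMESIZE_1]` should read `char[RFC1035_MAXNAMESIZE+1]` to match the declaration it refers to. The second and third hunks only switch the same two calls from `mxname` to `lookup_name` and raise nothing further; harvest_records's body continues past all three.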
+++ b/tcpd/libcouriertls.c
@@ -778,6 +778,7 @@ SSL_CTX *tls_create_int(int isserver, const struct tls_info *info,
 				closedir(dirp);
                 }
 	}
+
 	SSL_CTX_set_verify(ctx, get_peer_verify_level(info),
 			   ssl_verify_callback);
@@ -1487,7 +1488,7 @@ void tls_dump_connection_info(ssl_handle ssl,
 		for (i=0; peer_cert_chain && i<sk_X509_num(peer_cert_chain);
 		     i++)
-			dump_x509((X509 *)sk_X509_value(peer_cert_chain,0),
+			dump_x509((X509 *)sk_X509_value(peer_cert_chain, i),
 				  dump_func, dump_arg);
 	}
|
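Review bot: The `sk_X509_value(peer_cert_chain, i)` fix in `tls_dump_connection_info` changes only what gets logged — before it every iteration dumped entry 0, so chain dumps showed the leaf certificate repeated and never the intermediates — yet the commit title mentions only TLS verification with CNAMEs, so a reader will hunt for a connection that is not there; a one-line mention in the description, or a comment such as `/* dump every entry of the chain, not just the leaf */` above the call, would make clear this is a diagnostic fix and that earlier chain logs cannot be trusted to show intermediates. If the OpenSSL versions targeted define `sk_X509_value` as returning `X509 *`, the `(X509 *)` cast is redundant and dropping it lets the compiler catch a type mismatch instead of hiding one. The enclosing function and the declaration of `i` lie before the hunk; the preceding hunk in this file is a blank-line change and raises nothing.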
