raster pushed a commit to branch master. http://git.enlightenment.org/core/efl.git/commit/?id=96d90fa5d655fcc18bfb6fc21a17f7b0f70cd586
commit 96d90fa5d655fcc18bfb6fc21a17f7b0f70cd586 Author: Carsten Haitzler (Rasterman) <ras...@rasterman.com> Date: Tue Dec 6 16:14:01 2016 +0900 efl_net check openssl x509 check o runtime dlsym checks this fixes T4814 --- src/lib/ecore_con/efl_net_ssl_conn-openssl.c | 57 +++++++++++++++++++++------- 1 file changed, 43 insertions(+), 14 deletions(-) diff --git a/src/lib/ecore_con/efl_net_ssl_conn-openssl.c b/src/lib/ecore_con/efl_net_ssl_conn-openssl.c index dbc540d..9572a34 100644 --- a/src/lib/ecore_con/efl_net_ssl_conn-openssl.c +++ b/src/lib/ecore_con/efl_net_ssl_conn-openssl.c @@ -13,6 +13,22 @@ # include <arpa/inet.h> #endif +#if defined HAVE_DLOPEN && ! defined _WIN32 +# include <dlfcn.h> +#endif + +#ifdef HAVE_EVIL +# include <Evil.h> +#endif + +#ifdef HAVE_ESCAPE +# include <Escape.h> +#endif + +#ifdef HAVE_EXOTIC +# include <Exotic.h> +#endif + /* OpenSSL's BIO is the abstraction for I/O, provide one for Efl.Io.* */ static int efl_net_socket_bio_create(BIO *b) 
@@ -390,33 +406,44 @@ efl_net_ssl_conn_read(Efl_Net_Ssl_Conn *conn, Eina_Rw_Slice *slice) return 0; } -#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT /* OpenSSL 1.0.2 introduced X509_check_host() and X509_check_ip_asc() * and with them the X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT define. */ static int -X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags, char **peername) +_replace_X509_check_host(X509 *x EINA_UNUSED, + const char *chk EINA_UNUSED, + size_t chklen EINA_UNUSED, + unsigned int flags EINA_UNUSED, + char **peername EINA_UNUSED) { ERR("your OpenSSL do not support X509_check_ip_asc() - no verification can be done"); return 0; - (void)x; - (void)chk; - (void)chklen; - (void)flags; - (void)peername; } static int -X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags) +_replace_X509_check_ip_asc(X509 *x EINA_UNUSED, + const char *ipasc EINA_UNUSED, + unsigned int flags EINA_UNUSED) { ERR("your OpenSSL do not support X509_check_ip_asc() - no verification can be done"); return 0; - (void)x; - (void)ipasc; - (void)flags; } -#endif +static int (*_sym_X509_check_host) (X509 *x, const char *chk, size_t chklen, unsigned int flags, char **peername) = NULL; +static int (*_sym_X509_check_ip_asc) (X509 *x, const char *ipasc, unsigned int flags) = NULL; + +static inline void +_X509_check_init(void) +{ + if (_sym_X509_check_host) return; +#ifdef HAVE_DLOPEN + _sym_X509_check_host = dlsym(NULL, "X509_check_host"); + _sym_X509_check_ip_asc = dlsym(NULL, "_X509_check_ip_asc"); + if (_sym_X509_check_host && _sym_X509_check_ip_asc) return; +#endif + _sym_X509_check_host = _replace_X509_check_host; + _sym_X509_check_ip_asc = _replace_X509_check_ip_asc; +} static Eina_Error _efl_net_ssl_conn_hostname_verify(Efl_Net_Ssl_Conn *conn) 
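Review bot: The second lookup in `_X509_check_init` asks for `"_X509_check_ip_asc"` with a leading underscore, which is not the name libcrypto exports, so `_sym_X509_check_ip_asc` stays NULL even on OpenSSL 1.0.2+, the `&&` test never passes, and both pointers are overwritten with the `_replace_*` stubs; the stubs return 0, so every hostname and IP check in `_efl_net_ssl_conn_hostname_verify` fails with a misleading "your OpenSSL do not support" log instead of using the real verifier (fail-closed, but the feature is effectively dead). The fix is the one-character change `_sym_X509_check_ip_asc = dlsym(NULL, "X509_check_ip_asc");`. While here, the `_replace_X509_check_host` stub also names `X509_check_ip_asc()` in its ERR() text, where it should say `X509_check_host()`. Passing NULL as the handle is only equivalent to `RTLD_DEFAULT` on glibc; on other platforms (macOS defines it as -2) the explicit `dlsym(RTLD_DEFAULT, ...)` is needed, which in turn requires `_GNU_SOURCE`/`_DARWIN_C_SOURCE` before `<dlfcn.h>`, and note that `<dlfcn.h>` is excluded on `_WIN32` while the `dlsym` calls are compiled under plain `HAVE_DLOPEN` — presumably Evil.h supplies a `dlsym` there, worth confirming. Because the verifier is now bound by a global-namespace name lookup, whichever loaded object first exports `X509_check_host` wins, so a host process carrying a second OpenSSL copy would silently supply the implementation; a short comment stating this assumption above `_X509_check_init` would help the next maintainer.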
@@ -440,16 +467,18 @@ _efl_net_ssl_conn_hostname_verify(Efl_Net_Ssl_Conn *conn) return EFL_NET_SOCKET_SSL_ERROR_HANDSHAKE; } + _X509_check_init(); + if (strchr(conn->hostname, ':')) family = AF_INET6; if (inet_pton(family, conn->hostname, &addr) == 1) { label = "IP address"; - r = X509_check_ip_asc(x509, conn->hostname, 0); + r = _sym_X509_check_ip_asc(x509, conn->hostname, 0); } else { label = "hostname"; - r = X509_check_host(x509, conn->hostname, 0, 0, NULL); + r = _sym_X509_check_host(x509, conn->hostname, 0, 0, NULL); } if (r != 1) --
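Review bot: Both calls still pass `flags = 0`, which with the real `X509_check_host` permits partial wildcards (e.g. `f*o.example.com`) and falls back to the subject CN when no DNS SANs are present; the flags are untouched by this commit, but since the call is being rewired anyway this is the place to tighten it to `_sym_X509_check_host(x509, conn->hostname, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL)`, guarded by `#ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS` because the headers this commit now tolerates (pre-1.0.2) do not define it and the stubs ignore flags anyway. The `_X509_check_init()` call is placed after the certificate-presence check above it, so the stubs' ERR() only fires once a peer certificate exists, which seems intended but deserves a one-line comment such as `/* resolve X509_check_* lazily; falls back to always-fail stubs on old OpenSSL */`. `_efl_net_ssl_conn_hostname_verify` continues past the end of this hunk, so the handling of `r != 1` for the stub's 0 return is outside view and should be confirmed to treat it as a verification failure rather than a missing-feature condition.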