libinterimap: make SSL_verify check the hostname as well.

More precisely, ensure that the certificate Subject Alternative Name
(SAN) or Subject CommonName (CN) matches the hostname or IP literal
specified by the 'host' option.  Previously it was only verifying the
chain of trust.

This bumps the minimum Net::SSLeay version to 1.83 and OpenSSL version
1.0.2.

1 files changed, 27 insertions, 5 deletions

diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index e3a539d..a0efcc1 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -24,7 +24,7 @@ use strict;
 use Compress::Raw::Zlib qw/Z_OK Z_STREAM_END Z_FULL_FLUSH Z_SYNC_FLUSH MAX_WBITS/;
 use Config::Tiny ();
 use Errno qw/EEXIST EINTR/;
-use Net::SSLeay 1.73 ();
+use Net::SSLeay 1.83 ();
 use List::Util qw/all first/;
 use POSIX ':signal_h';
 use Socket qw/SOCK_STREAM SOCK_RAW SOCK_CLOEXEC IPPROTO_TCP SHUT_RDWR
@@ -1691,6 +1691,7 @@ BEGIN {
 #   Upgrade the $socket to SSL/TLS.
 sub _start_ssl($$) {
     my ($self, $socket) = @_;
+    my $openssl_version = Net::SSLeay::OPENSSL_VERSION_NUMBER();
     my $ctx = Net::SSLeay::CTX_new() or $self->panic("Failed to create SSL_CTX $!");
     my $ssl_options = Net::SSLeay::OP_SINGLE_DH_USE() | Net::SSLeay::OP_SINGLE_ECDH_USE();
 
@@ -1733,25 +1734,46 @@ sub _start_ssl($$) {
             or $self->_ssl_error("Can't set cipher list");
     }
 
+    my $vpm = Net::SSLeay::X509_VERIFY_PARAM_new() or $self->_ssl_error("X509_VERIFY_PARAM_new()");
+    my $purpose = Net::SSLeay::X509_PURPOSE_SSL_SERVER();
+    $self->_ssl_error("X509_VERIFY_PARAM_set_purpose()") unless Net::SSLeay::X509_VERIFY_PARAM_set_purpose($vpm, $purpose) == 1;
+    $self->_ssl_error("CTX_set_purpose()") unless Net::SSLeay::CTX_set_purpose($ctx, $purpose) == 1;
+
     if ($self->{SSL_verify} // 1) {
-        # verify the certificate chain
+        # for X509_VERIFY_PARAM_set1_{ip,host}()
+        $self->panic("Failed requirement libssl >=1.0.2") if $openssl_version < 0x1000200f;
+
+        # verify certificate chain
         my ($file, $path) = ($self->{SSL_CAfile} // '', $self->{SSL_CApath} // '');
         if ($file ne '' or $path ne '') {
             Net::SSLeay::CTX_load_verify_locations($ctx, $file, $path)
                 or $self->_ssl_error("Can't load verify locations");
         }
+
+        # verify DNS hostname or IP literal
+        my $host = $self->{host} // $self->panic();
+        my ($hostip, $hostipfam) = _parse_hostip($host);
+        if (defined $hostipfam) {
+            my $addr = Socket::inet_pton($hostipfam, $hostip) // $self->panic();
+            $self->_ssl_error("X509_VERIFY_PARAM_set1_ip()")
+                unless Net::SSLeay::X509_VERIFY_PARAM_set1_ip($vpm, $addr) == 1;
+        } else {
+            $self->_ssl_error("X509_VERIFY_PARAM_set1_host()")
+                unless Net::SSLeay::X509_VERIFY_PARAM_set1_host($vpm, $host) == 1;
+        }
     }
     else {
         Net::SSLeay::CTX_set_verify_depth($ctx, 0);
     }
-    Net::SSLeay::CTX_set_purpose($ctx, Net::SSLeay::X509_PURPOSE_SSL_SERVER())
-        or $self->_ssl_error("Can't set purpose");
     Net::SSLeay::CTX_set_verify($ctx, Net::SSLeay::VERIFY_PEER(), sub($$) {$self->_ssl_verify(@_)});
+    $self->_ssl_error("CTX_SSL_set1_param()") unless Net::SSLeay::CTX_set1_param($ctx, $vpm) == 1;
 
     my $ssl = Net::SSLeay::new($ctx) or $self->fail("Can't create new SSL structure");
     Net::SSLeay::set_fd($ssl, fileno $socket) or $self->fail("SSL filehandle association failed");
     $self->_ssl_error("Can't initiate TLS/SSL handshake") unless Net::SSLeay::connect($ssl) == 1;
-    $self->panic("Couldn't verify") unless $self->{_SSL_PEER_VERIFIED}; # sanity check
+    $self->panic() unless $self->{_SSL_PEER_VERIFIED}; # sanity check
+    $self->panic() if ($self->{SSL_verify} // 1) and Net::SSLeay::get_verify_result($ssl) != Net::SSLeay::X509_V_OK();
+    Net::SSLeay::X509_VERIFY_PARAM_free($vpm);
 
     if ($self->{debug}) {
         my $v = Net::SSLeay::version($ssl);