From af5d7d8263003d6f8f4d247c9efb6508e4e02450 Mon Sep 17 00:00:00 2001
From: Alejandro Romero Herrera
Date: Mon, 14 Sep 2020 01:30:55 +0300
Subject: [PATCH] Fix missing SSL hostname validation [MiM Vuln] fixes ConradIrwin/em-imap#25 Based on: https://github.com/lostisland/faraday/commit/63cf47c95b573539f047c729bd9ad67560bc83ff https://github.com/igrigorik/em-http-request/issues/339 ** missing file
---
 lib/em-imap/ssl_verifier.rb | 61 +++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 lib/em-imap/ssl_verifier.rb
diff --git a/lib/em-imap/ssl_verifier.rb b/lib/em-imap/ssl_verifier.rb
new file mode 100644
index 0000000..b2d77c6
--- /dev/null
+++ b/lib/em-imap/ssl_verifier.rb
@@ -0,0 +1,61 @@
+require 'openssl'
+
+module EventMachine
+ # Provides the ssl_verify_peer method to EM::IMAP::Connection to verify certificates
+ # for use in ssl connections
+ #
+ module IMAP
+ module Connection
+ def ssl_verify_peer(cert_string)
+ cert = nil
+ begin
+ cert = OpenSSL::X509::Certificate.new(cert_string)
+ rescue OpenSSL::X509::CertificateError
+ return false
+ end
+
+ @last_seen_cert = cert
+
+ if certificate_store.verify(@last_seen_cert)
+ begin
+ certificate_store.add_cert(@last_seen_cert)
+ rescue OpenSSL::X509::StoreError => e
+ raise e unless e.message == 'cert already in hash table'
+ end
+ true
+ else
+ raise OpenSSL::SSL::SSLError.new(%(unable to verify the server certificate for "#{host}"))
+ end
+ end
+
+ def ssl_handshake_completed
+ return true unless verify_peer?
+ unless OpenSSL::SSL.verify_certificate_identity(@last_seen_cert, host)
+ raise OpenSSL::SSL::SSLError.new(%(host "#{host}" does not match the server certificate))
+ else
+ true
+ end
+ end
+
+
+ def verify_peer?
+ true
+# parent.connopts.tls[:verify_peer]
+ end
+
+ def certificate_store
+ @certificate_store ||= begin
+ store = OpenSSL::X509::Store.new
+ store.set_default_paths
+# ca_file = parent.connopts.tls[:cert_chain_file]
+ ca_file = nil
+ store.add_file(ca_file) if ca_file
+ store
+ end
+
+
+ end
+ end
+ end
+end
+
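Review bot: `ssl_handshake_completed` passes `@last_seen_cert` to `verify_certificate_identity` without checking it was ever set, so if `ssl_verify_peer` was never invoked — EventMachine only calls it when `start_tls` is given `verify_peer: true`, and that call is outside this file — the hostname check dies with a `NoMethodError` inside the openssl library rather than the `SSLError` a caller would rescue. Add an explicit guard right after the `verify_peer?` early return, `raise OpenSSL::SSL::SSLError, %(no server certificate was seen for "#{host}") if @last_seen_cert.nil?`, so the fail-closed behaviour is deliberate and consistently typed. Both methods also call `host`, which this hunk does not define and which presumably comes from the rest of `Connection`, and the identity check assumes the leaf certificate is the last one EventMachine hands to `ssl_verify_peer` (the chain is walked root-first, which is what the Faraday/em-http pattern relies on) — a short comment on `@last_seen_cert` stating that assumption would help the next reader. The commented-out `parent.connopts.tls[...]` lines in `verify_peer?` and `certificate_store` are carried over from the Faraday source and make `ca_file = nil` and the `store.add_file` branch dead code; either remove them or wire the CA file to a real option on this connection. Finally, `e.message == 'cert already in hash table'` compares against an OpenSSL error string that differs between OpenSSL/Ruby-openssl versions (newer bindings do not raise on a duplicate add at all), so this rescue may silently stop matching; a comment noting the version dependence, or a broader `rescue OpenSSL::X509::StoreError` only around the duplicate case, would be more robust.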