ngircd/debian/patches/0005-S2S-TLS-OpenSSL-Always-setup-host-name-verification.patch

From 3ec63bec484149255268e691f29d4784177bc0ce Mon Sep 17 00:00:00 2001
From: Alexander Barton <alex@barton.de>
Date: Mon, 1 Jan 2024 19:58:35 +0100
Subject: [PATCH 05/20] S2S-TLS/OpenSSL: Always setup host name verification

Setup host name verification even when the "SSLVerify" option is
disabled, because even then the peer can present a valid certificate and
validation would always(!) fail because of the missing host name
verification setup.

(cherry picked from commit 84b019b11f761b71c8239d60e7f8db0b82a55df3)
---
 src/ngircd/conn-ssl.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -671,25 +671,27 @@
 	if (!ret)
 		return false;
 	Conn_OPTION_ADD(c, CONN_SSL_CONNECT);
+
 #ifdef HAVE_LIBSSL
 	assert(c->ssl_state.ssl);
-	if (s->SSLVerify) {
-		X509_VERIFY_PARAM *param = NULL;
-		param = SSL_get0_param(c->ssl_state.ssl);
-		X509_VERIFY_PARAM_set_hostflags(param,
-						X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-		int err = X509_VERIFY_PARAM_set1_host(param, s->host, 0);
-		if (err != 1) {
-			Log(LOG_ERR,
-			    "Cannot set up hostname verification for '%s': %u",
-			    s->host, err);
-			return false;
-		}
+
+	X509_VERIFY_PARAM *param = SSL_get0_param(c->ssl_state.ssl);
+	X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+	int err = X509_VERIFY_PARAM_set1_host(param, s->host, 0);
+	if (err != 1) {
+		Log(LOG_ERR,
+		    "Cannot set up hostname verification for '%s': %u",
+		    s->host, err);
+		return false;
+	}
+
+	if (s->SSLVerify)
 		SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_PEER,
 			       Verify_openssl);
-	} else
+	else
 		SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_NONE, NULL);
 #endif
+
 	return true;
 }