projects / claws.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Switch core from strerror to g_strerror
[claws.git] / src / common / ssl_certificate.c
diff --git a/src/common/ssl_certificate.c b/src/common/ssl_certificate.c
index a8070cbc42742ece25a402761018c243721ff939..013f96ed660635b757b9734e14985d1a0c77fa25 100644 (file)
--- a/src/common/ssl_certificate.c
+++ b/src/common/ssl_certificate.c
@@ -1,6 +1,6 @@
 /*
  * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
- * Copyright (C) 1999-2007 Colin Leroy <colin@colino.net> 
+ * Copyright (C) 1999-2015 Colin Leroy <colin@colino.net>
  * and the Claws Mail team
  *
  * This program is free software; you can redistribute it and/or modify
@@ -15,11 +15,12 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
- * 
+ *
  */
 
 #ifdef HAVE_CONFIG_H
 #  include "config.h"
+#include "claws-features.h"
 #endif
 
 #ifdef USE_GNUTLS
@@ -33,6 +34,7 @@
 #include <stdio.h>
 #include <glib.h>
 #include <glib/gi18n.h>
+#include <errno.h>
 #ifdef G_OS_WIN32
 #  include <winsock2.h>
 #else
@@ -63,50 +65,14 @@ static gchar *get_certificate_path(const gchar *host, const gchar *port, const g
                          host, ".", port, ".cert", NULL);
 }
 
-static SSLCertificate *ssl_certificate_new_lookup(gnutls_x509_crt x509_cert, gchar *host, gushort port, gboolean lookup);
-static char * get_fqdn(char *host)
+static gchar *get_certificate_chain_path(const gchar *host, const gchar *port, const gchar *fp)
 {
-#ifdef INET6
-        gint gai_err;
-        struct addrinfo hints, *res;
-#else
-       struct hostent *hp;
-#endif
+       gchar *tmp = get_certificate_path(host, port, fp);
+       gchar *result = g_strconcat(tmp, ".chain", NULL);
 
-       if (host == NULL || strlen(host) == 0)
-               return g_strdup("");
-#ifdef INET6
-        memset(&hints, 0, sizeof(hints));
-        hints.ai_flags = AI_CANONNAME;
-        hints.ai_family = AF_UNSPEC;
-        hints.ai_socktype = SOCK_STREAM;
-        hints.ai_protocol = IPPROTO_TCP;
-
-        gai_err = getaddrinfo(host, NULL, &hints, &res);
-        if (gai_err != 0) {
-                g_warning("getaddrinfo for %s failed: %s\n",
-                          host, gai_strerror(gai_err));
-               return g_strdup(host);
-        }
-       if (res != NULL) {
-               if (res->ai_canonname && strlen(res->ai_canonname)) {
-                       gchar *fqdn = g_strdup(res->ai_canonname);
-                       freeaddrinfo(res);
-                       return fqdn;
-               } else {
-                       freeaddrinfo(res);
-                       return g_strdup(host);
-               }
-       } else {
-               return g_strdup(host);
-       }
-#else
-       hp = my_gethostbyname(host);
-       if (hp == NULL)
-               return g_strdup(host); /*caller should free*/
-       else 
-               return g_strdup(hp->h_name);
-#endif
+       g_free(tmp);
+
+       return result;
 }
 
 char * readable_fingerprint(unsigned char *src, int len) 
@@ -132,12 +98,13 @@ char * readable_fingerprint(unsigned char *src, int len)
 }
 
 #if USE_GNUTLS
-static gnutls_x509_crt x509_crt_copy(gnutls_x509_crt src)
+static gnutls_x509_crt_t x509_crt_copy(gnutls_x509_crt_t src)
 {
     int ret;
     size_t size;
-    gnutls_datum tmp;
-    gnutls_x509_crt dest;
+    gnutls_datum_t tmp;
+    gnutls_x509_crt_t dest;
+    size = 0;
     
     if (gnutls_x509_crt_init(&dest) != 0) {
        g_warning("couldn't gnutls_x509_crt_init\n");
@@ -173,7 +140,7 @@ static gnutls_x509_crt x509_crt_copy(gnutls_x509_crt src)
 }
 #endif
 
-static SSLCertificate *ssl_certificate_new_lookup(gnutls_x509_crt x509_cert, gchar *host, gushort port, gboolean lookup)
+static SSLCertificate *ssl_certificate_new(gnutls_x509_crt_t x509_cert, const gchar *host, gushort port)
 {
        SSLCertificate *cert = g_new0(SSLCertificate, 1);
        size_t n;
@@ -185,37 +152,34 @@ static SSLCertificate *ssl_certificate_new_lookup(gnutls_x509_crt x509_cert, gch
        }
        cert->x509_cert = x509_crt_copy(x509_cert);
        cert->status = (guint)-1;
-       if (lookup)
-               cert->host = get_fqdn(host);
-       else
-               cert->host = g_strdup(host);
+       cert->host = g_strdup(host);
        cert->port = port;
        
        /* fingerprint */
-       n = 128;
+       n = sizeof(md);
        gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_MD5, md, &n);
        cert->fingerprint = readable_fingerprint(md, (int)n);
        return cert;
 }
 
-#ifdef USE_GNUTLS
-static void gnutls_i2d_X509_fp(FILE *fp, gnutls_x509_crt x509_cert)
+static void gnutls_export_X509_fp(FILE *fp, gnutls_x509_crt_t x509_cert, gnutls_x509_crt_fmt_t format)
 {
        char output[10*1024];
        size_t cert_size = 10*1024;
        int r;
        
-       if ((r = gnutls_x509_crt_export(x509_cert, GNUTLS_X509_FMT_DER, output, &cert_size)) < 0) {
+       if ((r = gnutls_x509_crt_export(x509_cert, format, output, &cert_size)) < 0) {
                g_warning("couldn't export cert %s (%zd)\n", gnutls_strerror(r), cert_size);
                return;
        }
+
        debug_print("writing %zd bytes\n",cert_size);
        if (fwrite(&output, 1, cert_size, fp) < cert_size) {
-               g_warning("failed to write cert\n");
+               g_warning("failed to write cert: %d %s\n", errno, g_strerror(errno));
        }
 }
 
-size_t gnutls_i2d_X509(gnutls_x509_crt x509_cert, unsigned char **output)
+size_t gnutls_i2d_X509(gnutls_x509_crt_t x509_cert, unsigned char **output)
 {
        size_t cert_size = 10*1024;
        int r;
@@ -234,7 +198,7 @@ size_t gnutls_i2d_X509(gnutls_x509_crt x509_cert, unsigned char **output)
        return cert_size;
 }
 
-size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey pkey, unsigned char **output)
+size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey_t pkey, unsigned char **output)
 {
        size_t key_size = 10*1024;
        int r;
@@ -253,40 +217,81 @@ size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey pkey, unsigned char **output)
        return key_size;
 }
 
-static gnutls_x509_crt gnutls_d2i_X509_fp(FILE *fp, int format)
+static int gnutls_import_X509_list_fp(FILE *fp, gnutls_x509_crt_fmt_t format,
+                                  gnutls_x509_crt_t **cert_list, gint *num_certs)
 {
-       gnutls_x509_crt cert = NULL;
-       gnutls_datum tmp;
+       gnutls_x509_crt_t *crt_list;
+       unsigned int max = 512;
+       unsigned int flags = 0;
+       gnutls_datum_t tmp;
        struct stat s;
        int r;
+
+       *cert_list = NULL;
+       *num_certs = 0;
+
+       if (fp == NULL)
+               return -ENOENT;
+
        if (fstat(fileno(fp), &s) < 0) {
                perror("fstat");
-               return NULL;
+               return -errno;
        }
+
+       crt_list=(gnutls_x509_crt_t*)malloc(max*sizeof(gnutls_x509_crt_t));
        tmp.data = malloc(s.st_size);
        memset(tmp.data, 0, s.st_size);
        tmp.size = s.st_size;
        if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
                perror("fread");
                free(tmp.data);
-               return NULL;
+               free(crt_list);
+               return -EIO;
        }
 
-       gnutls_x509_crt_init(&cert);
-       if ((r = gnutls_x509_crt_import(cert, &tmp, (format == 0)?GNUTLS_X509_FMT_DER:GNUTLS_X509_FMT_PEM)) < 0) {
+       if ((r = gnutls_x509_crt_list_import(crt_list, &max, 
+                       &tmp, format, flags)) < 0) {
                debug_print("cert import failed: %s\n", gnutls_strerror(r));
-               gnutls_x509_crt_deinit(cert);
-               cert = NULL;
+               free(tmp.data);
+               free(crt_list);
+               return r;
        }
        free(tmp.data);
-       debug_print("got cert! %p\n", cert);
+       debug_print("got %d certs in crt_list! %p\n", max, &crt_list);
+
+       *cert_list = crt_list;
+       *num_certs = max;
+
+       return r;
+}
+
+/* return one certificate, read from file */
+static gnutls_x509_crt_t gnutls_import_X509_fp(FILE *fp, gnutls_x509_crt_fmt_t format)
+{
+       gnutls_x509_crt_t *certs = NULL;
+       gnutls_x509_crt_t cert = NULL;
+       int i, ncerts, r;
+
+       if ((r = gnutls_import_X509_list_fp(fp, format, &certs, &ncerts)) < 0) {
+               return NULL;
+       }
+
+       if (ncerts == 0)
+               return NULL;
+
+       for (i = 1; i < ncerts; i++)
+               gnutls_x509_crt_deinit(certs[i]);
+
+       cert = certs[0];
+       free(certs);
+
        return cert;
 }
 
-static gnutls_x509_privkey gnutls_d2i_key_fp(FILE *fp, int format)
+static gnutls_x509_privkey_t gnutls_import_key_fp(FILE *fp, gnutls_x509_crt_fmt_t format)
 {
-       gnutls_x509_privkey key = NULL;
-       gnutls_datum tmp;
+       gnutls_x509_privkey_t key = NULL;
+       gnutls_datum_t tmp;
        struct stat s;
        int r;
        if (fstat(fileno(fp), &s) < 0) {
@@ -303,7 +308,7 @@ static gnutls_x509_privkey gnutls_d2i_key_fp(FILE *fp, int format)
        }
 
        gnutls_x509_privkey_init(&key);
-       if ((r = gnutls_x509_privkey_import(key, &tmp, (format == 0)?GNUTLS_X509_FMT_DER:GNUTLS_X509_FMT_PEM)) < 0) {
+       if ((r = gnutls_x509_privkey_import(key, &tmp, format)) < 0) {
                debug_print("key import failed: %s\n", gnutls_strerror(r));
                gnutls_x509_privkey_deinit(key);
                key = NULL;
@@ -313,29 +318,32 @@ static gnutls_x509_privkey gnutls_d2i_key_fp(FILE *fp, int format)
        return key;
 }
 
-static gnutls_pkcs12_t gnutls_d2i_PKCS12_fp(FILE *fp, int format)
+static gnutls_pkcs12_t gnutls_import_PKCS12_fp(FILE *fp, gnutls_x509_crt_fmt_t format)
 {
        gnutls_pkcs12_t p12 = NULL;
-       gnutls_datum tmp;
+       gnutls_datum_t tmp;
        struct stat s;
        int r;
        if (fstat(fileno(fp), &s) < 0) {
-               perror("fstat");
+               log_error(LOG_PROTOCOL, _("Cannot stat P12 certificate file (%s)\n"),
+                                 g_strerror(errno));
                return NULL;
        }
        tmp.data = malloc(s.st_size);
        memset(tmp.data, 0, s.st_size);
        tmp.size = s.st_size;
        if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
-               perror("fread");
+               log_error(LOG_PROTOCOL, _("Cannot read P12 certificate file (%s)\n"),
+                                 g_strerror(errno));
                free(tmp.data);
                return NULL;
        }
 
        gnutls_pkcs12_init(&p12);
 
-       if ((r = gnutls_pkcs12_import(p12, &tmp, (format == 0)?GNUTLS_X509_FMT_DER:GNUTLS_X509_FMT_PEM,0)) < 0) {
-               g_warning("p12 import failed: %s\n", gnutls_strerror(r));
+       if ((r = gnutls_pkcs12_import(p12, &tmp, format, 0)) < 0) {
+               log_error(LOG_PROTOCOL, _("Cannot import P12 certificate file (%s)\n"),
+                                 gnutls_strerror(r));
                gnutls_pkcs12_deinit(p12);
                p12 = NULL;
        }
@@ -344,8 +352,6 @@ static gnutls_pkcs12_t gnutls_d2i_PKCS12_fp(FILE *fp, int format)
        return p12;
 }
 
-#endif
-
 static void ssl_certificate_save (SSLCertificate *cert)
 {
        gchar *file, *port;
@@ -368,11 +374,9 @@ static void ssl_certificate_save (SSLCertificate *cert)
                debug_print("Can't save certificate !\n");
                return;
        }
-#ifdef USE_GNUTLS
-       gnutls_i2d_X509_fp(fp, cert->x509_cert);
-#else
-       i2d_X509_fp(fp, cert->x509_cert);
-#endif
+
+       gnutls_export_X509_fp(fp, cert->x509_cert, GNUTLS_X509_FMT_DER);
+
        g_free(file);
        fclose(fp);
 
@@ -399,40 +403,32 @@ void ssl_certificate_delete_from_disk(SSLCertificate *cert)
        file = get_certificate_path(cert->host, buf, cert->fingerprint);
        claws_unlink (file);
        g_free(file);
+       file = get_certificate_chain_path(cert->host, buf, cert->fingerprint);
+       claws_unlink (file);
+       g_free(file);
        g_free(buf);
 }
 
-SSLCertificate *ssl_certificate_find (gchar *host, gushort port, const gchar *fingerprint)
-{
-       return ssl_certificate_find_lookup (host, port, fingerprint, TRUE);
-}
-
-SSLCertificate *ssl_certificate_find_lookup (gchar *host, gushort port, const gchar *fingerprint, gboolean lookup)
+SSLCertificate *ssl_certificate_find (const gchar *host, gushort port, const gchar *fingerprint)
 {
        gchar *file = NULL;
        gchar *buf;
-       gchar *fqdn_host;
        SSLCertificate *cert = NULL;
-       gnutls_x509_crt tmp_x509;
+       gnutls_x509_crt_t tmp_x509;
        FILE *fp = NULL;
        gboolean must_rename = FALSE;
 
-       if (lookup)
-               fqdn_host = get_fqdn(host);
-       else
-               fqdn_host = g_strdup(host);
-
        buf = g_strdup_printf("%d", port);
        
        if (fingerprint != NULL) {
-               file = get_certificate_path(fqdn_host, buf, fingerprint);
+               file = get_certificate_path(host, buf, fingerprint);
                fp = g_fopen(file, "rb");
        }
        if (fp == NULL) {
                /* see if we have the old one */
                debug_print("didn't get %s\n", file);
                g_free(file);
-               file = get_certificate_path(fqdn_host, buf, NULL);
+               file = get_certificate_path(host, buf, NULL);
                fp = g_fopen(file, "rb");
 
                if (fp) {
@@ -444,29 +440,28 @@ SSLCertificate *ssl_certificate_find_lookup (gchar *host, gushort port, const gc
        }
        if (fp == NULL) {
                g_free(file);
-               g_free(fqdn_host);
                g_free(buf);
                return NULL;
        }
        
-       if ((tmp_x509 = gnutls_d2i_X509_fp(fp, 0)) != NULL) {
-               cert = ssl_certificate_new_lookup(tmp_x509, fqdn_host, port, lookup);
+       if ((tmp_x509 = gnutls_import_X509_fp(fp, GNUTLS_X509_FMT_DER)) != NULL) {
+               cert = ssl_certificate_new(tmp_x509, host, port);
                debug_print("got cert %p\n", cert);
                gnutls_x509_crt_deinit(tmp_x509);
        }
+
        fclose(fp);
        g_free(file);
        
        if (must_rename) {
-               gchar *old = get_certificate_path(fqdn_host, buf, NULL);
-               gchar *new = get_certificate_path(fqdn_host, buf, fingerprint);
+               gchar *old = get_certificate_path(host, buf, NULL);
+               gchar *new = get_certificate_path(host, buf, fingerprint);
                if (strcmp(old, new))
                        move_file(old, new, TRUE);
                g_free(old);
                g_free(new);
        }
        g_free(buf);
-       g_free(fqdn_host);
 
        return cert;
 }
@@ -493,8 +488,8 @@ static gboolean ssl_certificate_compare (SSLCertificate *cert_a, SSLCertificate
                return FALSE;
        }
 
-       output_a = malloc(cert_size_a);
-       output_b = malloc(cert_size_b);
+       output_a = g_malloc(cert_size_a);
+       output_b = g_malloc(cert_size_b);
        if ((r = gnutls_x509_crt_export(cert_a->x509_cert, GNUTLS_X509_FMT_DER, output_a, &cert_size_a)) < 0) {
                g_warning("couldn't gnutls_x509_crt_export a %s\n", gnutls_strerror(r));
                g_free(output_a);
@@ -525,54 +520,87 @@ static gboolean ssl_certificate_compare (SSLCertificate *cert_a, SSLCertificate
        return TRUE;
 }
 
-static guint check_cert(gnutls_x509_crt cert)
+static guint check_cert(SSLCertificate *cert)
 {
-       gnutls_x509_crt *ca_list;
-       unsigned int max = 512;
+       gnutls_x509_crt_t *ca_list = NULL;
+       gnutls_x509_crt_t *chain = NULL;
+       unsigned int max_ca = 512, max_certs;
        unsigned int flags = 0;
-       gnutls_datum tmp;
-       struct stat s;
        int r, i;
        unsigned int status;
+       gchar *chain_file = NULL, *buf = NULL;
        FILE *fp;
 
        if (claws_ssl_get_cert_file())
-               fp = fopen(claws_ssl_get_cert_file(), "r");
+               fp = g_fopen(claws_ssl_get_cert_file(), "r");
        else
                return (guint)-1;
 
-       if (fstat(fileno(fp), &s) < 0) {
-               perror("fstat");
-               fclose(fp);
+       if (fp == NULL)
                return (guint)-1;
-       }
 
-       ca_list=(gnutls_x509_crt_t*)malloc(max*sizeof(gnutls_x509_crt_t));
-       tmp.data = malloc(s.st_size);
-       memset(tmp.data, 0, s.st_size);
-       tmp.size = s.st_size;
-       if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
-               perror("fread");
-               free(tmp.data);
-               free(ca_list);
+       if ((r = gnutls_import_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &ca_list, &max_ca)) < 0) {
+               debug_print("CA import failed: %s\n", gnutls_strerror(r));
                fclose(fp);
                return (guint)-1;
        }
-
-       if ((r = gnutls_x509_crt_list_import(ca_list, &max, 
-                       &tmp, GNUTLS_X509_FMT_PEM, flags)) < 0) {
-               debug_print("cert import failed: %s\n", gnutls_strerror(r));
-               free(tmp.data);
-               free(ca_list);
+       fclose(fp);
+       fp = NULL;
+       
+       buf = g_strdup_printf("%d", cert->port);
+       chain_file = get_certificate_chain_path(cert->host, buf, cert->fingerprint);
+       g_free(buf);
+       if (is_file_exist(chain_file)) {
+               unsigned char md[128];
+               size_t n;
+               char *fingerprint;
+
+               fp = g_fopen(chain_file, "r");
+               if (fp == NULL) {
+                       debug_print("fopen %s failed: %s\n", chain_file, g_strerror(errno));
+                       g_free(chain_file);
+                       return (guint)-1;
+               }
+               if ((r = gnutls_import_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &chain, &max_certs)) < 0) {
+                       debug_print("chain import failed: %s\n", gnutls_strerror(r));
+                       fclose(fp);
+                       g_free(chain_file);
+                       return (guint)-1;
+               }
+               g_free(chain_file);
                fclose(fp);
-               return (guint)-1;
+               fp = NULL;
+
+               gnutls_x509_crt_get_fingerprint(chain[0], GNUTLS_DIG_MD5, md, &n);
+               fingerprint = readable_fingerprint(md, n);
+               if (!fingerprint || strcmp(fingerprint, cert->fingerprint)) {
+                       debug_print("Saved chain fingerprint does not match current : %s / %s",
+                               cert->fingerprint, fingerprint);
+                               
+                       return (guint)-1;
+               }
+               g_free(fingerprint);
+
+               r = gnutls_x509_crt_list_verify (chain,
+                                    max_certs,
+                                    ca_list, max_ca,
+                                    NULL, 0,
+                                    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+                                    &status);
+               if (r < 0)
+                       debug_print("chain check failed: %s\n", gnutls_strerror(r));
+
+               for (i = 0; i < max_certs; i++)
+                       gnutls_x509_crt_deinit(chain[i]);
+               free(chain);
+
+       } else {
+               r = gnutls_x509_crt_verify(cert->x509_cert, ca_list, max_ca, flags, &status);
+               if (r < 0)
+                       debug_print("cert check failed: %s\n", gnutls_strerror(r));
        }
-       free(tmp.data);
-       debug_print("got %d certs in ca_list! %p\n", max, &ca_list);
-       r = gnutls_x509_crt_verify(cert, ca_list, max, flags, &status);
-       fclose(fp);
 
-       for (i = 0; i < max; i++)
+       for (i = 0; i < max_ca; i++)
                gnutls_x509_crt_deinit(ca_list[i]);
        free(ca_list);
 
@@ -583,15 +611,31 @@ static guint check_cert(gnutls_x509_crt cert)
 
 }
 
-char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status) 
+static gboolean ssl_certificate_is_valid(SSLCertificate *cert, guint status)
+{
+       gchar *str_status = ssl_certificate_check_signer(cert, status);
+
+       if (str_status != NULL) {
+               g_free(str_status);
+               return FALSE;
+       }
+       return ssl_certificate_check_subject_cn(cert);
+}
+
+char *ssl_certificate_check_signer (SSLCertificate *cert, guint status) 
 {
+       gnutls_x509_crt_t x509_cert = cert ? cert->x509_cert : NULL;
+
+       if (!cert) 
+               return g_strdup(_("Internal error"));
+
        if (status == (guint)-1) {
                status = check_cert(cert);
                if (status == -1)
                        return g_strdup(_("Uncheckable"));
        }
        if (status & GNUTLS_CERT_INVALID) {
-               if (gnutls_x509_crt_check_issuer(cert, cert))
+               if (gnutls_x509_crt_check_issuer(x509_cert, x509_cert))
                        return g_strdup(_("Self-signed certificate"));
        }
        if (status & GNUTLS_CERT_REVOKED)
@@ -605,52 +649,92 @@ char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status)
        return NULL;
 }
 
-gboolean ssl_certificate_check (gnutls_x509_crt x509_cert, guint status, gchar *fqdn, gchar *host, gushort port)
+static void ssl_certificate_save_chain(gnutls_x509_crt_t *certs, gint len, const gchar *host, gushort port)
+{
+       gint i;
+       gchar *file = NULL;
+       FILE *fp = NULL;
+       
+       for (i = 0; i < len; i++) {
+               size_t n;
+               unsigned char md[128];  
+               gnutls_x509_crt_t cert = certs[i];
+               gchar *fingerprint;
+
+               if (i == 0) {
+                       n = sizeof(md);
+                       gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_MD5, md, &n);
+                       fingerprint = readable_fingerprint(md, n);
+                       gchar *buf = g_strdup_printf("%d", port);
+
+                       file = get_certificate_chain_path(host, buf, fingerprint);
+
+                       g_free(buf);
+
+                       fp = g_fopen(file, "wb");
+                       if (fp == NULL) {
+                               g_free(file);
+                               debug_print("Can't save certificate !\n");
+                               return;
+                       }
+                       g_free(file);
+               }
+
+               gnutls_export_X509_fp(fp, cert, GNUTLS_X509_FMT_PEM);
+
+       }
+       if (fp)
+               fclose(fp);
+}
+
+gboolean ssl_certificate_check (gnutls_x509_crt_t x509_cert, guint status, 
+                               const gchar *host, gushort port,
+                               gboolean accept_if_valid)
 {
        SSLCertificate *current_cert = NULL;
        SSLCertificate *known_cert;
        SSLCertHookData cert_hook_data;
-       gchar *fqdn_host = NULL;        
        gchar *fingerprint;
        size_t n;
-       unsigned char md[128];  
+       unsigned char md[128];
+       gboolean valid = FALSE;
+
+       current_cert = ssl_certificate_new(x509_cert, host, port);
 
-       if (fqdn)
-               fqdn_host = g_strdup(fqdn);
-       else if (host)
-               fqdn_host = get_fqdn(host);
-       else {
-               g_warning("no host!\n");
-               return FALSE;
-       }
-               
-       current_cert = ssl_certificate_new_lookup(x509_cert, fqdn_host, port, FALSE);
-       
        if (current_cert == NULL) {
                debug_print("Buggy certificate !\n");
-               g_free(fqdn_host);
                return FALSE;
        }
 
        current_cert->status = status;
        /* fingerprint */
-       n = 128;
+       n = sizeof(md);
        gnutls_x509_crt_get_fingerprint(x509_cert, GNUTLS_DIG_MD5, md, &n);
        fingerprint = readable_fingerprint(md, n);
 
-       known_cert = ssl_certificate_find_lookup (fqdn_host, port, fingerprint, FALSE);
+       known_cert = ssl_certificate_find(host, port, fingerprint);
 
        g_free(fingerprint);
-       g_free(fqdn_host);
+
+       if (accept_if_valid)
+               valid = ssl_certificate_is_valid(current_cert, status);
+       else
+               valid = FALSE; /* Force check */
 
        if (known_cert == NULL) {
+               if (valid) {
+                       ssl_certificate_save(current_cert);
+                       ssl_certificate_destroy(current_cert);
+                       return TRUE;
+               }
+
                cert_hook_data.cert = current_cert;
                cert_hook_data.old_cert = NULL;
                cert_hook_data.expired = FALSE;
                cert_hook_data.accept = FALSE;
-               
+
                hooks_invoke(SSLCERT_ASK_HOOKLIST, &cert_hook_data);
-               
+
                if (!cert_hook_data.accept) {
                        ssl_certificate_destroy(current_cert);
                        return FALSE;
@@ -660,11 +744,18 @@ gboolean ssl_certificate_check (gnutls_x509_crt x509_cert, guint status, gchar *
                        return TRUE;
                }
        } else if (!ssl_certificate_compare (current_cert, known_cert)) {
+               if (valid) {
+                       ssl_certificate_save(current_cert);
+                       ssl_certificate_destroy(current_cert);
+                       ssl_certificate_destroy(known_cert);
+                       return TRUE;
+               }
+
                cert_hook_data.cert = current_cert;
                cert_hook_data.old_cert = known_cert;
                cert_hook_data.expired = FALSE;
                cert_hook_data.accept = FALSE;
-               
+
                hooks_invoke(SSLCERT_ASK_HOOKLIST, &cert_hook_data);
 
                if (!cert_hook_data.accept) {
@@ -679,22 +770,22 @@ gboolean ssl_certificate_check (gnutls_x509_crt x509_cert, guint status, gchar *
                }
        } else if (gnutls_x509_crt_get_expiration_time(current_cert->x509_cert) < time(NULL)) {
                gchar *tmp = g_strdup_printf("%s:%d", current_cert->host, current_cert->port);
-               
+
                if (warned_expired == NULL)
                        warned_expired = g_hash_table_new(g_str_hash, g_str_equal);
-               
+
                if (g_hash_table_lookup(warned_expired, tmp)) {
                        g_free(tmp);
                        ssl_certificate_destroy(current_cert);
                        ssl_certificate_destroy(known_cert);
                        return TRUE;
                }
-                       
+
                cert_hook_data.cert = current_cert;
                cert_hook_data.old_cert = NULL;
                cert_hook_data.expired = TRUE;
                cert_hook_data.accept = FALSE;
-               
+
                hooks_invoke(SSLCERT_ASK_HOOKLIST, &cert_hook_data);
 
                if (!cert_hook_data.accept) {
@@ -715,40 +806,97 @@ gboolean ssl_certificate_check (gnutls_x509_crt x509_cert, guint status, gchar *
        return TRUE;
 }
 
-gnutls_x509_crt ssl_certificate_get_x509_from_pem_file(const gchar *file)
+gboolean ssl_certificate_check_chain(gnutls_x509_crt_t *certs, gint chain_len,
+                                    const gchar *host, gushort port,
+                                    gboolean accept_if_valid)
 {
-       gnutls_x509_crt x509 = NULL;
+       int ncas = 0;
+       gnutls_x509_crt_t *cas = NULL;
+       gboolean result = FALSE;
+       int i;
+       gint status;
+
+       if (claws_ssl_get_cert_file()) {
+               FILE *fp = g_fopen(claws_ssl_get_cert_file(), "rb");
+               int r = -errno;
+
+               if (fp) {
+                       r = gnutls_import_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &cas, &ncas);
+                       fclose(fp);
+               }
+
+               if (r < 0)
+                       g_warning("Can't read SSL_CERT_FILE %s: %s\n",
+                               claws_ssl_get_cert_file(), 
+                               gnutls_strerror(r));
+       } else {
+               debug_print("Can't find SSL ca-certificates file\n");
+       }
+
+
+       gnutls_x509_crt_list_verify (certs,
+                             chain_len,
+                             cas, ncas,
+                             NULL, 0,
+                             GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+                             &status);
+
+       result = ssl_certificate_check(certs[0], status, host, port,
+                                       accept_if_valid);
+
+       if (result == TRUE) {
+               ssl_certificate_save_chain(certs, chain_len, host, port);
+       }
+
+       for (i = 0; i < ncas; i++)
+               gnutls_x509_crt_deinit(cas[i]);
+       free(cas);
+
+       return result;
+}
+
+gnutls_x509_crt_t ssl_certificate_get_x509_from_pem_file(const gchar *file)
+{
+       gnutls_x509_crt_t x509 = NULL;
        if (!file)
                return NULL;
        
        if (is_file_exist(file)) {
                FILE *fp = g_fopen(file, "r");
                if (fp) {
-                       x509 = gnutls_d2i_X509_fp(fp, 1);
+                       x509 = gnutls_import_X509_fp(fp, GNUTLS_X509_FMT_PEM);
                        fclose(fp);
                        return x509;
+               } else {
+                       log_error(LOG_PROTOCOL, _("Cannot open certificate file %s: %s\n"),
+                                 file, g_strerror(errno));
                }
        } else {
-               log_error(LOG_PROTOCOL, "Can not open certificate file %s\n", file);
+               log_error(LOG_PROTOCOL, _("Certificate file %s missing (%s)\n"),
+                         file, g_strerror(errno));
        }
        return NULL;
 }
 
-gnutls_x509_privkey ssl_certificate_get_pkey_from_pem_file(const gchar *file)
+gnutls_x509_privkey_t ssl_certificate_get_pkey_from_pem_file(const gchar *file)
 {
-       gnutls_x509_privkey key = NULL;
+       gnutls_x509_privkey_t key = NULL;
        if (!file)
                return NULL;
        
        if (is_file_exist(file)) {
                FILE *fp = g_fopen(file, "r");
                if (fp) {
-                       key = gnutls_d2i_key_fp(fp, 1);
+                       key = gnutls_import_key_fp(fp, GNUTLS_X509_FMT_PEM);
                        fclose(fp);
                        return key;
+               } else {
+                       log_error(LOG_PROTOCOL, _("Cannot open key file %s (%s)\n"),
+                       file, g_strerror(errno));
                }
        } else {
-               log_error(LOG_PROTOCOL, "Can not open key file %s\n", file);
+               log_error(LOG_PROTOCOL, _("Key file %s missing (%s)\n"), file,
+                         g_strerror(errno));
        }
        return NULL;
 }
@@ -757,10 +905,10 @@ gnutls_x509_privkey ssl_certificate_get_pkey_from_pem_file(const gchar *file)
 static int
 parse_pkcs12 (gnutls_pkcs12_t p12,
              const char *password,
-             gnutls_x509_privkey * key,
+             gnutls_x509_privkey_t * key,
              gnutls_x509_crt_t * cert)
 {
-  gnutls_pkcs12_bag bag = NULL;
+  gnutls_pkcs12_bag_t bag = NULL;
   int index = 0;
   int ret;
 
@@ -808,7 +956,7 @@ parse_pkcs12 (gnutls_pkcs12_t p12,
       for (i = 0; i < elements_in_bag; i++)
        {
          int type;
-         gnutls_datum data;
+         gnutls_datum_t data;
 
          type = gnutls_pkcs12_bag_get_type (bag, i);
          if (type < 0)
@@ -878,7 +1026,7 @@ done:
   return ret;
 }
 void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gchar *password,
-                       gnutls_x509_crt *x509, gnutls_x509_privkey *pkey)
+                       gnutls_x509_crt_t *x509, gnutls_x509_privkey_t *pkey)
 {
        gnutls_pkcs12_t p12 = NULL;
 
@@ -892,11 +1040,18 @@ void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gc
        if (is_file_exist(file)) {
                FILE *fp = g_fopen(file, "r");
                if (fp) {
-                       p12 = gnutls_d2i_PKCS12_fp(fp, 0);
+                       p12 = gnutls_import_PKCS12_fp(fp, GNUTLS_X509_FMT_DER);
                        fclose(fp);
+                       if (!p12) {
+                               log_error(LOG_PROTOCOL, _("Failed to read P12 certificate file %s\n"), file);
+                       }
+               } else {
+                       log_error(LOG_PROTOCOL, _("Cannot open P12 certificate file %s (%s)\n"),
+                                 file, g_strerror(errno));
                }
        } else {
-               log_error(LOG_PROTOCOL, "Can not open certificate file %s\n", file);
+               log_error(LOG_PROTOCOL, _("P12 Certificate file %s missing (%s)\n"), file,
+                         g_strerror(errno));
        }
        if (p12 != NULL) {
                if ((r = parse_pkcs12(p12, password, pkey, x509)) == 0) {
@@ -907,4 +1062,22 @@ void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gc
                gnutls_pkcs12_deinit(p12);
        }
 }
+
+gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert)
+{
+       return gnutls_x509_crt_check_hostname(cert->x509_cert, cert->host) != 0;
+}
+
+gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert)
+{
+       gchar subject_cn[BUFFSIZE];
+       size_t n = BUFFSIZE;
+
+       if(gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
+               GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_cn, &n))
+               return g_strdup(_("<not in certificate>"));
+
+       return g_strdup(subject_cn);
+}
+
 #endif /* USE_GNUTLS */
Claws Mail