projects / claws.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
add port to certificate checker
[claws.git] / src / ssl_certificate.c
diff --git a/src/ssl_certificate.c b/src/ssl_certificate.c
index 6632d3abfac404b3cac66df606774b7cc7e7f948..572bb20ff67ccc2f874bb3b9827930c6bfd59f87 100644 (file)
--- a/src/ssl_certificate.c
+++ b/src/ssl_certificate.c
@@ -29,8 +29,10 @@
 #include "alertpanel.h"
 #include "utils.h"
 #include "intl.h"
+#include "prefs_common.h"
 
 static void ssl_certificate_destroy(SSLCertificate *cert);
+static char *ssl_certificate_check_signer (X509 *cert); 
 
 static char * readable_fingerprint(unsigned char *src, int len) 
 {
@@ -54,7 +56,7 @@ static char * readable_fingerprint(unsigned char *src, int len)
        return ret;
 }
 
-SSLCertificate *ssl_certificate_new(X509 *x509_cert, gchar *host)
+SSLCertificate *ssl_certificate_new(X509 *x509_cert, gchar *host, gushort port)
 {
        SSLCertificate *cert = g_new0(SSLCertificate, 1);
        
@@ -65,13 +67,15 @@ SSLCertificate *ssl_certificate_new(X509 *x509_cert, gchar *host)
 
        cert->x509_cert = X509_dup(x509_cert);
        cert->host = g_strdup(host);
+       cert->port = port;
        return cert;
 }
 
 static void ssl_certificate_save (SSLCertificate *cert)
 {
-       gchar *file;
+       gchar *file, *port;
        FILE *fp;
+
        file = g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S, 
                          "certs", G_DIR_SEPARATOR_S, NULL);
        
@@ -79,10 +83,12 @@ static void ssl_certificate_save (SSLCertificate *cert)
                make_dir_hier(file);
        g_free(file);
 
+       port = g_strdup_printf("%d", cert->port);
        file = g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S, 
                          "certs", G_DIR_SEPARATOR_S,
-                         cert->host, ".cert", NULL);
+                         cert->host, ".", port, ".cert", NULL);
 
+       g_free(port);
        fp = fopen(file, "w");
        if (fp == NULL) {
                g_free(file);
@@ -97,24 +103,70 @@ static void ssl_certificate_save (SSLCertificate *cert)
 
 static char* ssl_certificate_to_string(SSLCertificate *cert)
 {
-       char *ret, *issuer, *subject, *fingerprint;
-       int j;
+       char *ret, buf[100];
+       char *issuer_commonname, *issuer_location, *issuer_organization;
+       char *subject_commonname, *subject_location, *subject_organization;
+       char *fingerprint, *sig_status;
        unsigned int n;
        unsigned char md[EVP_MAX_MD_SIZE];      
-               
+       
+       /* issuer */    
+        X509_NAME_get_text_by_NID(X509_get_issuer_name(cert->x509_cert), 
+                                       NID_commonName, buf, 100);
+        issuer_commonname = g_strdup(buf);
+        X509_NAME_get_text_by_NID(X509_get_issuer_name(cert->x509_cert), 
+                                       NID_localityName, buf, 100);
+        issuer_location = g_strdup(buf);
+        X509_NAME_get_text_by_NID(X509_get_issuer_name(cert->x509_cert), 
+                                       NID_countryName, buf, 100);
+        issuer_location = g_strconcat(issuer_location,", ",buf, NULL);
+        X509_NAME_get_text_by_NID(X509_get_issuer_name(cert->x509_cert), 
+                                       NID_organizationName, buf, 100);
+        issuer_organization = g_strdup(buf);
+
+       /* issuer */    
+        X509_NAME_get_text_by_NID(X509_get_subject_name(cert->x509_cert), 
+                                       NID_commonName, buf, 100);
+        subject_commonname = g_strdup(buf);
+        X509_NAME_get_text_by_NID(X509_get_subject_name(cert->x509_cert), 
+                                       NID_localityName, buf, 100);
+        subject_location = g_strdup(buf);
+        X509_NAME_get_text_by_NID(X509_get_subject_name(cert->x509_cert), 
+                                       NID_countryName, buf, 100);
+        subject_location = g_strconcat(subject_location,", ",buf, NULL);
+        X509_NAME_get_text_by_NID(X509_get_subject_name(cert->x509_cert), 
+                                       NID_organizationName, buf, 100);
+        subject_organization = g_strdup(buf);
+                
+       /* fingerprint */
        X509_digest(cert->x509_cert, EVP_md5(), md, &n);
-       issuer = X509_NAME_oneline(X509_get_issuer_name(cert->x509_cert), 0, 0);
-       subject = X509_NAME_oneline(X509_get_subject_name(cert->x509_cert), 0, 0);
-       fingerprint = readable_fingerprint(md, (int)n);         
-       ret = g_strdup_printf("  Issuer: %s\n  Subject: %s\n  Fingerprint: %s",
-                               issuer, subject, fingerprint);
-
-       if (issuer)
-               g_free(issuer);
-       if (subject)
-               g_free(subject);
+       fingerprint = readable_fingerprint(md, (int)n);
+
+       /* signature */
+       sig_status = ssl_certificate_check_signer(cert->x509_cert);
+
+       ret = g_strdup_printf(_("  Owner: %s (%s) in %s\n  Signed by: %s (%s) in %s\n  Fingerprint: %s\n  Signature status: %s"),
+                               subject_commonname, subject_organization, subject_location, 
+                               issuer_commonname, issuer_organization, issuer_location, 
+                               fingerprint,
+                               (sig_status==NULL ? "correct":sig_status));
+
+       if (issuer_commonname)
+               g_free(issuer_commonname);
+       if (issuer_location)
+               g_free(issuer_location);
+       if (issuer_organization)
+               g_free(issuer_organization);
+       if (subject_commonname)
+               g_free(subject_commonname);
+       if (subject_location)
+               g_free(subject_location);
+       if (subject_organization)
+               g_free(subject_organization);
        if (fingerprint)
                g_free(fingerprint);
+       if (sig_status)
+               g_free(sig_status);
        return ret;
 }
        
@@ -129,18 +181,20 @@ void ssl_certificate_destroy(SSLCertificate *cert)
        cert = NULL;
 }
 
-static SSLCertificate *ssl_certificate_find (gchar *host)
+static SSLCertificate *ssl_certificate_find (gchar *host, gushort port)
 {
        gchar *file;
-       gchar buf[1024], *subject, *issuer, *fingerprint;
+       gchar *buf;
        SSLCertificate *cert = NULL;
        X509 *tmp_x509;
        FILE *fp;
        
+       buf = g_strdup_printf("%d", port);
        file = g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S, 
                          "certs", G_DIR_SEPARATOR_S,
-                         host, ".cert", NULL);
+                         host, ".", buf, ".cert", NULL);
 
+       g_free(buf);
        fp = fopen(file, "r");
        if (fp == NULL) {
                g_free(file);
@@ -149,7 +203,7 @@ static SSLCertificate *ssl_certificate_find (gchar *host)
        
        
        if ((tmp_x509 = d2i_X509_fp(fp, 0)) != NULL) {
-               cert = ssl_certificate_new(tmp_x509, host);
+               cert = ssl_certificate_new(tmp_x509, host, port);
                X509_free(tmp_x509);
        }
        fclose(fp);
@@ -179,7 +233,7 @@ static char *ssl_certificate_check_signer (X509 *cert)
        store = X509_STORE_new();
        if (store == NULL) {
                printf("Can't create X509_STORE\n");
-               return FALSE;
+               return NULL;
        }
        if (X509_STORE_set_default_paths(store)) 
                ok++;
@@ -208,9 +262,9 @@ static char *ssl_certificate_check_signer (X509 *cert)
        return NULL;
 }
 
-gboolean ssl_certificate_check (X509 *x509_cert, gchar *host)
+gboolean ssl_certificate_check (X509 *x509_cert, gchar *host, gushort port)
 {
-       SSLCertificate *current_cert = ssl_certificate_new(x509_cert, host);
+       SSLCertificate *current_cert = ssl_certificate_new(x509_cert, host, port);
        SSLCertificate *known_cert;
 
        if (current_cert == NULL) {
@@ -218,26 +272,27 @@ gboolean ssl_certificate_check (X509 *x509_cert, gchar *host)
                return FALSE;
        }
 
-       known_cert = ssl_certificate_find (host);
+       known_cert = ssl_certificate_find (host, port);
 
        if (known_cert == NULL) {
                gint val;
                gchar *err_msg, *cur_cert_str;
-               gchar *sig_status = NULL;
                
                cur_cert_str = ssl_certificate_to_string(current_cert);
                
-               sig_status = ssl_certificate_check_signer(x509_cert);
-
-               err_msg = g_strdup_printf(_("The SSL certificate presented by %s is unknown.\nPresented certificate is:\n%s\n\n%s%s"),
+               err_msg = g_strdup_printf(_("%s presented an unknown SSL certificate:\n%s"),
                                          host,
-                                         cur_cert_str,
-                                         (sig_status == NULL)?"The presented certificate signature is correct.":"The presented certificate signature is not correct: ",
-                                         (sig_status == NULL)?"":sig_status);
+                                         cur_cert_str);
                g_free (cur_cert_str);
-               if (sig_status)
-                       g_free (sig_status);
+
+               if (prefs_common.no_recv_err_panel) {
+                       log_error(_("%s\n\nMail won't be retrieved on this account until you save the certificate.\n(Uncheck the \"%s\" preference).\n"),
+                                       err_msg,
+                                       _("Don't popup error dialog on receive error"));
+                       g_free(err_msg);
+                       return FALSE;
+               }
+                
                val = alertpanel(_("Warning"),
                               err_msg,
                               _("Accept and save"), _("Cancel connection"), NULL);
@@ -261,17 +316,23 @@ gboolean ssl_certificate_check (X509 *x509_cert, gchar *host)
 
                known_cert_str = ssl_certificate_to_string(known_cert);
                cur_cert_str = ssl_certificate_to_string(current_cert);
-               err_msg = g_strdup_printf(_("The SSL certificate presented by %s differs from the known one.\nKnown certificate is:\n%s\nPresented certificate is:\n%s\n\n%s%s"),
+               err_msg = g_strdup_printf(_("%s's SSL certificate changed !\nWe have saved this one:\n%s\n\nIt is now:\n%s\n\nThis could mean the server answering is not the known one."),
                                          host,
                                          known_cert_str,
-                                         cur_cert_str,
-                                         (sig_status == NULL)?"The presented certificate signature is correct.":"The presented certificate signature is not correct: ",
-                                         (sig_status == NULL)?"":sig_status);
+                                         cur_cert_str);
                g_free (cur_cert_str);
                g_free (known_cert_str);
                if (sig_status)
                        g_free (sig_status);
 
+               if (prefs_common.no_recv_err_panel) {
+                       log_error(_("%s\n\nMail won't be retrieved on this account until you save the certificate.\n(Uncheck the \"%s\" preference).\n"),
+                                       err_msg,
+                                       _("Don't popup error dialog on receive error"));
+                       g_free(err_msg);
+                       return FALSE;
+               }
+
                val = alertpanel(_("Warning"),
                               err_msg,
                               _("Accept and save"), _("Cancel connection"), NULL);
Claws Mail