2008-10-10 [colin] 3.6.1cvs2

	* src/common/ssl.h
	* src/common/ssl_certificate.c
	* src/gtk/sslcertwindow.c
		Add offline certificate verification,
		thanks to Nikos Mavrogiannopoulos for the
		hints

diff --git a/ChangeLog b/ChangeLog
index c9209bf..f0302d2 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2008-10-10 [colin]     3.6.1cvs2
+
+       * src/common/ssl.h
+       * src/common/ssl_certificate.c
+       * src/gtk/sslcertwindow.c
+               Add offline certificate verification,
+               thanks to Nikos Mavrogiannopoulos for the
+               hints
+
 2008-10-10 [colin]     3.6.1cvs1
 
        * src/common/ssl_certificate.c

diff --git a/PATCHSETS b/PATCHSETS
index 6e473af..3ae80f2 100644 (file)
--- a/PATCHSETS
+++ b/PATCHSETS
@@ -3583,3 +3583,4 @@
 ( cvs diff -u -r 1.1.2.2 -r 1.1.2.3 claws-mail.pc.in;  ) > 3.6.0cvs24.patchset
 ( cvs diff -u -r 1.9.2.33 -r 1.9.2.34 src/common/ssl.c;  ) > 3.6.0cvs25.patchset
 ( cvs diff -u -r 1.4.2.30 -r 1.4.2.31 src/common/ssl_certificate.c;  cvs diff -u -r 1.9.2.24 -r 1.9.2.25 src/gtk/sslcertwindow.c;  ) > 3.6.1cvs1.patchset
+( cvs diff -u -r 1.2.2.10 -r 1.2.2.11 src/common/ssl.h;  cvs diff -u -r 1.4.2.31 -r 1.4.2.32 src/common/ssl_certificate.c;  cvs diff -u -r 1.9.2.25 -r 1.9.2.26 src/gtk/sslcertwindow.c;  ) > 3.6.1cvs2.patchset

diff --git a/configure.ac b/configure.ac
index 5e6a9cb..d91b239 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -11,7 +11,7 @@ MINOR_VERSION=6
 MICRO_VERSION=1
 INTERFACE_AGE=0
 BINARY_AGE=0
-EXTRA_VERSION=1
+EXTRA_VERSION=2
 EXTRA_RELEASE=
 EXTRA_GTK2_VERSION=
 

diff --git a/src/common/ssl.h b/src/common/ssl.h
index 4dbb1f2..14d6459 100644 (file)
--- a/src/common/ssl.h
+++ b/src/common/ssl.h
@@ -72,6 +72,7 @@ struct _SSLClientCertHookData
 SSL_CTX *ssl_get_ctx(void);
 #endif
                
+const gchar *claws_ssl_get_cert_file(void);
 #endif /* USE_OPENSSL */
 
 #endif /* __SSL_H__ */

diff --git a/src/common/ssl_certificate.c b/src/common/ssl_certificate.c
index b0242b4..2cfce30 100644 (file)
--- a/src/common/ssl_certificate.c
+++ b/src/common/ssl_certificate.c
@@ -649,11 +649,71 @@ char *ssl_certificate_check_signer (X509 *cert)
        return NULL;
 }
 #else
-char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status) 
+guint check_cert(gnutls_x509_crt cert)
 {
-       if (status == (guint)-1)
-               return g_strdup(_("Uncheckable"));
+       gnutls_x509_crt *ca_list;
+       unsigned int max = 512;
+       unsigned int flags = 0;
+       gnutls_datum tmp;
+       struct stat s;
+       int r, i;
+       unsigned int status;
+       FILE *fp;
+
+       if (claws_ssl_get_cert_file())
+               fp = fopen(claws_ssl_get_cert_file(), "r");
+       else
+               return (guint)-1;
+
+       if (fstat(fileno(fp), &s) < 0) {
+               perror("fstat");
+               fclose(fp);
+               return (guint)-1;
+       }
+
+       ca_list=(gnutls_x509_crt_t*)malloc(max*sizeof(gnutls_x509_crt_t));
+       tmp.data = malloc(s.st_size);
+       memset(tmp.data, 0, s.st_size);
+       tmp.size = s.st_size;
+       if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
+               perror("fread");
+               free(tmp.data);
+               free(ca_list);
+               fclose(fp);
+               return (guint)-1;
+       }
+
+       if ((r = gnutls_x509_crt_list_import(ca_list, &max, 
+                       &tmp, GNUTLS_X509_FMT_PEM, flags)) < 0) {
+               debug_print("cert import failed: %s\n", gnutls_strerror(r));
+               free(tmp.data);
+               free(ca_list);
+               fclose(fp);
+               return (guint)-1;
+       }
+       free(tmp.data);
+       debug_print("got %d certs in ca_list! %p\n", max, &ca_list);
+       r = gnutls_x509_crt_verify(cert, ca_list, max, flags, &status);
+       fclose(fp);
 
+       for (i = 0; i < max; i++)
+               gnutls_x509_crt_deinit(ca_list[i]);
+       free(ca_list);
+
+       if (r < 0)
+               return (guint)-1;
+       else
+               return status;
+
+}
+
+char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status) 
+{
+       if (status == (guint)-1) {
+               status = check_cert(cert);
+               if (status == -1)
+                       return g_strdup(_("Uncheckable"));
+       }
        if (status & GNUTLS_CERT_INVALID) {
                if (gnutls_x509_crt_check_issuer(cert, cert))
                        return g_strdup(_("Self-signed certificate"));

diff --git a/src/gtk/sslcertwindow.c b/src/gtk/sslcertwindow.c
index aa2a2da..2151770 100644 (file)
--- a/src/gtk/sslcertwindow.c
+++ b/src/gtk/sslcertwindow.c
@@ -229,7 +229,7 @@ static GtkWidget *cert_presenter(SSLCertificate *cert)
 #endif
 
        if (sig_status==NULL)
-               sig_status = g_strdup(_("correct"));
+               sig_status = g_strdup(_("Correct"));
 
        vbox = gtk_vbox_new(FALSE, 5);
        hbox = gtk_hbox_new(FALSE, 5);
@@ -398,7 +398,7 @@ static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
        sig_status = ssl_certificate_check_signer(cert->x509_cert, cert->status);
 #endif
        if (sig_status==NULL)
-               sig_status = g_strdup(_("correct"));
+               sig_status = g_strdup(_("Correct"));
 
        buf = g_strdup_printf(_("Signature status: %s"), sig_status);
        label = gtk_label_new(buf);
@@ -443,7 +443,7 @@ static gboolean sslcertwindow_ask_expired_cert(SSLCertificate *cert)
 #endif
 
        if (sig_status==NULL)
-               sig_status = g_strdup(_("correct"));
+               sig_status = g_strdup(_("Correct"));
 
        buf = g_strdup_printf(_("Signature status: %s"), sig_status);
        label = gtk_label_new(buf);
@@ -502,7 +502,7 @@ static gboolean sslcertwindow_ask_changed_cert(SSLCertificate *old_cert, SSLCert
 #endif
 
        if (sig_status==NULL)
-               sig_status = g_strdup(_("correct"));
+               sig_status = g_strdup(_("Correct"));
 
        buf = g_strdup_printf(_("Signature status: %s"), sig_status);
        label = gtk_label_new(buf);