2012-08-09 [colin] 3.8.1cvs26
authorColin Leroy <colin@colino.net>
Thu, 9 Aug 2012 11:32:26 +0000 (11:32 +0000)
committerColin Leroy <colin@colino.net>
Thu, 9 Aug 2012 11:32:26 +0000 (11:32 +0000)
* src/common/ssl.c
* src/common/ssl_certificate.c
* src/common/ssl_certificate.h
* src/gtk/sslcertwindow.c
Fix bug 2718, "Failure to check peer hostname
when checking certificate"

ChangeLog
PATCHSETS
configure.ac
src/common/ssl.c
src/common/ssl_certificate.c
src/common/ssl_certificate.h
src/gtk/sslcertwindow.c

index 5ec622a..7fd9f43 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2012-08-09 [colin]     3.8.1cvs26
+
+       * src/common/ssl.c
+       * src/common/ssl_certificate.c
+       * src/common/ssl_certificate.h
+       * src/gtk/sslcertwindow.c
+               Fix bug 2718, "Failure to check peer hostname
+               when checking certificate"
+
 2012-08-05 [ticho]     3.8.1cvs25
 
        * src/compose.c
index b385b31..03c77c3 100644 (file)
--- a/PATCHSETS
+++ b/PATCHSETS
 ( cvs diff -u -r 1.5.2.63 -r 1.5.2.64 src/gtk/pluginwindow.c;  cvs diff -u -r 1.12.2.61 -r 1.12.2.62 src/gtk/prefswindow.c;  ) > 3.8.1cvs23.patchset
 ( cvs diff -u -r 1.382.2.605 -r 1.382.2.606 src/compose.c;  ) > 3.8.1cvs24.patchset
 ( cvs diff -u -r 1.382.2.606 -r 1.382.2.607 src/compose.c;  ) > 3.8.1cvs25.patchset
+( cvs diff -u -r 1.9.2.53 -r 1.9.2.54 src/common/ssl.c;  cvs diff -u -r 1.4.2.43 -r 1.4.2.44 src/common/ssl_certificate.c;  cvs diff -u -r 1.1.4.19 -r 1.1.4.20 src/common/ssl_certificate.h;  cvs diff -u -r 1.9.2.35 -r 1.9.2.36 src/gtk/sslcertwindow.c;  ) > 3.8.1cvs26.patchset
index 8b958d7..d1394f2 100644 (file)
@@ -12,7 +12,7 @@ MINOR_VERSION=8
 MICRO_VERSION=1
 INTERFACE_AGE=0
 BINARY_AGE=0
-EXTRA_VERSION=25
+EXTRA_VERSION=26
 EXTRA_RELEASE=
 EXTRA_GTK2_VERSION=
 
index e1f3e80..9e8b242 100644 (file)
@@ -105,6 +105,7 @@ const gchar *claws_ssl_get_cert_file(void)
        const char *cert_files[]={
                "/etc/pki/tls/certs/ca-bundle.crt",
                "/etc/certs/ca-bundle.crt",
+               "/etc/ssl/ca-bundle.pem",
                "/usr/share/ssl/certs/ca-bundle.crt",
                "/etc/ssl/certs/ca-certificates.crt",
                "/usr/local/ssl/certs/ca-bundle.crt",
index a25e891..efc5c53 100644 (file)
@@ -834,4 +834,22 @@ void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gc
                gnutls_pkcs12_deinit(p12);
        }
 }
+
+gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert)
+{
+       return gnutls_x509_crt_check_hostname(cert->x509_cert, cert->host) != 0;
+}
+
+gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert)
+{
+       gchar subject_cn[BUFFSIZE];
+       size_t n = BUFFSIZE;
+
+       if(gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
+               GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_cn, &n))
+               strncpy(subject_cn, _("<not in certificate>"), BUFFSIZE);
+
+       return g_strdup(subject_cn);
+}
+
 #endif /* USE_GNUTLS */
index f5380ed..0b6dce5 100644 (file)
@@ -63,13 +63,13 @@ void ssl_certificate_delete_from_disk(SSLCertificate *cert);
 char * readable_fingerprint(unsigned char *src, int len);
 char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status);
 
-#ifdef USE_GNUTLS
 gnutls_x509_crt ssl_certificate_get_x509_from_pem_file(const gchar *file);
 gnutls_x509_privkey ssl_certificate_get_pkey_from_pem_file(const gchar *file);
 void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, 
                        const gchar *password, gnutls_x509_crt *crt, gnutls_x509_privkey *key);
 size_t gnutls_i2d_X509(gnutls_x509_crt x509_cert, unsigned char **output);
 size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey pkey, unsigned char **output);
-#endif
+gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert);
+gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert);
 #endif /* USE_GNUTLS */
 #endif /* SSL_CERTIFICATE_H */
index 9b7b4c5..f954eef 100644 (file)
@@ -285,6 +285,7 @@ static gboolean sslcert_ask_hook(gpointer source, gpointer data)
        } else {
                hookdata->accept = sslcertwindow_ask_changed_cert(hookdata->old_cert, hookdata->cert);
        }
+
        return TRUE;
 }
 
@@ -304,6 +305,24 @@ void sslcertwindow_show_cert(SSLCertificate *cert)
        g_free(buf);
 }
 
+static gchar *sslcertwindow_get_invalid_str(SSLCertificate *cert)
+{
+       gchar *subject_cn = NULL;
+       gchar *str = NULL;
+
+       if (ssl_certificate_check_subject_cn(cert))
+               return g_strdup("");
+       
+       subject_cn = ssl_certificate_get_subject_cn(cert);
+       
+       str = g_strdup_printf(_("Certificate is for %s, but connection is to %s.\n"
+                               "You may be connecting to a rogue server.\n\n"), 
+                               subject_cn, cert->host);
+       g_free(subject_cn);
+       
+       return str;
+}
+
 static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
 {
        gchar *buf, *sig_status;
@@ -312,9 +331,11 @@ static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
        GtkWidget *label;
        GtkWidget *button;
        GtkWidget *cert_widget;
-       
+       gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
+       const gchar *title;
+
        vbox = gtk_vbox_new(FALSE, 5);
-       buf = g_strdup_printf(_("Certificate for %s is unknown.\nDo you want to accept it?"), cert->host);
+       buf = g_strdup_printf(_("Certificate for %s is unknown.\n%sDo you want to accept it?"), cert->host, invalid_str);
        label = gtk_label_new(buf);
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
        gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
@@ -337,7 +358,12 @@ static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
        cert_widget = cert_presenter(cert);
        gtk_container_add(GTK_CONTAINER(button), cert_widget);
 
-       val = alertpanel_full(_("Unknown SSL Certificate"), NULL,
+       if (!ssl_certificate_check_subject_cn(cert))
+               title = _("SSL certificate is invalid");
+       else
+               title = _("SSL Certificate is unknown");
+
+       val = alertpanel_full(title, NULL,
                              _("_Cancel connection"), _("_Accept and save"), NULL,
                              FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
        
@@ -352,9 +378,13 @@ static gboolean sslcertwindow_ask_expired_cert(SSLCertificate *cert)
        GtkWidget *label;
        GtkWidget *button;
        GtkWidget *cert_widget;
-       
+       gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
+       const gchar *title;
+
        vbox = gtk_vbox_new(FALSE, 5);
-       buf = g_strdup_printf(_("Certificate for %s is expired.\nDo you want to continue?"), cert->host);
+       buf = g_strdup_printf(_("Certificate for %s is expired.\n%sDo you want to continue?"), cert->host, invalid_str);
+       g_free(invalid_str);
+
        label = gtk_label_new(buf);
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
        gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
@@ -378,7 +408,12 @@ static gboolean sslcertwindow_ask_expired_cert(SSLCertificate *cert)
        cert_widget = cert_presenter(cert);
        gtk_container_add(GTK_CONTAINER(button), cert_widget);
 
-       val = alertpanel_full(_("Expired SSL Certificate"), NULL,
+       if (!ssl_certificate_check_subject_cn(cert))
+               title = _("SSL certificate is invalid and expired");
+       else
+               title = _("SSL certificate is expired");
+
+       val = alertpanel_full(title, NULL,
                              _("_Cancel connection"), _("_Accept"), NULL,
                              FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
        
@@ -395,7 +430,9 @@ static gboolean sslcertwindow_ask_changed_cert(SSLCertificate *old_cert, SSLCert
        GtkWidget *label;
        GtkWidget *button;
        AlertValue val;
-       
+       gchar *invalid_str = sslcertwindow_get_invalid_str(new_cert);
+       const gchar *title;
+
        vbox = gtk_vbox_new(FALSE, 5);
        label = gtk_label_new(_("New certificate:"));
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
@@ -409,7 +446,9 @@ static gboolean sslcertwindow_ask_changed_cert(SSLCertificate *old_cert, SSLCert
        gtk_widget_show_all(vbox);
        
        vbox2 = gtk_vbox_new(FALSE, 5);
-       buf = g_strdup_printf(_("Certificate for %s has changed. Do you want to accept it?"), new_cert->host);
+       buf = g_strdup_printf(_("Certificate for %s has changed.\n%sDo you want to accept it?"), new_cert->host, invalid_str);
+       g_free(invalid_str);
+
        label = gtk_label_new(buf);
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
        gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0);
@@ -432,7 +471,11 @@ static gboolean sslcertwindow_ask_changed_cert(SSLCertificate *old_cert, SSLCert
        gtk_box_pack_start(GTK_BOX(vbox2), button, FALSE, FALSE, 0);
        gtk_container_add(GTK_CONTAINER(button), vbox);
 
-       val = alertpanel_full(_("Changed SSL Certificate"), NULL,
+       if (!ssl_certificate_check_subject_cn(new_cert))
+               title = _("SSL certificate changed and is invalid");
+       else
+               title = _("SSL certificate changed");
+       val = alertpanel_full(title, NULL,
                              _("_Cancel connection"), _("_Accept and save"), NULL,
                              FALSE, vbox2, ALERT_WARNING, G_ALERTDEFAULT);