2012-08-09 [colin] 3.8.1cvs26

	* src/common/ssl.c
	* src/common/ssl_certificate.c
	* src/common/ssl_certificate.h
	* src/gtk/sslcertwindow.c
		Fix bug 2718, "Failure to check peer hostname
		when checking certificate"

diff --git a/ChangeLog b/ChangeLog
index 5ec622acac4ed624495e7b874d569788e67fe0bc..7fd9f439b5429d7f6918b33fee9d010cf6c38bbd 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2012-08-09 [colin]     3.8.1cvs26
+
+       * src/common/ssl.c
+       * src/common/ssl_certificate.c
+       * src/common/ssl_certificate.h
+       * src/gtk/sslcertwindow.c
+               Fix bug 2718, "Failure to check peer hostname
+               when checking certificate"
+

 2012-08-05 [ticho]     3.8.1cvs25
 
        * src/compose.c
 2012-08-05 [ticho]     3.8.1cvs25
 
        * src/compose.c

diff --git a/PATCHSETS b/PATCHSETS
index b385b31fb08cd1890507216292d3d2c665226895..03c77c3522280cf3d328148b168f739a1acadeff 100644 (file)
--- a/PATCHSETS
+++ b/PATCHSETS
@@ -4400,3 +4400,4 @@
 ( cvs diff -u -r 1.5.2.63 -r 1.5.2.64 src/gtk/pluginwindow.c;  cvs diff -u -r 1.12.2.61 -r 1.12.2.62 src/gtk/prefswindow.c;  ) > 3.8.1cvs23.patchset
 ( cvs diff -u -r 1.382.2.605 -r 1.382.2.606 src/compose.c;  ) > 3.8.1cvs24.patchset
 ( cvs diff -u -r 1.382.2.606 -r 1.382.2.607 src/compose.c;  ) > 3.8.1cvs25.patchset
 ( cvs diff -u -r 1.5.2.63 -r 1.5.2.64 src/gtk/pluginwindow.c;  cvs diff -u -r 1.12.2.61 -r 1.12.2.62 src/gtk/prefswindow.c;  ) > 3.8.1cvs23.patchset
 ( cvs diff -u -r 1.382.2.605 -r 1.382.2.606 src/compose.c;  ) > 3.8.1cvs24.patchset
 ( cvs diff -u -r 1.382.2.606 -r 1.382.2.607 src/compose.c;  ) > 3.8.1cvs25.patchset

+( cvs diff -u -r 1.9.2.53 -r 1.9.2.54 src/common/ssl.c;  cvs diff -u -r 1.4.2.43 -r 1.4.2.44 src/common/ssl_certificate.c;  cvs diff -u -r 1.1.4.19 -r 1.1.4.20 src/common/ssl_certificate.h;  cvs diff -u -r 1.9.2.35 -r 1.9.2.36 src/gtk/sslcertwindow.c;  ) > 3.8.1cvs26.patchset

diff --git a/configure.ac b/configure.ac
index 8b958d7880525bfb7e9101b35963830ffdb74e38..d1394f2e2247e5eba9d9d37c4b61de4d6e077a3c 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -12,7 +12,7 @@ MINOR_VERSION=8
 MICRO_VERSION=1
 INTERFACE_AGE=0
 BINARY_AGE=0
 MICRO_VERSION=1
 INTERFACE_AGE=0
 BINARY_AGE=0

-EXTRA_VERSION=25
+EXTRA_VERSION=26

 EXTRA_RELEASE=
 EXTRA_GTK2_VERSION=
 
 EXTRA_RELEASE=
 EXTRA_GTK2_VERSION=
 

diff --git a/src/common/ssl.c b/src/common/ssl.c
index e1f3e806532f294cf0711296303bcec6899cc74a..9e8b242b7548bfac03a7cb5a6cab89043de7cc5a 100644 (file)
--- a/src/common/ssl.c
+++ b/src/common/ssl.c
@@ -105,6 +105,7 @@ const gchar *claws_ssl_get_cert_file(void)
        const char *cert_files[]={
                "/etc/pki/tls/certs/ca-bundle.crt",
                "/etc/certs/ca-bundle.crt",
        const char *cert_files[]={
                "/etc/pki/tls/certs/ca-bundle.crt",
                "/etc/certs/ca-bundle.crt",

+               "/etc/ssl/ca-bundle.pem",

                "/usr/share/ssl/certs/ca-bundle.crt",
                "/etc/ssl/certs/ca-certificates.crt",
                "/usr/local/ssl/certs/ca-bundle.crt",
                "/usr/share/ssl/certs/ca-bundle.crt",
                "/etc/ssl/certs/ca-certificates.crt",
                "/usr/local/ssl/certs/ca-bundle.crt",

diff --git a/src/common/ssl_certificate.c b/src/common/ssl_certificate.c
index a25e891e1ed1414a98e7623db637092080011fcb..efc5c53e3e7e88331b74036090cbdcc706103f63 100644 (file)
--- a/src/common/ssl_certificate.c
+++ b/src/common/ssl_certificate.c
@@ -834,4 +834,22 @@ void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gc
                gnutls_pkcs12_deinit(p12);
        }
 }
                gnutls_pkcs12_deinit(p12);
        }
 }

+
+gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert)
+{
+       return gnutls_x509_crt_check_hostname(cert->x509_cert, cert->host) != 0;
+}
+
+gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert)
+{
+       gchar subject_cn[BUFFSIZE];
+       size_t n = BUFFSIZE;
+
+       if(gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
+               GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_cn, &n))
+               strncpy(subject_cn, _("<not in certificate>"), BUFFSIZE);
+
+       return g_strdup(subject_cn);
+}
+

 #endif /* USE_GNUTLS */
 #endif /* USE_GNUTLS */

diff --git a/src/common/ssl_certificate.h b/src/common/ssl_certificate.h
index f5380ed4661f873c190c009f0e58194eedcb926f..0b6dce51ed025ecb5ccea66c128f44506a3d4db0 100644 (file)
--- a/src/common/ssl_certificate.h
+++ b/src/common/ssl_certificate.h
@@ -63,13 +63,13 @@ void ssl_certificate_delete_from_disk(SSLCertificate *cert);
 char * readable_fingerprint(unsigned char *src, int len);
 char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status);
 
 char * readable_fingerprint(unsigned char *src, int len);
 char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status);
 

-#ifdef USE_GNUTLS

 gnutls_x509_crt ssl_certificate_get_x509_from_pem_file(const gchar *file);
 gnutls_x509_privkey ssl_certificate_get_pkey_from_pem_file(const gchar *file);
 void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, 
                        const gchar *password, gnutls_x509_crt *crt, gnutls_x509_privkey *key);
 size_t gnutls_i2d_X509(gnutls_x509_crt x509_cert, unsigned char **output);
 size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey pkey, unsigned char **output);
 gnutls_x509_crt ssl_certificate_get_x509_from_pem_file(const gchar *file);
 gnutls_x509_privkey ssl_certificate_get_pkey_from_pem_file(const gchar *file);
 void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, 
                        const gchar *password, gnutls_x509_crt *crt, gnutls_x509_privkey *key);
 size_t gnutls_i2d_X509(gnutls_x509_crt x509_cert, unsigned char **output);
 size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey pkey, unsigned char **output);

-#endif
+gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert);
+gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert);

 #endif /* USE_GNUTLS */
 #endif /* SSL_CERTIFICATE_H */
 #endif /* USE_GNUTLS */
 #endif /* SSL_CERTIFICATE_H */

diff --git a/src/gtk/sslcertwindow.c b/src/gtk/sslcertwindow.c
index 9b7b4c5b3d1df3000b4220b9c03c788d7879017c..f954eef6c9ee875bf43b03ed0edaa1feba3a12e2 100644 (file)
--- a/src/gtk/sslcertwindow.c
+++ b/src/gtk/sslcertwindow.c
@@ -285,6 +285,7 @@ static gboolean sslcert_ask_hook(gpointer source, gpointer data)
        } else {
                hookdata->accept = sslcertwindow_ask_changed_cert(hookdata->old_cert, hookdata->cert);
        }
        } else {
                hookdata->accept = sslcertwindow_ask_changed_cert(hookdata->old_cert, hookdata->cert);
        }

+

        return TRUE;
 }
 
        return TRUE;
 }
 


@@ -304,6 +305,24 @@ void sslcertwindow_show_cert(SSLCertificate *cert)
        g_free(buf);
 }
 
        g_free(buf);
 }
 

+static gchar *sslcertwindow_get_invalid_str(SSLCertificate *cert)
+{
+       gchar *subject_cn = NULL;
+       gchar *str = NULL;
+
+       if (ssl_certificate_check_subject_cn(cert))
+               return g_strdup("");
+       
+       subject_cn = ssl_certificate_get_subject_cn(cert);
+       
+       str = g_strdup_printf(_("Certificate is for %s, but connection is to %s.\n"
+                               "You may be connecting to a rogue server.\n\n"), 
+                               subject_cn, cert->host);
+       g_free(subject_cn);
+       
+       return str;
+}
+

 static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
 {
        gchar *buf, *sig_status;
 static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
 {
        gchar *buf, *sig_status;


@@ -312,9 +331,11 @@ static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
        GtkWidget *label;
        GtkWidget *button;
        GtkWidget *cert_widget;
        GtkWidget *label;
        GtkWidget *button;
        GtkWidget *cert_widget;

-       
+       gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
+       const gchar *title;
+

        vbox = gtk_vbox_new(FALSE, 5);
        vbox = gtk_vbox_new(FALSE, 5);

-       buf = g_strdup_printf(_("Certificate for %s is unknown.\nDo you want to accept it?"), cert->host);
+       buf = g_strdup_printf(_("Certificate for %s is unknown.\n%sDo you want to accept it?"), cert->host, invalid_str);

        label = gtk_label_new(buf);
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
        gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
        label = gtk_label_new(buf);
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
        gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);


@@ -337,7 +358,12 @@ static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
        cert_widget = cert_presenter(cert);
        gtk_container_add(GTK_CONTAINER(button), cert_widget);
 
        cert_widget = cert_presenter(cert);
        gtk_container_add(GTK_CONTAINER(button), cert_widget);
 

-       val = alertpanel_full(_("Unknown SSL Certificate"), NULL,
+       if (!ssl_certificate_check_subject_cn(cert))
+               title = _("SSL certificate is invalid");
+       else
+               title = _("SSL Certificate is unknown");
+
+       val = alertpanel_full(title, NULL,

                              _("_Cancel connection"), _("_Accept and save"), NULL,
                              FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
        
                              _("_Cancel connection"), _("_Accept and save"), NULL,
                              FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
        


@@ -352,9 +378,13 @@ static gboolean sslcertwindow_ask_expired_cert(SSLCertificate *cert)
        GtkWidget *label;
        GtkWidget *button;
        GtkWidget *cert_widget;
        GtkWidget *label;
        GtkWidget *button;
        GtkWidget *cert_widget;

-       
+       gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
+       const gchar *title;
+

        vbox = gtk_vbox_new(FALSE, 5);
        vbox = gtk_vbox_new(FALSE, 5);

-       buf = g_strdup_printf(_("Certificate for %s is expired.\nDo you want to continue?"), cert->host);
+       buf = g_strdup_printf(_("Certificate for %s is expired.\n%sDo you want to continue?"), cert->host, invalid_str);
+       g_free(invalid_str);
+

        label = gtk_label_new(buf);
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
        gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
        label = gtk_label_new(buf);
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
        gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);


@@ -378,7 +408,12 @@ static gboolean sslcertwindow_ask_expired_cert(SSLCertificate *cert)
        cert_widget = cert_presenter(cert);
        gtk_container_add(GTK_CONTAINER(button), cert_widget);
 
        cert_widget = cert_presenter(cert);
        gtk_container_add(GTK_CONTAINER(button), cert_widget);
 

-       val = alertpanel_full(_("Expired SSL Certificate"), NULL,
+       if (!ssl_certificate_check_subject_cn(cert))
+               title = _("SSL certificate is invalid and expired");
+       else
+               title = _("SSL certificate is expired");
+
+       val = alertpanel_full(title, NULL,

                              _("_Cancel connection"), _("_Accept"), NULL,
                              FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
        
                              _("_Cancel connection"), _("_Accept"), NULL,
                              FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
        


@@ -395,7 +430,9 @@ static gboolean sslcertwindow_ask_changed_cert(SSLCertificate *old_cert, SSLCert
        GtkWidget *label;
        GtkWidget *button;
        AlertValue val;
        GtkWidget *label;
        GtkWidget *button;
        AlertValue val;

-       
+       gchar *invalid_str = sslcertwindow_get_invalid_str(new_cert);
+       const gchar *title;
+

        vbox = gtk_vbox_new(FALSE, 5);
        label = gtk_label_new(_("New certificate:"));
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
        vbox = gtk_vbox_new(FALSE, 5);
        label = gtk_label_new(_("New certificate:"));
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);


@@ -409,7 +446,9 @@ static gboolean sslcertwindow_ask_changed_cert(SSLCertificate *old_cert, SSLCert
        gtk_widget_show_all(vbox);
        
        vbox2 = gtk_vbox_new(FALSE, 5);
        gtk_widget_show_all(vbox);
        
        vbox2 = gtk_vbox_new(FALSE, 5);

-       buf = g_strdup_printf(_("Certificate for %s has changed. Do you want to accept it?"), new_cert->host);
+       buf = g_strdup_printf(_("Certificate for %s has changed.\n%sDo you want to accept it?"), new_cert->host, invalid_str);
+       g_free(invalid_str);
+

        label = gtk_label_new(buf);
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
        gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0);
        label = gtk_label_new(buf);
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
        gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0);


@@ -432,7 +471,11 @@ static gboolean sslcertwindow_ask_changed_cert(SSLCertificate *old_cert, SSLCert
        gtk_box_pack_start(GTK_BOX(vbox2), button, FALSE, FALSE, 0);
        gtk_container_add(GTK_CONTAINER(button), vbox);
 
        gtk_box_pack_start(GTK_BOX(vbox2), button, FALSE, FALSE, 0);
        gtk_container_add(GTK_CONTAINER(button), vbox);
 

-       val = alertpanel_full(_("Changed SSL Certificate"), NULL,
+       if (!ssl_certificate_check_subject_cn(new_cert))
+               title = _("SSL certificate changed and is invalid");
+       else
+               title = _("SSL certificate changed");
+       val = alertpanel_full(title, NULL,

                              _("_Cancel connection"), _("_Accept and save"), NULL,
                              FALSE, vbox2, ALERT_WARNING, G_ALERTDEFAULT);
        
                              _("_Cancel connection"), _("_Accept and save"), NULL,
                              FALSE, vbox2, ALERT_WARNING, G_ALERTDEFAULT);