diff options
Diffstat (limited to 'nonprism/claws-mail-nonprism/claws-ssl-3.patch')
-rw-r--r-- | nonprism/claws-mail-nonprism/claws-ssl-3.patch | 241 |
1 files changed, 241 insertions, 0 deletions
diff --git a/nonprism/claws-mail-nonprism/claws-ssl-3.patch b/nonprism/claws-mail-nonprism/claws-ssl-3.patch new file mode 100644 index 000000000..cf3306337 --- /dev/null +++ b/nonprism/claws-mail-nonprism/claws-ssl-3.patch @@ -0,0 +1,241 @@ +From a74e15a5c7185b941a24b0b61bc134397c8d5737 Mon Sep 17 00:00:00 2001 +From: Nepu User <nepu@localhost.localdomain> +Date: Sun, 27 Apr 2014 14:56:01 +0200 +Subject: [PATCH 3/3] upstream commit 4d0f2b9b14819b26fbaa72ad129ec0c03e41400f + +--- + src/common/ssl_certificate.c | 114 +++++++++++++++++++++++++++++-------------- + src/etpan/etpan-ssl.c | 1 + + src/etpan/imap-thread.c | 4 +- + src/etpan/nntp-thread.c | 2 +- + 4 files changed, 82 insertions(+), 39 deletions(-) + +diff --git a/src/common/ssl_certificate.c b/src/common/ssl_certificate.c +index 72f73ac..48e55c9 100644 +--- a/src/common/ssl_certificate.c ++++ b/src/common/ssl_certificate.c +@@ -207,33 +207,73 @@ size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey_t pkey, unsigned char **output) + return key_size; + } + +-static gnutls_x509_crt_t gnutls_d2i_X509_fp(FILE *fp, int format) ++static int gnutls_d2i_X509_list_fp(FILE *fp, int format, gnutls_x509_crt_t **cert_list, gint *num_certs) + { +- gnutls_x509_crt_t cert = NULL; ++ gnutls_x509_crt_t *crt_list; ++ unsigned int max = 512; ++ unsigned int flags = 0; + gnutls_datum_t tmp; + struct stat s; + int r; ++ ++ *cert_list = NULL; ++ *num_certs = 0; ++ ++ if (fp == NULL) ++ return -ENOENT; ++ + if (fstat(fileno(fp), &s) < 0) { + perror("fstat"); +- return NULL; ++ return -errno; + } ++ ++ crt_list=(gnutls_x509_crt_t*)malloc(max*sizeof(gnutls_x509_crt_t)); + tmp.data = malloc(s.st_size); + memset(tmp.data, 0, s.st_size); + tmp.size = s.st_size; + if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) { + perror("fread"); + free(tmp.data); +- return NULL; ++ free(crt_list); ++ return -EIO; + } + +- gnutls_x509_crt_init(&cert); +- if ((r = gnutls_x509_crt_import(cert, &tmp, (format == 0)?GNUTLS_X509_FMT_DER:GNUTLS_X509_FMT_PEM)) < 0) { ++ if ((r = gnutls_x509_crt_list_import(crt_list, &max, ++ &tmp, format, flags)) < 0) { + debug_print("cert import failed: %s\n", gnutls_strerror(r)); +- gnutls_x509_crt_deinit(cert); +- cert = NULL; ++ free(tmp.data); ++ free(crt_list); ++ return r; + } + free(tmp.data); +- debug_print("got cert! %p\n", cert); ++ debug_print("got %d certs in crt_list! %p\n", max, &crt_list); ++ ++ *cert_list = crt_list; ++ *num_certs = max; ++ ++ return r; ++} ++ ++/* return one certificate, read from file */ ++static gnutls_x509_crt_t gnutls_d2i_X509_fp(FILE *fp, int format) ++{ ++ gnutls_x509_crt_t *certs = NULL; ++ gnutls_x509_crt_t cert = NULL; ++ int i, ncerts, r; ++ ++ if ((r = gnutls_d2i_X509_list_fp(fp, format, &certs, &ncerts)) < 0) { ++ return NULL; ++ } ++ ++ if (ncerts == 0) ++ return NULL; ++ ++ for (i = 1; i < ncerts; i++) ++ gnutls_x509_crt_deinit(certs[i]); ++ ++ cert = certs[0]; ++ free(certs); ++ + return cert; + } + +@@ -474,8 +514,6 @@ static guint check_cert(gnutls_x509_crt_t cert) + gnutls_x509_crt_t *ca_list; + unsigned int max = 512; + unsigned int flags = 0; +- gnutls_datum_t tmp; +- struct stat s; + int r, i; + unsigned int status; + FILE *fp; +@@ -485,34 +523,12 @@ static guint check_cert(gnutls_x509_crt_t cert) + else + return (guint)-1; + +- if (fstat(fileno(fp), &s) < 0) { +- perror("fstat"); +- fclose(fp); +- return (guint)-1; +- } +- +- ca_list=(gnutls_x509_crt_t*)malloc(max*sizeof(gnutls_x509_crt_t)); +- tmp.data = malloc(s.st_size); +- memset(tmp.data, 0, s.st_size); +- tmp.size = s.st_size; +- if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) { +- perror("fread"); +- free(tmp.data); +- free(ca_list); +- fclose(fp); +- return (guint)-1; +- } +- +- if ((r = gnutls_x509_crt_list_import(ca_list, &max, +- &tmp, GNUTLS_X509_FMT_PEM, flags)) < 0) { ++ if ((r = gnutls_d2i_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &ca_list, &max)) < 0) { + debug_print("cert import failed: %s\n", gnutls_strerror(r)); +- free(tmp.data); +- free(ca_list); + fclose(fp); + return (guint)-1; + } +- free(tmp.data); +- debug_print("got %d certs in ca_list! %p\n", max, &ca_list); ++ + r = gnutls_x509_crt_verify(cert, ca_list, max, flags, &status); + fclose(fp); + +@@ -649,18 +665,44 @@ gboolean ssl_certificate_check (gnutls_x509_crt_t x509_cert, guint status, const + + gboolean ssl_certificate_check_chain(gnutls_x509_crt_t *certs, gint chain_len, const gchar *host, gushort port) + { ++ int ncas = 0, ncrls = 0; ++ gnutls_x509_crt_t *cas = NULL; ++ gnutls_x509_crl_t *crls = NULL; + gboolean result = FALSE; ++ int i; + gint status; + ++ if (claws_ssl_get_cert_file()) { ++ FILE *fp = g_fopen(claws_ssl_get_cert_file(), "rb"); ++ int r = -errno; ++ ++ if (fp) { ++ r = gnutls_d2i_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &cas, &ncas); ++ fclose(fp); ++ } ++ ++ if (r < 0) ++ g_warning("Can't read SSL_CERT_FILE %s: %s\n", ++ claws_ssl_get_cert_file(), ++ gnutls_strerror(r)); ++ } else { ++ debug_print("Can't find SSL ca-certificates file\n"); ++ } ++ ++ + gnutls_x509_crt_list_verify (certs, + chain_len, +- NULL, 0, ++ cas, ncas, + NULL, 0, + GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, + &status); + + result = ssl_certificate_check(certs[0], status, host, port); + ++ for (i = 0; i < ncas; i++) ++ gnutls_x509_crt_deinit(cas[i]); ++ free(cas); ++ + return result; + } + +diff --git a/src/etpan/etpan-ssl.c b/src/etpan/etpan-ssl.c +index c9dc9d8..f99955b 100644 +--- a/src/etpan/etpan-ssl.c ++++ b/src/etpan/etpan-ssl.c +@@ -125,6 +125,7 @@ gboolean etpan_certificate_check(mailstream *stream, const char *host, gint port + + for (i = 0; i < chain_len; i++) + gnutls_x509_crt_deinit(certs[i]); ++ free(certs); + + return result; + #endif +diff --git a/src/etpan/imap-thread.c b/src/etpan/imap-thread.c +index 4332f59..f0b504e 100644 +--- a/src/etpan/imap-thread.c ++++ b/src/etpan/imap-thread.c +@@ -570,7 +570,7 @@ int imap_threaded_connect_ssl(Folder * folder, const char * server, int port) + + if ((result.error == MAILIMAP_NO_ERROR_AUTHENTICATED || + result.error == MAILIMAP_NO_ERROR_NON_AUTHENTICATED) && !etpan_skip_ssl_cert_check) { +- if (etpan_certificate_check(imap->imap_stream, server, port) < 0) ++ if (etpan_certificate_check(imap->imap_stream, server, port) != TRUE) + result.error = MAILIMAP_ERROR_SSL; + } + debug_print("connect %d with imap %p\n", result.error, imap); +@@ -1107,7 +1107,7 @@ int imap_threaded_starttls(Folder * folder, const gchar *host, int port) + debug_print("imap starttls - end\n"); + + if (result.error == 0 && param.imap && !etpan_skip_ssl_cert_check) { +- if (etpan_certificate_check(param.imap->imap_stream, host, port) < 0) ++ if (etpan_certificate_check(param.imap->imap_stream, host, port) != TRUE) + return MAILIMAP_ERROR_SSL; + } + return result.error; +diff --git a/src/etpan/nntp-thread.c b/src/etpan/nntp-thread.c +index 84a2f83..7708d31 100644 +--- a/src/etpan/nntp-thread.c ++++ b/src/etpan/nntp-thread.c +@@ -423,7 +423,7 @@ int nntp_threaded_connect_ssl(Folder * folder, const char * server, int port) + threaded_run(folder, ¶m, &result, connect_ssl_run); + + if (result.error == NEWSNNTP_NO_ERROR && !etpan_skip_ssl_cert_check) { +- if (etpan_certificate_check(nntp->nntp_stream, server, port) < 0) ++ if (etpan_certificate_check(nntp->nntp_stream, server, port) != TRUE) + return -1; + } + debug_print("connect %d with nntp %p\n", result.error, nntp); +-- +1.9.2 + |