From a74e15a5c7185b941a24b0b61bc134397c8d5737 Mon Sep 17 00:00:00 2001 From: Nepu User Date: Sun, 27 Apr 2014 14:56:01 +0200 Subject: [PATCH 3/3] upstream commit 4d0f2b9b14819b26fbaa72ad129ec0c03e41400f --- src/common/ssl_certificate.c | 114 +++++++++++++++++++++++++++++-------------- src/etpan/etpan-ssl.c | 1 + src/etpan/imap-thread.c | 4 +- src/etpan/nntp-thread.c | 2 +- 4 files changed, 82 insertions(+), 39 deletions(-) diff --git a/src/common/ssl_certificate.c b/src/common/ssl_certificate.c index 72f73ac..48e55c9 100644 --- a/src/common/ssl_certificate.c +++ b/src/common/ssl_certificate.c @@ -207,33 +207,73 @@ size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey_t pkey, unsigned char **output) return key_size; } -static gnutls_x509_crt_t gnutls_d2i_X509_fp(FILE *fp, int format) +static int gnutls_d2i_X509_list_fp(FILE *fp, int format, gnutls_x509_crt_t **cert_list, gint *num_certs) { - gnutls_x509_crt_t cert = NULL; + gnutls_x509_crt_t *crt_list; + unsigned int max = 512; + unsigned int flags = 0; gnutls_datum_t tmp; struct stat s; int r; + + *cert_list = NULL; + *num_certs = 0; + + if (fp == NULL) + return -ENOENT; + if (fstat(fileno(fp), &s) < 0) { perror("fstat"); - return NULL; + return -errno; } + + crt_list=(gnutls_x509_crt_t*)malloc(max*sizeof(gnutls_x509_crt_t)); tmp.data = malloc(s.st_size); memset(tmp.data, 0, s.st_size); tmp.size = s.st_size; if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) { perror("fread"); free(tmp.data); - return NULL; + free(crt_list); + return -EIO; } - gnutls_x509_crt_init(&cert); - if ((r = gnutls_x509_crt_import(cert, &tmp, (format == 0)?GNUTLS_X509_FMT_DER:GNUTLS_X509_FMT_PEM)) < 0) { + if ((r = gnutls_x509_crt_list_import(crt_list, &max, + &tmp, format, flags)) < 0) { debug_print("cert import failed: %s\n", gnutls_strerror(r)); - gnutls_x509_crt_deinit(cert); - cert = NULL; + free(tmp.data); + free(crt_list); + return r; } free(tmp.data); - debug_print("got cert! %p\n", cert); + debug_print("got %d certs in crt_list! %p\n", max, &crt_list); + + *cert_list = crt_list; + *num_certs = max; + + return r; +} + +/* return one certificate, read from file */ +static gnutls_x509_crt_t gnutls_d2i_X509_fp(FILE *fp, int format) +{ + gnutls_x509_crt_t *certs = NULL; + gnutls_x509_crt_t cert = NULL; + int i, ncerts, r; + + if ((r = gnutls_d2i_X509_list_fp(fp, format, &certs, &ncerts)) < 0) { + return NULL; + } + + if (ncerts == 0) + return NULL; + + for (i = 1; i < ncerts; i++) + gnutls_x509_crt_deinit(certs[i]); + + cert = certs[0]; + free(certs); + return cert; } @@ -474,8 +514,6 @@ static guint check_cert(gnutls_x509_crt_t cert) gnutls_x509_crt_t *ca_list; unsigned int max = 512; unsigned int flags = 0; - gnutls_datum_t tmp; - struct stat s; int r, i; unsigned int status; FILE *fp; @@ -485,34 +523,12 @@ static guint check_cert(gnutls_x509_crt_t cert) else return (guint)-1; - if (fstat(fileno(fp), &s) < 0) { - perror("fstat"); - fclose(fp); - return (guint)-1; - } - - ca_list=(gnutls_x509_crt_t*)malloc(max*sizeof(gnutls_x509_crt_t)); - tmp.data = malloc(s.st_size); - memset(tmp.data, 0, s.st_size); - tmp.size = s.st_size; - if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) { - perror("fread"); - free(tmp.data); - free(ca_list); - fclose(fp); - return (guint)-1; - } - - if ((r = gnutls_x509_crt_list_import(ca_list, &max, - &tmp, GNUTLS_X509_FMT_PEM, flags)) < 0) { + if ((r = gnutls_d2i_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &ca_list, &max)) < 0) { debug_print("cert import failed: %s\n", gnutls_strerror(r)); - free(tmp.data); - free(ca_list); fclose(fp); return (guint)-1; } - free(tmp.data); - debug_print("got %d certs in ca_list! %p\n", max, &ca_list); + r = gnutls_x509_crt_verify(cert, ca_list, max, flags, &status); fclose(fp); @@ -649,18 +665,44 @@ gboolean ssl_certificate_check (gnutls_x509_crt_t x509_cert, guint status, const gboolean ssl_certificate_check_chain(gnutls_x509_crt_t *certs, gint chain_len, const gchar *host, gushort port) { + int ncas = 0, ncrls = 0; + gnutls_x509_crt_t *cas = NULL; + gnutls_x509_crl_t *crls = NULL; gboolean result = FALSE; + int i; gint status; + if (claws_ssl_get_cert_file()) { + FILE *fp = g_fopen(claws_ssl_get_cert_file(), "rb"); + int r = -errno; + + if (fp) { + r = gnutls_d2i_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &cas, &ncas); + fclose(fp); + } + + if (r < 0) + g_warning("Can't read SSL_CERT_FILE %s: %s\n", + claws_ssl_get_cert_file(), + gnutls_strerror(r)); + } else { + debug_print("Can't find SSL ca-certificates file\n"); + } + + gnutls_x509_crt_list_verify (certs, chain_len, - NULL, 0, + cas, ncas, NULL, 0, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &status); result = ssl_certificate_check(certs[0], status, host, port); + for (i = 0; i < ncas; i++) + gnutls_x509_crt_deinit(cas[i]); + free(cas); + return result; } diff --git a/src/etpan/etpan-ssl.c b/src/etpan/etpan-ssl.c index c9dc9d8..f99955b 100644 --- a/src/etpan/etpan-ssl.c +++ b/src/etpan/etpan-ssl.c @@ -125,6 +125,7 @@ gboolean etpan_certificate_check(mailstream *stream, const char *host, gint port for (i = 0; i < chain_len; i++) gnutls_x509_crt_deinit(certs[i]); + free(certs); return result; #endif diff --git a/src/etpan/imap-thread.c b/src/etpan/imap-thread.c index 4332f59..f0b504e 100644 --- a/src/etpan/imap-thread.c +++ b/src/etpan/imap-thread.c @@ -570,7 +570,7 @@ int imap_threaded_connect_ssl(Folder * folder, const char * server, int port) if ((result.error == MAILIMAP_NO_ERROR_AUTHENTICATED || result.error == MAILIMAP_NO_ERROR_NON_AUTHENTICATED) && !etpan_skip_ssl_cert_check) { - if (etpan_certificate_check(imap->imap_stream, server, port) < 0) + if (etpan_certificate_check(imap->imap_stream, server, port) != TRUE) result.error = MAILIMAP_ERROR_SSL; } debug_print("connect %d with imap %p\n", result.error, imap); @@ -1107,7 +1107,7 @@ int imap_threaded_starttls(Folder * folder, const gchar *host, int port) debug_print("imap starttls - end\n"); if (result.error == 0 && param.imap && !etpan_skip_ssl_cert_check) { - if (etpan_certificate_check(param.imap->imap_stream, host, port) < 0) + if (etpan_certificate_check(param.imap->imap_stream, host, port) != TRUE) return MAILIMAP_ERROR_SSL; } return result.error; diff --git a/src/etpan/nntp-thread.c b/src/etpan/nntp-thread.c index 84a2f83..7708d31 100644 --- a/src/etpan/nntp-thread.c +++ b/src/etpan/nntp-thread.c @@ -423,7 +423,7 @@ int nntp_threaded_connect_ssl(Folder * folder, const char * server, int port) threaded_run(folder, ¶m, &result, connect_ssl_run); if (result.error == NEWSNNTP_NO_ERROR && !etpan_skip_ssl_cert_check) { - if (etpan_certificate_check(nntp->nntp_stream, server, port) < 0) + if (etpan_certificate_check(nntp->nntp_stream, server, port) != TRUE) return -1; } debug_print("connect %d with nntp %p\n", result.error, nntp); -- 1.9.2