File claws-mail-verify-hostname.patch of Package claws-mail
Index: src/common/ssl.c
===================================================================
--- src/common/ssl.c.orig
+++ src/common/ssl.c
@@ -104,6 +104,7 @@ const gchar *claws_ssl_get_cert_file(voi
 const char *cert_files[]={
 "/etc/pki/tls/certs/ca-bundle.crt",
 "/etc/certs/ca-bundle.crt",
+ "/etc/ssl/ca-bundle.pem",
 "/usr/share/ssl/certs/ca-bundle.crt",
 "/etc/ssl/certs/ca-certificates.crt",
 "/usr/local/ssl/certs/ca-bundle.crt",
Index: src/common/ssl_certificate.c
===================================================================
--- src/common/ssl_certificate.c.orig
+++ src/common/ssl_certificate.c
@@ -833,4 +833,22 @@ void ssl_certificate_get_x509_and_pkey_f
 gnutls_pkcs12_deinit(p12);
 }
 }
+
+gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert)
+{
+ return gnutls_x509_crt_check_hostname(cert->x509_cert, cert->host) != 0;
+}
+
+gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert)
+{
+ gchar subject_cn[BUFFSIZE];
+ size_t n = BUFFSIZE;
+
+ if(gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
+ GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_cn, &n))
+ strncpy(subject_cn, _("<not in certificate>"), BUFFSIZE);
+
+ return g_strdup(subject_cn);
+}
+
 #endif /* USE_GNUTLS */
Index: src/common/ssl_certificate.h
===================================================================
--- src/common/ssl_certificate.h.orig
+++ src/common/ssl_certificate.h
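Review bot: In `ssl_certificate_get_subject_cn` the fallback `strncpy(subject_cn, _("<not in certificate>"), BUFFSIZE)` does not guarantee NUL termination if a translation of that string ever reaches BUFFSIZE bytes, and the following `g_strdup(subject_cn)` would then read past the end of the stack buffer; `g_strlcpy(subject_cn, _("<not in certificate>"), sizeof subject_cn);` is the GLib-idiomatic bounded copy. The name `ssl_certificate_check_subject_cn` also undersells what it does: `gnutls_x509_crt_check_hostname` matches subjectAltName entries as well as the subject CN, so a comment such as `/* TRUE if cert->host matches a SAN entry or the subject CN (gnutls_x509_crt_check_hostname) */` would stop a reader assuming CN-only semantics. Whether `cert->host` can be NULL here cannot be told from the hunk; if it can, return FALSE before calling into gnutls.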
@@ -63,13 +63,13 @@ void ssl_certificate_delete_from_disk(SS
 char * readable_fingerprint(unsigned char *src, int len);
 char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status);
-#ifdef USE_GNUTLS
 gnutls_x509_crt ssl_certificate_get_x509_from_pem_file(const gchar *file);
 gnutls_x509_privkey ssl_certificate_get_pkey_from_pem_file(const gchar *file);
 void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gchar *password, gnutls_x509_crt *crt, gnutls_x509_privkey *key);
 size_t gnutls_i2d_X509(gnutls_x509_crt x509_cert, unsigned char **output);
 size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey pkey, unsigned char **output);
-#endif
+gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert);
+gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert);
 #endif /* USE_GNUTLS */
 #endif /* SSL_CERTIFICATE_H */
Index: src/gtk/sslcertwindow.c
===================================================================
--- src/gtk/sslcertwindow.c.orig
+++ src/gtk/sslcertwindow.c
@@ -284,6 +284,7 @@ static gboolean sslcert_ask_hook(gpointe
 } else {
 hookdata->accept = sslcertwindow_ask_changed_cert(hookdata->old_cert, hookdata->cert);
 }
+ return TRUE;
 }
@@ -303,6 +304,24 @@ void sslcertwindow_show_cert(SSLCertific
 g_free(buf);
 }
+static gchar *sslcertwindow_get_invalid_str(SSLCertificate *cert)
+{
+ gchar *subject_cn = NULL;
+ gchar *str = NULL;
+
+ if (ssl_certificate_check_subject_cn(cert))
+ return g_strdup("");
+
+ subject_cn = ssl_certificate_get_subject_cn(cert);
+
+ str = g_strdup_printf(_("Certificate is for %s, but connection is to %s.\n"
+ "You may be connecting to a rogue server.\n\n"),
+ subject_cn, cert->host);
+ g_free(subject_cn);
+
+ return str;
+}
+
 static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
 {
 gchar *buf, *sig_status;
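Review bot: The new prototype `gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert);` hands back a `g_strdup`'d string, but nothing in the header says the caller owns it, and the `ssl_certificate_check_subject_cn` name does not say that the match also covers subjectAltName. I would put above the two declarations: `/* TRUE if cert->host matches a SAN entry or the subject CN (gnutls_x509_crt_check_hostname). */` and `/* Returns the subject CN, or a placeholder if absent; caller must g_free() the result. */`.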
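Review bot: In `sslcertwindow_get_invalid_str` the value of `subject_cn` comes straight out of the peer's certificate and is formatted into the warning text unchanged, so a CN containing newlines or other control characters can reshape the message the user reads before deciding to accept. Escaping it first, e.g. `gchar *shown = g_strescape(subject_cn, NULL);` and passing `shown` to `g_strdup_printf` (freeing it afterwards), keeps the attacker-chosen text on one line. Note also that the CN shown may not be the name gnutls actually compared, since `gnutls_x509_crt_check_hostname` consults subjectAltName as well; a comment on the message line saying so would help the next reader.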
@@ -311,9 +330,11 @@ static gboolean sslcertwindow_ask_new_ce
 GtkWidget *label;
 GtkWidget *button;
 GtkWidget *cert_widget;
-
+ gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
+ const gchar *title;
+
 vbox = gtk_vbox_new(FALSE, 5);
- buf = g_strdup_printf(_("Certificate for %s is unknown.\nDo you want to accept it?"), cert->host);
+ buf = g_strdup_printf(_("Certificate for %s is unknown.\n%sDo you want to accept it?"), cert->host, invalid_str);
 label = gtk_label_new(buf);
 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
@@ -336,7 +357,12 @@ static gboolean sslcertwindow_ask_new_ce
 cert_widget = cert_presenter(cert);
 gtk_container_add(GTK_CONTAINER(button), cert_widget);
- val = alertpanel_full(_("Unknown SSL Certificate"), NULL,
+ if (!ssl_certificate_check_subject_cn(cert))
+ title = _("SSL certificate is invalid");
+ else
+ title = _("SSL Certificate is unknown");
+
+ val = alertpanel_full(title, NULL,
 _("_Cancel connection"), _("_Accept and save"), NULL,
 FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
@@ -351,9 +377,13 @@ static gboolean sslcertwindow_ask_expire
 GtkWidget *label;
 GtkWidget *button;
 GtkWidget *cert_widget;
-
+ gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
+ const gchar *title;
+
 vbox = gtk_vbox_new(FALSE, 5);
- buf = g_strdup_printf(_("Certificate for %s is expired.\nDo you want to continue?"), cert->host);
+ buf = g_strdup_printf(_("Certificate for %s is expired.\n%sDo you want to continue?"), cert->host, invalid_str);
+ g_free(invalid_str);
+
 label = gtk_label_new(buf);
 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
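Review bot: `invalid_str` is allocated at the top of `sslcertwindow_ask_new_cert` but, unlike the expired and changed dialogs in this same patch, it is never released in this hunk; unless a `g_free(invalid_str)` sits further down the function outside the hunk, every unknown-certificate prompt leaks the string. Add `g_free(invalid_str);` immediately after the `buf = g_strdup_printf(...)` line, matching what the other two dialogs do. The function body continues outside the hunk.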
@@ -377,7 +407,12 @@ static gboolean sslcertwindow_ask_expire
 cert_widget = cert_presenter(cert);
 gtk_container_add(GTK_CONTAINER(button), cert_widget);
- val = alertpanel_full(_("Expired SSL Certificate"), NULL,
+ if (!ssl_certificate_check_subject_cn(cert))
+ title = _("SSL certificate is invalid and expired");
+ else
+ title = _("SSL certificate is expired");
+
+ val = alertpanel_full(title, NULL,
 _("_Cancel connection"), _("_Accept"), NULL,
 FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
@@ -394,7 +429,9 @@ static gboolean sslcertwindow_ask_change
 GtkWidget *label;
 GtkWidget *button;
 AlertValue val;
-
+ gchar *invalid_str = sslcertwindow_get_invalid_str(new_cert);
+ const gchar *title;
+
 vbox = gtk_vbox_new(FALSE, 5);
 label = gtk_label_new(_("New certificate:"));
 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
@@ -408,7 +445,9 @@ static gboolean sslcertwindow_ask_change
 gtk_widget_show_all(vbox);
 vbox2 = gtk_vbox_new(FALSE, 5);
- buf = g_strdup_printf(_("Certificate for %s has changed. Do you want to accept it?"), new_cert->host);
+ buf = g_strdup_printf(_("Certificate for %s has changed.\n%sDo you want to accept it?"), new_cert->host, invalid_str);
+ g_free(invalid_str);
+
 label = gtk_label_new(buf);
 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0);
@@ -431,7 +470,11 @@ static gboolean sslcertwindow_ask_change
 gtk_box_pack_start(GTK_BOX(vbox2), button, FALSE, FALSE, 0);
 gtk_container_add(GTK_CONTAINER(button), vbox);
- val = alertpanel_full(_("Changed SSL Certificate"), NULL,
+ if (!ssl_certificate_check_subject_cn(new_cert))
+ title = _("SSL certificate changed and is invalid");
+ else
+ title = _("SSL certificate changed");
+ val = alertpanel_full(title, NULL,
 _("_Cancel connection"), _("_Accept and save"), NULL,
 FALSE, vbox2, ALERT_WARNING, G_ALERTDEFAULT);
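Review bot: Style: the title branch in `sslcertwindow_ask_changed_cert` re-runs `ssl_certificate_check_subject_cn(new_cert)` although the same check already ran inside `sslcertwindow_get_invalid_str` earlier in the function, and this hunk, unlike the other three dialogs, also drops the blank line before `val = alertpanel_full(title, NULL,`. Evaluating the hostname match once near the top, `gboolean host_ok = ssl_certificate_check_subject_cn(new_cert);`, and deriving the title from `host_ok` keeps title and message from ever disagreeing and avoids the second gnutls call. The enclosing function starts outside the hunk.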