Do more like what mutt does so hopefully this'll fix bug #16363 and
2002-01-02 Jeffrey Stedfast <fejj@ximian.com> * camel-tcp-stream-ssl.c (ssl_bad_cert): Do more like what mutt does so hopefully this'll fix bug #16363 and #16300. svn path=/trunk/; revision=15226

committed by
Jeffrey Stedfast

parent
178c7af85f
commit
57a95b0977
@ -1,3 +1,8 @@
|
|||||||
|
2002-01-02 Jeffrey Stedfast <fejj@ximian.com>
|
||||||
|
|
||||||
|
* camel-tcp-stream-ssl.c (ssl_bad_cert): Do more like what mutt
|
||||||
|
does so hopefully this'll fix bug #16363 and #16300.
|
||||||
|
|
||||||
2001-12-21 Jeffrey Stedfast <fejj@ximian.com>
|
2001-12-21 Jeffrey Stedfast <fejj@ximian.com>
|
||||||
|
|
||||||
* broken-date-parser.c (parse_broken_date): Completely
|
* broken-date-parser.c (parse_broken_date): Completely
|
||||||
|
@ -41,10 +41,12 @@
|
|||||||
#include <cert.h>
|
#include <cert.h>
|
||||||
#include <certdb.h>
|
#include <certdb.h>
|
||||||
#include <pk11func.h>
|
#include <pk11func.h>
|
||||||
|
#include <sechash.h>
|
||||||
|
|
||||||
#include "camel-tcp-stream-ssl.h"
|
#include "camel-tcp-stream-ssl.h"
|
||||||
#include "camel-session.h"
|
#include "camel-session.h"
|
||||||
|
|
||||||
|
|
||||||
static CamelTcpStreamClass *parent_class = NULL;
|
static CamelTcpStreamClass *parent_class = NULL;
|
||||||
|
|
||||||
/* Returns the class for a CamelTcpStreamSSL */
|
/* Returns the class for a CamelTcpStreamSSL */
|
||||||
@ -253,8 +255,8 @@ ssl_get_client_auth (void *data, PRFileDesc *sockfd,
|
|||||||
|
|
||||||
proto_win = SSL_RevealPinArg (sockfd);
|
proto_win = SSL_RevealPinArg (sockfd);
|
||||||
|
|
||||||
if ((char *)data) {
|
if ((char *) data) {
|
||||||
cert = PK11_FindCertFromNickname ((char *)data, proto_win);
|
cert = PK11_FindCertFromNickname ((char *) data, proto_win);
|
||||||
if (cert) {
|
if (cert) {
|
||||||
privKey = PK11_FindKeyByAnyCert (cert, proto_win);
|
privKey = PK11_FindKeyByAnyCert (cert, proto_win);
|
||||||
if (privkey) {
|
if (privkey) {
|
||||||
@ -274,7 +276,6 @@ ssl_get_client_auth (void *data, PRFileDesc *sockfd,
|
|||||||
|
|
||||||
if (names != NULL) {
|
if (names != NULL) {
|
||||||
for (i = 0; i < names->numnicknames; i++) {
|
for (i = 0; i < names->numnicknames; i++) {
|
||||||
|
|
||||||
cert = PK11_FindCertFromNickname (names->nicknames[i],
|
cert = PK11_FindCertFromNickname (names->nicknames[i],
|
||||||
proto_win);
|
proto_win);
|
||||||
if (!cert)
|
if (!cert)
|
||||||
@ -345,7 +346,7 @@ ssl_auth_cert (void *data, PRFileDesc *sockfd, PRBool checksig, PRBool is_server
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (host)
|
if (host)
|
||||||
PR_Free (hostName);
|
PR_Free (host);
|
||||||
|
|
||||||
return secStatus;
|
return secStatus;
|
||||||
}
|
}
|
||||||
@ -401,11 +402,13 @@ ssl_cert_is_saved (const char *certid)
|
|||||||
static SECStatus
|
static SECStatus
|
||||||
ssl_bad_cert (void *data, PRFileDesc *sockfd)
|
ssl_bad_cert (void *data, PRFileDesc *sockfd)
|
||||||
{
|
{
|
||||||
CamelTcpStreamSSL *ssl;
|
unsigned char md5sum[16], fingerprint[40], *f;
|
||||||
CERTCertificate *cert;
|
CERTCertificate *cert, *issuer;
|
||||||
CamelService *service;
|
gboolean accept, valid_cert;
|
||||||
char *prompt, *cert_str;
|
char *prompt, *cert_str;
|
||||||
gboolean accept;
|
CamelTcpStreamSSL *ssl;
|
||||||
|
CamelService *service;
|
||||||
|
int i;
|
||||||
|
|
||||||
g_return_val_if_fail (data != NULL, SECFailure);
|
g_return_val_if_fail (data != NULL, SECFailure);
|
||||||
g_return_val_if_fail (CAMEL_IS_TCP_STREAM_SSL (data), SECFailure);
|
g_return_val_if_fail (CAMEL_IS_TCP_STREAM_SSL (data), SECFailure);
|
||||||
@ -419,23 +422,25 @@ ssl_bad_cert (void *data, PRFileDesc *sockfd)
|
|||||||
|
|
||||||
cert = SSL_PeerCertificate (sockfd);
|
cert = SSL_PeerCertificate (sockfd);
|
||||||
|
|
||||||
cert_str = g_strdup_printf (_("EMail: %s\n"
|
/* calculate the MD5 hash of the raw certificate */
|
||||||
"Common Name: %s\n"
|
/*md5_get_digest (cert->derCert.data, cert->derCert.len, md5sum);*/
|
||||||
"Organization Unit: %s\n"
|
HASH_HashBuf (HASH_AlgMD5, md5sum, cert->derCert.data, cert->derCert.len);
|
||||||
"Organization: %s\n"
|
for (i = 0, f = fingerprint; i < 16; i++, f += 3)
|
||||||
"Locality: %s\n"
|
sprintf (f, "%.2x%c", md5sum[i], i != 15 ? ':' : '\0');
|
||||||
"State: %s\n"
|
|
||||||
"Country: %s"),
|
issuer = CERT_FindCertByName (CERT_GetDefaultCertDB (), &cert->derIssuer);
|
||||||
cert->emailAddr ? cert->emailAddr : "",
|
valid_cert = issuer && CERT_VerifySignedData (&cert->signatureWrap, issuer, PR_Now (), NULL);
|
||||||
CERT_GetCommonName (&cert->issuer) ? CERT_GetCommonName (&cert->issuer) : "",
|
|
||||||
CERT_GetOrgUnitName (&cert->issuer) ? CERT_GetOrgUnitName (&cert->issuer) : "",
|
cert_str = g_strdup_printf (_("Issuer: %s\n"
|
||||||
CERT_GetOrgName (&cert->issuer) ? CERT_GetOrgName (&cert->issuer) : "",
|
"Subject: %s\n"
|
||||||
CERT_GetLocalityName (&cert->issuer) ? CERT_GetLocalityName (&cert->issuer) : "",
|
"Fingerprint: %s\n"
|
||||||
CERT_GetStateName (&cert->issuer) ? CERT_GetStateName (&cert->issuer) : "",
|
"Signature: %s"),
|
||||||
CERT_GetCountryName (&cert->issuer) ? CERT_GetCountryName (&cert->issuer) : "");
|
CERT_NameToAscii (&cert->issuer),
|
||||||
|
CERT_NameToAscii (&cert->subject),
|
||||||
|
fingerprint, valid_cert ? _("GOOD") : _("BAD"));
|
||||||
|
|
||||||
/* construct our user prompt */
|
/* construct our user prompt */
|
||||||
prompt = g_strdup_printf (_("Bad certificate from %s:\n\n%s\n\nDo you wish to accept anyway?"),
|
prompt = g_strdup_printf (_("SSL Certificate check for %s:\n\n%s\n\nDo you wish to accept?"),
|
||||||
service->url->host, cert_str);
|
service->url->host, cert_str);
|
||||||
g_free (cert_str);
|
g_free (cert_str);
|
||||||
|
|
||||||
@ -444,6 +449,17 @@ ssl_bad_cert (void *data, PRFileDesc *sockfd)
|
|||||||
g_free (prompt);
|
g_free (prompt);
|
||||||
|
|
||||||
if (accept) {
|
if (accept) {
|
||||||
|
#if 0
|
||||||
|
/* this is how mutt does it but last time I tried to
|
||||||
|
use CERT_AddTempCertToPerm() I got link errors and
|
||||||
|
I have also been told by the nss devs that that
|
||||||
|
function has been deprecated... */
|
||||||
|
CERTCertTrust trust;
|
||||||
|
|
||||||
|
CERT_DecodeTrustString (&trust, "P,,");
|
||||||
|
|
||||||
|
CERT_AddTempCertToPerm (cert, NULL, &trust);
|
||||||
|
#else
|
||||||
SECItem *certs[1];
|
SECItem *certs[1];
|
||||||
|
|
||||||
if (!cert->trust)
|
if (!cert->trust)
|
||||||
@ -457,9 +473,9 @@ ssl_bad_cert (void *data, PRFileDesc *sockfd)
|
|||||||
NULL, TRUE, FALSE, cert->nickname);
|
NULL, TRUE, FALSE, cert->nickname);
|
||||||
|
|
||||||
/* and since the above code doesn't seem to
|
/* and since the above code doesn't seem to
|
||||||
work... time for a good ol' fashioned hack */
|
work... time for a good ol' fashioned hack */
|
||||||
save_ssl_cert (ssl->priv->expected_host);
|
save_ssl_cert (ssl->priv->expected_host);
|
||||||
|
#endif
|
||||||
return SECSuccess;
|
return SECSuccess;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -495,7 +511,7 @@ stream_connect (CamelTcpStream *stream, struct hostent *host, int port)
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*SSL_GetClientAuthDataHook (sslSocket, ssl_get_client_auth, (void *)certNickname);*/
|
/*SSL_GetClientAuthDataHook (sslSocket, ssl_get_client_auth, (void *) certNickname);*/
|
||||||
/*SSL_AuthCertificateHook (ssl_fd, ssl_auth_cert, (void *) CERT_GetDefaultCertDB ());*/
|
/*SSL_AuthCertificateHook (ssl_fd, ssl_auth_cert, (void *) CERT_GetDefaultCertDB ());*/
|
||||||
SSL_BadCertHook (ssl_fd, ssl_bad_cert, ssl);
|
SSL_BadCertHook (ssl_fd, ssl_bad_cert, ssl);
|
||||||
|
|
||||||
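Review bot: In the ssl_bad_cert hunk (@ -419,23 +422,25) the fingerprint loop writes three bytes per MD5 byte over 16 iterations, 48 bytes including the terminating NUL, but the array declared in the preceding hunk (@ -401,11 +402,13) is `unsigned char md5sum[16], fingerprint[40], *f;`, so the last iterations overrun the stack buffer; `char fingerprint[48], *f;` sizes it correctly and also matches the `char *` that sprintf expects. The `valid_cert = issuer && CERT_VerifySignedData (...)` test looks inverted: NSS's SECStatus has SECSuccess == 0 and SECFailure == -1 (the same enum this function returns through `g_return_val_if_fail (..., SECFailure)`), so a failed signature check would be shown to the user as "GOOD" in the acceptance prompt; compare explicitly, `valid_cert = issuer && CERT_VerifySignedData (&cert->signatureWrap, issuer, PR_Now (), NULL) == SECSuccess;`. The strings returned by the two CERT_NameToAscii calls and the `issuer` certificate obtained from CERT_FindCertByName appear never to be released before the function returns, and the HASH_HashBuf result is not checked. ssl_bad_cert's body continues outside these hunks.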
|