diff options
Diffstat (limited to 'camel/camel-tcp-stream-ssl.c')
-rw-r--r-- | camel/camel-tcp-stream-ssl.c | 68 |
1 files changed, 24 insertions, 44 deletions
diff --git a/camel/camel-tcp-stream-ssl.c b/camel/camel-tcp-stream-ssl.c index b63586ac9c..46a8dfa6e3 100644 --- a/camel/camel-tcp-stream-ssl.c +++ b/camel/camel-tcp-stream-ssl.c @@ -42,14 +42,9 @@ #include <certdb.h> #include <pk11func.h> -/* this is commented because otherwise we get an error about the - redefinition of MD5Context...yay */ -/*#include <e-util/md5-utils.h>*/ - #include "camel-tcp-stream-ssl.h" #include "camel-session.h" - static CamelTcpStreamClass *parent_class = NULL; /* Returns the class for a CamelTcpStreamSSL */ @@ -258,8 +253,8 @@ ssl_get_client_auth (void *data, PRFileDesc *sockfd, proto_win = SSL_RevealPinArg (sockfd); - if ((char *) data) { - cert = PK11_FindCertFromNickname ((char *) data, proto_win); + if ((char *)data) { + cert = PK11_FindCertFromNickname ((char *)data, proto_win); if (cert) { privKey = PK11_FindKeyByAnyCert (cert, proto_win); if (privkey) { @@ -279,6 +274,7 @@ ssl_get_client_auth (void *data, PRFileDesc *sockfd, if (names != NULL) { for (i = 0; i < names->numnicknames; i++) { + cert = PK11_FindCertFromNickname (names->nicknames[i], proto_win); if (!cert) @@ -349,7 +345,7 @@ ssl_auth_cert (void *data, PRFileDesc *sockfd, PRBool checksig, PRBool is_server } if (host) - PR_Free (host); + PR_Free (hostName); return secStatus; } @@ -405,13 +401,11 @@ ssl_cert_is_saved (const char *certid) static SECStatus ssl_bad_cert (void *data, PRFileDesc *sockfd) { - unsigned char md5sum[16], fingerprint[40], *f; - gboolean accept, valid_cert; - char *prompt, *cert_str; CamelTcpStreamSSL *ssl; CERTCertificate *cert; CamelService *service; - int i; + char *prompt, *cert_str; + gboolean accept; g_return_val_if_fail (data != NULL, SECFailure); g_return_val_if_fail (CAMEL_IS_TCP_STREAM_SSL (data), SECFailure); @@ -425,26 +419,23 @@ ssl_bad_cert (void *data, PRFileDesc *sockfd) cert = SSL_PeerCertificate (sockfd); - /* calculate the MD5 hash of the raw certificate */ - md5_get_digest (cert->derCert.data, cert->derCert.len, md5sum); - /*HASH_HashBuf (HASH_AlgMD5, md5sum, cert->derCert.data, cert->derCert.len);*/ - for (i = 0, f = fingerprint; i < 16; i++, f += 3) - sprintf (f, "%.2x%c", md5sum[i], i != 15 ? ':' : '\0'); - - valid_cert = CERT_VerifyCertNow (CERT_GetDefaultCertDB (), cert, TRUE, certUsageSSLClient, NULL); - /*issuer = CERT_FindCertByName (CERT_GetDefaultCertDB (), &cert->derIssuer); - valid_cert = issuer && CERT_VerifySignedData (&cert->signatureWrap, issuer, PR_Now (), NULL);*/ - - cert_str = g_strdup_printf (_("Issuer: %s\n" - "Subject: %s\n" - "Fingerprint: %s\n" - "Signature: %s"), - CERT_NameToAscii (&cert->issuer), - CERT_NameToAscii (&cert->subject), - fingerprint, valid_cert ? _("GOOD") : _("BAD")); + cert_str = g_strdup_printf (_("EMail: %s\n" + "Common Name: %s\n" + "Organization Unit: %s\n" + "Organization: %s\n" + "Locality: %s\n" + "State: %s\n" + "Country: %s"), + cert->emailAddr ? cert->emailAddr : "", + CERT_GetCommonName (&cert->issuer) ? CERT_GetCommonName (&cert->issuer) : "", + CERT_GetOrgUnitName (&cert->issuer) ? CERT_GetOrgUnitName (&cert->issuer) : "", + CERT_GetOrgName (&cert->issuer) ? CERT_GetOrgName (&cert->issuer) : "", + CERT_GetLocalityName (&cert->issuer) ? CERT_GetLocalityName (&cert->issuer) : "", + CERT_GetStateName (&cert->issuer) ? CERT_GetStateName (&cert->issuer) : "", + CERT_GetCountryName (&cert->issuer) ? CERT_GetCountryName (&cert->issuer) : ""); /* construct our user prompt */ - prompt = g_strdup_printf (_("SSL Certificate check for %s:\n\n%s\n\nDo you wish to accept?"), + prompt = g_strdup_printf (_("Bad certificate from %s:\n\n%s\n\nDo you wish to accept anyway?"), service->url->host, cert_str); g_free (cert_str); @@ -453,17 +444,6 @@ ssl_bad_cert (void *data, PRFileDesc *sockfd) g_free (prompt); if (accept) { -#if 0 - /* this is how mutt does it but last time I tried to - use CERT_AddTempCertToPerm() I got link errors and - I have also been told by the nss devs that that - function has been deprecated... */ - CERTCertTrust trust; - - CERT_DecodeTrustString (&trust, "P,,"); - - CERT_AddTempCertToPerm (cert, NULL, &trust); -#else SECItem *certs[1]; if (!cert->trust) @@ -477,9 +457,9 @@ ssl_bad_cert (void *data, PRFileDesc *sockfd) NULL, TRUE, FALSE, cert->nickname); /* and since the above code doesn't seem to - work... time for a good ol' fashioned hack */ + work... time for a good ol' fashioned hack */ save_ssl_cert (ssl->priv->expected_host); -#endif + return SECSuccess; } @@ -515,7 +495,7 @@ stream_connect (CamelTcpStream *stream, struct hostent *host, int port) return -1; } - /*SSL_GetClientAuthDataHook (sslSocket, ssl_get_client_auth, (void *) certNickname);*/ + /*SSL_GetClientAuthDataHook (sslSocket, ssl_get_client_auth, (void *)certNickname);*/ /*SSL_AuthCertificateHook (ssl_fd, ssl_auth_cert, (void *) CERT_GetDefaultCertDB ());*/ SSL_BadCertHook (ssl_fd, ssl_bad_cert, ssl); |