[Pkg-wmaker-commits] [wmbiff] 06/84: a start at certificate checking (a daunting task at the moment)

Doug Torrance dtorrance-guest at moszumanska.debian.org
Thu Aug 20 03:01:45 UTC 2015 

This is an automated email from the git hooks/post-receive script.

dtorrance-guest pushed a commit to tag wmbiff_0_4_10
in repository wmbiff.

commit 72b7ec0173f46405db2bc271371624f09c12f0c0
Author: bluehal <bluehal>
Date:   Sat Jun 1 06:00:20 2002 +0000

    a start at certificate checking (a daunting task at the moment)
---
 wmbiff/tlsComm.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 81 insertions(+), 1 deletion(-)

diff --git a/wmbiff/tlsComm.c b/wmbiff/tlsComm.c
index fb6764c..d902a53 100644
--- a/wmbiff/tlsComm.c
+++ b/wmbiff/tlsComm.c
@@ -30,6 +30,9 @@
 
 #include "Client.h"				/* debugging messages */
 
+/* if non-null, set to a file for certificate verification */
+extern const char *certificate_filename;
+
 /* WARNING: implcitly uses scs to gain access to the mailbox
    that holds the per-mailbox debug flag. */
 #define TDM(lvl, args...) DM(scs->pc, lvl, "comm: " args)
@@ -346,6 +349,51 @@ static int print_info(GNUTLS_STATE state)
 	return 0;
 }
 
+/* a start of a hack at verifying certificates.  does not
+   provide any security at all.  I'm waiting for either
+   gnutls to make this as easy as it should be, or someone
+   to port Andrew McDonald's gnutls-for-mutt patch.
+*/
+int tls_check_certificate(struct connection_state *scs)
+{
+	CertificateStatus certstat;
+	const gnutls_datum *cert_list;
+	int cert_list_size = 0;
+
+	if (gnutls_auth_get_type(scs->state) != GNUTLS_X509PKI) {
+		TDM(DEBUG_ERROR, "Unable to get certificate from peer.\n");
+		exit(1);
+	}
+	certstat =
+		gnutls_x509pki_client_get_peer_certificate_status(scs->state);
+	switch (certstat) {
+	case GNUTLS_CERT_TRUSTED:
+		TDM(DEBUG_INFO, "certificate is trusted.\n");
+		return 0;
+	case GNUTLS_CERT_NOT_TRUSTED:
+		/* note, here is one place where we provide no security */
+		TDM(DEBUG_INFO, "certificate is not trusted (but valid).\n");
+		return 0;
+	case GNUTLS_CERT_INVALID:
+		TDM(DEBUG_ERROR, "certificate is invalid.\n");
+		exit(1);
+	case GNUTLS_CERT_EXPIRED:
+		TDM(DEBUG_ERROR, "certificate has expired.\n");
+		exit(1);
+	case GNUTLS_CERT_NONE:
+		TDM(DEBUG_ERROR, "server has no certificate.\n");
+		exit(1);
+	}
+	/* not checking for not-yet-valid certs... this would make sense
+	   if we weren't just comparing to stored ones */
+	cert_list =
+		gnutls_x509pki_client_get_peer_certificate_list(scs->state,
+														&cert_list_size);
+
+	TDM(DEBUG_INFO, "certificate check ok.\n");
+	return (0);
+}
+
 struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc)
 {
 	static int gnutls_initialized;
@@ -375,15 +423,38 @@ struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc)
 		assert(gnutls_kx_set_priority(scs->state, key_exch) == 0);
 		assert(gnutls_mac_set_priority(scs->state, mac) == 0);
 		/* no client private key */
-		if (gnutls_x509pki_allocate_sc(&scs->xcred, 0) < 0) {
+		if (gnutls_x509pki_allocate_sc(&scs->xcred, 1) < 0) {
 			DMA(DEBUG_ERROR, "gnutls memory error\n");
 			exit(1);
 		}
+
+		/* certfile really isn't supported; this is just a start. */
+		if (certificate_filename != NULL) {
+			if (!exists(certificate_filename)) {
+				DMA(DEBUG_ERROR,
+					"Certificate file (certfile=) %s not found.\n",
+					certificate_filename);
+				exit(1);
+			}
+			zok = gnutls_x509pki_set_client_trust_file(scs->xcred,
+													   certificate_filename,
+													   "");
+			if (zok != 0) {
+				DMA(DEBUG_ERROR,
+					"GNUTLS did not like your certificate file %s.\n",
+					certificate_filename);
+				gnutls_perror(zok);
+				exit(1);
+			}
+		}
+
 		gnutls_cred_set(scs->state, GNUTLS_X509PKI, scs->xcred);
 		gnutls_transport_set_ptr(scs->state, sd);
 		do {
 			zok = gnutls_handshake(scs->state);
 		} while (zok == GNUTLS_E_INTERRUPTED || zok == GNUTLS_E_AGAIN);
+
+		tls_check_certificate(scs);
 	}
 
 	if (zok < 0) {
@@ -479,3 +550,12 @@ int tlscomm_is_blacklisted(const struct connection_state *scs)
 {
 	return (scs != NULL && scs->sd == -1);
 }
+
+/* vim:set ts=4: */
+/*
+ * Local Variables:
+ * tab-width: 4
+ * c-indent-level: 4
+ * c-basic-offset: 4
+ * End:
+ */

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-wmaker/wmbiff.git

More information about the Pkg-wmaker-commits mailing list