[Pkg-wmaker-commits] [wmbiff] 38/84: restore certificate checking
Doug Torrance
dtorrance-guest at moszumanska.debian.org
Thu Aug 20 03:01:53 UTC 2015
dtorrance-guest pushed a commit to tag wmbiff_0_4_10
in repository wmbiff.
commit a6601f46f0df89a1a4972ca2cdc8da7277ef0177
Author: bluehal <bluehal>
Date: Mon Jun 24 07:16:54 2002 +0000
restore certificate checking
---
wmbiff/tlsComm.c | 76 ++++++++++++++++++++++++++++++++------------------------
1 file changed, 44 insertions(+), 32 deletions(-)
diff --git a/wmbiff/tlsComm.c b/wmbiff/tlsComm.c
index f55ab53..c203db3 100644
--- a/wmbiff/tlsComm.c
+++ b/wmbiff/tlsComm.c
@@ -37,7 +37,7 @@ extern const char *certificate_filename;
that holds the per-mailbox debug flag. */
#define TDM(lvl, args...) DM(scs->pc, lvl, "comm: " args)
-/* how long to wait for the server to do its thing
+/* how long to wait for the server to do its thing
when we issue it a command (in seconds) */
#define EXPECT_TIMEOUT 20
@@ -267,47 +267,56 @@ void tlscomm_printf(struct connection_state *scs, const char *format, ...)
gnutls to make this as easy as it should be, or someone
to port Andrew McDonald's gnutls-for-mutt patch.
*/
-#ifdef FAILS_TO_COMPILE
int tls_check_certificate(struct connection_state *scs)
{
- CertificateStatus certstat; */
+ GNUTLS_CertificateStatus certstat;
const gnutls_datum *cert_list;
int cert_list_size = 0;
- if (gnutls_auth_get_type(scs->state) != GNUTLS_X509PKI) {
+ if (gnutls_auth_get_type(scs->state) != GNUTLS_CRD_CERTIFICATE) {
TDM(DEBUG_ERROR, "Unable to get certificate from peer.\n");
exit(1);
}
- certstat =
- gnutls_x509pki_client_get_peer_certificate_status(scs->state);
- switch (certstat) {
- case GNUTLS_CERT_TRUSTED:
- TDM(DEBUG_INFO, "certificate is trusted.\n");
- return 0;
- case GNUTLS_CERT_NOT_TRUSTED:
- /* note, here is one place where we provide no security */
- TDM(DEBUG_INFO, "certificate is not trusted (but valid).\n");
- return 0;
- case GNUTLS_CERT_INVALID:
- TDM(DEBUG_ERROR, "certificate is invalid.\n");
+ certstat = gnutls_certificate_verify_peers(scs->state);
+ if (certstat ==
+ (GNUTLS_CertificateStatus) GNUTLS_E_NO_CERTIFICATE_FOUND) {
+ TDM(DEBUG_ERROR, "server has no certificate.\n");
exit(1);
- case GNUTLS_CERT_EXPIRED:
- TDM(DEBUG_ERROR, "certificate has expired.\n");
+ } else if (certstat & GNUTLS_CERT_CORRUPTED) {
+ TDM(DEBUG_ERROR, "server's certificate is corrupt.\n");
exit(1);
- case GNUTLS_CERT_NONE:
- TDM(DEBUG_ERROR, "server has no certificate.\n");
+ } else if (certstat & GNUTLS_CERT_REVOKED) {
+ TDM(DEBUG_ERROR, "server's certificate has been revoked.\n");
+ exit(1);
+ } else if (certstat & GNUTLS_CERT_INVALID) {
+ TDM(DEBUG_ERROR, "server's certificate is invalid.\n");
exit(1);
+ } else if (certstat & GNUTLS_CERT_NOT_TRUSTED) {
+ TDM(DEBUG_INFO, "server's certificate is not trusted.\n");
+ TDM(DEBUG_INFO,
+ "at the moment, wmbiff doesn't trust certificates.\n");
}
+
/* not checking for not-yet-valid certs... this would make sense
if we weren't just comparing to stored ones */
- cert_list =
- gnutls_x509pki_client_get_peer_certificate_list(scs->state,
- &cert_list_size);
+ cert_list = gnutls_certificate_get_peers(scs->state, &cert_list_size);
+
+ if (gnutls_x509_extract_certificate_expiration_time(&cert_list[0]) <
+ time(NULL)) {
+ TDM(DEBUG_ERROR, "server's certificate has expired.\n");
+ exit(1);
+ } else
+ if (gnutls_x509_extract_certificate_activation_time(&cert_list[0])
+ > time(NULL)) {
+ TDM(DEBUG_ERROR, "server's certificate is not yet valid.\n");
+ exit(1);
+ } else {
+ TDM(DEBUG_INFO, "certificate passed time check.\n");
+ }
TDM(DEBUG_INFO, "certificate check ok.\n");
return (0);
}
-#endif
struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc)
{
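Review bot: The `GNUTLS_CERT_NOT_TRUSTED` branch only logs and then falls through to the time checks and `return (0)`, so a certificate whose chain does not validate against the file loaded by gnutls_certificate_set_x509_trust_file still passes, and nothing compares the certificate's subject to the host being contacted; the two TDM lines say this is intended for now, but the final "certificate check ok." message hides it from anyone reading the log. If a validated chain is expected whenever a trust file was configured, the branch should fail closed like its neighbours, `TDM(DEBUG_ERROR, "server's certificate is not trusted.\n"); exit(1);`, otherwise the comment block above the function should state plainly that trust is not enforced. Separately, `gnutls_certificate_get_peers` can hand back a NULL list while `&cert_list[0]` is dereferenced without a guard; `if (cert_list == NULL || cert_list_size == 0) { TDM(DEBUG_ERROR, "server has no certificate.\n"); exit(1); }` before the expiration check would cover it. The `==` comparison against the cast negative `GNUTLS_E_NO_CERTIFICATE_FOUND` also looks fragile for a value the rest of the function treats as a bit mask; a `certstat < 0` check may be the more robust form, depending on which gnutls release this targets.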
@@ -328,11 +337,15 @@ struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc)
{
const int protocols[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
const int ciphers[] =
- { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 };
+ { GNUTLS_CIPHER_RIJNDAEL_128_CBC, GNUTLS_CIPHER_3DES_CBC,
+ GNUTLS_CIPHER_RIJNDAEL_256_CBC, GNUTLS_CIPHER_TWOFISH_128_CBC,
+ GNUTLS_CIPHER_ARCFOUR, 0
+ };
const int compress[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
- const int key_exch[] = { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS,
- GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP,
- GNUTLS_KX_ANON_DH, 0 };
+ const int key_exch[] = { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS,
+ GNUTLS_KX_DHE_RSA, 0
+ };
+ /* mutt with gnutls doesn't use kx_srp or kx_anon_dh */
const int mac[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
assert(gnutls_protocol_set_priority(scs->state, protocols) == 0);
assert(gnutls_cipher_set_priority(scs->state, ciphers) == 0);
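Review bot: The new cipher and key-exchange lists reach the library only through the `assert(gnutls_..._set_priority(...) == 0)` calls at the end of the hunk, so a build with NDEBUG drops the calls together with the check and the session runs with the library defaults instead of the priorities this hunk spells out; the calls belong outside assert with the result checked explicitly, e.g. `if (gnutls_cipher_set_priority(scs->state, ciphers) != 0) { DMA(DEBUG_ERROR, "unable to set cipher priority\n"); exit(1); }` (the assert lines themselves are context here, but the new lists depend on them). The comment `/* mutt with gnutls doesn't use kx_srp or kx_anon_dh */` is placed after the initializer it explains and reads better directly above `const int key_exch[]`. `GNUTLS_CIPHER_ARCFOUR` and `GNUTLS_MAC_MD5` remain as the last fallbacks while the stronger entries were added in front; if keeping them is deliberate, a one-line comment next to them would save the next reviewer the question. initialize_gnutls starts before and ends after this hunk.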
@@ -354,8 +367,9 @@ struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc)
exit(1);
}
zok = gnutls_certificate_set_x509_trust_file(scs->xcred,
- certificate_filename,
- GNUTLS_X509_FMT_PEM);
+ (char *)
+ certificate_filename,
+ GNUTLS_X509_FMT_PEM);
if (zok != 0) {
DMA(DEBUG_ERROR,
"GNUTLS did not like your certificate file %s.\n",
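Review bot: The `(char *)` cast on `certificate_filename` discards the const the variable is declared with (`extern const char *certificate_filename` in the first hunk's header) without saying why; a comment such as `/* cast only silences the non-const prototype; gnutls does not write through it */` keeps a later reader from dropping the const at the declaration instead. The surrounding `if (zok != 0)` treats any non-zero return as failure; in later gnutls releases gnutls_certificate_set_x509_trust_file returns the number of certificates loaded, so if this code is ever built against such a version a valid trust file would be rejected with the "GNUTLS did not like your certificate file" message — `if (zok < 0)` works for both return conventions, provided an empty trust file is not meant to count as success here. initialize_gnutls starts before and ends after this hunk.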
@@ -371,9 +385,7 @@ struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc)
zok = gnutls_handshake(scs->state);
} while (zok == GNUTLS_E_INTERRUPTED || zok == GNUTLS_E_AGAIN);
-#ifdef FAILS_TO_COMPILE
tls_check_certificate(scs);
-#endif
}
if (zok < 0) {
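Review bot: `tls_check_certificate(scs)` now runs right after the handshake loop and before `if (zok < 0)` examines the handshake result, so a failed handshake reaches the certificate check first and the process exits with "Unable to get certificate from peer." (or whatever the gnutls accessors return for a session that never completed) instead of the handshake error reported below. Guarding the call, `if (zok == 0) tls_check_certificate(scs);`, or moving it below the handshake-error branch keeps the diagnostics accurate and avoids querying certificate state on an unfinished session. The function's return value is discarded; since it only ever returns 0 or exits, a short `/* exits the process on any certificate failure */` at the call site would make that explicit. initialize_gnutls starts before and ends after this hunk.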