[Pkg-wmaker-commits] [wmbiff] 67/84: Check certificate hostname, using gnutls's new function
Doug Torrance
dtorrance-guest at moszumanska.debian.org
Thu Aug 20 03:02:02 UTC 2015
This is an automated email from the git hooks/post-receive script.
dtorrance-guest pushed a commit to tag wmbiff_0_4_10
in repository wmbiff.
commit 34d51e71562281ed22458404106360bbe4557c43
Author: bluehal <bluehal>
Date: Sun Oct 13 21:28:02 2002 +0000
Check certificate hostname, using gnutls's new function
---
wmbiff/Imap4Client.c | 2 +-
wmbiff/tlsComm.c | 26 +++++++++++++++++++++++---
wmbiff/tlsComm.h | 2 +-
3 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/wmbiff/Imap4Client.c b/wmbiff/Imap4Client.c
index b0d23ca..727c167 100644
--- a/wmbiff/Imap4Client.c
+++ b/wmbiff/Imap4Client.c
@@ -219,7 +219,7 @@ FILE *imap_open(Pop3 pc)
/* either we've negotiated ssl from starttls, or
we're starting an encrypted connection now */
if (PCU.dossl != 0) {
- scs = initialize_gnutls(sd, connection_name, pc);
+ scs = initialize_gnutls(sd, connection_name, pc, PCU.serverName);
if (scs == NULL) {
IMAP_DM(pc, DEBUG_ERROR, "Failed to initialize TLS\n");
return NULL;
diff --git a/wmbiff/tlsComm.c b/wmbiff/tlsComm.c
index e865099..4ea44c1 100644
--- a/wmbiff/tlsComm.c
+++ b/wmbiff/tlsComm.c
@@ -272,7 +272,8 @@ void tlscomm_printf(struct connection_state *scs, const char *format, ...)
gnutls to make this as easy as it should be, or someone
to port Andrew McDonald's gnutls-for-mutt patch.
*/
-int tls_check_certificate(struct connection_state *scs)
+int tls_check_certificate(struct connection_state *scs,
+ const char *remote_hostname)
{
GNUTLS_CertificateStatus certstat;
const gnutls_datum *cert_list;
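Review bot: The new `remote_hostname` parameter is undocumented; the comment block that precedes the signature (L35-37) still describes only the older limitation and says nothing about what the caller must pass or what happens on a mismatch. A short addition above the signature would do, e.g. `/* remote_hostname: the configured server name; the leaf certificate's subject is checked against it and a mismatch is fatal (see below) */`. The function body continues in the next hunk, so the "fatal" wording should be kept in step with whatever that hunk ends up doing on mismatch.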
@@ -319,11 +320,30 @@ int tls_check_certificate(struct connection_state *scs)
TDM(DEBUG_INFO, "certificate passed time check.\n");
}
+ if (gnutls_x509_check_certificates_hostname
+ (&cert_list[0], remote_hostname) == 0) {
+ gnutls_DN dn;
+ gnutls_x509_extract_certificate_dn(&cert_list[0], &dn);
+ TDM(DEBUG_ERROR,
+ "server's certificate (%s) does not match its hostname (%s).\n",
+ dn.common_name, remote_hostname);
+ exit(1);
+ } else {
+ if ((scs->pc)->debug >= DEBUG_INFO) {
+ gnutls_DN dn;
+ gnutls_x509_extract_certificate_dn(&cert_list[0], &dn);
+ TDM(DEBUG_INFO,
+ "server's certificate (%s) matched its hostname (%s).\n",
+ dn.common_name, remote_hostname);
+ }
+ }
+
TDM(DEBUG_INFO, "certificate check ok.\n");
return (0);
}
-struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc)
+struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc,
+ const char *remote_hostname)
{
static int gnutls_initialized;
int zok;
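Review bot: The hostname mismatch branch calls `exit(1)`, which terminates the whole process on one bad peer certificate even though `tls_check_certificate` already returns an int and the calling hunk (L74-80) ignores that value; failing the single connection is the safer shape, with the check remaining fail-closed. I would change the mismatch branch to `return (-1);` and have `initialize_gnutls` treat a non-zero result the way `imap_open` already treats a NULL state (L27-29). Separately, `gnutls_x509_extract_certificate_dn` is called in both branches without checking its result, so `dn.common_name` is printed with `%s` even if extraction failed and `dn` was left unset; guarding the print on a successful extraction, or zero-initialising `dn`, avoids logging garbage from a server-supplied field. Whether the earlier checks in this function (time check at L45) also terminate the process is outside the hunk, so the exit-vs-return change may need to be applied to them for consistency.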
@@ -390,7 +410,7 @@ struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc)
zok = gnutls_handshake(scs->state);
} while (zok == GNUTLS_E_INTERRUPTED || zok == GNUTLS_E_AGAIN);
- tls_check_certificate(scs);
+ tls_check_certificate(scs, remote_hostname);
}
if (zok < 0) {
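Review bot: The result of `tls_check_certificate(scs, remote_hostname)` is discarded, so the check only has effect because the callee terminates the process; if the callee is ever changed to report failure through its return value, a failed hostname check would be treated as a successful handshake here. Capturing the result, e.g. `if (tls_check_certificate(scs, remote_hostname) != 0) zok = -1;`, would route the failure through the existing `if (zok < 0)` path immediately below, assuming that path releases `scs` and returns NULL — the rest of `initialize_gnutls` is outside this hunk, so that should be confirmed.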
diff --git a/wmbiff/tlsComm.h b/wmbiff/tlsComm.h
index 4968e6c..5c13433 100644
--- a/wmbiff/tlsComm.h
+++ b/wmbiff/tlsComm.h
@@ -20,7 +20,7 @@ struct connection_state;
over it */
/*@only@*/
struct connection_state *initialize_gnutls(int sd, /*@only@ */ char *name,
- Pop3 pc);
+ Pop3 pc, const char *hostname);
/* take a socket descriptor and bundle it into a connection
state structure for later communication */
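Review bot: The new parameter is named `hostname` in the declaration but `remote_hostname` in the definition in tlsComm.c (L69-70); keeping the names identical avoids a misleading header, so `Pop3 pc, const char *remote_hostname);` is preferable. The comment above the prototype also does not say the name is compared against the server certificate, which is the security-relevant part of this change; a line such as `/* remote_hostname is matched against the peer certificate; a mismatch aborts the connection */` would make the contract visible to callers without reading tlsComm.c.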
--