[Pkg-wmaker-commits] [wmbiff] 04/07: 0.4.24, supporting newer gnutls, I think
Doug Torrance
dtorrance-guest at moszumanska.debian.org
Thu Aug 20 03:05:57 UTC 2015
This is an automated email from the git hooks/post-receive script.
dtorrance-guest pushed a commit to tag wmbiff_0_4_24
in repository wmbiff.
commit d0f5df4648da27c54c61a70e733c993b9d250d90
Author: bluehal <bluehal>
Date: Sat Jun 19 20:53:00 2004 +0000
0.4.24, supporting newer gnutls, I think
---
NEWS | 6 +-
configure.ac | 8 +-
wmbiff/Client.h | 6 +-
wmbiff/Imap4Client.c | 9 +-
wmbiff/Pop3Client.c | 21 +-
wmbiff/gnutls-common.c | 703 ++++++++++++++++++++++++++++++++++++-------------
wmbiff/gnutls-common.h | 40 ++-
wmbiff/tlsComm.c | 170 +++++++++---
wmbiff/wmbiff.c | 16 +-
wmgeneral/wmgeneral.c | 2 +-
10 files changed, 740 insertions(+), 241 deletions(-)
diff --git a/NEWS b/NEWS
index a8aba14..28022cb 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,9 @@
Release Notes
~~~~~~~~~~~~~
+Release 0.4.24 - Unreleased
+ * Use GNUTLS 1.0.4 and GCRYPT 1.1.90, current Debian
+ unstable package libgnutls10-dev.
+
Release 0.4.23 - April 27, 2004
* Allow server hostnames in IMAP to be IP addresses
(start with a number).
@@ -471,4 +475,4 @@ Release 0.1 - Wed, 17 Nov 1999 00:00:00 +0000
* Initial release by Gennady Belyakov <gb at ccat.elect.ru>.
-$Id: NEWS,v 1.57 2004/04/27 23:35:58 bluehal Exp $
+$Id: NEWS,v 1.58 2004/06/19 20:53:00 bluehal Exp $
diff --git a/configure.ac b/configure.ac
index 2b917d2..1ad36e1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -6,9 +6,9 @@ dnl and configure:
dnl installation prefix
dnl version
-AC_INIT(WMBiff, 0.4.23, wmbiff-devel at lists.sourceforge.net, wmbiff)
+AC_INIT(WMBiff, 0.4.24, wmbiff-devel at lists.sourceforge.net, wmbiff)
AC_CONFIG_AUX_DIR(autoconf)
-AM_INIT_AUTOMAKE(wmbiff, 0.4.23) dnl tarded syntax for automake <= 1.5
+AM_INIT_AUTOMAKE(wmbiff, 0.4.24) dnl tarded syntax for automake <= 1.5
AM_CONFIG_HEADER(config.h)
dnl make sure autoheader finds version, implicitly defined above.
AH_TEMPLATE([VERSION], [wmbiff's release version])
@@ -74,7 +74,7 @@ AC_ARG_ENABLE(crypto, AC_HELP_STRING([ --disable-crypto ], [ disable gnutls/gcry
GNUTLS_MAN_STATUS="This copy of WMBiff was not compiled with GNUTLS."
if test "$gnutls" = "ok"; then
- AM_PATH_LIBGNUTLS(0.5.9, [LIBS="$LIBS $LIBGNUTLS_LIBS"
+ AM_PATH_LIBGNUTLS(1.0.4, [LIBS="$LIBS $LIBGNUTLS_LIBS"
CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
CPPFLAGS="$CPPFLAGS $LIBGNUTLS_CFLAGS"
GNUTLS_COMMON_O="gnutls-common.o"
@@ -87,7 +87,7 @@ fi
GCRYPT_MAN_STATUS="This copy of WMBiff was not compiled with gcrypt."
if test "$gcrypt" = "ok"; then
- AM_PATH_LIBGCRYPT(1.1.8, [CFLAGS="$CFLAGS $LIBGCRYPT_CFLAGS"
+ AM_PATH_LIBGCRYPT(1.1.90, [CFLAGS="$CFLAGS $LIBGCRYPT_CFLAGS"
CPPFLAGS="$CPPFLAGS $LIBGCRYPT_CFLAGS"
GCRYPT_MAN_STATUS="This copy of WMBiff was compiled with gcrypt."
AC_CHECK_HEADERS(gcrypt.h) ],
diff --git a/wmbiff/Client.h b/wmbiff/Client.h
index 77c9aa1..f9162e5 100644
--- a/wmbiff/Client.h
+++ b/wmbiff/Client.h
@@ -1,11 +1,11 @@
-/* $Id: Client.h,v 1.40 2004/04/28 00:19:03 bluehal Exp $ */
+/* $Id: Client.h,v 1.41 2004/06/19 20:53:01 bluehal Exp $ */
/* Author : Scott Holden ( scotth at thezone.net )
Modified : Yong-iL Joh ( tolkien at mizi.com )
Modified : Jorge Garc�a ( Jorge.Garcia at uv.es )
*
* Email Checker Pop3/Imap4/Licq/Gicu/mbox/maildir/finger
*
- * Last Updated : $Date: 2004/04/28 00:19:03 $
+ * Last Updated : $Date: 2004/06/19 20:53:01 $
*
*/
@@ -124,7 +124,7 @@ int fileHasChanged(const char *mbox_filename, time_t * atime,
time_t * mtime, off_t * size);
int grabCommandOutput(Pop3 pc, const char *command,
/*@out@ */ char **output,
-/*@out@ *//*@null@ */ char **details);
+ /*@out@ *//*@null@ */ char **details);
int exists(const char *filename); /* test -f */
/* _NONE is for silent operation. _ERROR is for things that should
diff --git a/wmbiff/Imap4Client.c b/wmbiff/Imap4Client.c
index 5f9c1f8..be5d972 100644
--- a/wmbiff/Imap4Client.c
+++ b/wmbiff/Imap4Client.c
@@ -642,7 +642,8 @@ authenticate_md5(Pop3 pc,
char buf[BUF_SIZE];
char buf2[BUF_SIZE];
unsigned char *md5;
- GCRY_MD_HD gmh;
+ gcry_md_hd_t gmh;
+ gcry_error_t rc;
if (!strstr(capabilities, "AUTH=CRAM-MD5")) {
/* server doesn't support cram-md5. */
@@ -659,7 +660,11 @@ authenticate_md5(Pop3 pc,
strcpy(buf, PCU.userName);
strcat(buf, " ");
ask_user_for_password(pc, 0);
- gmh = gcry_md_open(GCRY_MD_MD5, GCRY_MD_FLAG_HMAC);
+ rc = gcry_md_open(&gmh, GCRY_MD_MD5, GCRY_MD_FLAG_HMAC);
+ if (rc != 0) {
+ IMAP_DM(pc, DEBUG_INFO, "unable to initialize gcrypt md5\n");
+ return 0;
+ }
DEFROB(PCU.password);
gcry_md_setkey(gmh, PCU.password, strlen(PCU.password));
ENFROB(PCU.password);
diff --git a/wmbiff/Pop3Client.c b/wmbiff/Pop3Client.c
index cce9af1..dd138db 100644
--- a/wmbiff/Pop3Client.c
+++ b/wmbiff/Pop3Client.c
@@ -1,4 +1,4 @@
-/* $Id: Pop3Client.c,v 1.21 2004/04/06 20:58:53 bluehal Exp $ */
+/* $Id: Pop3Client.c,v 1.22 2004/06/19 20:53:01 bluehal Exp $ */
/* Author : Scott Holden ( scotth at thezone.net )
Modified : Yong-iL Joh ( tolkien at mizi.com )
Modified : Jorge Garc�a ( Jorge.Garcia at uv.es )
@@ -260,7 +260,8 @@ static FILE *authenticate_md5(Pop3 pc, FILE * fp, char *apop_str
char buf[BUF_SIZE];
char buf2[BUF_SIZE];
unsigned char *md5;
- GCRY_MD_HD gmh;
+ gcry_md_hd_t gmh;
+ gcry_error_t rc;
/* See if MD5 is supported */
fprintf(fp, "AUTH CRAM-MD5\r\n");
@@ -280,7 +281,11 @@ static FILE *authenticate_md5(Pop3 pc, FILE * fp, char *apop_str
strcat(buf, " ");
- gmh = gcry_md_open(GCRY_MD_MD5, GCRY_MD_FLAG_HMAC);
+ rc = gcry_md_open(&gmh, GCRY_MD_MD5, GCRY_MD_FLAG_HMAC);
+ if (rc != 0) {
+ POP_DM(pc, DEBUG_ERROR, "unable to initialize gcrypt md5.\n");
+ return NULL;
+ }
gcry_md_setkey(gmh, PCU.password, strlen(PCU.password));
gcry_md_write(gmh, (unsigned char *) buf2, strlen(buf2));
gcry_md_final(gmh);
@@ -311,10 +316,12 @@ static FILE *authenticate_md5(Pop3 pc, FILE * fp, char *apop_str
static FILE *authenticate_apop(Pop3 pc, FILE * fp, char *apop_str)
{
- GCRY_MD_HD gmh;
+ gcry_md_hd_t gmh;
+ gcry_error_t rc;
char buf[BUF_SIZE];
unsigned char *md5;
+
if (apop_str[0] == '\0') {
/* server doesn't support apop. */
return (NULL);
@@ -322,7 +329,11 @@ static FILE *authenticate_apop(Pop3 pc, FILE * fp, char *apop_str)
POP_DM(pc, DEBUG_INFO, "APOP challenge: %s\n", apop_str);
strcat(apop_str, PCU.password);
- gmh = gcry_md_open(GCRY_MD_MD5, 0);
+ rc = gcry_md_open(&gmh, GCRY_MD_MD5, 0);
+ if (rc != 0) {
+ POP_DM(pc, DEBUG_ERROR, "unable to initialize gcrypt md5.\n");
+ return NULL;
+ }
gcry_md_write(gmh, (unsigned char *) apop_str, strlen(apop_str));
gcry_md_final(gmh);
md5 = gcry_md_read(gmh, 0);
diff --git a/wmbiff/gnutls-common.c b/wmbiff/gnutls-common.c
index 9b0397d..0905577 100644
--- a/wmbiff/gnutls-common.c
+++ b/wmbiff/gnutls-common.c
@@ -1,138 +1,292 @@
+#include <config.h>
#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
#include <gnutls/gnutls.h>
#include <gnutls/extra.h>
+#include <gnutls/x509.h>
+#include <gnutls/openpgp.h>
#include <time.h>
+#include <gnutls-common.h>
+
+#define TEST_STRING
+
+int xml = 0;
+int print_cert;
+
+static char buffer[5*1024];
#define PRINTX(x,y) if (y[0]!=0) printf(" # %s %s\n", x, y)
-#define PRINT_DN(X) PRINTX( "CN:", X.common_name); \
- PRINTX( "OU:", X.organizational_unit_name); \
- PRINTX( "O:", X.organization); \
- PRINTX( "L:", X.locality_name); \
- PRINTX( "S:", X.state_or_province_name); \
- PRINTX( "C:", X.country); \
- PRINTX( "E:", X.email)
-#define PRINT_PGP_NAME(X) PRINTX( "NAME:", X.name); \
- PRINTX( "EMAIL:", X.email)
+#define PRINT_PGP_NAME(X) PRINTX( "NAME:", name)
-static const char* my_ctime( time_t* tv) {
-static char buf[256];
-struct tm* tp;
+const char str_unknown[] = "(unknown)";
+
+static const char *my_ctime(const time_t * tv)
+{
+ static char buf[256];
+ struct tm *tp;
-tp = localtime(tv);
-strftime(buf, sizeof buf, "%a %b %e %H:%M:%S %Z %Y\n", tp);
+ if ( ( (tp = localtime(tv)) == NULL ) ||
+ (!strftime(buf, sizeof buf, "%a %b %e %H:%M:%S %Z %Y\n", tp)) )
+ strcpy(buf, str_unknown);/* make sure buf text isn't garbage */
-return buf;
+ return buf;
}
-void print_x509_info(GNUTLS_STATE state)
+void print_x509_info(gnutls_session session, const char* hostname)
{
-
- gnutls_x509_dn dn;
+ gnutls_x509_crt crt;
const gnutls_datum *cert_list;
- int cert_list_size = 0;
+ int cert_list_size = 0, ret;
char digest[20];
char serial[40];
+ char dn[256];
+ size_t dn_size;
size_t digest_size = sizeof(digest);
- int i;
- int serial_size = sizeof(serial);
- char printable[120];
+ unsigned int i, j;
+ size_t serial_size = sizeof(serial);
+ char printable[256];
char *print;
- int bits, algo;
- time_t expiret = gnutls_certificate_expiration_time_peers(state);
- time_t activet = gnutls_certificate_activation_time_peers(state);
+ unsigned int bits, algo;
+ time_t expiret, activet;
+
+ cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
- cert_list = gnutls_certificate_get_peers(state, &cert_list_size);
- if (cert_list_size <= 0)
+ if (cert_list_size == 0) {
+ fprintf(stderr, "No certificates found!\n");
return;
+ }
- printf(" - Certificate info:\n");
+ printf(" - Got a certificate list of %d certificates.\n\n",
+ cert_list_size);
- printf(" # Certificate is valid since: %s", my_ctime( &activet));
- printf(" # Certificate expires: %s", my_ctime( &expiret));
+ for (j = 0; j < (unsigned int)cert_list_size; j++) {
- /* Print the fingerprint of the certificate
- */
- if (gnutls_x509_fingerprint
- (GNUTLS_DIG_MD5, &cert_list[0], digest, &digest_size) >= 0) {
- print = printable;
- for (i = 0; i < digest_size; i++) {
- sprintf(print, "%.2x ", (unsigned char) digest[i]);
- print += 3;
+ gnutls_x509_crt_init(&crt);
+ ret =
+ gnutls_x509_crt_import(crt, &cert_list[j],
+ GNUTLS_X509_FMT_DER);
+ if (ret < 0) {
+ const char* str = gnutls_strerror(ret);
+ if (str == NULL) str = str_unknown;
+ fprintf(stderr, "Decoding error: %s\n", str);
+ return;
}
- printf(" # Certificate fingerprint: %s\n", printable);
- }
-
- /* Print the serial number of the certificate.
- */
- if (gnutls_x509_extract_certificate_serial
- (&cert_list[0], serial, &serial_size) >= 0) {
- print = printable;
- for (i = 0; i < serial_size; i++) {
- sprintf(print, "%.2x ", (unsigned char) serial[i]);
- print += 3;
+ printf(" - Certificate[%d] info:\n", j);
+
+ if (print_cert) {
+ size_t size;
+
+ size = sizeof(buffer);
+
+ ret = gnutls_x509_crt_export( crt, GNUTLS_X509_FMT_PEM, buffer, &size);
+ if (ret < 0) {
+ fprintf(stderr, "Encoding error: %s\n", gnutls_strerror(ret));
+ return;
+ }
+ fputs( "\n", stdout);
+ fputs( buffer, stdout);
+ fputs( "\n", stdout);
+ }
+
+ if (j==0 && hostname != NULL) { /* Check the hostname of the first certificate
+ * if it matches the name of the host we
+ * connected to.
+ */
+ if (gnutls_x509_crt_check_hostname( crt, hostname)==0) {
+ printf(" # The hostname in the certificate does NOT match '%s'.\n", hostname);
+ } else {
+ printf(" # The hostname in the certificate matches '%s'.\n", hostname);
+ }
}
- printf(" # Certificate serial number: %s\n", printable);
- }
- /* Print the version of the X.509
- * certificate.
- */
- printf(" # Certificate version: #%d\n",
- gnutls_x509_extract_certificate_version(&cert_list[0]));
-
- algo = gnutls_x509_extract_certificate_pk_algorithm( &cert_list[0], &bits);
- printf(" # Certificate public key algorithm: ");
-
- if (algo==GNUTLS_PK_RSA) {
- printf("RSA\n");
- printf(" # Modulus: %d bits\n", bits);
- } else if (algo==GNUTLS_PK_DSA) {
- printf("DSA\n");
- printf(" # Exponent: %d bits\n", bits);
- } else {
- printf("UNKNOWN\n");
- }
- gnutls_x509_extract_certificate_dn(&cert_list[0], &dn);
- PRINT_DN(dn);
+ if (xml) {
+#ifdef ENABLE_PKI
+ gnutls_datum xml_data;
+
+ ret = gnutls_x509_crt_to_xml( crt, &xml_data, 0);
+ if (ret < 0) {
+ const char* str = gnutls_strerror(ret);
+ if (str == NULL) str = str_unknown;
+ fprintf(stderr, "XML encoding error: %s\n",
+ str);
+ return;
+ }
+
+ printf("%s", xml_data.data);
+ gnutls_free( xml_data.data);
+#endif
+ } else {
+
+ expiret = gnutls_x509_crt_get_expiration_time(crt);
+ activet = gnutls_x509_crt_get_activation_time(crt);
+
+ printf(" # valid since: %s", my_ctime(&activet));
+ printf(" # expires at: %s", my_ctime(&expiret));
+
+
+ /* Print the serial number of the certificate.
+ */
+ if (gnutls_x509_crt_get_serial(crt, serial, &serial_size)
+ >= 0) {
+ print = printable;
+ for (i = 0; i < serial_size; i++) {
+ sprintf(print, "%.2x ",
+ (unsigned char) serial[i]);
+ print += 3;
+ }
+ printf(" # serial number: %s\n", printable);
+ }
+
+ /* Print the fingerprint of the certificate
+ */
+ digest_size = sizeof(digest);
+ if ((ret=gnutls_x509_crt_get_fingerprint(crt, GNUTLS_DIG_MD5, digest, &digest_size))
+ < 0) {
+ const char* str = gnutls_strerror(ret);
+ if (str == NULL) str = str_unknown;
+ fprintf(stderr, "Error in fingerprint calculation: %s\n", str);
+ } else {
+ print = printable;
+ for (i = 0; i < digest_size; i++) {
+ sprintf(print, "%.2x ",
+ (unsigned char) digest[i]);
+ print += 3;
+ }
+ printf(" # fingerprint: %s\n", printable);
+ }
+
+ /* Print the version of the X.509
+ * certificate.
+ */
+ printf(" # version: #%d\n",
+ gnutls_x509_crt_get_version(crt));
+
+ algo = gnutls_x509_crt_get_pk_algorithm(crt, &bits);
+ printf(" # public key algorithm: ");
+ if (algo == GNUTLS_PK_RSA) {
+ printf("RSA\n");
+ printf(" # Modulus: %d bits\n", bits);
+ } else if (algo == GNUTLS_PK_DSA) {
+ printf("DSA\n");
+ printf(" # Exponent: %d bits\n", bits);
+ } else {
+ printf("UNKNOWN\n");
+ }
+
+ dn_size = sizeof(dn);
+ ret = gnutls_x509_crt_get_dn(crt, dn, &dn_size);
+ if (ret >= 0)
+ printf(" # Subject's DN: %s\n", dn);
+
+ dn_size = sizeof(dn);
+ ret = gnutls_x509_crt_get_issuer_dn(crt, dn, &dn_size);
+ if (ret >= 0)
+ printf(" # Issuer's DN: %s\n", dn);
+ }
- gnutls_x509_extract_certificate_issuer_dn(&cert_list[0], &dn);
- printf(" # Certificate Issuer's info:\n");
- PRINT_DN(dn);
+ gnutls_x509_crt_deinit(crt);
+
+ printf("\n");
+
+ }
}
-#ifdef undef_wmbiff_dont_need_no_extra
-void print_openpgp_info(GNUTLS_STATE state)
+#ifdef HAVE_LIBOPENCDK
+
+void print_openpgp_info(gnutls_session session, const char* hostname)
{
- gnutls_openpgp_name pgp_name;
char digest[20];
- int digest_size = sizeof(digest), i;
+ size_t digest_size = sizeof(digest);
+ unsigned int i;
+ int ret;
char printable[120];
char *print;
+ char name[256];
+ size_t name_len = sizeof(name);
+ gnutls_openpgp_key crt;
const gnutls_datum *cert_list;
int cert_list_size = 0;
- time_t expiret = gnutls_certificate_expiration_time_peers(state);
- time_t activet = gnutls_certificate_activation_time_peers(state);
-
- cert_list = gnutls_certificate_get_peers(state, &cert_list_size);
+ time_t expiret;
+ time_t activet;
+
+ cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
if (cert_list_size > 0) {
- int algo, bits;
+ unsigned int algo, bits;
+
+ gnutls_openpgp_key_init(&crt);
+ ret =
+ gnutls_openpgp_key_import(crt, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW);
+ if (ret < 0) {
+ const char* str = gnutls_strerror(ret);
+ if (str == NULL) str = str_unknown;
+ fprintf(stderr, "Decoding error: %s\n", str);
+ return;
+ }
+
+ if (print_cert) {
+ size_t size;
+
+ size = sizeof(buffer);
+
+ ret = gnutls_openpgp_key_export( crt, GNUTLS_OPENPGP_FMT_BASE64, buffer, &size);
+ if (ret < 0) {
+ fprintf(stderr, "Encoding error: %s\n", gnutls_strerror(ret));
+ return;
+ }
+ fputs( "\n", stdout);
+ fputs( buffer, stdout);
+ fputs( "\n", stdout);
+ }
+
+ if (hostname != NULL) { /* Check the hostname of the first certificate
+ * if it matches the name of the host we
+ * connected to.
+ */
+ if (gnutls_openpgp_key_check_hostname( crt, hostname)==0) {
+ printf(" # The hostname in the key does NOT match '%s'.\n", hostname);
+ } else {
+ printf(" # The hostname in the key matches '%s'.\n", hostname);
+ }
+ }
+
+ if (xml) {
+ gnutls_datum xml_data;
- printf(" # Key was created at: %s", my_ctime( &activet));
+ ret = gnutls_openpgp_key_to_xml( crt, &xml_data, 0);
+ if (ret < 0) {
+ const char* str = gnutls_strerror(ret);
+ if (str == NULL) str = str_unknown;
+ fprintf(stderr, "XML encoding error: %s\n",
+ str);
+ return;
+ }
+
+ printf("%s", xml_data.data);
+ gnutls_free( xml_data.data);
+
+ return;
+ }
+
+ activet = gnutls_openpgp_key_get_creation_time( crt);
+ expiret = gnutls_openpgp_key_get_expiration_time( crt);
+
+ printf(" # Key was created at: %s", my_ctime(&activet));
printf(" # Key expires: ");
if (expiret != 0)
- printf("%s", my_ctime( &expiret));
+ printf("%s", my_ctime(&expiret));
else
printf("Never\n");
-
- if (gnutls_openpgp_fingerprint
- (&cert_list[0], digest, &digest_size) >= 0) {
+
+ if (gnutls_openpgp_key_get_fingerprint(crt, digest, &digest_size) >= 0)
+ {
print = printable;
for (i = 0; i < digest_size; i++) {
sprintf(print, "%.2x ",
@@ -140,41 +294,48 @@ void print_openpgp_info(GNUTLS_STATE state)
print += 3;
}
- printf(" # PGP Key version: %d\n",
- gnutls_openpgp_extract_key_version(&cert_list[0]));
+ printf(" # PGP Key version: %d\n",
+ gnutls_openpgp_key_get_version(crt));
+
+ algo =
+ gnutls_openpgp_key_get_pk_algorithm(crt, &bits);
- algo = gnutls_openpgp_extract_key_pk_algorithm( &cert_list[0], &bits);
-
printf(" # PGP Key public key algorithm: ");
- if (algo==GNUTLS_PK_RSA) {
+ if (algo == GNUTLS_PK_RSA) {
printf("RSA\n");
printf(" # Modulus: %d bits\n", bits);
- } else if (algo==GNUTLS_PK_DSA) {
+ } else if (algo == GNUTLS_PK_DSA) {
printf("DSA\n");
printf(" # Exponent: %d bits\n", bits);
} else {
printf("UNKNOWN\n");
}
- printf(" # PGP Key fingerprint: %s\n",
- printable);
+ printf(" # PGP Key fingerprint: %s\n", printable);
- gnutls_openpgp_extract_key_name(&cert_list
- [0], 0, &pgp_name);
- PRINT_PGP_NAME(pgp_name);
+ name_len = sizeof(name);
+ if (gnutls_openpgp_key_get_name(crt, 0, name, &name_len) < 0) {
+ fprintf(stderr,
+ "Could not extract name\n");
+ } else {
+ PRINT_PGP_NAME(name);
+ }
}
+
+ gnutls_openpgp_key_deinit( crt);
}
}
+
#endif
-void print_cert_vrfy(GNUTLS_STATE state)
+void print_cert_vrfy(gnutls_session session)
{
int status;
- status = gnutls_certificate_verify_peers(state);
+ status = gnutls_certificate_verify_peers(session);
printf("\n");
if (status == GNUTLS_E_NO_CERTIFICATE_FOUND) {
@@ -182,101 +343,132 @@ void print_cert_vrfy(GNUTLS_STATE state)
return;
}
if (status < 0) {
- printf("- Could not verify certificate (err %d)\n", status);
+ printf("- Could not verify certificate (err: %s)\n",
+ gnutls_strerror(status));
return;
}
- if (status & GNUTLS_CERT_INVALID)
- printf("- Peer's certificate is invalid\n");
- if (status & GNUTLS_CERT_NOT_TRUSTED)
- printf("- Peer's certificate is NOT trusted\n");
- else
- printf("- Peer's certificate is trusted\n");
- if (status & GNUTLS_CERT_CORRUPTED)
- printf("- Peer's certificate is corrupted\n");
-
+ if (gnutls_certificate_type_get(session)==GNUTLS_CRT_X509) {
+ if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ printf("- Peer's certificate issuer is unknown\n");
+ if (status & GNUTLS_CERT_INVALID)
+ printf("- Peer's certificate is NOT trusted\n");
+ else
+ printf("- Peer's certificate is trusted\n");
+ } else {
+ if (status & GNUTLS_CERT_INVALID)
+ printf("- Peer's key is invalid\n");
+ else
+ printf("- Peer's key is valid\n");
+ if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ printf("- Could not find a signer of the peer's key\n");
+ }
}
-int print_info(GNUTLS_STATE state)
+int print_info(gnutls_session session, const char* hostname)
{
const char *tmp;
- GNUTLS_CredType cred;
- GNUTLS_KXAlgorithm kx;
+ gnutls_credentials_type cred;
+ gnutls_kx_algorithm kx;
/* print the key exchange's algorithm name
*/
- kx = gnutls_kx_get(state);
+ kx = gnutls_kx_get(session);
- cred = gnutls_auth_get_type(state);
+ cred = gnutls_auth_get_type(session);
switch (cred) {
+#ifdef ENABLE_ANON
case GNUTLS_CRD_ANON:
printf("- Anonymous DH using prime of %d bits, secret key "
- "of %d bits, and peer's public key is %d bits.\n",
- gnutls_dh_get_prime_bits(state), gnutls_dh_get_secret_bits(state),
- gnutls_dh_get_peers_public_bits(state));
+ "of %d bits, and peer's public key is %d bits.\n",
+ gnutls_dh_get_prime_bits(session),
+ gnutls_dh_get_secret_bits(session),
+ gnutls_dh_get_peers_public_bits(session));
break;
+#endif
+#ifdef ENABLE_SRP
case GNUTLS_CRD_SRP:
-#ifdef undef_wmbiff_dont_need_no_extra
/* This should be only called in server
* side.
*/
- if (gnutls_srp_server_get_username(state) != NULL)
+ if (gnutls_srp_server_get_username(session) != NULL)
printf("- SRP authentication. Connected as '%s'\n",
- gnutls_srp_server_get_username(state));
-#endif
+ gnutls_srp_server_get_username(session));
break;
- case GNUTLS_CRD_CERTIFICATE:
- switch (gnutls_cert_type_get(state)) {
- case GNUTLS_CRT_X509:
- printf
- ("- Peer requested X.509 certificate authentication.\n");
-
- print_x509_info(state);
-
- break;
- case GNUTLS_CRT_OPENPGP:{
- printf
- ("- Peer requested OpenPGP certificate authentication.\n");
-
-#ifdef undef_wmbiff_dont_need_no_extra
- print_openpgp_info(state);
#endif
-
- break;
+ case GNUTLS_CRD_CERTIFICATE:
+ {
+ char dns[256];
+ size_t dns_size = sizeof(dns);
+ unsigned int type;
+
+ /* This fails in client side */
+ if (gnutls_server_name_get
+ (session, dns, &dns_size, &type, 0) == 0) {
+ printf("- Given server name[%d]: %s\n",
+ type, dns);
}
}
- print_cert_vrfy(state);
+ print_cert_info(session, hostname);
+ print_cert_vrfy(session);
+
/* Check if we have been using ephemeral Diffie Hellman.
*/
if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) {
- printf("- Ephemeral DH using prime of %d bits, secret key "
- "of %d bits, and peer's public key is %d bits.\n",
- gnutls_dh_get_prime_bits(state), gnutls_dh_get_secret_bits(state),
- gnutls_dh_get_peers_public_bits(state));
+ printf
+ ("- Ephemeral DH using prime of %d bits, secret key "
+ "of %d bits, and peer's public key is %d bits.\n",
+ gnutls_dh_get_prime_bits(session),
+ gnutls_dh_get_secret_bits(session),
+ gnutls_dh_get_peers_public_bits(session));
}
+ default:
+ break;
}
- tmp = gnutls_protocol_get_name(gnutls_protocol_get_version(state));
- printf("- Version: %s\n", tmp);
+ tmp =
+ gnutls_protocol_get_name(gnutls_protocol_get_version(session));
+ if (tmp != NULL) printf("- Version: %s\n", tmp);
tmp = gnutls_kx_get_name(kx);
- printf("- Key Exchange: %s\n", tmp);
+ if (tmp != NULL) printf("- Key Exchange: %s\n", tmp);
- tmp = gnutls_cipher_get_name(gnutls_cipher_get(state));
- printf("- Cipher: %s\n", tmp);
+ tmp = gnutls_cipher_get_name(gnutls_cipher_get(session));
+ if (tmp != NULL) printf("- Cipher: %s\n", tmp);
- tmp = gnutls_mac_get_name(gnutls_mac_get(state));
- printf("- MAC: %s\n", tmp);
+ tmp = gnutls_mac_get_name(gnutls_mac_get(session));
+ if (tmp != NULL) printf("- MAC: %s\n", tmp);
- tmp = gnutls_compression_get_name(gnutls_compression_get(state));
- printf("- Compression: %s\n", tmp);
+ tmp = gnutls_compression_get_name(gnutls_compression_get(session));
+ if (tmp != NULL) printf("- Compression: %s\n", tmp);
+
+ fflush (stdout);
return 0;
}
+void print_cert_info(gnutls_session session, const char* hostname)
+{
+
+ printf("- Certificate type: ");
+ switch (gnutls_certificate_type_get(session)) {
+ case GNUTLS_CRT_X509:
+ printf("X.509\n");
+ print_x509_info(session, hostname);
+ break;
+#ifdef HAVE_LIBOPENCDK
+ case GNUTLS_CRT_OPENPGP:
+ printf("OpenPGP\n");
+ print_openpgp_info(session, hostname);
+ break;
+#endif
+ }
+
+}
+
void print_list(void)
{
/* FIXME: This is hard coded. Make it print all the supported
@@ -292,42 +484,199 @@ void print_list(void)
printf(", SSL3.0\n");
printf("Ciphers:");
- printf(" RIJNDAEL_128_CBC");
- printf(", TWOFISH_128_CBC");
- printf(", 3DES_CBC");
- printf(", ARCFOUR\n");
+ printf(" AES-128-CBC");
+ printf(", 3DES-CBC");
+ printf(", ARCFOUR");
+ printf(", ARCFOUR-40\n");
printf("MACs:");
printf(" MD5");
- printf(", SHA-1\n");
+ printf(", RMD160");
+ printf(", SHA1\n");
printf("Key exchange algorithms:");
printf(" RSA");
- printf(", DHE_DSS");
- printf(", DHE_RSA");
+ printf(", RSA-EXPORT");
+ printf(", DHE-DSS");
+ printf(", DHE-RSA");
printf(", SRP");
- printf(", ANON_DH\n");
+ printf(", SRP-RSA");
+ printf(", SRP-DSS");
+ printf(", ANON-DH\n");
printf("Compression methods:");
printf(" ZLIB");
+ printf(", LZO");
printf(", NULL\n");
-
- return;
}
void print_license(void)
{
- fprintf(stdout,
- "\nCopyright (C) 2001-2002 Nikos Mavroyanopoulos\n"
- "This program is free software; you can redistribute it and/or modify \n"
- "it under the terms of the GNU General Public License as published by \n"
- "the Free Software Foundation; either version 2 of the License, or \n"
- "(at your option) any later version. \n" "\n"
- "This program is distributed in the hope that it will be useful, \n"
- "but WITHOUT ANY WARRANTY; without even the implied warranty of \n"
- "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \n"
- "GNU General Public License for more details. \n" "\n"
- "You should have received a copy of the GNU General Public License \n"
- "along with this program; if not, write to the Free Software \n"
- "Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.\n\n");
+ fprintf(stdout,
+ "\nCopyright (C) 2001-2003 Nikos Mavroyanopoulos\n"
+ "This program is free software; you can redistribute it and/or modify \n"
+ "it under the terms of the GNU General Public License as published by \n"
+ "the Free Software Foundation; either version 2 of the License, or \n"
+ "(at your option) any later version. \n" "\n"
+ "This program is distributed in the hope that it will be useful, \n"
+ "but WITHOUT ANY WARRANTY; without even the implied warranty of \n"
+ "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \n"
+ "GNU General Public License for more details. \n" "\n"
+ "You should have received a copy of the GNU General Public License \n"
+ "along with this program; if not, write to the Free Software \n"
+ "Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.\n\n");
+}
+
+void parse_protocols(char **protocols, int protocols_size,
+ int *protocol_priority)
+{
+ int i, j;
+
+ if (protocols != NULL && protocols_size > 0) {
+ for (j = i = 0; i < protocols_size; i++) {
+ if (strncasecmp(protocols[i], "SSL", 3) == 0)
+ protocol_priority[j++] = GNUTLS_SSL3;
+ if (strncasecmp(protocols[i], "TLS", 3) == 0)
+ protocol_priority[j++] = GNUTLS_TLS1;
+ }
+ protocol_priority[j] = 0;
+ }
+}
+
+void parse_ciphers(char **ciphers, int nciphers, int *cipher_priority)
+{
+ int j, i;
+
+ if (ciphers != NULL && nciphers > 0) {
+ for (j = i = 0; i < nciphers; i++) {
+ if (strncasecmp(ciphers[i], "AES", 3) == 0)
+ cipher_priority[j++] =
+ GNUTLS_CIPHER_AES_128_CBC;
+ if (strncasecmp(ciphers[i], "3DE", 3) == 0)
+ cipher_priority[j++] =
+ GNUTLS_CIPHER_3DES_CBC;
+ if (strcasecmp(ciphers[i], "ARCFOUR-40") == 0)
+ cipher_priority[j++] =
+ GNUTLS_CIPHER_ARCFOUR_40;
+ if (strcasecmp(ciphers[i], "ARCFOUR") == 0)
+ cipher_priority[j++] =
+ GNUTLS_CIPHER_ARCFOUR_128;
+ if (strncasecmp(ciphers[i], "NUL", 3) == 0)
+ cipher_priority[j++] = GNUTLS_CIPHER_NULL;
+ }
+ cipher_priority[j] = 0;
+ }
+}
+
+void parse_macs(char **macs, int nmacs, int *mac_priority)
+{
+ int i, j;
+ if (macs != NULL && nmacs > 0) {
+ for (j = i = 0; i < nmacs; i++) {
+ if (strncasecmp(macs[i], "MD5", 3) == 0)
+ mac_priority[j++] = GNUTLS_MAC_MD5;
+ if (strncasecmp(macs[i], "RMD", 3) == 0)
+ mac_priority[j++] = GNUTLS_MAC_RMD160;
+ if (strncasecmp(macs[i], "SHA", 3) == 0)
+ mac_priority[j++] = GNUTLS_MAC_SHA;
+ }
+ mac_priority[j] = 0;
+ }
+}
+
+void parse_ctypes(char **ctype, int nctype, int *cert_type_priority)
+{
+ int i, j;
+ if (ctype != NULL && nctype > 0) {
+ for (j = i = 0; i < nctype; i++) {
+ if (strncasecmp(ctype[i], "OPE", 3) == 0)
+ cert_type_priority[j++] =
+ GNUTLS_CRT_OPENPGP;
+ if (strncasecmp(ctype[i], "X", 1) == 0)
+ cert_type_priority[j++] = GNUTLS_CRT_X509;
+ }
+ cert_type_priority[j] = 0;
+ }
+}
+
+void parse_kx(char **kx, int nkx, int *kx_priority)
+{
+ int i, j;
+ if (kx != NULL && nkx > 0) {
+ for (j = i = 0; i < nkx; i++) {
+ if (strcasecmp(kx[i], "SRP") == 0)
+ kx_priority[j++] = GNUTLS_KX_SRP;
+ if (strcasecmp(kx[i], "SRP-RSA") == 0)
+ kx_priority[j++] = GNUTLS_KX_SRP_RSA;
+ if (strcasecmp(kx[i], "SRP-DSS") == 0)
+ kx_priority[j++] = GNUTLS_KX_SRP_DSS;
+ if (strcasecmp(kx[i], "RSA") == 0)
+ kx_priority[j++] = GNUTLS_KX_RSA;
+ if (strcasecmp(kx[i], "RSA-EXPORT") == 0)
+ kx_priority[j++] = GNUTLS_KX_RSA_EXPORT;
+ if (strncasecmp(kx[i], "DHE-RSA", 7) == 0)
+ kx_priority[j++] = GNUTLS_KX_DHE_RSA;
+ if (strncasecmp(kx[i], "DHE-DSS", 7) == 0)
+ kx_priority[j++] = GNUTLS_KX_DHE_DSS;
+ if (strncasecmp(kx[i], "ANON", 4) == 0)
+ kx_priority[j++] = GNUTLS_KX_ANON_DH;
+ }
+ kx_priority[j] = 0;
+ }
+}
+
+void parse_comp(char **comp, int ncomp, int *comp_priority)
+{
+ int i, j;
+ if (comp != NULL && ncomp > 0) {
+ for (j = i = 0; i < ncomp; i++) {
+ if (strncasecmp(comp[i], "NUL", 3) == 0)
+ comp_priority[j++] = GNUTLS_COMP_NULL;
+ if (strncasecmp(comp[i], "ZLI", 3) == 0)
+ comp_priority[j++] = GNUTLS_COMP_ZLIB;
+ if (strncasecmp(comp[i], "LZO", 3) == 0)
+ comp_priority[j++] = GNUTLS_COMP_LZO;
+ }
+ comp_priority[j] = 0;
+ }
+
+}
+
+#ifndef HAVE_INET_NTOP
+
+#ifdef _WIN32
+# include <winsock.h>
+#else
+# include <sys/socket.h>
+# include <netinet/in.h>
+# include <arpa/inet.h>
+#endif
+
+const char *inet_ntop(int af __attribute__((unused)), const void *src,
+ char *dst, size_t cnt)
+{
+char* ret;
+
+ ret = inet_ntoa( *((struct in_addr*)src));
+
+ if (strlen(ret) > cnt) {
+ return NULL;
+ }
+ strcpy( dst, ret);
+
+ return dst;
+}
+#endif
+
+void sockets_init( void)
+{
+#ifdef _WIN32
+ WORD wVersionRequested;
+ WSADATA wsaData;
+
+ wVersionRequested = MAKEWORD(1, 1);
+ if (WSAStartup(wVersionRequested, &wsaData) != 0) {
+ perror("WSA_STARTUP_ERROR");
+ }
+#endif
}
diff --git a/wmbiff/gnutls-common.h b/wmbiff/gnutls-common.h
index f0e4652..6c82088 100644
--- a/wmbiff/gnutls-common.h
+++ b/wmbiff/gnutls-common.h
@@ -1,7 +1,43 @@
#define PORT 5556
#define SERVER "127.0.0.1"
+#include <config.h>
#include <gnutls/gnutls.h>
-int print_info( GNUTLS_STATE state);
-int print_list(void);
+#ifdef _WIN32
+# include <winsock.h>
+# include <io.h>
+# include <winbase.h>
+# define socklen_t int
+# define close closesocket
+#else
+# include <sys/socket.h>
+# include <netinet/in.h>
+# include <arpa/inet.h>
+# include <unistd.h>
+# include <netdb.h>
+# include <signal.h>
+#endif
+
+/* the number of elements in the priority structures.
+ */
+#define PRI_MAX 16
+
+extern const char str_unknown[];
+
+int print_info( gnutls_session state, const char* hostname);
+void print_cert_info( gnutls_session state, const char* hostname);
+void print_list(void);
+
+void parse_comp( char** comp, int ncomp, int* comp_priority);
+void parse_kx( char** kx, int nkx, int* kx_priority);
+void parse_ctypes( char** ctype, int nctype, int * cert_type_priority);
+void parse_macs( char** macs, int nmacs, int *mac_priority);
+void parse_ciphers( char** ciphers, int nciphers, int* cipher_priority);
+void parse_protocols( char** protocols, int protocols_size, int* protocol_priority);
+
+void sockets_init( void);
+#ifndef HAVE_INET_NTOP
+const char *inet_ntop(int af, const void *src,
+ char *dst, size_t cnt);
+#endif
diff --git a/wmbiff/tlsComm.c b/wmbiff/tlsComm.c
index 272b296..81a56c1 100644
--- a/wmbiff/tlsComm.c
+++ b/wmbiff/tlsComm.c
@@ -22,6 +22,8 @@
#ifdef HAVE_GNUTLS_GNUTLS_H
#define USE_GNUTLS
#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <sys/stat.h>
#endif
#ifdef USE_DMALLOC
#include <dmalloc.h>
@@ -59,8 +61,8 @@ struct connection_state {
int sd;
char *name;
#ifdef USE_GNUTLS
- GNUTLS_STATE tls_state;
- GNUTLS_CERTIFICATE_CLIENT_CREDENTIALS xcred;
+ gnutls_session tls_state;
+ gnutls_certificate_credentials xcred;
#else
/*@null@ */ void *tls_state;
/*@null@ */ void *xcred;
@@ -83,7 +85,7 @@ void tlscomm_close(struct connection_state *scs)
if (scs->tls_state) {
#ifdef USE_GNUTLS
gnutls_bye(scs->tls_state, GNUTLS_SHUT_RDWR);
- gnutls_certificate_free_sc(scs->xcred);
+ gnutls_certificate_free_credentials(scs->xcred);
gnutls_deinit(scs->tls_state);
scs->xcred = NULL;
#endif
@@ -182,7 +184,7 @@ tlscomm_expect(struct connection_state *scs,
const char *prefix, char *linebuf, int buflen)
{
int prefixlen = (int) strlen(prefix);
- int readbytes = 0;
+ int buffered_bytes = 0;
memset(linebuf, 0, buflen);
TDM(DEBUG_INFO, "%s: expecting: %s\n", scs->name, prefix);
/* if(scs->unprocessed[0]) {
@@ -190,15 +192,15 @@ tlscomm_expect(struct connection_state *scs,
} */
while (scs->unprocessed[0] != '\0'
|| wait_for_it(scs->sd, EXPECT_TIMEOUT)) {
- if (scs->unprocessed[readbytes] == '\0') {
+ if (scs->unprocessed[buffered_bytes] == '\0') {
int thisreadbytes;
#ifdef USE_GNUTLS
if (scs->tls_state) {
/* BUF_SIZE - 1 leaves room for trailing \0 */
thisreadbytes =
gnutls_read(scs->tls_state,
- &scs->unprocessed[readbytes],
- BUF_SIZE - 1 - readbytes);
+ &scs->unprocessed[buffered_bytes],
+ BUF_SIZE - 1 - buffered_bytes);
if (thisreadbytes < 0) {
handle_gnutls_read_error(thisreadbytes, scs);
return 0;
@@ -207,47 +209,47 @@ tlscomm_expect(struct connection_state *scs,
#endif
{
thisreadbytes =
- read(scs->sd, &scs->unprocessed[readbytes],
- BUF_SIZE - 1 - readbytes);
+ read(scs->sd, &scs->unprocessed[buffered_bytes],
+ BUF_SIZE - 1 - buffered_bytes);
if (thisreadbytes < 0) {
TDM(DEBUG_ERROR, "%s: error reading: %s\n",
scs->name, strerror(errno));
return 0;
}
}
- readbytes += thisreadbytes;
+ buffered_bytes += thisreadbytes;
/* force null termination */
- scs->unprocessed[readbytes] = '\0';
- if (readbytes == 0) {
+ scs->unprocessed[buffered_bytes] = '\0';
+ if (buffered_bytes == 0) {
return 0; /* bummer */
}
} else {
- readbytes = strlen(scs->unprocessed);
+ buffered_bytes = strlen(scs->unprocessed);
}
- while (readbytes >= prefixlen) {
+ while (buffered_bytes >= prefixlen) {
int linebytes;
linebytes =
getline_from_buffer(scs->unprocessed, linebuf, buflen);
if (linebytes == 0) {
- readbytes = 0;
+ buffered_bytes = 0;
} else {
- readbytes -= linebytes;
+ buffered_bytes -= linebytes;
if (strncmp(linebuf, prefix, prefixlen) == 0) {
TDM(DEBUG_INFO, "%s: got: %*s", scs->name,
linebytes, linebuf);
return 1; /* got it! */
}
TDM(DEBUG_INFO, "%s: dumped(%d/%d): %.*s", scs->name,
- linebytes, readbytes, linebytes, linebuf);
+ linebytes, buffered_bytes, linebytes, linebuf);
}
}
}
- if (readbytes == -1) {
+ if (buffered_bytes == -1) {
TDM(DEBUG_INFO, "%s: timed out while expecting '%s'\n",
scs->name, prefix);
} else {
TDM(DEBUG_ERROR, "%s: expecting: '%s', saw (%d): %s%s",
- scs->name, prefix, readbytes, linebuf,
+ scs->name, prefix, buffered_bytes, linebuf,
/* only print the newline if the linebuf lacks it */
(linebuf[strlen(linebuf) - 1] == '\n') ? "\n" : "");
}
@@ -314,68 +316,154 @@ bad_certificate(const struct connection_state *scs, const char *msg)
gnutls to make this as easy as it should be, or someone
to port Andrew McDonald's gnutls-for-mutt patch.
*/
+
+#define CERT_SEP "-----BEGIN"
+
+/* this bit is based on read_ca_file() in gnutls */
+static int tls_compare_certificates(const gnutls_datum * peercert)
+{
+ gnutls_datum cert;
+ unsigned char *ptr;
+ FILE *fd1;
+ int ret;
+ gnutls_datum b64_data;
+ unsigned char *b64_data_data;
+ struct stat filestat;
+
+ if (stat(certificate_filename, &filestat) == -1)
+ return 0;
+
+ b64_data.size = filestat.st_size + 1;
+ b64_data_data = (unsigned char *) malloc(b64_data.size);
+ b64_data_data[b64_data.size - 1] = '\0';
+ b64_data.data = b64_data_data;
+
+ fd1 = fopen(certificate_filename, "r");
+ if (fd1 == NULL) {
+ return 0;
+ }
+
+ b64_data.size = fread(b64_data.data, 1, b64_data.size, fd1);
+ fclose(fd1);
+
+ do {
+ ret = gnutls_pem_base64_decode_alloc(NULL, &b64_data, &cert);
+ if (ret != 0) {
+ free(b64_data_data);
+ return 0;
+ }
+
+ ptr = (unsigned char *) strstr(b64_data.data, CERT_SEP) + 1;
+ ptr = (unsigned char *) strstr(ptr, CERT_SEP);
+
+ b64_data.size = b64_data.size - (ptr - b64_data.data);
+ b64_data.data = ptr;
+
+ if (cert.size == peercert->size) {
+ if (memcmp(cert.data, peercert->data, cert.size) == 0) {
+ /* match found */
+ gnutls_free(cert.data);
+ free(b64_data_data);
+ return 1;
+ }
+ }
+
+ gnutls_free(cert.data);
+ } while (ptr != NULL);
+
+ /* no match found */
+ free(b64_data_data);
+ return 0;
+}
+
+
int
tls_check_certificate(struct connection_state *scs,
const char *remote_hostname)
{
- GNUTLS_CertificateStatus certstat;
+ int certstat;
const gnutls_datum *cert_list;
int cert_list_size = 0;
+ gnutls_x509_crt cert;
if (gnutls_auth_get_type(scs->tls_state) != GNUTLS_CRD_CERTIFICATE) {
bad_certificate(scs, "Unable to get certificate from peer.\n");
}
certstat = gnutls_certificate_verify_peers(scs->tls_state);
- if (certstat ==
- (GNUTLS_CertificateStatus) GNUTLS_E_NO_CERTIFICATE_FOUND) {
+ if (certstat == GNUTLS_E_NO_CERTIFICATE_FOUND) {
+ bad_certificate(scs, "server presented no certificate.\n");
+#ifdef GNUTLS_CERT_CORRUPTED
} else if (certstat & GNUTLS_CERT_CORRUPTED) {
bad_certificate(scs, "server's certificate is corrupt.\n");
+#endif
} else if (certstat & GNUTLS_CERT_REVOKED) {
bad_certificate(scs, "server's certificate has been revoked.\n");
} else if (certstat & GNUTLS_CERT_INVALID) {
- bad_certificate(scs, "server's certificate is invalid.\n"
- "there may be a problem with the certificate stored in your certfile");
+ if (gnutls_certificate_type_get(scs->tls_state) == GNUTLS_CRT_X509) {
+ /* bad_certificate(scs, "server's certificate is not trusted.\n"
+ "there may be a problem with the certificate stored in your certfile\n"); */
+ } else {
+ bad_certificate(scs,
+ "server's certificate is invalid or not X.509.\n"
+ "there may be a problem with the certificate stored in your certfile\n");
+ }
} else if (certstat & GNUTLS_CERT_NOT_TRUSTED) {
TDM(DEBUG_INFO, "server's certificate is not trusted.\n");
TDM(DEBUG_INFO,
"to verify that a certificate is trusted, use the certfile option.\n");
}
+ if (gnutls_x509_crt_init(&cert) < 0) {
+ bad_certificate(scs,
+ "Unable to initialize certificate data structure");
+ }
+
+
/* not checking for not-yet-valid certs... this would make sense
if we weren't just comparing to stored ones */
cert_list =
gnutls_certificate_get_peers(scs->tls_state, &cert_list_size);
- if (gnutls_x509_extract_certificate_expiration_time(&cert_list[0]) <
- time(NULL)) {
+ if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) <
+ 0) {
+ bad_certificate(scs, "Error processing certificate data");
+ }
+
+ if (gnutls_x509_crt_get_expiration_time(cert) < time(NULL)) {
bad_certificate(scs, "server's certificate has expired.\n");
- } else
- if (gnutls_x509_extract_certificate_activation_time(&cert_list[0])
- > time(NULL)) {
+ } else if (gnutls_x509_crt_get_activation_time(cert)
+ > time(NULL)) {
bad_certificate(scs, "server's certificate is not yet valid.\n");
} else {
TDM(DEBUG_INFO, "certificate passed time check.\n");
}
- if (gnutls_x509_check_certificates_hostname
- (&cert_list[0], remote_hostname) == 0) {
- gnutls_DN dn;
- gnutls_x509_extract_certificate_dn(&cert_list[0], &dn);
- TDM(DEBUG_ERROR,
+ if (gnutls_x509_crt_check_hostname(cert, remote_hostname) == 0) {
+ char certificate_hostname[256];
+ int buflen = 255;
+ gnutls_x509_crt_get_dn(cert, certificate_hostname, &buflen);
+ /* gnutls_x509_extract_certificate_dn(&cert_list[0], &dn); */
+ TDM(DEBUG_INFO,
"server's certificate (%s) does not match its hostname (%s).\n",
- dn.common_name, remote_hostname);
+ certificate_hostname, remote_hostname);
bad_certificate(scs,
"server's certificate does not match its hostname.\n");
} else {
if ((scs->pc)->debug >= DEBUG_INFO) {
- gnutls_DN dn;
- gnutls_x509_extract_certificate_dn(&cert_list[0], &dn);
+ char certificate_hostname[256];
+ int buflen = 255;
+ gnutls_x509_crt_get_dn(cert, certificate_hostname, &buflen);
+ /* gnutls_x509_extract_certificate_dn(&cert_list[0], &dn); */
TDM(DEBUG_INFO,
"server's certificate (%s) matched its hostname (%s).\n",
- dn.common_name, remote_hostname);
+ certificate_hostname, remote_hostname);
}
}
+ tls_compare_certificates(&cert_list[0]);
+
+ gnutls_x509_crt_deinit(cert);
+
TDM(DEBUG_INFO, "certificate check ok.\n");
return (0);
}
@@ -402,7 +490,7 @@ struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc,
const int protocols[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
const int ciphers[] =
{ GNUTLS_CIPHER_RIJNDAEL_128_CBC, GNUTLS_CIPHER_3DES_CBC,
- GNUTLS_CIPHER_RIJNDAEL_256_CBC, GNUTLS_CIPHER_TWOFISH_128_CBC,
+ GNUTLS_CIPHER_RIJNDAEL_256_CBC,
GNUTLS_CIPHER_ARCFOUR, 0
};
const int compress[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
@@ -419,7 +507,7 @@ struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc,
assert(gnutls_kx_set_priority(scs->tls_state, key_exch) == 0);
assert(gnutls_mac_set_priority(scs->tls_state, mac) == 0);
/* no client private key */
- if (gnutls_certificate_allocate_sc(&scs->xcred) < 0) {
+ if (gnutls_certificate_allocate_credentials(&scs->xcred) < 0) {
DMA(DEBUG_ERROR, "gnutls memory error\n");
exit(1);
}
@@ -477,7 +565,7 @@ struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc,
} else {
TDM(DEBUG_INFO, "%s: Handshake was completed\n", name);
if (scs->pc->debug >= DEBUG_INFO)
- print_info(scs->tls_state);
+ print_info(scs->tls_state, remote_hostname);
scs->sd = sd;
scs->name = name;
}
diff --git a/wmbiff/wmbiff.c b/wmbiff/wmbiff.c
index 022ce71..8374877 100644
--- a/wmbiff/wmbiff.c
+++ b/wmbiff/wmbiff.c
@@ -1,4 +1,6 @@
-/* $Id: wmbiff.c,v 1.64 2004/06/18 21:29:11 bluehal Exp $ */
+/* $Id: wmbiff.c,v 1.65 2004/06/19 20:53:01 bluehal Exp $ */
+
+// typedef int gcry_error_t;
#ifdef HAVE_CONFIG_H
#include <config.h>
@@ -65,7 +67,7 @@ static const char *globalnotify = NULL;
static const char *skin_search_path = DEFAULT_SKIN_PATH;
/* for gnutls */
/*@null@*/
-const char *certificate_filename = NULL; /* not yet supported */
+const char *certificate_filename = NULL;
/* it could be argued that a better default exists. */
#define DEFAULT_FONT "-*-fixed-*-r-*-*-10-*-*-*-*-*-*-*"
@@ -406,7 +408,7 @@ static int Read_Config_File(char *filename, int *loopinterval)
static void init_biff(char *config_file)
{
#ifdef HAVE_GCRYPT_H
- int zok;
+ gcry_error_t rc;
#endif
int loopinterval = DEFAULT_LOOP;
unsigned int i;
@@ -429,17 +431,21 @@ static void init_biff(char *config_file)
}
#ifdef HAVE_GCRYPT_H
+ /* recently made a requirement, section 2.4 of gcrypt manual */
+ if (gcry_check_version("1.1.42") == NULL) {
+ DMA(DEBUG_ERROR, "Error: incompatible gcrypt version.\n");
+ }
/* gcrypt is a little strange, in that it doesn't
* seem to initialize its memory pool by itself.
* I believe we *expect* "Warning: using insecure memory!"
*/
- if ((zok = gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0)) != 0) {
+ if ((rc = gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0)) != 0) {
DMA(DEBUG_ERROR,
"Error: gcry_control() to initialize secure memory returned non-zero: %d\n"
" Message: %s\n"
" libgcrypt version: %s\n"
" recovering: will fail later if using CRAM-MD5 or APOP authentication.\n",
- zok, gcry_strerror(gcry_errno()), gcry_check_version(NULL));
+ rc, gcry_strerror(rc), gcry_check_version(NULL));
};
#endif
diff --git a/wmgeneral/wmgeneral.c b/wmgeneral/wmgeneral.c
index 2d9dca3..37720dd 100644
--- a/wmgeneral/wmgeneral.c
+++ b/wmgeneral/wmgeneral.c
@@ -72,7 +72,7 @@ int d_depth;
XSizeHints mysizehints;
XWMHints mywmhints;
Pixel back_pix, fore_pix;
-static const char *Geometry = "";
+// static const char *Geometry = "";
Window iconwin, win;
GC NormalGC;
XpmIcon wmgen_bkg;
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-wmaker/wmbiff.git
More information about the Pkg-wmaker-commits
mailing list