[pan2/testing: 241/279] some ssl fixes and (c) utf-8 fix
- From: Heinrich Müller <henmull src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [pan2/testing: 241/279] some ssl fixes and (c) utf-8 fix
- Date: Sat, 3 Dec 2011 22:41:50 +0000 (UTC)
commit 745e6d860fa8a90a52093cd2548ef301068ae25e
Author: Heinrich Müller <sphemuel stud informatik uni-erlangen de>
Date: Thu Nov 10 09:04:02 2011 +0100
some ssl fixes and (c) utf-8 fix
pan/gui/gui.cc | 11 ++++---
pan/tasks/cert-store.cc | 18 +++++-----
pan/tasks/socket-impl-main.cc | 11 -------
pan/tasks/socket-impl-openssl.cc | 12 ++++---
pan/usenet-utils/ssl-utils.h | 61 +++++++++++++++++++++++++++++++++-----
5 files changed, 75 insertions(+), 38 deletions(-)
---
diff --git a/pan/gui/gui.cc b/pan/gui/gui.cc
index 1838ee3..1916fae 100644
--- a/pan/gui/gui.cc
+++ b/pan/gui/gui.cc
@@ -1460,15 +1460,16 @@ void GUI :: do_tip_jar ()
}
void GUI :: do_about_pan ()
{
- const gchar * authors [] = { "Charles Kerr <charles rebelbase com> - Pan Author", "Calin Culianu <calin ajvar org> - Threaded Decoding", "K. Haley <haleykd users sf net> - Contributor",
- "Petr Kovar <pknbe volny cz> - Contributor", "Heinrich Mueller <eddie_v gmx de> - Contributor", "Christophe Lambin <chris rebelbase com> - Original Pan Development",
+ const gchar * authors [] = {
+ "Charles Kerr <charles rebelbase com> - Pan Author", "Calin Culianu <calin ajvar org> - Threaded Decoding", "K. Haley <haleykd users sf net> - Contributor",
+ "Petr Kovar <pknbe volny cz> - Contributor", "Heinrich Mü<eddie_v gmx de> - Contributor", "Christophe Lambin <chris rebelbase com> - Original Pan Development",
"Matt Eagleson <matt rebelbase com> - Original Pan Development", 0 };
GdkPixbuf * logo = gdk_pixbuf_new_from_inline(-1, icon_pan_about_logo, 0, 0);
GtkAboutDialog * w (GTK_ABOUT_DIALOG (gtk_about_dialog_new ()));
gtk_about_dialog_set_program_name (w, _("Pan"));
gtk_about_dialog_set_version (w, PACKAGE_VERSION);
gtk_about_dialog_set_comments (w, VERSION_TITLE " (" GIT_REV "; " PLATFORM_INFO ")");
- gtk_about_dialog_set_copyright (w, _("Copyright © 2002-2011 Charles Kerr and others"));
+ gtk_about_dialog_set_copyright (w, _("Copyright \u00A9 2002-2011 Charles Kerr and others")); // \u00A9 is unicode for ©
gtk_about_dialog_set_website (w, "http://pan.rebelbase.com/");
gtk_about_dialog_set_logo (w, logo);
gtk_about_dialog_set_license (w, LICENSE);
@@ -2094,11 +2095,11 @@ GUI :: on_prefs_string_changed (const StringView& key, const StringView& value)
void
GUI :: on_verify_cert_failed(X509* cert, std::string server, int nr)
{
- std::cerr<<"gui cert failed : "<<cert<<"\n";
+// std::cerr<<"gui cert failed : "<<cert<<"\n";
if (GUI::confirm_accept_new_cert_dialog(get_window(_root),cert,server))
if (!_certstore.add(cert, server))
- std::cerr<<"error adding cert to "<<server<<std::endl;
+ Log::add_err_va("Error adding certificate of server '%s' to Certificate Store",server.c_str());
}
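Review bot: The verification error code `nr`, handed in by the cert-store verify callback, is never used here, so the user is asked to pin a certificate for `server` without being told why verification failed (self-signed versus unknown issuer, which are now both routed to this prompt). At minimum carry it into the log line, `Log::add_err_va("Error adding certificate of server '%s' to Certificate Store (verify error %d)", server.c_str(), nr);`, and consider passing it to confirm_accept_new_cert_dialog so the dialog can show the reason. The decline path is also silent: when the user refuses, nothing is logged, which makes a later "connection refused" hard to diagnose.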
diff --git a/pan/tasks/cert-store.cc b/pan/tasks/cert-store.cc
index d911a7c..7fa13d9 100644
--- a/pan/tasks/cert-store.cc
+++ b/pan/tasks/cert-store.cc
@@ -28,22 +28,16 @@
#include <fstream>
#include <iostream>
#include <string>
-#include <cerrno>
-#include <cstring>
extern "C" {
#include <glib/gi18n.h>
- #include <dirent.h>
}
#include <pan/general/debug.h>
#include <pan/general/e-util.h>
#include <pan/general/macros.h>
-#include <pan/usenet-utils/mime-utils.h>
-
-#include <pan/general/debug.h>
+#include <pan/usenet-utils/ssl-utils.h>
#include <pan/general/file-util.h>
-#include <pan/general/macros.h>
#include <pan/general/messages.h>
#include <pan/general/log.h>
#include <pan/general/string-view.h>
@@ -73,13 +67,18 @@ namespace pan
int depth = X509_STORE_CTX_get_error_depth(store);
int err = X509_STORE_CTX_get_error(store);
+// std::cerr<<"ssl verify err "<<err<<" "<<ok<<std::endl;
+
/* accept user-override on self-signed certificates */
if (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
- err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
+ err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+ err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+ err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
mydata->cs->verify_failed(cert, mydata->server, err);
+ else
+ g_warning("[[DEBUG:]] unknown error condition, please report me: %s", ssl_err_to_string(err).c_str());
}
return ok;
-
}
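Review bot: The condition on L88 repeats the `X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT` test of the line above it, so a different code was presumably intended; more importantly, the newly added `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY` override is a much broader change than the two self-signed cases, because it is the error any certificate chaining to a CA outside the trust store produces — exactly what an interposed proxy presents — and it now reaches the accept-this-certificate prompt. Trust-on-first-use is a defensible choice for a news client, but the prompt should then say that the issuer is unknown rather than self-signed; dropping the duplicated line is a one-line fix. The `else` branch also labels every remaining failure (expired, revoked, bad signature, ...) as an "unknown error condition, please report me" in a debug g_warning, although these are well-known hard failures that deserve a user-visible `Log::add_err_va` with `ssl_err_to_string(err)`. The enclosing verify callback starts outside the hunk.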
int
@@ -181,6 +180,7 @@ CertStore :: add(X509* cert, const Quark& server)
FILE * fp = fopen(buf, "wb");
PEM_write_X509(fp, cert);
fclose(fp);
+ chmod (buf, 0600);
valid_cert_added(cert, server.c_str());
return true;
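Review bot: `fopen(buf, "wb")` is not checked before `PEM_write_X509(fp, cert)`, so a failed open (missing directory, read-only home, too many open files) dereferences a null FILE* and, if it did not crash, the function would still report `true` and call `valid_cert_added` for a certificate that was never stored; `PEM_write_X509`'s return is ignored in the same way. The added `chmod (buf, 0600)` runs only after the file has been created and written with the process umask, so the file is briefly readable by others — creating it with the right mode via `open(..., O_CREAT|O_TRUNC, 0600)` and `fdopen` avoids the window and the extra syscall (this needs `<fcntl.h>` and `<unistd.h>`; the Windows build, if any, may need a different spelling). Suggested rewrite of the write sequence; the rest of `CertStore::add` lies outside the hunk.
```cpp
  // create the file with mode 0600 from the start instead of chmod()ing it afterwards
  int fd = open (buf, O_WRONLY | O_CREAT | O_TRUNC, 0600);
  if (fd < 0)
    return false;
  FILE * fp = fdopen (fd, "wb");
  if (!fp) { close (fd); return false; }
  const bool written = (PEM_write_X509 (fp, cert) == 1);
  fclose (fp);
  if (!written) { unlink (buf); return false; }   // don't leave a truncated PEM behind
  valid_cert_added(cert, server.c_str());
  return true;
```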
diff --git a/pan/tasks/socket-impl-main.cc b/pan/tasks/socket-impl-main.cc
index 7c64b0b..96d83cb 100644
--- a/pan/tasks/socket-impl-main.cc
+++ b/pan/tasks/socket-impl-main.cc
@@ -95,35 +95,24 @@ namespace pan
#ifdef HAVE_OPENSSL
namespace
{
-// static pthread_mutex_t *lock_cs=0;
static Mutex* mutex;
void gio_lock(int mode, int type, const char *file, int line)
{
if (mode & CRYPTO_LOCK)
mutex[type].lock();
-// pthread_mutex_lock(&(lock_cs[type]));
else
mutex[type].unlock();
-// pthread_mutex_unlock(&(lock_cs[type]));
}
void ssl_thread_setup() {
mutex = new Mutex[CRYPTO_num_locks()];
-// lock_cs = (pthread_mutex_t*)OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
-// for (int i=0; i<CRYPTO_num_locks(); i++)
-// if (pthread_mutex_init(&lock_cs[i],0) != 0)
-// g_warning("error initialing mutex!");
-
CRYPTO_set_locking_callback(gio_lock);
}
void ssl_thread_cleanup() {
-// for (int i=0; i<CRYPTO_num_locks(); i++)
-// pthread_mutex_destroy(&lock_cs[i]);
delete [] mutex;
CRYPTO_set_locking_callback(0);
-// OPENSSL_free(lock_cs);
}
}
diff --git a/pan/tasks/socket-impl-openssl.cc b/pan/tasks/socket-impl-openssl.cc
index 054650d..e2ed647 100644
--- a/pan/tasks/socket-impl-openssl.cc
+++ b/pan/tasks/socket-impl-openssl.cc
@@ -288,8 +288,9 @@ namespace
{
GIOSSLChannel *chan = (GIOSSLChannel *)handle;
g_io_channel_unref(chan->giochan);
+ SSL_shutdown(chan->ssl);
SSL_free(chan->ssl);
- std::cerr<<"ssl free\n";
+// std::cerr<<"ssl free\n";
g_free(chan);
}
}
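Review bot: `SSL_shutdown(chan->ssl)` is issued after `g_io_channel_unref(chan->giochan)`; if that unref drops the last reference and the channel closes its descriptor, the close_notify alert has no socket to go to and the shutdown fails with a write error left in OpenSSL's error queue. The safe order is shutdown first, then release the channel and the SSL object: `SSL_shutdown(chan->ssl); g_io_channel_unref(chan->giochan); SSL_free(chan->ssl);`. Ignoring SSL_shutdown's return value is acceptable for a best-effort close, but note that a single call only sends our close_notify and does not wait for the peer's. The enclosing function starts outside the hunk.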
@@ -299,7 +300,7 @@ GIOChannelSocketSSL :: ~GIOChannelSocketSSL ()
_certstore.remove_listener(this);
- std::cerr << LINE_ID << " destroying socket " << this <<std::endl;
+// std::cerr << LINE_ID << " destroying socket " << this <<std::endl;
// std::cerr<<_session<<std::endl;
@@ -410,6 +411,7 @@ namespace
ret = SSL_connect(chan->ssl);
if (ret <= 0) {
+// std::cerr<<"ret handshake "<<ret<<std::endl;
err = SSL_get_error(chan->ssl, ret);
switch (err) {
case SSL_ERROR_WANT_READ:
@@ -417,17 +419,17 @@ namespace
case SSL_ERROR_WANT_WRITE:
return 3;
case SSL_ERROR_ZERO_RETURN:
- g_warning("SSL handshake failed: %s", "server closed connection");
+// g_warning("SSL handshake failed: %s", "server closed connection");
return -1;
case SSL_ERROR_SYSCALL:
errstr = ERR_reason_error_string(ERR_get_error());
if (errstr == NULL && ret == -1)
errstr = strerror(errno);
- g_warning("SSL handshake failed: %s", errstr != NULL ? errstr : "server closed connection unexpectedly");
+// g_warning("SSL handshake failed: %s", errstr != NULL ? errstr : "server closed connection unexpectedly");
return -1;
default:
errstr = ERR_reason_error_string(ERR_get_error());
- g_warning("SSL handshake failed: %s", errstr != NULL ? errstr : "unknown SSL error");
+// g_warning("SSL handshake failed: %s", errstr != NULL ? errstr : "unknown SSL error");
return -1;
}
}
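Review bot: Commenting out the three `g_warning` calls makes every handshake failure silent — the function returns -1 with nothing recorded, and the reason string just computed from `ERR_reason_error_string`/`strerror` is thrown away. Since gui.cc in this same commit moves to `Log::add_err_va` for user-visible errors, the same should be done here instead of dropping the diagnostic, e.g. `Log::add_err_va("SSL handshake failed: %s", errstr != NULL ? errstr : "unknown SSL error");` in the `default` branch and its counterpart in the `SSL_ERROR_SYSCALL` branch (assuming pan/general/log.h is available in this file). A TLS connection that fails to establish without a trace is indistinguishable from a network outage, and it is exactly the event a user needs to see when a server's certificate or protocol is being interfered with. The enclosing function starts before the hunk.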
diff --git a/pan/usenet-utils/ssl-utils.h b/pan/usenet-utils/ssl-utils.h
index 404837d..d3ab163 100644
--- a/pan/usenet-utils/ssl-utils.h
+++ b/pan/usenet-utils/ssl-utils.h
@@ -18,8 +18,6 @@
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
-/* based on verify_extract_name from tls_client.c in postfix */
-
/** Copyright notice: Some code taken from here :
* http://dslinux.gits.kiev.ua/trunk/user/irssi/src/src/core/network-openssl.c
* Copyright (C) 2002 vjt (irssi project) */
@@ -29,18 +27,21 @@
#ifdef HAVE_OPENSSL
+#include <pan/general/quark.h>
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
+#include <map>
+
namespace pan
{
/* Checks if the given string has internal NUL characters. */
- gboolean has_internal_nul(const char* str, int len) {
+ static gboolean has_internal_nul(const char* str, int len) {
/* Remove trailing nul characters. They would give false alarms */
while (len > 0 && str[len-1] == 0)
len--;
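Review bot: `static` on these function definitions in a header gives every translation unit that includes ssl-utils.h its own private copy, plus an unused-function warning for each one it does not call; the conventional fix for a function body living in a header is `inline`, e.g. `inline gboolean has_internal_nul(const char* str, int len)`, which keeps a single definition under the ODR. The same consideration applies to the `static std::map<int, Quark> ssl_err` and `map_init` added later in this header, where `static` means each translation unit builds and initialises its own map. This is a point of style; the fix made here (previously these were non-static definitions in a header) is correct as far as linking goes.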
@@ -48,7 +49,7 @@ namespace pan
}
/* tls_dns_name - Extract valid DNS name from subjectAltName value */
- const char *tls_dns_name(const GENERAL_NAME * gn)
+ static const char *tls_dns_name(const GENERAL_NAME * gn)
{
const char *dnsname;
@@ -71,7 +72,7 @@ namespace pan
}
/* tls_text_name - extract certificate property value by name */
- char *tls_text_name(X509_NAME *name, int nid)
+ static char *tls_text_name(X509_NAME *name, int nid)
{
int pos;
X509_NAME_ENTRY *entry;
@@ -110,7 +111,7 @@ namespace pan
/** check if a hostname in the certificate matches the hostname we used for the connection */
- gboolean match_hostname(const char *cert_hostname, const char *hostname)
+ static gboolean match_hostname(const char *cert_hostname, const char *hostname)
{
const char *hostname_left;
@@ -126,7 +127,7 @@ namespace pan
return FALSE;
}
- gboolean ssl_verify_hostname(X509 *cert, const char *hostname)
+ static gboolean ssl_verify_hostname(X509 *cert, const char *hostname)
{
int gen_index, gen_count;
gboolean matched = FALSE, has_dns_name = FALSE;
@@ -180,7 +181,7 @@ namespace pan
return matched;
}
- gboolean ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, X509 *cert)
+ static gboolean ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, X509 *cert)
{
long result;
@@ -226,6 +227,50 @@ namespace pan
return TRUE;
}
+ static std::map<int, Quark> ssl_err;
+ static int map_init(0);
+ typedef std::pair<int, Quark> err_p;
+
+ static void init_err_map()
+ {
+ ssl_err.insert(err_p(2,"X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT"));
+ ssl_err.insert(err_p(3,"X509_V_ERR_UNABLE_TO_GET_CRL"));
+ ssl_err.insert(err_p(4,"X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE"));
+ ssl_err.insert(err_p(5,"X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE"));
+ ssl_err.insert(err_p(6,"X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY"));
+ ssl_err.insert(err_p(7,"X509_V_ERR_CERT_SIGNATURE_FAILURE"));
+ ssl_err.insert(err_p(8,"X509_V_ERR_CRL_SIGNATURE_FAILURE"));
+ ssl_err.insert(err_p(9,"X509_V_ERR_CERT_NOT_YET_VALID"));
+ ssl_err.insert(err_p(10,"X509_V_ERR_CERT_HAS_EXPIRED"));
+ ssl_err.insert(err_p(11,"X509_V_ERR_CRL_NOT_YET_VALID"));
+ ssl_err.insert(err_p(12,"X509_V_ERR_CRL_HAS_EXPIRED"));
+ ssl_err.insert(err_p(13,"X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD"));
+ ssl_err.insert(err_p(14,"X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD"));
+ ssl_err.insert(err_p(15,"X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD"));
+ ssl_err.insert(err_p(16,"X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD"));
+ ssl_err.insert(err_p(17,"X509_V_ERR_OUT_OF_MEM"));
+ ssl_err.insert(err_p(18,"X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT"));
+ ssl_err.insert(err_p(19,"X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN"));
+ ssl_err.insert(err_p(20,"X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY "));
+ ssl_err.insert(err_p(21,"X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE "));
+ ssl_err.insert(err_p(22,"X509_V_ERR_CERT_CHAIN_TOO_LONG"));
+ ssl_err.insert(err_p(23,"X509_V_ERR_CERT_REVOKED"));
+ ssl_err.insert(err_p(24,"X509_V_ERR_INVALID_CA"));
+ ssl_err.insert(err_p(25,"X509_V_ERR_PATH_LENGTH_EXCEEDED"));
+ ssl_err.insert(err_p(26,"X509_V_ERR_INVALID_PURPOSE"));
+ ssl_err.insert(err_p(27,"X509_V_ERR_CERT_UNTRUSTED"));
+ ssl_err.insert(err_p(28,"X509_V_ERR_CERT_REJECTED"));
+ }
+
+ static const Quark
+ ssl_err_to_string(int i)
+ {
+ if (map_init++ == 0) init_err_map();
+ Quark ret;
+ if (ssl_err.count(i) > 0) return ssl_err[i];
+ return ret;
+ }
+
}
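Review bot: `init_err_map` hand-copies, with hard-coded integers instead of the `X509_V_ERR_*` macros and stray trailing spaces in the strings for codes 20 and 21, a table OpenSSL already provides: `X509_verify_cert_error_string(err)` returns the canonical text for every verify error code, including those this map omits (29 and above, which the cert-store callback's "unknown error condition" branch will feed it). The map, `map_init` and `init_err_map` can collapse to `static const Quark ssl_err_to_string(int i) { return Quark(X509_verify_cert_error_string(i)); }`, assuming Quark is constructible from a `const char*` as the `err_p(2,"...")` insertions imply. That also removes the unsynchronised `map_init++` lazy initialisation, which is not safe if the verify callback can run on more than one socket thread at once — the OpenSSL locking callbacks installed in socket-impl-main.cc suggest it can.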
#endif