[pan2/testing: 272/279] TODO : better handling of expired certs, for now they are just accepted.



commit 7312588bacb1e55eb555e7fa533b637cbddf938d
Author: Heinrich MÃller <sphemuel stud informatik uni-erlangen de>
Date:   Sat Dec 3 01:08:58 2011 +0100

    TODO : better handling of expired certs, for now they are just accepted.
    
    Conflicts:
    
    	pan/data/cert-store.cc
    	pan/usenet-utils/ssl-utils.h

 pan.cbp                          |    1 +
 pan/data/cert-store.cc           |   13 +++++++++----
 pan/data/cert-store.h            |   17 ++++++++---------
 pan/gui/gui.cc                   |    2 +-
 pan/tasks/socket-impl-main.h     |   20 --------------------
 pan/tasks/socket-impl-openssl.cc |    2 +-
 pan/usenet-utils/ssl-utils.h     |    6 ++++--
 7 files changed, 24 insertions(+), 37 deletions(-)
---
diff --git a/pan.cbp b/pan.cbp
index e165e09..02227b0 100644
--- a/pan.cbp
+++ b/pan.cbp
@@ -5,6 +5,7 @@
 		<Option title="pan" />
 		<Option makefile_is_custom="1" />
 		<Option pch_mode="2" />
+		<Option default_target="all_linux" />
 		<Option compiler="gcc" />
 		<MakeCommands>
 			<Build command="$make -j8 -f $makefile $target" />
diff --git a/pan/data/cert-store.cc b/pan/data/cert-store.cc
index be372e7..a5817fa 100644
--- a/pan/data/cert-store.cc
+++ b/pan/data/cert-store.cc
@@ -4,7 +4,7 @@
  * Copyright (C) 2002-2006  Charles Kerr <charles rebelbase com>
  *
  * This file
- * Copyright (C) 2011 Heinrich Mü<sphemuel stud informatik uni-erlangen de>
+ * Copyright (C) 2011 Heinrich Mïller <sphemuel stud informatik uni-erlangen de>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -63,16 +63,19 @@ namespace pan
 
     if (!ok)
     {
-      if (mydata->ignore_all==1) { return 1; }
+      int err = X509_STORE_CTX_get_error(store);
 
       X509 *cert = X509_STORE_CTX_get_current_cert(store);
       CRYPTO_add (&(cert->references), 1, CRYPTO_LOCK_X509); // refcount +1
-      int err = X509_STORE_CTX_get_error(store);
+      if (err == X509_V_ERR_CERT_HAS_EXPIRED)
+        if (!mydata->cs->is_ignored(cert))
+            mydata->cs->ignore(cert);
+        else return 1;
 
       /* accept user-override on self-signed certificates */
       if (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
           err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
-          err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
+          err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY )
         mydata->cs->verify_failed(cert, mydata->server, mydata->cert_name, err);
       else
         g_warning("[[DEBUG:]] unknown error condition, please report me: %s", ssl_err_to_string(err).c_str());
@@ -108,6 +111,7 @@ namespace pan
     return cnt;
   }
 
+
   void
   CertStore :: init_me()
   {
@@ -120,6 +124,7 @@ namespace pan
     get_all_certs_from_disk (certs);
     foreach_const (std::set<X509*>, certs, it)
       if (X509_STORE_add_cert(_store, *it) != 0) ++r;
+
     if (r != 0) Log::add_info_va(_("Succesfully added %d SSL PEM certificate(s) to Certificate Store."), r);
     SSL_CTX_set_verify(_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
 
diff --git a/pan/data/cert-store.h b/pan/data/cert-store.h
index 5700ba8..b60d351 100644
--- a/pan/data/cert-store.h
+++ b/pan/data/cert-store.h
@@ -57,7 +57,9 @@ namespace pan
     private:
       SSL_CTX* _ctx;
       typedef std::set<Quark> certs_t;
+      typedef std::set<X509*> certs_s;
       certs_t _certs;
+      certs_s _ignores;
       typedef std::map<Quark,X509*> certs_m;
       typedef std::pair<Quark,X509*> certs_p;
       certs_m _cert_to_server;
@@ -101,19 +103,16 @@ namespace pan
         _blacklist.erase(s);
       }
 
-      void dump_blacklist()
+      void ignore (X509* cert)
       {
-        std::cerr<<"#################\n";
-        std::cerr<<_blacklist.size()<<std::endl;
-        std::cerr<<"#################\n\n";
+        _ignores.insert(cert);
       }
 
-      void dump_certs()
+      bool is_ignored(X509* c)
       {
-        std::cerr<<"#################\n";
-        foreach_const(certs_t, _certs, it)
-          std::cerr<<*it<<"\n";
-        std::cerr<<"#################\n\n";
+        foreach (certs_s, _ignores, it)
+          if (X509_cmp(c, *it)==0) return true;
+        return false;
       }
 
     private:
diff --git a/pan/gui/gui.cc b/pan/gui/gui.cc
index fdaaafe..bbcf55a 100644
--- a/pan/gui/gui.cc
+++ b/pan/gui/gui.cc
@@ -2103,7 +2103,6 @@ GUI :: do_show_cert_failed_dialog(VerifyData* data)
     if (!_certstore.add(d.cert, d.server))
       Log::add_urgent_va("Error adding certificate of server '%s' to Certificate Store",d.server.c_str());
 
-  X509_free(d.cert); // refcount -1
   delete data;
 }
 
@@ -2137,6 +2136,7 @@ void
 GUI :: on_valid_cert_added (X509* cert, std::string server)
 {
   /* whitelist to make avaible for nntp-pool */
+  X509_free(cert); // refcount -1
   _certstore.whitelist(server);
 }
 
diff --git a/pan/tasks/socket-impl-main.h b/pan/tasks/socket-impl-main.h
index 0e7a73a..0699a12 100644
--- a/pan/tasks/socket-impl-main.h
+++ b/pan/tasks/socket-impl-main.h
@@ -157,26 +157,6 @@ namespace pan
                                   Socket::Creator::Listener * listener,
                                   bool               use_ssl);
 
-//      struct Listener
-//      {
-//        virtual ~Listener() {}
-//        /* functions that other listeners listen on */
-//        virtual void on_handshake_done (X509* cert UNUSED, std::string server UNUSED, std::string cert_name UNUSED, int nr UNUSED) = 0;
-//      };
-//
-//      typedef std::set<Listener*> listeners_t;
-//      listeners_t _listeners;
-//
-//      void add_listener (Listener * l)    { _listeners.insert(l); }
-//      void remove_listener (Listener * l) { _listeners.erase(l);  }
-//
-//      /* notify functions for listener list */
-//      void handshake_done (X509* c, std::string server, std::string cn, int nr)
-//      {
-//        for (listeners_t::iterator it(_listeners.begin()), end(_listeners.end()); it!=end; ++it)
-//          (*it)->on_handshake_done (c, server, cn, nr);
-//      }
-
   };
 
 }
diff --git a/pan/tasks/socket-impl-openssl.cc b/pan/tasks/socket-impl-openssl.cc
index d223880..e1202ab 100644
--- a/pan/tasks/socket-impl-openssl.cc
+++ b/pan/tasks/socket-impl-openssl.cc
@@ -482,7 +482,7 @@ namespace
       return -1;
     }
 
-    ret = !chan->verify || ssl_verify(chan->ssl, chan->ctx, host.c_str(), cert);
+    ret = !chan->verify || ssl_verify(cs, chan->ssl, chan->ctx, host.c_str(), cert);
     X509_free(cert);
     return ret ? 0 : -1;
 
diff --git a/pan/usenet-utils/ssl-utils.h b/pan/usenet-utils/ssl-utils.h
index f0422bb..51bf9a5 100644
--- a/pan/usenet-utils/ssl-utils.h
+++ b/pan/usenet-utils/ssl-utils.h
@@ -5,7 +5,7 @@
  * Copyright (C) 2002-2006  Charles Kerr <charles rebelbase com>
  *
  * This file
- * Copyright (C) 2011 Heinrich Mü<sphemuel stud informatik uni-erlangen de>
+ * Copyright (C) 2011 Heinrich Mïller <sphemuel stud informatik uni-erlangen de>
  * SSL functions : Copyright (C) 2002 vjt (irssi project)
  * getTimeFromASN1 : Copyright (C) 2003 Jay Case,
  * taken from : http://www.mail-archive.com/openssl-users openssl org/msg33365.html
@@ -29,6 +29,7 @@
 
 #ifdef HAVE_OPENSSL
 
+#include <pan/data/cert-store.h>
 #include <pan/tasks/socket.h>
 #include <pan/general/quark.h>
 #include <pan/general/macros.h>
@@ -192,11 +193,12 @@ namespace pan
     return matched;
   }
 
-  static gboolean ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, X509 *cert)
+  static gboolean ssl_verify(CertStore* cs, SSL *ssl, SSL_CTX *ctx, const char* hostname, X509 *cert)
   {
     long result;
 
     result = SSL_get_verify_result(ssl);
+    if (result == X509_V_ERR_CERT_HAS_EXPIRED && cs->is_ignored(cert)) return true;
     if (result != X509_V_OK) {
       unsigned char md[EVP_MAX_MD_SIZE];
       unsigned int n;



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]