[pan2: 194/268] some ssl fixes and (c) utf-8 fix



commit 745e6d860fa8a90a52093cd2548ef301068ae25e
Author: Heinrich Müller <sphemuel stud informatik uni-erlangen de>
Date:   Thu Nov 10 09:04:02 2011 +0100

    some ssl fixes and (c) utf-8 fix

 pan/gui/gui.cc                   |   11 ++++---
 pan/tasks/cert-store.cc          |   18 +++++-----
 pan/tasks/socket-impl-main.cc    |   11 -------
 pan/tasks/socket-impl-openssl.cc |   12 ++++---
 pan/usenet-utils/ssl-utils.h     |   61 +++++++++++++++++++++++++++++++++-----
 5 files changed, 75 insertions(+), 38 deletions(-)
---
diff --git a/pan/gui/gui.cc b/pan/gui/gui.cc
index 1838ee3..1916fae 100644
--- a/pan/gui/gui.cc
+++ b/pan/gui/gui.cc
@@ -1460,15 +1460,16 @@ void GUI :: do_tip_jar ()
 }
 void GUI :: do_about_pan ()
 {
-  const gchar * authors [] = { "Charles Kerr <charles rebelbase com> - Pan Author", "Calin Culianu <calin ajvar org> - Threaded Decoding", "K. Haley <haleykd users sf net> - Contributor",
-  "Petr Kovar <pknbe volny cz> - Contributor", "Heinrich Mueller <eddie_v gmx de> - Contributor", "Christophe Lambin <chris rebelbase com> - Original Pan Development",
+  const gchar * authors [] = {
+  "Charles Kerr <charles rebelbase com> - Pan Author", "Calin Culianu <calin ajvar org> - Threaded Decoding", "K. Haley <haleykd users sf net> - Contributor",
+  "Petr Kovar <pknbe volny cz> - Contributor", "Heinrich Mü<eddie_v gmx de> - Contributor", "Christophe Lambin <chris rebelbase com> - Original Pan Development",
   "Matt Eagleson <matt rebelbase com> - Original Pan Development", 0 };
   GdkPixbuf * logo = gdk_pixbuf_new_from_inline(-1, icon_pan_about_logo, 0, 0);
   GtkAboutDialog * w (GTK_ABOUT_DIALOG (gtk_about_dialog_new ()));
   gtk_about_dialog_set_program_name (w, _("Pan"));
   gtk_about_dialog_set_version (w, PACKAGE_VERSION);
   gtk_about_dialog_set_comments (w, VERSION_TITLE " (" GIT_REV "; " PLATFORM_INFO ")");
-  gtk_about_dialog_set_copyright (w, _("Copyright © 2002-2011 Charles Kerr and others"));
+  gtk_about_dialog_set_copyright (w, _("Copyright \u00A9 2002-2011 Charles Kerr and others")); // \u00A9 is unicode for ©
   gtk_about_dialog_set_website (w, "http://pan.rebelbase.com/";);
   gtk_about_dialog_set_logo (w, logo);
   gtk_about_dialog_set_license (w, LICENSE);
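Review bot: Switching the literal to `\u00A9` on the `gtk_about_dialog_set_copyright` line changes the gettext msgid, so existing translations keyed on "Copyright © 2002-2011 Charles Kerr and others" will stop matching unless the .po catalogs are regenerated; the universal-character-name also only yields the intended bytes when the compiler's execution charset is UTF-8, which deserves a comment such as `// \u00A9 (©) keeps the source ASCII-only; relies on a UTF-8 execution charset`. Separately, the new authors entry reads `"Heinrich Mü<eddie_v gmx de> - Contributor"` while the removed line had `Heinrich Mueller <eddie_v gmx de>`; if that truncation is in the commit rather than an artifact of the mail archive, the name should be restored.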
@@ -2094,11 +2095,11 @@ GUI :: on_prefs_string_changed (const StringView& key, const StringView& value)
 void
 GUI :: on_verify_cert_failed(X509* cert, std::string server, int nr)
 {
-  std::cerr<<"gui cert failed : "<<cert<<"\n";
+//  std::cerr<<"gui cert failed : "<<cert<<"\n";
 
   if (GUI::confirm_accept_new_cert_dialog(get_window(_root),cert,server))
     if (!_certstore.add(cert, server))
-      std::cerr<<"error adding cert to "<<server<<std::endl;
+      Log::add_err_va("Error adding certificate of server '%s' to Certificate Store",server.c_str());
 
 }
 
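Review bot: The debug line is commented out rather than deleted (`//  std::cerr<<"gui cert failed : "<<cert<<"\n";`), and the same pattern recurs in the cert-store.cc verify-callback hunk and in all four socket-impl-openssl.cc hunks; dead commented-out statements accumulate and the history already preserves them, so removing them outright is preferable. The new `Log::add_err_va` report only fires when `_certstore.add` returns `false`, and the cert-store.cc hunk shows the write path in `add` returning `true` without checking `fopen`, so the user may never see this message for the very failure it names.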
diff --git a/pan/tasks/cert-store.cc b/pan/tasks/cert-store.cc
index d911a7c..7fa13d9 100644
--- a/pan/tasks/cert-store.cc
+++ b/pan/tasks/cert-store.cc
@@ -28,22 +28,16 @@
 #include <fstream>
 #include <iostream>
 #include <string>
-#include <cerrno>
-#include <cstring>
 
 extern "C" {
   #include <glib/gi18n.h>
-  #include <dirent.h>
 }
 
 #include <pan/general/debug.h>
 #include <pan/general/e-util.h>
 #include <pan/general/macros.h>
-#include <pan/usenet-utils/mime-utils.h>
-
-#include <pan/general/debug.h>
+#include <pan/usenet-utils/ssl-utils.h>
 #include <pan/general/file-util.h>
-#include <pan/general/macros.h>
 #include <pan/general/messages.h>
 #include <pan/general/log.h>
 #include <pan/general/string-view.h>
@@ -73,13 +67,18 @@ namespace pan
       int depth = X509_STORE_CTX_get_error_depth(store);
       int err = X509_STORE_CTX_get_error(store);
 
+//      std::cerr<<"ssl verify err "<<err<<" "<<ok<<std::endl;
+
       /* accept user-override on self-signed certificates */
       if (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
-          err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
+          err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+          err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+          err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
         mydata->cs->verify_failed(cert, mydata->server, err);
+      else
+        g_warning("[[DEBUG:]] unknown error condition, please report me: %s", ssl_err_to_string(err).c_str());
     }
     return ok;
-
 }
 
 int
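Review bot: The new condition lists `err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT` twice (both added lines after the original self-signed check); one of them should go. The new `else` branch also labels every other verification failure — expired, revoked, signature failure — as an "unknown error condition, please report me", which misleads users who hit a perfectly well-known failure; `g_warning("certificate verification failed: %s", ssl_err_to_string(err).c_str());` describes what actually happened. Adding `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY` to the user-override list extends the trust-on-first-use prompt from self-signed certificates to any certificate whose issuer is absent from the local store, so the confirmation dialog becomes the only check and should present the certificate fingerprint clearly. The callback begins outside the hunk.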
@@ -181,6 +180,7 @@ CertStore :: add(X509* cert, const Quark& server)
   FILE * fp = fopen(buf, "wb");
   PEM_write_X509(fp, cert);
   fclose(fp);
+  chmod (buf, 0600);
 
   valid_cert_added(cert, server.c_str());
   return true;
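Review bot: The `fopen` result on the first line of the hunk is still unchecked, so when the store directory is missing or unwritable `PEM_write_X509` and `fclose` run on a null `FILE*` and on this path `add` still returns `true`, which means the "Error adding certificate" report in gui.cc cannot fire for exactly that case. The added `chmod (buf, 0600)` runs only after the file has been created under the process umask, leaving a window in which it may carry wider permissions; creating it with the mode up front via `open(..., 0600)` plus `fdopen` (needs `<fcntl.h>`/`<unistd.h>`) closes that window and also makes the write failure observable. `chmod` itself needs `<sys/stat.h>`, which is not among the includes visible in the earlier cert-store.cc hunk and may only be reached transitively. `CertStore::add` begins outside the hunk.
```cpp
  // … unchanged: path construction into buf …
  const int fd = open (buf, O_WRONLY | O_CREAT | O_TRUNC, 0600);
  FILE * fp = (fd < 0) ? NULL : fdopen (fd, "wb");
  if (!fp) {
    if (fd >= 0) close (fd);
    return false;
  }
  const bool written = (PEM_write_X509 (fp, cert) == 1);
  fclose (fp);
  if (!written) return false;

  valid_cert_added(cert, server.c_str());
  return true;
```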
diff --git a/pan/tasks/socket-impl-main.cc b/pan/tasks/socket-impl-main.cc
index 7c64b0b..96d83cb 100644
--- a/pan/tasks/socket-impl-main.cc
+++ b/pan/tasks/socket-impl-main.cc
@@ -95,35 +95,24 @@ namespace pan
 #ifdef HAVE_OPENSSL
 namespace
 {
-//  static pthread_mutex_t *lock_cs=0;
   static Mutex* mutex;
 
   void gio_lock(int mode, int type, const char *file, int line)
   {
     if (mode & CRYPTO_LOCK)
       mutex[type].lock();
-//      pthread_mutex_lock(&(lock_cs[type]));
     else
       mutex[type].unlock();
-//      pthread_mutex_unlock(&(lock_cs[type]));
   }
 
   void ssl_thread_setup() {
     mutex = new Mutex[CRYPTO_num_locks()];
-//    lock_cs = (pthread_mutex_t*)OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
-//    for (int i=0; i<CRYPTO_num_locks(); i++)
-//      if (pthread_mutex_init(&lock_cs[i],0) != 0)
-//        g_warning("error initialing mutex!");
-
     CRYPTO_set_locking_callback(gio_lock);
   }
 
   void ssl_thread_cleanup() {
-//    for (int i=0; i<CRYPTO_num_locks(); i++)
-//      pthread_mutex_destroy(&lock_cs[i]);
     delete [] mutex;
     CRYPTO_set_locking_callback(0);
-//    OPENSSL_free(lock_cs);
   }
 
 }
diff --git a/pan/tasks/socket-impl-openssl.cc b/pan/tasks/socket-impl-openssl.cc
index 054650d..e2ed647 100644
--- a/pan/tasks/socket-impl-openssl.cc
+++ b/pan/tasks/socket-impl-openssl.cc
@@ -288,8 +288,9 @@ namespace
   {
     GIOSSLChannel *chan = (GIOSSLChannel *)handle;
     g_io_channel_unref(chan->giochan);
+    SSL_shutdown(chan->ssl);
     SSL_free(chan->ssl);
-    std::cerr<<"ssl free\n";
+//    std::cerr<<"ssl free\n";
     g_free(chan);
   }
 }
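Review bot: `SSL_shutdown(chan->ssl)` is inserted after `g_io_channel_unref(chan->giochan)`; if that unref drops the last reference and closes the underlying descriptor, the close_notify alert has no socket left to travel on and the call simply fails. Moving the shutdown above the unref, and making the ignored result explicit since a non-blocking socket may report WANT_WRITE here — `(void) SSL_shutdown(chan->ssl); // best-effort close_notify` — states the intent. The enclosing function's signature is outside the hunk.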
@@ -299,7 +300,7 @@ GIOChannelSocketSSL :: ~GIOChannelSocketSSL ()
 
   _certstore.remove_listener(this);
 
-  std::cerr << LINE_ID << " destroying socket " << this <<std::endl;
+//  std::cerr << LINE_ID << " destroying socket " << this <<std::endl;
 
 //  std::cerr<<_session<<std::endl;
 
@@ -410,6 +411,7 @@ namespace
 
     ret = SSL_connect(chan->ssl);
     if (ret <= 0) {
+//      std::cerr<<"ret handshake "<<ret<<std::endl;
       err = SSL_get_error(chan->ssl, ret);
       switch (err) {
         case SSL_ERROR_WANT_READ:
@@ -417,17 +419,17 @@ namespace
         case SSL_ERROR_WANT_WRITE:
           return 3;
         case SSL_ERROR_ZERO_RETURN:
-          g_warning("SSL handshake failed: %s", "server closed connection");
+//          g_warning("SSL handshake failed: %s", "server closed connection");
           return -1;
         case SSL_ERROR_SYSCALL:
           errstr = ERR_reason_error_string(ERR_get_error());
           if (errstr == NULL && ret == -1)
             errstr = strerror(errno);
-          g_warning("SSL handshake failed: %s", errstr != NULL ? errstr : "server closed connection unexpectedly");
+//          g_warning("SSL handshake failed: %s", errstr != NULL ? errstr : "server closed connection unexpectedly");
           return -1;
         default:
           errstr = ERR_reason_error_string(ERR_get_error());
-          g_warning("SSL handshake failed: %s", errstr != NULL ? errstr : "unknown SSL error");
+//          g_warning("SSL handshake failed: %s", errstr != NULL ? errstr : "unknown SSL error");
           return -1;
       }
     }
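Review bot: Commenting out the three `g_warning` calls in the `SSL_ERROR_ZERO_RETURN`, `SSL_ERROR_SYSCALL` and `default` arms removes the only record of why a handshake failed, so a rejected certificate, a server that dropped the connection and a protocol error all collapse into a bare `return -1` that neither the user nor the log can distinguish. If the messages were too noisy at warning level, demote them (for example `g_debug("SSL handshake failed: %s", ...)`) or route them through `Log` rather than silencing them; `errstr` is still computed on the surviving lines and is otherwise unused in those arms. The enclosing function begins outside the hunk.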
diff --git a/pan/usenet-utils/ssl-utils.h b/pan/usenet-utils/ssl-utils.h
index 404837d..d3ab163 100644
--- a/pan/usenet-utils/ssl-utils.h
+++ b/pan/usenet-utils/ssl-utils.h
@@ -18,8 +18,6 @@
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */
 
-/* based on verify_extract_name from tls_client.c in postfix */
-
 /** Copyright notice: Some code taken from here :
   * http://dslinux.gits.kiev.ua/trunk/user/irssi/src/src/core/network-openssl.c
   * Copyright (C) 2002 vjt (irssi project) */
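Review bot: Dropping `/* based on verify_extract_name from tls_client.c in postfix */` removes provenance for code that remains in the file — `tls_dns_name` and `tls_text_name` keep their postfix names in the later hunks — while the irssi notice right below it is kept. Provenance comments are what a later license or vulnerability review relies on to trace where a routine came from; keep the line or fold it into the surviving copyright block.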
@@ -29,18 +27,21 @@
 
 #ifdef HAVE_OPENSSL
 
+#include <pan/general/quark.h>
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
+#include <map>
+
 
 namespace pan
 {
 
   /* Checks if the given string has internal NUL characters. */
-  gboolean has_internal_nul(const char* str, int len) {
+  static gboolean has_internal_nul(const char* str, int len) {
     /* Remove trailing nul characters. They would give false alarms */
     while (len > 0 && str[len-1] == 0)
       len--;
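Review bot: Marking `has_internal_nul` (and, in the following hunks, `tls_dns_name`, `tls_text_name`, `match_hostname`, `ssl_verify_hostname` and `ssl_verify`) `static` in a header gives every translation unit that includes ssl-utils.h — now cert-store.cc as well — its own private copy of each function, and produces unused-function warnings in every unit that needs only one of them. For function definitions that live in a header, `inline` is the idiom that keeps a single definition while avoiding the multiple-definition error the non-static original would have caused, e.g. `inline gboolean has_internal_nul(const char* str, int len) {`.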
@@ -48,7 +49,7 @@ namespace pan
   }
 
   /* tls_dns_name - Extract valid DNS name from subjectAltName value */
-  const char *tls_dns_name(const GENERAL_NAME * gn)
+  static const char *tls_dns_name(const GENERAL_NAME * gn)
   {
     const char *dnsname;
 
@@ -71,7 +72,7 @@ namespace pan
   }
 
   /* tls_text_name - extract certificate property value by name */
-  char *tls_text_name(X509_NAME *name, int nid)
+  static char *tls_text_name(X509_NAME *name, int nid)
   {
     int     pos;
     X509_NAME_ENTRY *entry;
@@ -110,7 +111,7 @@ namespace pan
 
 
   /** check if a hostname in the certificate matches the hostname we used for the connection */
-  gboolean match_hostname(const char *cert_hostname, const char *hostname)
+  static gboolean match_hostname(const char *cert_hostname, const char *hostname)
   {
     const char *hostname_left;
 
@@ -126,7 +127,7 @@ namespace pan
     return FALSE;
   }
 
-  gboolean ssl_verify_hostname(X509 *cert, const char *hostname)
+  static gboolean ssl_verify_hostname(X509 *cert, const char *hostname)
   {
     int gen_index, gen_count;
     gboolean matched = FALSE, has_dns_name = FALSE;
@@ -180,7 +181,7 @@ namespace pan
     return matched;
   }
 
-  gboolean ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, X509 *cert)
+  static gboolean ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, X509 *cert)
   {
     long result;
 
@@ -226,6 +227,50 @@ namespace pan
     return TRUE;
   }
 
+  static std::map<int, Quark> ssl_err;
+  static int map_init(0);
+  typedef std::pair<int, Quark> err_p;
+
+  static void init_err_map()
+  {
+    ssl_err.insert(err_p(2,"X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT"));
+    ssl_err.insert(err_p(3,"X509_V_ERR_UNABLE_TO_GET_CRL"));
+    ssl_err.insert(err_p(4,"X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE"));
+    ssl_err.insert(err_p(5,"X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE"));
+    ssl_err.insert(err_p(6,"X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY"));
+    ssl_err.insert(err_p(7,"X509_V_ERR_CERT_SIGNATURE_FAILURE"));
+    ssl_err.insert(err_p(8,"X509_V_ERR_CRL_SIGNATURE_FAILURE"));
+    ssl_err.insert(err_p(9,"X509_V_ERR_CERT_NOT_YET_VALID"));
+    ssl_err.insert(err_p(10,"X509_V_ERR_CERT_HAS_EXPIRED"));
+    ssl_err.insert(err_p(11,"X509_V_ERR_CRL_NOT_YET_VALID"));
+    ssl_err.insert(err_p(12,"X509_V_ERR_CRL_HAS_EXPIRED"));
+    ssl_err.insert(err_p(13,"X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD"));
+    ssl_err.insert(err_p(14,"X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD"));
+    ssl_err.insert(err_p(15,"X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD"));
+    ssl_err.insert(err_p(16,"X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD"));
+    ssl_err.insert(err_p(17,"X509_V_ERR_OUT_OF_MEM"));
+    ssl_err.insert(err_p(18,"X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT"));
+    ssl_err.insert(err_p(19,"X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN"));
+    ssl_err.insert(err_p(20,"X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY "));
+    ssl_err.insert(err_p(21,"X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE	"));
+    ssl_err.insert(err_p(22,"X509_V_ERR_CERT_CHAIN_TOO_LONG"));
+    ssl_err.insert(err_p(23,"X509_V_ERR_CERT_REVOKED"));
+    ssl_err.insert(err_p(24,"X509_V_ERR_INVALID_CA"));
+    ssl_err.insert(err_p(25,"X509_V_ERR_PATH_LENGTH_EXCEEDED"));
+    ssl_err.insert(err_p(26,"X509_V_ERR_INVALID_PURPOSE"));
+    ssl_err.insert(err_p(27,"X509_V_ERR_CERT_UNTRUSTED"));
+    ssl_err.insert(err_p(28,"X509_V_ERR_CERT_REJECTED"));
+  }
+
+  static const Quark
+  ssl_err_to_string(int i)
+  {
+    if (map_init++ == 0) init_err_map();
+    Quark ret;
+    if (ssl_err.count(i) > 0) return ssl_err[i];
+    return ret;
+  }
+
 }
 
 #endif
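Review bot: `ssl_err_to_string` re-implements OpenSSL's own `X509_verify_cert_error_string(err)` with hard-coded numbers 2–28 instead of the `X509_V_ERR_*` macros, and two of the names carry stray trailing whitespace (entry 20 ends in a space, entry 21 in a tab), so the text shown for those codes is wrong; `return Quark (X509_verify_cert_error_string (i));` would replace the whole table. If the table is kept, the `map_init++` check-then-init is not thread-safe — the verify callback that calls it may be invoked from the socket code, which the socket-impl-main.cc hunk shows is configured for multithreaded OpenSSL use — and a `static` map plus flag in a header exist once per including translation unit, so the lazy initialisation happens separately in each. `ssl_err[i]` on the lookup line is the inserting `operator[]`; the preceding `count` guard makes it harmless, but `find` would say what is meant.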


