[pan2: 218/268] TODO : better handling of expired certs, for now they are just accepted.



commit 7312588bacb1e55eb555e7fa533b637cbddf938d
Author: Heinrich MÃller <sphemuel stud informatik uni-erlangen de>
Date:   Sat Dec 3 01:08:58 2011 +0100

    TODO : better handling of expired certs, for now they are just accepted.
    
    Conflicts:
    
    	pan/data/cert-store.cc
    	pan/usenet-utils/ssl-utils.h

 pan.cbp                          |    1 +
 pan/data/cert-store.cc           |   13 +++++++++----
 pan/data/cert-store.h            |   17 ++++++++---------
 pan/gui/gui.cc                   |    2 +-
 pan/tasks/socket-impl-main.h     |   20 --------------------
 pan/tasks/socket-impl-openssl.cc |    2 +-
 pan/usenet-utils/ssl-utils.h     |    6 ++++--
 7 files changed, 24 insertions(+), 37 deletions(-)
---
diff --git a/pan.cbp b/pan.cbp
index e165e09..02227b0 100644
--- a/pan.cbp
+++ b/pan.cbp
@@ -5,6 +5,7 @@
 		<Option title="pan" />
 		<Option makefile_is_custom="1" />
 		<Option pch_mode="2" />
+		<Option default_target="all_linux" />
 		<Option compiler="gcc" />
 		<MakeCommands>
 			<Build command="$make -j8 -f $makefile $target" />
diff --git a/pan/data/cert-store.cc b/pan/data/cert-store.cc
index be372e7..a5817fa 100644
--- a/pan/data/cert-store.cc
+++ b/pan/data/cert-store.cc
@@ -4,7 +4,7 @@
  * Copyright (C) 2002-2006  Charles Kerr <charles rebelbase com>
  *
  * This file
- * Copyright (C) 2011 Heinrich Mü<sphemuel stud informatik uni-erlangen de>
+ * Copyright (C) 2011 Heinrich Mïller <sphemuel stud informatik uni-erlangen de>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -63,16 +63,19 @@ namespace pan
 
     if (!ok)
     {
-      if (mydata->ignore_all==1) { return 1; }
+      int err = X509_STORE_CTX_get_error(store);
 
       X509 *cert = X509_STORE_CTX_get_current_cert(store);
       CRYPTO_add (&(cert->references), 1, CRYPTO_LOCK_X509); // refcount +1
-      int err = X509_STORE_CTX_get_error(store);
+      if (err == X509_V_ERR_CERT_HAS_EXPIRED)
+        if (!mydata->cs->is_ignored(cert))
+            mydata->cs->ignore(cert);
+        else return 1;
 
       /* accept user-override on self-signed certificates */
       if (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
           err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
-          err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
+          err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY )
         mydata->cs->verify_failed(cert, mydata->server, mydata->cert_name, err);
       else
         g_warning("[[DEBUG:]] unknown error condition, please report me: %s", ssl_err_to_string(err).c_str());
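Review bot: The expired-certificate branch (`if (err == X509_V_ERR_CERT_HAS_EXPIRED)` through `else return 1;`) returns without releasing the reference that `CRYPTO_add` takes two lines above it, and its nested unbraced `if`/`else` reads correctly only because of the indentation. On first sight the certificate is inserted into the ignore set and then falls through to the `else` that logs `unknown error condition`, which is misleading for a case the code has just handled; on every later handshake `ssl_verify` (ssl-utils.h hunk) accepts it with no prompt, which the commit message acknowledges as a TODO. I would brace the branch, release the reference on the accepting return, and chain the self-signed check as `else if` so the expired case never reaches the warning. verify_callback continues past the hunk, so what the first-sight path finally returns is not visible here.
```cpp
      if (err == X509_V_ERR_CERT_HAS_EXPIRED)
      {
        /* TODO: prompt the user before trusting an expired certificate;
           for now it is accepted from the second handshake on */
        if (mydata->cs->is_ignored(cert)) { X509_free(cert); return 1; } // refcount -1
        mydata->cs->ignore(cert);   // the set keeps the reference taken above
      }
      /* accept user-override on self-signed certificates */
      else if (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
               err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
               err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
        mydata->cs->verify_failed(cert, mydata->server, mydata->cert_name, err);
      // … unchanged: else g_warning(...) …
```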
@@ -108,6 +111,7 @@ namespace pan
     return cnt;
   }
 
+
   void
   CertStore :: init_me()
   {
@@ -120,6 +124,7 @@ namespace pan
     get_all_certs_from_disk (certs);
     foreach_const (std::set<X509*>, certs, it)
       if (X509_STORE_add_cert(_store, *it) != 0) ++r;
+
     if (r != 0) Log::add_info_va(_("Succesfully added %d SSL PEM certificate(s) to Certificate Store."), r);
     SSL_CTX_set_verify(_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
 
diff --git a/pan/data/cert-store.h b/pan/data/cert-store.h
index 5700ba8..b60d351 100644
--- a/pan/data/cert-store.h
+++ b/pan/data/cert-store.h
@@ -57,7 +57,9 @@ namespace pan
     private:
       SSL_CTX* _ctx;
       typedef std::set<Quark> certs_t;
+      typedef std::set<X509*> certs_s;
       certs_t _certs;
+      certs_s _ignores;
       typedef std::map<Quark,X509*> certs_m;
       typedef std::pair<Quark,X509*> certs_p;
       certs_m _cert_to_server;
@@ -101,19 +103,16 @@ namespace pan
         _blacklist.erase(s);
       }
 
-      void dump_blacklist()
+      void ignore (X509* cert)
       {
-        std::cerr<<"#################\n";
-        std::cerr<<_blacklist.size()<<std::endl;
-        std::cerr<<"#################\n\n";
+        _ignores.insert(cert);
       }
 
-      void dump_certs()
+      bool is_ignored(X509* c)
       {
-        std::cerr<<"#################\n";
-        foreach_const(certs_t, _certs, it)
-          std::cerr<<*it<<"\n";
-        std::cerr<<"#################\n\n";
+        foreach (certs_s, _ignores, it)
+          if (X509_cmp(c, *it)==0) return true;
+        return false;
       }
 
     private:
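Review bot: `ignore` and `is_ignored` (and the `_ignores` member added in the first hunk of this file) store raw `X509*` without documenting who owns the reference; the only caller visible in this commit (cert-store.cc) passes a pointer it has just ref-counted up and never releases, so the set effectively owns those references but nothing here frees them, and since `_ignores` is a `std::set<X509*>` two `X509` objects for the same certificate can both be inserted unless every caller checks `is_ignored` first. I would add above the two methods: `/* Certificates whose X509_V_ERR_CERT_HAS_EXPIRED failure is accepted for this session. The caller must hold a reference for the lifetime of the store; matched with X509_cmp, not by pointer. */`, and make the insert idempotent: `if (!is_ignored(cert)) _ignores.insert(cert);`. Whether the destructor, outside the hunk, releases the set cannot be seen here.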
diff --git a/pan/gui/gui.cc b/pan/gui/gui.cc
index fdaaafe..bbcf55a 100644
--- a/pan/gui/gui.cc
+++ b/pan/gui/gui.cc
@@ -2103,7 +2103,6 @@ GUI :: do_show_cert_failed_dialog(VerifyData* data)
     if (!_certstore.add(d.cert, d.server))
       Log::add_urgent_va("Error adding certificate of server '%s' to Certificate Store",d.server.c_str());
 
-  X509_free(d.cert); // refcount -1
   delete data;
 }
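Review bot: With the unconditional `X509_free(d.cert)` removed from do_show_cert_failed_dialog, the failure branch at `if (!_certstore.add(d.cert, d.server))` no longer releases the certificate at all, since the matching free now lives in on_valid_cert_added (second hunk of this file), which presumably only runs when the add succeeds. I would free on the failure path: `{ Log::add_urgent_va(...); X509_free(d.cert); // refcount -1 }`. The free in on_valid_cert_added assumes CertStore::add took its own reference on the object it stores; that is not visible in this commit, and whether the dialog's cancel path, outside this hunk, still releases its reference also needs checking.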
 
@@ -2137,6 +2136,7 @@ void
 GUI :: on_valid_cert_added (X509* cert, std::string server)
 {
   /* whitelist to make avaible for nntp-pool */
+  X509_free(cert); // refcount -1
   _certstore.whitelist(server);
 }
 
diff --git a/pan/tasks/socket-impl-main.h b/pan/tasks/socket-impl-main.h
index 0e7a73a..0699a12 100644
--- a/pan/tasks/socket-impl-main.h
+++ b/pan/tasks/socket-impl-main.h
@@ -157,26 +157,6 @@ namespace pan
                                   Socket::Creator::Listener * listener,
                                   bool               use_ssl);
 
-//      struct Listener
-//      {
-//        virtual ~Listener() {}
-//        /* functions that other listeners listen on */
-//        virtual void on_handshake_done (X509* cert UNUSED, std::string server UNUSED, std::string cert_name UNUSED, int nr UNUSED) = 0;
-//      };
-//
-//      typedef std::set<Listener*> listeners_t;
-//      listeners_t _listeners;
-//
-//      void add_listener (Listener * l)    { _listeners.insert(l); }
-//      void remove_listener (Listener * l) { _listeners.erase(l);  }
-//
-//      /* notify functions for listener list */
-//      void handshake_done (X509* c, std::string server, std::string cn, int nr)
-//      {
-//        for (listeners_t::iterator it(_listeners.begin()), end(_listeners.end()); it!=end; ++it)
-//          (*it)->on_handshake_done (c, server, cn, nr);
-//      }
-
   };
 
 }
diff --git a/pan/tasks/socket-impl-openssl.cc b/pan/tasks/socket-impl-openssl.cc
index d223880..e1202ab 100644
--- a/pan/tasks/socket-impl-openssl.cc
+++ b/pan/tasks/socket-impl-openssl.cc
@@ -482,7 +482,7 @@ namespace
       return -1;
     }
 
-    ret = !chan->verify || ssl_verify(chan->ssl, chan->ctx, host.c_str(), cert);
+    ret = !chan->verify || ssl_verify(cs, chan->ssl, chan->ctx, host.c_str(), cert);
     X509_free(cert);
     return ret ? 0 : -1;
 
diff --git a/pan/usenet-utils/ssl-utils.h b/pan/usenet-utils/ssl-utils.h
index f0422bb..51bf9a5 100644
--- a/pan/usenet-utils/ssl-utils.h
+++ b/pan/usenet-utils/ssl-utils.h
@@ -5,7 +5,7 @@
  * Copyright (C) 2002-2006  Charles Kerr <charles rebelbase com>
  *
  * This file
- * Copyright (C) 2011 Heinrich Mü<sphemuel stud informatik uni-erlangen de>
+ * Copyright (C) 2011 Heinrich Mïller <sphemuel stud informatik uni-erlangen de>
  * SSL functions : Copyright (C) 2002 vjt (irssi project)
  * getTimeFromASN1 : Copyright (C) 2003 Jay Case,
  * taken from : http://www.mail-archive.com/openssl-users openssl org/msg33365.html
@@ -29,6 +29,7 @@
 
 #ifdef HAVE_OPENSSL
 
+#include <pan/data/cert-store.h>
 #include <pan/tasks/socket.h>
 #include <pan/general/quark.h>
 #include <pan/general/macros.h>
@@ -192,11 +193,12 @@ namespace pan
     return matched;
   }
 
-  static gboolean ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, X509 *cert)
+  static gboolean ssl_verify(CertStore* cs, SSL *ssl, SSL_CTX *ctx, const char* hostname, X509 *cert)
   {
     long result;
 
     result = SSL_get_verify_result(ssl);
+    if (result == X509_V_ERR_CERT_HAS_EXPIRED && cs->is_ignored(cert)) return true;
     if (result != X509_V_OK) {
       unsigned char md[EVP_MAX_MD_SIZE];
       unsigned int n;
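Review bot: The new early return `if (result == X509_V_ERR_CERT_HAS_EXPIRED && cs->is_ignored(cert)) return true;` leaves ssl_verify before whatever follows the `result != X509_V_OK` block; the `return matched;` helper just above suggests a hostname match is done later in this function (its body runs past the hunk), in which case an ignored expired certificate would also bypass the hostname check. Safer is to downgrade the result and keep going, `if (result == X509_V_ERR_CERT_HAS_EXPIRED && cs && cs->is_ignored(cert)) result = X509_V_OK;`, which also guards the new `cs` parameter that socket-impl-openssl.cc now passes from a variable defined outside its hunk. The accepted-expired case is worth a one-line comment here too, e.g. `/* expired cert already accepted this session (see CertStore::ignore) */`.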


