* please see the file GPL in the top level source directory.
*/
-#if HAVE_CONFIG_H
-# include "config.h"
-#endif
+#include <lib-lib/lib-lib.h>
#ifdef USE_SSL
#include <openssl/err.h>
#include <openssl/rand.h>
-#include <string.h>
-
-#include <lib-lib/mem.h>
-#include <lib-lib/str.h>
-#include <lib-lib/macros.h>
-#include <lib-lib/debug.h>
-
#include <lib-ui/curses.h>
#include <lib-ui/menu.h>
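Review bot: With the `config.h` include gone, the `#ifdef USE_SSL` right after the new `lib-lib/lib-lib.h` include has to obtain `USE_SSL` from that header or from the compiler command line; if neither defines it, the preprocessor silently discards the whole SSL transport instead of failing the build. Presumably lib-lib.h now pulls in config.h (and `<string.h>`, which this hunk also drops), but that is not visible here and is worth confirming. A one-line comment after the include, `/* lib-lib.h provides config.h (USE_SSL) and the string helpers used below */`, would record the assumption for the next reader.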
ssldata = p_new(sslsockdata, 1);
/* the ssl_use_xxx protocol options don't apply. We must use TLS in TLS. */
if (!(ssldata->ctx = SSL_CTX_new (TLSv1_client_method ()))) {
- debug_print (1, ("Error allocating SSL_CTX\n"));
goto bail_ssldata;
}
ssl_get_client_cert (ssldata, conn);
if (!(ssldata->ssl = SSL_new (ssldata->ctx))) {
- debug_print (1, ("Error allocating SSL\n"));
goto bail_ctx;
}
if (SSL_set_fd (ssldata->ssl, conn->fd) != 1) {
- debug_print (1, ("Error setting fd\n"));
goto bail_ssl;
}
if (data) {
SSL_shutdown (data->ssl);
-#if 0
- X509_free (data->cert);
-#endif
SSL_free (data->ssl);
SSL_CTX_free (data->ctx);
p_delete(&conn->sockdata);
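Review bot: Nothing in this teardown releases `data->cert` now that the disabled `X509_free (data->cert)` is gone, while `data->ssl`, `data->ctx` and the sockdata itself are all freed. If `data->cert` is obtained from `SSL_get_peer_certificate()` elsewhere in the file, that call returns a counted reference and the X509 object leaks on every connection close; if it is instead borrowed from the SSL object, the old `#if 0` was right and a comment should say so, e.g. `/* data->cert is borrowed from data->ssl; SSL_free releases it, do not X509_free here */`. I can't tell which from this hunk, so please check where `cert` is assigned.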
unsigned char peermd[EVP_MAX_MD_SIZE];
unsigned int peermdlen;
X509 *cert;
- LIST *scert;
+ string_list_t *scert;
if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen))
return 0;
static char *x509_get_part (char *line, const char *ndx)
{
- static char ret[SHORT_STRING];
+ static char ret[STRING];
char *c, *c2;
m_strcpy(ret, sizeof(ret), _("Unknown"));
if (option (OPTSSLSYSTEMCERTS)) {
if (X509_STORE_set_default_paths (ctx))
pass++;
- else
- debug_print (2, ("X509_STORE_set_default_paths failed\n"));
}
if (X509_STORE_load_locations (ctx, SslCertFile, NULL))
pass++;
- else
- debug_print (2, ("X509_STORE_load_locations_failed\n"));
if (pass == 0) {
/* nothing to do */
X509_STORE_CTX_init (&xsc, ctx, peercert, NULL);
pass = (X509_verify_cert (&xsc) > 0);
-#ifdef DEBUG
- if (!pass) {
- char buf[SHORT_STRING];
- int err;
-
- err = X509_STORE_CTX_get_error (&xsc);
- snprintf (buf, sizeof (buf), "%s (%d)",
- X509_verify_cert_error_string (err), err);
- debug_print (2, ("X509_verify_cert: %s\n", buf));
- }
-#endif
X509_STORE_CTX_cleanup (&xsc);
X509_STORE_free (ctx);
/* expiration check */
if (X509_cmp_current_time (X509_get_notBefore (peercert)) >= 0) {
- debug_print (2, ("Server certificate is not yet valid\n"));
mutt_error (_("Server certificate is not yet valid"));
mutt_sleep (2);
return 0;
}
if (X509_cmp_current_time (X509_get_notAfter (peercert)) <= 0) {
- debug_print (2, ("Server certificate has expired\n"));
mutt_error (_("Server certificate has expired"));
mutt_sleep (2);
return 0;
return 0;
if (!X509_digest (peercert, EVP_sha1 (), peermd, &peermdlen)) {
- fclose (fp);
+ m_fclose(&fp);
return 0;
}
break;
}
X509_free (cert);
- fclose (fp);
+ m_fclose(&fp);
return pass;
}
static int ssl_check_certificate (sslsockdata * data)
{
char *part[] = { "/CN=", "/Email=", "/O=", "/OU=", "/L=", "/ST=", "/C=" };
- char helpstr[SHORT_STRING];
- char buf[SHORT_STRING];
+ char helpstr[STRING];
+ char buf[STRING];
MUTTMENU *menu;
int done, row, i;
FILE *fp;
/* check session cache first */
if (check_certificate_cache (data->cert)) {
- debug_print (1, ("ssl_check_certificate: using cached certificate\n"));
return 1;
}
if (check_certificate_by_signer (data->cert)) {
- debug_print (1, ("signer check passed\n"));
return 1;
}
/* automatic check from user's database */
if (SslCertFile && check_certificate_by_digest (data->cert)) {
- debug_print (1, ("digest check passed\n"));
return 1;
}
menu->max = 19;
menu->dialog = p_new(char *, menu->max);
for (i = 0; i < menu->max; i++)
- menu->dialog[i] = p_new(char, SHORT_STRING);
+ menu->dialog[i] = p_new(char, STRING);
row = 0;
- m_strcpy(menu->dialog[row], SHORT_STRING,
+ m_strcpy(menu->dialog[row], STRING,
_("This certificate belongs to:"));
row++;
name = X509_NAME_oneline (X509_get_subject_name (data->cert),
buf, sizeof (buf));
for (i = 0; i < 5; i++) {
c = x509_get_part (name, part[i]);
- snprintf (menu->dialog[row++], SHORT_STRING, " %s", c);
+ snprintf (menu->dialog[row++], STRING, " %s", c);
}
row++;
- m_strcpy(menu->dialog[row], SHORT_STRING,
+ m_strcpy(menu->dialog[row], STRING,
_("This certificate was issued by:"));
row++;
name = X509_NAME_oneline (X509_get_issuer_name (data->cert),
buf, sizeof (buf));
for (i = 0; i < 5; i++) {
c = x509_get_part (name, part[i]);
- snprintf (menu->dialog[row++], SHORT_STRING, " %s", c);
+ snprintf (menu->dialog[row++], STRING, " %s", c);
}
row++;
- snprintf (menu->dialog[row++], SHORT_STRING, "%s",
+ snprintf (menu->dialog[row++], STRING, "%s",
_("This certificate is valid"));
- snprintf (menu->dialog[row++], SHORT_STRING, _(" from %s"),
+ snprintf (menu->dialog[row++], STRING, _(" from %s"),
asn1time_to_string (X509_get_notBefore (data->cert)));
- snprintf (menu->dialog[row++], SHORT_STRING, _(" to %s"),
+ snprintf (menu->dialog[row++], STRING, _(" to %s"),
asn1time_to_string (X509_get_notAfter (data->cert)));
row++;
buf[0] = '\0';
x509_fingerprint (buf, sizeof (buf), data->cert);
- snprintf (menu->dialog[row++], SHORT_STRING, _("Fingerprint: %s"), buf);
+ snprintf (menu->dialog[row++], STRING, _("Fingerprint: %s"), buf);
menu->title = _("SSL Certificate check");
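Review bot: `menu->max = 19` is a magic count that must match exactly the rows filled in below (2 headings, 5 subject and 5 issuer parts, three validity lines, the fingerprint line and three blank spacer rows); the `row++` spacers and the `STRING`-sized rows changed in this hunk keep it in sync, but nothing documents the dependency, and one extra `row++` would index past `menu->dialog`. A comment on the assignment, `menu->max = 19; /* must equal the rows filled below: 2 headings + 10 name parts + 3 validity + 1 fingerprint + 3 blank */`, and an `assert (row <= menu->max);` after the fingerprint line would make the coupling visible.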
if ((fp = fopen (SslCertFile, "a"))) {
if (PEM_write_X509 (fp, data->cert))
done = 1;
- fclose (fp);
+ m_fclose(&fp);
}
if (!done) {
mutt_error (_("Warning: Couldn't save certificate"));
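Review bot: `done` is set on `PEM_write_X509` success but the new `m_fclose(&fp)` is not checked, so a flush failure at close (disk full, I/O error) goes unnoticed: the user is not warned, and `SslCertFile` may be left with a truncated PEM block that `check_certificate_by_digest` will later have to parse. If `m_fclose` propagates `fclose`'s return value, `int wrote = PEM_write_X509 (fp, data->cert);` followed by `done = (m_fclose (&fp) == 0) && wrote;` covers both failures without leaking the handle. The read-only `m_fclose` in the `check_certificate_by_digest` hunk does not need the same treatment.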
static void ssl_get_client_cert (sslsockdata * ssldata, CONNECTION * conn)
{
if (SslClientCert) {
- debug_print (2, ("Using client certificate %s\n", SslClientCert));
SSL_CTX_set_default_passwd_cb_userdata (ssldata->ctx, &conn->account);
SSL_CTX_set_default_passwd_cb (ssldata->ctx, ssl_passwd_cb);
SSL_CTX_use_certificate_file (ssldata->ctx, SslClientCert,
if (mutt_account_getuser (account))
return 0;
- debug_print (2, ("getting password for %s@%s:%u\n",
- account->user, account->host, account->port));
-
if (mutt_account_getpass (account))
return 0;