#include "lib/mem.h"
#include "lib/intl.h"
#include "lib/str.h"
+#include "lib/debug.h"
#if OPENSSL_VERSION_NUMBER >= 0x00904000L
#define READ_X509_KEY(fp, key) PEM_read_X509(fp, key, NULL, NULL)
ssldata = (sslsockdata *) safe_calloc (1, sizeof (sslsockdata));
/* the ssl_use_xxx protocol options don't apply. We must use TLS in TLS. */
if (!(ssldata->ctx = SSL_CTX_new (TLSv1_client_method ()))) {
- dprint (1, (debugfile, "mutt_ssl_starttls: Error allocating SSL_CTX\n"));
+ debug_print (1, ("Error allocating SSL_CTX\n"));
goto bail_ssldata;
}
ssl_get_client_cert (ssldata, conn);
if (!(ssldata->ssl = SSL_new (ssldata->ctx))) {
- dprint (1, (debugfile, "mutt_ssl_starttls: Error allocating SSL\n"));
+ debug_print (1, ("Error allocating SSL\n"));
goto bail_ctx;
}
if (SSL_set_fd (ssldata->ssl, conn->fd) != 1) {
- dprint (1, (debugfile, "mutt_ssl_starttls: Error setting fd\n"));
+ debug_print (1, ("Error setting fd\n"));
goto bail_ssl;
}
if (data) {
SSL_shutdown (data->ssl);
-
+#if 0
X509_free (data->cert);
+#endif
SSL_free (data->ssl);
SSL_CTX_free (data->ctx);
FREE (&conn->sockdata);
return raw_socket_close (conn);
}
+static int compare_certificates (X509 *cert, X509 *peercert,
+ unsigned char *peermd,
+ unsigned int peermdlen) {
+ unsigned char md[EVP_MAX_MD_SIZE];
+ unsigned int mdlen;
+
+ /* Avoid CPU-intensive digest calculation if the certificates are
+ * not even remotely equal.
+ */
+ if (X509_subject_name_cmp (cert, peercert) != 0 ||
+ X509_issuer_name_cmp (cert, peercert) != 0)
+ return -1;
+
+ if (!X509_digest (cert, EVP_sha1(), md, &mdlen) || peermdlen != mdlen)
+ return -1;
+
+ if (memcmp(peermd, md, mdlen) != 0)
+ return -1;
+
+ return 0;
+}
+
+static int check_certificate_cache (X509 *peercert) {
+ unsigned char peermd[EVP_MAX_MD_SIZE];
+ unsigned int peermdlen;
+ X509 *cert;
+ LIST *scert;
+
+ if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen))
+ return 0;
+
+ for (scert = SslSessionCerts; scert; scert = scert->next) {
+ cert = *(X509**)scert->data;
+ if (!compare_certificates (cert, peercert, peermd, peermdlen)) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
static int tls_close (CONNECTION * conn)
{
int rc;
if (X509_STORE_set_default_paths (ctx))
pass++;
else
- dprint (2, (debugfile, "X509_STORE_set_default_paths failed\n"));
+ debug_print (2, ("X509_STORE_set_default_paths failed\n"));
}
if (X509_STORE_load_locations (ctx, SslCertFile, NULL))
pass++;
else
- dprint (2, (debugfile, "X509_STORE_load_locations_failed\n"));
+ debug_print (2, ("X509_STORE_load_locations_failed\n"));
if (pass == 0) {
/* nothing to do */
err = X509_STORE_CTX_get_error (&xsc);
snprintf (buf, sizeof (buf), "%s (%d)",
X509_verify_cert_error_string (err), err);
- dprint (2, (debugfile, "X509_verify_cert: %s\n", buf));
+ debug_print (2, ("X509_verify_cert: %s\n", buf));
}
#endif
X509_STORE_CTX_cleanup (&xsc);
/* expiration check */
if (X509_cmp_current_time (X509_get_notBefore (peercert)) >= 0) {
- dprint (2, (debugfile, "Server certificate is not yet valid\n"));
+ debug_print (2, ("Server certificate is not yet valid\n"));
mutt_error (_("Server certificate is not yet valid"));
mutt_sleep (2);
return 0;
}
if (X509_cmp_current_time (X509_get_notAfter (peercert)) <= 0) {
- dprint (2, (debugfile, "Server certificate has expired"));
+ debug_print (2, ("Server certificate has expired\n"));
mutt_error (_("Server certificate has expired"));
mutt_sleep (2);
return 0;
}
while ((cert = READ_X509_KEY (fp, &cert)) != NULL) {
- unsigned char md[EVP_MAX_MD_SIZE];
- unsigned int mdlen;
-
- /* Avoid CPU-intensive digest calculation if the certificates are
- * not even remotely equal.
- */
- if (X509_subject_name_cmp (cert, peercert) != 0 ||
- X509_issuer_name_cmp (cert, peercert) != 0)
- continue;
-
- if (!X509_digest (cert, EVP_sha1 (), md, &mdlen) || peermdlen != mdlen)
- continue;
-
- if (memcmp (peermd, md, mdlen) != 0)
- continue;
-
- pass = 1;
- break;
+ pass = compare_certificates (cert, peercert, peermd, peermdlen) ? 0 : 1;
+ if (pass)
+ break;
}
X509_free (cert);
fclose (fp);
FILE *fp;
char *name = NULL, *c;
+ /* check session cache first */
+ if (check_certificate_cache (data->cert)) {
+ debug_print (1, ("ssl_check_certificate: using cached certificate\n"));
+ return 1;
+ }
+
if (check_certificate_by_signer (data->cert)) {
- dprint (1, (debugfile, "ssl_check_certificate: signer check passed\n"));
+ debug_print (1, ("signer check passed\n"));
return 1;
}
/* automatic check from user's database */
if (SslCertFile && check_certificate_by_digest (data->cert)) {
- dprint (1, (debugfile, "ssl_check_certificate: digest check passed\n"));
+ debug_print (1, ("digest check passed\n"));
return 1;
}
snprintf (menu->dialog[row++], SHORT_STRING, _("Fingerprint: %s"), buf);
menu->title = _("SSL Certificate check");
- if (SslCertFile) {
+
+ if (SslCertFile && X509_cmp_current_time (X509_get_notAfter (data->cert)) >= 0
+ && X509_cmp_current_time (X509_get_notBefore (data->cert)) < 0) {
menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always");
menu->keys = _("roa");
}
/* fall through */
case OP_MAX + 2: /* accept once */
done = 2;
+ /* keep a handle on accepted certificates in case we want to
+ * open up another connection to the same server in this session */
+ SslSessionCerts = mutt_add_list_n (SslSessionCerts, &data->cert,
+ sizeof (X509 **));
break;
}
}
static void ssl_get_client_cert (sslsockdata * ssldata, CONNECTION * conn)
{
if (SslClientCert) {
- dprint (2, (debugfile, "Using client certificate %s\n", SslClientCert));
+ debug_print (2, ("Using client certificate %s\n", SslClientCert));
SSL_CTX_set_default_passwd_cb_userdata (ssldata->ctx, &conn->account);
SSL_CTX_set_default_passwd_cb (ssldata->ctx, ssl_passwd_cb);
SSL_CTX_use_certificate_file (ssldata->ctx, SslClientCert,
if (mutt_account_getuser (account))
return 0;
- dprint (2, (debugfile, "ssl_passwd_cb: getting password for %s@%s:%u\n",
+ debug_print (2, ("getting password for %s@%s:%u\n",
account->user, account->host, account->port));
if (mutt_account_getpass (account))
projects / apps / madmutt.git / blobdiff