X-Git-Url: http://git.madism.org/?p=apps%2Fmadmutt.git;a=blobdiff_plain;f=mutt_ssl.c;h=f73cca73ca2b022ee5db8d60b84a4af6869e826a;hp=83b735b180a01ab4d8fc3e22600dad755df12394;hb=29ed7b79229bb8e12bb1ead911a9a48031861ede;hpb=96d53ff49c308769efbf708e1e65819077cb7af6

diff --git a/mutt_ssl.c b/mutt_ssl.c
index 83b735b..f73cca7 100644
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -11,6 +11,8 @@
 # include "config.h"
 #endif
 
+#ifdef USE_SSL
+
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
 #include <openssl/err.h>
@@ -84,7 +86,7 @@ int mutt_ssl_starttls (CONNECTION * conn)
   if (ssl_init ())
     goto bail;
 
-  ssldata = (sslsockdata *) safe_calloc (1, sizeof (sslsockdata));
+  ssldata = (sslsockdata *) mem_calloc (1, sizeof (sslsockdata));
   /* the ssl_use_xxx protocol options don't apply. We must use TLS in TLS. */
   if (!(ssldata->ctx = SSL_CTX_new (TLSv1_client_method ()))) {
     debug_print (1, ("Error allocating SSL_CTX\n"));
@@ -118,11 +120,11 @@ int mutt_ssl_starttls (CONNECTION * conn)
   return 0;
 
 bail_ssl:
-  FREE (&ssldata->ssl);
+  mem_free (&ssldata->ssl);
 bail_ctx:
-  FREE (&ssldata->ctx);
+  mem_free (&ssldata->ctx);
 bail_ssldata:
-  FREE (&ssldata);
+  mem_free (&ssldata);
 bail:
   return -1;
 }
@@ -137,7 +139,7 @@ bail:
  * versions also. (That's the reason for the ugly #ifdefs and macros,
  * otherwise I could have simply #ifdef'd the whole ssl_init funcion)
  */
-int ssl_init (void)
+static int ssl_init (void)
 {
   char path[_POSIX_PATH_MAX];
   static unsigned char init_complete = 0;
@@ -219,7 +221,7 @@ static int ssl_socket_open_err (CONNECTION * conn)
 }
 
 
-int ssl_socket_setup (CONNECTION * conn)
+int mutt_ssl_socket_setup (CONNECTION * conn)
 {
   if (ssl_init () < 0) {
     conn->conn_open = ssl_socket_open_err;
@@ -256,7 +258,7 @@ static int ssl_socket_open (CONNECTION * conn)
   if (raw_socket_open (conn) < 0)
     return -1;
 
-  data = (sslsockdata *) safe_calloc (1, sizeof (sslsockdata));
+  data = (sslsockdata *) mem_calloc (1, sizeof (sslsockdata));
   conn->sockdata = data;
 
   data->ctx = SSL_CTX_new (SSLv23_client_method ());
@@ -343,16 +345,57 @@ static int ssl_socket_close (CONNECTION * conn)
 
   if (data) {
     SSL_shutdown (data->ssl);
-
+#if 0
     X509_free (data->cert);
+#endif
     SSL_free (data->ssl);
     SSL_CTX_free (data->ctx);
-    FREE (&conn->sockdata);
+    mem_free (&conn->sockdata);
   }
 
   return raw_socket_close (conn);
 }
 
+static int compare_certificates (X509 *cert, X509 *peercert, 
+                                 unsigned char *peermd,
+                                 unsigned int peermdlen) {
+  unsigned char md[EVP_MAX_MD_SIZE];
+  unsigned int mdlen;
+
+  /* Avoid CPU-intensive digest calculation if the certificates are
+  * not even remotely equal.
+  */
+  if (X509_subject_name_cmp (cert, peercert) != 0 || 
+      X509_issuer_name_cmp (cert, peercert) != 0)
+    return -1;
+
+  if (!X509_digest (cert, EVP_sha1(), md, &mdlen) || peermdlen != mdlen)
+    return -1;
+
+  if (memcmp(peermd, md, mdlen) != 0)
+    return -1;
+
+  return 0;
+}
+
+static int check_certificate_cache (X509 *peercert) {
+  unsigned char peermd[EVP_MAX_MD_SIZE];
+  unsigned int peermdlen;
+  X509 *cert;
+  LIST *scert;
+
+  if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen)) 
+    return 0;
+
+  for (scert = SslSessionCerts; scert; scert = scert->next) {
+    cert = *(X509**)scert->data;
+    if (!compare_certificates (cert, peercert, peermd, peermdlen)) {
+      return 1;
+    }
+  }
+ return 0;
+}
+
 static int tls_close (CONNECTION * conn)
 {
   int rc;
@@ -374,7 +417,7 @@ static char *x509_get_part (char *line, const char *ndx)
 
   c = strstr (line, ndx);
   if (c) {
-    c += mutt_strlen (ndx);
+    c += str_len (ndx);
     c2 = strchr (c, '/');
     if (c2)
       *c2 = '\0';
@@ -400,7 +443,7 @@ static void x509_fingerprint (char *s, int l, X509 * cert)
       char ch[8];
 
       snprintf (ch, 8, "%02X%s", md[j], (j % 2 ? " " : ""));
-      safe_strcat (s, l, ch);
+      str_cat (s, l, ch);
     }
   }
 }
@@ -501,24 +544,9 @@ static int check_certificate_by_digest (X509 * peercert)
   }
 
   while ((cert = READ_X509_KEY (fp, &cert)) != NULL) {
-    unsigned char md[EVP_MAX_MD_SIZE];
-    unsigned int mdlen;
-
-    /* Avoid CPU-intensive digest calculation if the certificates are
-     * not even remotely equal.
-     */
-    if (X509_subject_name_cmp (cert, peercert) != 0 ||
-        X509_issuer_name_cmp (cert, peercert) != 0)
-      continue;
-
-    if (!X509_digest (cert, EVP_sha1 (), md, &mdlen) || peermdlen != mdlen)
-      continue;
-
-    if (memcmp (peermd, md, mdlen) != 0)
-      continue;
-
-    pass = 1;
-    break;
+    pass = compare_certificates (cert, peercert, peermd, peermdlen) ? 0 : 1;
+    if (pass)
+      break;
   }
   X509_free (cert);
   fclose (fp);
@@ -536,6 +564,12 @@ static int ssl_check_certificate (sslsockdata * data)
   FILE *fp;
   char *name = NULL, *c;
 
+  /* check session cache first */
+  if (check_certificate_cache (data->cert)) {
+    debug_print (1, ("ssl_check_certificate: using cached certificate\n"));
+    return 1;
+  }
+
   if (check_certificate_by_signer (data->cert)) {
     debug_print (1, ("signer check passed\n"));
     return 1;
@@ -550,9 +584,9 @@ static int ssl_check_certificate (sslsockdata * data)
   /* interactive check from user */
   menu = mutt_new_menu ();
   menu->max = 19;
-  menu->dialog = (char **) safe_calloc (1, menu->max * sizeof (char *));
+  menu->dialog = (char **) mem_calloc (1, menu->max * sizeof (char *));
   for (i = 0; i < menu->max; i++)
-    menu->dialog[i] = (char *) safe_calloc (1, SHORT_STRING * sizeof (char));
+    menu->dialog[i] = (char *) mem_calloc (1, SHORT_STRING * sizeof (char));
 
   row = 0;
   strfcpy (menu->dialog[row], _("This certificate belongs to:"),
@@ -590,7 +624,9 @@ static int ssl_check_certificate (sslsockdata * data)
   snprintf (menu->dialog[row++], SHORT_STRING, _("Fingerprint: %s"), buf);
 
   menu->title = _("SSL Certificate check");
-  if (SslCertFile) {
+
+  if (SslCertFile && X509_cmp_current_time (X509_get_notAfter (data->cert)) >= 0
+      && X509_cmp_current_time (X509_get_notBefore (data->cert)) < 0) {
     menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always");
     menu->keys = _("roa");
   }
@@ -601,9 +637,9 @@ static int ssl_check_certificate (sslsockdata * data)
 
   helpstr[0] = '\0';
   mutt_make_help (buf, sizeof (buf), _("Exit  "), MENU_GENERIC, OP_EXIT);
-  safe_strcat (helpstr, sizeof (helpstr), buf);
+  str_cat (helpstr, sizeof (helpstr), buf);
   mutt_make_help (buf, sizeof (buf), _("Help"), MENU_GENERIC, OP_HELP);
-  safe_strcat (helpstr, sizeof (helpstr), buf);
+  str_cat (helpstr, sizeof (helpstr), buf);
   menu->help = helpstr;
 
   done = 0;
@@ -633,6 +669,10 @@ static int ssl_check_certificate (sslsockdata * data)
       /* fall through */
     case OP_MAX + 2:           /* accept once */
       done = 2;
+      /* keep a handle on accepted certificates in case we want to
+       * open up another connection to the same server in this session */
+      SslSessionCerts = mutt_add_list_n (SslSessionCerts, &data->cert,
+                                         sizeof (X509 **));
       break;
     }
   }
@@ -669,3 +709,5 @@ static int ssl_passwd_cb (char *buf, int size, int rwflag, void *userdata)
 
   return snprintf (buf, size, "%s", account->pass);
 }
+
+#endif /* USE_SSL */