sylpheed-check-ssl-hostname.patch

Andrew Ayer, 02/24/2014 03:59 AM

Download (7.85 KB)

View differences:

libsylph/ssl.c (working copy)
27 27

  
28 28
#include <glib.h>
29 29
#include <glib/gi18n.h>
30
#include <strings.h>
31
#include <openssl/x509v3.h>
30 32

  
31 33
#include "utils.h"
32 34
#include "ssl.h"
......
65 67
	return NULL;
66 68
}
67 69

  
70
/*
71
 * Helper functions to perform basic hostname validation using OpenSSL.
72
 *
73
 * Copyright (C) 2012, iSEC Partners.
74
 * 
75
 * Permission is hereby granted, free of charge, to any person obtaining a copy of 
76
 * this software and associated documentation files (the "Software"), to deal in 
77
 * the Software without restriction, including without limitation the rights to 
78
 * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 
79
 * of the Software, and to permit persons to whom the Software is furnished to do 
80
 * so, subject to the following conditions:
81
 * 
82
 * The above copyright notice and this permission notice shall be included in all 
83
 * copies or substantial portions of the Software.
84
 * 
85
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
86
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
87
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
88
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
89
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 
90
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 
91
 * SOFTWARE.
92
 *
93
 */
94
typedef enum {
95
	MatchFound,
96
	MatchNotFound,
97
	NoSANPresent,
98
	MalformedCertificate,
99
	Error
100
} HostnameValidationResult;
101

  
102
#define HOSTNAME_MAX_SIZE 255
103

  
104
/**
105
* Tries to find a match for hostname in the certificate's Common Name field.
106
*
107
* Returns MatchFound if a match was found.
108
* Returns MatchNotFound if no matches were found.
109
* Returns MalformedCertificate if the Common Name had a NUL character embedded in it.
110
* Returns Error if the Common Name could not be extracted.
111
*/
112
static HostnameValidationResult matches_common_name(const char *hostname, const X509 *server_cert) {
113
	int common_name_loc = -1;
114
	X509_NAME_ENTRY *common_name_entry = NULL;
115
	ASN1_STRING *common_name_asn1 = NULL;
116
	char *common_name_str = NULL;
117

  
118
	// Find the position of the CN field in the Subject field of the certificate
119
	common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *) server_cert), NID_commonName, -1);
120
	if (common_name_loc < 0) {
121
		return Error;
122
	}
123

  
124
	// Extract the CN field
125
	common_name_entry = X509_NAME_get_entry(X509_get_subject_name((X509 *) server_cert), common_name_loc);
126
	if (common_name_entry == NULL) {
127
		return Error;
128
	}
129

  
130
	// Convert the CN field to a C string
131
	common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);
132
	if (common_name_asn1 == NULL) {
133
		return Error;
134
	}			
135
	common_name_str = (char *) ASN1_STRING_data(common_name_asn1);
136

  
137
	// Make sure there isn't an embedded NUL character in the CN
138
	if (ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) {
139
		return MalformedCertificate;
140
	}
141

  
142
	// Compare expected hostname with the CN
143
	if (strcasecmp(hostname, common_name_str) == 0) {
144
		return MatchFound;
145
	}
146
	else {
147
		return MatchNotFound;
148
	}
149
}
150

  
151

  
152
/**
153
* Tries to find a match for hostname in the certificate's Subject Alternative Name extension.
154
*
155
* Returns MatchFound if a match was found.
156
* Returns MatchNotFound if no matches were found.
157
* Returns MalformedCertificate if any of the hostnames had a NUL character embedded in it.
158
* Returns NoSANPresent if the SAN extension was not present in the certificate.
159
*/
160
static HostnameValidationResult matches_subject_alternative_name(const char *hostname, const X509 *server_cert) {
161
	HostnameValidationResult result = MatchNotFound;
162
	int i;
163
	int san_names_nb = -1;
164
	STACK_OF(GENERAL_NAME) *san_names = NULL;
165

  
166
	// Try to extract the names within the SAN extension from the certificate
167
	san_names = X509_get_ext_d2i((X509 *) server_cert, NID_subject_alt_name, NULL, NULL);
168
	if (san_names == NULL) {
169
		return NoSANPresent;
170
	}
171
	san_names_nb = sk_GENERAL_NAME_num(san_names);
172

  
173
	// Check each name within the extension
174
	for (i=0; i<san_names_nb; i++) {
175
		const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i);
176

  
177
		if (current_name->type == GEN_DNS) {
178
			// Current name is a DNS name, let's check it
179
			char *dns_name = (char *) ASN1_STRING_data(current_name->d.dNSName);
180

  
181
			// Make sure there isn't an embedded NUL character in the DNS name
182
			if (ASN1_STRING_length(current_name->d.dNSName) != strlen(dns_name)) {
183
				result = MalformedCertificate;
184
				break;
185
			}
186
			else { // Compare expected hostname with the DNS name
187
				if (strcasecmp(hostname, dns_name) == 0) {
188
					result = MatchFound;
189
					break;
190
				}
191
			}
192
		}
193
	}
194
	sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
195

  
196
	return result;
197
}
198

  
199

  
200
/**
201
* Validates the server's identity by looking for the expected hostname in the
202
* server's certificate. As described in RFC 6125, it first tries to find a match
203
* in the Subject Alternative Name extension. If the extension is not present in
204
* the certificate, it checks the Common Name instead.
205
*
206
* Returns MatchFound if a match was found.
207
* Returns MatchNotFound if no matches were found.
208
* Returns MalformedCertificate if any of the hostnames had a NUL character embedded in it.
209
* Returns Error if there was an error.
210
*/
211
static HostnameValidationResult validate_hostname(const char *hostname, const X509 *server_cert) {
212
	HostnameValidationResult result;
213

  
214
	if((hostname == NULL) || (server_cert == NULL))
215
		return Error;
216

  
217
	// First try the Subject Alternative Names extension
218
	result = matches_subject_alternative_name(hostname, server_cert);
219
	if (result == NoSANPresent) {
220
		// Extension was not found: try the Common Name
221
		result = matches_common_name(hostname, server_cert);
222
	}
223

  
224
	return result;
225
}
226

  
227

  
68 228
void ssl_init(void)
69 229
{
70 230
	gchar *certs_file, *certs_dir;
......
309 469
		}
310 470

  
311 471
		verify_result = SSL_get_verify_result(sockinfo->ssl);
312
		if (verify_result == X509_V_OK) {
472
		if (verify_result == X509_V_OK && validate_hostname(sockinfo->hostname, server_cert) == MatchFound) {
313 473
			debug_print("SSL verify OK\n");
314 474
			X509_free(server_cert);
315 475
			return TRUE;
......
330 490
			return FALSE;
331 491
		}
332 492

  
333
		g_warning("%s: SSL certificate verify failed (%ld: %s)\n",
334
			  sockinfo->hostname, verify_result,
335
			  X509_verify_cert_error_string(verify_result));
493
		if (verify_result == X509_V_OK) {
494
			g_warning("%s: SSL certificate hostname verify failed\n",
495
				  sockinfo->hostname);
496
		} else {
497
			g_warning("%s: SSL certificate verify failed (%ld: %s)\n",
498
				  sockinfo->hostname, verify_result,
499
				  X509_verify_cert_error_string(verify_result));
500
		}
336 501

  
337 502
		if (verify_ui_func) {
338 503
			gint res;
src/sslmanager.c (working copy)
61 61
	gint result;
62 62
	gboolean disable_always = FALSE;
63 63

  
64
	if (verify_result == X509_V_OK)
65
		return 0;
66

  
67 64
	gdk_threads_enter();
68 65

  
69 66
	title = _("SSL certificate verify failed");
......
99 96

  
100 97
	message = g_string_new("");
101 98
	g_string_append_printf(message, _("The SSL certificate of %s cannot be verified by the following reason:"), hostname);
102
	g_string_append_printf(message, "\n  %s\n\n", X509_verify_cert_error_string(verify_result));
99
	if (verify_result == X509_V_OK) {
100
		g_string_append_printf(message, "\n  Certificate hostname does not match\n\n");
101
	} else {
102
		g_string_append_printf(message, "\n  %s\n\n", X509_verify_cert_error_string(verify_result));
103
	}
103 104
	g_string_append_printf(message, _("Subject: %s\n"), subject ? subject : "(unknown)");
104 105
	g_string_append_printf(message, _("Issuer: %s\n"), issuer ? issuer : "(unknown)");
105 106
	g_string_append_printf(message, _("Issued date: %s\n"), not_before);