Mercurial > pidgin.yaz
changeset 27643:199cf148cdf8
Continue verification when we can't find a *cached* peer. Fixes #9664.
This should be a fatal condition and not finding a cached certificate
is *not* the same as "the certificate changed".
author | Paul Aurich <paul@darkrain42.org> |
---|---|
date | Thu, 16 Jul 2009 02:46:36 +0000 |
parents | d677981cf97e |
children | 2d541e194416 |
files | ChangeLog libpurple/certificate.c libpurple/plugins/ssl/ssl-nss.c |
diffstat | 3 files changed, 17 insertions(+), 23 deletions(-) [+] |
line wrap: on
line diff
--- a/ChangeLog Thu Jul 16 02:20:40 2009 +0000 +++ b/ChangeLog Thu Jul 16 02:46:36 2009 +0000 @@ -35,6 +35,7 @@ from you on MSN. * Support sending an invite message to buddies when requesting authorization from them on MSN. + * Better handle corrupt certificates in the TLS Peers cache. AIM and ICQ: * Preliminary support for a new authentication scheme called
--- a/libpurple/certificate.c Thu Jul 16 02:20:40 2009 +0000 +++ b/libpurple/certificate.c Thu Jul 16 02:46:36 2009 +0000 @@ -1218,20 +1218,6 @@ } static void -x509_tls_cached_peer_cert_changed(PurpleCertificateVerificationRequest *vrq) -{ - /* TODO: Prompt the user, etc. */ - - purple_debug_info("certificate/x509/tls_cached", - "Certificate for %s does not match cached. " - "Auto-rejecting!\n", - vrq->subject_name); - - purple_certificate_verify_complete(vrq, PURPLE_CERTIFICATE_INVALID); - return; -} - -static void x509_tls_cached_unknown_peer(PurpleCertificateVerificationRequest *vrq); static void @@ -1254,12 +1240,11 @@ cached_crt = purple_certificate_pool_retrieve( tls_peers, vrq->subject_name); if ( !cached_crt ) { - purple_debug_error("certificate/x509/tls_cached", + purple_debug_warning("certificate/x509/tls_cached", "Lookup failed on cached certificate!\n" - "It was here just a second ago. Forwarding " - "to cert_changed.\n"); - /* vrq now becomes the problem of cert_changed */ - x509_tls_cached_peer_cert_changed(vrq); + "Falling back to full verification.\n"); + /* vrq now becomes the problem of unknown_peer */ + x509_tls_cached_unknown_peer(vrq); return; }
--- a/libpurple/plugins/ssl/ssl-nss.c Thu Jul 16 02:20:40 2009 +0000 +++ b/libpurple/plugins/ssl/ssl-nss.c Thu Jul 16 02:46:36 2009 +0000 @@ -546,12 +546,12 @@ CERTCertificate *crt_dat; PurpleCertificate *crt; - g_return_val_if_fail(filename, NULL); + g_return_val_if_fail(filename != NULL, NULL); purple_debug_info("nss/x509", "Loading certificate from %s\n", filename); - + /* Load the raw data up */ if (!g_file_get_contents(filename, &rawcert, &len, @@ -560,12 +560,20 @@ return NULL; } + if (len == 0) { + purple_debug_error("nss/x509", + "Certificate file has no contents!\n"); + if (rawcert) + g_free(rawcert); + return NULL; + } + /* Decode the certificate */ crt_dat = CERT_DecodeCertFromPackage(rawcert, len); g_free(rawcert); - g_return_val_if_fail(crt_dat, NULL); - + g_return_val_if_fail(crt_dat != NULL, NULL); + crt = g_new0(PurpleCertificate, 1); crt->scheme = &x509_nss; crt->data = crt_dat;