changeset 19008:7fd9bd55f8d0

- Add certificate_check_subject_name and associated machinery - Update GnuTLS to support the above - tls_cached verifier now uses check_subject_name instead of strcmp
author William Ehlhardt <williamehlhardt@gmail.com>
date Mon, 09 Jul 2007 03:47:36 +0000
parents 8228c5b1d181
children b64aa0222a7a
files libpurple/certificate.c libpurple/certificate.h libpurple/plugins/ssl/ssl-gnutls.c
diffstat 3 files changed, 55 insertions(+), 2 deletions(-) [+]
--- a/libpurple/certificate.c	Mon Jul 09 03:26:18 2007 +0000
+++ b/libpurple/certificate.c	Mon Jul 09 03:47:36 2007 +0000
@@ -186,6 +186,24 @@
 	return subject_name;
 }
 
+gboolean
+purple_certificate_check_subject_name(PurpleCertificate *crt, const gchar *name)
+{
+	PurpleCertificateScheme *scheme;
+
+	g_return_val_if_fail(crt, FALSE);
+	g_return_val_if_fail(crt->scheme, FALSE);
+	g_return_val_if_fail(name, FALSE);
+
+	scheme = crt->scheme;
+
+	/* TODO: Instead of failing, maybe use get_subject_name and strcmp? */
+	g_return_val_if_fail(scheme->check_subject_name, FALSE);
+
+	return (scheme->check_subject_name)(crt, name);
+}
+
+
 gchar *
 purple_certificate_pool_mkpath(PurpleCertificatePool *pool, const gchar *id)
 {
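Review bot: The NULL check on `scheme->check_subject_name` uses `g_return_val_if_fail`, which GLib compiles out when G_DISABLE_CHECKS is defined, so in such a build a scheme that lacks this callback would be called through a NULL pointer. A missing callback is an expected runtime condition, not a programmer error, so an explicit `if (scheme->check_subject_name == NULL) return FALSE;` is the safer form. Failing closed is the right default here, and I would drop the TODO's idea of falling back to `get_subject_name` plus `strcmp`: an exact compare of one name field is not equivalent to the scheme's own name matching and would bring back the comparison this commit replaces. The hunk's trailing context opens purple_certificate_pool_mkpath, whose body continues outside it.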
@@ -481,8 +499,7 @@
 	cn = purple_certificate_get_subject_name(crt);
 
 	/* Determine whether the name matches */
-	/* TODO: Worry about strcmp safety? */
-	if (!strcmp(cn, vrq->subject_name)) {
+	if (purple_certificate_check_subject_name(crt, vrq->subject_name)) {
 		cn_match = _("");
 	} else {
 		cn_match = _("(DOES NOT MATCH)");
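Review bot: `cn` is still fetched with purple_certificate_get_subject_name() just above the changed line, and no NULL check on it is visible in this hunk. The removed `strcmp` would have faulted on a NULL `cn`, while the new call never touches `cn`, so a failed lookup now passes this point silently and whatever uses `cn` later (outside the hunk) has to cope with it. The name shown to the user and the name that was actually matched can also differ now, because the scheme's check may match on something other than the common name; a comment such as `/* match is decided by the scheme and may use names other than cn */` would make that explicit. The enclosing function starts and ends outside the hunk.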
--- a/libpurple/certificate.h	Mon Jul 09 03:26:18 2007 +0000
+++ b/libpurple/certificate.h	Mon Jul 09 03:47:36 2007 +0000
@@ -213,6 +213,13 @@
 	 */
 	gchar * (* get_subject_name)(PurpleCertificate *crt);
 
+	/**
+	 * Check the subject name against that on the certificate
+	 * @see purple_certificate_check_subject_name()
+	 * @return TRUE if it is a match, else FALSE
+	 */
+	gboolean (* check_subject_name)(PurpleCertificate *crt, const gchar *name);
+
 	/** Retrieve the certificate activation time */
 	time_t (* get_activation_time)(PurpleCertificate *crt);
 	/** Retrieve the expiration time */
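Review bot: Adding `check_subject_name` in the middle of PurpleCertificateScheme shifts every later member, and the one scheme touched by this commit (x509_gnutls in ssl-gnutls.c, last hunk) is initialised positionally. If any other scheme is defined the same way and is not updated, its activation and expiration callbacks would land in the wrong slots; whether such a scheme exists is not visible here. Appending the new member at the end of the struct, or switching the initialisers to designated form such as `.check_subject_name = x509_check_name,`, would remove that dependency on member order. The struct definition starts and ends outside the hunk.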
@@ -413,6 +420,16 @@
 gchar *
 purple_certificate_get_subject_name(PurpleCertificate *crt);
 
+/**
+ * Check the subject name against that on the certificate
+ * @param crt   Certificate instance
+ * @param name  Name to check. 
+ * @return TRUE if it is a match, else FALSE
+ */
+gboolean
+purple_certificate_check_subject_name(PurpleCertificate *crt, const gchar *name);
+
+
 /*@}*/
 
 /*****************************************************************************/
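Review bot: The doc comment for purple_certificate_check_subject_name() does not say what kind of match is performed or when FALSE is returned for reasons other than a mismatch. Going by the implementation added in certificate.c, FALSE is also returned when `crt`, `crt->scheme` or `name` is NULL and when the scheme provides no `check_subject_name` callback, and the matching rules are whatever the scheme implements. I would state both, for example `@return TRUE if the scheme reports a match; FALSE on mismatch, on NULL arguments, or if the scheme cannot perform the check`. The same applies to the member comment in the first hunk of this header, and there is trailing whitespace after `Name to check.`.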
--- a/libpurple/plugins/ssl/ssl-gnutls.c	Mon Jul 09 03:26:18 2007 +0000
+++ b/libpurple/plugins/ssl/ssl-gnutls.c	Mon Jul 09 03:47:36 2007 +0000
@@ -711,6 +711,24 @@
 	return cn;
 }
 
+static gboolean
+x509_check_name (PurpleCertificate *crt, const gchar *name)
+{
+	gnutls_x509_crt_t crt_dat;
+
+	g_return_val_if_fail(crt, FALSE);
+	g_return_val_if_fail(crt->scheme == &x509_gnutls, FALSE);
+	g_return_val_if_fail(name, FALSE);
+
+	crt_dat = *( (gnutls_x509_crt_t *) crt->data );
+
+	if (gnutls_x509_crt_check_hostname(crt_dat, name)) {
+		return TRUE;
+	} else {
+		return FALSE;
+	}
+}
+
 /* X.509 certificate operations provided by this plugin */
 /* TODO: Flesh this out! */
 static PurpleCertificateScheme x509_gnutls = {
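Review bot: `crt->data` is dereferenced in x509_check_name without a NULL check, unlike `crt`, its scheme and `name`; adding `g_return_val_if_fail(crt->data, FALSE);` before the cast would keep a half-initialised certificate from crashing the verifier. The function also has no comment saying that the matching rules are those of gnutls_x509_crt_check_hostname(), which is the security-relevant fact a reader of this file needs. As a style point, the if/else can collapse to `return gnutls_x509_crt_check_hostname(crt_dat, name) != 0;`. The trailing context opens the x509_gnutls initialiser, which continues outside the hunk.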
@@ -723,6 +741,7 @@
 	NULL,                            /* Unique ID */
 	NULL,                            /* Issuer Unique ID */
 	x509_common_name,                /* Subject name */
+	x509_check_name,                 /* Check subject name */
 	NULL,                            /* Activation time */
 	NULL                             /* Expiration time */
 };