Mercurial > pidgin
comparison libpurple/certificate.c @ 19090:5310b1294287
- Add HOSTNAME CHECKING to tls_cached unknown_peer mode, which is kind
of important, I'd say. This is all still untested.
author | William Ehlhardt <williamehlhardt@gmail.com> |
---|---|
date | Fri, 10 Aug 2007 05:44:20 +0000 |
parents | c8962b52579e |
children | 489889091b14 |
comparison
equal
deleted
inserted
replaced
19089:c8962b52579e | 19090:5310b1294287 |
---|---|
919 /* For when we've never communicated with this party before */ | 919 /* For when we've never communicated with this party before */ |
920 static void | 920 static void |
921 x509_tls_cached_unknown_peer(PurpleCertificateVerificationRequest *vrq) | 921 x509_tls_cached_unknown_peer(PurpleCertificateVerificationRequest *vrq) |
922 { | 922 { |
923 PurpleCertificatePool *ca, *tls_peers; | 923 PurpleCertificatePool *ca, *tls_peers; |
924 PurpleCertificate *end_crt, *ca_crt; | 924 PurpleCertificate *end_crt, *ca_crt, *peer_crt; |
925 GList *chain = vrq->cert_chain; | 925 GList *chain = vrq->cert_chain; |
926 GList *last; | 926 GList *last; |
927 gchar *ca_id; | 927 gchar *ca_id; |
928 | 928 |
929 /* First, check that the certificate chain is valid */ | 929 peer_crt = (PurpleCertificate *) chain->data; |
930 | |
931 /* First, check that the hostname matches */ | |
932 if ( ! purple_certificate_check_subject_name(peer_crt, | |
933 vrq->subject_name) ) { | |
934 gchar *sn = purple_certificate_get_subject_name(peer_crt); | |
935 | |
936 purple_debug_info("certificate/x509/tls_cached", | |
937 "Name mismatch: Certificate given for %s " | |
938 "has a name of %s\n", | |
939 vrq->subject_name, sn); | |
940 g_free(sn); | |
941 | |
942 /* Prompt the user to authenticate the certificate */ | |
943 /* TODO: Provide the user with more guidance about why he is | |
944 being prompted */ | |
945 /* vrq will be completed by user_auth */ | |
946 x509_tls_cached_user_auth(vrq); | |
947 return; | |
948 } /* if (name mismatch) */ | |
949 | |
950 | |
951 | |
952 /* Next, check that the certificate chain is valid */ | |
930 if ( ! purple_certificate_check_signature_chain(chain) ) { | 953 if ( ! purple_certificate_check_signature_chain(chain) ) { |
931 /* TODO: Tell the user where the chain broke? */ | 954 /* TODO: Tell the user where the chain broke? */ |
932 /* TODO: This error will hopelessly confuse any | 955 /* TODO: This error will hopelessly confuse any |
933 non-elite user. */ | 956 non-elite user. */ |
934 gchar *secondary; | 957 gchar *secondary; |
1020 /* Look up the local cache and store it there for future use */ | 1043 /* Look up the local cache and store it there for future use */ |
1021 tls_peers = purple_certificate_find_pool(x509_tls_cached.scheme_name, | 1044 tls_peers = purple_certificate_find_pool(x509_tls_cached.scheme_name, |
1022 "tls_peers"); | 1045 "tls_peers"); |
1023 | 1046 |
1024 if (tls_peers) { | 1047 if (tls_peers) { |
1025 PurpleCertificate *peer_crt = (PurpleCertificate *)chain->data; | |
1026 g_assert(purple_certificate_pool_store(tls_peers, | 1048 g_assert(purple_certificate_pool_store(tls_peers, |
1027 vrq->subject_name, | 1049 vrq->subject_name, |
1028 peer_crt) ); | 1050 peer_crt) ); |
1029 } else { | 1051 } else { |
1030 purple_debug_error("certificate/x509/tls_cached", | 1052 purple_debug_error("certificate/x509/tls_cached", |