Mercurial > pidgin
comparison libpurple/certificate.c @ 19090:5310b1294287
- Add HOSTNAME CHECKING to tls_cached unknown_peer mode, which is kind
of important, I'd say. This is all still untested.
| author | William Ehlhardt <williamehlhardt@gmail.com> |
|---|---|
| date | Fri, 10 Aug 2007 05:44:20 +0000 |
| parents | c8962b52579e |
| children | 489889091b14 |
comparison
equal
deleted
inserted
replaced
| 19089:c8962b52579e | 19090:5310b1294287 |
|---|---|
| 919 /* For when we've never communicated with this party before */ | 919 /* For when we've never communicated with this party before */ |
| 920 static void | 920 static void |
| 921 x509_tls_cached_unknown_peer(PurpleCertificateVerificationRequest *vrq) | 921 x509_tls_cached_unknown_peer(PurpleCertificateVerificationRequest *vrq) |
| 922 { | 922 { |
| 923 PurpleCertificatePool *ca, *tls_peers; | 923 PurpleCertificatePool *ca, *tls_peers; |
| 924 PurpleCertificate *end_crt, *ca_crt; | 924 PurpleCertificate *end_crt, *ca_crt, *peer_crt; |
| 925 GList *chain = vrq->cert_chain; | 925 GList *chain = vrq->cert_chain; |
| 926 GList *last; | 926 GList *last; |
| 927 gchar *ca_id; | 927 gchar *ca_id; |
| 928 | 928 |
| 929 /* First, check that the certificate chain is valid */ | 929 peer_crt = (PurpleCertificate *) chain->data; |
| 930 | |
| 931 /* First, check that the hostname matches */ | |
| 932 if ( ! purple_certificate_check_subject_name(peer_crt, | |
| 933 vrq->subject_name) ) { | |
| 934 gchar *sn = purple_certificate_get_subject_name(peer_crt); | |
| 935 | |
| 936 purple_debug_info("certificate/x509/tls_cached", | |
| 937 "Name mismatch: Certificate given for %s " | |
| 938 "has a name of %s\n", | |
| 939 vrq->subject_name, sn); | |
| 940 g_free(sn); | |
| 941 | |
| 942 /* Prompt the user to authenticate the certificate */ | |
| 943 /* TODO: Provide the user with more guidance about why he is | |
| 944 being prompted */ | |
| 945 /* vrq will be completed by user_auth */ | |
| 946 x509_tls_cached_user_auth(vrq); | |
| 947 return; | |
| 948 } /* if (name mismatch) */ | |
| 949 | |
| 950 | |
| 951 | |
| 952 /* Next, check that the certificate chain is valid */ | |
| 930 if ( ! purple_certificate_check_signature_chain(chain) ) { | 953 if ( ! purple_certificate_check_signature_chain(chain) ) { |
| 931 /* TODO: Tell the user where the chain broke? */ | 954 /* TODO: Tell the user where the chain broke? */ |
| 932 /* TODO: This error will hopelessly confuse any | 955 /* TODO: This error will hopelessly confuse any |
| 933 non-elite user. */ | 956 non-elite user. */ |
| 934 gchar *secondary; | 957 gchar *secondary; |
| 1020 /* Look up the local cache and store it there for future use */ | 1043 /* Look up the local cache and store it there for future use */ |
| 1021 tls_peers = purple_certificate_find_pool(x509_tls_cached.scheme_name, | 1044 tls_peers = purple_certificate_find_pool(x509_tls_cached.scheme_name, |
| 1022 "tls_peers"); | 1045 "tls_peers"); |
| 1023 | 1046 |
| 1024 if (tls_peers) { | 1047 if (tls_peers) { |
| 1025 PurpleCertificate *peer_crt = (PurpleCertificate *)chain->data; | |
| 1026 g_assert(purple_certificate_pool_store(tls_peers, | 1048 g_assert(purple_certificate_pool_store(tls_peers, |
| 1027 vrq->subject_name, | 1049 vrq->subject_name, |
| 1028 peer_crt) ); | 1050 peer_crt) ); |
| 1029 } else { | 1051 } else { |
| 1030 purple_debug_error("certificate/x509/tls_cached", | 1052 purple_debug_error("certificate/x509/tls_cached", |