pidgin: libpurple/certificate.c comparison

comparison libpurple/certificate.c @ 29298:fb99a0067812

propagate from branch 'im.pidgin.pidgin' (head 70d69397ed952b26b453423c381c70d6783eb66d) to branch 'im.pidgin.cpw.attention_ui' (head 1cf0dea282a0d0e4aeac4770e0150d6d0c10830a)

author	Marcus Lundblad <ml@update.uu.se>
date	Thu, 13 Aug 2009 17:42:44 +0000
parents	fcf2d3b9f281
children	35f3a79045a6

comparison

equal deleted inserted replaced

-:338d6a211055
+:fb99a0067812
 	g_return_val_if_fail(crt->scheme, FALSE);
 	g_return_val_if_fail(name, FALSE);
 	scheme = crt->scheme;
-	/* TODO: Instead of failing, maybe use get_subject_name and strcmp? */
 	g_return_val_if_fail(scheme->check_subject_name, FALSE);
 	return (scheme->check_subject_name)(crt, name);
 }
 	purple_certificate_destroy(cached_crt);
 	g_byte_array_free(peer_fpr, TRUE);
 	g_byte_array_free(cached_fpr, TRUE);
 }
+/*
+* This is called from two points in x509_tls_cached_unknown_peer below
+* once we've verified the signature chain is valid. Now we need to verify
+* the subject name of the certificate.
+*/
+static void
+x509_tls_cached_check_subject_name(PurpleCertificateVerificationRequest *vrq,
+gboolean had_ca_pool)
+{
+	PurpleCertificatePool *tls_peers;
+	PurpleCertificate *peer_crt;
+	GList *chain = vrq->cert_chain;
+	peer_crt = (PurpleCertificate *) chain->data;
+	/* Last, check that the hostname matches */
+	if ( ! purple_certificate_check_subject_name(peer_crt,
+						     vrq->subject_name) ) {
+		gchar *sn = purple_certificate_get_subject_name(peer_crt);
+		purple_debug_error("certificate/x509/tls_cached",
+				  "Name mismatch: Certificate given for %s "
+				  "has a name of %s\n",
+				  vrq->subject_name, sn);
+		if (had_ca_pool) {
+			/* Prompt the user to authenticate the certificate */
+			/* TODO: Provide the user with more guidance about why he is
+			   being prompted */
+			/* vrq will be completed by user_auth */
+			gchar *msg;
+			msg = g_strdup_printf(_("The certificate presented by \"%s\" "
+						"claims to be from \"%s\" instead.  "
+						"This could mean that you are not "
+						"connecting to the service you "
+						"believe you are."),
+					      vrq->subject_name, sn);
+			x509_tls_cached_user_auth(vrq, msg);
+			g_free(msg);
+		} else {
+			/* Had no CA pool, so couldn't verify the chain *and*
+			 * the subject name isn't valid.
+			 * I think this is bad enough to warrant a fatal error. It's
+			 * not likely anyway...
+			 */
+			purple_notify_error(NULL, /* TODO: Probably wrong. */
+						_("SSL Certificate Error"),
+						_("Invalid certificate chain"),
+						_("You have no database of root certificates, so "
+						"this certificate cannot be validated."));
+		}
+		g_free(sn);
+		return;
+	} /* if (name mismatch) */
+	if (!had_ca_pool) {
+		/* The subject name is correct, but we weren't able to verify the
+		 * chain because there was no pool of root CAs found. Prompt the user
+		 * to validate it.
+		 */
+		/* vrq will be completed by user_auth */
+		x509_tls_cached_user_auth(vrq,_("You have no database of root "
+						"certificates, so this "
+						"certificate cannot be "
+						"validated."));
+		return;
+	}
+	/* If we reach this point, the certificate is good. */
+	/* Look up the local cache and store it there for future use */
+	tls_peers = purple_certificate_find_pool(x509_tls_cached.scheme_name,
+						 "tls_peers");
+	if (tls_peers) {
+		if (!purple_certificate_pool_store(tls_peers,vrq->subject_name,
+						   peer_crt) ) {
+			purple_debug_error("certificate/x509/tls_cached",
+					   "FAILED to cache peer certificate\n");
+		}
+	} else {
+		purple_debug_error("certificate/x509/tls_cached",
+				   "Unable to locate tls_peers certificate "
+				   "cache.\n");
+	}
+	/* Whew! Done! */
+	purple_certificate_verify_complete(vrq, PURPLE_CERTIFICATE_VALID);
+}
 /* For when we've never communicated with this party before */
 /* TODO: Need ways to specify possibly multiple problems with a cert, or at
-least  reprioritize them. For example, maybe the signature ought to be
+least  reprioritize them.
-checked BEFORE the hostname checking?
+*/
-Stu thinks we should check the signature before the name, so we do now.
-The above TODO still stands. */
 static void
 x509_tls_cached_unknown_peer(PurpleCertificateVerificationRequest *vrq)
 {
-	PurpleCertificatePool *ca, *tls_peers;
+	PurpleCertificatePool *ca;
 	PurpleCertificate *peer_crt;
+	PurpleCertificate *ca_crt, *end_crt;
 	PurpleCertificate *failing_crt;
 	GList *chain = vrq->cert_chain;
-	gboolean chain_validated = FALSE;
+	GByteArray *last_fpr, *ca_fpr;
+	gchar *ca_id;
 	peer_crt = (PurpleCertificate *) chain->data;
 	/* TODO: Figure out a way to check for a bad signature, as opposed to
 	   "not self-signed" */
 	/* Next, attempt to verify the last certificate against a CA */
 	ca = purple_certificate_find_pool(x509_tls_cached.scheme_name, "ca");
 	/* Next, check that the certificate chain is valid */
-	if (purple_certificate_check_signature_chain_with_failing(chain,
+	if (!purple_certificate_check_signature_chain_with_failing(chain,
-	                                                          &failing_crt))
+				&failing_crt))
-		chain_validated = TRUE;
+	{
-	else {
+		gboolean chain_validated = FALSE;
 		/*
 		 * Check if the failing certificate is in the CA store. If it is, then
 		 * consider this fully validated. This works around issues with some
 		 * prominent intermediate CAs whose signature is md5WithRSAEncryption.
 		 * I'm looking at CACert Class 3 here. See #4458 for details.
 		/*
 		 * If we get here, either the cert matched the stuff right above
 		 * or it didn't, in which case we give up and complain to the user.
 		 */
-		if (!chain_validated) {
+		if (chain_validated) {
+			x509_tls_cached_check_subject_name(vrq, TRUE);
+		} else {
 			/* TODO: Tell the user where the chain broke? */
 			/* TODO: This error will hopelessly confuse any
 			   non-elite user. */
 			gchar *secondary;
 			g_free(secondary);
 			/* Okay, we're done here */
 			purple_certificate_verify_complete(vrq,
 							   PURPLE_CERTIFICATE_INVALID);
-			return;
 		}
+		return;
 	} /* if (signature chain not good) */
 	/* If, for whatever reason, there is no Certificate Authority pool
-	   loaded, we will simply present it to the user for checking. */
+	   loaded, we'll verify the subject name and then warn about thsi. */
 	if ( !ca ) {
 		purple_debug_error("certificate/x509/tls_cached",
 				   "No X.509 Certificate Authority pool "
 				   "could be found!\n");
+		x509_tls_cached_check_subject_name(vrq, FALSE);
+		return;
+	}
+	end_crt = g_list_last(chain)->data;
+	/* Attempt to look up the last certificate's issuer */
+	ca_id = purple_certificate_get_issuer_unique_id(end_crt);
+	purple_debug_info("certificate/x509/tls_cached",
+			  "Checking for a CA with DN=%s\n",
+			  ca_id);
+	ca_crt = purple_certificate_pool_retrieve(ca, ca_id);
+	if ( NULL == ca_crt ) {
+		purple_debug_warning("certificate/x509/tls_cached",
+				  "Certificate Authority with DN='%s' not "
+				  "found. I'll prompt the user, I guess.\n",
+				  ca_id);
+		g_free(ca_id);
 		/* vrq will be completed by user_auth */
-		x509_tls_cached_user_auth(vrq,_("You have no database of root "
+		x509_tls_cached_user_auth(vrq,_("The root certificate this "
-						"certificates, so this "
+						"one claims to be issued by "
-						"certificate cannot be "
+						"is unknown to Pidgin."));
-						"validated."));
 		return;
 	}
-	if (!chain_validated) {
+	g_free(ca_id);
-		GByteArray *last_fpr, *ca_fpr;
-		PurpleCertificate *ca_crt, *end_crt;
+	/*
-		gchar *ca_id;
+	 * Check the fingerprints; if they match, then this certificate *is* one
+	 * of the designated "trusted roots", and we don't need to verify the
-		end_crt = g_list_last(chain)->data;
+	 * signature. This is good because some of the older roots are self-signed
+	 * with bad hash algorithms that we don't want to allow in any other
-		/* Attempt to look up the last certificate's issuer */
+	 * circumstances (one of Verisign's root CAs is self-signed with MD2).
-		ca_id = purple_certificate_get_issuer_unique_id(end_crt);
+	 *
-		purple_debug_info("certificate/x509/tls_cached",
+	 * If the fingerprints don't match, we'll fall back to checking the
-				  "Checking for a CA with DN=%s\n",
+	 * signature.
-				  ca_id);
+	 *
-		ca_crt = purple_certificate_pool_retrieve(ca, ca_id);
+	 * GnuTLS doesn't seem to include the final root in the verification
-		if ( NULL == ca_crt ) {
+	 * list, so this check will never succeed.  NSS *does* include it in
-			purple_debug_warning("certificate/x509/tls_cached",
+	 * the list, so here we are.
-					  "Certificate Authority with DN='%s' not "
+	 */
-					  "found. I'll prompt the user, I guess.\n",
+	last_fpr = purple_certificate_get_fingerprint_sha1(end_crt);
-					  ca_id);
+	ca_fpr   = purple_certificate_get_fingerprint_sha1(ca_crt);
-			g_free(ca_id);
-			/* vrq will be completed by user_auth */
+	if ( !byte_arrays_equal(last_fpr, ca_fpr) &&
-			x509_tls_cached_user_auth(vrq,_("The root certificate this "
+			!purple_certificate_signed_by(end_crt, ca_crt) )
-							"one claims to be issued by "
+	{
-							"is unknown to Pidgin."));
+		/* TODO: If signed_by ever returns a reason, maybe mention
-			return;
+		   that, too. */
-		}
+		/* TODO: Also mention the CA involved. While I could do this
+		   now, a full DN is a little much with which to assault the
-		g_free(ca_id);
+		   user's poor, leaky eyes. */
+		/* TODO: This error message makes my eyes cross, and I wrote it */
-		/*
+		gchar * secondary =
-		 * Check the fingerprints; if they match, then this certificate *is* one
+			g_strdup_printf(_("The certificate chain presented by "
-		 * of the designated "trusted roots", and we don't need to verify the
+					  "%s does not have a valid digital "
-		 * signature. This is good because some of the older roots are self-signed
+					  "signature from the Certificate "
-		 * with bad hash algorithms that we don't want to allow in any other
+					  "Authority from which it claims to "
-		 * circumstances (one of Verisign's root CAs is self-signed with MD2).
+					  "have a signature."),
-		 *
+					vrq->subject_name);
-		 * If the fingerprints don't match, we'll fall back to checking the
-		 * signature.
+		purple_notify_error(NULL, /* TODO: Probably wrong */
-		 *
+				    _("SSL Certificate Error"),
-		 * GnuTLS doesn't seem to include the final root in the verification
+				    _("Invalid certificate authority"
-		 * list, so this check will never succeed.  NSS *does* include it in
+				      " signature"),
-		 * the list, so here we are.
+				    secondary);
-		 */
+		g_free(secondary);
-		last_fpr = purple_certificate_get_fingerprint_sha1(end_crt);
-		ca_fpr   = purple_certificate_get_fingerprint_sha1(ca_crt);
+		/* Signal "bad cert" */
+		purple_certificate_verify_complete(vrq,
-		if ( !byte_arrays_equal(last_fpr, ca_fpr) &&
+						   PURPLE_CERTIFICATE_INVALID);
-				!purple_certificate_signed_by(end_crt, ca_crt) )
-		{
+		purple_certificate_destroy(ca_crt);
-			/* TODO: If signed_by ever returns a reason, maybe mention
-			   that, too. */
-			/* TODO: Also mention the CA involved. While I could do this
-			   now, a full DN is a little much with which to assault the
-			   user's poor, leaky eyes. */
-			/* TODO: This error message makes my eyes cross, and I wrote it */
-			gchar * secondary =
-				g_strdup_printf(_("The certificate chain presented by "
-						  "%s does not have a valid digital "
-						  "signature from the Certificate "
-						  "Authority from which it claims to "
-						  "have a signature."),
-						vrq->subject_name);
-			purple_notify_error(NULL, /* TODO: Probably wrong */
-					    _("SSL Certificate Error"),
-					    _("Invalid certificate authority"
-					      " signature"),
-					    secondary);
-			g_free(secondary);
-			/* Signal "bad cert" */
-			purple_certificate_verify_complete(vrq,
-							   PURPLE_CERTIFICATE_INVALID);
-			purple_certificate_destroy(ca_crt);
-			g_byte_array_free(ca_fpr, TRUE);
-			g_byte_array_free(last_fpr, TRUE);
-			return;
-		} /* if (CA signature not good) */
 		g_byte_array_free(ca_fpr, TRUE);
 		g_byte_array_free(last_fpr, TRUE);
-	}
-	/* Last, check that the hostname matches */
-	if ( ! purple_certificate_check_subject_name(peer_crt,
-						     vrq->subject_name) ) {
-		gchar *sn = purple_certificate_get_subject_name(peer_crt);
-		gchar *msg;
-		purple_debug_error("certificate/x509/tls_cached",
-				  "Name mismatch: Certificate given for %s "
-				  "has a name of %s\n",
-				  vrq->subject_name, sn);
-		/* Prompt the user to authenticate the certificate */
-		/* TODO: Provide the user with more guidance about why he is
-		   being prompted */
-		/* vrq will be completed by user_auth */
-		msg = g_strdup_printf(_("The certificate presented by \"%s\" "
-					"claims to be from \"%s\" instead.  "
-					"This could mean that you are not "
-					"connecting to the service you "
-					"believe you are."),
-				      vrq->subject_name, sn);
-		x509_tls_cached_user_auth(vrq,msg);
-		g_free(sn);
-		g_free(msg);
 		return;
-	} /* if (name mismatch) */
+	} /* if (CA signature not good) */
-	/* If we reach this point, the certificate is good. */
+	g_byte_array_free(ca_fpr, TRUE);
-	/* Look up the local cache and store it there for future use */
+	g_byte_array_free(last_fpr, TRUE);
-	tls_peers = purple_certificate_find_pool(x509_tls_cached.scheme_name,
-						 "tls_peers");
+	x509_tls_cached_check_subject_name(vrq, TRUE);
-	if (tls_peers) {
-		if (!purple_certificate_pool_store(tls_peers,vrq->subject_name,
-						   peer_crt) ) {
-			purple_debug_error("certificate/x509/tls_cached",
-					   "FAILED to cache peer certificate\n");
-		}
-	} else {
-		purple_debug_error("certificate/x509/tls_cached",
-				   "Unable to locate tls_peers certificate "
-				   "cache.\n");
-	}
-	/* Whew! Done! */
-	purple_certificate_verify_complete(vrq, PURPLE_CERTIFICATE_VALID);
 }
 static void
 x509_tls_cached_start_verify(PurpleCertificateVerificationRequest *vrq)
 {

Mercurial > pidgin

comparison libpurple/certificate.c @ 29298:fb99a0067812