# HG changeset patch # User William Ehlhardt # Date 1183952856 0 # Node ID 7fd9bd55f8d0620a82b82241923055214a66e400 # Parent 8228c5b1d1814dceba6b40ec4bcfeea86f47e62c - Add certificate_check_subject_name and associated machinery - Update GnuTLS to support the above - tls_cached verifier now uses check_subject_name instead of strcmp diff -r 8228c5b1d181 -r 7fd9bd55f8d0 libpurple/certificate.c --- a/libpurple/certificate.c Mon Jul 09 03:26:18 2007 +0000 +++ b/libpurple/certificate.c Mon Jul 09 03:47:36 2007 +0000 @@ -186,6 +186,24 @@ return subject_name; } +gboolean +purple_certificate_check_subject_name(PurpleCertificate *crt, const gchar *name) +{ + PurpleCertificateScheme *scheme; + + g_return_val_if_fail(crt, FALSE); + g_return_val_if_fail(crt->scheme, FALSE); + g_return_val_if_fail(name, FALSE); + + scheme = crt->scheme; + + /* TODO: Instead of failing, maybe use get_subject_name and strcmp? */ + g_return_val_if_fail(scheme->check_subject_name, FALSE); + + return (scheme->check_subject_name)(crt, name); +} + + gchar * purple_certificate_pool_mkpath(PurpleCertificatePool *pool, const gchar *id) { @@ -481,8 +499,7 @@ cn = purple_certificate_get_subject_name(crt); /* Determine whether the name matches */ - /* TODO: Worry about strcmp safety? */ - if (!strcmp(cn, vrq->subject_name)) { + if (purple_certificate_check_subject_name(crt, vrq->subject_name)) { cn_match = _(""); } else { cn_match = _("(DOES NOT MATCH)"); diff -r 8228c5b1d181 -r 7fd9bd55f8d0 libpurple/certificate.h --- a/libpurple/certificate.h Mon Jul 09 03:26:18 2007 +0000 +++ b/libpurple/certificate.h Mon Jul 09 03:47:36 2007 +0000 @@ -213,6 +213,13 @@ */ gchar * (* get_subject_name)(PurpleCertificate *crt); + /** + * Check the subject name against that on the certificate + * @see purple_certificate_check_subject_name() + * @return TRUE if it is a match, else FALSE + */ + gboolean (* check_subject_name)(PurpleCertificate *crt, const gchar *name); + /** Retrieve the certificate activation time */ time_t (* get_activation_time)(PurpleCertificate *crt); /** Retrieve the expiration time */ @@ -413,6 +420,16 @@ gchar * purple_certificate_get_subject_name(PurpleCertificate *crt); +/** + * Check the subject name against that on the certificate + * @param crt Certificate instance + * @param name Name to check. + * @return TRUE if it is a match, else FALSE + */ +gboolean +purple_certificate_check_subject_name(PurpleCertificate *crt, const gchar *name); + + /*@}*/ /*****************************************************************************/ diff -r 8228c5b1d181 -r 7fd9bd55f8d0 libpurple/plugins/ssl/ssl-gnutls.c --- a/libpurple/plugins/ssl/ssl-gnutls.c Mon Jul 09 03:26:18 2007 +0000 +++ b/libpurple/plugins/ssl/ssl-gnutls.c Mon Jul 09 03:47:36 2007 +0000 @@ -711,6 +711,24 @@ return cn; } +static gboolean +x509_check_name (PurpleCertificate *crt, const gchar *name) +{ + gnutls_x509_crt_t crt_dat; + + g_return_val_if_fail(crt, FALSE); + g_return_val_if_fail(crt->scheme == &x509_gnutls, FALSE); + g_return_val_if_fail(name, FALSE); + + crt_dat = *( (gnutls_x509_crt_t *) crt->data ); + + if (gnutls_x509_crt_check_hostname(crt_dat, name)) { + return TRUE; + } else { + return FALSE; + } +} + /* X.509 certificate operations provided by this plugin */ /* TODO: Flesh this out! */ static PurpleCertificateScheme x509_gnutls = { @@ -723,6 +741,7 @@ NULL, /* Unique ID */ NULL, /* Issuer Unique ID */ x509_common_name, /* Subject name */ + x509_check_name, /* Check subject name */ NULL, /* Activation time */ NULL /* Expiration time */ };