authorhiro <hiro@ee746299-78ed-0310-b773-934348b2243d>2014-02-28 09:09:39 +0000
committerhiro <hiro@ee746299-78ed-0310-b773-934348b2243d>2014-02-28 09:09:39 +0000
commiteec2055b585608a68c3a6073143c2a49bb1dfff7 (patch)
tree625e0ee7afa0e06a7197a7f11326363e632133a6
parent91282f23c547f0ddd35382d3a4b58db36fc007d7 (diff)
validate SSL certificate hostname (#167).
git-svn-id: svn://sylpheed.sraoss.jp/sylpheed/trunk@3321 ee746299-78ed-0310-b773-934348b2243d
-rw-r--r--ChangeLog7
-rw-r--r--configure.in4
-rw-r--r--libsylph/Makefile.am2
-rw-r--r--libsylph/socks.c16
-rw-r--r--libsylph/ssl.c25
-rw-r--r--src/sslmanager.c6
6 files changed, 49 insertions, 11 deletions
diff --git a/ChangeLog b/ChangeLog
index 07035396..ff3a07de 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2014-02-28
+
+ * libsylph/ssl.c
+ src/sslmanager.c: validate SSL certificate hostname (#167).
+ * libsylph/socks.c: replace sock->hostname with endpoint for hostname
+ check.
+
2013-12-20
* src/addr_compl.c: address_completion_create_completion_window():
diff --git a/configure.in b/configure.in
index 3bd6b68a..142d616d 100644
--- a/configure.in
+++ b/configure.in
@@ -9,8 +9,8 @@ MINOR_VERSION=4
MICRO_VERSION=0
INTERFACE_AGE=0
BINARY_AGE=0
-EXTRA_VERSION=beta7
-BUILD_REVISION=1152
+EXTRA_VERSION=beta8
+BUILD_REVISION=1153
VERSION=$MAJOR_VERSION.$MINOR_VERSION.$MICRO_VERSION$EXTRA_VERSION
dnl define if this is a development release
diff --git a/libsylph/Makefile.am b/libsylph/Makefile.am
index 8cf0516c..77607fa8 100644
--- a/libsylph/Makefile.am
+++ b/libsylph/Makefile.am
@@ -39,6 +39,7 @@ libsylph_0_la_SOURCES = \
socket.c \
socks.c \
ssl.c \
+ ssl_hostname_validation.c \
stringtable.c \
sylmain.c \
unmime.c \
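Review bot: `ssl_hostname_validation.c` is added to `libsylph_0_la_SOURCES` here, and `ssl_hostname_validation.h` to the installed headers in the next hunk, but the diffstat of this commit lists six files and neither of them is among those. Unless both files already exist in the tree, the build fails at this revision, so they should be added in the same commit. It also means the matching rules that decide the check (wildcard handling, subjectAltName versus common name, names with embedded NUL bytes) cannot be reviewed from this change.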
@@ -81,6 +82,7 @@ libsylph_0include_HEADERS = \
socket.h \
socks.h \
ssl.h \
+ ssl_hostname_validation.h \
stringtable.h \
sylmain.h \
unmime.h \
diff --git a/libsylph/socks.c b/libsylph/socks.c
index b4746a15..b725ba74 100644
--- a/libsylph/socks.c
+++ b/libsylph/socks.c
@@ -1,6 +1,6 @@
/*
* LibSylph -- E-Mail client library
- * Copyright (C) 1999-2010 Hiroyuki Yamamoto
+ * Copyright (C) 1999-2014 Hiroyuki Yamamoto
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -129,6 +129,13 @@ gint socks4_connect(SockInfo *sock, const gchar *hostname, gushort port)
return -1;
}
+ /* replace sock->hostname with endpoint */
+ if (sock->hostname != hostname) {
+ g_free(sock->hostname);
+ sock->hostname = g_strdup(hostname);
+ sock->port = port;
+ }
+
debug_print("socks4_connect: SOCKS4 connection to %s:%u successful.\n", hostname, port);
return 0;
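Review bot: The new comment `/* replace sock->hostname with endpoint */` says what is done but not why, and the reason is security-relevant: the ssl.c part of this commit validates the server certificate against `sockinfo->hostname`, so after a proxy handshake that field has to name the destination server (presumably it held the proxy's name before). I would write `/* the TLS hostname check in ssl.c uses sock->hostname, so it must name the destination, not the SOCKS proxy */` here and in the identical block in socks5_connect. `g_strdup()` returns NULL for a NULL `hostname`, which would leave the later hostname check without a reference name; whether callers can pass NULL is not visible, since socks4_connect starts outside the hunk.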
@@ -247,6 +254,13 @@ gint socks5_connect(SockInfo *sock, const gchar *hostname, gushort port,
}
}
+ /* replace sock->hostname with endpoint */
+ if (sock->hostname != hostname) {
+ g_free(sock->hostname);
+ sock->hostname = g_strdup(hostname);
+ sock->port = port;
+ }
+
debug_print("socks5_connect: SOCKS5 connection to %s:%u successful.\n", hostname, port);
return 0;
diff --git a/libsylph/ssl.c b/libsylph/ssl.c
index 92165832..86c8d61a 100644
--- a/libsylph/ssl.c
+++ b/libsylph/ssl.c
@@ -1,6 +1,6 @@
/*
* LibSylph -- E-Mail client library
- * Copyright (C) 1999-2008 Hiroyuki Yamamoto
+ * Copyright (C) 1999-2014 Hiroyuki Yamamoto
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -30,6 +30,7 @@
#include "utils.h"
#include "ssl.h"
+#include "ssl_hostname_validation.h"
static SSL_CTX *ssl_ctx_SSLv23 = NULL;
static SSL_CTX *ssl_ctx_TLSv1 = NULL;
@@ -310,9 +311,14 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
verify_result = SSL_get_verify_result(sockinfo->ssl);
if (verify_result == X509_V_OK) {
- debug_print("SSL verify OK\n");
- X509_free(server_cert);
- return TRUE;
+ debug_print("SSL certificate verify OK\n");
+ if (ssl_validate_hostname(sockinfo->hostname, server_cert) == SSL_HOSTNAME_MATCH_FOUND) {
+ debug_print("SSL certificate hostname validation OK\n");
+ X509_free(server_cert);
+ return TRUE;
+ } else {
+ verify_result = X509_V_ERR_APPLICATION_VERIFICATION;
+ }
} else if (verify_result == X509_V_ERR_CERT_HAS_EXPIRED) {
log_message("SSL certificate of %s has expired\n", sockinfo->hostname);
expired = TRUE;
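Review bot: `ssl_validate_hostname()` is called only inside the `verify_result == X509_V_OK` branch, so a certificate that takes the `X509_V_ERR_CERT_HAS_EXPIRED` branch, or fails chain verification for any other reason, never has its names compared with `sockinfo->hostname`. If one of those paths can end in the connection being accepted (what happens after `expired = TRUE` and in the UI callback is outside the hunk), a certificate issued for a different host passes without the mismatch being checked or reported. Consider evaluating the match once before the chain, e.g. `host_ok = ssl_validate_hostname(sockinfo->hostname, server_cert) == SSL_HOSTNAME_MATCH_FOUND;`, and requiring `host_ok` on every path that returns TRUE. Treating every result other than `SSL_HOSTNAME_MATCH_FOUND` as a failure is the right fail-closed default and worth a one-line comment.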
@@ -330,9 +336,14 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
return FALSE;
}
- g_warning("%s: SSL certificate verify failed (%ld: %s)\n",
- sockinfo->hostname, verify_result,
- X509_verify_cert_error_string(verify_result));
+ if (verify_result == X509_V_ERR_APPLICATION_VERIFICATION) {
+ g_warning("%s: SSL hostname validation failed\n",
+ sockinfo->hostname);
+ } else {
+ g_warning("%s: SSL certificate verify failed (%ld: %s)\n",
+ sockinfo->hostname, verify_result,
+ X509_verify_cert_error_string(verify_result));
+ }
if (verify_ui_func) {
gint res;
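Review bot: `X509_V_ERR_APPLICATION_VERIFICATION` now doubles as the marker for "hostname mismatch", and that convention is implicit: it is set in the previous hunk, tested here and tested again in src/sslmanager.c. A comment at this test such as `/* set above when ssl_validate_hostname() did not report a match */` would make the link explicit; because the same code appears to be handed on to `verify_ui_func`, the convention is effectively part of the libsylph interface and deserves a note in ssl.h as well. The warning could also include the certificate subject, so that the log line alone shows which name was presented; whether a subject string is in scope at this point is not visible in the hunk.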
diff --git a/src/sslmanager.c b/src/sslmanager.c
index e184c699..8dce0526 100644
--- a/src/sslmanager.c
+++ b/src/sslmanager.c
@@ -99,7 +99,11 @@ gint ssl_manager_verify_cert(SockInfo *sockinfo, const gchar *hostname,
message = g_string_new("");
g_string_append_printf(message, _("The SSL certificate of %s cannot be verified by the following reason:"), hostname);
- g_string_append_printf(message, "\n %s\n\n", X509_verify_cert_error_string(verify_result));
+ if (verify_result == X509_V_ERR_APPLICATION_VERIFICATION) {
+ g_string_append_printf(message, "\n certificate hostname does not match\n\n");
+ } else {
+ g_string_append_printf(message, "\n %s\n\n", X509_verify_cert_error_string(verify_result));
+ }
g_string_append_printf(message, _("Subject: %s\n"), subject ? subject : "(unknown)");
g_string_append_printf(message, _("Issuer: %s\n"), issuer ? issuer : "(unknown)");
g_string_append_printf(message, _("Issued date: %s\n"), not_before);
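Review bot: The new string `"\n certificate hostname does not match\n\n"` is not marked for translation, while the surrounding messages in this dialog go through `_()`. I would write `g_string_append_printf(message, "\n %s\n\n", _("certificate hostname does not match"));`, which also keeps the layout characters out of the translatable text. This is the text the user reads when deciding whether to accept the certificate, so it should be localised like the rest of the dialog. ssl_manager_verify_cert starts and ends outside the hunk.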