diff options
-rw-r--r-- | camel/ChangeLog | 7 | ||||
-rw-r--r-- | camel/camel-tcp-stream-openssl.c | 51 | ||||
-rw-r--r-- | camel/camel-tcp-stream-ssl.c | 53 | ||||
-rw-r--r-- | camel/camel-tcp-stream-ssl.h | 1 |
4 files changed, 111 insertions, 1 deletions
diff --git a/camel/ChangeLog b/camel/ChangeLog index fc4d8da425..b1623c80d5 100644 --- a/camel/ChangeLog +++ b/camel/ChangeLog @@ -1,3 +1,10 @@ +2001-10-10 Jeffrey Stedfast <fejj@ximian.com> + + * camel-tcp-stream-openssl.c (ssl_verify): Same hack as below. + + * camel-tcp-stream-ssl.c (ssl_bad_cert): Hack around the fact that + adding a cert to nss's certdb seems to not work. + 2001-10-10 <NotZed@Ximian.com> * camel-vee-folder.c (vee_sync): Only re-build the folder if we're diff --git a/camel/camel-tcp-stream-openssl.c b/camel/camel-tcp-stream-openssl.c index a940f2419a..f83b309de7 100644 --- a/camel/camel-tcp-stream-openssl.c +++ b/camel/camel-tcp-stream-openssl.c @@ -466,6 +466,51 @@ socket_connect (struct hostent *h, int port) return fd; } +static void +save_ssl_cert (const char *certid) +{ + char *path, *filename; + struct stat st; + int fd; + + path = g_strdup_printf ("%s/.camel_certs", getenv ("HOME")); + if (mkdir (path, 0700) == -1) { + if (errno != EEXIST) + return; + + if (stat (path, &st) == -1) + return; + + if (!S_ISDIR (st.st_mode)) + return; + } + + filename = g_strdup_printf ("%s/%s", path, certid); + g_free (path); + + fd = open (filename, O_WRONLY | O_CREAT); + if (fd != -1) + close (fd); + + g_free (filename); +} + +static gboolean +ssl_cert_is_saved (const char *certid) +{ + char *filename; + int fd; + + filename = g_strdup_printf ("%s/.camel_certs/%s", getenv ("HOME"), certid); + + fd = open (filename, O_RDONLY); + g_free (filename); + if (fd != -1) + close (fd); + + return fd != -1; +} + static int ssl_verify (int ok, X509_STORE_CTX *ctx) { @@ -481,6 +526,9 @@ ssl_verify (int ok, X509_STORE_CTX *ctx) cert = X509_STORE_CTX_get_current_cert (ctx); err = X509_STORE_CTX_get_error (ctx); + if (stream) + ok = ssl_cert_is_saved (stream->priv->expected_host); + if (!ok && stream) { CamelService *service = stream->priv->service; char *prompt, *cert_str; @@ -499,6 +547,9 @@ ssl_verify (int ok, X509_STORE_CTX *ctx) ok = camel_session_alert_user (service->session, CAMEL_SESSION_ALERT_WARNING, prompt, TRUE); g_free (prompt); + + if (ok) + save_ssl_cert (stream->priv->expected_host); } return ok; diff --git a/camel/camel-tcp-stream-ssl.c b/camel/camel-tcp-stream-ssl.c index d025f49a20..fa0da4041a 100644 --- a/camel/camel-tcp-stream-ssl.c +++ b/camel/camel-tcp-stream-ssl.c @@ -333,6 +333,51 @@ ssl_auth_cert (void *data, PRFileDesc *sockfd, PRBool checksig, PRBool is_server } #endif +static void +save_ssl_cert (const char *certid) +{ + char *path, *filename; + struct stat st; + int fd; + + path = g_strdup_printf ("%s/.camel_certs", getenv ("HOME")); + if (mkdir (path, 0700) == -1) { + if (errno != EEXIST) + return; + + if (stat (path, &st) == -1) + return; + + if (!S_ISDIR (st.st_mode)) + return; + } + + filename = g_strdup_printf ("%s/%s", path, certid); + g_free (path); + + fd = open (filename, O_WRONLY | O_CREAT); + if (fd != -1) + close (fd); + + g_free (filename); +} + +static gboolean +ssl_cert_is_saved (const char *certid) +{ + char *filename; + int fd; + + filename = g_strdup_printf ("%s/.camel_certs/%s", getenv ("HOME"), certid); + + fd = open (filename, O_RDONLY); + g_free (filename); + if (fd != -1) + close (fd); + + return fd != -1; +} + static SECStatus ssl_bad_cert (void *data, PRFileDesc *sockfd) { @@ -348,6 +393,10 @@ ssl_bad_cert (void *data, PRFileDesc *sockfd) ssl = CAMEL_TCP_STREAM_SSL (data); service = ssl->priv->service; + /* this is part of a work-around hack */ + if (ssl_cert_is_saved (ssl->priv->expected_host)) + return SECSuccess; + cert = SSL_PeerCertificate (sockfd); cert_str = g_strdup_printf (_("EMail: %s\n" @@ -387,6 +436,10 @@ ssl_bad_cert (void *data, PRFileDesc *sockfd) CERT_ImportCerts (CERT_GetDefaultCertDB (), certUsageSSLServer, 1, certs, NULL, TRUE, FALSE, cert->nickname); + /* and since the above code doesn't seem to + work... time for a good ol' fashioned hack */ + save_ssl_cert (ssl->priv->expected_host); + return SECSuccess; } diff --git a/camel/camel-tcp-stream-ssl.h b/camel/camel-tcp-stream-ssl.h index af68fe9644..181c553a1a 100644 --- a/camel/camel-tcp-stream-ssl.h +++ b/camel/camel-tcp-stream-ssl.h @@ -57,7 +57,6 @@ CamelType camel_tcp_stream_ssl_get_type (void); /* public methods */ CamelStream *camel_tcp_stream_ssl_new (CamelService *service, const char *expected_host); - #ifdef __cplusplus } #endif /* __cplusplus */ |