Hello community, here is the log from the commit of package claws-mail for openSUSE:Factory checked in at 2012-08-13 19:53:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/claws-mail (Old) and /work/SRC/openSUSE:Factory/.claws-mail.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "claws-mail", Maintainer is "[email protected]"
Changes:
--------
--- /work/SRC/openSUSE:Factory/claws-mail/claws-mail.changes 2012-08-07 08:03:18.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.claws-mail.new/claws-mail.changes 2012-08-13 19:53:12.000000000 +0200
@@ -1,0 +2,8 @@
+Thu Aug 9 12:59:41 UTC 2012 - [email protected]
+
+- Add claws-mail-verify-hostname.patch: fix SSL negotiation and
+ hostname verification.
+- Drop claws-mail-certbundle-path.patch: integrated in the upstram
+ patch.
+
+-------------------------------------------------------------------
Old:
----
claws-mail-certbundle-path.patch
New:
----
claws-mail-verify-hostname.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ claws-mail.spec ++++++
--- /var/tmp/diff_new_pack.3D4K0t/_old 2012-08-13 19:53:31.000000000 +0200
+++ /var/tmp/diff_new_pack.3D4K0t/_new 2012-08-13 19:53:31.000000000 +0200
@@ -32,8 +32,8 @@
 Patch0: claws-mail-python.diff
 # PATCH-FIX-UPSTREAM claws-mail-bnc770014.patch bnc#770014 -- Fix crash when trying to view info about pgp/smime sign
 Patch1: claws-mail-bnc770014.patch
-# PATCH-FIX-UPSTREAM claws-mail-certbundle-path.patch bnc#761503 [email protected] -- Add our own path to the ssl ca bundle.
-Patch2: claws-mail-certbundle-path.patch
+# PATCH-FIX-UPSTREAM claws-mail-verify-hostname.patch bnc#761503 -- Verify peer names when negotiating certificates.
+Patch3: claws-mail-verify-hostname.patch
 BuildRequires: NetworkManager-devel
 BuildRequires: compface
 BuildRequires: db-devel
@@ -110,7 +110,7 @@
 %setup -q
 %patch0
 %patch1 -p1
-%patch2 -p1
+%patch3 -p0
 %build
 %configure \
++++++ claws-mail-verify-hostname.patch ++++++
Index: src/common/ssl.c
===================================================================
--- src/common/ssl.c.orig
+++ src/common/ssl.c
@@ -104,6 +104,7 @@ const gchar *claws_ssl_get_cert_file(voi
 const char *cert_files[]={
 "/etc/pki/tls/certs/ca-bundle.crt",
 "/etc/certs/ca-bundle.crt",
+ "/etc/ssl/ca-bundle.pem",
 "/usr/share/ssl/certs/ca-bundle.crt",
 "/etc/ssl/certs/ca-certificates.crt",
 "/usr/local/ssl/certs/ca-bundle.crt",
Index: src/common/ssl_certificate.c
===================================================================
--- src/common/ssl_certificate.c.orig
+++ src/common/ssl_certificate.c
@@ -833,4 +833,22 @@ void ssl_certificate_get_x509_and_pkey_f
 gnutls_pkcs12_deinit(p12);
 }
 }
+
+gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert)
+{
+ return gnutls_x509_crt_check_hostname(cert->x509_cert, cert->host) != 0;
+}
+
+gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert)
+{
+ gchar subject_cn[BUFFSIZE];
+ size_t n = BUFFSIZE;
+
+ if(gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
+ GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_cn, &n))
+ strncpy(subject_cn, _("<not in certificate>"), BUFFSIZE);
+
+ return g_strdup(subject_cn);
+}
+
 #endif /* USE_GNUTLS */
Index: src/common/ssl_certificate.h
===================================================================
--- src/common/ssl_certificate.h.orig
+++ src/common/ssl_certificate.h
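Review bot: `ssl_certificate_get_subject_cn` fills its fallback with `strncpy(subject_cn, _("<not in certificate>"), BUFFSIZE);`, which leaves `subject_cn` without a terminator if the translated placeholder ever reaches BUFFSIZE characters, and the following `g_strdup(subject_cn)` would then read past the array; `g_strlcpy(subject_cn, _("<not in certificate>"), sizeof subject_cn);` always terminates and is the GLib idiom already used alongside g_strdup here. `ssl_certificate_check_subject_cn` returns TRUE whenever `gnutls_x509_crt_check_hostname()` accepts `cert->host`, which presumably also covers subjectAltName entries, so the "subject_cn" name understates what it checks. Within this patch the result of that check is consumed only by the dialog text in src/gtk/sslcertwindow.c; whether a mismatched name is also rejected on the non-interactive path, for instance for a certificate already saved for that host, is not visible in these hunks and is worth confirming.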
@@ -63,13 +63,13 @@ void ssl_certificate_delete_from_disk(SS
 char * readable_fingerprint(unsigned char *src, int len);
 char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status);
-#ifdef USE_GNUTLS
 gnutls_x509_crt ssl_certificate_get_x509_from_pem_file(const gchar *file);
 gnutls_x509_privkey ssl_certificate_get_pkey_from_pem_file(const gchar *file);
 void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gchar *password, gnutls_x509_crt *crt, gnutls_x509_privkey *key);
 size_t gnutls_i2d_X509(gnutls_x509_crt x509_cert, unsigned char **output);
 size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey pkey, unsigned char **output);
-#endif
+gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert);
+gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert);
 #endif /* USE_GNUTLS */
 #endif /* SSL_CERTIFICATE_H */
Index: src/gtk/sslcertwindow.c
===================================================================
--- src/gtk/sslcertwindow.c.orig
+++ src/gtk/sslcertwindow.c
@@ -284,6 +284,7 @@ static gboolean sslcert_ask_hook(gpointe
 } else {
 hookdata->accept = sslcertwindow_ask_changed_cert(hookdata->old_cert, hookdata->cert);
 } + return TRUE; }
@@ -303,6 +304,24 @@ void sslcertwindow_show_cert(SSLCertific
 g_free(buf);
 }
+static gchar *sslcertwindow_get_invalid_str(SSLCertificate *cert)
+{
+ gchar *subject_cn = NULL;
+ gchar *str = NULL;
+
+ if (ssl_certificate_check_subject_cn(cert))
+ return g_strdup("");
+
+ subject_cn = ssl_certificate_get_subject_cn(cert);
+
+ str = g_strdup_printf(_("Certificate is for %s, but connection is to %s.\n"
+ "You may be connecting to a rogue server.\n\n"),
+ subject_cn, cert->host);
+ g_free(subject_cn);
+
+ return str;
+}
+
 static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
 {
 gchar *buf, *sig_status;
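Review bot: The two prototypes added at the end of the USE_GNUTLS block carry no comment, so a caller reading the header cannot tell what is matched or who owns the result. A one-line comment above `gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert);` saying it returns TRUE when `cert->host` matches the certificate's name(s) as judged by gnutls_x509_crt_check_hostname(), and one above `gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert);` saying it returns a newly allocated copy of the subject CN (or a translated "<not in certificate>" placeholder) that the caller releases with g_free(), would cover it. Both claims are grounded in the definitions in the src/common/ssl_certificate.c hunk of this patch.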
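Review bot: The mismatch text built in sslcertwindow_get_invalid_str reports only the subject CN, while the verdict it explains comes from `ssl_certificate_check_subject_cn`, which the ssl_certificate.c hunk implements with gnutls_x509_crt_check_hostname() and which presumably also consults subjectAltName entries. A certificate whose CN equals `cert->host` but whose SAN list does not could then show "Certificate is for example.org, but connection is to example.org." with no visible contradiction for the user to act on. Consider phrasing the sentence as the verdict itself, e.g. `_("None of the names in the certificate (subject %s) match %s.\n")` hedged to match what the check actually does, or listing the SAN names alongside the CN; the fallback text "<not in certificate>" already appears as the CN when none is present, so the message should read correctly with it too.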
@@ -311,9 +330,11 @@ static gboolean sslcertwindow_ask_new_ce
 GtkWidget *label;
 GtkWidget *button;
 GtkWidget *cert_widget;
-
+ gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
+ const gchar *title;
+
 vbox = gtk_vbox_new(FALSE, 5);
- buf = g_strdup_printf(_("Certificate for %s is unknown.\nDo you want to accept it?"), cert->host);
+ buf = g_strdup_printf(_("Certificate for %s is unknown.\n%sDo you want to accept it?"), cert->host, invalid_str);
 label = gtk_label_new(buf);
 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
@@ -336,7 +357,12 @@ static gboolean sslcertwindow_ask_new_ce
 cert_widget = cert_presenter(cert);
 gtk_container_add(GTK_CONTAINER(button), cert_widget);
- val = alertpanel_full(_("Unknown SSL Certificate"), NULL,
+ if (!ssl_certificate_check_subject_cn(cert))
+ title = _("SSL certificate is invalid");
+ else
+ title = _("SSL Certificate is unknown");
+
+ val = alertpanel_full(title, NULL,
 _("_Cancel connection"), _("_Accept and save"), NULL, FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
@@ -351,9 +377,13 @@ static gboolean sslcertwindow_ask_expire
 GtkWidget *label;
 GtkWidget *button;
 GtkWidget *cert_widget;
-
+ gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
+ const gchar *title;
+
 vbox = gtk_vbox_new(FALSE, 5);
- buf = g_strdup_printf(_("Certificate for %s is expired.\nDo you want to continue?"), cert->host);
+ buf = g_strdup_printf(_("Certificate for %s is expired.\n%sDo you want to continue?"), cert->host, invalid_str);
+ g_free(invalid_str);
+
 label = gtk_label_new(buf);
 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
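Review bot: `invalid_str` obtained from `sslcertwindow_get_invalid_str(cert)` is never released in this hunk: once `buf = g_strdup_printf(_("Certificate for %s is unknown.\n%sDo you want to accept it?"), cert->host, invalid_str);` has run the string is no longer needed, and the expired and changed variants (`@@ -351,9 +377,13 @@` and `@@ -408,7 +445,9 @@`) free it at exactly that point. Unless sslcertwindow_ask_new_cert frees it further down — its body continues outside the hunk — this leaks one allocation per prompt; add `g_free(invalid_str);` directly after that line so the three dialogs are written alike.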
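Review bot: The title branch calls `ssl_certificate_check_subject_cn(cert)` a second time even though `sslcertwindow_get_invalid_str(cert)` evaluated the same check a few lines earlier in the same function; taking `gboolean name_ok = ssl_certificate_check_subject_cn(cert);` once at the top and deriving both the message and the title from it would make the two agree by construction and avoid re-running the name match on the dialog path. The same repeated call appears in `@@ -377,7 +407,12 @@` and `@@ -431,7 +470,11 @@`. Separately, `_("SSL Certificate is unknown")` capitalises "Certificate" while every other new title in this patch uses lower case; `_("SSL certificate is unknown")` keeps the set consistent for translators.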
@@ -377,7 +407,12 @@ static gboolean sslcertwindow_ask_expire
 cert_widget = cert_presenter(cert);
 gtk_container_add(GTK_CONTAINER(button), cert_widget);
- val = alertpanel_full(_("Expired SSL Certificate"), NULL,
+ if (!ssl_certificate_check_subject_cn(cert))
+ title = _("SSL certificate is invalid and expired");
+ else
+ title = _("SSL certificate is expired");
+
+ val = alertpanel_full(title, NULL,
 _("_Cancel connection"), _("_Accept"), NULL, FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
@@ -394,7 +429,9 @@ static gboolean sslcertwindow_ask_change
 GtkWidget *label;
 GtkWidget *button;
 AlertValue val;
-
+ gchar *invalid_str = sslcertwindow_get_invalid_str(new_cert);
+ const gchar *title;
+
 vbox = gtk_vbox_new(FALSE, 5);
 label = gtk_label_new(_("New certificate:"));
 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
@@ -408,7 +445,9 @@ static gboolean sslcertwindow_ask_change
 gtk_widget_show_all(vbox);
 vbox2 = gtk_vbox_new(FALSE, 5);
- buf = g_strdup_printf(_("Certificate for %s has changed. Do you want to accept it?"), new_cert->host);
+ buf = g_strdup_printf(_("Certificate for %s has changed.\n%sDo you want to accept it?"), new_cert->host, invalid_str);
+ g_free(invalid_str);
+
 label = gtk_label_new(buf);
 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0);
@@ -431,7 +470,11 @@ static gboolean sslcertwindow_ask_change
 gtk_box_pack_start(GTK_BOX(vbox2), button, FALSE, FALSE, 0);
 gtk_container_add(GTK_CONTAINER(button), vbox);
- val = alertpanel_full(_("Changed SSL Certificate"), NULL,
+ if (!ssl_certificate_check_subject_cn(new_cert))
+ title = _("SSL certificate changed and is invalid");
+ else
+ title = _("SSL certificate changed");
+ val = alertpanel_full(title, NULL,
 _("_Cancel connection"), _("_Accept and save"), NULL, FALSE, vbox2, ALERT_WARNING, G_ALERTDEFAULT);
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
