CVS commit by ossi:
make ssl certificate handling much more useful:
- system-wide ca certs are auto-loaded
- private certs are accepted even if they are self-signed
M +88 -18 drv_imap.c 1.36
--- isync/src/drv_imap.c #1.35:1.36
@@ -67,4 +67,5 @@ typedef struct imap_server_conf {
unsigned use_tlsv1:1;
unsigned require_cram:1;
+ X509_STORE *cert_store;
#endif
} imap_server_conf_t;
@@ -183,13 +184,44 @@ static const char *Flags[] = {
#if HAVE_LIBSSL
+/* Some of this code is inspired by / lifted from mutt. */
+
+static int
+compare_certificates( X509 *cert, X509 *peercert,
+ unsigned char *peermd, unsigned peermdlen )
+{
+ unsigned char md[EVP_MAX_MD_SIZE];
+ unsigned mdlen;
+
+ /* Avoid CPU-intensive digest calculation if the certificates are
+ * not even remotely equal. */
+ if (X509_subject_name_cmp( cert, peercert ) ||
+ X509_issuer_name_cmp( cert, peercert ))
+ return -1;
+
+ if (!X509_digest( cert, EVP_sha1(), md, &mdlen ) ||
+ peermdlen != mdlen || memcmp( peermd, md, mdlen ))
+ return -1;
+
+ return 0;
+}
+
+#if OPENSSL_VERSION_NUMBER >= 0x00904000L
+#define READ_X509_KEY(fp, key) PEM_read_X509( fp, key, 0, 0 )
+#else
+#define READ_X509_KEY(fp, key) PEM_read_X509( fp, key, 0 )
+#endif
/* this gets called when a certificate is to be verified */
static int
-verify_cert( SSL *ssl )
+verify_cert( imap_store_t *ctx )
{
- X509 *cert;
+ imap_server_conf_t *srvc = ((imap_store_conf_t *)ctx->gen.conf)->server;
+ SSL *ssl = ctx->buf.sock.ssl;
+ X509 *cert, *lcert;
BIO *bio;
+ FILE *fp;
int err;
unsigned n, i;
+ X509_STORE_CTX xsc;
char buf[256];
unsigned char md[EVP_MAX_MD_SIZE];
@@ -201,8 +233,54 @@ verify_cert( SSL *ssl )
}
- err = SSL_get_verify_result( ssl );
- if (err == X509_V_OK)
+ while (srvc->cert_file) { // So break works
+ if (X509_cmp_current_time( X509_get_notBefore( cert )) >= 0) {
+ error( "Server certificate is not yet valid" );
+ break;
+ }
+ if (X509_cmp_current_time( X509_get_notAfter( cert )) <= 0) {
+ error( "Server certificate has expired" );
+ break;
+ }
+ if (!X509_digest( cert, EVP_sha1(), md, &n )) {
+ error( "*** Unable to calculate digest\n" );
+ break;
+ }
+ if (!(fp = fopen( srvc->cert_file, "rt" ))) {
+ error( "Unable to load CertificateFile '%s': %s\n",
+ srvc->cert_file, strerror( errno ) );
return 0;
+ }
+ for (lcert = 0; READ_X509_KEY( fp, &lcert ); )
+ if (!(err = compare_certificates( lcert, cert, md, n )))
+ break;
+ X509_free( lcert );
+ fclose( fp );
+ if (!err)
+ return 0;
+ break;
+ }
+ if (!srvc->cert_store) {
+ if (!(srvc->cert_store = X509_STORE_new())) {
+ error( "Error creating certificate store\n" );
+ return -1;
+ }
+ if (!X509_STORE_set_default_paths( srvc->cert_store ))
+ warn( "Error while loading default certificate files:
%s\n",
+ ERR_error_string( ERR_get_error(), 0 ) );
+ if (!srvc->cert_file) {
+ info( "Note: CertificateFile not defined\n" );
+ } else if (!X509_STORE_load_locations( srvc->cert_store,
srvc->cert_file, 0 )) {
+ error( "Error while loading certificate file '%s':
%s\n",
+ srvc->cert_file, ERR_error_string(
ERR_get_error(), 0 ) );
+ return -1;
+ }
+ }
+
+ X509_STORE_CTX_init( &xsc, srvc->cert_store, cert, 0 );
+ err = X509_verify_cert( &xsc ) > 0 ? 0 : X509_STORE_CTX_get_error( &xsc
);
+ X509_STORE_CTX_cleanup( &xsc );
+ if (!err)
+ return 0;
error( "Error, can't verify certificate: %s (%d)\n",
X509_verify_cert_error_string(err), err );
@@ -222,7 +300,7 @@ verify_cert( SSL *ssl )
BIO_free( bio );
info( " to: %s\n", buf );
- if (!X509_digest( cert, EVP_md5(), md, &n ))
- info( "*** Unable to calculate fingerprint\n" );
- else {
+ if (!X509_digest( cert, EVP_md5(), md, &n )) {
+ error( "*** Unable to calculate fingerprint\n" );
+ } else {
info( "Fingerprint: " );
for (i = 0; i < n; i += 2)
@@ -250,12 +328,4 @@ init_ssl_ctx( imap_store_t *ctx )
ctx->SSLContext = SSL_CTX_new( method );
- if (!srvc->cert_file) {
- info( "Note: CertificateFile not defined\n" );
- } else if (!SSL_CTX_load_verify_locations( ctx->SSLContext,
srvc->cert_file, NULL )) {
- error( "Error while loading certificate file '%s': %s\n",
- srvc->cert_file, ERR_error_string( ERR_get_error(), 0 )
);
- return -1;
- }
-
if (!srvc->use_sslv2)
options |= SSL_OP_NO_SSLv2;
@@ -1122,5 +1192,5 @@ start_tls( imap_store_t *ctx )
/* verify the server certificate */
- if (verify_cert( ctx->buf.sock.ssl ))
+ if (verify_cert( ctx ))
return 1;
-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
isync-devel mailing list
isync-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/isync-devel
