Hello community,

here is the log from the commit of package claws-mail for openSUSE:Factory 
checked in at 2012-08-13 19:53:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/claws-mail (Old)
 and      /work/SRC/openSUSE:Factory/.claws-mail.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "claws-mail", Maintainer is "nadvor...@suse.com"

Changes:
--------
--- /work/SRC/openSUSE:Factory/claws-mail/claws-mail.changes    2012-08-07 
08:03:18.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.claws-mail.new/claws-mail.changes       
2012-08-13 19:53:12.000000000 +0200
@@ -1,0 +2,8 @@
+Thu Aug  9 12:59:41 UTC 2012 - dims...@opensuse.org
+
+- Add claws-mail-verify-hostname.patch: fix SSL negotiation and
+  hostname verification.
+- Drop claws-mail-certbundle-path.patch: integrated in the upstram
+  patch. 
+
+-------------------------------------------------------------------

Old:
----
  claws-mail-certbundle-path.patch

New:
----
  claws-mail-verify-hostname.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ claws-mail.spec ++++++
--- /var/tmp/diff_new_pack.3D4K0t/_old  2012-08-13 19:53:31.000000000 +0200
+++ /var/tmp/diff_new_pack.3D4K0t/_new  2012-08-13 19:53:31.000000000 +0200
@@ -32,8 +32,8 @@
 Patch0:         claws-mail-python.diff
 # PATCH-FIX-UPSTREAM claws-mail-bnc770014.patch bnc#770014 -- Fix crash when 
trying to view info about pgp/smime sign
 Patch1:         claws-mail-bnc770014.patch
-# PATCH-FIX-UPSTREAM claws-mail-certbundle-path.patch bnc#761503 
dims...@opensuse.org -- Add our own path to the ssl ca bundle.
-Patch2:         claws-mail-certbundle-path.patch
+# PATCH-FIX-UPSTREAM claws-mail-verify-hostname.patch bnc#761503 -- Verify 
peer names when negotiating certificates.
+Patch3:         claws-mail-verify-hostname.patch
 BuildRequires:  NetworkManager-devel
 BuildRequires:  compface
 BuildRequires:  db-devel
@@ -110,7 +110,7 @@
 %setup -q
 %patch0
 %patch1 -p1
-%patch2 -p1
+%patch3 -p0
 
 %build
 %configure \

++++++ claws-mail-verify-hostname.patch ++++++
Index: src/common/ssl.c
===================================================================
--- src/common/ssl.c.orig
+++ src/common/ssl.c
@@ -104,6 +104,7 @@ const gchar *claws_ssl_get_cert_file(voi
        const char *cert_files[]={
                "/etc/pki/tls/certs/ca-bundle.crt",
                "/etc/certs/ca-bundle.crt",
+               "/etc/ssl/ca-bundle.pem",
                "/usr/share/ssl/certs/ca-bundle.crt",
                "/etc/ssl/certs/ca-certificates.crt",
                "/usr/local/ssl/certs/ca-bundle.crt",
Index: src/common/ssl_certificate.c
===================================================================
--- src/common/ssl_certificate.c.orig
+++ src/common/ssl_certificate.c
@@ -833,4 +833,22 @@ void ssl_certificate_get_x509_and_pkey_f
                gnutls_pkcs12_deinit(p12);
        }
 }
+
+gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert)
+{
+       return gnutls_x509_crt_check_hostname(cert->x509_cert, cert->host) != 0;
+}
+
+gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert)
+{
+       gchar subject_cn[BUFFSIZE];
+       size_t n = BUFFSIZE;
+
+       if(gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
+               GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_cn, &n))
+               strncpy(subject_cn, _("<not in certificate>"), BUFFSIZE);
+
+       return g_strdup(subject_cn);
+}
+
 #endif /* USE_GNUTLS */
Index: src/common/ssl_certificate.h
===================================================================
--- src/common/ssl_certificate.h.orig
+++ src/common/ssl_certificate.h
@@ -63,13 +63,13 @@ void ssl_certificate_delete_from_disk(SS
 char * readable_fingerprint(unsigned char *src, int len);
 char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status);
 
-#ifdef USE_GNUTLS
 gnutls_x509_crt ssl_certificate_get_x509_from_pem_file(const gchar *file);
 gnutls_x509_privkey ssl_certificate_get_pkey_from_pem_file(const gchar *file);
 void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, 
                        const gchar *password, gnutls_x509_crt *crt, 
gnutls_x509_privkey *key);
 size_t gnutls_i2d_X509(gnutls_x509_crt x509_cert, unsigned char **output);
 size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey pkey, unsigned char **output);
-#endif
+gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert);
+gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert);
 #endif /* USE_GNUTLS */
 #endif /* SSL_CERTIFICATE_H */
Index: src/gtk/sslcertwindow.c
===================================================================
--- src/gtk/sslcertwindow.c.orig
+++ src/gtk/sslcertwindow.c
@@ -284,6 +284,7 @@ static gboolean sslcert_ask_hook(gpointe
        } else {
                hookdata->accept = 
sslcertwindow_ask_changed_cert(hookdata->old_cert, hookdata->cert);
        }
+
        return TRUE;
 }
 
@@ -303,6 +304,24 @@ void sslcertwindow_show_cert(SSLCertific
        g_free(buf);
 }
 
+static gchar *sslcertwindow_get_invalid_str(SSLCertificate *cert)
+{
+       gchar *subject_cn = NULL;
+       gchar *str = NULL;
+
+       if (ssl_certificate_check_subject_cn(cert))
+               return g_strdup("");
+       
+       subject_cn = ssl_certificate_get_subject_cn(cert);
+       
+       str = g_strdup_printf(_("Certificate is for %s, but connection is to 
%s.\n"
+                               "You may be connecting to a rogue 
server.\n\n"), 
+                               subject_cn, cert->host);
+       g_free(subject_cn);
+       
+       return str;
+}
+
 static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
 {
        gchar *buf, *sig_status;
@@ -311,9 +330,11 @@ static gboolean sslcertwindow_ask_new_ce
        GtkWidget *label;
        GtkWidget *button;
        GtkWidget *cert_widget;
-       
+       gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
+       const gchar *title;
+
        vbox = gtk_vbox_new(FALSE, 5);
-       buf = g_strdup_printf(_("Certificate for %s is unknown.\nDo you want to 
accept it?"), cert->host);
+       buf = g_strdup_printf(_("Certificate for %s is unknown.\n%sDo you want 
to accept it?"), cert->host, invalid_str);
        label = gtk_label_new(buf);
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
        gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
@@ -336,7 +357,12 @@ static gboolean sslcertwindow_ask_new_ce
        cert_widget = cert_presenter(cert);
        gtk_container_add(GTK_CONTAINER(button), cert_widget);
 
-       val = alertpanel_full(_("Unknown SSL Certificate"), NULL,
+       if (!ssl_certificate_check_subject_cn(cert))
+               title = _("SSL certificate is invalid");
+       else
+               title = _("SSL Certificate is unknown");
+
+       val = alertpanel_full(title, NULL,
                              _("_Cancel connection"), _("_Accept and save"), 
NULL,
                              FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
        
@@ -351,9 +377,13 @@ static gboolean sslcertwindow_ask_expire
        GtkWidget *label;
        GtkWidget *button;
        GtkWidget *cert_widget;
-       
+       gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
+       const gchar *title;
+
        vbox = gtk_vbox_new(FALSE, 5);
-       buf = g_strdup_printf(_("Certificate for %s is expired.\nDo you want to 
continue?"), cert->host);
+       buf = g_strdup_printf(_("Certificate for %s is expired.\n%sDo you want 
to continue?"), cert->host, invalid_str);
+       g_free(invalid_str);
+
        label = gtk_label_new(buf);
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
        gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
@@ -377,7 +407,12 @@ static gboolean sslcertwindow_ask_expire
        cert_widget = cert_presenter(cert);
        gtk_container_add(GTK_CONTAINER(button), cert_widget);
 
-       val = alertpanel_full(_("Expired SSL Certificate"), NULL,
+       if (!ssl_certificate_check_subject_cn(cert))
+               title = _("SSL certificate is invalid and expired");
+       else
+               title = _("SSL certificate is expired");
+
+       val = alertpanel_full(title, NULL,
                              _("_Cancel connection"), _("_Accept"), NULL,
                              FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
        
@@ -394,7 +429,9 @@ static gboolean sslcertwindow_ask_change
        GtkWidget *label;
        GtkWidget *button;
        AlertValue val;
-       
+       gchar *invalid_str = sslcertwindow_get_invalid_str(new_cert);
+       const gchar *title;
+
        vbox = gtk_vbox_new(FALSE, 5);
        label = gtk_label_new(_("New certificate:"));
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
@@ -408,7 +445,9 @@ static gboolean sslcertwindow_ask_change
        gtk_widget_show_all(vbox);
        
        vbox2 = gtk_vbox_new(FALSE, 5);
-       buf = g_strdup_printf(_("Certificate for %s has changed. Do you want to 
accept it?"), new_cert->host);
+       buf = g_strdup_printf(_("Certificate for %s has changed.\n%sDo you want 
to accept it?"), new_cert->host, invalid_str);
+       g_free(invalid_str);
+
        label = gtk_label_new(buf);
        gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
        gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0);
@@ -431,7 +470,11 @@ static gboolean sslcertwindow_ask_change
        gtk_box_pack_start(GTK_BOX(vbox2), button, FALSE, FALSE, 0);
        gtk_container_add(GTK_CONTAINER(button), vbox);
 
-       val = alertpanel_full(_("Changed SSL Certificate"), NULL,
+       if (!ssl_certificate_check_subject_cn(new_cert))
+               title = _("SSL certificate changed and is invalid");
+       else
+               title = _("SSL certificate changed");
+       val = alertpanel_full(title, NULL,
                              _("_Cancel connection"), _("_Accept and save"), 
NULL,
                              FALSE, vbox2, ALERT_WARNING, G_ALERTDEFAULT);
        
-- 
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org

Reply via email to