author | William Ehlhardt <williamehlhardt@gmail.com> | 2007-08-10 05:44:20 +0000 |
---|---|---|
committer | William Ehlhardt <williamehlhardt@gmail.com> | 2007-08-10 05:44:20 +0000 |
commit | ca62fff309f4fe8eeebf6b405a253dc500287d3a (patch) | |
tree | 53b6b07542aa1fec345e98a2f3dffb7c8c691851 | |
parent | 236e0a34f0f4892098644c1ecb0f6918482f72ab (diff) | |
- Add HOSTNAME CHECKING to tls_cached unknown_peer mode, which is kind
of important, I'd say. This is all still untested.
-rw-r--r-- | libpurple/certificate.c | 28 |
1 files changed, 25 insertions, 3 deletions
diff --git a/libpurple/certificate.c b/libpurple/certificate.c index 091288615c..a42e369e2e 100644 --- a/libpurple/certificate.c +++ b/libpurple/certificate.c @@ -921,12 +921,35 @@ static void x509_tls_cached_unknown_peer(PurpleCertificateVerificationRequest *vrq) { PurpleCertificatePool *ca, *tls_peers; - PurpleCertificate *end_crt, *ca_crt; + PurpleCertificate *end_crt, *ca_crt, *peer_crt; GList *chain = vrq->cert_chain; GList *last; gchar *ca_id; - /* First, check that the certificate chain is valid */ + peer_crt = (PurpleCertificate *) chain->data; + + /* First, check that the hostname matches */ + if ( ! purple_certificate_check_subject_name(peer_crt, + vrq->subject_name) ) { + gchar *sn = purple_certificate_get_subject_name(peer_crt); + + purple_debug_info("certificate/x509/tls_cached", + "Name mismatch: Certificate given for %s " + "has a name of %s\n", + vrq->subject_name, sn); + g_free(sn); + + /* Prompt the user to authenticate the certificate */ + /* TODO: Provide the user with more guidance about why he is + being prompted */ + /* vrq will be completed by user_auth */ + x509_tls_cached_user_auth(vrq); + return; + } /* if (name mismatch) */ + + + + /* Next, check that the certificate chain is valid */ if ( ! purple_certificate_check_signature_chain(chain) ) { /* TODO: Tell the user where the chain broke? */ /* TODO: This error will hopelessly confuse any @@ -1022,7 +1045,6 @@ x509_tls_cached_unknown_peer(PurpleCertificateVerificationRequest *vrq) "tls_peers"); if (tls_peers) { - PurpleCertificate *peer_crt = (PurpleCertificate *)chain->data; g_assert(purple_certificate_pool_store(tls_peers, vrq->subject_name, peer_crt) ); |
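Review bot: `peer_crt = (PurpleCertificate *) chain->data;` at the top of x509_tls_cached_unknown_peer dereferences `chain` before anything has checked that `vrq->cert_chain` is non-empty. An empty GList is NULL, so a request that arrives with no certificates would crash here instead of failing verification. Unless every caller already guarantees a non-empty chain, I would guard it first with `if (chain == NULL) { /* fail the request as invalid */ return; }`, completing the request however the broken-chain branch reports failure. Separately, the name-mismatch branch returns into `x509_tls_cached_user_auth(vrq)` before `purple_certificate_check_signature_chain(chain)` runs, so the user is asked to accept a certificate whose chain was never checked and the mismatch shows up only in the debug log; a comment such as `/* NOTE: signature chain has NOT been validated on this path */` above the call would make that explicit. The function body continues past the end of this hunk.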