PKGBUILDs/extra/claws-mail/claws-ssl-3.patch

From a74e15a5c7185b941a24b0b61bc134397c8d5737 Mon Sep 17 00:00:00 2001
From: Nepu User <nepu@localhost.localdomain>
Date: Sun, 27 Apr 2014 14:56:01 +0200
Subject: [PATCH 3/3] upstream commit 4d0f2b9b14819b26fbaa72ad129ec0c03e41400f

---
 src/common/ssl_certificate.c | 114 +++++++++++++++++++++++++++++--------------
 src/etpan/etpan-ssl.c        |   1 +
 src/etpan/imap-thread.c      |   4 +-
 src/etpan/nntp-thread.c      |   2 +-
 4 files changed, 82 insertions(+), 39 deletions(-)

diff --git a/src/common/ssl_certificate.c b/src/common/ssl_certificate.c
index 72f73ac..48e55c9 100644
--- a/src/common/ssl_certificate.c
+++ b/src/common/ssl_certificate.c
@@ -207,33 +207,73 @@ size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey_t pkey, unsigned char **output)
 	return key_size;
 }
 
-static gnutls_x509_crt_t gnutls_d2i_X509_fp(FILE *fp, int format)
+static int gnutls_d2i_X509_list_fp(FILE *fp, int format, gnutls_x509_crt_t **cert_list, gint *num_certs)
 {
-	gnutls_x509_crt_t cert = NULL;
+	gnutls_x509_crt_t *crt_list;
+	unsigned int max = 512;
+	unsigned int flags = 0;
 	gnutls_datum_t tmp;
 	struct stat s;
 	int r;
+
+	*cert_list = NULL;
+	*num_certs = 0;
+
+	if (fp == NULL)
+		return -ENOENT;
+
 	if (fstat(fileno(fp), &s) < 0) {
 		perror("fstat");
-		return NULL;
+		return -errno;
 	}
+
+	crt_list=(gnutls_x509_crt_t*)malloc(max*sizeof(gnutls_x509_crt_t));
 	tmp.data = malloc(s.st_size);
 	memset(tmp.data, 0, s.st_size);
 	tmp.size = s.st_size;
 	if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
 		perror("fread");
 		free(tmp.data);
-		return NULL;
+		free(crt_list);
+		return -EIO;
 	}
 
-	gnutls_x509_crt_init(&cert);
-	if ((r = gnutls_x509_crt_import(cert, &tmp, (format == 0)?GNUTLS_X509_FMT_DER:GNUTLS_X509_FMT_PEM)) < 0) {
+	if ((r = gnutls_x509_crt_list_import(crt_list, &max, 
+			&tmp, format, flags)) < 0) {
 		debug_print("cert import failed: %s\n", gnutls_strerror(r));
-		gnutls_x509_crt_deinit(cert);
-		cert = NULL;
+		free(tmp.data);
+		free(crt_list);
+		return r;
 	}
 	free(tmp.data);
-	debug_print("got cert! %p\n", cert);
+	debug_print("got %d certs in crt_list! %p\n", max, &crt_list);
+
+	*cert_list = crt_list;
+	*num_certs = max;
+
+	return r;
+}
+
+/* return one certificate, read from file */
+static gnutls_x509_crt_t gnutls_d2i_X509_fp(FILE *fp, int format)
+{
+	gnutls_x509_crt_t *certs = NULL;
+	gnutls_x509_crt_t cert = NULL;
+	int i, ncerts, r;
+
+	if ((r = gnutls_d2i_X509_list_fp(fp, format, &certs, &ncerts)) < 0) {
+		return NULL;
+	}
+
+	if (ncerts == 0)
+		return NULL;
+
+	for (i = 1; i < ncerts; i++)
+		gnutls_x509_crt_deinit(certs[i]);
+
+	cert = certs[0];
+	free(certs);
+
 	return cert;
 }
 
@@ -474,8 +514,6 @@ static guint check_cert(gnutls_x509_crt_t cert)
 	gnutls_x509_crt_t *ca_list;
 	unsigned int max = 512;
 	unsigned int flags = 0;
-	gnutls_datum_t tmp;
-	struct stat s;
 	int r, i;
 	unsigned int status;
 	FILE *fp;
@@ -485,34 +523,12 @@ static guint check_cert(gnutls_x509_crt_t cert)
 	else
 		return (guint)-1;
 
-	if (fstat(fileno(fp), &s) < 0) {
-		perror("fstat");
-		fclose(fp);
-		return (guint)-1;
-	}
-
-	ca_list=(gnutls_x509_crt_t*)malloc(max*sizeof(gnutls_x509_crt_t));
-	tmp.data = malloc(s.st_size);
-	memset(tmp.data, 0, s.st_size);
-	tmp.size = s.st_size;
-	if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
-		perror("fread");
-		free(tmp.data);
-		free(ca_list);
-		fclose(fp);
-		return (guint)-1;
-	}
-
-	if ((r = gnutls_x509_crt_list_import(ca_list, &max, 
-			&tmp, GNUTLS_X509_FMT_PEM, flags)) < 0) {
+	if ((r = gnutls_d2i_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &ca_list, &max)) < 0) {
 		debug_print("cert import failed: %s\n", gnutls_strerror(r));
-		free(tmp.data);
-		free(ca_list);
 		fclose(fp);
 		return (guint)-1;
 	}
-	free(tmp.data);
-	debug_print("got %d certs in ca_list! %p\n", max, &ca_list);
+
 	r = gnutls_x509_crt_verify(cert, ca_list, max, flags, &status);
 	fclose(fp);
 
@@ -649,18 +665,44 @@ gboolean ssl_certificate_check (gnutls_x509_crt_t x509_cert, guint status, const
 
 gboolean ssl_certificate_check_chain(gnutls_x509_crt_t *certs, gint chain_len, const gchar *host, gushort port)
 {
+	int ncas = 0, ncrls = 0;
+	gnutls_x509_crt_t *cas = NULL;
+	gnutls_x509_crl_t *crls = NULL;
 	gboolean result = FALSE;
+	int i;
 	gint status;
 
+	if (claws_ssl_get_cert_file()) {
+		FILE *fp = g_fopen(claws_ssl_get_cert_file(), "rb");
+		int r = -errno;
+
+		if (fp) {
+			r = gnutls_d2i_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &cas, &ncas);
+			fclose(fp);
+		}
+
+		if (r < 0)
+			g_warning("Can't read SSL_CERT_FILE %s: %s\n",
+				claws_ssl_get_cert_file(), 
+				gnutls_strerror(r));
+	} else {
+		debug_print("Can't find SSL ca-certificates file\n");
+	}
+
+
 	gnutls_x509_crt_list_verify (certs,
                              chain_len,
-                             NULL, 0,
+                             cas, ncas,
                              NULL, 0,
                              GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
                              &status);
 
 	result = ssl_certificate_check(certs[0], status, host, port);
 
+	for (i = 0; i < ncas; i++)
+		gnutls_x509_crt_deinit(cas[i]);
+	free(cas);
+
 	return result;
 }
 
diff --git a/src/etpan/etpan-ssl.c b/src/etpan/etpan-ssl.c
index c9dc9d8..f99955b 100644
--- a/src/etpan/etpan-ssl.c
+++ b/src/etpan/etpan-ssl.c
@@ -125,6 +125,7 @@ gboolean etpan_certificate_check(mailstream *stream, const char *host, gint port
 
 	for (i = 0; i < chain_len; i++)
 		gnutls_x509_crt_deinit(certs[i]);
+	free(certs);
 
 	return result;
 #endif
diff --git a/src/etpan/imap-thread.c b/src/etpan/imap-thread.c
index 4332f59..f0b504e 100644
--- a/src/etpan/imap-thread.c
+++ b/src/etpan/imap-thread.c
@@ -570,7 +570,7 @@ int imap_threaded_connect_ssl(Folder * folder, const char * server, int port)
 
 	if ((result.error == MAILIMAP_NO_ERROR_AUTHENTICATED ||
 	     result.error == MAILIMAP_NO_ERROR_NON_AUTHENTICATED) && !etpan_skip_ssl_cert_check) {
-		if (etpan_certificate_check(imap->imap_stream, server, port) < 0)
+		if (etpan_certificate_check(imap->imap_stream, server, port) != TRUE)
 			result.error = MAILIMAP_ERROR_SSL;
 	}
 	debug_print("connect %d with imap %p\n", result.error, imap);
@@ -1107,7 +1107,7 @@ int imap_threaded_starttls(Folder * folder, const gchar *host, int port)
 	debug_print("imap starttls - end\n");
 
 	if (result.error == 0 && param.imap && !etpan_skip_ssl_cert_check) {
-		if (etpan_certificate_check(param.imap->imap_stream, host, port) < 0)
+		if (etpan_certificate_check(param.imap->imap_stream, host, port) != TRUE)
 			return MAILIMAP_ERROR_SSL;
 	}	
 	return result.error;
diff --git a/src/etpan/nntp-thread.c b/src/etpan/nntp-thread.c
index 84a2f83..7708d31 100644
--- a/src/etpan/nntp-thread.c
+++ b/src/etpan/nntp-thread.c
@@ -423,7 +423,7 @@ int nntp_threaded_connect_ssl(Folder * folder, const char * server, int port)
 	threaded_run(folder, &param, &result, connect_ssl_run);
 
 	if (result.error == NEWSNNTP_NO_ERROR && !etpan_skip_ssl_cert_check) {
-		if (etpan_certificate_check(nntp->nntp_stream, server, port) < 0)
+		if (etpan_certificate_check(nntp->nntp_stream, server, port) != TRUE)
 			return -1;
 	}
 	debug_print("connect %d with nntp %p\n", result.error, nntp);
-- 
1.9.2
extra/claws-mail to 3.9.3-4 2014-04-29 13:10:12 +00:00			`From a74e15a5c7185b941a24b0b61bc134397c8d5737 Mon Sep 17 00:00:00 2001`
			`From: Nepu User <nepu@localhost.localdomain>`
			`Date: Sun, 27 Apr 2014 14:56:01 +0200`
			`Subject: [PATCH 3/3] upstream commit 4d0f2b9b14819b26fbaa72ad129ec0c03e41400f`

			`---`
			`src/common/ssl_certificate.c \| 114 +++++++++++++++++++++++++++++--------------`
			`src/etpan/etpan-ssl.c \| 1 +`
			`src/etpan/imap-thread.c \| 4 +-`
			`src/etpan/nntp-thread.c \| 2 +-`
			`4 files changed, 82 insertions(+), 39 deletions(-)`

			`diff --git a/src/common/ssl_certificate.c b/src/common/ssl_certificate.c`
			`index 72f73ac..48e55c9 100644`
			`--- a/src/common/ssl_certificate.c`
			`+++ b/src/common/ssl_certificate.c`
			`@@ -207,33 +207,73 @@ size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey_t pkey, unsigned char **output)`
			`return key_size;`
			`}`

			`-static gnutls_x509_crt_t gnutls_d2i_X509_fp(FILE *fp, int format)`
			`+static int gnutls_d2i_X509_list_fp(FILE fp, int format, gnutls_x509_crt_t cert_list, gint num_certs)`
			`{`
			`- gnutls_x509_crt_t cert = NULL;`
			`+ gnutls_x509_crt_t *crt_list;`
			`+ unsigned int max = 512;`
			`+ unsigned int flags = 0;`
			`gnutls_datum_t tmp;`
			`struct stat s;`
			`int r;`
			`+`
			`+ *cert_list = NULL;`
			`+ *num_certs = 0;`
			`+`
			`+ if (fp == NULL)`
			`+ return -ENOENT;`
			`+`
			`if (fstat(fileno(fp), &s) < 0) {`
			`perror("fstat");`
			`- return NULL;`
			`+ return -errno;`
			`}`
			`+`
			`+ crt_list=(gnutls_x509_crt_t)malloc(maxsizeof(gnutls_x509_crt_t));`
			`tmp.data = malloc(s.st_size);`
			`memset(tmp.data, 0, s.st_size);`
			`tmp.size = s.st_size;`
			`if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {`
			`perror("fread");`
			`free(tmp.data);`
			`- return NULL;`
			`+ free(crt_list);`
			`+ return -EIO;`
			`}`

			`- gnutls_x509_crt_init(&cert);`
			`- if ((r = gnutls_x509_crt_import(cert, &tmp, (format == 0)?GNUTLS_X509_FMT_DER:GNUTLS_X509_FMT_PEM)) < 0) {`
			`+ if ((r = gnutls_x509_crt_list_import(crt_list, &max,`
			`+ &tmp, format, flags)) < 0) {`
			`debug_print("cert import failed: %s\n", gnutls_strerror(r));`
			`- gnutls_x509_crt_deinit(cert);`
			`- cert = NULL;`
			`+ free(tmp.data);`
			`+ free(crt_list);`
			`+ return r;`
			`}`
			`free(tmp.data);`
			`- debug_print("got cert! %p\n", cert);`
			`+ debug_print("got %d certs in crt_list! %p\n", max, &crt_list);`
			`+`
			`+ *cert_list = crt_list;`
			`+ *num_certs = max;`
			`+`
			`+ return r;`
			`+}`
			`+`
			`+/* return one certificate, read from file */`
			`+static gnutls_x509_crt_t gnutls_d2i_X509_fp(FILE *fp, int format)`
			`+{`
			`+ gnutls_x509_crt_t *certs = NULL;`
			`+ gnutls_x509_crt_t cert = NULL;`
			`+ int i, ncerts, r;`
			`+`
			`+ if ((r = gnutls_d2i_X509_list_fp(fp, format, &certs, &ncerts)) < 0) {`
			`+ return NULL;`
			`+ }`
			`+`
			`+ if (ncerts == 0)`
			`+ return NULL;`
			`+`
			`+ for (i = 1; i < ncerts; i++)`
			`+ gnutls_x509_crt_deinit(certs[i]);`
			`+`
			`+ cert = certs[0];`
			`+ free(certs);`
			`+`
			`return cert;`
			`}`

			`@@ -474,8 +514,6 @@ static guint check_cert(gnutls_x509_crt_t cert)`
			`gnutls_x509_crt_t *ca_list;`
			`unsigned int max = 512;`
			`unsigned int flags = 0;`
			`- gnutls_datum_t tmp;`
			`- struct stat s;`
			`int r, i;`
			`unsigned int status;`
			`FILE *fp;`
			`@@ -485,34 +523,12 @@ static guint check_cert(gnutls_x509_crt_t cert)`
			`else`
			`return (guint)-1;`

			`- if (fstat(fileno(fp), &s) < 0) {`
			`- perror("fstat");`
			`- fclose(fp);`
			`- return (guint)-1;`
			`- }`
			`-`
			`- ca_list=(gnutls_x509_crt_t)malloc(maxsizeof(gnutls_x509_crt_t));`
			`- tmp.data = malloc(s.st_size);`
			`- memset(tmp.data, 0, s.st_size);`
			`- tmp.size = s.st_size;`
			`- if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {`
			`- perror("fread");`
			`- free(tmp.data);`
			`- free(ca_list);`
			`- fclose(fp);`
			`- return (guint)-1;`
			`- }`
			`-`
			`- if ((r = gnutls_x509_crt_list_import(ca_list, &max,`
			`- &tmp, GNUTLS_X509_FMT_PEM, flags)) < 0) {`
			`+ if ((r = gnutls_d2i_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &ca_list, &max)) < 0) {`
			`debug_print("cert import failed: %s\n", gnutls_strerror(r));`
			`- free(tmp.data);`
			`- free(ca_list);`
			`fclose(fp);`
			`return (guint)-1;`
			`}`
			`- free(tmp.data);`
			`- debug_print("got %d certs in ca_list! %p\n", max, &ca_list);`
			`+`
			`r = gnutls_x509_crt_verify(cert, ca_list, max, flags, &status);`
			`fclose(fp);`

			`@@ -649,18 +665,44 @@ gboolean ssl_certificate_check (gnutls_x509_crt_t x509_cert, guint status, const`

			`gboolean ssl_certificate_check_chain(gnutls_x509_crt_t certs, gint chain_len, const gchar host, gushort port)`
			`{`
			`+ int ncas = 0, ncrls = 0;`
			`+ gnutls_x509_crt_t *cas = NULL;`
			`+ gnutls_x509_crl_t *crls = NULL;`
			`gboolean result = FALSE;`
			`+ int i;`
			`gint status;`

			`+ if (claws_ssl_get_cert_file()) {`
			`+ FILE *fp = g_fopen(claws_ssl_get_cert_file(), "rb");`
			`+ int r = -errno;`
			`+`
			`+ if (fp) {`
			`+ r = gnutls_d2i_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &cas, &ncas);`
			`+ fclose(fp);`
			`+ }`
			`+`
			`+ if (r < 0)`
			`+ g_warning("Can't read SSL_CERT_FILE %s: %s\n",`
			`+ claws_ssl_get_cert_file(),`
			`+ gnutls_strerror(r));`
			`+ } else {`
			`+ debug_print("Can't find SSL ca-certificates file\n");`
			`+ }`
			`+`
			`+`
			`gnutls_x509_crt_list_verify (certs,`
			`chain_len,`
			`- NULL, 0,`
			`+ cas, ncas,`
			`NULL, 0,`
			`GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,`
			`&status);`

			`result = ssl_certificate_check(certs[0], status, host, port);`

			`+ for (i = 0; i < ncas; i++)`
			`+ gnutls_x509_crt_deinit(cas[i]);`
			`+ free(cas);`
			`+`
			`return result;`
			`}`

			`diff --git a/src/etpan/etpan-ssl.c b/src/etpan/etpan-ssl.c`
			`index c9dc9d8..f99955b 100644`
			`--- a/src/etpan/etpan-ssl.c`
			`+++ b/src/etpan/etpan-ssl.c`
			`@@ -125,6 +125,7 @@ gboolean etpan_certificate_check(mailstream stream, const char host, gint port`

			`for (i = 0; i < chain_len; i++)`
			`gnutls_x509_crt_deinit(certs[i]);`
			`+ free(certs);`

			`return result;`
			`#endif`
			`diff --git a/src/etpan/imap-thread.c b/src/etpan/imap-thread.c`
			`index 4332f59..f0b504e 100644`
			`--- a/src/etpan/imap-thread.c`
			`+++ b/src/etpan/imap-thread.c`
			`@@ -570,7 +570,7 @@ int imap_threaded_connect_ssl(Folder * folder, const char * server, int port)`

			`if ((result.error == MAILIMAP_NO_ERROR_AUTHENTICATED \|\|`
			`result.error == MAILIMAP_NO_ERROR_NON_AUTHENTICATED) && !etpan_skip_ssl_cert_check) {`
			`- if (etpan_certificate_check(imap->imap_stream, server, port) < 0)`
			`+ if (etpan_certificate_check(imap->imap_stream, server, port) != TRUE)`
			`result.error = MAILIMAP_ERROR_SSL;`
			`}`
			`debug_print("connect %d with imap %p\n", result.error, imap);`
			`@@ -1107,7 +1107,7 @@ int imap_threaded_starttls(Folder * folder, const gchar *host, int port)`
			`debug_print("imap starttls - end\n");`

			`if (result.error == 0 && param.imap && !etpan_skip_ssl_cert_check) {`
			`- if (etpan_certificate_check(param.imap->imap_stream, host, port) < 0)`
			`+ if (etpan_certificate_check(param.imap->imap_stream, host, port) != TRUE)`
			`return MAILIMAP_ERROR_SSL;`
			`}`
			`return result.error;`
			`diff --git a/src/etpan/nntp-thread.c b/src/etpan/nntp-thread.c`
			`index 84a2f83..7708d31 100644`
			`--- a/src/etpan/nntp-thread.c`
			`+++ b/src/etpan/nntp-thread.c`
			`@@ -423,7 +423,7 @@ int nntp_threaded_connect_ssl(Folder * folder, const char * server, int port)`
			`threaded_run(folder, &param, &result, connect_ssl_run);`

			`if (result.error == NEWSNNTP_NO_ERROR && !etpan_skip_ssl_cert_check) {`
			`- if (etpan_certificate_check(nntp->nntp_stream, server, port) < 0)`
			`+ if (etpan_certificate_check(nntp->nntp_stream, server, port) != TRUE)`
			`return -1;`
			`}`
			`debug_print("connect %d with nntp %p\n", result.error, nntp);`
			`--`
			`1.9.2`