diff -Nru mutt-1.5.5.1.orig/PATCHES mutt-1.5.5.1/PATCHES --- mutt-1.5.5.1.orig/PATCHES 2004-03-21 15:27:20.000000000 +0000 +++ mutt-1.5.5.1/PATCHES 2004-03-21 15:27:57.000000000 +0000 @@ -1,0 +1 @@ +patch-1.4.admcd.gnutls.58d diff -Nru mutt-1.5.5.1.orig/globals.h mutt-1.5.5.1/globals.h --- mutt-1.5.5.1.orig/globals.h 2003-11-05 09:41:31.000000000 +0000 +++ mutt-1.5.5.1/globals.h 2004-03-21 15:27:57.000000000 +0000 @@ -102,10 +102,16 @@ WHERE char *Signature; WHERE char *SimpleSearch; WHERE char *Spoolfile; -#if defined(USE_SSL) || defined(USE_NSS) +#if defined(USE_SSL) || defined(USE_NSS) || defined(USE_GNUTLS) WHERE char *SslCertFile INITVAL (NULL); +#endif +#if defined(USE_SSL) || defined(USE_NSS) WHERE char *SslEntropyFile INITVAL (NULL); #endif +#ifdef USE_GNUTLS +WHERE short SslDHPrimeBits; +WHERE char *SslCACertFile INITVAL (NULL); +#endif WHERE char *StChars; WHERE char *Status; WHERE char *Tempdir; diff -Nru mutt-1.5.5.1.orig/imap/imap.c mutt-1.5.5.1/imap/imap.c --- mutt-1.5.5.1.orig/imap/imap.c 2004-03-21 15:26:49.000000000 +0000 +++ mutt-1.5.5.1/imap/imap.c 2004-03-21 15:27:57.000000000 +0000 @@ -29,7 +29,7 @@ #include "browser.h" #include "message.h" #include "imap_private.h" -#ifdef USE_SSL +#if defined(USE_SSL) || defined(USE_GNUTLS) # include "mutt_ssl.h" #endif @@ -408,7 +408,7 @@ /* TODO: Parse new tagged CAPABILITY data (* OK [CAPABILITY...]) */ if (imap_check_capabilities (idata)) goto bail; -#if defined(USE_SSL) && !defined(USE_NSS) +#if defined(USE_SSL) || defined(USE_GNUTLS) /* Attempt STARTTLS if available and desired. */ if (mutt_bit_isset (idata->capabilities, STARTTLS) && !idata->conn->ssf) { @@ -422,7 +422,11 @@ goto bail; if (rc != -2) { +#ifdef USE_SSL if (mutt_ssl_starttls (idata->conn)) +#elif USE_GNUTLS + if (mutt_gnutls_starttls (idata->conn)) +#endif { mutt_error (_("Could not negotiate TLS connection")); mutt_sleep (1); diff -Nru mutt-1.5.5.1.orig/imap/util.c mutt-1.5.5.1/imap/util.c --- mutt-1.5.5.1.orig/imap/util.c 2003-11-05 09:41:36.000000000 +0000 +++ mutt-1.5.5.1/imap/util.c 2004-03-21 15:27:57.000000000 +0000 @@ -164,7 +164,7 @@ } } -#ifdef USE_SSL +#if defined(USE_SSL) || defined(USE_GNUTLS) if (option (OPTIMAPFORCESSL)) mx->account.flags |= M_ACCT_SSL; #endif diff -Nru mutt-1.5.5.1.orig/init.c mutt-1.5.5.1/init.c --- mutt-1.5.5.1.orig/init.c 2003-11-05 09:41:31.000000000 +0000 +++ mutt-1.5.5.1/init.c 2004-03-21 15:27:57.000000000 +0000 @@ -27,7 +27,7 @@ #include "mutt_crypt.h" #include "mutt_idna.h" -#if defined(USE_SSL) || defined(USE_NSS) +#if defined(USE_SSL) || defined(USE_NSS) || defined(USE_GNUTLS) #include "mutt_ssl.h" #endif diff -Nru mutt-1.5.5.1.orig/init.h mutt-1.5.5.1/init.h --- mutt-1.5.5.1.orig/init.h 2004-03-21 15:27:20.000000000 +0000 +++ mutt-1.5.5.1/init.h 2004-03-21 15:27:57.000000000 +0000 @@ -782,7 +782,7 @@ ** as folder separators for displaying IMAP paths. In particular it ** helps in using the '=' shortcut for your \fIfolder\fP variable. */ -# ifdef USE_SSL +# if defined(USE_SSL) || defined(USE_GNUTLS) { "imap_force_ssl", DT_BOOL, R_NONE, OPTIMAPFORCESSL, 0 }, /* ** .pp @@ -1737,8 +1737,8 @@ ** (S/MIME only) */ -#if defined(USE_SSL)||defined(USE_NSS) -# ifndef USE_NSS +#if defined(USE_SSL)||defined(USE_NSS)||defined(USE_GNUTLS) +# if defined(USE_SSL)||defined(USE_GNUTLS) { "ssl_starttls", DT_QUAD, R_NONE, OPT_SSLSTARTTLS, M_YES }, /* ** .pp @@ -1762,6 +1762,7 @@ ** .pp ** Example: set certificate_file=~/.mutt/certificates */ +# ifndef USE_GNUTLS { "ssl_usesystemcerts", DT_BOOL, R_NONE, OPTSSLSYSTEMCERTS, 1 }, /* ** .pp @@ -1781,6 +1782,7 @@ ** This variables specifies whether to attempt to use SSLv2 in the ** SSL authentication process. */ +# endif { "ssl_use_sslv3", DT_BOOL, R_NONE, OPTSSLV3, 1 }, /* ** .pp @@ -1793,6 +1795,24 @@ ** This variables specifies whether to attempt to use TLSv1 in the ** SSL authentication process. */ +#ifdef USE_GNUTLS + { "ssl_min_dh_prime_bits", DT_NUM, R_NONE, UL &SslDHPrimeBits, 0 }, + /* + ** .pp + ** This variable specifies the minimum acceptable prime size (in bits) + ** for use in any Diffie-Hellman key exchange. A value of 0 will use + ** the default from the GNUTLS library. + */ + { "ssl_ca_certificates_file", DT_PATH, R_NONE, UL &SslCACertFile, 0 }, + /* + ** .pp + ** This variable specifies a file containing trusted CA certificates. + ** Any server certificate that is signed with one of these CA + ** certificates are also automatically accepted. + ** .pp + ** Example: set ssl_ca_certificates_file=/etc/ssl/certs/ca-certificates.crt + */ +#endif #endif { "pipe_split", DT_BOOL, R_NONE, OPTPIPESPLIT, 0 }, diff -Nru mutt-1.5.5.1.orig/main.c mutt-1.5.5.1/main.c --- mutt-1.5.5.1.orig/main.c 2004-03-21 15:27:20.000000000 +0000 +++ mutt-1.5.5.1/main.c 2004-03-21 15:27:57.000000000 +0000 @@ -241,6 +241,12 @@ "-USE_SSL " #endif +#ifdef USE_GNUTLS + "+USE_GNUTLS " +#else + "-USE_GNUTLS " +#endif + #ifdef USE_SASL "+USE_SASL " #else diff -Nru mutt-1.5.5.1.orig/mutt.h mutt-1.5.5.1/mutt.h --- mutt-1.5.5.1.orig/mutt.h 2004-03-21 15:27:20.000000000 +0000 +++ mutt-1.5.5.1/mutt.h 2004-03-21 15:27:57.000000000 +0000 @@ -289,7 +289,7 @@ OPT_QUIT, OPT_REPLYTO, OPT_RECALL, -#ifdef USE_SSL +#if defined(USE_SSL) || defined(USE_GNUTLS) OPT_SSLSTARTTLS, #endif OPT_SUBJECT, @@ -362,15 +362,19 @@ OPTIMAPPASSIVE, OPTIMAPPEEK, OPTIMAPSERVERNOISE, -# ifdef USE_SSL +# if defined(USE_SSL) || defined(USE_GNUTLS) OPTIMAPFORCESSL, # endif #endif -#if defined(USE_SSL) || defined(USE_NSS) +#if defined(USE_SSL) || defined(USE_NSS) || defined(USE_GNUTLS) +# ifndef USE_GNUTLS OPTSSLV2, +# endif OPTSSLV3, OPTTLSV1, +# ifndef USE_GNUTLS OPTSSLSYSTEMCERTS, +# endif #endif OPTIMPLICITAUTOVIEW, OPTKEEPFLAGGED, diff -Nru mutt-1.5.5.1.orig/mutt_sasl.c mutt-1.5.5.1/mutt_sasl.c --- mutt-1.5.5.1.orig/mutt_sasl.c 2004-03-21 15:26:50.000000000 +0000 +++ mutt-1.5.5.1/mutt_sasl.c 2004-03-21 15:27:57.000000000 +0000 @@ -293,7 +293,7 @@ * If someone does it'd probably be trivial to write mutt_nss_get_ssf(). * I have a feeling more SSL code could be shared between those two files, * but I haven't looked into it yet, since I still don't know the APIs. */ -#if defined(USE_SSL) && !defined(USE_NSS) +#if (defined(USE_SSL) || defined(USE_GNUTLS)) && !defined(USE_NSS) if (conn->account.flags & M_ACCT_SSL) { #ifdef USE_SASL2 /* I'm not sure this actually has an effect, at least with SASLv2 */ diff -Nru mutt-1.5.5.1.orig/mutt_socket.c mutt-1.5.5.1/mutt_socket.c --- mutt-1.5.5.1.orig/mutt_socket.c 2004-03-21 15:26:50.000000000 +0000 +++ mutt-1.5.5.1/mutt_socket.c 2004-03-21 15:27:57.000000000 +0000 @@ -22,7 +22,7 @@ #include "globals.h" #include "mutt_socket.h" #include "mutt_tunnel.h" -#ifdef USE_SSL +#if defined(USE_SSL) || defined(USE_GNUTLS) || defined(USE_NSS) # include "mutt_ssl.h" #endif @@ -257,6 +257,12 @@ ssl_socket_setup (conn); #elif USE_NSS mutt_nss_socket_setup (conn); +#elif USE_GNUTLS + if (mutt_gnutls_socket_setup (conn) < 0) + { + mutt_socket_free (conn); + return NULL; + } #else mutt_error _("SSL is unavailable."); mutt_sleep (2); diff -Nru mutt-1.5.5.1.orig/mutt_ssl.h mutt-1.5.5.1/mutt_ssl.h --- mutt-1.5.5.1.orig/mutt_ssl.h 2002-01-24 12:10:50.000000000 +0000 +++ mutt-1.5.5.1/mutt_ssl.h 2004-03-21 15:27:57.000000000 +0000 @@ -21,8 +21,17 @@ #include "mutt_socket.h" +#ifdef USE_SSL int mutt_ssl_starttls (CONNECTION* conn); extern int ssl_socket_setup (CONNECTION *conn); +#endif +#ifdef USE_GNUTLS +int mutt_gnutls_starttls (CONNECTION* conn); +extern int mutt_gnutls_socket_setup (CONNECTION *conn); +#endif +#ifdef USE_NSS +int mutt_nss_socket_setup (CONNECTION* conn); +#endif #endif /* _MUTT_SSL_H_ */ diff -Nru mutt-1.5.5.1.orig/mutt_ssl_gnutls.c mutt-1.5.5.1/mutt_ssl_gnutls.c --- mutt-1.5.5.1.orig/mutt_ssl_gnutls.c 1970-01-01 01:00:00.000000000 +0100 +++ mutt-1.5.5.1/mutt_ssl_gnutls.c 2004-03-21 15:28:06.000000000 +0000 @@ -0,0 +1,818 @@ +/* Copyright (C) 2001 Marco d'Itri + * Copyright (C) 2001-2004 Andrew McDonald + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA. + */ + +#include +#include + +#include "mutt.h" +#include "mutt_socket.h" +#include "mutt_curses.h" +#include "mutt_menu.h" +#include "mutt_ssl.h" +#include "mutt_regex.h" + +typedef struct _tlssockdata +{ + gnutls_session state; + gnutls_certificate_credentials xcred; +} +tlssockdata; + +/* local prototypes */ +static int tls_socket_read (CONNECTION* conn, char* buf, size_t len); +static int tls_socket_write (CONNECTION* conn, const char* buf, size_t len); +static int tls_socket_open (CONNECTION* conn); +static int tls_socket_close (CONNECTION* conn); +static int tls_starttls_close (CONNECTION* conn); + +static int tls_init (void); +static int tls_negotiate (CONNECTION* conn); +static int tls_check_certificate (CONNECTION* conn); + + +static int tls_init (void) +{ + static unsigned char init_complete = 0; + int err; + + if (init_complete) + return 0; + + err = gnutls_global_init(); + if (err < 0) + { + mutt_error ("gnutls_global_init: %s", gnutls_strerror(err)); + mutt_sleep (2); + return -1; + } + + init_complete = 1; + return 0; +} + +int mutt_gnutls_socket_setup (CONNECTION* conn) +{ + if (tls_init() < 0) + return -1; + + conn->open = tls_socket_open; + conn->read = tls_socket_read; + conn->write = tls_socket_write; + conn->close = tls_socket_close; + + return 0; +} + +static int tls_socket_read (CONNECTION* conn, char* buf, size_t len) +{ + tlssockdata *data = conn->sockdata; + int ret; + + if (!data) + { + mutt_error ("Error: no TLS socket open"); + mutt_sleep (2); + return -1; + } + + ret = gnutls_record_recv (data->state, buf, len); + if (gnutls_error_is_fatal(ret) == 1) + { + mutt_error ("tls_socket_read (%s)", gnutls_strerror (ret)); + mutt_sleep (4); + return -1; + } + return ret; +} + +static int tls_socket_write (CONNECTION* conn, const char* buf, size_t len) +{ + tlssockdata *data = conn->sockdata; + int ret; + + if (!data) + { + mutt_error ("Error: no TLS socket open"); + mutt_sleep (2); + return -1; + } + + ret = gnutls_record_send (data->state, buf, len); + if (gnutls_error_is_fatal(ret) == 1) + { + mutt_error ("tls_socket_write (%s)", gnutls_strerror (ret)); + mutt_sleep (4); + return -1; + } + return ret; +} + +static int tls_socket_open (CONNECTION* conn) +{ + if (raw_socket_open (conn) < 0) + return -1; + + if (tls_negotiate (conn) < 0) + { + tls_socket_close (conn); + return -1; + } + + return 0; +} + +int mutt_gnutls_starttls (CONNECTION* conn) +{ + if (tls_init() < 0) + return -1; + + if (tls_negotiate (conn) < 0) + return -1; + + conn->read = tls_socket_read; + conn->write = tls_socket_write; + conn->close = tls_starttls_close; + + return 0; +} + +static int protocol_priority[] = {GNUTLS_TLS1, GNUTLS_SSL3, 0}; + +/* tls_negotiate: After TLS state has been initialised, attempt to negotiate + * TLS over the wire, including certificate checks. */ +static int tls_negotiate (CONNECTION * conn) +{ + tlssockdata *data; + int err; + + data = (tlssockdata *) safe_calloc (1, sizeof (tlssockdata)); + conn->sockdata = data; + err = gnutls_certificate_allocate_credentials (&data->xcred); + if (err < 0) + { + FREE(&conn->sockdata); + mutt_error ("gnutls_certificate_allocate_credentials: %s", gnutls_strerror(err)); + mutt_sleep (2); + return -1; + } + + gnutls_certificate_set_x509_trust_file (data->xcred, SslCertFile, + GNUTLS_X509_FMT_PEM); + /* ignore errors, maybe file doesn't exist yet */ + + if (SslCACertFile) + { + gnutls_certificate_set_x509_trust_file (data->xcred, SslCACertFile, + GNUTLS_X509_FMT_PEM); + } + +/* + gnutls_set_x509_client_key (data->xcred, "", ""); + gnutls_set_x509_cert_callback (data->xcred, cert_callback); +*/ + + gnutls_init(&data->state, GNUTLS_CLIENT); + + /* set socket */ + gnutls_transport_set_ptr (data->state, (gnutls_transport_ptr)conn->fd); + + /* disable TLS/SSL protocols as needed */ + if (!option(OPTTLSV1) && !option(OPTSSLV3)) + { + mutt_error (_("All available protocols for TLS/SSL connection disabled")); + goto fail; + } + else if (!option(OPTTLSV1)) + { + protocol_priority[0] = GNUTLS_SSL3; + protocol_priority[1] = 0; + } + else if (!option(OPTSSLV3)) + { + protocol_priority[0] = GNUTLS_TLS1; + protocol_priority[1] = 0; + } + /* + else + use the list set above + */ + + /* We use default priorities (see gnutls documentation), + except for protocol version */ + gnutls_set_default_priority (data->state); + gnutls_protocol_set_priority (data->state, protocol_priority); + + if (SslDHPrimeBits > 0) + { + gnutls_dh_set_prime_bits (data->state, SslDHPrimeBits); + } + +/* + gnutls_set_cred (data->state, GNUTLS_ANON, NULL); +*/ + + gnutls_credentials_set (data->state, GNUTLS_CRD_CERTIFICATE, data->xcred); + + err = gnutls_handshake(data->state); + + while (err == GNUTLS_E_AGAIN || err == GNUTLS_E_INTERRUPTED) + { + err = gnutls_handshake(data->state); + } + if (err < 0) { + if (err == GNUTLS_E_FATAL_ALERT_RECEIVED) + { + mutt_error("gnutls_handshake: %s(%s)", gnutls_strerror(err), + gnutls_alert_get_name(gnutls_alert_get(data->state))); + } + else + { + mutt_error("gnutls_handshake: %s", gnutls_strerror(err)); + } + mutt_sleep (2); + goto fail; + } + + if (!tls_check_certificate(conn)) + goto fail; + + /* set Security Strength Factor (SSF) for SASL */ + /* NB: gnutls_cipher_get_key_size() returns key length in bytes */ + conn->ssf = gnutls_cipher_get_key_size (gnutls_cipher_get (data->state)) * 8; + + mutt_message (_("SSL/TLS connection using %s (%s/%s/%s)"), + gnutls_protocol_get_name (gnutls_protocol_get_version (data->state)), + gnutls_kx_get_name (gnutls_kx_get (data->state)), + gnutls_cipher_get_name (gnutls_cipher_get (data->state)), + gnutls_mac_get_name (gnutls_mac_get (data->state))); + mutt_sleep (0); + + return 0; + + fail: + gnutls_certificate_free_credentials (data->xcred); + gnutls_deinit (data->state); + FREE(&conn->sockdata); + return -1; +} + +static int tls_socket_close (CONNECTION* conn) +{ + tlssockdata *data = conn->sockdata; + if (data) + { + gnutls_bye (data->state, GNUTLS_SHUT_RDWR); + + gnutls_certificate_free_credentials (data->xcred); + gnutls_deinit (data->state); + safe_free ((void **) &conn->sockdata); + } + + return raw_socket_close (conn); +} + +static int tls_starttls_close (CONNECTION* conn) +{ + int rc; + + rc = tls_socket_close (conn); + conn->read = raw_socket_read; + conn->write = raw_socket_write; + conn->close = raw_socket_close; + + return rc; +} + +#define CERT_SEP "-----BEGIN" + +/* this bit is based on read_ca_file() in gnutls */ +static int tls_compare_certificates (const gnutls_datum *peercert) +{ + int certsize, maxcertsize; + char *cert = NULL; + unsigned char *ptr; + FILE *fd1; + int ret; + gnutls_datum b64_data; + unsigned char *b64_data_data; + struct stat filestat; + + if (stat(SslCertFile, &filestat) == -1) + return 0; + + b64_data.size = filestat.st_size+1; + b64_data_data = (unsigned char *) safe_calloc (1, b64_data.size); + b64_data_data[b64_data.size-1] = '\0'; + b64_data.data = b64_data_data; + + fd1 = fopen(SslCertFile, "r"); + if (fd1 == NULL) { + return 0; + } + + b64_data.size = fread(b64_data.data, 1, b64_data.size, fd1); + fclose(fd1); + + maxcertsize = 4096; + cert = (char *) safe_calloc (1, maxcertsize); + + do { + certsize = maxcertsize; + ret = gnutls_pem_base64_decode(NULL, &b64_data, cert, &certsize); + if (ret == GNUTLS_E_INVALID_REQUEST && certsize > maxcertsize) + { + FREE (&cert); + maxcertsize = certsize; + cert = (char *) safe_calloc (1, maxcertsize); + ret = gnutls_pem_base64_decode(NULL, &b64_data, cert, &certsize); + } + if (ret < 0 || certsize < 0) + { + FREE (&cert); + FREE (&b64_data_data); + return 0; + } + + ptr = (unsigned char *)strstr(b64_data.data, CERT_SEP) + 1; + ptr = (unsigned char *)strstr(ptr, CERT_SEP); + + b64_data.size = b64_data.size - (ptr - b64_data.data); + b64_data.data = ptr; + + if (certsize == peercert->size) + { + if (memcmp (cert, peercert->data, certsize) == 0) + { + /* match found */ + FREE (&cert); + FREE (&b64_data_data); + return 1; + } + } + + } while (ptr != NULL); + + /* no match found */ + FREE (&cert); + FREE (&b64_data_data); + return 0; +} + +static void tls_fingerprint (char* s, int l, const gnutls_datum* data) +{ + unsigned char md[36]; + size_t n; + int j; + + n = 36; + + if (gnutls_fingerprint (GNUTLS_MAC_MD5, data, (char *)md, &n) < 0) + { + snprintf (s, l, _("[unable to calculate]")); + } + else + { + for (j = 0; j < (int) n; j++) + { + char ch[8]; + snprintf (ch, 8, "%02X%s", md[j], (j % 2 ? " " : "")); + strncat (s, ch, l); + } + s[2*n+n/2-1] = '\0'; /* don't want trailing space */ + } +} + +static char *tls_make_date (time_t t, char *s, size_t len) +{ + struct tm *l = gmtime (&t); + + if (l) + snprintf (s, len, "%s, %d %s %d %02d:%02d:%02d UTC", + Weekdays[l->tm_wday], l->tm_mday, Months[l->tm_mon], + l->tm_year + 1900, l->tm_hour, l->tm_min, l->tm_sec); + else + strfcpy (s, _("[invalid date]"), len); + + return (s); +} + +static int tls_check_stored_hostname (const gnutls_datum *cert, + const char *hostname) +{ + char buf[80]; + FILE *fp; + char *linestr = NULL; + size_t linestrsize; + int linenum = 0; + regex_t preg; + regmatch_t pmatch[3]; + + /* try checking against names stored in stored certs file */ + if ((fp = fopen (SslCertFile, "r"))) + { + if (regcomp(&preg, "^#H ([a-zA-Z0-9_\\.-]+) ([0-9A-F]{4}( [0-9A-F]{4}){7})[ \t]*$", REG_ICASE|REG_EXTENDED) != 0) + { + regfree(&preg); + return 0; + } + + buf[0] = '\0'; + tls_fingerprint (buf, sizeof (buf), cert); + while ((linestr = mutt_read_line(linestr, &linestrsize, fp, &linenum)) != NULL) + { + if(linestr[0] == '#' && linestr[1] == 'H') + { + if (regexec(&preg, linestr, 3, pmatch, 0) == 0) + { + linestr[pmatch[1].rm_eo] = '\0'; + linestr[pmatch[2].rm_eo] = '\0'; + if (strcmp(linestr + pmatch[1].rm_so, hostname) == 0 && + strcmp(linestr + pmatch[2].rm_so, buf) == 0) + { + regfree(&preg); + safe_free((void**)&linestr); + fclose(fp); + return 1; + } + } + } + } + + regfree(&preg); + fclose(fp); + } + + /* not found a matching name */ + return 0; +} + +static int tls_check_certificate (CONNECTION* conn) +{ + tlssockdata *data = conn->sockdata; + gnutls_session state = data->state; + char helpstr[SHORT_STRING]; + char buf[SHORT_STRING]; + char fpbuf[SHORT_STRING]; + int buflen; + char dn_common_name[SHORT_STRING]; + char dn_email[SHORT_STRING]; + char dn_organization[SHORT_STRING]; + char dn_organizational_unit[SHORT_STRING]; + char dn_locality[SHORT_STRING]; + char dn_province[SHORT_STRING]; + char dn_country[SHORT_STRING]; + MUTTMENU *menu; + int done, row, i, ret; + FILE *fp; + gnutls_x509_dn dn; + time_t t; + const gnutls_datum *cert_list; + int cert_list_size = 0; + gnutls_certificate_status certstat; + char datestr[30]; + char *certdata = NULL; + gnutls_x509_crt cert; + int certsize; + int certerr_expired = 0; + int certerr_notyetvalid = 0; + int certerr_hostname = 0; + int certerr_nottrusted = 0; + + + if (gnutls_auth_get_type(state) != GNUTLS_CRD_CERTIFICATE) + { + mutt_error (_("Unable to get certificate from peer")); + mutt_sleep (2); + return 0; + } + + certstat = gnutls_certificate_verify_peers(state); + + if (certstat == GNUTLS_E_NO_CERTIFICATE_FOUND) + { + mutt_error (_("Unable to get certificate from peer")); + mutt_sleep (2); + return 0; + } + if (certstat < 0) + { + mutt_error (_("Certificate verification error (%s)"), gnutls_strerror(certstat)); + mutt_sleep (2); + return 0; + } + + if (certstat & GNUTLS_CERT_REVOKED) + { + mutt_error (_("Certificate from peer is revoked")); + mutt_sleep (2); + return 0; + } + + if (certstat & GNUTLS_CERT_INVALID) + { + certerr_nottrusted = 1; + certstat ^= GNUTLS_CERT_INVALID; + } + + /* We only support X.509 certificates (not OpenPGP) at the moment */ + if (gnutls_certificate_type_get(state) != GNUTLS_CRT_X509) + { + mutt_error (_("Error certificate is not X.509")); + mutt_sleep (2); + return 0; + } + + if (gnutls_x509_crt_init(&cert) < 0) + { + mutt_error (_("Error initialising gnutls certificate data")); + mutt_sleep (2); + return 0; + } + + cert_list = gnutls_certificate_get_peers(state, &cert_list_size); + if (!cert_list) + { + mutt_error (_("Unable to get certificate from peer")); + mutt_sleep (2); + return 0; + } + + /* FIXME: Currently only check first certificate in chain. */ + if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) + { + mutt_error (_("Error processing certificate data")); + mutt_sleep (2); + return 0; + } + + if (gnutls_x509_crt_get_expiration_time(cert) < time(NULL)) + { + certerr_expired = 1; + } + + if (gnutls_x509_crt_get_activation_time(cert) > time(NULL)) + { + certerr_notyetvalid = 1; + } + + if (!gnutls_x509_crt_check_hostname(cert, conn->account.host) && + !tls_check_stored_hostname (&cert_list[0], conn->account.host)) + { + certerr_hostname = 1; + } + + /* see whether certificate is in our cache (certificates file) */ + if (tls_compare_certificates (&cert_list[0])) + { + certerr_nottrusted = 0; + if (certstat & GNUTLS_CERT_SIGNER_NOT_FOUND) + { + /* doesn't matter that we haven't found the signer, since + certificate is in our trusted cache */ + certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND; + } + + if (certstat & GNUTLS_CERT_SIGNER_NOT_CA) + { + /* Hmm. Not really sure how to handle this, but let's say + that we don't care if the CA certificate hasn't got the + correct X.509 basic constraints if server certificate is + in our cache. */ + certstat ^= GNUTLS_CERT_SIGNER_NOT_CA; + } + + } + + /* OK if signed by (or is) a trusted certificate */ + /* we've been zeroing the interesting bits in certstat - + don't return OK if there are any unhandled bits we don't + understand */ + if (!(certerr_expired || certerr_notyetvalid || + certerr_hostname || certerr_nottrusted) && certstat == 0) + { + gnutls_x509_crt_deinit(cert); + return 1; + } + + + /* interactive check from user */ + menu = mutt_new_menu (); + menu->max = 25; + menu->dialog = (char **) safe_calloc (1, menu->max * sizeof (char *)); + for (i = 0; i < menu->max; i++) + menu->dialog[i] = (char *) safe_calloc (1, SHORT_STRING * sizeof (char)); + + row = 0; + strfcpy (menu->dialog[row], _("This certificate belongs to:"), SHORT_STRING); + row++; + + buflen = sizeof(dn_common_name); + if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, + dn_common_name, &buflen) != 0) + dn_common_name[0] = '\0'; + buflen = sizeof(dn_email); + if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_PKCS9_EMAIL, 0, 0, + dn_email, &buflen) != 0) + dn_email[0] = '\0'; + buflen = sizeof(dn_organization); + if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, + dn_organization, &buflen) != 0) + dn_organization[0] = '\0'; + buflen = sizeof(dn_organizational_unit); + if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 0, + dn_organizational_unit, &buflen) != 0) + dn_organizational_unit[0] = '\0'; + buflen = sizeof(dn_locality); + if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, + dn_locality, &buflen) != 0) + dn_locality[0] = '\0'; + buflen = sizeof(dn_province); + if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0, + dn_province, &buflen) != 0) + dn_province[0] = '\0'; + buflen = sizeof(dn_country); + if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, + dn_country, &buflen) != 0) + dn_country[0] = '\0'; + + snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_common_name); + snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_email); + snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_organization); + snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_organizational_unit); + snprintf (menu->dialog[row++], SHORT_STRING, " %s %s %s", + dn_locality, dn_province, dn_country); + row++; + + strfcpy (menu->dialog[row], _("This certificate was issued by:"), SHORT_STRING); + row++; + + buflen = sizeof(dn_common_name); + if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, + dn_common_name, &buflen) != 0) + dn_common_name[0] = '\0'; + buflen = sizeof(dn_email); + if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_PKCS9_EMAIL, 0, 0, + dn_email, &buflen) != 0) + dn_email[0] = '\0'; + buflen = sizeof(dn_organization); + if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, + dn_organization, &buflen) != 0) + dn_organization[0] = '\0'; + buflen = sizeof(dn_organizational_unit); + if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 0, + dn_organizational_unit, &buflen) != 0) + dn_organizational_unit[0] = '\0'; + buflen = sizeof(dn_locality); + if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, + dn_locality, &buflen) != 0) + dn_locality[0] = '\0'; + buflen = sizeof(dn_province); + if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0, + dn_province, &buflen) != 0) + dn_province[0] = '\0'; + buflen = sizeof(dn_country); + if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, + dn_country, &buflen) != 0) + dn_country[0] = '\0'; + + snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_common_name); + snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_email); + snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_organization); + snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_organizational_unit); + snprintf (menu->dialog[row++], SHORT_STRING, " %s %s %s", + dn_locality, dn_province, dn_country); + row++; + + snprintf (menu->dialog[row++], SHORT_STRING, _("This certificate is valid")); + + t = gnutls_x509_crt_get_activation_time(cert); + snprintf (menu->dialog[row++], SHORT_STRING, _(" from %s"), + tls_make_date(t, datestr, 30)); + + t = gnutls_x509_crt_get_expiration_time(cert); + snprintf (menu->dialog[row++], SHORT_STRING, _(" to %s"), + tls_make_date(t, datestr, 30)); + + fpbuf[0] = '\0'; + tls_fingerprint (fpbuf, sizeof (fpbuf), &cert_list[0]); + snprintf (menu->dialog[row++], SHORT_STRING, _("MD5 Fingerprint: %s"), fpbuf); + + if (certerr_notyetvalid) + { + row++; + strfcpy (menu->dialog[row], _("WARNING: Server certificate is not yet valid"), SHORT_STRING); + } + if (certerr_expired) + { + row++; + strfcpy (menu->dialog[row], _("WARNING: Server certificate has expired"), SHORT_STRING); + } + if (certerr_hostname) + { + row++; + strfcpy (menu->dialog[row], _("WARNING: Server hostname does not match certificate"), SHORT_STRING); + } + + menu->title = _("TLS/SSL Certificate check"); + if (SslCertFile && !certerr_expired && !certerr_notyetvalid) + { + menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always"); + menu->keys = _("roa"); + } + else + { + menu->prompt = _("(r)eject, accept (o)nce"); + menu->keys = _("ro"); + } + + helpstr[0] = '\0'; + mutt_make_help (buf, sizeof (buf), _("Exit "), MENU_GENERIC, OP_EXIT); + strncat (helpstr, buf, sizeof (helpstr)); + mutt_make_help (buf, sizeof (buf), _("Help"), MENU_GENERIC, OP_HELP); + strncat (helpstr, buf, sizeof (helpstr)); + menu->help = helpstr; + + done = 0; + while (!done) + { + switch (mutt_menuLoop (menu)) + { + case -1: /* abort */ + case OP_MAX + 1: /* reject */ + case OP_EXIT: + done = 1; + break; + case OP_MAX + 3: /* accept always */ + done = 0; + if ((fp = fopen (SslCertFile, "a"))) + { + /* save hostname if necessary */ + if (certerr_hostname) + { + fprintf(fp, "#H %s %s\n", conn->account.host, fpbuf); + done = 1; + } + if (certerr_nottrusted) + { + certsize = 4096; + certdata = (char *) safe_calloc (1, certsize); + ret = gnutls_pem_base64_encode ("CERTIFICATE", &cert_list[0], + certdata, &certsize); + if (ret == GNUTLS_E_INVALID_REQUEST) + { + /* if we didn't allocate enough space, we try again with the + size that certsize has been set to by the encode_fmt call */ + FREE (&certdata); + certdata = (char *) safe_calloc (1, certsize); + ret = gnutls_pem_base64_encode ("CERTIFICATE", &cert_list[0], + certdata, &certsize); + } + if (ret == 0) + { + if (fwrite(certdata, certsize, 1, fp) == 1) + { + done = 1; + } + else + { + done = 0; + } + } + } + fclose (fp); + } + if (!done) + { + mutt_error (_("Warning: Couldn't save certificate")); + mutt_sleep (2); + } + else + { + mutt_message (_("Certificate saved")); + mutt_sleep (0); + } + /* fall through */ + case OP_MAX + 2: /* accept once */ + done = 2; + break; + } + } + mutt_menuDestroy (&menu); + gnutls_x509_crt_deinit(cert); + return (done == 2); +}