validate SSL certificate hostname (#167).

git-svn-id: svn://sylpheed.sraoss.jp/sylpheed/trunk@3321 ee746299-78ed-0310-b773-934348b2243d

3 files changed, 35 insertions, 8 deletions

diff --git a/libsylph/Makefile.am b/libsylph/Makefile.am
index 8cf0516c..77607fa8 100644
--- a/libsylph/Makefile.am
+++ b/libsylph/Makefile.am
@@ -39,6 +39,7 @@ libsylph_0_la_SOURCES = \
 	socket.c \
 	socks.c \
 	ssl.c \
+	ssl_hostname_validation.c \
 	stringtable.c \
 	sylmain.c \
 	unmime.c \
@@ -81,6 +82,7 @@ libsylph_0include_HEADERS = \
 	socket.h \
 	socks.h \
 	ssl.h \
+	ssl_hostname_validation.h \
 	stringtable.h \
 	sylmain.h \
 	unmime.h \
diff --git a/libsylph/socks.c b/libsylph/socks.c
index b4746a15..b725ba74 100644
--- a/libsylph/socks.c
+++ b/libsylph/socks.c
@@ -1,6 +1,6 @@
 /*
  * LibSylph -- E-Mail client library
- * Copyright (C) 1999-2010 Hiroyuki Yamamoto
+ * Copyright (C) 1999-2014 Hiroyuki Yamamoto
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -129,6 +129,13 @@ gint socks4_connect(SockInfo *sock, const gchar *hostname, gushort port)
 		return -1;
 	}
 
+	/* replace sock->hostname with endpoint */
+	if (sock->hostname != hostname) {
+		g_free(sock->hostname);
+		sock->hostname = g_strdup(hostname);
+		sock->port = port;
+	}
+
 	debug_print("socks4_connect: SOCKS4 connection to %s:%u successful.\n", hostname, port);
 
 	return 0;
@@ -247,6 +254,13 @@ gint socks5_connect(SockInfo *sock, const gchar *hostname, gushort port,
 		}
 	}
 
+	/* replace sock->hostname with endpoint */
+	if (sock->hostname != hostname) {
+		g_free(sock->hostname);
+		sock->hostname = g_strdup(hostname);
+		sock->port = port;
+	}
+
 	debug_print("socks5_connect: SOCKS5 connection to %s:%u successful.\n", hostname, port);
 
 	return 0;
diff --git a/libsylph/ssl.c b/libsylph/ssl.c
index 92165832..86c8d61a 100644
--- a/libsylph/ssl.c
+++ b/libsylph/ssl.c
@@ -1,6 +1,6 @@
 /*
  * LibSylph -- E-Mail client library
- * Copyright (C) 1999-2008 Hiroyuki Yamamoto
+ * Copyright (C) 1999-2014 Hiroyuki Yamamoto
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -30,6 +30,7 @@
 
 #include "utils.h"
 #include "ssl.h"
+#include "ssl_hostname_validation.h"
 
 static SSL_CTX *ssl_ctx_SSLv23 = NULL;
 static SSL_CTX *ssl_ctx_TLSv1 = NULL;
@@ -310,9 +311,14 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
 
 		verify_result = SSL_get_verify_result(sockinfo->ssl);
 		if (verify_result == X509_V_OK) {
-			debug_print("SSL verify OK\n");
-			X509_free(server_cert);
-			return TRUE;
+			debug_print("SSL certificate verify OK\n");
+			if (ssl_validate_hostname(sockinfo->hostname, server_cert) == SSL_HOSTNAME_MATCH_FOUND) {
+				debug_print("SSL certificate hostname validation OK\n");
+				X509_free(server_cert);
+				return TRUE;
+			} else {
+				verify_result = X509_V_ERR_APPLICATION_VERIFICATION;
+			}
 		} else if (verify_result == X509_V_ERR_CERT_HAS_EXPIRED) {
 			log_message("SSL certificate of %s has expired\n", sockinfo->hostname);
 			expired = TRUE;
@@ -330,9 +336,14 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
 			return FALSE;
 		}
 
-		g_warning("%s: SSL certificate verify failed (%ld: %s)\n",
-			  sockinfo->hostname, verify_result,
-			  X509_verify_cert_error_string(verify_result));
+		if (verify_result == X509_V_ERR_APPLICATION_VERIFICATION) {
+			g_warning("%s: SSL hostname validation failed\n",
+				  sockinfo->hostname);
+		} else {
+			g_warning("%s: SSL certificate verify failed (%ld: %s)\n",
+				  sockinfo->hostname, verify_result,
+				  X509_verify_cert_error_string(verify_result));
+		}
 
 		if (verify_ui_func) {
 			gint res;