- update to post 1.5.20 hg snapshot (#515148)
- use hunspell by default (#510358)
This commit is contained in:
parent
23fd43327f
commit
1834f35b91
@ -1 +1 @@
|
||||
mutt-1.5.19.tar.gz
|
||||
mutt-1.5.20-20090827hg605559.tar.bz2
|
||||
|
@ -1,12 +0,0 @@
|
||||
diff -up mutt-1.5.19/configure.db47 mutt-1.5.19/configure
|
||||
--- mutt-1.5.19/configure.db47 2009-01-06 17:03:22.000000000 +0100
|
||||
+++ mutt-1.5.19/configure 2009-01-06 17:05:19.000000000 +0100
|
||||
@@ -16074,7 +16074,7 @@ echo "$as_me: error: GDBM could not be u
|
||||
bdbpfx="$bdbpfx $d/$v"
|
||||
done
|
||||
done
|
||||
- BDB_VERSIONS="db-4 db4 db-4.6 db4.6 db46 db-4.5 db4.5 db45 db-4.4 db4.4 db44 db-4.3 db4.3 db43 db-4.2 db4.2 db42 db-4.1 db4.1 db41 db ''"
|
||||
+ BDB_VERSIONS="db-4 db4 db-4.7 db4.7 db-4.6 db4.6 db46 db-4.5 db4.5 db45 db-4.4 db4.4 db44 db-4.3 db4.3 db43 db-4.2 db4.2 db42 db-4.1 db4.1 db41 db ''"
|
||||
{ echo "$as_me:$LINENO: checking for BerkeleyDB > 4.0" >&5
|
||||
echo $ECHO_N "checking for BerkeleyDB > 4.0... $ECHO_C" >&6; }
|
||||
for d in $bdbpfx; do
|
@ -1,622 +0,0 @@
|
||||
diff -r a4b47ac32d32 -r 15c662a95b91 mutt_ssl_gnutls.c
|
||||
--- a/mutt_ssl_gnutls.c Mon Jan 05 16:37:27 2009 -0800
|
||||
+++ b/mutt_ssl_gnutls.c Mon Jun 08 23:55:39 2009 -0700
|
||||
@@ -33,6 +33,16 @@
|
||||
#include "mutt_ssl.h"
|
||||
#include "mutt_regex.h"
|
||||
|
||||
+/* certificate error bitmap values */
|
||||
+#define CERTERR_VALID 0
|
||||
+#define CERTERR_EXPIRED 1
|
||||
+#define CERTERR_NOTYETVALID 2
|
||||
+#define CERTERR_REVOKED 4
|
||||
+#define CERTERR_NOTTRUSTED 8
|
||||
+#define CERTERR_HOSTNAME 16
|
||||
+#define CERTERR_SIGNERNOTCA 32
|
||||
+#define CERTERR_INSECUREALG 64
|
||||
+
|
||||
typedef struct _tlssockdata
|
||||
{
|
||||
gnutls_session state;
|
||||
@@ -265,6 +275,12 @@
|
||||
SslClientCert, GNUTLS_X509_FMT_PEM);
|
||||
}
|
||||
|
||||
+#if HAVE_DECL_GNUTLS_VERIFY_DISABLE_TIME_CHECKS
|
||||
+ /* disable checking certificate activation/expiration times
|
||||
+ in gnutls, we do the checks ourselves */
|
||||
+ gnutls_certificate_set_verify_flags(data->xcred, GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
|
||||
+#endif
|
||||
+
|
||||
gnutls_init(&data->state, GNUTLS_CLIENT);
|
||||
|
||||
/* set socket */
|
||||
@@ -408,7 +424,7 @@
|
||||
}
|
||||
|
||||
b64_data.size = fread(b64_data.data, 1, b64_data.size, fd1);
|
||||
- fclose(fd1);
|
||||
+ safe_fclose (&fd1);
|
||||
|
||||
do {
|
||||
ret = gnutls_pem_base64_decode_alloc(NULL, &b64_data, &cert);
|
||||
@@ -504,7 +520,7 @@
|
||||
|
||||
buf[0] = '\0';
|
||||
tls_fingerprint (GNUTLS_DIG_MD5, buf, sizeof (buf), cert);
|
||||
- while ((linestr = mutt_read_line(linestr, &linestrsize, fp, &linenum)) != NULL)
|
||||
+ while ((linestr = mutt_read_line(linestr, &linestrsize, fp, &linenum, 0)) != NULL)
|
||||
{
|
||||
if(linestr[0] == '#' && linestr[1] == 'H')
|
||||
{
|
||||
@@ -517,7 +533,7 @@
|
||||
{
|
||||
regfree(&preg);
|
||||
FREE(&linestr);
|
||||
- fclose(fp);
|
||||
+ safe_fclose (&fp);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
@@ -525,24 +541,137 @@
|
||||
}
|
||||
|
||||
regfree(&preg);
|
||||
- fclose(fp);
|
||||
+ safe_fclose (&fp);
|
||||
}
|
||||
|
||||
/* not found a matching name */
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int tls_check_preauth (const gnutls_datum_t *certdata,
|
||||
+ gnutls_certificate_status certstat,
|
||||
+ const char *hostname, int chainidx, int* certerr,
|
||||
+ int* savedcert)
|
||||
+{
|
||||
+ gnutls_x509_crt cert;
|
||||
+
|
||||
+ *certerr = CERTERR_VALID;
|
||||
+ *savedcert = 0;
|
||||
+
|
||||
+ if (gnutls_x509_crt_init (&cert) < 0)
|
||||
+ {
|
||||
+ mutt_error (_("Error initialising gnutls certificate data"));
|
||||
+ mutt_sleep (2);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ if (gnutls_x509_crt_import (cert, certdata, GNUTLS_X509_FMT_DER) < 0)
|
||||
+ {
|
||||
+ mutt_error (_("Error processing certificate data"));
|
||||
+ mutt_sleep (2);
|
||||
+ gnutls_x509_crt_deinit (cert);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ if (option (OPTSSLVERIFYDATES) != M_NO)
|
||||
+ {
|
||||
+ if (gnutls_x509_crt_get_expiration_time (cert) < time(NULL))
|
||||
+ *certerr |= CERTERR_EXPIRED;
|
||||
+ if (gnutls_x509_crt_get_activation_time (cert) > time(NULL))
|
||||
+ *certerr |= CERTERR_NOTYETVALID;
|
||||
+ }
|
||||
+
|
||||
+ if (chainidx == 0 && option (OPTSSLVERIFYHOST) != M_NO
|
||||
+ && !gnutls_x509_crt_check_hostname (cert, hostname)
|
||||
+ && !tls_check_stored_hostname (certdata, hostname))
|
||||
+ *certerr |= CERTERR_HOSTNAME;
|
||||
+
|
||||
+ /* see whether certificate is in our cache (certificates file) */
|
||||
+ if (tls_compare_certificates (certdata))
|
||||
+ {
|
||||
+ *savedcert = 1;
|
||||
+
|
||||
+ if (chainidx == 0 && certstat & GNUTLS_CERT_INVALID)
|
||||
+ {
|
||||
+ /* doesn't matter - have decided is valid because server
|
||||
+ certificate is in our trusted cache */
|
||||
+ certstat ^= GNUTLS_CERT_INVALID;
|
||||
+ }
|
||||
+
|
||||
+ if (chainidx == 0 && certstat & GNUTLS_CERT_SIGNER_NOT_FOUND)
|
||||
+ {
|
||||
+ /* doesn't matter that we haven't found the signer, since
|
||||
+ certificate is in our trusted cache */
|
||||
+ certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
|
||||
+ }
|
||||
+
|
||||
+ if (chainidx <= 1 && certstat & GNUTLS_CERT_SIGNER_NOT_CA)
|
||||
+ {
|
||||
+ /* Hmm. Not really sure how to handle this, but let's say
|
||||
+ that we don't care if the CA certificate hasn't got the
|
||||
+ correct X.509 basic constraints if server or first signer
|
||||
+ certificate is in our cache. */
|
||||
+ certstat ^= GNUTLS_CERT_SIGNER_NOT_CA;
|
||||
+ }
|
||||
+
|
||||
+ if (chainidx == 0 && certstat & GNUTLS_CERT_INSECURE_ALGORITHM)
|
||||
+ {
|
||||
+ /* doesn't matter that it was signed using an insecure
|
||||
+ algorithm, since certificate is in our trusted cache */
|
||||
+ certstat ^= GNUTLS_CERT_INSECURE_ALGORITHM;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (certstat & GNUTLS_CERT_REVOKED)
|
||||
+ {
|
||||
+ *certerr |= CERTERR_REVOKED;
|
||||
+ certstat ^= GNUTLS_CERT_REVOKED;
|
||||
+ }
|
||||
+
|
||||
+ if (certstat & GNUTLS_CERT_INVALID)
|
||||
+ {
|
||||
+ *certerr |= CERTERR_NOTTRUSTED;
|
||||
+ certstat ^= GNUTLS_CERT_INVALID;
|
||||
+ }
|
||||
+
|
||||
+ if (certstat & GNUTLS_CERT_SIGNER_NOT_FOUND)
|
||||
+ {
|
||||
+ /* NB: already cleared if cert in cache */
|
||||
+ *certerr |= CERTERR_NOTTRUSTED;
|
||||
+ certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
|
||||
+ }
|
||||
+
|
||||
+ if (certstat & GNUTLS_CERT_SIGNER_NOT_CA)
|
||||
+ {
|
||||
+ /* NB: already cleared if cert in cache */
|
||||
+ *certerr |= CERTERR_SIGNERNOTCA;
|
||||
+ certstat ^= GNUTLS_CERT_SIGNER_NOT_CA;
|
||||
+ }
|
||||
+
|
||||
+ if (certstat & GNUTLS_CERT_INSECURE_ALGORITHM)
|
||||
+ {
|
||||
+ /* NB: already cleared if cert in cache */
|
||||
+ *certerr |= CERTERR_INSECUREALG;
|
||||
+ certstat ^= GNUTLS_CERT_INSECURE_ALGORITHM;
|
||||
+ }
|
||||
+
|
||||
+ gnutls_x509_crt_deinit (cert);
|
||||
+
|
||||
+ /* we've been zeroing the interesting bits in certstat -
|
||||
+ don't return OK if there are any unhandled bits we don't
|
||||
+ understand */
|
||||
+ if (*certerr == CERTERR_VALID && certstat == 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
static int tls_check_one_certificate (const gnutls_datum_t *certdata,
|
||||
gnutls_certificate_status certstat,
|
||||
const char* hostname, int idx, int len)
|
||||
{
|
||||
+ int certerr, savedcert;
|
||||
gnutls_x509_crt cert;
|
||||
- int certerr_hostname = 0;
|
||||
- int certerr_expired = 0;
|
||||
- int certerr_notyetvalid = 0;
|
||||
- int certerr_nottrusted = 0;
|
||||
- int certerr_revoked = 0;
|
||||
- int certerr_signernotca = 0;
|
||||
char buf[SHORT_STRING];
|
||||
char fpbuf[SHORT_STRING];
|
||||
size_t buflen;
|
||||
@@ -562,13 +691,29 @@
|
||||
gnutls_datum pemdata;
|
||||
int i, row, done, ret;
|
||||
|
||||
+ if (!tls_check_preauth (certdata, certstat, hostname, idx, &certerr,
|
||||
+ &savedcert))
|
||||
+ return 1;
|
||||
+
|
||||
+ /* skip signers if insecure algorithm was used */
|
||||
+ if (idx && (certerr & CERTERR_INSECUREALG))
|
||||
+ {
|
||||
+ if (idx == 1)
|
||||
+ {
|
||||
+ mutt_error (_("Warning: Server certificate was signed using an insecure algorithm"));
|
||||
+ mutt_sleep (2);
|
||||
+ }
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /* interactive check from user */
|
||||
if (gnutls_x509_crt_init (&cert) < 0)
|
||||
{
|
||||
mutt_error (_("Error initialising gnutls certificate data"));
|
||||
mutt_sleep (2);
|
||||
return 0;
|
||||
}
|
||||
-
|
||||
+
|
||||
if (gnutls_x509_crt_import (cert, certdata, GNUTLS_X509_FMT_DER) < 0)
|
||||
{
|
||||
mutt_error (_("Error processing certificate data"));
|
||||
@@ -576,94 +721,17 @@
|
||||
gnutls_x509_crt_deinit (cert);
|
||||
return -1;
|
||||
}
|
||||
-
|
||||
- if (gnutls_x509_crt_get_expiration_time (cert) < time(NULL))
|
||||
- certerr_expired = 1;
|
||||
- if (gnutls_x509_crt_get_activation_time (cert) > time(NULL))
|
||||
- certerr_notyetvalid = 1;
|
||||
|
||||
- if (!idx)
|
||||
- {
|
||||
- if (!gnutls_x509_crt_check_hostname (cert, hostname) &&
|
||||
- !tls_check_stored_hostname (certdata, hostname))
|
||||
- certerr_hostname = 1;
|
||||
- }
|
||||
-
|
||||
- /* see whether certificate is in our cache (certificates file) */
|
||||
- if (tls_compare_certificates (certdata))
|
||||
- {
|
||||
- if (certstat & GNUTLS_CERT_INVALID)
|
||||
- {
|
||||
- /* doesn't matter - have decided is valid because server
|
||||
- certificate is in our trusted cache */
|
||||
- certstat ^= GNUTLS_CERT_INVALID;
|
||||
- }
|
||||
-
|
||||
- if (certstat & GNUTLS_CERT_SIGNER_NOT_FOUND)
|
||||
- {
|
||||
- /* doesn't matter that we haven't found the signer, since
|
||||
- certificate is in our trusted cache */
|
||||
- certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
|
||||
- }
|
||||
-
|
||||
- if (certstat & GNUTLS_CERT_SIGNER_NOT_CA)
|
||||
- {
|
||||
- /* Hmm. Not really sure how to handle this, but let's say
|
||||
- that we don't care if the CA certificate hasn't got the
|
||||
- correct X.509 basic constraints if server certificate is
|
||||
- in our cache. */
|
||||
- certstat ^= GNUTLS_CERT_SIGNER_NOT_CA;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (certstat & GNUTLS_CERT_REVOKED)
|
||||
- {
|
||||
- certerr_revoked = 1;
|
||||
- certstat ^= GNUTLS_CERT_REVOKED;
|
||||
- }
|
||||
-
|
||||
- if (certstat & GNUTLS_CERT_INVALID)
|
||||
- {
|
||||
- certerr_nottrusted = 1;
|
||||
- certstat ^= GNUTLS_CERT_INVALID;
|
||||
- }
|
||||
-
|
||||
- if (certstat & GNUTLS_CERT_SIGNER_NOT_FOUND)
|
||||
- {
|
||||
- /* NB: already cleared if cert in cache */
|
||||
- certerr_nottrusted = 1;
|
||||
- certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
|
||||
- }
|
||||
-
|
||||
- if (certstat & GNUTLS_CERT_SIGNER_NOT_CA)
|
||||
- {
|
||||
- /* NB: already cleared if cert in cache */
|
||||
- certerr_signernotca = 1;
|
||||
- certstat ^= GNUTLS_CERT_SIGNER_NOT_CA;
|
||||
- }
|
||||
-
|
||||
- /* OK if signed by (or is) a trusted certificate */
|
||||
- /* we've been zeroing the interesting bits in certstat -
|
||||
- don't return OK if there are any unhandled bits we don't
|
||||
- understand */
|
||||
- if (!(certerr_expired || certerr_notyetvalid ||
|
||||
- certerr_hostname || certerr_nottrusted) && certstat == 0)
|
||||
- {
|
||||
- gnutls_x509_crt_deinit (cert);
|
||||
- return 1;
|
||||
- }
|
||||
-
|
||||
- /* interactive check from user */
|
||||
menu = mutt_new_menu (-1);
|
||||
menu->max = 25;
|
||||
menu->dialog = (char **) safe_calloc (1, menu->max * sizeof (char *));
|
||||
for (i = 0; i < menu->max; i++)
|
||||
menu->dialog[i] = (char *) safe_calloc (1, SHORT_STRING * sizeof (char));
|
||||
-
|
||||
+
|
||||
row = 0;
|
||||
strfcpy (menu->dialog[row], _("This certificate belongs to:"), SHORT_STRING);
|
||||
row++;
|
||||
-
|
||||
+
|
||||
buflen = sizeof (dn_common_name);
|
||||
if (gnutls_x509_crt_get_dn_by_oid (cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0,
|
||||
dn_common_name, &buflen) != 0)
|
||||
@@ -692,17 +760,17 @@
|
||||
if (gnutls_x509_crt_get_dn_by_oid (cert, GNUTLS_OID_X520_COUNTRY_NAME, 0, 0,
|
||||
dn_country, &buflen) != 0)
|
||||
dn_country[0] = '\0';
|
||||
-
|
||||
+
|
||||
snprintf (menu->dialog[row++], SHORT_STRING, " %s %s", dn_common_name, dn_email);
|
||||
snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_organization);
|
||||
snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_organizational_unit);
|
||||
snprintf (menu->dialog[row++], SHORT_STRING, " %s %s %s",
|
||||
dn_locality, dn_province, dn_country);
|
||||
row++;
|
||||
-
|
||||
+
|
||||
strfcpy (menu->dialog[row], _("This certificate was issued by:"), SHORT_STRING);
|
||||
row++;
|
||||
-
|
||||
+
|
||||
buflen = sizeof (dn_common_name);
|
||||
if (gnutls_x509_crt_get_issuer_dn_by_oid (cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0,
|
||||
dn_common_name, &buflen) != 0)
|
||||
@@ -731,52 +799,52 @@
|
||||
if (gnutls_x509_crt_get_issuer_dn_by_oid (cert, GNUTLS_OID_X520_COUNTRY_NAME, 0, 0,
|
||||
dn_country, &buflen) != 0)
|
||||
dn_country[0] = '\0';
|
||||
-
|
||||
+
|
||||
snprintf (menu->dialog[row++], SHORT_STRING, " %s %s", dn_common_name, dn_email);
|
||||
snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_organization);
|
||||
snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_organizational_unit);
|
||||
snprintf (menu->dialog[row++], SHORT_STRING, " %s %s %s",
|
||||
dn_locality, dn_province, dn_country);
|
||||
row++;
|
||||
-
|
||||
+
|
||||
snprintf (menu->dialog[row++], SHORT_STRING, _("This certificate is valid"));
|
||||
-
|
||||
+
|
||||
t = gnutls_x509_crt_get_activation_time (cert);
|
||||
- snprintf (menu->dialog[row++], SHORT_STRING, _(" from %s"),
|
||||
+ snprintf (menu->dialog[row++], SHORT_STRING, _(" from %s"),
|
||||
tls_make_date (t, datestr, 30));
|
||||
-
|
||||
+
|
||||
t = gnutls_x509_crt_get_expiration_time (cert);
|
||||
- snprintf (menu->dialog[row++], SHORT_STRING, _(" to %s"),
|
||||
+ snprintf (menu->dialog[row++], SHORT_STRING, _(" to %s"),
|
||||
tls_make_date (t, datestr, 30));
|
||||
-
|
||||
+
|
||||
fpbuf[0] = '\0';
|
||||
tls_fingerprint (GNUTLS_DIG_SHA, fpbuf, sizeof (fpbuf), certdata);
|
||||
snprintf (menu->dialog[row++], SHORT_STRING, _("SHA1 Fingerprint: %s"), fpbuf);
|
||||
fpbuf[0] = '\0';
|
||||
tls_fingerprint (GNUTLS_DIG_MD5, fpbuf, sizeof (fpbuf), certdata);
|
||||
snprintf (menu->dialog[row++], SHORT_STRING, _("MD5 Fingerprint: %s"), fpbuf);
|
||||
-
|
||||
- if (certerr_notyetvalid)
|
||||
+
|
||||
+ if (certerr & CERTERR_NOTYETVALID)
|
||||
{
|
||||
row++;
|
||||
strfcpy (menu->dialog[row], _("WARNING: Server certificate is not yet valid"), SHORT_STRING);
|
||||
}
|
||||
- if (certerr_expired)
|
||||
+ if (certerr & CERTERR_EXPIRED)
|
||||
{
|
||||
row++;
|
||||
strfcpy (menu->dialog[row], _("WARNING: Server certificate has expired"), SHORT_STRING);
|
||||
}
|
||||
- if (certerr_revoked)
|
||||
+ if (certerr & CERTERR_REVOKED)
|
||||
{
|
||||
row++;
|
||||
strfcpy (menu->dialog[row], _("WARNING: Server certificate has been revoked"), SHORT_STRING);
|
||||
}
|
||||
- if (certerr_hostname)
|
||||
+ if (certerr & CERTERR_HOSTNAME)
|
||||
{
|
||||
row++;
|
||||
strfcpy (menu->dialog[row], _("WARNING: Server hostname does not match certificate"), SHORT_STRING);
|
||||
}
|
||||
- if (certerr_signernotca)
|
||||
+ if (certerr & CERTERR_SIGNERNOTCA)
|
||||
{
|
||||
row++;
|
||||
strfcpy (menu->dialog[row], _("WARNING: Signer of server certificate is not a CA"), SHORT_STRING);
|
||||
@@ -788,7 +856,9 @@
|
||||
menu->title = title;
|
||||
/* certificates with bad dates, or that are revoked, must be
|
||||
accepted manually each and every time */
|
||||
- if (SslCertFile && !certerr_expired && !certerr_notyetvalid && !certerr_revoked)
|
||||
+ if (SslCertFile && !savedcert
|
||||
+ && !(certerr & (CERTERR_EXPIRED | CERTERR_NOTYETVALID
|
||||
+ | CERTERR_REVOKED)))
|
||||
{
|
||||
menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always");
|
||||
menu->keys = _("roa");
|
||||
@@ -798,14 +868,14 @@
|
||||
menu->prompt = _("(r)eject, accept (o)nce");
|
||||
menu->keys = _("ro");
|
||||
}
|
||||
-
|
||||
+
|
||||
helpstr[0] = '\0';
|
||||
mutt_make_help (buf, sizeof (buf), _("Exit "), MENU_GENERIC, OP_EXIT);
|
||||
safe_strcat (helpstr, sizeof (helpstr), buf);
|
||||
mutt_make_help (buf, sizeof (buf), _("Help"), MENU_GENERIC, OP_HELP);
|
||||
safe_strcat (helpstr, sizeof (helpstr), buf);
|
||||
menu->help = helpstr;
|
||||
-
|
||||
+
|
||||
done = 0;
|
||||
set_option (OPTUNBUFFEREDINPUT);
|
||||
while (!done)
|
||||
@@ -822,12 +892,12 @@
|
||||
if ((fp = fopen (SslCertFile, "a")))
|
||||
{
|
||||
/* save hostname if necessary */
|
||||
- if (certerr_hostname)
|
||||
+ if (certerr & CERTERR_HOSTNAME)
|
||||
{
|
||||
fprintf(fp, "#H %s %s\n", hostname, fpbuf);
|
||||
done = 1;
|
||||
}
|
||||
- if (certerr_nottrusted)
|
||||
+ if (certerr & CERTERR_NOTTRUSTED)
|
||||
{
|
||||
done = 0;
|
||||
ret = gnutls_pem_base64_encode_alloc ("CERTIFICATE", certdata,
|
||||
@@ -841,7 +911,7 @@
|
||||
gnutls_free (pemdata.data);
|
||||
}
|
||||
}
|
||||
- fclose (fp);
|
||||
+ safe_fclose (&fp);
|
||||
}
|
||||
if (!done)
|
||||
{
|
||||
@@ -866,23 +936,14 @@
|
||||
return (done == 2);
|
||||
}
|
||||
|
||||
-static int tls_check_certificate (CONNECTION* conn)
|
||||
+/* sanity-checking wrapper for gnutls_certificate_verify_peers */
|
||||
+static gnutls_certificate_status tls_verify_peers (gnutls_session tlsstate)
|
||||
{
|
||||
- tlssockdata *data = conn->sockdata;
|
||||
- gnutls_session state = data->state;
|
||||
- const gnutls_datum *cert_list;
|
||||
- unsigned int cert_list_size = 0;
|
||||
gnutls_certificate_status certstat;
|
||||
- int i, rc;
|
||||
|
||||
- if (gnutls_auth_get_type (state) != GNUTLS_CRD_CERTIFICATE)
|
||||
- {
|
||||
- mutt_error (_("Unable to get certificate from peer"));
|
||||
- mutt_sleep (2);
|
||||
- return 0;
|
||||
- }
|
||||
-
|
||||
- certstat = gnutls_certificate_verify_peers (state);
|
||||
+ certstat = gnutls_certificate_verify_peers (tlsstate);
|
||||
+ if (!certstat)
|
||||
+ return certstat;
|
||||
|
||||
if (certstat == GNUTLS_E_NO_CERTIFICATE_FOUND)
|
||||
{
|
||||
@@ -899,13 +960,34 @@
|
||||
}
|
||||
|
||||
/* We only support X.509 certificates (not OpenPGP) at the moment */
|
||||
- if (gnutls_certificate_type_get (state) != GNUTLS_CRT_X509)
|
||||
+ if (gnutls_certificate_type_get (tlsstate) != GNUTLS_CRT_X509)
|
||||
{
|
||||
mutt_error (_("Certificate is not X.509"));
|
||||
mutt_sleep (2);
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ return certstat;
|
||||
+}
|
||||
+
|
||||
+static int tls_check_certificate (CONNECTION* conn)
|
||||
+{
|
||||
+ tlssockdata *data = conn->sockdata;
|
||||
+ gnutls_session state = data->state;
|
||||
+ const gnutls_datum *cert_list;
|
||||
+ unsigned int cert_list_size = 0;
|
||||
+ gnutls_certificate_status certstat;
|
||||
+ int certerr, i, preauthrc, savedcert, rc = 0;
|
||||
+
|
||||
+ if (gnutls_auth_get_type (state) != GNUTLS_CRD_CERTIFICATE)
|
||||
+ {
|
||||
+ mutt_error (_("Unable to get certificate from peer"));
|
||||
+ mutt_sleep (2);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ certstat = tls_verify_peers (state);
|
||||
+
|
||||
cert_list = gnutls_certificate_get_peers (state, &cert_list_size);
|
||||
if (!cert_list)
|
||||
{
|
||||
@@ -914,13 +996,42 @@
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ /* tls_verify_peers doesn't check hostname or expiration, so walk
|
||||
+ * from most specific to least checking these. If we see a saved certificate,
|
||||
+ * its status short-circuits the remaining checks. */
|
||||
+ preauthrc = 0;
|
||||
+ for (i = 0; i < cert_list_size; i++) {
|
||||
+ rc = tls_check_preauth(&cert_list[i], certstat, conn->account.host, i,
|
||||
+ &certerr, &savedcert);
|
||||
+ preauthrc += rc;
|
||||
+
|
||||
+ if (savedcert)
|
||||
+ {
|
||||
+ if (!preauthrc)
|
||||
+ return 1;
|
||||
+ else
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* then check interactively, starting from chain root */
|
||||
for (i = cert_list_size - 1; i >= 0; i--)
|
||||
{
|
||||
rc = tls_check_one_certificate (&cert_list[i], certstat, conn->account.host,
|
||||
i, cert_list_size);
|
||||
- if (rc)
|
||||
- return rc;
|
||||
+
|
||||
+ /* add signers to trust set, then reverify */
|
||||
+ if (i && rc) {
|
||||
+ rc = gnutls_certificate_set_x509_trust_mem (data->xcred, &cert_list[i],
|
||||
+ GNUTLS_X509_FMT_DER);
|
||||
+ if (rc != 1)
|
||||
+ dprint (1, (debugfile, "error trusting certificate %d: %d\n", i, rc));
|
||||
+
|
||||
+ certstat = tls_verify_peers (state);
|
||||
+ if (!certstat)
|
||||
+ return 1;
|
||||
+ }
|
||||
}
|
||||
|
||||
- return 0;
|
||||
+ return rc;
|
||||
}
|
||||
diff -up mutt-1.5.19/mutt_ssl_gnutls.c.gnutls2 mutt-1.5.19/mutt_ssl_gnutls.c
|
||||
--- mutt-1.5.19/mutt_ssl_gnutls.c.gnutls2 2009-06-09 15:41:56.000000000 +0200
|
||||
+++ mutt-1.5.19/mutt_ssl_gnutls.c 2009-06-09 16:05:51.000000000 +0200
|
||||
@@ -275,7 +275,7 @@ static int tls_negotiate (CONNECTION * c
|
||||
SslClientCert, GNUTLS_X509_FMT_PEM);
|
||||
}
|
||||
|
||||
-#if HAVE_DECL_GNUTLS_VERIFY_DISABLE_TIME_CHECKS
|
||||
+#if 1
|
||||
/* disable checking certificate activation/expiration times
|
||||
in gnutls, we do the checks ourselves */
|
||||
gnutls_certificate_set_verify_flags(data->xcred, GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
|
||||
@@ -520,7 +520,7 @@ static int tls_check_stored_hostname (co
|
||||
|
||||
buf[0] = '\0';
|
||||
tls_fingerprint (GNUTLS_DIG_MD5, buf, sizeof (buf), cert);
|
||||
- while ((linestr = mutt_read_line(linestr, &linestrsize, fp, &linenum, 0)) != NULL)
|
||||
+ while ((linestr = mutt_read_line(linestr, &linestrsize, fp, &linenum)) != NULL)
|
||||
{
|
||||
if(linestr[0] == '#' && linestr[1] == 'H')
|
||||
{
|
||||
@@ -573,7 +573,7 @@ static int tls_check_preauth (const gnut
|
||||
return -1;
|
||||
}
|
||||
|
||||
- if (option (OPTSSLVERIFYDATES) != M_NO)
|
||||
+ if (1)
|
||||
{
|
||||
if (gnutls_x509_crt_get_expiration_time (cert) < time(NULL))
|
||||
*certerr |= CERTERR_EXPIRED;
|
||||
@@ -581,7 +581,7 @@ static int tls_check_preauth (const gnut
|
||||
*certerr |= CERTERR_NOTYETVALID;
|
||||
}
|
||||
|
||||
- if (chainidx == 0 && option (OPTSSLVERIFYHOST) != M_NO
|
||||
+ if (chainidx == 0
|
||||
&& !gnutls_x509_crt_check_hostname (cert, hostname)
|
||||
&& !tls_check_stored_hostname (certdata, hostname))
|
||||
*certerr |= CERTERR_HOSTNAME;
|
@ -1,36 +0,0 @@
|
||||
# HG changeset patch
|
||||
# User Rocco Rutte <pdmef@gmx.net>
|
||||
# Date 1233066304 -3600
|
||||
# Branch HEAD
|
||||
# Node ID eb918af802ec62136f5a522dcb1ac18cb470d4ac
|
||||
# Parent da94a92c3ba0ec7718c78a1c60d62931d13b062f
|
||||
Unconditionally inode-sort Maildir and MH folders. Closes #3166.
|
||||
|
||||
diff -r da94a92c3ba0 -r eb918af802ec mh.c
|
||||
--- a/mh.c Mon Jan 26 12:32:30 2009 -0800
|
||||
+++ b/mh.c Tue Jan 27 15:25:04 2009 +0100
|
||||
@@ -1027,13 +1027,14 @@
|
||||
if (!ctx->quiet && progress)
|
||||
mutt_progress_update (progress, count, -1);
|
||||
|
||||
+ DO_SORT();
|
||||
+
|
||||
snprintf (fn, sizeof (fn), "%s/%s", ctx->path, p->h->path);
|
||||
|
||||
#if USE_HCACHE
|
||||
if (option(OPTHCACHEVERIFY))
|
||||
{
|
||||
- DO_SORT();
|
||||
- ret = stat(fn, &lastchanged);
|
||||
+ ret = stat(fn, &lastchanged);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -1057,7 +1058,6 @@
|
||||
{
|
||||
#endif /* USE_HCACHE */
|
||||
|
||||
- DO_SORT();
|
||||
if (maildir_parse_message (ctx->magic, fn, p->h->old, p->h))
|
||||
{
|
||||
p->header_parsed = 1;
|
@ -1,32 +0,0 @@
|
||||
# HG changeset patch
|
||||
# User Miroslav Lichvar <mlichvar@redhat.com>
|
||||
# Date 1238589215 -7200
|
||||
# Branch HEAD
|
||||
# Node ID 8205a12329d395b87eeb890cb86d28e761e83992
|
||||
# Parent 47c64fd9ac708fee9f4969e571c42e105287596e
|
||||
Use PATH_MAX for buffers passed to realpath(3) as we're supposed to
|
||||
|
||||
diff -r 47c64fd9ac70 -r 8205a12329d3 hcache.c
|
||||
--- a/hcache.c Wed Apr 01 13:16:35 2009 +0200
|
||||
+++ b/hcache.c Wed Apr 01 14:33:35 2009 +0200
|
||||
@@ -836,7 +836,7 @@
|
||||
* to ensure equivalent paths share the hcache */
|
||||
if (stat (folder, &st) == 0)
|
||||
{
|
||||
- p = safe_malloc (_POSIX_PATH_MAX+1);
|
||||
+ p = safe_malloc (PATH_MAX+1);
|
||||
if (!realpath (folder, p))
|
||||
mutt_str_replace (&p, folder);
|
||||
} else
|
||||
diff -r 47c64fd9ac70 -r 8205a12329d3 muttlib.c
|
||||
--- a/muttlib.c Wed Apr 01 13:16:35 2009 +0200
|
||||
+++ b/muttlib.c Wed Apr 01 14:33:35 2009 +0200
|
||||
@@ -759,7 +759,7 @@
|
||||
char *p = s, *q = s;
|
||||
size_t len;
|
||||
url_scheme_t scheme;
|
||||
- char tmp[_POSIX_PATH_MAX];
|
||||
+ char tmp[PATH_MAX];
|
||||
|
||||
scheme = url_check_scheme (s);
|
||||
|
@ -1,19 +0,0 @@
|
||||
# HG changeset patch
|
||||
# User Roman Kraevskiy <rkraevskiy@gmail.com>
|
||||
# Date 1237455364 -3600
|
||||
# Branch HEAD
|
||||
# Node ID 6fac57b97bf1e829d1bfdf643583f5921e153fea
|
||||
# Parent 17d770ae41e4bc94527181dc62072564b9fbd252
|
||||
Restore connection polling callback when closing SASL connection. Closes #3206.
|
||||
|
||||
diff -r 17d770ae41e4 -r 6fac57b97bf1 mutt_sasl.c
|
||||
--- a/mutt_sasl.c Wed Mar 18 14:48:07 2009 +0100
|
||||
+++ b/mutt_sasl.c Thu Mar 19 10:36:04 2009 +0100
|
||||
@@ -481,6 +481,7 @@
|
||||
conn->conn_close = sasldata->msasl_close;
|
||||
conn->conn_read = sasldata->msasl_read;
|
||||
conn->conn_write = sasldata->msasl_write;
|
||||
+ conn->conn_poll = sasldata->msasl_poll;
|
||||
|
||||
/* release sasl resources */
|
||||
sasl_dispose (&sasldata->saslconn);
|
34
mutt.spec
34
mutt.spec
@ -15,29 +15,26 @@
|
||||
|
||||
Summary: A text mode mail user agent
|
||||
Name: mutt
|
||||
Version: 1.5.19
|
||||
Release: 6%{?dist}
|
||||
Version: 1.5.20
|
||||
Release: 1.20090827hg605559%{?dist}
|
||||
Epoch: 5
|
||||
# The entire source code is GPLv2+ except
|
||||
# pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain
|
||||
License: GPLv2+ and Public Domain
|
||||
Group: Applications/Internet
|
||||
Source: ftp://ftp.mutt.org/pub/mutt/devel/mutt-%{version}.tar.gz
|
||||
# hg snapshot created from http://dev.mutt.org/hg/mutt
|
||||
Source: mutt-1.5.20-20090827hg605559.tar.bz2
|
||||
#Source: ftp://ftp.mutt.org/pub/mutt/devel/mutt-%{version}.tar.gz
|
||||
Source1: mutt_ldap_query
|
||||
Patch2: mutt-1.5.13-nodotlock.patch
|
||||
Patch3: mutt-1.5.18-muttrc.patch
|
||||
Patch4: mutt-1.5.18-manual.patch
|
||||
Patch7: mutt-1.5.19-db47.patch
|
||||
Patch8: mutt-1.5.19-realpath.patch
|
||||
Patch9: mutt-1.5.19-inodesort.patch
|
||||
Patch10: mutt-1.5.19-saslcb.patch
|
||||
Patch11: mutt-1.5.19-gnutls.patch
|
||||
Url: http://www.mutt.org/
|
||||
Requires: mailcap urlview
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
BuildRequires: aspell /usr/sbin/sendmail
|
||||
BuildRequires: ncurses-devel
|
||||
BuildRequires: gettext
|
||||
BuildRequires: automake
|
||||
# required to build documentation
|
||||
BuildRequires: docbook-style-xsl libxslt lynx
|
||||
|
||||
@ -65,21 +62,19 @@ regular expression searches and a powerful pattern matching language
|
||||
for selecting groups of messages.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%setup -q -n mutt
|
||||
./prepare -V
|
||||
# Thou shalt use fcntl, and only fcntl
|
||||
%patch2 -p1 -b .nodl
|
||||
%patch3 -p1 -b .muttrc
|
||||
%patch4 -p1 -b .manual
|
||||
%patch7 -p1 -b .db47
|
||||
%patch8 -p1 -b .realpath
|
||||
%patch9 -p1 -b .inodesort
|
||||
%patch10 -p1 -b .saslcb
|
||||
%patch11 -p1 -b .gnutls
|
||||
|
||||
install -p -m644 %{SOURCE1} mutt_ldap_query
|
||||
|
||||
%build
|
||||
%configure \
|
||||
SENDMAIL=%{_sbindir}/sendmail \
|
||||
ISPELL=%{_bindir}/hunspell \
|
||||
%{?with_debug: --enable-debug}\
|
||||
%{?with_pop: --enable-pop}\
|
||||
%{?with_imap: --enable-imap} \
|
||||
@ -114,11 +109,7 @@ cat contrib/gpg.rc >> \
|
||||
grep -5 "^color" contrib/sample.muttrc >> \
|
||||
$RPM_BUILD_ROOT%{_sysconfdir}/Muttrc
|
||||
|
||||
# and we use aspell
|
||||
cat >> $RPM_BUILD_ROOT%{_sysconfdir}/Muttrc <<EOF
|
||||
# use aspell
|
||||
set ispell="%{_bindir}/aspell --mode=email check"
|
||||
|
||||
source %{_sysconfdir}/Muttrc.local
|
||||
EOF
|
||||
|
||||
@ -147,9 +138,14 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_bindir}/pgpewrap
|
||||
%{_bindir}/smime_keys
|
||||
%{_mandir}/man1/mutt.*
|
||||
%{_mandir}/man1/smime_keys.*
|
||||
%{_mandir}/man5/muttrc.*
|
||||
|
||||
%changelog
|
||||
* Fri Sep 18 2009 Miroslav Lichvar <mlichvar@redhat.com> 5:1.5.20-1.20090827hg605559
|
||||
- update to post 1.5.20 hg snapshot (#515148)
|
||||
- use hunspell by default (#510358)
|
||||
|
||||
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5:1.5.19-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
|
||||
|
||||
|
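Review bot: The new `Source: mutt-1.5.20-20090827hg605559.tar.bz2` is a locally produced snapshot whose only provenance is the comment `# hg snapshot created from http://dev.mutt.org/hg/mutt`; nothing in the spec records how the tarball was generated, so it cannot be regenerated or checked against upstream later. Extend the comment with the exact checkout, e.g. `# hg snapshot created from http://dev.mutt.org/hg/mutt, revision <REV>: hg archive -r <REV> -t tbz2 ...` — the `605559` in the filename is presumably that revision, but that is only inferred. The same hunk drops Patch7 through Patch11 (db47, realpath, inodesort, saslcb, gnutls) without saying where they went; the changelog entry should state that they are carried upstream in the snapshot, since the gnutls one changes TLS certificate verification and a silent drop would be a regression. `BuildRequires: aspell` in this hunk also looks stale now that `ISPELL=%{_bindir}/hunspell` is passed to configure and the aspell lines are removed from the generated Muttrc.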