


Artifact d9f9c4e5aed3f0d1655bcfa02163e540fa3bea6a:

Attachment "checkcert.patch" to ticket [727af73f] added by anonymous 2010-11-08 10:26:55.
Index: src/http_ssl.c
===================================================================
--- src/http_ssl.c
+++ src/http_ssl.c
@@ -190,30 +191,32 @@
     BIO_puts(mem, "\n\nIssued By:\n\n");
     X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_MULTILINE);
     BIO_write(mem, "", 1); // null-terminate mem buffer
     BIO_get_mem_data(mem, &desc);
     
-    if( hasSavedCertificate ){
-      warning = "WARNING: Certificate doesn't match the "
-                "saved certificate for this host!";
-    }
-    prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n"
-                     "Accept certificate [a=always/y/N]? ", desc, warning);
-    BIO_free(mem);
+    if( !( hasSavedCertificate && ssl_cmp_certificate(cert) ) ) {
+      if( hasSavedCertificate ){
+        warning = "WARNING: Certificate doesn't match the "
+          "saved certificate for this host!";
+      }
+      prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n"
+          "Accept certificate [a=always/y/N]? ", desc, warning);
+      BIO_free(mem);
 
-    prompt_user(prompt, &ans);
-    free(prompt);
-    if( blob_str(&ans)[0]!='y' && blob_str(&ans)[0]!='a' ) {
-      X509_free(cert);
-      ssl_set_errmsg("SSL certificate declined");
-      ssl_close();
-      return 1;
+      prompt_user(prompt, &ans);
+      free(prompt);
+      if( blob_str(&ans)[0]!='y' && blob_str(&ans)[0]!='a' ) {
+        X509_free(cert);
+        ssl_set_errmsg("SSL certificate declined");
+        ssl_close();
+        return 1;
+      }
+      if( blob_str(&ans)[0]=='a' ) {
+        ssl_save_certificate(cert);
+      }
+      blob_reset(&ans);
     }
-    if( blob_str(&ans)[0]=='a' ) {
-      ssl_save_certificate(cert);
-    }
-    blob_reset(&ans);
   }
   X509_free(cert);
   return 0;
 }
 
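Review bot: `mem` is leaked on the new fast path: `BIO_free(mem)` now sits inside the new `if`, so when a saved certificate exists and `ssl_cmp_certificate(cert)` matches, the BIO holding the certificate description is never released. Because `desc` points into `mem`, the BIO cannot be freed before the `mprintf` that builds the prompt, so the smallest fix is an else branch on the closing brace of that `if`: `}else{ BIO_free(mem); /* saved cert matched: no prompt, drop the description */ }`. The match branch silently trusts whatever was pinned with `a` on an earlier connection (trust-on-first-use keyed by host), which deserves a one-line comment above the `if` so nobody mistakes it for CA validation. The enclosing function starts before this hunk, so the setup of `mem` and `hasSavedCertificate` is not visible here.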
@@ -230,10 +233,28 @@
   BIO_get_mem_data(mem, &zCert);
   zHost = mprintf("cert:%s", g.urlName);
   db_set(zHost, zCert, 1);
   free(zHost);
   BIO_free(mem);  
+}
+
+int ssl_cmp_certificate(const X509 * cert_current){
+  BIO *mem_c;
+  char *zCert_c, *zCert_s, *zHost;
+  int found = 0;
+
+  mem_c = BIO_new(BIO_s_mem());
+  PEM_write_bio_X509(mem_c, cert_current);
+  BIO_write(mem_c, "", 1); // null-terminate mem buffer
+  BIO_get_mem_data(mem_c, &zCert_c);
+  zHost = mprintf("cert:%s", g.urlName);
+  zCert_s = db_get(zHost, NULL);
+  if(zCert_s && !strcmp(zCert_s, zCert_c)) found = 1;
+  free(zHost);
+  if(zCert_s) free(zCert_s);
+  BIO_free(mem_c);
+  return found;
 }
 
 /*
 ** Get certificate for g.urlName from global config.
 ** Return NULL if no certificate found.
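Review bot: `zCert_c` is read uninitialized in `ssl_cmp_certificate` if `BIO_new` returns NULL: as far as I can tell `PEM_write_bio_X509`, `BIO_write` and `BIO_get_mem_data` all bail out on a NULL BIO without assigning through `&zCert_c`, and `strcmp(zCert_s, zCert_c)` then dereferences garbage whenever a certificate is saved for the host. Fail closed right after the allocation so the caller falls through to the prompt: `if( mem_c==0 ) return 0; /* fail closed: caller re-prompts */`. The unchecked `PEM_write_bio_X509` return is less serious, since on failure the buffer holds only the terminator, the compare fails and the user is prompted, which is the safe direction. It is also worth noting above the `strcmp` that comparing the full PEM text pins the exact certificate, e.g. `/* byte-exact PEM match against the cert pinned for g.urlName */`.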