pidgin: cfafc0d9: Continue verification when we can't find...

darkrain42 at pidgin.im darkrain42 at pidgin.im
Thu Jul 16 00:00:53 EDT 2009


-----------------------------------------------------------------
Revision: cfafc0d96db21305969d35633d88caf195ea63d9
Ancestor: 45ad8960722e2945da04e780de920cade8d2541e
Author: darkrain42 at pidgin.im
Date: 2009-07-16T02:46:36
Branch: im.pidgin.pidgin
URL: http://d.pidgin.im/viewmtn/revision/info/cfafc0d96db21305969d35633d88caf195ea63d9

Modified files:
        ChangeLog libpurple/certificate.c
        libpurple/plugins/ssl/ssl-nss.c

ChangeLog: 

Continue verification when we can't find a *cached* peer. Fixes #9664.

This should be a fatal condition and not finding a cached certificate
is *not* the same as "the certificate changed".

-------------- next part --------------
============================================================
--- ChangeLog	31212ff99f2668c3831c1ef215d793644393d425
+++ ChangeLog	329b4fb3594ddb43df003161041495b993ff9568
@@ -35,6 +35,7 @@ version 2.6.0 (??/??/2009):
 	  from you on MSN.
 	* Support sending an invite message to buddies when requesting authorization
 	  from them on MSN.
+	* Better handle corrupt certificates in the TLS Peers cache.
 
 	AIM and ICQ:
 	* Preliminary support for a new authentication scheme called
============================================================
--- libpurple/certificate.c	20a0156eec81b99e724243387aac2355ba126464
+++ libpurple/certificate.c	7ae53533ec1095be094c8980a568efc05b65a5e0
@@ -1218,20 +1218,6 @@ static void
 }
 
 static void
-x509_tls_cached_peer_cert_changed(PurpleCertificateVerificationRequest *vrq)
-{
-	/* TODO: Prompt the user, etc. */
-
-	purple_debug_info("certificate/x509/tls_cached",
-			  "Certificate for %s does not match cached. "
-			  "Auto-rejecting!\n",
-			  vrq->subject_name);
-
-	purple_certificate_verify_complete(vrq, PURPLE_CERTIFICATE_INVALID);
-	return;
-}
-
-static void
 x509_tls_cached_unknown_peer(PurpleCertificateVerificationRequest *vrq);
 
 static void
@@ -1254,12 +1240,11 @@ x509_tls_cached_cert_in_cache(PurpleCert
 	cached_crt = purple_certificate_pool_retrieve(
 		tls_peers, vrq->subject_name);
 	if ( !cached_crt ) {
-		purple_debug_error("certificate/x509/tls_cached",
+		purple_debug_warning("certificate/x509/tls_cached",
 				   "Lookup failed on cached certificate!\n"
-				   "It was here just a second ago. Forwarding "
-				   "to cert_changed.\n");
-		/* vrq now becomes the problem of cert_changed */
-		x509_tls_cached_peer_cert_changed(vrq);
+				   "Falling back to full verification.\n");
+		/* vrq now becomes the problem of unknown_peer */
+		x509_tls_cached_unknown_peer(vrq);
 		return;
 	}
 
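Review bot: The new warning in the `!cached_crt` branch does not say which peer's cache entry failed to load, although the removed `x509_tls_cached_peer_cert_changed` logged `vrq->subject_name`. This branch now hands a previously cached peer to `x509_tls_cached_unknown_peer`, so the log line is the only record that the cached comparison was skipped, and it should name the peer: `"Lookup failed on cached certificate for %s! Falling back to full verification.\n", vrq->subject_name`. The comment could also state why the fallback is acceptable, for example `/* retrieve failed: the cache entry is unreadable, which is not evidence that the peer's certificate changed */`. Whether the unreadable entry is later replaced or removed is not visible here, because `x509_tls_cached_cert_in_cache` starts and ends outside the hunk.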
============================================================
--- libpurple/plugins/ssl/ssl-nss.c	5d35e88f8d79d3e07316c324c55c30cec67a1aad
+++ libpurple/plugins/ssl/ssl-nss.c	9985501f0d19f46ba6ecd07d0f3e8447a482434b
@@ -546,12 +546,12 @@ x509_import_from_file(const gchar *filen
 	CERTCertificate *crt_dat;
 	PurpleCertificate *crt;
 
-	g_return_val_if_fail(filename, NULL);
+	g_return_val_if_fail(filename != NULL, NULL);
 
 	purple_debug_info("nss/x509",
 			  "Loading certificate from %s\n",
 			  filename);
-	
+
 	/* Load the raw data up */
 	if (!g_file_get_contents(filename,
 				 &rawcert, &len,
@@ -560,12 +560,20 @@ x509_import_from_file(const gchar *filen
 		return NULL;
 	}
 
+	if (len == 0) {
+		purple_debug_error("nss/x509",
+				"Certificate file has no contents!\n");
+		if (rawcert)
+			g_free(rawcert);
+		return NULL;
+	}
+
 	/* Decode the certificate */
 	crt_dat = CERT_DecodeCertFromPackage(rawcert, len);
 	g_free(rawcert);
 
-	g_return_val_if_fail(crt_dat, NULL);
-	
+	g_return_val_if_fail(crt_dat != NULL, NULL);
+
 	crt = g_new0(PurpleCertificate, 1);
 	crt->scheme = &x509_nss;
 	crt->data = crt_dat;
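Review bot: `g_return_val_if_fail(crt_dat != NULL, NULL)` guards a runtime condition rather than a caller bug, because a non-empty but corrupt file can make `CERT_DecodeCertFromPackage` return NULL, which is the case the ChangeLog entry in this commit describes. GLib's precondition macros emit a critical warning and are compiled out under `G_DISABLE_CHECKS`, in which case a NULL `crt_dat` would be stored in `crt->data`. An explicit check that logs through `purple_debug_error` and returns NULL is more robust. Separately, the `if (rawcert)` guard in the `len == 0` branch is redundant, since `g_free` accepts NULL. `x509_import_from_file` starts and ends outside the hunk.

```c
	crt_dat = CERT_DecodeCertFromPackage(rawcert, len);
	g_free(rawcert);

	if (crt_dat == NULL) {
		purple_debug_error("nss/x509",
				"Could not decode certificate from %s\n",
				filename);
		return NULL;
	}
	/* … unchanged: PurpleCertificate allocation and field setup … */
```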

