File claws-mail-verify-hostname.patch of Package claws-mail

Index: src/common/ssl.c
===================================================================
--- src/common/ssl.c.orig
+++ src/common/ssl.c
@@ -104,6 +104,7 @@ const gchar *claws_ssl_get_cert_file(voi
 	const char *cert_files[]={
 		"/etc/pki/tls/certs/ca-bundle.crt",
 		"/etc/certs/ca-bundle.crt",
+		"/etc/ssl/ca-bundle.pem",
 		"/usr/share/ssl/certs/ca-bundle.crt",
 		"/etc/ssl/certs/ca-certificates.crt",
 		"/usr/local/ssl/certs/ca-bundle.crt",
Index: src/common/ssl_certificate.c
===================================================================
--- src/common/ssl_certificate.c.orig
+++ src/common/ssl_certificate.c
@@ -833,4 +833,22 @@ void ssl_certificate_get_x509_and_pkey_f
 		gnutls_pkcs12_deinit(p12);
 	}
 }
+
+gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert)
+{
+	return gnutls_x509_crt_check_hostname(cert->x509_cert, cert->host) != 0;
+}
+
+gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert)
+{
+	gchar subject_cn[BUFFSIZE];
+	size_t n = BUFFSIZE;
+
+	if(gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
+		GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_cn, &n))
+		strncpy(subject_cn, _("<not in certificate>"), BUFFSIZE);
+
+	return g_strdup(subject_cn);
+}
+
 #endif /* USE_GNUTLS */
Index: src/common/ssl_certificate.h
===================================================================
--- src/common/ssl_certificate.h.orig
+++ src/common/ssl_certificate.h
@@ -63,13 +63,13 @@ void ssl_certificate_delete_from_disk(SS
 char * readable_fingerprint(unsigned char *src, int len);
 char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status);
 
-#ifdef USE_GNUTLS
 gnutls_x509_crt ssl_certificate_get_x509_from_pem_file(const gchar *file);
 gnutls_x509_privkey ssl_certificate_get_pkey_from_pem_file(const gchar *file);
 void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, 
 			const gchar *password, gnutls_x509_crt *crt, gnutls_x509_privkey *key);
 size_t gnutls_i2d_X509(gnutls_x509_crt x509_cert, unsigned char **output);
 size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey pkey, unsigned char **output);
-#endif
+gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert);
+gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert);
 #endif /* USE_GNUTLS */
 #endif /* SSL_CERTIFICATE_H */
Index: src/gtk/sslcertwindow.c
===================================================================
--- src/gtk/sslcertwindow.c.orig
+++ src/gtk/sslcertwindow.c
@@ -284,6 +284,7 @@ static gboolean sslcert_ask_hook(gpointe
 	} else {
 		hookdata->accept = sslcertwindow_ask_changed_cert(hookdata->old_cert, hookdata->cert);
 	}
+
 	return TRUE;
 }
 
@@ -303,6 +304,24 @@ void sslcertwindow_show_cert(SSLCertific
 	g_free(buf);
 }
 
+static gchar *sslcertwindow_get_invalid_str(SSLCertificate *cert)
+{
+	gchar *subject_cn = NULL;
+	gchar *str = NULL;
+
+	if (ssl_certificate_check_subject_cn(cert))
+		return g_strdup("");
+	
+	subject_cn = ssl_certificate_get_subject_cn(cert);
+	
+	str = g_strdup_printf(_("Certificate is for %s, but connection is to %s.\n"
+				"You may be connecting to a rogue server.\n\n"), 
+				subject_cn, cert->host);
+	g_free(subject_cn);
+	
+	return str;
+}
+
 static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
 {
 	gchar *buf, *sig_status;
@@ -311,9 +330,11 @@ static gboolean sslcertwindow_ask_new_ce
 	GtkWidget *label;
 	GtkWidget *button;
 	GtkWidget *cert_widget;
-	
+	gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
+	const gchar *title;
+
 	vbox = gtk_vbox_new(FALSE, 5);
-	buf = g_strdup_printf(_("Certificate for %s is unknown.\nDo you want to accept it?"), cert->host);
+	buf = g_strdup_printf(_("Certificate for %s is unknown.\n%sDo you want to accept it?"), cert->host, invalid_str);
 	label = gtk_label_new(buf);
 	gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 	gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
@@ -336,7 +357,12 @@ static gboolean sslcertwindow_ask_new_ce
 	cert_widget = cert_presenter(cert);
 	gtk_container_add(GTK_CONTAINER(button), cert_widget);
 
-	val = alertpanel_full(_("Unknown SSL Certificate"), NULL,
+	if (!ssl_certificate_check_subject_cn(cert))
+		title = _("SSL certificate is invalid");
+	else
+		title = _("SSL Certificate is unknown");
+
+	val = alertpanel_full(title, NULL,
 			      _("_Cancel connection"), _("_Accept and save"), NULL,
 	 		      FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
 	
@@ -351,9 +377,13 @@ static gboolean sslcertwindow_ask_expire
 	GtkWidget *label;
 	GtkWidget *button;
 	GtkWidget *cert_widget;
-	
+	gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
+	const gchar *title;
+
 	vbox = gtk_vbox_new(FALSE, 5);
-	buf = g_strdup_printf(_("Certificate for %s is expired.\nDo you want to continue?"), cert->host);
+	buf = g_strdup_printf(_("Certificate for %s is expired.\n%sDo you want to continue?"), cert->host, invalid_str);
+	g_free(invalid_str);
+
 	label = gtk_label_new(buf);
 	gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 	gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
@@ -377,7 +407,12 @@ static gboolean sslcertwindow_ask_expire
 	cert_widget = cert_presenter(cert);
 	gtk_container_add(GTK_CONTAINER(button), cert_widget);
 
-	val = alertpanel_full(_("Expired SSL Certificate"), NULL,
+	if (!ssl_certificate_check_subject_cn(cert))
+		title = _("SSL certificate is invalid and expired");
+	else
+		title = _("SSL certificate is expired");
+
+	val = alertpanel_full(title, NULL,
 			      _("_Cancel connection"), _("_Accept"), NULL,
 	 		      FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
 	
@@ -394,7 +429,9 @@ static gboolean sslcertwindow_ask_change
 	GtkWidget *label;
 	GtkWidget *button;
 	AlertValue val;
-	
+	gchar *invalid_str = sslcertwindow_get_invalid_str(new_cert);
+	const gchar *title;
+
 	vbox = gtk_vbox_new(FALSE, 5);
 	label = gtk_label_new(_("New certificate:"));
 	gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
@@ -408,7 +445,9 @@ static gboolean sslcertwindow_ask_change
 	gtk_widget_show_all(vbox);
 	
 	vbox2 = gtk_vbox_new(FALSE, 5);
-	buf = g_strdup_printf(_("Certificate for %s has changed. Do you want to accept it?"), new_cert->host);
+	buf = g_strdup_printf(_("Certificate for %s has changed.\n%sDo you want to accept it?"), new_cert->host, invalid_str);
+	g_free(invalid_str);
+
 	label = gtk_label_new(buf);
 	gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 	gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0);
@@ -431,7 +470,11 @@ static gboolean sslcertwindow_ask_change
 	gtk_box_pack_start(GTK_BOX(vbox2), button, FALSE, FALSE, 0);
 	gtk_container_add(GTK_CONTAINER(button), vbox);
 
-	val = alertpanel_full(_("Changed SSL Certificate"), NULL,
+	if (!ssl_certificate_check_subject_cn(new_cert))
+		title = _("SSL certificate changed and is invalid");
+	else
+		title = _("SSL certificate changed");
+	val = alertpanel_full(title, NULL,
 			      _("_Cancel connection"), _("_Accept and save"), NULL,
 	 		      FALSE, vbox2, ALERT_WARNING, G_ALERTDEFAULT);