From 27c29b3af8741c7ee9f72e402b4f2cc8ed3fcafc Mon Sep 17 00:00:00 2001
From: Milan Crha
Date: Thu, 10 Apr 2014 15:56:27 +0200
Subject: [PATCH] Always reject revoked certificates

If there is recognized a revoked certificate being used for a secure connection, then reject the connection immediately, for security reasons. This behaviour cannot be overwritten with a user's trust.
---
 camel/camel-network-service.c | 43 ++++++++++++++++++++++------------------
 libedataserver/e-source-webdav.c | 4 ++++
 2 files changed, 28 insertions(+), 19 deletions(-)
diff --git a/camel/camel-network-service.c b/camel/camel-network-service.c
index 0afcb34..23ea4fa 100644
--- a/camel/camel-network-service.c
+++ b/camel/camel-network-service.c
@@ -345,28 +345,33 @@ network_service_accept_certificate_cb (GTlsConnection *connection,
 g_free (host);
- if (cert->trust == CAMEL_CERT_TRUST_UNKNOWN) {
- cert->trust = camel_session_trust_prompt (
- session, CAMEL_SERVICE (service),
- peer_certificate, errors);
+ if ((errors & G_TLS_CERTIFICATE_REVOKED) != 0) {
+ /* Always reject revoked certificates */
+ accept = FALSE;
+ } else {
+ if (cert->trust == CAMEL_CERT_TRUST_UNKNOWN) {
+ cert->trust = camel_session_trust_prompt (
+ session, CAMEL_SERVICE (service),
+ peer_certificate, errors);
- if (new_cert)
- network_service_certdb_store (
- certdb, cert, peer_certificate);
+ if (new_cert)
+ network_service_certdb_store (
+ certdb, cert, peer_certificate);
- camel_certdb_touch (certdb);
- }
+ camel_certdb_touch (certdb);
+ }
- switch (cert->trust) {
- case CAMEL_CERT_TRUST_MARGINAL:
- case CAMEL_CERT_TRUST_FULLY:
- case CAMEL_CERT_TRUST_ULTIMATE:
- case CAMEL_CERT_TRUST_TEMPORARY:
- accept = TRUE;
- break;
- default:
- accept = FALSE;
- break;
+ switch (cert->trust) {
+ case CAMEL_CERT_TRUST_MARGINAL:
+ case CAMEL_CERT_TRUST_FULLY:
+ case CAMEL_CERT_TRUST_ULTIMATE:
+ case CAMEL_CERT_TRUST_TEMPORARY:
+ accept = TRUE;
+ break;
+ default:
+ accept = FALSE;
+ break;
+ }
 }
 camel_cert_unref (cert);
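Review bot: The revoked branch sets `accept = FALSE` but leaves the trust already recorded for this certificate untouched, so a record the user earlier marked as trusted keeps that value. The rejection therefore holds only while `errors` carries G_TLS_CERTIFICATE_REVOKED, which GIO derives from the revocation data available to the connection; if that data is missing on a later connection, the switch in the else branch would presumably accept the stored trust again. Consider downgrading the record in that branch, e.g. `cert->trust = CAMEL_CERT_TRUST_NEVER;` followed by `camel_certdb_touch (certdb);`, and extending the comment to say why the check comes before the stored trust is read. The early return added in libedataserver/e-source-webdav.c appears to have the same property for the source's stored trust, and network_service_accept_certificate_cb starts and ends outside this hunk.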
diff --git a/libedataserver/e-source-webdav.c b/libedataserver/e-source-webdav.c
index 6cff83c..eda83d5 100644
--- a/libedataserver/e-source-webdav.c
+++ b/libedataserver/e-source-webdav.c
@@ -1483,6 +1483,10 @@ e_source_webdav_prepare_ssl_trust_prompt_with_parent (ESourceWebdav *extension,
 if (!soup_message_get_https_status (message, &cert, &cert_errors) || !cert)
 return E_TRUST_PROMPT_RESPONSE_REJECT;
+ /* Always reject revoked certificates */
+ if ((cert_errors & G_TLS_CERTIFICATE_REVOKED) != 0)
+ return E_TRUST_PROMPT_RESPONSE_REJECT;
+
 soup_uri = soup_message_get_uri (message);
 if (soup_uri == NULL)
--
2.7.4
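Review bot: The added early return reports a revoked certificate with the same E_TRUST_PROMPT_RESPONSE_REJECT that the preceding check uses for a missing certificate, and nothing is logged, so neither the caller nor someone triaging a failed connection can tell that revocation was the cause. A debug line before the return would make the reason visible, e.g. `g_debug ("%s: rejecting revoked certificate", G_STRFUNC);`, which also means bracing the `if`. The comment could add that the check is deliberately placed before any stored trust is consulted; that lookup is presumably further down, outside this hunk.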