Context Navigation

source: lib/ssl_gnutls.c @ a6b00fc

Last change on this file since a6b00fc was 5ebff60, checked in by dequis <dx@…>, at 2015-02-20T22:50:54Z

Reindent everything to K&R style with tabs

Used uncrustify, with the configuration file in ./doc/uncrustify.cfg

Commit author set to "Indent <please@…>" so that it's easier to
skip while doing git blame.

Property mode set to 100644

File size: 12.3 KB

Rev	Line
[5ebff60]	1	/********************************************************************\
[b7d3cc34]	2	* BitlBee -- An IRC to other IM-networks gateway *
	3	* *
[9b67285]	4	* Copyright 2002-2012 Wilmer van der Gaast and others *
[b7d3cc34]	5	\********************************************************************/
	6
	7	/* SSL module - GnuTLS version */
	8
	9	/*
	10	This program is free software; you can redistribute it and/or modify
	11	it under the terms of the GNU General Public License as published by
	12	the Free Software Foundation; either version 2 of the License, or
	13	(at your option) any later version.
	14
	15	This program is distributed in the hope that it will be useful,
	16	but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	GNU General Public License for more details.
	19
	20	You should have received a copy of the GNU General Public License with
	21	the Debian GNU/Linux distribution in /usr/share/common-licenses/GPL;
[6f10697]	22	if not, write to the Free Software Foundation, Inc., 51 Franklin St.,
	23	Fifth Floor, Boston, MA 02110-1301 USA
[b7d3cc34]	24	*/
	25
	26	#include <gnutls/gnutls.h>
[486ddb5]	27	#include <gnutls/x509.h>
[83e47ec]	28	#include <gcrypt.h>
[701acdd4]	29	#include <fcntl.h>
	30	#include <unistd.h>
[b7d3cc34]	31	#include "proxy.h"
	32	#include "ssl_client.h"
	33	#include "sock.h"
	34	#include "stdlib.h"
[486ddb5]	35	#include "bitlbee.h"
[b7d3cc34]	36
[701acdd4]	37	int ssl_errno = 0;
	38
[b7d3cc34]	39	static gboolean initialized = FALSE;
[2fb1262]	40	gnutls_certificate_credentials_t xcred;
[b7d3cc34]	41
[56f260a]	42	#include <limits.h>
	43
	44	#if defined(ULONG_MAX) && ULONG_MAX > 4294967295UL
	45	#define GNUTLS_STUPID_CAST (long)
	46	#else
	47	#define GNUTLS_STUPID_CAST (int)
	48	#endif
	49
[ca974d7]	50	#define SSLDEBUG 0
	51
[5ebff60]	52	struct scd {
[3d64e5b]	53	ssl_input_function func;
[b7d3cc34]	54	gpointer data;
	55	int fd;
	56	gboolean established;
[701acdd4]	57	int inpa;
[486ddb5]	58	char *hostname;
	59	gboolean verify;
[5ebff60]	60
[2fb1262]	61	gnutls_session_t session;
[b7d3cc34]	62	};
	63
[9b67285]	64	static GHashTable *session_cache;
	65
[5ebff60]	66	static gboolean ssl_connected(gpointer data, gint source, b_input_condition cond);
	67	static gboolean ssl_starttls_real(gpointer data, gint source, b_input_condition cond);
	68	static gboolean ssl_handshake(gpointer data, gint source, b_input_condition cond);
[b7d3cc34]	69
[5ebff60]	70	static void ssl_deinit(void);
[b7d3cc34]	71
[5ebff60]	72	static void ssl_log(int level, const char *line)
[632f3d4]	73	{
[5ebff60]	74	printf("%d %s", level, line);
[632f3d4]	75	}
	76
[5ebff60]	77	void ssl_init(void)
[ba5add7]	78	{
[5ebff60]	79	if (initialized) {
[83e47ec]	80	return;
[5ebff60]	81	}
	82
[ba5add7]	83	gnutls_global_init();
[5ebff60]	84	gnutls_certificate_allocate_credentials(&xcred);
	85	if (global.conf->cafile) {
	86	gnutls_certificate_set_x509_trust_file(xcred, global.conf->cafile, GNUTLS_X509_FMT_PEM);
	87
[8f976e6]	88	/* Not needed in GnuTLS 2.11+ (enabled by default there) so
	89	don't do it (resets possible other defaults). */
[5ebff60]	90	if (!gnutls_check_version("2.11")) {
	91	gnutls_certificate_set_verify_flags(xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
	92	}
[59cd92b]	93	}
[ba5add7]	94	initialized = TRUE;
[5ebff60]	95
	96	gnutls_global_set_log_function(ssl_log);
[632f3d4]	97	/*
	98	gnutls_global_set_log_level( 3 );
	99	*/
[5ebff60]	100
	101	session_cache = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, g_free);
	102
	103	atexit(ssl_deinit);
[59cd92b]	104	}
	105
[5ebff60]	106	static void ssl_deinit(void)
[59cd92b]	107	{
	108	gnutls_global_deinit();
[5ebff60]	109	gnutls_certificate_free_credentials(xcred);
	110	g_hash_table_destroy(session_cache);
[9b67285]	111	session_cache = NULL;
[ba5add7]	112	}
	113
[5ebff60]	114	void ssl_connect(char host, int port, gboolean verify, ssl_input_function func, gpointer data)
[b7d3cc34]	115	{
[5ebff60]	116	struct scd *conn = g_new0(struct scd, 1);
	117
[b7d3cc34]	118	conn->func = func;
	119	conn->data = data;
[701acdd4]	120	conn->inpa = -1;
[5ebff60]	121	conn->hostname = g_strdup(host);
[a72dc2b]	122	conn->verify = verify && global.conf->cafile;
[5ebff60]	123	conn->fd = proxy_connect(host, port, ssl_connected, conn);
	124
	125	if (conn->fd < 0) {
	126	g_free(conn);
[42127dc]	127	return NULL;
[b7d3cc34]	128	}
[5ebff60]	129
[42127dc]	130	return conn;
	131	}
	132
[5ebff60]	133	void ssl_starttls(int fd, char hostname, gboolean verify, ssl_input_function func, gpointer data)
[42127dc]	134	{
[5ebff60]	135	struct scd *conn = g_new0(struct scd, 1);
	136
[42127dc]	137	conn->fd = fd;
	138	conn->func = func;
	139	conn->data = data;
	140	conn->inpa = -1;
[5ebff60]	141	conn->hostname = g_strdup(hostname);
	142
[486ddb5]	143	/* For now, SSL verification is globally enabled by setting the cafile
	144	setting in bitlbee.conf. Commented out by default because probably
	145	not everyone has this file in the same place and plenty of folks
	146	may not have the cert of their private Jabber server in it. */
	147	conn->verify = verify && global.conf->cafile;
[5ebff60]	148
[c1ed6527]	149	/* This function should be called via a (short) timeout instead of
	150	directly from here, because these SSL calls are supposed to be
	151	completely asynchronous and not ready yet when this function
	152	(or *_connect, for examle) returns. Also, errors are reported via
	153	the callback function, not via this function's return value.
[5ebff60]	154
[c1ed6527]	155	In short, doing things like this makes the rest of the code a lot
	156	simpler. */
[5ebff60]	157
	158	b_timeout_add(1, ssl_starttls_real, conn);
	159
[42127dc]	160	return conn;
[b7d3cc34]	161	}
	162
[5ebff60]	163	static gboolean ssl_starttls_real(gpointer data, gint source, b_input_condition cond)
[c1ed6527]	164	{
	165	struct scd *conn = data;
[5ebff60]	166
	167	return ssl_connected(conn, conn->fd, B_EV_IO_WRITE);
[c1ed6527]	168	}
[701acdd4]	169
[5ebff60]	170	static int verify_certificate_callback(gnutls_session_t session)
[486ddb5]	171	{
	172	unsigned int status;
	173	const gnutls_datum_t *cert_list;
	174	unsigned int cert_list_size;
	175	int gnutlsret;
	176	int verifyret = 0;
	177	gnutls_x509_crt_t cert;
[2fb1262]	178	struct scd *conn;
[486ddb5]	179
[5ebff60]	180	conn = gnutls_session_get_ptr(session);
	181
	182	gnutlsret = gnutls_certificate_verify_peers2(session, &status);
	183	if (gnutlsret < 0) {
[486ddb5]	184	return VERIFY_CERT_ERROR;
[5ebff60]	185	}
[486ddb5]	186
[5ebff60]	187	if (status & GNUTLS_CERT_INVALID) {
[486ddb5]	188	verifyret \|= VERIFY_CERT_INVALID;
[5ebff60]	189	}
[486ddb5]	190
[5ebff60]	191	if (status & GNUTLS_CERT_REVOKED) {
[486ddb5]	192	verifyret \|= VERIFY_CERT_REVOKED;
[5ebff60]	193	}
[486ddb5]	194
[5ebff60]	195	if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
[486ddb5]	196	verifyret \|= VERIFY_CERT_SIGNER_NOT_FOUND;
[5ebff60]	197	}
[486ddb5]	198
[5ebff60]	199	if (status & GNUTLS_CERT_SIGNER_NOT_CA) {
[486ddb5]	200	verifyret \|= VERIFY_CERT_SIGNER_NOT_CA;
[5ebff60]	201	}
[486ddb5]	202
[5ebff60]	203	if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
[486ddb5]	204	verifyret \|= VERIFY_CERT_INSECURE_ALGORITHM;
[5ebff60]	205	}
[486ddb5]	206
[5513f3e]	207	#ifdef GNUTLS_CERT_NOT_ACTIVATED
	208	/* Amusingly, the GnuTLS function used above didn't check for expiry
	209	until GnuTLS 2.8 or so. (See CVE-2009-1417) */
[5ebff60]	210	if (status & GNUTLS_CERT_NOT_ACTIVATED) {
[486ddb5]	211	verifyret \|= VERIFY_CERT_NOT_ACTIVATED;
[5ebff60]	212	}
[486ddb5]	213
[5ebff60]	214	if (status & GNUTLS_CERT_EXPIRED) {
[486ddb5]	215	verifyret \|= VERIFY_CERT_EXPIRED;
[5ebff60]	216	}
[5513f3e]	217	#endif
[486ddb5]	218
[5ebff60]	219	if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509 \|\| gnutls_x509_crt_init(&cert) < 0) {
[486ddb5]	220	return VERIFY_CERT_ERROR;
[5ebff60]	221	}
[486ddb5]	222
[5ebff60]	223	cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
	224	if (cert_list == NULL \|\| gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) {
[486ddb5]	225	return VERIFY_CERT_ERROR;
[5ebff60]	226	}
[486ddb5]	227
[5ebff60]	228	if (!gnutls_x509_crt_check_hostname(cert, conn->hostname)) {
[486ddb5]	229	verifyret \|= VERIFY_CERT_INVALID;
	230	verifyret \|= VERIFY_CERT_WRONG_HOSTNAME;
	231	}
	232
[5ebff60]	233	gnutls_x509_crt_deinit(cert);
[486ddb5]	234
	235	return verifyret;
	236	}
	237
[5ebff60]	238	struct ssl_session {
[9b67285]	239	size_t size;
	240	char data[];
	241	};
	242
[5ebff60]	243	static void ssl_cache_add(struct scd *conn)
[9b67285]	244	{
[b7cd22d]	245	size_t data_size = 0;
[9b67285]	246	struct ssl_session *data;
	247	char *hostname;
[5ebff60]	248
	249	if (!conn->hostname \|\|
	250	gnutls_session_get_data(conn->session, NULL, &data_size) != 0) {
[9b67285]	251	return;
[5ebff60]	252	}
	253
	254	data = g_malloc(sizeof(struct ssl_session) + data_size);
	255	if (gnutls_session_get_data(conn->session, data->data, &data_size) != 0) {
	256	g_free(data);
[9b67285]	257	return;
	258	}
[5ebff60]	259
	260	hostname = g_strdup(conn->hostname);
	261	g_hash_table_insert(session_cache, hostname, data);
[9b67285]	262	}
	263
[5ebff60]	264	static void ssl_cache_resume(struct scd *conn)
[9b67285]	265	{
	266	struct ssl_session *data;
[5ebff60]	267
	268	if (conn->hostname &&
	269	(data = g_hash_table_lookup(session_cache, conn->hostname))) {
	270	gnutls_session_set_data(conn->session, data->data, data->size);
	271	g_hash_table_remove(session_cache, conn->hostname);
[9b67285]	272	}
	273	}
	274
[5ebff60]	275	char *ssl_verify_strerror(int code)
[78b8401]	276	{
[5ebff60]	277	GString *ret = g_string_new("");
	278
	279	if (code & VERIFY_CERT_REVOKED) {
	280	g_string_append(ret, "certificate has been revoked, ");
	281	}
	282	if (code & VERIFY_CERT_SIGNER_NOT_FOUND) {
	283	g_string_append(ret, "certificate hasn't got a known issuer, ");
	284	}
	285	if (code & VERIFY_CERT_SIGNER_NOT_CA) {
	286	g_string_append(ret, "certificate's issuer is not a CA, ");
	287	}
	288	if (code & VERIFY_CERT_INSECURE_ALGORITHM) {
	289	g_string_append(ret, "certificate uses an insecure algorithm, ");
	290	}
	291	if (code & VERIFY_CERT_NOT_ACTIVATED) {
	292	g_string_append(ret, "certificate has not been activated, ");
[78b8401]	293	}
[5ebff60]	294	if (code & VERIFY_CERT_EXPIRED) {
	295	g_string_append(ret, "certificate has expired, ");
	296	}
	297	if (code & VERIFY_CERT_WRONG_HOSTNAME) {
	298	g_string_append(ret, "certificate hostname mismatch, ");
	299	}
	300
	301	if (ret->len == 0) {
	302	g_string_free(ret, TRUE);
	303	return NULL;
	304	} else {
	305	g_string_truncate(ret, ret->len - 2);
	306	return g_string_free(ret, FALSE);
[78b8401]	307	}
	308	}
	309
[5ebff60]	310	static gboolean ssl_connected(gpointer data, gint source, b_input_condition cond)
[b7d3cc34]	311	{
	312	struct scd *conn = data;
[5ebff60]	313
	314	if (source == -1) {
	315	conn->func(conn->data, 0, NULL, cond);
	316	g_free(conn);
[2b7d2d1]	317	return FALSE;
[701acdd4]	318	}
[5ebff60]	319
[83e47ec]	320	ssl_init();
[5ebff60]	321
	322	gnutls_init(&conn->session, GNUTLS_CLIENT);
	323	gnutls_session_set_ptr(conn->session, (void *) conn);
[80acb6d]	324	#if GNUTLS_VERSION_NUMBER < 0x020c00
[5ebff60]	325	gnutls_transport_set_lowat(conn->session, 0);
[80acb6d]	326	#endif
[5ebff60]	327	gnutls_set_default_priority(conn->session);
	328	gnutls_credentials_set(conn->session, GNUTLS_CRD_CERTIFICATE, xcred);
	329	if (conn->hostname && !g_ascii_isdigit(conn->hostname[0])) {
	330	gnutls_server_name_set(conn->session, GNUTLS_NAME_DNS,
	331	conn->hostname, strlen(conn->hostname));
	332	}
	333
	334	sock_make_nonblocking(conn->fd);
	335	gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr_t) GNUTLS_STUPID_CAST conn->fd);
	336
	337	ssl_cache_resume(conn);
	338
	339	return ssl_handshake(data, source, cond);
[701acdd4]	340	}
	341
[5ebff60]	342	static gboolean ssl_handshake(gpointer data, gint source, b_input_condition cond)
[701acdd4]	343	{
	344	struct scd *conn = data;
[486ddb5]	345	int st, stver;
[5ebff60]	346
[286cd48]	347	/* This function returns false, so avoid calling b_event_remove again */
	348	conn->inpa = -1;
[486ddb5]	349
[5ebff60]	350	if ((st = gnutls_handshake(conn->session)) < 0) {
	351	if (st == GNUTLS_E_AGAIN \|\| st == GNUTLS_E_INTERRUPTED) {
	352	conn->inpa = b_input_add(conn->fd, ssl_getdirection(conn),
	353	ssl_handshake, data);
	354	} else {
	355	conn->func(conn->data, 0, NULL, cond);
	356
	357	gnutls_deinit(conn->session);
	358	closesocket(conn->fd);
[486ddb5]	359
[5ebff60]	360	g_free(conn);
[486ddb5]	361	}
[5ebff60]	362	} else {
	363	if (conn->verify && (stver = verify_certificate_callback(conn->session)) != 0) {
	364	conn->func(conn->data, stver, NULL, cond);
	365
	366	gnutls_deinit(conn->session);
	367	closesocket(conn->fd);
	368
	369	g_free(conn);
	370	} else {
[486ddb5]	371	/* For now we can't handle non-blocking perfectly everywhere... */
[5ebff60]	372	sock_make_blocking(conn->fd);
	373
	374	ssl_cache_add(conn);
[486ddb5]	375	conn->established = TRUE;
[5ebff60]	376	conn->func(conn->data, 0, conn, cond);
[486ddb5]	377	}
[701acdd4]	378	}
[5ebff60]	379
[2b7d2d1]	380	return FALSE;
[b7d3cc34]	381	}
	382
[5ebff60]	383	int ssl_read(void conn, char buf, int len)
[b7d3cc34]	384	{
[8a9afe4]	385	int st;
[5ebff60]	386
	387	if (!((struct scd*) conn)->established) {
[701acdd4]	388	ssl_errno = SSL_NOHANDSHAKE;
[80acb6d]	389	return -1;
[701acdd4]	390	}
[5ebff60]	391
	392	st = gnutls_record_recv(((struct scd*) conn)->session, buf, len);
	393
[8a9afe4]	394	ssl_errno = SSL_OK;
[5ebff60]	395	if (st == GNUTLS_E_AGAIN \|\| st == GNUTLS_E_INTERRUPTED) {
[8a9afe4]	396	ssl_errno = SSL_AGAIN;
[5ebff60]	397	}
	398
	399	if (SSLDEBUG && getenv("BITLBEE_DEBUG") && st > 0) {
	400	len = write(2, buf, st);
	401	}
	402
[8a9afe4]	403	return st;
[b7d3cc34]	404	}
	405
[5ebff60]	406	int ssl_write(void conn, const char buf, int len)
[b7d3cc34]	407	{
[8a9afe4]	408	int st;
[5ebff60]	409
	410	if (!((struct scd*) conn)->established) {
[701acdd4]	411	ssl_errno = SSL_NOHANDSHAKE;
[80acb6d]	412	return -1;
[701acdd4]	413	}
[5ebff60]	414
	415	st = gnutls_record_send(((struct scd*) conn)->session, buf, len);
	416
[8a9afe4]	417	ssl_errno = SSL_OK;
[5ebff60]	418	if (st == GNUTLS_E_AGAIN \|\| st == GNUTLS_E_INTERRUPTED) {
[8a9afe4]	419	ssl_errno = SSL_AGAIN;
[5ebff60]	420	}
	421
	422	if (SSLDEBUG && getenv("BITLBEE_DEBUG") && st > 0) {
	423	len = write(2, buf, st);
	424	}
	425
[8a9afe4]	426	return st;
[b7d3cc34]	427	}
	428
[5ebff60]	429	int ssl_pending(void *conn)
[8a2221a7]	430	{
[5ebff60]	431	if (conn == NULL) {
[80acb6d]	432	return 0;
[5ebff60]	433	}
	434
	435	if (!((struct scd*) conn)->established) {
[80acb6d]	436	ssl_errno = SSL_NOHANDSHAKE;
	437	return 0;
	438	}
[632f3d4]	439
	440	#if GNUTLS_VERSION_NUMBER >= 0x03000d && GNUTLS_VERSION_NUMBER <= 0x030012
[5ebff60]	441	if (ssl_errno == SSL_AGAIN) {
[632f3d4]	442	return 0;
[5ebff60]	443	}
[632f3d4]	444	#endif
[5ebff60]	445
	446	return gnutls_record_check_pending(((struct scd*) conn)->session) != 0;
[8a2221a7]	447	}
	448
[5ebff60]	449	void ssl_disconnect(void *conn_)
[b7d3cc34]	450	{
	451	struct scd *conn = conn_;
[5ebff60]	452
	453	if (conn->inpa != -1) {
	454	b_event_remove(conn->inpa);
	455	}
	456
	457	if (conn->established) {
	458	gnutls_bye(conn->session, GNUTLS_SHUT_WR);
	459	}
	460
	461	closesocket(conn->fd);
	462
	463	if (conn->session) {
	464	gnutls_deinit(conn->session);
	465	}
	466	g_free(conn->hostname);
	467	g_free(conn);
[b7d3cc34]	468	}
	469
[5ebff60]	470	int ssl_getfd(void *conn)
[b7d3cc34]	471	{
[5ebff60]	472	return(((struct scd*) conn)->fd);
[b7d3cc34]	473	}
[8a9afe4]	474
[5ebff60]	475	b_input_condition ssl_getdirection(void *conn)
[8a9afe4]	476	{
[5ebff60]	477	return(gnutls_record_get_direction(((struct scd*) conn)->session) ?
	478	B_EV_IO_WRITE : B_EV_IO_READ);
[8a9afe4]	479	}
[83e47ec]	480
[5ebff60]	481	size_t ssl_des3_encrypt(const unsigned char key, size_t key_len, const unsigned char input,
	482	size_t input_len, const unsigned char iv, unsigned char *res)
[83e47ec]	483	{
	484	gcry_cipher_hd_t gcr;
	485	gcry_error_t st;
[5ebff60]	486
[83e47ec]	487	ssl_init();
[5ebff60]	488
	489	*res = g_malloc(input_len);
	490	st = gcry_cipher_open(&gcr, GCRY_CIPHER_3DES, GCRY_CIPHER_MODE_CBC, 0) \|\|
	491	gcry_cipher_setkey(gcr, key, key_len) \|\|
	492	gcry_cipher_setiv(gcr, iv, 8) \|\|
	493	gcry_cipher_encrypt(gcr, *res, input_len, input, input_len);
	494
	495	gcry_cipher_close(gcr);
	496
	497	if (st == 0) {
[83e47ec]	498	return input_len;
[5ebff60]	499	}
	500
	501	g_free(*res);
[83e47ec]	502	return 0;
	503	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: lib/ssl_gnutls.c @ a6b00fc

Download in other formats: