Changeset 164352e
- Timestamp:
- 2011-12-24T18:02:39Z (13 years ago)
- Branches:
- master
- Children:
- 34ded90
- Parents:
- e306fbf (diff), 96f954d (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the(diff)
links above to see all the changes relative to each parent. - Files:
-
- 24 edited
Legend:
- Unmodified
- Added
- Removed
-
bitlbee.conf
re306fbf r164352e 116 116 ## (Obviously, the username and password are optional) 117 117 ## 118 # #Proxy = http://john:doe@proxy.localnet.com:8080119 # #Proxy = socks4://socksproxy.localnet.com120 # #Proxy = socks5://socksproxy.localnet.com118 # Proxy = http://john:doe@proxy.localnet.com:8080 119 # Proxy = socks4://socksproxy.localnet.com 120 # Proxy = socks5://socksproxy.localnet.com 121 121 122 122 ## Protocols offered by bitlbee … … 126 126 ## nothing is given, there are no restrictions. 127 127 ## 128 # #Protocols = jabber yahoo128 # Protocols = jabber yahoo 129 129 130 ## Trusted CAs 131 ## 132 ## Path to a file containing a list of trusted certificate authorities used in 133 ## the verification of server certificates. 134 ## 135 ## Uncomment this and make sure the file actually exists and contains all 136 ## certificate authorities you're willing to accept (default value should 137 ## work on at least Debian/Ubuntu systems with the "ca-certificates" package 138 ## installed). As long as the line is commented out, SSL certificate 139 ## verification is completely disabled. 140 ## 141 ## The location of this file may be different on other distros/OSes. For 142 ## example, try /etc/ssl/ca-bundle.pem on OpenSUSE. 143 ## 144 # CAfile = /etc/ssl/certs/ca-certificates.crt 130 145 131 146 [defaults] -
bitlbee.h
re306fbf r164352e 26 26 #ifndef _BITLBEE_H 27 27 #define _BITLBEE_H 28 29 #ifdef __cplusplus 30 extern "C" { 31 #endif 28 32 29 33 #ifndef _GNU_SOURCE … … 175 179 extern global_t global; 176 180 181 #ifdef __cplusplus 182 } 177 183 #endif 184 185 #endif 186 -
conf.c
re306fbf r164352e 67 67 conf->ft_listen = NULL; 68 68 conf->protocols = NULL; 69 conf->cafile = NULL; 69 70 proxytype = 0; 70 71 … … 177 178 fprintf( stderr, "Warning: Unable to read configuration file `%s'.\n", global.conf_file ); 178 179 180 if( conf->cafile && access( conf->cafile, R_OK ) != 0 ) 181 { 182 /* Let's treat this as a serious problem so people won't think 183 they're secure when in fact they're not. */ 184 fprintf( stderr, "Error: Could not read CA file %s: %s\n", conf->cafile, strerror( errno ) ); 185 return NULL; 186 } 187 179 188 return conf; 180 189 } … … 340 349 conf->protocols = g_strsplit_set( ini->value, " \t,;", -1 ); 341 350 } 351 else if( g_strcasecmp( ini->key, "cafile" ) == 0 ) 352 { 353 g_free( conf->cafile ); 354 conf->cafile = g_strdup( ini->value ); 355 } 342 356 else 343 357 { -
conf.h
re306fbf r164352e 54 54 char *ft_listen; 55 55 char **protocols; 56 char *cafile; 56 57 } conf_t; 57 58 -
configure
re306fbf r164352e 283 283 EOF 284 284 ssl=gnutls 285 if ! pkg-config gnutls --atleast-version=2.8; then 286 echo 287 echo 'Warning: With GnuTLS versions <2.8, certificate expire dates are not verified.' 288 fi 285 289 ret=1 286 290 elif libgnutls-config --version > /dev/null 2> /dev/null; then -
debian/changelog
re306fbf r164352e 1 bitlbee (3.0.4-1) unstable; urgency=low 2 3 * New upstream release. 1 bitlbee (3.0.4+z-2) UNRELEASED; urgency=low 2 3 * Removed some version override stuff from Debian build scripts. Instead, 4 my buildbot now uses dch to generate a changelog entry with the right 5 version number. 6 7 -- Wilmer van der Gaast <wilmer@gaast.net> Fri, 23 Dec 2011 09:45:55 +0100 8 9 bitlbee (3.0.4+bzr855-1) unstable; urgency=low 10 11 * New upstream release. 12 * This is not a vanilla 3.0.4 tree but a Bazaar snapshot. The source 13 release was a few weeks ago by now. There should be no significant 14 differences. 4 15 * Added bitlbee-plugin-skype and skyped packages, now part of BitlBee 5 instead of a separate package. 6 * Fixed dependencies of bitlbee-plugin-otr package to not break with 7 binary MTUs. (Closes: #651612) 16 instead of a separate package. Not building these for Debian for now 17 though since python-skype was removed. 8 18 * ^B and some other things are stripped in outgoing XMPP stanzas. 9 19 (Closes: #507856) … … 11 21 one from bugs.bitlbee.org. I hope that covers it. (Closes: #646369) 12 22 * Closing a few old bugs that were filed against the Debian package 13 instead of upstream:23 instead of/as well as upstream: 14 24 - Joining password-protected MUCs is working for a while already, set 15 25 the password using "chan set". (Closes: #615624) … … 18 28 - identi.ca support is documented. (Closes: #613789) 19 29 20 -- Wilmer van der Gaast <wilmer@gaast.net> Sun, 11 Dec 2011 16:53:31 +0000 30 -- Wilmer van der Gaast <wilmer@gaast.net> Tue, 20 Dec 2011 12:46:42 +0100 31 32 bitlbee (3.0.3-1.1) unstable; urgency=low 33 34 * Non-maintainer upload. 35 * Use the standard ${source:Version} and ${binary:Version} substvars instead 36 of the custom and broken ${bee:Version} (closes: #651612). 37 38 -- Julien Cristau <jcristau@debian.org> Thu, 15 Dec 2011 20:34:32 +0100 21 39 22 40 bitlbee (3.0.3-1) unstable; urgency=low -
debian/control
re306fbf r164352e 12 12 Package: bitlbee 13 13 Architecture: any 14 Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${ bee:Version})14 Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${source:Version}) 15 15 Conflicts: bitlbee-libpurple 16 16 Replaces: bitlbee-libpurple … … 22 22 Package: bitlbee-libpurple 23 23 Architecture: any 24 Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${ bee:Version})24 Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${source:Version}) 25 25 Conflicts: bitlbee 26 26 Replaces: bitlbee … … 51 51 Package: bitlbee-dev 52 52 Architecture: all 53 Depends: ${misc:Depends}, bitlbee (>= ${ bee:Version}), bitlbee (<< ${bee:Version}.1~), bitlbee-common (= ${bee:Version})53 Depends: ${misc:Depends}, bitlbee (>= ${source:Version}), bitlbee (<< ${source:Version}.1~), bitlbee-common (= ${source:Version}) 54 54 Description: An IRC to other chat networks gateway (dev files) 55 55 This program can be used as an IRC server which forwards everything you … … 61 61 Package: bitlbee-plugin-otr 62 62 Architecture: any 63 Depends: ${misc:Depends}, ${shlibs:Depends}, bitlbee ( >= ${bee:Version}) | bitlbee-libpurple (>= ${bee:Version}), bitlbee (<< ${bee:Version}.1~) | bitlbee-libpurple (<< ${bee:Version}.1~), bitlbee-common (= ${bee:Version})63 Depends: ${misc:Depends}, ${shlibs:Depends}, bitlbee (= ${binary:Version}) | bitlbee-libpurple (= ${binary:Version}), bitlbee-common (= ${source:Version}) 64 64 Description: An IRC to other chat networks gateway (OTR plugin) 65 65 This program can be used as an IRC server which forwards everything you … … 72 72 Package: bitlbee-plugin-skype 73 73 Architecture: any 74 Depends: ${ shlibs:Depends}, ${misc:Depends}, bitlbee (>= ${bee:Version}) | bitlbee-libpurple (>= ${bee:Version}), bitlbee (<< ${bee:Version}.1~) | bitlbee-libpurple (<< ${bee:Version}.1~)74 Depends: ${misc:Depends}, ${shlibs:Depends}, bitlbee (= ${binary:Version}) | bitlbee-libpurple (= ${binary:Version}), bitlbee-common (= ${source:Version}) 75 75 Recommends: skyped 76 76 Description: An IRC to other chat networks gateway (Skype plugin) … … 83 83 84 84 Package: skyped 85 Architecture: a ny86 Depends: ${ shlibs:Depends}, ${misc:Depends}, python (>= 2.5), python-gnutls, python-skype (>=0.9.28.7)85 Architecture: all 86 Depends: ${misc:Depends}, ${shlibs:Depends}, python (>= 2.5), python-gnutls, python-skype (>=0.9.28.7) 87 87 Recommends: skype 88 88 Description: Daemon to control Skype remotely -
debian/rules
re306fbf r164352e 8 8 # 9 9 10 # Include the bitlbee-libpurple variant and OTR plugin by default 10 # Include the bitlbee-libpurple variant and OTR plugin by default. 11 # Don't build skype by default since it depends on deleted/non-free 12 # packages. Need to at least get python-skype back into Debian. 11 13 BITLBEE_LIBPURPLE ?= 1 12 14 BITLBEE_OTR ?= plugin 13 BITLBEE_SKYPE ?= plugin15 BITLBEE_SKYPE ?= 0 14 16 BITLBEE_CONFIGURE_FLAGS ?= 15 17 DEBUG ?= 0 … … 17 19 ifndef BITLBEE_VERSION 18 20 # Want to use the full package version number instead of just the release. 19 BITLBEE_CONFIGURE_VERSION ?= BITLBEE_VERSION=\"$(shell dpkg-parsechangelog | grep ^Version: | awk '{print $$2}')\"21 BITLBEE_CONFIGURE_VERSION ?= BITLBEE_VERSION=\"$(shell dpkg-parsechangelog | awk '/^Version:/ {print $$2}')\" 20 22 endif 21 23 … … 72 74 $(MAKE) -C debian/build-native install-plugin-skype DESTDIR=`pwd`/debian/skyped 73 75 76 ifneq ($(BITLBEE_SKYPE),0) 74 77 mkdir -p debian/bitlbee-plugin-skype/usr 75 78 mv debian/skyped/usr/lib debian/bitlbee-plugin-skype/usr … … 77 80 mkdir -p debian/skyped/usr/share/man/man1 78 81 mv debian/bitlbee-common/usr/share/man/man1/skyped* debian/skyped/usr/share/man/man1 82 endif 79 83 80 84 ifeq ($(BITLBEE_LIBPURPLE),1) … … 106 110 dh_installdeb 107 111 dh_shlibdeps 108 ifdef BITLBEE_VERSION 109 dh_gencontrol -- -v$(BITLBEE_VERSION) -Vbee:Version=$(BITLBEE_VERSION) 110 else 111 dh_gencontrol -- -Vbee:Version=$(shell dpkg-parsechangelog | grep ^Version: | awk '{print $$2}' | sed -e 's/+b[0-9]\+$$//') 112 endif 112 dh_gencontrol 113 113 dh_md5sums 114 114 dh_builddeb -
doc/user-guide/commands.xml
re306fbf r164352e 648 648 </bitlbee-setting> 649 649 650 <bitlbee-setting name="auto_connect" type="boolean" scope=" both">650 <bitlbee-setting name="auto_connect" type="boolean" scope="account,global"> 651 651 <default>true</default> 652 652 … … 672 672 </bitlbee-setting> 673 673 674 <bitlbee-setting name="auto_reconnect" type="boolean" scope=" both">674 <bitlbee-setting name="auto_reconnect" type="boolean" scope="account,global"> 675 675 <default>true</default> 676 676 … … 726 726 </bitlbee-setting> 727 727 728 <bitlbee-setting name="away" type="string" scope=" both">728 <bitlbee-setting name="away" type="string" scope="account,global"> 729 729 <description> 730 730 <para> … … 1076 1076 </bitlbee-setting> 1077 1077 1078 <bitlbee-setting name="nick_format" type="string" scope=" both">1078 <bitlbee-setting name="nick_format" type="string" scope="account,global"> 1079 1079 <default>%-@nick</default> 1080 1080 … … 1169 1169 </bitlbee-setting> 1170 1170 1171 <bitlbee-setting name="password" type="string" scope=" both">1171 <bitlbee-setting name="password" type="string" scope="account,global"> 1172 1172 <description> 1173 1173 <para> … … 1392 1392 <description> 1393 1393 <para> 1394 Currently only available for Jabber connections. Set this to true if the server accepts SSL connections. 1395 </para> 1396 </description> 1397 </bitlbee-setting> 1398 1399 <bitlbee-setting name="status" type="string" scope="both"> 1400 <description> 1401 <para> 1402 Certain protocols (like Jabber/XMPP) support status messages, similar to away messages. They can be used to indicate things like your location or activity, without showing up as away/busy. 1394 Currently only available for Jabber connections. Set this to true if you want to connect to the server on an SSL-enabled port (usually 5223). 1395 </para> 1396 1397 <para> 1398 Please note that this method of establishing a secure connection to the server has long been deprecated. You are encouraged to look at the <emphasis>tls</emphasis> setting instead. 1399 </para> 1400 </description> 1401 </bitlbee-setting> 1402 1403 <bitlbee-setting name="status" type="string" scope="account,global"> 1404 <description> 1405 <para> 1406 Most IM protocols support status messages, similar to away messages. They can be used to indicate things like your location or activity, without showing up as away/busy. 1403 1407 </para> 1404 1408 … … 1408 1412 1409 1413 <para> 1410 Away states set using <emphasis>/away</emphasis> or the <emphasis>away</emphasis> setting will override this setting. To un-setthe setting, use <emphasis>set -del status</emphasis>.1414 Away states set using <emphasis>/away</emphasis> or the <emphasis>away</emphasis> setting will override this setting. To clear the setting, use <emphasis>set -del status</emphasis>. 1411 1415 </para> 1412 1416 </description> … … 1481 1485 <para> 1482 1486 If you want to force BitlBee to use TLS sessions only (and to give up if that doesn't seem to be possible) you can set this setting to <emphasis>true</emphasis>. Set it to <emphasis>false</emphasis> if you want the session to remain plain-text. 1487 </para> 1488 </description> 1489 </bitlbee-setting> 1490 1491 <bitlbee-setting name="tls_verify" type="boolean" scope="account"> 1492 <default>true</default> 1493 1494 <description> 1495 <para> 1496 Currently only available for Jabber connections in combination with the <emphasis>tls</emphasis> setting. Set this to <emphasis>true</emphasis> if you want BitlBee to strictly verify the server's certificate against a list of trusted certificate authorities. 1497 </para> 1498 1499 <para> 1500 The hostname used in the certificate verification is the value of the <emphasis>server</emphasis> setting if the latter is nonempty and the domain of the username else. If you get a hostname related error when connecting to Google Talk with a username from the gmail.com or googlemail.com domain, please try to empty the <emphasis>server</emphasis> setting. 1501 </para> 1502 1503 <para> 1504 Please note that no certificate verification is performed when the <emphasis>ssl</emphasis> setting is used, or when the <emphasis>CAfile</emphasis> setting in <emphasis>bitlbee.conf</emphasis> is not set. 1483 1505 </para> 1484 1506 </description> -
irc.h
re306fbf r164352e 182 182 gboolean (*join)( irc_channel_t *ic ); 183 183 gboolean (*part)( irc_channel_t *ic, const char *msg ); 184 gboolean (*topic)( irc_channel_t *ic, const char *new );184 gboolean (*topic)( irc_channel_t *ic, const char *new_topic ); 185 185 gboolean (*invite)( irc_channel_t *ic, irc_user_t *iu ); 186 186 … … 332 332 void irc_send_msg_raw( irc_user_t *iu, const char *type, const char *dst, const char *msg ); 333 333 void irc_send_msg_f( irc_user_t *iu, const char *type, const char *dst, const char *format, ... ) G_GNUC_PRINTF( 4, 5 ); 334 void irc_send_nick( irc_user_t *iu, const char *new );334 void irc_send_nick( irc_user_t *iu, const char *new_nick ); 335 335 void irc_send_channel_user_mode_diff( irc_channel_t *ic, irc_user_t *iu, 336 irc_channel_user_flags_t old , irc_channel_user_flags_t new);336 irc_channel_user_flags_t old_flags, irc_channel_user_flags_t new_flags ); 337 337 void irc_send_invite( irc_user_t *iu, irc_channel_t *ic ); 338 338 … … 341 341 int irc_user_free( irc_t *irc, irc_user_t *iu ); 342 342 irc_user_t *irc_user_by_name( irc_t *irc, const char *nick ); 343 int irc_user_set_nick( irc_user_t *iu, const char *new );343 int irc_user_set_nick( irc_user_t *iu, const char *new_nick ); 344 344 gint irc_user_cmp( gconstpointer a_, gconstpointer b_ ); 345 345 const char *irc_user_get_away( irc_user_t *iu ); -
lib/events_glib.c
re306fbf r164352e 75 75 b_input_condition gaim_cond = 0; 76 76 gboolean st; 77 78 if (condition & G_IO_NVAL) 79 return FALSE; 77 80 78 81 if (condition & GAIM_READ_COND) -
lib/http_client.c
re306fbf r164352e 33 33 34 34 static gboolean http_connected( gpointer data, int source, b_input_condition cond ); 35 static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond );35 static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond ); 36 36 static gboolean http_incoming_data( gpointer data, int source, b_input_condition cond ); 37 37 static void http_free( struct http_request *req ); … … 47 47 if( ssl ) 48 48 { 49 req->ssl = ssl_connect( host, port, http_ssl_connected, req );49 req->ssl = ssl_connect( host, port, TRUE, http_ssl_connected, req ); 50 50 if( req->ssl == NULL ) 51 51 error = 1; … … 163 163 164 164 error: 165 req->status_string = g_strdup( "Error while writing HTTP request" ); 165 if( req->status_string == NULL ) 166 req->status_string = g_strdup( "Error while writing HTTP request" ); 166 167 167 168 req->func( req ); … … 170 171 } 171 172 172 static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond )173 static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond ) 173 174 { 174 175 struct http_request *req = data; 175 176 176 177 if( source == NULL ) 178 { 179 if( returncode != 0 ) 180 { 181 char *err = ssl_verify_strerror( returncode ); 182 req->status_string = g_strdup_printf( 183 "Certificate verification problem 0x%x: %s", 184 returncode, err ? err : "Unknown" ); 185 g_free( err ); 186 } 177 187 return http_connected( data, -1, cond ); 188 } 178 189 179 190 req->fd = ssl_getfd( source ); … … 439 450 if( new_proto == PROTO_HTTPS ) 440 451 { 441 req->ssl = ssl_connect( new_host, new_port, http_ssl_connected, req );452 req->ssl = ssl_connect( new_host, new_port, TRUE, http_ssl_connected, req ); 442 453 if( req->ssl == NULL ) 443 454 error = 1; -
lib/ssl_bogus.c
re306fbf r164352e 32 32 } 33 33 34 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )34 void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ) 35 35 { 36 36 return( NULL ); … … 56 56 } 57 57 58 void *ssl_starttls( int fd, ssl_input_function func, gpointer data )58 void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) 59 59 { 60 60 return NULL; … … 70 70 return 0; 71 71 } 72 73 char *ssl_verify_strerror( int code ) 74 { 75 return NULL; 76 } -
lib/ssl_client.h
re306fbf r164352e 40 40 #define SSL_NOHANDSHAKE 1 41 41 #define SSL_AGAIN 2 42 #define VERIFY_CERT_ERROR 2 43 #define VERIFY_CERT_INVALID 4 44 #define VERIFY_CERT_REVOKED 8 45 #define VERIFY_CERT_SIGNER_NOT_FOUND 16 46 #define VERIFY_CERT_SIGNER_NOT_CA 32 47 #define VERIFY_CERT_INSECURE_ALGORITHM 64 48 #define VERIFY_CERT_NOT_ACTIVATED 128 49 #define VERIFY_CERT_EXPIRED 256 50 #define VERIFY_CERT_WRONG_HOSTNAME 512 42 51 43 52 extern int ssl_errno; 44 53 45 54 /* This is what your callback function should look like. */ 46 typedef gboolean (*ssl_input_function)(gpointer, void*, b_input_condition);55 typedef gboolean (*ssl_input_function)(gpointer, int, void*, b_input_condition); 47 56 48 57 … … 53 62 ready to be used for SSL traffic. This is all done asynchronously, no 54 63 blocking I/O! (Except for the DNS lookups, for now...) */ 55 G_MODULE_EXPORT void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data );64 G_MODULE_EXPORT void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ); 56 65 57 66 /* Start an SSL session on an existing fd. Useful for STARTTLS functionality, 58 67 for example in Jabber. */ 59 G_MODULE_EXPORT void *ssl_starttls( int fd, ssl_input_function func, gpointer data );68 G_MODULE_EXPORT void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ); 60 69 61 70 /* Obviously you need special read/write functions to read data. */ … … 90 99 G_MODULE_EXPORT b_input_condition ssl_getdirection( void *conn ); 91 100 101 /* Converts a verification bitfield passed to ssl_input_function into 102 a more useful string. Or NULL if it had no useful bits set. */ 103 G_MODULE_EXPORT char *ssl_verify_strerror( int code ); 104 92 105 G_MODULE_EXPORT size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res); -
lib/ssl_gnutls.c
re306fbf r164352e 25 25 26 26 #include <gnutls/gnutls.h> 27 #include <gnutls/x509.h> 27 28 #include <gcrypt.h> 28 29 #include <fcntl.h> … … 32 33 #include "sock.h" 33 34 #include "stdlib.h" 35 #include "bitlbee.h" 34 36 35 37 int ssl_errno = 0; … … 54 56 gboolean established; 55 57 int inpa; 58 char *hostname; 59 gboolean verify; 56 60 57 61 gnutls_session session; … … 74 78 } 75 79 76 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )80 void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ) 77 81 { 78 82 struct scd *conn = g_new0( struct scd, 1 ); … … 82 86 conn->data = data; 83 87 conn->inpa = -1; 88 conn->hostname = g_strdup( host ); 89 conn->verify = verify && global.conf->cafile; 84 90 85 91 if( conn->fd < 0 ) … … 92 98 } 93 99 94 void *ssl_starttls( int fd, ssl_input_function func, gpointer data )100 void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) 95 101 { 96 102 struct scd *conn = g_new0( struct scd, 1 ); … … 100 106 conn->data = data; 101 107 conn->inpa = -1; 108 conn->hostname = hostname; 109 110 /* For now, SSL verification is globally enabled by setting the cafile 111 setting in bitlbee.conf. Commented out by default because probably 112 not everyone has this file in the same place and plenty of folks 113 may not have the cert of their private Jabber server in it. */ 114 conn->verify = verify && global.conf->cafile; 102 115 103 116 /* This function should be called via a (short) timeout instead of … … 122 135 } 123 136 137 static int verify_certificate_callback( gnutls_session_t session ) 138 { 139 unsigned int status; 140 const gnutls_datum_t *cert_list; 141 unsigned int cert_list_size; 142 int gnutlsret; 143 int verifyret = 0; 144 gnutls_x509_crt_t cert; 145 const char *hostname; 146 147 hostname = gnutls_session_get_ptr(session ); 148 149 gnutlsret = gnutls_certificate_verify_peers2( session, &status ); 150 if( gnutlsret < 0 ) 151 return VERIFY_CERT_ERROR; 152 153 if( status & GNUTLS_CERT_INVALID ) 154 verifyret |= VERIFY_CERT_INVALID; 155 156 if( status & GNUTLS_CERT_REVOKED ) 157 verifyret |= VERIFY_CERT_REVOKED; 158 159 if( status & GNUTLS_CERT_SIGNER_NOT_FOUND ) 160 verifyret |= VERIFY_CERT_SIGNER_NOT_FOUND; 161 162 if( status & GNUTLS_CERT_SIGNER_NOT_CA ) 163 verifyret |= VERIFY_CERT_SIGNER_NOT_CA; 164 165 if( status & GNUTLS_CERT_INSECURE_ALGORITHM ) 166 verifyret |= VERIFY_CERT_INSECURE_ALGORITHM; 167 168 #ifdef GNUTLS_CERT_NOT_ACTIVATED 169 /* Amusingly, the GnuTLS function used above didn't check for expiry 170 until GnuTLS 2.8 or so. (See CVE-2009-1417) */ 171 if( status & GNUTLS_CERT_NOT_ACTIVATED ) 172 verifyret |= VERIFY_CERT_NOT_ACTIVATED; 173 174 if( status & GNUTLS_CERT_EXPIRED ) 175 verifyret |= VERIFY_CERT_EXPIRED; 176 #endif 177 178 /* The following check is already performed inside 179 * gnutls_certificate_verify_peers2, so we don't need it. 180 181 * if( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 ) 182 * return GNUTLS_E_CERTIFICATE_ERROR; 183 */ 184 185 if( gnutls_x509_crt_init( &cert ) < 0 ) 186 return VERIFY_CERT_ERROR; 187 188 cert_list = gnutls_certificate_get_peers( session, &cert_list_size ); 189 if( cert_list == NULL || gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER ) < 0 ) 190 return VERIFY_CERT_ERROR; 191 192 if( !gnutls_x509_crt_check_hostname( cert, hostname ) ) 193 { 194 verifyret |= VERIFY_CERT_INVALID; 195 verifyret |= VERIFY_CERT_WRONG_HOSTNAME; 196 } 197 198 gnutls_x509_crt_deinit( cert ); 199 200 return verifyret; 201 } 202 203 char *ssl_verify_strerror( int code ) 204 { 205 GString *ret = g_string_new( "" ); 206 207 if( code & VERIFY_CERT_REVOKED ) 208 g_string_append( ret, "certificate has been revoked, " ); 209 if( code & VERIFY_CERT_SIGNER_NOT_FOUND ) 210 g_string_append( ret, "certificate hasn't got a known issuer, " ); 211 if( code & VERIFY_CERT_SIGNER_NOT_CA ) 212 g_string_append( ret, "certificate's issuer is not a CA, " ); 213 if( code & VERIFY_CERT_INSECURE_ALGORITHM ) 214 g_string_append( ret, "certificate uses an insecure algorithm, " ); 215 if( code & VERIFY_CERT_NOT_ACTIVATED ) 216 g_string_append( ret, "certificate has not been activated, " ); 217 if( code & VERIFY_CERT_EXPIRED ) 218 g_string_append( ret, "certificate has expired, " ); 219 if( code & VERIFY_CERT_WRONG_HOSTNAME ) 220 g_string_append( ret, "certificate hostname mismatch, " ); 221 222 if( ret->len == 0 ) 223 { 224 g_string_free( ret, TRUE ); 225 return NULL; 226 } 227 else 228 { 229 g_string_truncate( ret, ret->len - 2 ); 230 return g_string_free( ret, FALSE ); 231 } 232 } 233 124 234 static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond ) 125 235 { … … 128 238 if( source == -1 ) 129 239 { 130 conn->func( conn->data, NULL, cond );240 conn->func( conn->data, 0, NULL, cond ); 131 241 g_free( conn ); 132 242 return FALSE; … … 136 246 137 247 gnutls_certificate_allocate_credentials( &conn->xcred ); 248 if( conn->verify && global.conf->cafile ) 249 { 250 gnutls_certificate_set_x509_trust_file( conn->xcred, global.conf->cafile, GNUTLS_X509_FMT_PEM ); 251 gnutls_certificate_set_verify_flags( conn->xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT ); 252 } 253 138 254 gnutls_init( &conn->session, GNUTLS_CLIENT ); 255 if( conn->verify ) 256 gnutls_session_set_ptr( conn->session, (void *) conn->hostname ); 139 257 #if GNUTLS_VERSION_NUMBER < 0x020c00 140 258 gnutls_transport_set_lowat( conn->session, 0 ); … … 152 270 { 153 271 struct scd *conn = data; 154 int st ;272 int st, stver; 155 273 156 274 if( ( st = gnutls_handshake( conn->session ) ) < 0 ) … … 163 281 else 164 282 { 165 conn->func( conn->data, NULL, cond );283 conn->func( conn->data, 0, NULL, cond ); 166 284 167 285 gnutls_deinit( conn->session ); … … 174 292 else 175 293 { 176 /* For now we can't handle non-blocking perfectly everywhere... */ 177 sock_make_blocking( conn->fd ); 294 if( conn->verify && ( stver = verify_certificate_callback( conn->session ) ) != 0 ) 295 { 296 conn->func( conn->data, stver, NULL, cond ); 297 298 gnutls_deinit( conn->session ); 299 gnutls_certificate_free_credentials( conn->xcred ); 300 closesocket( conn->fd ); 301 302 g_free( conn ); 303 } 304 else 305 { 306 /* For now we can't handle non-blocking perfectly everywhere... */ 307 sock_make_blocking( conn->fd ); 178 308 179 conn->established = TRUE; 180 conn->func( conn->data, conn, cond ); 309 conn->established = TRUE; 310 conn->func( conn->data, 0, conn, cond ); 311 } 181 312 } 182 313 -
lib/ssl_nss.c
re306fbf r164352e 52 52 PRFileDesc *prfd; 53 53 gboolean established; 54 gboolean verify; 54 55 }; 55 56 … … 102 103 } 103 104 104 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )105 void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ) 105 106 { 106 107 struct scd *conn = g_new0( struct scd, 1 ); … … 132 133 } 133 134 134 void *ssl_starttls( int fd, ssl_input_function func, gpointer data )135 void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) 135 136 { 136 137 struct scd *conn = g_new0( struct scd, 1 ); … … 139 140 conn->func = func; 140 141 conn->data = data; 142 conn->verify = verify && global.conf->cafile; 141 143 142 144 /* This function should be called via a (short) timeout instead of … … 157 159 { 158 160 struct scd *conn = data; 161 162 /* Right now we don't have any verification functionality for NSS. */ 163 164 if( conn->verify ) 165 { 166 conn->func( conn->data, 1, NULL, cond ); 167 if( source >= 0 ) closesocket( source ); 168 g_free( conn ); 169 170 return FALSE; 171 } 159 172 160 173 if( source == -1 ) … … 177 190 178 191 conn->established = TRUE; 179 conn->func( conn->data, conn, cond );192 conn->func( conn->data, 0, conn, cond ); 180 193 return FALSE; 181 194 182 195 ssl_connected_failure: 183 196 184 conn->func( conn->data, NULL, cond );197 conn->func( conn->data, 0, NULL, cond ); 185 198 186 199 PR_Close( conn -> prfd ); … … 238 251 return B_EV_IO_READ; 239 252 } 253 254 char *ssl_verify_strerror( int code ) 255 { 256 return g_strdup( "SSL certificate verification not supported by BitlBee NSS code." ); 257 } -
lib/ssl_openssl.c
re306fbf r164352e 45 45 int fd; 46 46 gboolean established; 47 gboolean verify; 47 48 48 49 int inpa; … … 64 65 } 65 66 66 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )67 void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ) 67 68 { 68 69 struct scd *conn = g_new0( struct scd, 1 ); … … 82 83 } 83 84 84 void *ssl_starttls( int fd, ssl_input_function func, gpointer data )85 void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) 85 86 { 86 87 struct scd *conn = g_new0( struct scd, 1 ); … … 90 91 conn->data = data; 91 92 conn->inpa = -1; 93 conn->verify = verify && global.conf->cafile; 92 94 93 95 /* This function should be called via a (short) timeout instead of … … 117 119 SSL_METHOD *meth; 118 120 121 /* Right now we don't have any verification functionality for OpenSSL. */ 122 123 if( conn->verify ) 124 { 125 conn->func( conn->data, 1, NULL, cond ); 126 if( source >= 0 ) closesocket( source ); 127 g_free( conn ); 128 129 return FALSE; 130 } 131 119 132 if( source == -1 ) 120 133 goto ssl_connected_failure; … … 141 154 142 155 ssl_connected_failure: 143 conn->func( conn->data, NULL, cond );156 conn->func( conn->data, 0, NULL, cond ); 144 157 145 158 if( conn->ssl ) … … 169 182 if( conn->lasterr != SSL_ERROR_WANT_READ && conn->lasterr != SSL_ERROR_WANT_WRITE ) 170 183 { 171 conn->func( conn->data, NULL, cond );184 conn->func( conn->data, 0, NULL, cond ); 172 185 173 186 SSL_shutdown( conn->ssl ); … … 187 200 conn->established = TRUE; 188 201 sock_make_blocking( conn->fd ); /* For now... */ 189 conn->func( conn->data, conn, cond );202 conn->func( conn->data, 0, conn, cond ); 190 203 return FALSE; 191 204 } … … 272 285 { 273 286 return( ((struct scd*)conn)->lasterr == SSL_ERROR_WANT_WRITE ? B_EV_IO_WRITE : B_EV_IO_READ ); 287 } 288 289 char *ssl_verify_strerror( int code ) 290 { 291 return g_strdup( "SSL certificate verification not supported by BitlBee OpenSSL code." ); 274 292 } 275 293 -
protocols/bee.h
re306fbf r164352e 123 123 gboolean (*chat_add_user)( bee_t *bee, struct groupchat *c, bee_user_t *bu ); 124 124 gboolean (*chat_remove_user)( bee_t *bee, struct groupchat *c, bee_user_t *bu ); 125 gboolean (*chat_topic)( bee_t *bee, struct groupchat *c, const char *new , bee_user_t *bu );125 gboolean (*chat_topic)( bee_t *bee, struct groupchat *c, const char *new_topic, bee_user_t *bu ); 126 126 gboolean (*chat_name_hint)( bee_t *bee, struct groupchat *c, const char *name ); 127 127 gboolean (*chat_invite)( bee_t *bee, bee_user_t *bu, const char *name, const char *msg ); -
protocols/jabber/io.c
re306fbf r164352e 276 276 } 277 277 278 gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond )278 gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_input_condition cond ) 279 279 { 280 280 struct im_connection *ic = data; … … 292 292 jd->ssl = NULL; 293 293 294 imcb_error( ic, "Could not connect to server" ); 295 imc_logout( ic, TRUE ); 294 if( returncode != 0 ) 295 { 296 char *err = ssl_verify_strerror( returncode ); 297 imcb_error( ic, "Certificate verification problem 0x%x: %s", 298 returncode, err ? err : "Unknown" ); 299 g_free( err ); 300 imc_logout( ic, FALSE ); 301 } 302 else 303 { 304 imcb_error( ic, "Could not connect to server" ); 305 imc_logout( ic, TRUE ); 306 } 307 296 308 return FALSE; 297 309 } … … 397 409 struct im_connection *ic = data; 398 410 struct jabber_data *jd = ic->proto_data; 399 char *xmlns ;411 char *xmlns, *tlsname; 400 412 401 413 xmlns = xt_find_attr( node, "xmlns" ); … … 423 435 424 436 jd->flags |= JFLAG_STARTTLS_DONE; 425 jd->ssl = ssl_starttls( jd->fd, jabber_connected_ssl, ic ); 437 438 /* If the user specified a server for the account, use this server as the 439 * hostname in the certificate verification. Else we use the domain from 440 * the username. */ 441 if( ic->acc->server && *ic->acc->server ) 442 tlsname = ic->acc->server; 443 else 444 tlsname = jd->server; 445 446 jd->ssl = ssl_starttls( jd->fd, tlsname, set_getbool( &ic->acc->set, "tls_verify" ), 447 jabber_connected_ssl, ic ); 426 448 427 449 return XT_HANDLED; -
protocols/jabber/jabber.c
re306fbf r164352e 87 87 s = set_add( &acc->set, "tls", "try", set_eval_tls, acc ); 88 88 s->flags |= ACC_SET_OFFLINE_ONLY; 89 89 90 s = set_add( &acc->set, "tls_verify", "true", set_eval_bool, acc ); 91 s->flags |= ACC_SET_OFFLINE_ONLY; 92 90 93 s = set_add( &acc->set, "user_agent", "BitlBee", NULL, acc ); 91 94 … … 228 231 if( set_getbool( &acc->set, "ssl" ) ) 229 232 { 230 jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), jabber_connected_ssl, ic );233 jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), FALSE, jabber_connected_ssl, ic ); 231 234 jd->fd = jd->ssl ? ssl_getfd( jd->ssl ) : -1; 232 235 } -
protocols/jabber/jabber.h
re306fbf r164352e 317 317 int jabber_write( struct im_connection *ic, char *buf, int len ); 318 318 gboolean jabber_connected_plain( gpointer data, gint source, b_input_condition cond ); 319 gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond );319 gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_input_condition cond ); 320 320 gboolean jabber_start_stream( struct im_connection *ic ); 321 321 void jabber_end_stream( struct im_connection *ic ); -
protocols/msn/soap.c
re306fbf r164352e 60 60 struct im_connection *ic; 61 61 int ttl; 62 char *error; 62 63 63 64 char *url, *action, *payload; … … 158 159 } 159 160 161 if( http_req->status_code != 200 ) 162 soap_req->error = g_strdup( http_req->status_string ); 163 160 164 st = soap_req->handle_response( soap_req ); 161 165 … … 164 168 g_free( soap_req->action ); 165 169 g_free( soap_req->payload ); 166 soap_req->url = soap_req->action = soap_req->payload = NULL; 170 g_free( soap_req->error ); 171 soap_req->url = soap_req->action = soap_req->payload = soap_req->error = NULL; 167 172 168 173 if( st == MSN_SOAP_RETRY && --soap_req->ttl ) … … 253 258 g_free( soap_req->action ); 254 259 g_free( soap_req->payload ); 260 g_free( soap_req->error ); 255 261 g_free( soap_req ); 256 262 } … … 410 416 if( sd->secret == NULL ) 411 417 { 412 msn_auth_got_passport_token( ic, NULL, sd->error );418 msn_auth_got_passport_token( ic, NULL, sd->error ? sd->error : soap_req->error ); 413 419 return MSN_SOAP_OK; 414 420 } -
protocols/skype/skype.c
re306fbf r164352e 1157 1157 } 1158 1158 1159 gboolean skype_connected(gpointer data, void *source, b_input_condition cond)1159 gboolean skype_connected(gpointer data, int returncode, void *source, b_input_condition cond) 1160 1160 { 1161 1161 struct im_connection *ic = data; … … 1185 1185 imcb_log(ic, "Connecting"); 1186 1186 sd->ssl = ssl_connect(set_getstr(&acc->set, "server"), 1187 set_getint(&acc->set, "port"), skype_connected, ic);1187 set_getint(&acc->set, "port"), FALSE, skype_connected, ic); 1188 1188 sd->fd = sd->ssl ? ssl_getfd(sd->ssl) : -1; 1189 1189 sd->username = g_strdup(acc->user); -
unix.c
re306fbf r164352e 41 41 #include <pwd.h> 42 42 #include <locale.h> 43 #include <grp.h> 43 44 44 45 #if defined(OTR_BI) || defined(OTR_PI) … … 152 153 if( pw ) 153 154 { 155 initgroups( global.conf->user, pw->pw_gid ); 154 156 setgid( pw->pw_gid ); 155 157 setuid( pw->pw_uid ); 158 } 159 else 160 { 161 log_message( LOGLVL_WARNING, "Failed to look up user %s.", global.conf->user ); 156 162 } 157 163 }
Note: See TracChangeset
for help on using the changeset viewer.