Changeset 164352e


Ignore:
Timestamp:
2011-12-24T18:02:39Z (8 years ago)
Author:
Wilmer van der Gaast <wilmer@…>
Branches:
master
Children:
34ded90
Parents:
e306fbf (diff), 96f954d (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

Merging mainline.

Files:
24 edited

Legend:

Unmodified
Added
Removed
  • bitlbee.conf

    re306fbf r164352e  
    116116## (Obviously, the username and password are optional)
    117117##
    118 ## Proxy = http://john:doe@proxy.localnet.com:8080
    119 ## Proxy = socks4://socksproxy.localnet.com
    120 ## Proxy = socks5://socksproxy.localnet.com
     118# Proxy = http://john:doe@proxy.localnet.com:8080
     119# Proxy = socks4://socksproxy.localnet.com
     120# Proxy = socks5://socksproxy.localnet.com
    121121
    122122## Protocols offered by bitlbee
     
    126126## nothing is given, there are no restrictions.
    127127##
    128 ## Protocols = jabber yahoo
     128# Protocols = jabber yahoo
    129129
     130## Trusted CAs
     131##
     132## Path to a file containing a list of trusted certificate authorities used in
     133## the verification of server certificates.
     134##
     135## Uncomment this and make sure the file actually exists and contains all
     136## certificate authorities you're willing to accept (default value should
     137## work on at least Debian/Ubuntu systems with the "ca-certificates" package
     138## installed). As long as the line is commented out, SSL certificate
     139## verification is completely disabled.
     140##
     141## The location of this file may be different on other distros/OSes. For
     142## example, try /etc/ssl/ca-bundle.pem on OpenSUSE.
     143##
     144# CAfile = /etc/ssl/certs/ca-certificates.crt
    130145
    131146[defaults]
  • bitlbee.h

    re306fbf r164352e  
    2626#ifndef _BITLBEE_H
    2727#define _BITLBEE_H
     28
     29#ifdef __cplusplus
     30extern "C" {
     31#endif
    2832
    2933#ifndef _GNU_SOURCE
     
    175179extern global_t global;
    176180
     181#ifdef __cplusplus
     182}
    177183#endif
     184
     185#endif
     186
  • conf.c

    re306fbf r164352e  
    6767        conf->ft_listen = NULL;
    6868        conf->protocols = NULL;
     69        conf->cafile = NULL;
    6970        proxytype = 0;
    7071       
     
    177178                fprintf( stderr, "Warning: Unable to read configuration file `%s'.\n", global.conf_file );
    178179       
     180        if( conf->cafile && access( conf->cafile, R_OK ) != 0 )
     181        {
     182                /* Let's treat this as a serious problem so people won't think
     183                   they're secure when in fact they're not. */
     184                fprintf( stderr, "Error: Could not read CA file %s: %s\n", conf->cafile, strerror( errno ) );
     185                return NULL;
     186        }
     187       
    179188        return conf;
    180189}
     
    340349                                conf->protocols = g_strsplit_set( ini->value, " \t,;", -1 );
    341350                        }
     351                        else if( g_strcasecmp( ini->key, "cafile" ) == 0 )
     352                        {
     353                                g_free( conf->cafile );
     354                                conf->cafile = g_strdup( ini->value );
     355                        }
    342356                        else
    343357                        {
  • conf.h

    re306fbf r164352e  
    5454        char *ft_listen;
    5555        char **protocols;
     56        char *cafile;
    5657} conf_t;
    5758
  • configure

    re306fbf r164352e  
    283283EOF
    284284                ssl=gnutls
     285                if ! pkg-config gnutls --atleast-version=2.8; then
     286                        echo
     287                        echo 'Warning: With GnuTLS versions <2.8, certificate expire dates are not verified.'
     288                fi
    285289                ret=1
    286290        elif libgnutls-config --version > /dev/null 2> /dev/null; then
  • debian/changelog

    re306fbf r164352e  
    1 bitlbee (3.0.4-1) unstable; urgency=low
    2 
    3   * New upstream release.
     1bitlbee (3.0.4+z-2) UNRELEASED; urgency=low
     2
     3  * Removed some version override stuff from Debian build scripts. Instead,
     4    my buildbot now uses dch to generate a changelog entry with the right
     5    version number.
     6
     7 -- Wilmer van der Gaast <wilmer@gaast.net>  Fri, 23 Dec 2011 09:45:55 +0100
     8
     9bitlbee (3.0.4+bzr855-1) unstable; urgency=low
     10
     11  * New upstream release.
     12  * This is not a vanilla 3.0.4 tree but a Bazaar snapshot. The source
     13    release was a few weeks ago by now. There should be no significant
     14    differences.
    415  * Added bitlbee-plugin-skype and skyped packages, now part of BitlBee
    5     instead of a separate package.
    6   * Fixed dependencies of bitlbee-plugin-otr package to not break with
    7     binary MTUs. (Closes: #651612)
     16    instead of a separate package. Not building these for Debian for now
     17    though since python-skype was removed.
    818  * ^B and some other things are stripped in outgoing XMPP stanzas.
    919    (Closes: #507856)
     
    1121    one from bugs.bitlbee.org. I hope that covers it. (Closes: #646369)
    1222  * Closing a few old bugs that were filed against the Debian package
    13     instead of upstream:
     23    instead of/as well as upstream:
    1424    - Joining password-protected MUCs is working for a while already, set
    1525      the password using "chan set". (Closes: #615624)
     
    1828    - identi.ca support is documented. (Closes: #613789)
    1929
    20  -- Wilmer van der Gaast <wilmer@gaast.net>  Sun, 11 Dec 2011 16:53:31 +0000
     30 -- Wilmer van der Gaast <wilmer@gaast.net>  Tue, 20 Dec 2011 12:46:42 +0100
     31
     32bitlbee (3.0.3-1.1) unstable; urgency=low
     33
     34  * Non-maintainer upload.
     35  * Use the standard ${source:Version} and ${binary:Version} substvars instead
     36    of the custom and broken ${bee:Version} (closes: #651612).
     37
     38 -- Julien Cristau <jcristau@debian.org>  Thu, 15 Dec 2011 20:34:32 +0100
    2139
    2240bitlbee (3.0.3-1) unstable; urgency=low
  • debian/control

    re306fbf r164352e  
    1212Package: bitlbee
    1313Architecture: any
    14 Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${bee:Version})
     14Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${source:Version})
    1515Conflicts: bitlbee-libpurple
    1616Replaces: bitlbee-libpurple
     
    2222Package: bitlbee-libpurple
    2323Architecture: any
    24 Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${bee:Version})
     24Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${source:Version})
    2525Conflicts: bitlbee
    2626Replaces: bitlbee
     
    5151Package: bitlbee-dev
    5252Architecture: all
    53 Depends: ${misc:Depends}, bitlbee (>= ${bee:Version}), bitlbee (<< ${bee:Version}.1~), bitlbee-common (= ${bee:Version})
     53Depends: ${misc:Depends}, bitlbee (>= ${source:Version}), bitlbee (<< ${source:Version}.1~), bitlbee-common (= ${source:Version})
    5454Description: An IRC to other chat networks gateway (dev files)
    5555 This program can be used as an IRC server which forwards everything you
     
    6161Package: bitlbee-plugin-otr
    6262Architecture: any
    63 Depends: ${misc:Depends}, ${shlibs:Depends}, bitlbee (>= ${bee:Version}) | bitlbee-libpurple (>= ${bee:Version}), bitlbee (<< ${bee:Version}.1~) | bitlbee-libpurple (<< ${bee:Version}.1~), bitlbee-common (= ${bee:Version})
     63Depends: ${misc:Depends}, ${shlibs:Depends}, bitlbee (= ${binary:Version}) | bitlbee-libpurple (= ${binary:Version}), bitlbee-common (= ${source:Version})
    6464Description: An IRC to other chat networks gateway (OTR plugin)
    6565 This program can be used as an IRC server which forwards everything you
     
    7272Package: bitlbee-plugin-skype
    7373Architecture: any
    74 Depends: ${shlibs:Depends}, ${misc:Depends}, bitlbee (>= ${bee:Version}) | bitlbee-libpurple (>= ${bee:Version}), bitlbee (<< ${bee:Version}.1~) | bitlbee-libpurple (<< ${bee:Version}.1~)
     74Depends: ${misc:Depends}, ${shlibs:Depends}, bitlbee (= ${binary:Version}) | bitlbee-libpurple (= ${binary:Version}), bitlbee-common (= ${source:Version})
    7575Recommends: skyped
    7676Description: An IRC to other chat networks gateway (Skype plugin)
     
    8383
    8484Package: skyped
    85 Architecture: any
    86 Depends: ${shlibs:Depends}, ${misc:Depends}, python (>= 2.5), python-gnutls, python-skype (>=0.9.28.7)
     85Architecture: all
     86Depends: ${misc:Depends}, ${shlibs:Depends}, python (>= 2.5), python-gnutls, python-skype (>=0.9.28.7)
    8787Recommends: skype
    8888Description: Daemon to control Skype remotely
  • debian/rules

    re306fbf r164352e  
    88#
    99
    10 # Include the bitlbee-libpurple variant and OTR plugin by default
     10# Include the bitlbee-libpurple variant and OTR plugin by default.
     11# Don't build skype by default since it depends on deleted/non-free
     12# packages. Need to at least get python-skype back into Debian.
    1113BITLBEE_LIBPURPLE ?= 1
    1214BITLBEE_OTR ?= plugin
    13 BITLBEE_SKYPE ?= plugin
     15BITLBEE_SKYPE ?= 0
    1416BITLBEE_CONFIGURE_FLAGS ?=
    1517DEBUG ?= 0
     
    1719ifndef BITLBEE_VERSION
    1820# Want to use the full package version number instead of just the release.
    19 BITLBEE_CONFIGURE_VERSION ?= BITLBEE_VERSION=\"$(shell dpkg-parsechangelog | grep ^Version: | awk '{print $$2}')\"
     21BITLBEE_CONFIGURE_VERSION ?= BITLBEE_VERSION=\"$(shell dpkg-parsechangelog | awk '/^Version:/ {print $$2}')\"
    2022endif
    2123
     
    7274        $(MAKE) -C debian/build-native install-plugin-skype DESTDIR=`pwd`/debian/skyped
    7375
     76ifneq ($(BITLBEE_SKYPE),0)
    7477        mkdir -p debian/bitlbee-plugin-skype/usr
    7578        mv debian/skyped/usr/lib debian/bitlbee-plugin-skype/usr
     
    7780        mkdir -p debian/skyped/usr/share/man/man1
    7881        mv debian/bitlbee-common/usr/share/man/man1/skyped* debian/skyped/usr/share/man/man1
     82endif
    7983
    8084ifeq ($(BITLBEE_LIBPURPLE),1)
     
    106110        dh_installdeb
    107111        dh_shlibdeps
    108 ifdef BITLBEE_VERSION
    109         dh_gencontrol -- -v$(BITLBEE_VERSION)  -Vbee:Version=$(BITLBEE_VERSION)
    110 else
    111         dh_gencontrol -- -Vbee:Version=$(shell dpkg-parsechangelog | grep ^Version: | awk '{print $$2}' | sed -e 's/+b[0-9]\+$$//')
    112 endif
     112        dh_gencontrol
    113113        dh_md5sums
    114114        dh_builddeb
  • doc/user-guide/commands.xml

    re306fbf r164352e  
    648648        </bitlbee-setting>
    649649
    650         <bitlbee-setting name="auto_connect" type="boolean" scope="both">
     650        <bitlbee-setting name="auto_connect" type="boolean" scope="account,global">
    651651                <default>true</default>
    652652
     
    672672        </bitlbee-setting>
    673673
    674         <bitlbee-setting name="auto_reconnect" type="boolean" scope="both">
     674        <bitlbee-setting name="auto_reconnect" type="boolean" scope="account,global">
    675675                <default>true</default>
    676676
     
    726726        </bitlbee-setting>
    727727
    728         <bitlbee-setting name="away" type="string" scope="both">
     728        <bitlbee-setting name="away" type="string" scope="account,global">
    729729                <description>
    730730                        <para>
     
    10761076        </bitlbee-setting>
    10771077
    1078         <bitlbee-setting name="nick_format" type="string" scope="both">
     1078        <bitlbee-setting name="nick_format" type="string" scope="account,global">
    10791079                <default>%-@nick</default>
    10801080
     
    11691169        </bitlbee-setting>
    11701170
    1171         <bitlbee-setting name="password" type="string" scope="both">
     1171        <bitlbee-setting name="password" type="string" scope="account,global">
    11721172                <description>
    11731173                        <para>
     
    13921392                <description>
    13931393                        <para>
    1394                                 Currently only available for Jabber connections. Set this to true if the server accepts SSL connections.
    1395                         </para>
    1396                 </description>
    1397         </bitlbee-setting>
    1398 
    1399         <bitlbee-setting name="status" type="string" scope="both">
    1400                 <description>
    1401                         <para>
    1402                                 Certain protocols (like Jabber/XMPP) support status messages, similar to away messages. They can be used to indicate things like your location or activity, without showing up as away/busy.
     1394                                Currently only available for Jabber connections. Set this to true if you want to connect to the server on an SSL-enabled port (usually 5223).
     1395                        </para>
     1396
     1397                        <para>
     1398                                Please note that this method of establishing a secure connection to the server has long been deprecated. You are encouraged to look at the <emphasis>tls</emphasis> setting instead.
     1399                        </para>
     1400                </description>
     1401        </bitlbee-setting>
     1402
     1403        <bitlbee-setting name="status" type="string" scope="account,global">
     1404                <description>
     1405                        <para>
     1406                                Most IM protocols support status messages, similar to away messages. They can be used to indicate things like your location or activity, without showing up as away/busy.
    14031407                        </para>
    14041408
     
    14081412
    14091413                        <para>
    1410                                 Away states set using <emphasis>/away</emphasis> or the <emphasis>away</emphasis> setting will override this setting. To un-set the setting, use <emphasis>set -del status</emphasis>.
     1414                                Away states set using <emphasis>/away</emphasis> or the <emphasis>away</emphasis> setting will override this setting. To clear the setting, use <emphasis>set -del status</emphasis>.
    14111415                        </para>
    14121416                </description>
     
    14811485                        <para>
    14821486                                If you want to force BitlBee to use TLS sessions only (and to give up if that doesn't seem to be possible) you can set this setting to <emphasis>true</emphasis>. Set it to <emphasis>false</emphasis> if you want the session to remain plain-text.
     1487                        </para>
     1488                </description>
     1489        </bitlbee-setting>
     1490
     1491        <bitlbee-setting name="tls_verify" type="boolean" scope="account">
     1492                <default>true</default>
     1493
     1494                <description>
     1495                        <para>
     1496                                Currently only available for Jabber connections in combination with the <emphasis>tls</emphasis> setting. Set this to <emphasis>true</emphasis> if you want BitlBee to strictly verify the server's certificate against a list of trusted certificate authorities.
     1497                        </para>
     1498
     1499                        <para>
     1500                                The hostname used in the certificate verification is the value of the <emphasis>server</emphasis> setting if the latter is nonempty and the domain of the username else. If you get a hostname related error when connecting to Google Talk with a username from the gmail.com or googlemail.com domain, please try to empty the <emphasis>server</emphasis> setting.
     1501                        </para>
     1502
     1503                        <para>
     1504                                Please note that no certificate verification is performed when the <emphasis>ssl</emphasis> setting is used, or when the <emphasis>CAfile</emphasis> setting in <emphasis>bitlbee.conf</emphasis> is not set.
    14831505                        </para>
    14841506                </description>
  • irc.h

    re306fbf r164352e  
    182182        gboolean (*join)( irc_channel_t *ic );
    183183        gboolean (*part)( irc_channel_t *ic, const char *msg );
    184         gboolean (*topic)( irc_channel_t *ic, const char *new );
     184        gboolean (*topic)( irc_channel_t *ic, const char *new_topic );
    185185        gboolean (*invite)( irc_channel_t *ic, irc_user_t *iu );
    186186       
     
    332332void irc_send_msg_raw( irc_user_t *iu, const char *type, const char *dst, const char *msg );
    333333void irc_send_msg_f( irc_user_t *iu, const char *type, const char *dst, const char *format, ... ) G_GNUC_PRINTF( 4, 5 );
    334 void irc_send_nick( irc_user_t *iu, const char *new );
     334void irc_send_nick( irc_user_t *iu, const char *new_nick );
    335335void irc_send_channel_user_mode_diff( irc_channel_t *ic, irc_user_t *iu,
    336                                       irc_channel_user_flags_t old, irc_channel_user_flags_t new );
     336                                      irc_channel_user_flags_t old_flags, irc_channel_user_flags_t new_flags );
    337337void irc_send_invite( irc_user_t *iu, irc_channel_t *ic );
    338338
     
    341341int irc_user_free( irc_t *irc, irc_user_t *iu );
    342342irc_user_t *irc_user_by_name( irc_t *irc, const char *nick );
    343 int irc_user_set_nick( irc_user_t *iu, const char *new );
     343int irc_user_set_nick( irc_user_t *iu, const char *new_nick );
    344344gint irc_user_cmp( gconstpointer a_, gconstpointer b_ );
    345345const char *irc_user_get_away( irc_user_t *iu );
  • lib/events_glib.c

    re306fbf r164352e  
    7575        b_input_condition gaim_cond = 0;
    7676        gboolean st;
     77       
     78        if (condition & G_IO_NVAL)
     79                return FALSE;
    7780
    7881        if (condition & GAIM_READ_COND)
  • lib/http_client.c

    re306fbf r164352e  
    3333
    3434static gboolean http_connected( gpointer data, int source, b_input_condition cond );
    35 static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond );
     35static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond );
    3636static gboolean http_incoming_data( gpointer data, int source, b_input_condition cond );
    3737static void http_free( struct http_request *req );
     
    4747        if( ssl )
    4848        {
    49                 req->ssl = ssl_connect( host, port, http_ssl_connected, req );
     49                req->ssl = ssl_connect( host, port, TRUE, http_ssl_connected, req );
    5050                if( req->ssl == NULL )
    5151                        error = 1;
     
    163163       
    164164error:
    165         req->status_string = g_strdup( "Error while writing HTTP request" );
     165        if( req->status_string == NULL )
     166                req->status_string = g_strdup( "Error while writing HTTP request" );
    166167       
    167168        req->func( req );
     
    170171}
    171172
    172 static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond )
     173static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond )
    173174{
    174175        struct http_request *req = data;
    175176       
    176177        if( source == NULL )
     178        {
     179                if( returncode != 0 )
     180                {
     181                        char *err = ssl_verify_strerror( returncode );
     182                        req->status_string = g_strdup_printf(
     183                                "Certificate verification problem 0x%x: %s",
     184                                returncode, err ? err : "Unknown" );
     185                        g_free( err );
     186                }
    177187                return http_connected( data, -1, cond );
     188        }
    178189       
    179190        req->fd = ssl_getfd( source );
     
    439450                if( new_proto == PROTO_HTTPS )
    440451                {
    441                         req->ssl = ssl_connect( new_host, new_port, http_ssl_connected, req );
     452                        req->ssl = ssl_connect( new_host, new_port, TRUE, http_ssl_connected, req );
    442453                        if( req->ssl == NULL )
    443454                                error = 1;
  • lib/ssl_bogus.c

    re306fbf r164352e  
    3232}
    3333
    34 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
     34void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
    3535{
    3636        return( NULL );
     
    5656}
    5757
    58 void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
     58void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
    5959{
    6060        return NULL;
     
    7070        return 0;
    7171}
     72
     73char *ssl_verify_strerror( int code )
     74{
     75        return NULL;
     76}
  • lib/ssl_client.h

    re306fbf r164352e  
    4040#define SSL_NOHANDSHAKE   1
    4141#define SSL_AGAIN         2
     42#define VERIFY_CERT_ERROR 2
     43#define VERIFY_CERT_INVALID 4
     44#define VERIFY_CERT_REVOKED 8
     45#define VERIFY_CERT_SIGNER_NOT_FOUND 16
     46#define VERIFY_CERT_SIGNER_NOT_CA 32
     47#define VERIFY_CERT_INSECURE_ALGORITHM 64
     48#define VERIFY_CERT_NOT_ACTIVATED 128
     49#define VERIFY_CERT_EXPIRED 256
     50#define VERIFY_CERT_WRONG_HOSTNAME 512
    4251
    4352extern int ssl_errno;
    4453
    4554/* This is what your callback function should look like. */
    46 typedef gboolean (*ssl_input_function)(gpointer, void*, b_input_condition);
     55typedef gboolean (*ssl_input_function)(gpointer, int, void*, b_input_condition);
    4756
    4857
     
    5362   ready to be used for SSL traffic. This is all done asynchronously, no
    5463   blocking I/O! (Except for the DNS lookups, for now...) */
    55 G_MODULE_EXPORT void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data );
     64G_MODULE_EXPORT void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data );
    5665
    5766/* Start an SSL session on an existing fd. Useful for STARTTLS functionality,
    5867   for example in Jabber. */
    59 G_MODULE_EXPORT void *ssl_starttls( int fd, ssl_input_function func, gpointer data );
     68G_MODULE_EXPORT void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data );
    6069
    6170/* Obviously you need special read/write functions to read data. */
     
    9099G_MODULE_EXPORT b_input_condition ssl_getdirection( void *conn );
    91100
     101/* Converts a verification bitfield passed to ssl_input_function into
     102   a more useful string. Or NULL if it had no useful bits set. */
     103G_MODULE_EXPORT char *ssl_verify_strerror( int code );
     104
    92105G_MODULE_EXPORT size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res);
  • lib/ssl_gnutls.c

    re306fbf r164352e  
    2525
    2626#include <gnutls/gnutls.h>
     27#include <gnutls/x509.h>
    2728#include <gcrypt.h>
    2829#include <fcntl.h>
     
    3233#include "sock.h"
    3334#include "stdlib.h"
     35#include "bitlbee.h"
    3436
    3537int ssl_errno = 0;
     
    5456        gboolean established;
    5557        int inpa;
     58        char *hostname;
     59        gboolean verify;
    5660       
    5761        gnutls_session session;
     
    7478}
    7579
    76 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
     80void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
    7781{
    7882        struct scd *conn = g_new0( struct scd, 1 );
     
    8286        conn->data = data;
    8387        conn->inpa = -1;
     88        conn->hostname = g_strdup( host );
     89        conn->verify = verify && global.conf->cafile;
    8490       
    8591        if( conn->fd < 0 )
     
    9298}
    9399
    94 void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
     100void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
    95101{
    96102        struct scd *conn = g_new0( struct scd, 1 );
     
    100106        conn->data = data;
    101107        conn->inpa = -1;
     108        conn->hostname = hostname;
     109       
     110        /* For now, SSL verification is globally enabled by setting the cafile
     111           setting in bitlbee.conf. Commented out by default because probably
     112           not everyone has this file in the same place and plenty of folks
     113           may not have the cert of their private Jabber server in it. */
     114        conn->verify = verify && global.conf->cafile;
    102115       
    103116        /* This function should be called via a (short) timeout instead of
     
    122135}
    123136
     137static int verify_certificate_callback( gnutls_session_t session )
     138{
     139        unsigned int status;
     140        const gnutls_datum_t *cert_list;
     141        unsigned int cert_list_size;
     142        int gnutlsret;
     143        int verifyret = 0;
     144        gnutls_x509_crt_t cert;
     145        const char *hostname;
     146       
     147        hostname = gnutls_session_get_ptr(session );
     148
     149        gnutlsret = gnutls_certificate_verify_peers2( session, &status );
     150        if( gnutlsret < 0 )
     151                return VERIFY_CERT_ERROR;
     152
     153        if( status & GNUTLS_CERT_INVALID )
     154                verifyret |= VERIFY_CERT_INVALID;
     155
     156        if( status & GNUTLS_CERT_REVOKED )
     157                verifyret |= VERIFY_CERT_REVOKED;
     158
     159        if( status & GNUTLS_CERT_SIGNER_NOT_FOUND )
     160                verifyret |= VERIFY_CERT_SIGNER_NOT_FOUND;
     161
     162        if( status & GNUTLS_CERT_SIGNER_NOT_CA )
     163                verifyret |= VERIFY_CERT_SIGNER_NOT_CA;
     164
     165        if( status & GNUTLS_CERT_INSECURE_ALGORITHM )
     166                verifyret |= VERIFY_CERT_INSECURE_ALGORITHM;
     167
     168#ifdef GNUTLS_CERT_NOT_ACTIVATED
     169        /* Amusingly, the GnuTLS function used above didn't check for expiry
     170           until GnuTLS 2.8 or so. (See CVE-2009-1417) */
     171        if( status & GNUTLS_CERT_NOT_ACTIVATED )
     172                verifyret |= VERIFY_CERT_NOT_ACTIVATED;
     173
     174        if( status & GNUTLS_CERT_EXPIRED )
     175                verifyret |= VERIFY_CERT_EXPIRED;
     176#endif
     177
     178        /* The following check is already performed inside
     179         * gnutls_certificate_verify_peers2, so we don't need it.
     180
     181         * if( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 )
     182         * return GNUTLS_E_CERTIFICATE_ERROR;
     183         */
     184
     185        if( gnutls_x509_crt_init( &cert ) < 0 )
     186                return VERIFY_CERT_ERROR;
     187
     188        cert_list = gnutls_certificate_get_peers( session, &cert_list_size );
     189        if( cert_list == NULL || gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER ) < 0 )
     190                return VERIFY_CERT_ERROR;
     191
     192        if( !gnutls_x509_crt_check_hostname( cert, hostname ) )
     193        {
     194                verifyret |= VERIFY_CERT_INVALID;
     195                verifyret |= VERIFY_CERT_WRONG_HOSTNAME;
     196        }
     197
     198        gnutls_x509_crt_deinit( cert );
     199
     200        return verifyret;
     201}
     202
     203char *ssl_verify_strerror( int code )
     204{
     205        GString *ret = g_string_new( "" );
     206       
     207        if( code & VERIFY_CERT_REVOKED )
     208                g_string_append( ret, "certificate has been revoked, " );
     209        if( code & VERIFY_CERT_SIGNER_NOT_FOUND )
     210                g_string_append( ret, "certificate hasn't got a known issuer, " );
     211        if( code & VERIFY_CERT_SIGNER_NOT_CA )
     212                g_string_append( ret, "certificate's issuer is not a CA, " );
     213        if( code & VERIFY_CERT_INSECURE_ALGORITHM )
     214                g_string_append( ret, "certificate uses an insecure algorithm, " );
     215        if( code & VERIFY_CERT_NOT_ACTIVATED )
     216                g_string_append( ret, "certificate has not been activated, " );
     217        if( code & VERIFY_CERT_EXPIRED )
     218                g_string_append( ret, "certificate has expired, " );
     219        if( code & VERIFY_CERT_WRONG_HOSTNAME )
     220                g_string_append( ret, "certificate hostname mismatch, " );
     221       
     222        if( ret->len == 0 )
     223        {
     224                g_string_free( ret, TRUE );
     225                return NULL;
     226        }
     227        else
     228        {
     229                g_string_truncate( ret, ret->len - 2 );
     230                return g_string_free( ret, FALSE );
     231        }
     232}
     233
    124234static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond )
    125235{
     
    128238        if( source == -1 )
    129239        {
    130                 conn->func( conn->data, NULL, cond );
     240                conn->func( conn->data, 0, NULL, cond );
    131241                g_free( conn );
    132242                return FALSE;
     
    136246       
    137247        gnutls_certificate_allocate_credentials( &conn->xcred );
     248        if( conn->verify && global.conf->cafile )
     249        {
     250                gnutls_certificate_set_x509_trust_file( conn->xcred, global.conf->cafile, GNUTLS_X509_FMT_PEM );
     251                gnutls_certificate_set_verify_flags( conn->xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
     252        }
     253
    138254        gnutls_init( &conn->session, GNUTLS_CLIENT );
     255        if( conn->verify )
     256                gnutls_session_set_ptr( conn->session, (void *) conn->hostname );
    139257#if GNUTLS_VERSION_NUMBER < 0x020c00
    140258        gnutls_transport_set_lowat( conn->session, 0 );
     
    152270{
    153271        struct scd *conn = data;
    154         int st;
     272        int st, stver;
    155273       
    156274        if( ( st = gnutls_handshake( conn->session ) ) < 0 )
     
    163281                else
    164282                {
    165                         conn->func( conn->data, NULL, cond );
     283                        conn->func( conn->data, 0, NULL, cond );
    166284                       
    167285                        gnutls_deinit( conn->session );
     
    174292        else
    175293        {
    176                 /* For now we can't handle non-blocking perfectly everywhere... */
    177                 sock_make_blocking( conn->fd );
     294                if( conn->verify && ( stver = verify_certificate_callback( conn->session ) ) != 0 )
     295                {
     296                        conn->func( conn->data, stver, NULL, cond );
     297
     298                        gnutls_deinit( conn->session );
     299                        gnutls_certificate_free_credentials( conn->xcred );
     300                        closesocket( conn->fd );
     301
     302                        g_free( conn );
     303                }
     304                else
     305                {
     306                        /* For now we can't handle non-blocking perfectly everywhere... */
     307                        sock_make_blocking( conn->fd );
    178308               
    179                 conn->established = TRUE;
    180                 conn->func( conn->data, conn, cond );
     309                        conn->established = TRUE;
     310                        conn->func( conn->data, 0, conn, cond );
     311                }
    181312        }
    182313       
  • lib/ssl_nss.c

    re306fbf r164352e  
    5252        PRFileDesc *prfd;
    5353        gboolean established;
     54        gboolean verify;
    5455};
    5556
     
    102103}
    103104
    104 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
     105void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
    105106{
    106107        struct scd *conn = g_new0( struct scd, 1 );
     
    132133}
    133134
    134 void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
     135void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
    135136{
    136137        struct scd *conn = g_new0( struct scd, 1 );
     
    139140        conn->func = func;
    140141        conn->data = data;
     142        conn->verify = verify && global.conf->cafile;
    141143
    142144        /* This function should be called via a (short) timeout instead of
     
    157159{
    158160        struct scd *conn = data;
     161       
     162        /* Right now we don't have any verification functionality for NSS. */
     163
     164        if( conn->verify )
     165        {
     166                conn->func( conn->data, 1, NULL, cond );
     167                if( source >= 0 ) closesocket( source );
     168                g_free( conn );
     169
     170                return FALSE;
     171        }
    159172       
    160173        if( source == -1 )
     
    177190       
    178191        conn->established = TRUE;
    179         conn->func( conn->data, conn, cond );
     192        conn->func( conn->data, 0, conn, cond );
    180193        return FALSE;
    181194       
    182195        ssl_connected_failure:
    183196       
    184         conn->func( conn->data, NULL, cond );
     197        conn->func( conn->data, 0, NULL, cond );
    185198       
    186199        PR_Close( conn -> prfd );
     
    238251        return B_EV_IO_READ;
    239252}
     253
     254char *ssl_verify_strerror( int code )
     255{
     256        return g_strdup( "SSL certificate verification not supported by BitlBee NSS code." );
     257}
  • lib/ssl_openssl.c

    re306fbf r164352e  
    4545        int fd;
    4646        gboolean established;
     47        gboolean verify;
    4748       
    4849        int inpa;
     
    6465}
    6566
    66 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
     67void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
    6768{
    6869        struct scd *conn = g_new0( struct scd, 1 );
     
    8283}
    8384
    84 void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
     85void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
    8586{
    8687        struct scd *conn = g_new0( struct scd, 1 );
     
    9091        conn->data = data;
    9192        conn->inpa = -1;
     93        conn->verify = verify && global.conf->cafile;
    9294       
    9395        /* This function should be called via a (short) timeout instead of
     
    117119        SSL_METHOD *meth;
    118120       
     121        /* Right now we don't have any verification functionality for OpenSSL. */
     122
     123        if( conn->verify )
     124        {
     125                conn->func( conn->data, 1, NULL, cond );
     126                if( source >= 0 ) closesocket( source );
     127                g_free( conn );
     128
     129                return FALSE;
     130        }
     131
    119132        if( source == -1 )
    120133                goto ssl_connected_failure;
     
    141154
    142155ssl_connected_failure:
    143         conn->func( conn->data, NULL, cond );
     156        conn->func( conn->data, 0, NULL, cond );
    144157       
    145158        if( conn->ssl )
     
    169182                if( conn->lasterr != SSL_ERROR_WANT_READ && conn->lasterr != SSL_ERROR_WANT_WRITE )
    170183                {
    171                         conn->func( conn->data, NULL, cond );
     184                        conn->func( conn->data, 0, NULL, cond );
    172185                       
    173186                        SSL_shutdown( conn->ssl );
     
    187200        conn->established = TRUE;
    188201        sock_make_blocking( conn->fd );         /* For now... */
    189         conn->func( conn->data, conn, cond );
     202        conn->func( conn->data, 0, conn, cond );
    190203        return FALSE;
    191204}
     
    272285{
    273286        return( ((struct scd*)conn)->lasterr == SSL_ERROR_WANT_WRITE ? B_EV_IO_WRITE : B_EV_IO_READ );
     287}
     288
     289char *ssl_verify_strerror( int code )
     290{
     291        return g_strdup( "SSL certificate verification not supported by BitlBee OpenSSL code." );
    274292}
    275293
  • protocols/bee.h

    re306fbf r164352e  
    123123        gboolean (*chat_add_user)( bee_t *bee, struct groupchat *c, bee_user_t *bu );
    124124        gboolean (*chat_remove_user)( bee_t *bee, struct groupchat *c, bee_user_t *bu );
    125         gboolean (*chat_topic)( bee_t *bee, struct groupchat *c, const char *new, bee_user_t *bu );
     125        gboolean (*chat_topic)( bee_t *bee, struct groupchat *c, const char *new_topic, bee_user_t *bu );
    126126        gboolean (*chat_name_hint)( bee_t *bee, struct groupchat *c, const char *name );
    127127        gboolean (*chat_invite)( bee_t *bee, bee_user_t *bu, const char *name, const char *msg );
  • protocols/jabber/io.c

    re306fbf r164352e  
    276276}
    277277
    278 gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond )
     278gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_input_condition cond )
    279279{
    280280        struct im_connection *ic = data;
     
    292292                jd->ssl = NULL;
    293293               
    294                 imcb_error( ic, "Could not connect to server" );
    295                 imc_logout( ic, TRUE );
     294                if( returncode != 0 )
     295                {
     296                        char *err = ssl_verify_strerror( returncode );
     297                        imcb_error( ic, "Certificate verification problem 0x%x: %s",
     298                                    returncode, err ? err : "Unknown" );
     299                        g_free( err );
     300                        imc_logout( ic, FALSE );
     301                }
     302                else
     303                {
     304                        imcb_error( ic, "Could not connect to server" );
     305                        imc_logout( ic, TRUE );
     306                }
     307               
    296308                return FALSE;
    297309        }
     
    397409        struct im_connection *ic = data;
    398410        struct jabber_data *jd = ic->proto_data;
    399         char *xmlns;
     411        char *xmlns, *tlsname;
    400412       
    401413        xmlns = xt_find_attr( node, "xmlns" );
     
    423435       
    424436        jd->flags |= JFLAG_STARTTLS_DONE;
    425         jd->ssl = ssl_starttls( jd->fd, jabber_connected_ssl, ic );
     437
     438        /* If the user specified a server for the account, use this server as the
     439         * hostname in the certificate verification. Else we use the domain from
     440         * the username. */
     441        if( ic->acc->server && *ic->acc->server )
     442                tlsname = ic->acc->server;
     443        else
     444                tlsname = jd->server;
     445       
     446        jd->ssl = ssl_starttls( jd->fd, tlsname, set_getbool( &ic->acc->set, "tls_verify" ),
     447                                jabber_connected_ssl, ic );
    426448       
    427449        return XT_HANDLED;
  • protocols/jabber/jabber.c

    re306fbf r164352e  
    8787        s = set_add( &acc->set, "tls", "try", set_eval_tls, acc );
    8888        s->flags |= ACC_SET_OFFLINE_ONLY;
    89 
     89       
     90        s = set_add( &acc->set, "tls_verify", "true", set_eval_bool, acc );
     91        s->flags |= ACC_SET_OFFLINE_ONLY;
     92       
    9093        s = set_add( &acc->set, "user_agent", "BitlBee", NULL, acc );
    9194       
     
    228231        if( set_getbool( &acc->set, "ssl" ) )
    229232        {
    230                 jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), jabber_connected_ssl, ic );
     233                jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), FALSE, jabber_connected_ssl, ic );
    231234                jd->fd = jd->ssl ? ssl_getfd( jd->ssl ) : -1;
    232235        }
  • protocols/jabber/jabber.h

    re306fbf r164352e  
    317317int jabber_write( struct im_connection *ic, char *buf, int len );
    318318gboolean jabber_connected_plain( gpointer data, gint source, b_input_condition cond );
    319 gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond );
     319gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_input_condition cond );
    320320gboolean jabber_start_stream( struct im_connection *ic );
    321321void jabber_end_stream( struct im_connection *ic );
  • protocols/msn/soap.c

    re306fbf r164352e  
    6060        struct im_connection *ic;
    6161        int ttl;
     62        char *error;
    6263       
    6364        char *url, *action, *payload;
     
    158159        }
    159160       
     161        if( http_req->status_code != 200 )
     162                soap_req->error = g_strdup( http_req->status_string );
     163       
    160164        st = soap_req->handle_response( soap_req );
    161165
     
    164168        g_free( soap_req->action );
    165169        g_free( soap_req->payload );
    166         soap_req->url = soap_req->action = soap_req->payload = NULL;
     170        g_free( soap_req->error );
     171        soap_req->url = soap_req->action = soap_req->payload = soap_req->error = NULL;
    167172       
    168173        if( st == MSN_SOAP_RETRY && --soap_req->ttl )
     
    253258        g_free( soap_req->action );
    254259        g_free( soap_req->payload );
     260        g_free( soap_req->error );
    255261        g_free( soap_req );
    256262}
     
    410416        if( sd->secret == NULL )
    411417        {
    412                 msn_auth_got_passport_token( ic, NULL, sd->error );
     418                msn_auth_got_passport_token( ic, NULL, sd->error ? sd->error : soap_req->error );
    413419                return MSN_SOAP_OK;
    414420        }
  • protocols/skype/skype.c

    re306fbf r164352e  
    11571157}
    11581158
    1159 gboolean skype_connected(gpointer data, void *source, b_input_condition cond)
     1159gboolean skype_connected(gpointer data, int returncode, void *source, b_input_condition cond)
    11601160{
    11611161        struct im_connection *ic = data;
     
    11851185        imcb_log(ic, "Connecting");
    11861186        sd->ssl = ssl_connect(set_getstr(&acc->set, "server"),
    1187                 set_getint(&acc->set, "port"), skype_connected, ic);
     1187                set_getint(&acc->set, "port"), FALSE, skype_connected, ic);
    11881188        sd->fd = sd->ssl ? ssl_getfd(sd->ssl) : -1;
    11891189        sd->username = g_strdup(acc->user);
  • unix.c

    re306fbf r164352e  
    4141#include <pwd.h>
    4242#include <locale.h>
     43#include <grp.h>
    4344
    4445#if defined(OTR_BI) || defined(OTR_PI)
     
    152153                if( pw )
    153154                {
     155                        initgroups( global.conf->user, pw->pw_gid );
    154156                        setgid( pw->pw_gid );
    155157                        setuid( pw->pw_uid );
     158                }
     159                else
     160                {
     161                        log_message( LOGLVL_WARNING, "Failed to look up user %s.", global.conf->user );
    156162                }
    157163        }
Note: See TracChangeset for help on using the changeset viewer.