Changeset 486ddb5

Timestamp:

2011-12-19T14:50:58Z (12 years ago)

Author:

Wilmer van der Gaast <wilmer@…>

Branches:

master

Children:

78b8401

Parents:

5a48afd

Message:

Initial merge of tls_verify patch from AopicieR.

Files:

• conf.c (modified) (2 diffs)
• conf.h (modified) (1 diff)
• lib/http_client.c (modified) (2 diffs)
• lib/ssl_bogus.c (modified) (1 diff)
• lib/ssl_client.h (modified) (2 diffs)
• lib/ssl_gnutls.c (modified) (11 diffs)
• lib/ssl_nss.c (modified) (5 diffs)
• lib/ssl_openssl.c (modified) (7 diffs)
• protocols/jabber/io.c (modified) (4 diffs)
• protocols/jabber/jabber.c (modified) (1 diff)
• protocols/jabber/jabber.h (modified) (1 diff)
• protocols/skype/skype.c (modified) (1 diff)

conf.c

@@ -67 +67 @@
         conf->ft_listen = NULL;
         conf->protocols = NULL;
+        conf->cafile = NULL;
         proxytype = 0;
         
@@ -340 +341 @@
                                 conf->protocols = g_strsplit_set( ini->value, " \t,;", -1 );
                         }
+                        else if( g_strcasecmp( ini->key, "cafile" ) == 0 )
+                        {
+                                g_free( conf->cafile );
+                                conf->cafile = g_strdup( ini->value );
+                        }
                         else
                         {

conf.h

@@ -54 +54 @@
         char *ft_listen;
         char **protocols;
+        char *cafile;
 } conf_t;
 

lib/http_client.c

@@ -33 +33 @@
 
 static gboolean http_connected( gpointer data, int source, b_input_condition cond );
-static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond );
+static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond );
 static gboolean http_incoming_data( gpointer data, int source, b_input_condition cond );
 static void http_free( struct http_request *req );
@@ -170 +170 @@
 }
 
-static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond )
-{
+static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond )
+{
+        //The returncode is not used at the moment.
         struct http_request *req = data;
         

lib/ssl_bogus.c

@@ -56 +56 @@
 }
 
-void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) 
+void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) 
 {
         return NULL;

lib/ssl_client.h

@@ -37 +37 @@
 /* Some generic error codes. Especially SSL_AGAIN is important if you
    want to do asynchronous I/O. */
+#define NSS_VERIFY_ERROR -2
+#define OPENSSL_VERIFY_ERROR -1
 #define SSL_OK            0
 #define SSL_NOHANDSHAKE   1
 #define SSL_AGAIN         2
+#define VERIFY_CERT_ERROR 2
+#define VERIFY_CERT_INVALID 4
+#define VERIFY_CERT_REVOKED 8
+#define VERIFY_CERT_SIGNER_NOT_FOUND 16
+#define VERIFY_CERT_SIGNER_NOT_CA 32
+#define VERIFY_CERT_INSECURE_ALGORITHM 64
+#define VERIFY_CERT_NOT_ACTIVATED 128
+#define VERIFY_CERT_EXPIRED 256
+#define VERIFY_CERT_WRONG_HOSTNAME 512
 
 extern int ssl_errno;
 
 /* This is what your callback function should look like. */
-typedef gboolean (*ssl_input_function)(gpointer, void*, b_input_condition);
+typedef gboolean (*ssl_input_function)(gpointer, int, void*, b_input_condition);
 
 
@@ -57 +68 @@
 /* Start an SSL session on an existing fd. Useful for STARTTLS functionality,
    for example in Jabber. */
-G_MODULE_EXPORT void *ssl_starttls( int fd, ssl_input_function func, gpointer data );
+G_MODULE_EXPORT void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data );
 
 /* Obviously you need special read/write functions to read data. */

lib/ssl_gnutls.c

@@ -25 +25 @@
 
 #include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
 #include <gcrypt.h>
 #include <fcntl.h>
@@ -32 +33 @@
 #include "sock.h"
 #include "stdlib.h"
+#include "bitlbee.h"
 
 int ssl_errno = 0;
@@ -54 +56 @@
         gboolean established;
         int inpa;
+        char *hostname;
+        gboolean verify;
         
         gnutls_session session;
@@ -92 +96 @@
 }
 
-void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
+void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
 {
         struct scd *conn = g_new0( struct scd, 1 );
@@ -100 +104 @@
         conn->data = data;
         conn->inpa = -1;
+        conn->hostname = hostname;
+        
+        /* For now, SSL verification is globally enabled by setting the cafile
+           setting in bitlbee.conf. Commented out by default because probably
+           not everyone has this file in the same place and plenty of folks
+           may not have the cert of their private Jabber server in it. */
+        conn->verify = verify && global.conf->cafile;
         
         /* This function should be called via a (short) timeout instead of
@@ -122 +133 @@
 }
 
+static int verify_certificate_callback( gnutls_session_t session )
+{
+        unsigned int status;
+        const gnutls_datum_t *cert_list;
+        unsigned int cert_list_size;
+        int gnutlsret;
+        int verifyret = 0;
+        gnutls_x509_crt_t cert;
+        const char *hostname;
+        
+        hostname = gnutls_session_get_ptr(session );
+
+        gnutlsret = gnutls_certificate_verify_peers2( session, &status );
+        if( gnutlsret < 0 )
+                return VERIFY_CERT_ERROR;
+
+        if( status & GNUTLS_CERT_INVALID )
+                verifyret |= VERIFY_CERT_INVALID;
+
+        if( status & GNUTLS_CERT_REVOKED )
+                verifyret |= VERIFY_CERT_REVOKED;
+
+        if( status & GNUTLS_CERT_SIGNER_NOT_FOUND )
+                verifyret |= VERIFY_CERT_SIGNER_NOT_FOUND;
+
+        if( status & GNUTLS_CERT_SIGNER_NOT_CA )
+                verifyret |= VERIFY_CERT_SIGNER_NOT_CA;
+
+        if( status & GNUTLS_CERT_INSECURE_ALGORITHM )
+                verifyret |= VERIFY_CERT_INSECURE_ALGORITHM;
+
+        if( status & GNUTLS_CERT_NOT_ACTIVATED )
+                verifyret |= VERIFY_CERT_NOT_ACTIVATED;
+
+        if( status & GNUTLS_CERT_EXPIRED )
+                verifyret |= VERIFY_CERT_EXPIRED;
+
+        /* The following check is already performed inside 
+         * gnutls_certificate_verify_peers2, so we don't need it.
+
+         * if( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 )
+         * return GNUTLS_E_CERTIFICATE_ERROR;
+         */
+
+        if( gnutls_x509_crt_init( &cert ) < 0 )
+                return VERIFY_CERT_ERROR;
+
+        cert_list = gnutls_certificate_get_peers( session, &cert_list_size );
+        if( cert_list == NULL || gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER ) < 0 )
+                return VERIFY_CERT_ERROR;
+
+        if( !gnutls_x509_crt_check_hostname( cert, hostname ) )
+        {
+                verifyret |= VERIFY_CERT_INVALID;
+                verifyret |= VERIFY_CERT_WRONG_HOSTNAME;
+        }
+
+        gnutls_x509_crt_deinit( cert );
+
+        return verifyret;
+}
+
 static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond )
 {
@@ -128 +201 @@
         if( source == -1 )
         {
-                conn->func( conn->data, NULL, cond );
+                conn->func( conn->data, 0, NULL, cond );
                 g_free( conn );
                 return FALSE;
@@ -136 +209 @@
         
         gnutls_certificate_allocate_credentials( &conn->xcred );
+        if( conn->verify && global.conf->cafile )
+        {
+                gnutls_certificate_set_x509_trust_file( conn->xcred, global.conf->cafile, GNUTLS_X509_FMT_PEM );
+                gnutls_certificate_set_verify_flags( conn->xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
+        }
+
         gnutls_init( &conn->session, GNUTLS_CLIENT );
+        if( conn->verify )
+                gnutls_session_set_ptr( conn->session, (void *) conn->hostname );
 #if GNUTLS_VERSION_NUMBER < 0x020c00
         gnutls_transport_set_lowat( conn->session, 0 );
@@ -152 +233 @@
 {
         struct scd *conn = data;
-        int st;
+        int st, stver;
         
         if( ( st = gnutls_handshake( conn->session ) ) < 0 )
@@ -163 +244 @@
                 else
                 {
-                        conn->func( conn->data, NULL, cond );
+                        conn->func( conn->data, 0, NULL, cond );
                         
                         gnutls_deinit( conn->session );
@@ -174 +255 @@
         else
         {
-                /* For now we can't handle non-blocking perfectly everywhere... */
-                sock_make_blocking( conn->fd );
+                if( conn->verify && ( stver = verify_certificate_callback( conn->session ) ) != 0 )
+                {
+                        conn->func( conn->data, stver, NULL, cond );
+
+                        gnutls_deinit( conn->session );
+                        gnutls_certificate_free_credentials( conn->xcred );
+                        closesocket( conn->fd );
+
+                        g_free( conn );
+                }
+                else
+                {
+                        /* For now we can't handle non-blocking perfectly everywhere... */
+                        sock_make_blocking( conn->fd );
                 
-                conn->established = TRUE;
-                conn->func( conn->data, conn, cond );
+                        conn->established = TRUE;
+                        conn->func( conn->data, 0, conn, cond );
+                }
         }
         

lib/ssl_nss.c

@@ -52 +52 @@
         PRFileDesc *prfd;
         gboolean established;
+        gboolean verify;
 };
 
@@ -132 +133 @@
 }
 
-void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
+void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
 {
         struct scd *conn = g_new0( struct scd, 1 );
@@ -139 +140 @@
         conn->func = func;
         conn->data = data;
+        conn->verify = verify;
 
         /* This function should be called via a (short) timeout instead of
@@ -157 +159 @@
 {
         struct scd *conn = data;
+        
+        /* Right now we don't have any verification functionality for nss so we 
+           fail in case verification has been requested by the user. */
+
+        if( conn->verify )
+        {
+                conn->func( conn->data, NSS_VERIFY_ERROR, NULL, cond );
+                if( source >= 0 ) closesocket( source );
+                g_free( conn );
+
+                return FALSE;
+        }
         
         if( source == -1 )
@@ -177 +191 @@
         
         conn->established = TRUE;
-        conn->func( conn->data, conn, cond );
+        conn->func( conn->data, 0, conn, cond );
         return FALSE;
         
         ssl_connected_failure:
         
-        conn->func( conn->data, NULL, cond );
+        conn->func( conn->data, 0, NULL, cond );
         
         PR_Close( conn -> prfd );

lib/ssl_openssl.c

@@ -45 +45 @@
         int fd;
         gboolean established;
+        gboolean verify;
         
         int inpa;
@@ -82 +83 @@
 }
 
-void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
+void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
 {
         struct scd *conn = g_new0( struct scd, 1 );
@@ -90 +91 @@
         conn->data = data;
         conn->inpa = -1;
+        conn->verify = verify;
         
         /* This function should be called via a (short) timeout instead of
@@ -117 +119 @@
         SSL_METHOD *meth;
         
+        /* Right now we don't have any verification functionality for openssl so we 
+           fail in case verification has been requested by the user. */
+
+        if( conn->verify )
+        {
+                conn->func( conn->data, OPENSSL_VERIFY_ERROR, NULL, cond );
+                if( source >= 0 ) closesocket( source );
+                g_free( conn );
+
+                return FALSE;
+        }
+
         if( source == -1 )
                 goto ssl_connected_failure;
@@ -141 +155 @@
 
 ssl_connected_failure:
-        conn->func( conn->data, NULL, cond );
+        conn->func( conn->data, 0, NULL, cond );
         
         if( conn->ssl )
@@ -169 +183 @@
                 if( conn->lasterr != SSL_ERROR_WANT_READ && conn->lasterr != SSL_ERROR_WANT_WRITE )
                 {
-                        conn->func( conn->data, NULL, cond );
+                        conn->func( conn->data, 0, NULL, cond );
                         
                         SSL_shutdown( conn->ssl );
@@ -187 +201 @@
         conn->established = TRUE;
         sock_make_blocking( conn->fd );         /* For now... */
-        conn->func( conn->data, conn, cond );
+        conn->func( conn->data, 0, conn, cond );
         return FALSE;
 }

protocols/jabber/io.c

@@ -276 +276 @@
 }
 
-gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond )
+gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_input_condition cond )
 {
         struct im_connection *ic = data;
@@ -293 +293 @@
                 
                 imcb_error( ic, "Could not connect to server" );
+                if (returncode ==  OPENSSL_VERIFY_ERROR )
+                {
+                        imcb_error( ic, "This BitlBee server is built agains the OpenSSL library." );
+                        imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." );
+                        imc_logout( ic, FALSE );
+                }
+                else if (returncode ==  NSS_VERIFY_ERROR )
+                {
+                        imcb_error( ic, "This BitlBee server is built agains the NSS library." );
+                        imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." );
+                        imc_logout( ic, FALSE );
+                }
+                else if (returncode == VERIFY_CERT_ERROR )
+                {
+                        imcb_error( ic, "An error occured during the certificate verification." );
+                        imc_logout( ic, FALSE );
+                }
+                else if (returncode  & VERIFY_CERT_INVALID)
+                {
+                        imcb_error( ic, "Unable to verify peer's certificate." );
+                        if (returncode & VERIFY_CERT_REVOKED)
+                                imcb_error( ic, "The certificate has been revoked." );
+                        if (returncode & VERIFY_CERT_SIGNER_NOT_FOUND)
+                                imcb_error( ic, "The certificate hasn't got a known issuer." );
+                        if (returncode & VERIFY_CERT_SIGNER_NOT_CA)
+                                imcb_error( ic, "The certificate's issuer is not a CA." );
+                        if (returncode & VERIFY_CERT_INSECURE_ALGORITHM)
+                                imcb_error( ic, "The certificate uses an insecure algorithm." );
+                        if (returncode & VERIFY_CERT_NOT_ACTIVATED)
+                                imcb_error( ic, "The certificate has not been activated." );
+                        if (returncode & VERIFY_CERT_EXPIRED)
+                                imcb_error( ic, "The certificate has expired." );
+                        if (returncode & VERIFY_CERT_WRONG_HOSTNAME)
+                                imcb_error( ic, "The hostname specified in the certificate doesn't match the server name." );
+                        imc_logout( ic, FALSE );
+                }
+                else
                 imc_logout( ic, TRUE );
                 return FALSE;
@@ -397 +434 @@
         struct im_connection *ic = data;
         struct jabber_data *jd = ic->proto_data;
-        char *xmlns;
+        char *xmlns, *tlsname;
         
         xmlns = xt_find_attr( node, "xmlns" );
@@ -423 +460 @@
         
         jd->flags |= JFLAG_STARTTLS_DONE;
-        jd->ssl = ssl_starttls( jd->fd, jabber_connected_ssl, ic );
+
+        /* If the user specified a server for the account, use this server as the 
+         * hostname in the certificate verification. Else we use the domain from 
+         * the username. */
+        if( ic->acc->server && *ic->acc->server )
+                tlsname = ic->acc->server;
+        else
+                tlsname = jd->server;
+        
+        jd->ssl = ssl_starttls( jd->fd, tlsname, set_getbool( &ic->acc->set, "tls_verify" ),
+                                jabber_connected_ssl, ic );
         
         return XT_HANDLED;

protocols/jabber/jabber.c

@@ -80 +80 @@
         
         s = set_add( &acc->set, "tls", "try", set_eval_tls, acc );
+        s->flags |= ACC_SET_OFFLINE_ONLY;
+        
+        s = set_add( &acc->set, "tls_verify", "true", set_eval_bool, acc );
         s->flags |= ACC_SET_OFFLINE_ONLY;
         

protocols/jabber/jabber.h

@@ -307 +307 @@
 int jabber_write( struct im_connection *ic, char *buf, int len );
 gboolean jabber_connected_plain( gpointer data, gint source, b_input_condition cond );
-gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond );
+gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_input_condition cond );
 gboolean jabber_start_stream( struct im_connection *ic );
 void jabber_end_stream( struct im_connection *ic );

protocols/skype/skype.c

@@ -1157 +1157 @@
 }
 
-gboolean skype_connected(gpointer data, void *source, b_input_condition cond)
+gboolean skype_connected(gpointer data, int returncode, void *source, b_input_condition cond)
 {
         struct im_connection *ic = data;