Changes in / [164352e:e306fbf]

Files:

• bitlbee.conf (modified) (2 diffs)
• bitlbee.h (modified) (2 diffs)
• conf.c (modified) (3 diffs)
• conf.h (modified) (1 diff)
• configure (modified) (1 diff)
• debian/changelog (modified) (3 diffs)
• debian/control (modified) (6 diffs)
• debian/rules (modified) (5 diffs)
• doc/user-guide/commands.xml (modified) (8 diffs)
• irc.h (modified) (3 diffs)
• lib/events_glib.c (modified) (1 diff)
• lib/http_client.c (modified) (5 diffs)
• lib/ssl_bogus.c (modified) (3 diffs)
• lib/ssl_client.h (modified) (3 diffs)
• lib/ssl_gnutls.c (modified) (13 diffs)
• lib/ssl_nss.c (modified) (7 diffs)
• lib/ssl_openssl.c (modified) (9 diffs)
• protocols/bee.h (modified) (1 diff)
• protocols/jabber/io.c (modified) (4 diffs)
• protocols/jabber/jabber.c (modified) (2 diffs)
• protocols/jabber/jabber.h (modified) (1 diff)
• protocols/msn/soap.c (modified) (5 diffs)
• protocols/skype/skype.c (modified) (2 diffs)
• unix.c (modified) (2 diffs)

bitlbee.conf

@@ -116 +116 @@
 ## (Obviously, the username and password are optional)
 ##
-# Proxy = http://john:doe@proxy.localnet.com:8080
-# Proxy = socks4://socksproxy.localnet.com
-# Proxy = socks5://socksproxy.localnet.com
+## Proxy = http://john:doe@proxy.localnet.com:8080
+## Proxy = socks4://socksproxy.localnet.com
+## Proxy = socks5://socksproxy.localnet.com
 
 ## Protocols offered by bitlbee
@@ -126 +126 @@
 ## nothing is given, there are no restrictions.
 ## 
-# Protocols = jabber yahoo
+## Protocols = jabber yahoo
 
-## Trusted CAs
-##
-## Path to a file containing a list of trusted certificate authorities used in
-## the verification of server certificates.
-##
-## Uncomment this and make sure the file actually exists and contains all
-## certificate authorities you're willing to accept (default value should
-## work on at least Debian/Ubuntu systems with the "ca-certificates" package
-## installed). As long as the line is commented out, SSL certificate
-## verification is completely disabled.
-##
-## The location of this file may be different on other distros/OSes. For
-## example, try /etc/ssl/ca-bundle.pem on OpenSUSE.
-##
-# CAfile = /etc/ssl/certs/ca-certificates.crt
 
 [defaults]

bitlbee.h

@@ -26 +26 @@
 #ifndef _BITLBEE_H
 #define _BITLBEE_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
 
 #ifndef _GNU_SOURCE
@@ -179 +175 @@
 extern global_t global;
 
-#ifdef __cplusplus
-}
 #endif
-
-#endif
-

conf.c

@@ -67 +67 @@
         conf->ft_listen = NULL;
         conf->protocols = NULL;
-        conf->cafile = NULL;
         proxytype = 0;
         
@@ -178 +177 @@
                 fprintf( stderr, "Warning: Unable to read configuration file `%s'.\n", global.conf_file );
         
-        if( conf->cafile && access( conf->cafile, R_OK ) != 0 )
-        {
-                /* Let's treat this as a serious problem so people won't think
-                   they're secure when in fact they're not. */
-                fprintf( stderr, "Error: Could not read CA file %s: %s\n", conf->cafile, strerror( errno ) );
-                return NULL;
-        }
-        
         return conf;
 }
@@ -349 +340 @@
                                 conf->protocols = g_strsplit_set( ini->value, " \t,;", -1 );
                         }
-                        else if( g_strcasecmp( ini->key, "cafile" ) == 0 )
-                        {
-                                g_free( conf->cafile );
-                                conf->cafile = g_strdup( ini->value );
-                        }
                         else
                         {

conf.h

@@ -54 +54 @@
         char *ft_listen;
         char **protocols;
-        char *cafile;
 } conf_t;
 

configure

@@ -283 +283 @@
 EOF
                 ssl=gnutls
-                if ! pkg-config gnutls --atleast-version=2.8; then
-                        echo
-                        echo 'Warning: With GnuTLS versions <2.8, certificate expire dates are not verified.'
-                fi
                 ret=1
         elif libgnutls-config --version > /dev/null 2> /dev/null; then

debian/changelog

@@ -1 @@
-bitlbee (3.0.4+z-2) UNRELEASED; urgency=low
-
-  * Removed some version override stuff from Debian build scripts. Instead,
-    my buildbot now uses dch to generate a changelog entry with the right
-    version number.
-
- -- Wilmer van der Gaast <wilmer@gaast.net>  Fri, 23 Dec 2011 09:45:55 +0100
-
-bitlbee (3.0.4+bzr855-1) unstable; urgency=low
-
-  * New upstream release.
-  * This is not a vanilla 3.0.4 tree but a Bazaar snapshot. The source
-    release was a few weeks ago by now. There should be no significant
-    differences.
+bitlbee (3.0.4-1) unstable; urgency=low
+
+  * New upstream release.
   * Added bitlbee-plugin-skype and skyped packages, now part of BitlBee
-    instead of a separate package. Not building these for Debian for now
-    though since python-skype was removed.
+    instead of a separate package.
+  * Fixed dependencies of bitlbee-plugin-otr package to not break with
+    binary MTUs. (Closes: #651612)
   * ^B and some other things are stripped in outgoing XMPP stanzas.
     (Closes: #507856)
@@ -21 +11 @@
     one from bugs.bitlbee.org. I hope that covers it. (Closes: #646369)
   * Closing a few old bugs that were filed against the Debian package
-    instead of/as well as upstream:
+    instead of upstream:
     - Joining password-protected MUCs is working for a while already, set
       the password using "chan set". (Closes: #615624)
@@ -28 +18 @@
     - identi.ca support is documented. (Closes: #613789)
 
- -- Wilmer van der Gaast <wilmer@gaast.net>  Tue, 20 Dec 2011 12:46:42 +0100
-
-bitlbee (3.0.3-1.1) unstable; urgency=low
-
-  * Non-maintainer upload.
-  * Use the standard ${source:Version} and ${binary:Version} substvars instead
-    of the custom and broken ${bee:Version} (closes: #651612).
-
- -- Julien Cristau <jcristau@debian.org>  Thu, 15 Dec 2011 20:34:32 +0100
+ -- Wilmer van der Gaast <wilmer@gaast.net>  Sun, 11 Dec 2011 16:53:31 +0000
 
 bitlbee (3.0.3-1) unstable; urgency=low

debian/control

@@ -12 +12 @@
 Package: bitlbee
 Architecture: any
-Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${source:Version})
+Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${bee:Version})
 Conflicts: bitlbee-libpurple
 Replaces: bitlbee-libpurple
@@ -22 +22 @@
 Package: bitlbee-libpurple
 Architecture: any
-Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${source:Version})
+Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${bee:Version})
 Conflicts: bitlbee
 Replaces: bitlbee
@@ -51 +51 @@
 Package: bitlbee-dev
 Architecture: all
-Depends: ${misc:Depends}, bitlbee (>= ${source:Version}), bitlbee (<< ${source:Version}.1~), bitlbee-common (= ${source:Version})
+Depends: ${misc:Depends}, bitlbee (>= ${bee:Version}), bitlbee (<< ${bee:Version}.1~), bitlbee-common (= ${bee:Version})
 Description: An IRC to other chat networks gateway (dev files)
  This program can be used as an IRC server which forwards everything you
@@ -61 +61 @@
 Package: bitlbee-plugin-otr
 Architecture: any
-Depends: ${misc:Depends}, ${shlibs:Depends}, bitlbee (= ${binary:Version}) | bitlbee-libpurple (= ${binary:Version}), bitlbee-common (= ${source:Version})
+Depends: ${misc:Depends}, ${shlibs:Depends}, bitlbee (>= ${bee:Version}) | bitlbee-libpurple (>= ${bee:Version}), bitlbee (<< ${bee:Version}.1~) | bitlbee-libpurple (<< ${bee:Version}.1~), bitlbee-common (= ${bee:Version})
 Description: An IRC to other chat networks gateway (OTR plugin)
  This program can be used as an IRC server which forwards everything you
@@ -72 +72 @@
 Package: bitlbee-plugin-skype
 Architecture: any
-Depends: ${misc:Depends}, ${shlibs:Depends}, bitlbee (= ${binary:Version}) | bitlbee-libpurple (= ${binary:Version}), bitlbee-common (= ${source:Version})
+Depends: ${shlibs:Depends}, ${misc:Depends}, bitlbee (>= ${bee:Version}) | bitlbee-libpurple (>= ${bee:Version}), bitlbee (<< ${bee:Version}.1~) | bitlbee-libpurple (<< ${bee:Version}.1~)
 Recommends: skyped
 Description: An IRC to other chat networks gateway (Skype plugin)
@@ -83 +83 @@
 
 Package: skyped
-Architecture: all
-Depends: ${misc:Depends}, ${shlibs:Depends}, python (>= 2.5), python-gnutls, python-skype (>=0.9.28.7)
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, python (>= 2.5), python-gnutls, python-skype (>=0.9.28.7)
 Recommends: skype
 Description: Daemon to control Skype remotely

debian/rules

@@ -8 +8 @@
 #
 
-# Include the bitlbee-libpurple variant and OTR plugin by default.
-# Don't build skype by default since it depends on deleted/non-free
-# packages. Need to at least get python-skype back into Debian.
+# Include the bitlbee-libpurple variant and OTR plugin by default
 BITLBEE_LIBPURPLE ?= 1
 BITLBEE_OTR ?= plugin
-BITLBEE_SKYPE ?= 0
+BITLBEE_SKYPE ?= plugin
 BITLBEE_CONFIGURE_FLAGS ?=
 DEBUG ?= 0
@@ -19 +17 @@
 ifndef BITLBEE_VERSION
 # Want to use the full package version number instead of just the release.
-BITLBEE_CONFIGURE_VERSION ?= BITLBEE_VERSION=\"$(shell dpkg-parsechangelog | awk '/^Version:/ {print $$2}')\"
+BITLBEE_CONFIGURE_VERSION ?= BITLBEE_VERSION=\"$(shell dpkg-parsechangelog | grep ^Version: | awk '{print $$2}')\"
 endif
 
@@ -74 +72 @@
         $(MAKE) -C debian/build-native install-plugin-skype DESTDIR=`pwd`/debian/skyped
 
-ifneq ($(BITLBEE_SKYPE),0)
         mkdir -p debian/bitlbee-plugin-skype/usr
         mv debian/skyped/usr/lib debian/bitlbee-plugin-skype/usr
@@ -80 +77 @@
         mkdir -p debian/skyped/usr/share/man/man1
         mv debian/bitlbee-common/usr/share/man/man1/skyped* debian/skyped/usr/share/man/man1
-endif
 
 ifeq ($(BITLBEE_LIBPURPLE),1)
@@ -110 +106 @@
         dh_installdeb
         dh_shlibdeps
-        dh_gencontrol
+ifdef BITLBEE_VERSION
+        dh_gencontrol -- -v$(BITLBEE_VERSION)  -Vbee:Version=$(BITLBEE_VERSION)
+else
+        dh_gencontrol -- -Vbee:Version=$(shell dpkg-parsechangelog | grep ^Version: | awk '{print $$2}' | sed -e 's/+b[0-9]\+$$//')
+endif
         dh_md5sums
         dh_builddeb

doc/user-guide/commands.xml

@@ -648 +648 @@
         </bitlbee-setting>
 
-        <bitlbee-setting name="auto_connect" type="boolean" scope="account,global">
+        <bitlbee-setting name="auto_connect" type="boolean" scope="both">
                 <default>true</default>
 
@@ -672 +672 @@
         </bitlbee-setting>
 
-        <bitlbee-setting name="auto_reconnect" type="boolean" scope="account,global">
+        <bitlbee-setting name="auto_reconnect" type="boolean" scope="both">
                 <default>true</default>
 
@@ -726 +726 @@
         </bitlbee-setting>
 
-        <bitlbee-setting name="away" type="string" scope="account,global">
+        <bitlbee-setting name="away" type="string" scope="both">
                 <description>
                         <para>
@@ -1076 +1076 @@
         </bitlbee-setting>
 
-        <bitlbee-setting name="nick_format" type="string" scope="account,global">
+        <bitlbee-setting name="nick_format" type="string" scope="both">
                 <default>%-@nick</default>
 
@@ -1169 +1169 @@
         </bitlbee-setting>
 
-        <bitlbee-setting name="password" type="string" scope="account,global">
+        <bitlbee-setting name="password" type="string" scope="both">
                 <description>
                         <para>
@@ -1392 +1392 @@
                 <description>
                         <para>
-                                Currently only available for Jabber connections. Set this to true if you want to connect to the server on an SSL-enabled port (usually 5223).
-                        </para>
-
-                        <para>
-                                Please note that this method of establishing a secure connection to the server has long been deprecated. You are encouraged to look at the <emphasis>tls</emphasis> setting instead.
-                        </para>
-                </description>
-        </bitlbee-setting>
-
-        <bitlbee-setting name="status" type="string" scope="account,global">
-                <description>
-                        <para>
-                                Most IM protocols support status messages, similar to away messages. They can be used to indicate things like your location or activity, without showing up as away/busy.
+                                Currently only available for Jabber connections. Set this to true if the server accepts SSL connections.
+                        </para>
+                </description>
+        </bitlbee-setting>
+
+        <bitlbee-setting name="status" type="string" scope="both">
+                <description>
+                        <para>
+                                Certain protocols (like Jabber/XMPP) support status messages, similar to away messages. They can be used to indicate things like your location or activity, without showing up as away/busy.
                         </para>
 
@@ -1412 +1408 @@
 
                         <para>
-                                Away states set using <emphasis>/away</emphasis> or the <emphasis>away</emphasis> setting will override this setting. To clear the setting, use <emphasis>set -del status</emphasis>.
+                                Away states set using <emphasis>/away</emphasis> or the <emphasis>away</emphasis> setting will override this setting. To un-set the setting, use <emphasis>set -del status</emphasis>.
                         </para>
                 </description>
@@ -1485 +1481 @@
                         <para>
                                 If you want to force BitlBee to use TLS sessions only (and to give up if that doesn't seem to be possible) you can set this setting to <emphasis>true</emphasis>. Set it to <emphasis>false</emphasis> if you want the session to remain plain-text.
-                        </para>
-                </description>
-        </bitlbee-setting>
-
-        <bitlbee-setting name="tls_verify" type="boolean" scope="account">
-                <default>true</default>
-
-                <description>
-                        <para>
-                                Currently only available for Jabber connections in combination with the <emphasis>tls</emphasis> setting. Set this to <emphasis>true</emphasis> if you want BitlBee to strictly verify the server's certificate against a list of trusted certificate authorities.
-                        </para>
-
-                        <para>
-                                The hostname used in the certificate verification is the value of the <emphasis>server</emphasis> setting if the latter is nonempty and the domain of the username else. If you get a hostname related error when connecting to Google Talk with a username from the gmail.com or googlemail.com domain, please try to empty the <emphasis>server</emphasis> setting.
-                        </para>
-
-                        <para>
-                                Please note that no certificate verification is performed when the <emphasis>ssl</emphasis> setting is used, or when the <emphasis>CAfile</emphasis> setting in <emphasis>bitlbee.conf</emphasis> is not set.
                         </para>
                 </description>

irc.h

@@ -182 +182 @@
         gboolean (*join)( irc_channel_t *ic );
         gboolean (*part)( irc_channel_t *ic, const char *msg );
-        gboolean (*topic)( irc_channel_t *ic, const char *new_topic );
+        gboolean (*topic)( irc_channel_t *ic, const char *new );
         gboolean (*invite)( irc_channel_t *ic, irc_user_t *iu );
         
@@ -332 +332 @@
 void irc_send_msg_raw( irc_user_t *iu, const char *type, const char *dst, const char *msg );
 void irc_send_msg_f( irc_user_t *iu, const char *type, const char *dst, const char *format, ... ) G_GNUC_PRINTF( 4, 5 );
-void irc_send_nick( irc_user_t *iu, const char *new_nick );
+void irc_send_nick( irc_user_t *iu, const char *new );
 void irc_send_channel_user_mode_diff( irc_channel_t *ic, irc_user_t *iu,
-                                      irc_channel_user_flags_t old_flags, irc_channel_user_flags_t new_flags );
+                                      irc_channel_user_flags_t old, irc_channel_user_flags_t new );
 void irc_send_invite( irc_user_t *iu, irc_channel_t *ic );
 
@@ -341 +341 @@
 int irc_user_free( irc_t *irc, irc_user_t *iu );
 irc_user_t *irc_user_by_name( irc_t *irc, const char *nick );
-int irc_user_set_nick( irc_user_t *iu, const char *new_nick );
+int irc_user_set_nick( irc_user_t *iu, const char *new );
 gint irc_user_cmp( gconstpointer a_, gconstpointer b_ );
 const char *irc_user_get_away( irc_user_t *iu );

lib/events_glib.c

@@ -75 +75 @@
         b_input_condition gaim_cond = 0;
         gboolean st;
-        
-        if (condition & G_IO_NVAL)
-                return FALSE;
 
         if (condition & GAIM_READ_COND)

lib/http_client.c

@@ -33 +33 @@
 
 static gboolean http_connected( gpointer data, int source, b_input_condition cond );
-static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond );
+static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond );
 static gboolean http_incoming_data( gpointer data, int source, b_input_condition cond );
 static void http_free( struct http_request *req );
@@ -47 +47 @@
         if( ssl )
         {
-                req->ssl = ssl_connect( host, port, TRUE, http_ssl_connected, req );
+                req->ssl = ssl_connect( host, port, http_ssl_connected, req );
                 if( req->ssl == NULL )
                         error = 1;
@@ -163 +163 @@
         
 error:
-        if( req->status_string == NULL )
-                req->status_string = g_strdup( "Error while writing HTTP request" );
+        req->status_string = g_strdup( "Error while writing HTTP request" );
         
         req->func( req );
@@ -171 +170 @@
 }
 
-static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond )
+static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond )
 {
         struct http_request *req = data;
         
         if( source == NULL )
-        {
-                if( returncode != 0 )
-                {
-                        char *err = ssl_verify_strerror( returncode );
-                        req->status_string = g_strdup_printf(
-                                "Certificate verification problem 0x%x: %s",
-                                returncode, err ? err : "Unknown" );
-                        g_free( err );
-                }
                 return http_connected( data, -1, cond );
-        }
         
         req->fd = ssl_getfd( source );
@@ -450 +439 @@
                 if( new_proto == PROTO_HTTPS )
                 {
-                        req->ssl = ssl_connect( new_host, new_port, TRUE, http_ssl_connected, req );
+                        req->ssl = ssl_connect( new_host, new_port, http_ssl_connected, req );
                         if( req->ssl == NULL )
                                 error = 1;

lib/ssl_bogus.c

@@ -32 +32 @@
 }
 
-void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
 {
         return( NULL );
@@ -56 +56 @@
 }
 
-void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) 
+void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) 
 {
         return NULL;
@@ -70 +70 @@
         return 0;
 }
-
-char *ssl_verify_strerror( int code )
-{
-        return NULL;
-}

lib/ssl_client.h

@@ -40 +40 @@
 #define SSL_NOHANDSHAKE   1
 #define SSL_AGAIN         2
-#define VERIFY_CERT_ERROR 2
-#define VERIFY_CERT_INVALID 4
-#define VERIFY_CERT_REVOKED 8
-#define VERIFY_CERT_SIGNER_NOT_FOUND 16
-#define VERIFY_CERT_SIGNER_NOT_CA 32
-#define VERIFY_CERT_INSECURE_ALGORITHM 64
-#define VERIFY_CERT_NOT_ACTIVATED 128
-#define VERIFY_CERT_EXPIRED 256
-#define VERIFY_CERT_WRONG_HOSTNAME 512
 
 extern int ssl_errno;
 
 /* This is what your callback function should look like. */
-typedef gboolean (*ssl_input_function)(gpointer, int, void*, b_input_condition);
+typedef gboolean (*ssl_input_function)(gpointer, void*, b_input_condition);
 
 
@@ -62 +53 @@
    ready to be used for SSL traffic. This is all done asynchronously, no
    blocking I/O! (Except for the DNS lookups, for now...) */
-G_MODULE_EXPORT void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data );
+G_MODULE_EXPORT void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data );
 
 /* Start an SSL session on an existing fd. Useful for STARTTLS functionality,
    for example in Jabber. */
-G_MODULE_EXPORT void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data );
+G_MODULE_EXPORT void *ssl_starttls( int fd, ssl_input_function func, gpointer data );
 
 /* Obviously you need special read/write functions to read data. */
@@ -99 +90 @@
 G_MODULE_EXPORT b_input_condition ssl_getdirection( void *conn );
 
-/* Converts a verification bitfield passed to ssl_input_function into
-   a more useful string. Or NULL if it had no useful bits set. */
-G_MODULE_EXPORT char *ssl_verify_strerror( int code );
-
 G_MODULE_EXPORT size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res);

lib/ssl_gnutls.c

@@ -25 +25 @@
 
 #include <gnutls/gnutls.h>
-#include <gnutls/x509.h>
 #include <gcrypt.h>
 #include <fcntl.h>
@@ -33 +32 @@
 #include "sock.h"
 #include "stdlib.h"
-#include "bitlbee.h"
 
 int ssl_errno = 0;
@@ -56 +54 @@
         gboolean established;
         int inpa;
-        char *hostname;
-        gboolean verify;
         
         gnutls_session session;
@@ -78 +74 @@
 }
 
-void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
 {
         struct scd *conn = g_new0( struct scd, 1 );
@@ -86 +82 @@
         conn->data = data;
         conn->inpa = -1;
-        conn->hostname = g_strdup( host );
-        conn->verify = verify && global.conf->cafile;
         
         if( conn->fd < 0 )
@@ -98 +92 @@
 }
 
-void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
+void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
 {
         struct scd *conn = g_new0( struct scd, 1 );
@@ -106 +100 @@
         conn->data = data;
         conn->inpa = -1;
-        conn->hostname = hostname;
-        
-        /* For now, SSL verification is globally enabled by setting the cafile
-           setting in bitlbee.conf. Commented out by default because probably
-           not everyone has this file in the same place and plenty of folks
-           may not have the cert of their private Jabber server in it. */
-        conn->verify = verify && global.conf->cafile;
         
         /* This function should be called via a (short) timeout instead of
@@ -135 +122 @@
 }
 
-static int verify_certificate_callback( gnutls_session_t session )
-{
-        unsigned int status;
-        const gnutls_datum_t *cert_list;
-        unsigned int cert_list_size;
-        int gnutlsret;
-        int verifyret = 0;
-        gnutls_x509_crt_t cert;
-        const char *hostname;
-        
-        hostname = gnutls_session_get_ptr(session );
-
-        gnutlsret = gnutls_certificate_verify_peers2( session, &status );
-        if( gnutlsret < 0 )
-                return VERIFY_CERT_ERROR;
-
-        if( status & GNUTLS_CERT_INVALID )
-                verifyret |= VERIFY_CERT_INVALID;
-
-        if( status & GNUTLS_CERT_REVOKED )
-                verifyret |= VERIFY_CERT_REVOKED;
-
-        if( status & GNUTLS_CERT_SIGNER_NOT_FOUND )
-                verifyret |= VERIFY_CERT_SIGNER_NOT_FOUND;
-
-        if( status & GNUTLS_CERT_SIGNER_NOT_CA )
-                verifyret |= VERIFY_CERT_SIGNER_NOT_CA;
-
-        if( status & GNUTLS_CERT_INSECURE_ALGORITHM )
-                verifyret |= VERIFY_CERT_INSECURE_ALGORITHM;
-
-#ifdef GNUTLS_CERT_NOT_ACTIVATED
-        /* Amusingly, the GnuTLS function used above didn't check for expiry
-           until GnuTLS 2.8 or so. (See CVE-2009-1417) */
-        if( status & GNUTLS_CERT_NOT_ACTIVATED )
-                verifyret |= VERIFY_CERT_NOT_ACTIVATED;
-
-        if( status & GNUTLS_CERT_EXPIRED )
-                verifyret |= VERIFY_CERT_EXPIRED;
-#endif
-
-        /* The following check is already performed inside 
-         * gnutls_certificate_verify_peers2, so we don't need it.
-
-         * if( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 )
-         * return GNUTLS_E_CERTIFICATE_ERROR;
-         */
-
-        if( gnutls_x509_crt_init( &cert ) < 0 )
-                return VERIFY_CERT_ERROR;
-
-        cert_list = gnutls_certificate_get_peers( session, &cert_list_size );
-        if( cert_list == NULL || gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER ) < 0 )
-                return VERIFY_CERT_ERROR;
-
-        if( !gnutls_x509_crt_check_hostname( cert, hostname ) )
-        {
-                verifyret |= VERIFY_CERT_INVALID;
-                verifyret |= VERIFY_CERT_WRONG_HOSTNAME;
-        }
-
-        gnutls_x509_crt_deinit( cert );
-
-        return verifyret;
-}
-
-char *ssl_verify_strerror( int code )
-{
-        GString *ret = g_string_new( "" );
-        
-        if( code & VERIFY_CERT_REVOKED )
-                g_string_append( ret, "certificate has been revoked, " );
-        if( code & VERIFY_CERT_SIGNER_NOT_FOUND )
-                g_string_append( ret, "certificate hasn't got a known issuer, " );
-        if( code & VERIFY_CERT_SIGNER_NOT_CA )
-                g_string_append( ret, "certificate's issuer is not a CA, " );
-        if( code & VERIFY_CERT_INSECURE_ALGORITHM )
-                g_string_append( ret, "certificate uses an insecure algorithm, " );
-        if( code & VERIFY_CERT_NOT_ACTIVATED )
-                g_string_append( ret, "certificate has not been activated, " );
-        if( code & VERIFY_CERT_EXPIRED )
-                g_string_append( ret, "certificate has expired, " );
-        if( code & VERIFY_CERT_WRONG_HOSTNAME )
-                g_string_append( ret, "certificate hostname mismatch, " );
-        
-        if( ret->len == 0 )
-        {
-                g_string_free( ret, TRUE );
-                return NULL;
-        }
-        else
-        {
-                g_string_truncate( ret, ret->len - 2 );
-                return g_string_free( ret, FALSE );
-        }
-}
-
 static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond )
 {
@@ -238 +128 @@
         if( source == -1 )
         {
-                conn->func( conn->data, 0, NULL, cond );
+                conn->func( conn->data, NULL, cond );
                 g_free( conn );
                 return FALSE;
@@ -246 +136 @@
         
         gnutls_certificate_allocate_credentials( &conn->xcred );
-        if( conn->verify && global.conf->cafile )
-        {
-                gnutls_certificate_set_x509_trust_file( conn->xcred, global.conf->cafile, GNUTLS_X509_FMT_PEM );
-                gnutls_certificate_set_verify_flags( conn->xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
-        }
-
         gnutls_init( &conn->session, GNUTLS_CLIENT );
-        if( conn->verify )
-                gnutls_session_set_ptr( conn->session, (void *) conn->hostname );
 #if GNUTLS_VERSION_NUMBER < 0x020c00
         gnutls_transport_set_lowat( conn->session, 0 );
@@ -270 +152 @@
 {
         struct scd *conn = data;
-        int st, stver;
+        int st;
         
         if( ( st = gnutls_handshake( conn->session ) ) < 0 )
@@ -281 +163 @@
                 else
                 {
-                        conn->func( conn->data, 0, NULL, cond );
+                        conn->func( conn->data, NULL, cond );
                         
                         gnutls_deinit( conn->session );
@@ -292 +174 @@
         else
         {
-                if( conn->verify && ( stver = verify_certificate_callback( conn->session ) ) != 0 )
-                {
-                        conn->func( conn->data, stver, NULL, cond );
-
-                        gnutls_deinit( conn->session );
-                        gnutls_certificate_free_credentials( conn->xcred );
-                        closesocket( conn->fd );
-
-                        g_free( conn );
-                }
-                else
-                {
-                        /* For now we can't handle non-blocking perfectly everywhere... */
-                        sock_make_blocking( conn->fd );
+                /* For now we can't handle non-blocking perfectly everywhere... */
+                sock_make_blocking( conn->fd );
                 
-                        conn->established = TRUE;
-                        conn->func( conn->data, 0, conn, cond );
-                }
+                conn->established = TRUE;
+                conn->func( conn->data, conn, cond );
         }
         

lib/ssl_nss.c

@@ -52 +52 @@
         PRFileDesc *prfd;
         gboolean established;
-        gboolean verify;
 };
 
@@ -103 +102 @@
 }
 
-void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
 {
         struct scd *conn = g_new0( struct scd, 1 );
@@ -133 +132 @@
 }
 
-void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
+void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
 {
         struct scd *conn = g_new0( struct scd, 1 );
@@ -140 +139 @@
         conn->func = func;
         conn->data = data;
-        conn->verify = verify && global.conf->cafile;
 
         /* This function should be called via a (short) timeout instead of
@@ -159 +157 @@
 {
         struct scd *conn = data;
-        
-        /* Right now we don't have any verification functionality for NSS. */
-
-        if( conn->verify )
-        {
-                conn->func( conn->data, 1, NULL, cond );
-                if( source >= 0 ) closesocket( source );
-                g_free( conn );
-
-                return FALSE;
-        }
         
         if( source == -1 )
@@ -190 +177 @@
         
         conn->established = TRUE;
-        conn->func( conn->data, 0, conn, cond );
+        conn->func( conn->data, conn, cond );
         return FALSE;
         
         ssl_connected_failure:
         
-        conn->func( conn->data, 0, NULL, cond );
+        conn->func( conn->data, NULL, cond );
         
         PR_Close( conn -> prfd );
@@ -251 +238 @@
         return B_EV_IO_READ;
 }
-
-char *ssl_verify_strerror( int code )
-{
-        return g_strdup( "SSL certificate verification not supported by BitlBee NSS code." );
-}

lib/ssl_openssl.c

@@ -45 +45 @@
         int fd;
         gboolean established;
-        gboolean verify;
         
         int inpa;
@@ -65 +64 @@
 }
 
-void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
 {
         struct scd *conn = g_new0( struct scd, 1 );
@@ -83 +82 @@
 }
 
-void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
+void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
 {
         struct scd *conn = g_new0( struct scd, 1 );
@@ -91 +90 @@
         conn->data = data;
         conn->inpa = -1;
-        conn->verify = verify && global.conf->cafile;
         
         /* This function should be called via a (short) timeout instead of
@@ -119 +117 @@
         SSL_METHOD *meth;
         
-        /* Right now we don't have any verification functionality for OpenSSL. */
-
-        if( conn->verify )
-        {
-                conn->func( conn->data, 1, NULL, cond );
-                if( source >= 0 ) closesocket( source );
-                g_free( conn );
-
-                return FALSE;
-        }
-
         if( source == -1 )
                 goto ssl_connected_failure;
@@ -154 +141 @@
 
 ssl_connected_failure:
-        conn->func( conn->data, 0, NULL, cond );
+        conn->func( conn->data, NULL, cond );
         
         if( conn->ssl )
@@ -182 +169 @@
                 if( conn->lasterr != SSL_ERROR_WANT_READ && conn->lasterr != SSL_ERROR_WANT_WRITE )
                 {
-                        conn->func( conn->data, 0, NULL, cond );
+                        conn->func( conn->data, NULL, cond );
                         
                         SSL_shutdown( conn->ssl );
@@ -200 +187 @@
         conn->established = TRUE;
         sock_make_blocking( conn->fd );         /* For now... */
-        conn->func( conn->data, 0, conn, cond );
+        conn->func( conn->data, conn, cond );
         return FALSE;
 }
@@ -285 +272 @@
 {
         return( ((struct scd*)conn)->lasterr == SSL_ERROR_WANT_WRITE ? B_EV_IO_WRITE : B_EV_IO_READ );
-}
-
-char *ssl_verify_strerror( int code )
-{
-        return g_strdup( "SSL certificate verification not supported by BitlBee OpenSSL code." );
 }
 

protocols/bee.h

@@ -123 +123 @@
         gboolean (*chat_add_user)( bee_t *bee, struct groupchat *c, bee_user_t *bu );
         gboolean (*chat_remove_user)( bee_t *bee, struct groupchat *c, bee_user_t *bu );
-        gboolean (*chat_topic)( bee_t *bee, struct groupchat *c, const char *new_topic, bee_user_t *bu );
+        gboolean (*chat_topic)( bee_t *bee, struct groupchat *c, const char *new, bee_user_t *bu );
         gboolean (*chat_name_hint)( bee_t *bee, struct groupchat *c, const char *name );
         gboolean (*chat_invite)( bee_t *bee, bee_user_t *bu, const char *name, const char *msg );

protocols/jabber/io.c

@@ -276 +276 @@
 }
 
-gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_input_condition cond )
+gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond )
 {
         struct im_connection *ic = data;
@@ -292 +292 @@
                 jd->ssl = NULL;
                 
-                if( returncode != 0 )
-                {
-                        char *err = ssl_verify_strerror( returncode );
-                        imcb_error( ic, "Certificate verification problem 0x%x: %s",
-                                    returncode, err ? err : "Unknown" );
-                        g_free( err );
-                        imc_logout( ic, FALSE );
-                }
-                else
-                {
-                        imcb_error( ic, "Could not connect to server" );
-                        imc_logout( ic, TRUE );
-                }
-                
+                imcb_error( ic, "Could not connect to server" );
+                imc_logout( ic, TRUE );
                 return FALSE;
         }
@@ -409 +397 @@
         struct im_connection *ic = data;
         struct jabber_data *jd = ic->proto_data;
-        char *xmlns, *tlsname;
+        char *xmlns;
         
         xmlns = xt_find_attr( node, "xmlns" );
@@ -435 +423 @@
         
         jd->flags |= JFLAG_STARTTLS_DONE;
-
-        /* If the user specified a server for the account, use this server as the 
-         * hostname in the certificate verification. Else we use the domain from 
-         * the username. */
-        if( ic->acc->server && *ic->acc->server )
-                tlsname = ic->acc->server;
-        else
-                tlsname = jd->server;
-        
-        jd->ssl = ssl_starttls( jd->fd, tlsname, set_getbool( &ic->acc->set, "tls_verify" ),
-                                jabber_connected_ssl, ic );
+        jd->ssl = ssl_starttls( jd->fd, jabber_connected_ssl, ic );
         
         return XT_HANDLED;

protocols/jabber/jabber.c

@@ -87 +87 @@
         s = set_add( &acc->set, "tls", "try", set_eval_tls, acc );
         s->flags |= ACC_SET_OFFLINE_ONLY;
-        
-        s = set_add( &acc->set, "tls_verify", "true", set_eval_bool, acc );
-        s->flags |= ACC_SET_OFFLINE_ONLY;
-        
+
         s = set_add( &acc->set, "user_agent", "BitlBee", NULL, acc );
         
@@ -231 +228 @@
         if( set_getbool( &acc->set, "ssl" ) )
         {
-                jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), FALSE, jabber_connected_ssl, ic );
+                jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), jabber_connected_ssl, ic );
                 jd->fd = jd->ssl ? ssl_getfd( jd->ssl ) : -1;
         }

protocols/jabber/jabber.h

@@ -317 +317 @@
 int jabber_write( struct im_connection *ic, char *buf, int len );
 gboolean jabber_connected_plain( gpointer data, gint source, b_input_condition cond );
-gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_input_condition cond );
+gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond );
 gboolean jabber_start_stream( struct im_connection *ic );
 void jabber_end_stream( struct im_connection *ic );

protocols/msn/soap.c

@@ -60 +60 @@
         struct im_connection *ic;
         int ttl;
-        char *error;
         
         char *url, *action, *payload;
@@ -159 +158 @@
         }
         
-        if( http_req->status_code != 200 )
-                soap_req->error = g_strdup( http_req->status_string );
-        
         st = soap_req->handle_response( soap_req );
 
@@ -168 +164 @@
         g_free( soap_req->action );
         g_free( soap_req->payload );
-        g_free( soap_req->error );
-        soap_req->url = soap_req->action = soap_req->payload = soap_req->error = NULL;
+        soap_req->url = soap_req->action = soap_req->payload = NULL;
         
         if( st == MSN_SOAP_RETRY && --soap_req->ttl )
@@ -258 +253 @@
         g_free( soap_req->action );
         g_free( soap_req->payload );
-        g_free( soap_req->error );
         g_free( soap_req );
 }
@@ -416 +410 @@
         if( sd->secret == NULL )
         {
-                msn_auth_got_passport_token( ic, NULL, sd->error ? sd->error : soap_req->error );
+                msn_auth_got_passport_token( ic, NULL, sd->error );
                 return MSN_SOAP_OK;
         }

protocols/skype/skype.c

@@ -1157 +1157 @@
 }
 
-gboolean skype_connected(gpointer data, int returncode, void *source, b_input_condition cond)
+gboolean skype_connected(gpointer data, void *source, b_input_condition cond)
 {
         struct im_connection *ic = data;
@@ -1185 +1185 @@
         imcb_log(ic, "Connecting");
         sd->ssl = ssl_connect(set_getstr(&acc->set, "server"),
-                set_getint(&acc->set, "port"), FALSE, skype_connected, ic);
+                set_getint(&acc->set, "port"), skype_connected, ic);
         sd->fd = sd->ssl ? ssl_getfd(sd->ssl) : -1;
         sd->username = g_strdup(acc->user);

unix.c

@@ -41 +41 @@
 #include <pwd.h>
 #include <locale.h>
-#include <grp.h>
 
 #if defined(OTR_BI) || defined(OTR_PI)
@@ -153 +152 @@
                 if( pw )
                 {
-                        initgroups( global.conf->user, pw->pw_gid );
                         setgid( pw->pw_gid );
                         setuid( pw->pw_uid );
-                }
-                else
-                {
-                        log_message( LOGLVL_WARNING, "Failed to look up user %s.", global.conf->user );
                 }
         }