Changes in / [164352e:e306fbf]
- Files:
-
- 24 edited
bitlbee.conf
r164352e re306fbf 116 116 ## (Obviously, the username and password are optional) 117 117 ## 118 # Proxy = http://john:doe@proxy.localnet.com:8080119 # Proxy = socks4://socksproxy.localnet.com120 # Proxy = socks5://socksproxy.localnet.com118 ## Proxy = http://john:doe@proxy.localnet.com:8080 119 ## Proxy = socks4://socksproxy.localnet.com 120 ## Proxy = socks5://socksproxy.localnet.com 121 121 122 122 ## Protocols offered by bitlbee … … 126 126 ## nothing is given, there are no restrictions. 127 127 ## 128 # Protocols = jabber yahoo128 ## Protocols = jabber yahoo 129 129 130 ## Trusted CAs131 ##132 ## Path to a file containing a list of trusted certificate authorities used in133 ## the verification of server certificates.134 ##135 ## Uncomment this and make sure the file actually exists and contains all136 ## certificate authorities you're willing to accept (default value should137 ## work on at least Debian/Ubuntu systems with the "ca-certificates" package138 ## installed). As long as the line is commented out, SSL certificate139 ## verification is completely disabled.140 ##141 ## The location of this file may be different on other distros/OSes. For142 ## example, try /etc/ssl/ca-bundle.pem on OpenSUSE.143 ##144 # CAfile = /etc/ssl/certs/ca-certificates.crt145 130 146 131 [defaults] -
bitlbee.h
r164352e re306fbf 26 26 #ifndef _BITLBEE_H 27 27 #define _BITLBEE_H 28 29 #ifdef __cplusplus30 extern "C" {31 #endif32 28 33 29 #ifndef _GNU_SOURCE … … 179 175 extern global_t global; 180 176 181 #ifdef __cplusplus182 }183 177 #endif 184 185 #endif186 -
conf.c
r164352e re306fbf 67 67 conf->ft_listen = NULL; 68 68 conf->protocols = NULL; 69 conf->cafile = NULL;70 69 proxytype = 0; 71 70 … … 178 177 fprintf( stderr, "Warning: Unable to read configuration file `%s'.\n", global.conf_file ); 179 178 180 if( conf->cafile && access( conf->cafile, R_OK ) != 0 )181 {182 /* Let's treat this as a serious problem so people won't think183 they're secure when in fact they're not. */184 fprintf( stderr, "Error: Could not read CA file %s: %s\n", conf->cafile, strerror( errno ) );185 return NULL;186 }187 188 179 return conf; 189 180 } … … 349 340 conf->protocols = g_strsplit_set( ini->value, " \t,;", -1 ); 350 341 } 351 else if( g_strcasecmp( ini->key, "cafile" ) == 0 )352 {353 g_free( conf->cafile );354 conf->cafile = g_strdup( ini->value );355 }356 342 else 357 343 { -
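Review bot: With the `cafile` branch gone from the key parser, a deployed bitlbee.conf that still carries a `CAfile = …` line now falls through to the `else` at new line 342, whose body lies outside this hunk; if that branch rejects unknown keys an upgrade turns a working configuration into a startup error, and if it ignores them the administrator loses the setting with no message at all. A one-line `else if( g_strcasecmp( ini->key, "cafile" ) == 0 ) fprintf( stderr, "Warning: CAfile is no longer supported and is ignored.\n" );` would tell them what changed. Both functions touched here start outside the hunk.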
conf.h
r164352e re306fbf 54 54 char *ft_listen; 55 55 char **protocols; 56 char *cafile;57 56 } conf_t; 58 57 -
configure
r164352e re306fbf 283 283 EOF 284 284 ssl=gnutls 285 if ! pkg-config gnutls --atleast-version=2.8; then286 echo287 echo 'Warning: With GnuTLS versions <2.8, certificate expire dates are not verified.'288 fi289 285 ret=1 290 286 elif libgnutls-config --version > /dev/null 2> /dev/null; then -
debian/changelog
r164352e re306fbf 1 bitlbee (3.0.4+z-2) UNRELEASED; urgency=low 2 3 * Removed some version override stuff from Debian build scripts. Instead, 4 my buildbot now uses dch to generate a changelog entry with the right 5 version number. 6 7 -- Wilmer van der Gaast <wilmer@gaast.net> Fri, 23 Dec 2011 09:45:55 +0100 8 9 bitlbee (3.0.4+bzr855-1) unstable; urgency=low 10 11 * New upstream release. 12 * This is not a vanilla 3.0.4 tree but a Bazaar snapshot. The source 13 release was a few weeks ago by now. There should be no significant 14 differences. 1 bitlbee (3.0.4-1) unstable; urgency=low 2 3 * New upstream release. 15 4 * Added bitlbee-plugin-skype and skyped packages, now part of BitlBee 16 instead of a separate package. Not building these for Debian for now 17 though since python-skype was removed. 5 instead of a separate package. 6 * Fixed dependencies of bitlbee-plugin-otr package to not break with 7 binary MTUs. (Closes: #651612) 18 8 * ^B and some other things are stripped in outgoing XMPP stanzas. 19 9 (Closes: #507856) … … 21 11 one from bugs.bitlbee.org. I hope that covers it. (Closes: #646369) 22 12 * Closing a few old bugs that were filed against the Debian package 23 instead of /as well asupstream:13 instead of upstream: 24 14 - Joining password-protected MUCs is working for a while already, set 25 15 the password using "chan set". (Closes: #615624) … … 28 18 - identi.ca support is documented. (Closes: #613789) 29 19 30 -- Wilmer van der Gaast <wilmer@gaast.net> Tue, 20 Dec 2011 12:46:42 +0100 31 32 bitlbee (3.0.3-1.1) unstable; urgency=low 33 34 * Non-maintainer upload. 35 * Use the standard ${source:Version} and ${binary:Version} substvars instead 36 of the custom and broken ${bee:Version} (closes: #651612). 37 38 -- Julien Cristau <jcristau@debian.org> Thu, 15 Dec 2011 20:34:32 +0100 20 -- Wilmer van der Gaast <wilmer@gaast.net> Sun, 11 Dec 2011 16:53:31 +0000 39 21 40 22 bitlbee (3.0.3-1) unstable; urgency=low -
debian/control
r164352e re306fbf 12 12 Package: bitlbee 13 13 Architecture: any 14 Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${ source:Version})14 Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${bee:Version}) 15 15 Conflicts: bitlbee-libpurple 16 16 Replaces: bitlbee-libpurple … … 22 22 Package: bitlbee-libpurple 23 23 Architecture: any 24 Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${ source:Version})24 Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${bee:Version}) 25 25 Conflicts: bitlbee 26 26 Replaces: bitlbee … … 51 51 Package: bitlbee-dev 52 52 Architecture: all 53 Depends: ${misc:Depends}, bitlbee (>= ${ source:Version}), bitlbee (<< ${source:Version}.1~), bitlbee-common (= ${source:Version})53 Depends: ${misc:Depends}, bitlbee (>= ${bee:Version}), bitlbee (<< ${bee:Version}.1~), bitlbee-common (= ${bee:Version}) 54 54 Description: An IRC to other chat networks gateway (dev files) 55 55 This program can be used as an IRC server which forwards everything you … … 61 61 Package: bitlbee-plugin-otr 62 62 Architecture: any 63 Depends: ${misc:Depends}, ${shlibs:Depends}, bitlbee ( = ${binary:Version}) | bitlbee-libpurple (= ${binary:Version}), bitlbee-common (= ${source:Version})63 Depends: ${misc:Depends}, ${shlibs:Depends}, bitlbee (>= ${bee:Version}) | bitlbee-libpurple (>= ${bee:Version}), bitlbee (<< ${bee:Version}.1~) | bitlbee-libpurple (<< ${bee:Version}.1~), bitlbee-common (= ${bee:Version}) 64 64 Description: An IRC to other chat networks gateway (OTR plugin) 65 65 This program can be used as an IRC server which forwards everything you … … 72 72 Package: bitlbee-plugin-skype 73 73 Architecture: any 74 Depends: ${ misc:Depends}, ${shlibs:Depends}, bitlbee (= ${binary:Version}) | bitlbee-libpurple (= ${binary:Version}), bitlbee-common (= ${source:Version})74 Depends: ${shlibs:Depends}, ${misc:Depends}, 
bitlbee (>= ${bee:Version}) | bitlbee-libpurple (>= ${bee:Version}), bitlbee (<< ${bee:Version}.1~) | bitlbee-libpurple (<< ${bee:Version}.1~) 75 75 Recommends: skyped 76 76 Description: An IRC to other chat networks gateway (Skype plugin) … … 83 83 84 84 Package: skyped 85 Architecture: a ll86 Depends: ${ misc:Depends}, ${shlibs:Depends}, python (>= 2.5), python-gnutls, python-skype (>=0.9.28.7)85 Architecture: any 86 Depends: ${shlibs:Depends}, ${misc:Depends}, python (>= 2.5), python-gnutls, python-skype (>=0.9.28.7) 87 87 Recommends: skype 88 88 Description: Daemon to control Skype remotely -
debian/rules
r164352e re306fbf 8 8 # 9 9 10 # Include the bitlbee-libpurple variant and OTR plugin by default. 11 # Don't build skype by default since it depends on deleted/non-free 12 # packages. Need to at least get python-skype back into Debian. 10 # Include the bitlbee-libpurple variant and OTR plugin by default 13 11 BITLBEE_LIBPURPLE ?= 1 14 12 BITLBEE_OTR ?= plugin 15 BITLBEE_SKYPE ?= 013 BITLBEE_SKYPE ?= plugin 16 14 BITLBEE_CONFIGURE_FLAGS ?= 17 15 DEBUG ?= 0 … … 19 17 ifndef BITLBEE_VERSION 20 18 # Want to use the full package version number instead of just the release. 21 BITLBEE_CONFIGURE_VERSION ?= BITLBEE_VERSION=\"$(shell dpkg-parsechangelog | awk '/^Version:/{print $$2}')\"19 BITLBEE_CONFIGURE_VERSION ?= BITLBEE_VERSION=\"$(shell dpkg-parsechangelog | grep ^Version: | awk '{print $$2}')\" 22 20 endif 23 21 … … 74 72 $(MAKE) -C debian/build-native install-plugin-skype DESTDIR=`pwd`/debian/skyped 75 73 76 ifneq ($(BITLBEE_SKYPE),0)77 74 mkdir -p debian/bitlbee-plugin-skype/usr 78 75 mv debian/skyped/usr/lib debian/bitlbee-plugin-skype/usr … … 80 77 mkdir -p debian/skyped/usr/share/man/man1 81 78 mv debian/bitlbee-common/usr/share/man/man1/skyped* debian/skyped/usr/share/man/man1 82 endif83 79 84 80 ifeq ($(BITLBEE_LIBPURPLE),1) … … 110 106 dh_installdeb 111 107 dh_shlibdeps 112 dh_gencontrol 108 ifdef BITLBEE_VERSION 109 dh_gencontrol -- -v$(BITLBEE_VERSION) -Vbee:Version=$(BITLBEE_VERSION) 110 else 111 dh_gencontrol -- -Vbee:Version=$(shell dpkg-parsechangelog | grep ^Version: | awk '{print $$2}' | sed -e 's/+b[0-9]\+$$//') 112 endif 113 113 dh_md5sums 114 114 dh_builddeb -
doc/user-guide/commands.xml
r164352e re306fbf 648 648 </bitlbee-setting> 649 649 650 <bitlbee-setting name="auto_connect" type="boolean" scope=" account,global">650 <bitlbee-setting name="auto_connect" type="boolean" scope="both"> 651 651 <default>true</default> 652 652 … … 672 672 </bitlbee-setting> 673 673 674 <bitlbee-setting name="auto_reconnect" type="boolean" scope=" account,global">674 <bitlbee-setting name="auto_reconnect" type="boolean" scope="both"> 675 675 <default>true</default> 676 676 … … 726 726 </bitlbee-setting> 727 727 728 <bitlbee-setting name="away" type="string" scope=" account,global">728 <bitlbee-setting name="away" type="string" scope="both"> 729 729 <description> 730 730 <para> … … 1076 1076 </bitlbee-setting> 1077 1077 1078 <bitlbee-setting name="nick_format" type="string" scope=" account,global">1078 <bitlbee-setting name="nick_format" type="string" scope="both"> 1079 1079 <default>%-@nick</default> 1080 1080 … … 1169 1169 </bitlbee-setting> 1170 1170 1171 <bitlbee-setting name="password" type="string" scope=" account,global">1171 <bitlbee-setting name="password" type="string" scope="both"> 1172 1172 <description> 1173 1173 <para> … … 1392 1392 <description> 1393 1393 <para> 1394 Currently only available for Jabber connections. Set this to true if you want to connect to the server on an SSL-enabled port (usually 5223). 1395 </para> 1396 1397 <para> 1398 Please note that this method of establishing a secure connection to the server has long been deprecated. You are encouraged to look at the <emphasis>tls</emphasis> setting instead. 1399 </para> 1400 </description> 1401 </bitlbee-setting> 1402 1403 <bitlbee-setting name="status" type="string" scope="account,global"> 1404 <description> 1405 <para> 1406 Most IM protocols support status messages, similar to away messages. They can be used to indicate things like your location or activity, without showing up as away/busy. 1394 Currently only available for Jabber connections. 
Set this to true if the server accepts SSL connections. 1395 </para> 1396 </description> 1397 </bitlbee-setting> 1398 1399 <bitlbee-setting name="status" type="string" scope="both"> 1400 <description> 1401 <para> 1402 Certain protocols (like Jabber/XMPP) support status messages, similar to away messages. They can be used to indicate things like your location or activity, without showing up as away/busy. 1407 1403 </para> 1408 1404 … … 1412 1408 1413 1409 <para> 1414 Away states set using <emphasis>/away</emphasis> or the <emphasis>away</emphasis> setting will override this setting. To clearthe setting, use <emphasis>set -del status</emphasis>.1410 Away states set using <emphasis>/away</emphasis> or the <emphasis>away</emphasis> setting will override this setting. To un-set the setting, use <emphasis>set -del status</emphasis>. 1415 1411 </para> 1416 1412 </description> … … 1485 1481 <para> 1486 1482 If you want to force BitlBee to use TLS sessions only (and to give up if that doesn't seem to be possible) you can set this setting to <emphasis>true</emphasis>. Set it to <emphasis>false</emphasis> if you want the session to remain plain-text. 1487 </para>1488 </description>1489 </bitlbee-setting>1490 1491 <bitlbee-setting name="tls_verify" type="boolean" scope="account">1492 <default>true</default>1493 1494 <description>1495 <para>1496 Currently only available for Jabber connections in combination with the <emphasis>tls</emphasis> setting. Set this to <emphasis>true</emphasis> if you want BitlBee to strictly verify the server's certificate against a list of trusted certificate authorities.1497 </para>1498 1499 <para>1500 The hostname used in the certificate verification is the value of the <emphasis>server</emphasis> setting if the latter is nonempty and the domain of the username else. 
If you get a hostname related error when connecting to Google Talk with a username from the gmail.com or googlemail.com domain, please try to empty the <emphasis>server</emphasis> setting.1501 </para>1502 1503 <para>1504 Please note that no certificate verification is performed when the <emphasis>ssl</emphasis> setting is used, or when the <emphasis>CAfile</emphasis> setting in <emphasis>bitlbee.conf</emphasis> is not set.1505 1483 </para> 1506 1484 </description> -
irc.h
r164352e re306fbf 182 182 gboolean (*join)( irc_channel_t *ic ); 183 183 gboolean (*part)( irc_channel_t *ic, const char *msg ); 184 gboolean (*topic)( irc_channel_t *ic, const char *new _topic);184 gboolean (*topic)( irc_channel_t *ic, const char *new ); 185 185 gboolean (*invite)( irc_channel_t *ic, irc_user_t *iu ); 186 186 … … 332 332 void irc_send_msg_raw( irc_user_t *iu, const char *type, const char *dst, const char *msg ); 333 333 void irc_send_msg_f( irc_user_t *iu, const char *type, const char *dst, const char *format, ... ) G_GNUC_PRINTF( 4, 5 ); 334 void irc_send_nick( irc_user_t *iu, const char *new _nick);334 void irc_send_nick( irc_user_t *iu, const char *new ); 335 335 void irc_send_channel_user_mode_diff( irc_channel_t *ic, irc_user_t *iu, 336 irc_channel_user_flags_t old _flags, irc_channel_user_flags_t new_flags);336 irc_channel_user_flags_t old, irc_channel_user_flags_t new ); 337 337 void irc_send_invite( irc_user_t *iu, irc_channel_t *ic ); 338 338 … … 341 341 int irc_user_free( irc_t *irc, irc_user_t *iu ); 342 342 irc_user_t *irc_user_by_name( irc_t *irc, const char *nick ); 343 int irc_user_set_nick( irc_user_t *iu, const char *new _nick);343 int irc_user_set_nick( irc_user_t *iu, const char *new ); 344 344 gint irc_user_cmp( gconstpointer a_, gconstpointer b_ ); 345 345 const char *irc_user_get_away( irc_user_t *iu ); -
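Review bot: The parameter renames at new lines 184, 334, 336 and 343 reintroduce `new` and `old` as identifiers; that is valid C, but `new` is a C++ keyword, so this header — and protocols/bee.h line 125, which gets the same rename — can no longer be included from a C++ translation unit, and bitlbee.h in this same changeset also drops its `extern "C"` wrapper, so any C++ consumer loses both protections at once. If C++ consumers are not a goal that deserves a comment in bitlbee.h; otherwise keep `new_topic`, `new_nick` and `old_flags`/`new_flags`. The struct and prototype lists continue outside the hunk.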
lib/events_glib.c
r164352e re306fbf 75 75 b_input_condition gaim_cond = 0; 76 76 gboolean st; 77 78 if (condition & G_IO_NVAL)79 return FALSE;80 77 81 78 if (condition & GAIM_READ_COND) -
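Review bot: Without the `G_IO_NVAL` early return, the callback now goes on to test `GAIM_READ_COND` and dispatch on a descriptor GLib has flagged as invalid (NVAL is what poll() reports for a closed fd); because the source is not removed, GLib can keep reporting the same condition, turning a closed socket into a busy loop of callbacks on a dead fd. Keeping `if (condition & G_IO_NVAL) return FALSE;` ahead of new line 78 is the cheap fix. The enclosing callback starts before and ends after this hunk, so I cannot see whether a later branch handles this case.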
lib/http_client.c
r164352e re306fbf 33 33 34 34 static gboolean http_connected( gpointer data, int source, b_input_condition cond ); 35 static gboolean http_ssl_connected( gpointer data, int returncode,void *source, b_input_condition cond );35 static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond ); 36 36 static gboolean http_incoming_data( gpointer data, int source, b_input_condition cond ); 37 37 static void http_free( struct http_request *req ); … … 47 47 if( ssl ) 48 48 { 49 req->ssl = ssl_connect( host, port, TRUE,http_ssl_connected, req );49 req->ssl = ssl_connect( host, port, http_ssl_connected, req ); 50 50 if( req->ssl == NULL ) 51 51 error = 1; … … 163 163 164 164 error: 165 if( req->status_string == NULL ) 166 req->status_string = g_strdup( "Error while writing HTTP request" ); 165 req->status_string = g_strdup( "Error while writing HTTP request" ); 167 166 168 167 req->func( req ); … … 171 170 } 172 171 173 static gboolean http_ssl_connected( gpointer data, int returncode,void *source, b_input_condition cond )172 static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond ) 174 173 { 175 174 struct http_request *req = data; 176 175 177 176 if( source == NULL ) 178 {179 if( returncode != 0 )180 {181 char *err = ssl_verify_strerror( returncode );182 req->status_string = g_strdup_printf(183 "Certificate verification problem 0x%x: %s",184 returncode, err ? err : "Unknown" );185 g_free( err );186 }187 177 return http_connected( data, -1, cond ); 188 }189 178 190 179 req->fd = ssl_getfd( source ); … … 450 439 if( new_proto == PROTO_HTTPS ) 451 440 { 452 req->ssl = ssl_connect( new_host, new_port, TRUE,http_ssl_connected, req );441 req->ssl = ssl_connect( new_host, new_port, http_ssl_connected, req ); 453 442 if( req->ssl == NULL ) 454 443 error = 1; -
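Review bot: The `error:` path at new line 165 now assigns `req->status_string` unconditionally; if any other path has already set it before jumping here, the earlier string is leaked and a more specific message is replaced by the generic one. `g_free( req->status_string );` before the `g_strdup`, or the NULL guard the old side had, keeps this safe as new `goto error` sites appear. The function containing the label starts outside the hunk.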
lib/ssl_bogus.c
r164352e re306fbf 32 32 } 33 33 34 void *ssl_connect( char *host, int port, gboolean verify,ssl_input_function func, gpointer data )34 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ) 35 35 { 36 36 return( NULL ); … … 56 56 } 57 57 58 void *ssl_starttls( int fd, char *hostname, gboolean verify,ssl_input_function func, gpointer data )58 void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) 59 59 { 60 60 return NULL; … … 70 70 return 0; 71 71 } 72 73 char *ssl_verify_strerror( int code )74 {75 return NULL;76 } -
lib/ssl_client.h
r164352e re306fbf 40 40 #define SSL_NOHANDSHAKE 1 41 41 #define SSL_AGAIN 2 42 #define VERIFY_CERT_ERROR 243 #define VERIFY_CERT_INVALID 444 #define VERIFY_CERT_REVOKED 845 #define VERIFY_CERT_SIGNER_NOT_FOUND 1646 #define VERIFY_CERT_SIGNER_NOT_CA 3247 #define VERIFY_CERT_INSECURE_ALGORITHM 6448 #define VERIFY_CERT_NOT_ACTIVATED 12849 #define VERIFY_CERT_EXPIRED 25650 #define VERIFY_CERT_WRONG_HOSTNAME 51251 42 52 43 extern int ssl_errno; 53 44 54 45 /* This is what your callback function should look like. */ 55 typedef gboolean (*ssl_input_function)(gpointer, int,void*, b_input_condition);46 typedef gboolean (*ssl_input_function)(gpointer, void*, b_input_condition); 56 47 57 48 … … 62 53 ready to be used for SSL traffic. This is all done asynchronously, no 63 54 blocking I/O! (Except for the DNS lookups, for now...) */ 64 G_MODULE_EXPORT void *ssl_connect( char *host, int port, gboolean verify,ssl_input_function func, gpointer data );55 G_MODULE_EXPORT void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ); 65 56 66 57 /* Start an SSL session on an existing fd. Useful for STARTTLS functionality, 67 58 for example in Jabber. */ 68 G_MODULE_EXPORT void *ssl_starttls( int fd, char *hostname, gboolean verify,ssl_input_function func, gpointer data );59 G_MODULE_EXPORT void *ssl_starttls( int fd, ssl_input_function func, gpointer data ); 69 60 70 61 /* Obviously you need special read/write functions to read data. */ … … 99 90 G_MODULE_EXPORT b_input_condition ssl_getdirection( void *conn ); 100 91 101 /* Converts a verification bitfield passed to ssl_input_function into102 a more useful string. Or NULL if it had no useful bits set. */103 G_MODULE_EXPORT char *ssl_verify_strerror( int code );104 105 92 G_MODULE_EXPORT size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res); -
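Review bot: The `ssl_input_function` typedef at new line 46 gives the callback only a NULL `source` to signal failure, so every consumer (`http_ssl_connected`, `jabber_connected_ssl`) can only report a generic connection error, and the header nowhere states that contract or that the backends do not verify the peer certificate — in this changeset `ssl_gnutls.c`'s handshake path reports the session established without ever calling `gnutls_certificate_verify_peers2`. Suggested wording above the typedef: `/* Called with source == NULL on connect/handshake failure (no reason is passed); on success source is the SSL handle. Backends do not verify the server certificate. */`. A matching sentence next to `ssl_connect` at 55 — the connection is encrypted but the peer is not authenticated — would save the next reader a trip through the backends.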
lib/ssl_gnutls.c
r164352e re306fbf 25 25 26 26 #include <gnutls/gnutls.h> 27 #include <gnutls/x509.h>28 27 #include <gcrypt.h> 29 28 #include <fcntl.h> … … 33 32 #include "sock.h" 34 33 #include "stdlib.h" 35 #include "bitlbee.h"36 34 37 35 int ssl_errno = 0; … … 56 54 gboolean established; 57 55 int inpa; 58 char *hostname;59 gboolean verify;60 56 61 57 gnutls_session session; … … 78 74 } 79 75 80 void *ssl_connect( char *host, int port, gboolean verify,ssl_input_function func, gpointer data )76 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ) 81 77 { 82 78 struct scd *conn = g_new0( struct scd, 1 ); … … 86 82 conn->data = data; 87 83 conn->inpa = -1; 88 conn->hostname = g_strdup( host );89 conn->verify = verify && global.conf->cafile;90 84 91 85 if( conn->fd < 0 ) … … 98 92 } 99 93 100 void *ssl_starttls( int fd, char *hostname, gboolean verify,ssl_input_function func, gpointer data )94 void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) 101 95 { 102 96 struct scd *conn = g_new0( struct scd, 1 ); … … 106 100 conn->data = data; 107 101 conn->inpa = -1; 108 conn->hostname = hostname;109 110 /* For now, SSL verification is globally enabled by setting the cafile111 setting in bitlbee.conf. Commented out by default because probably112 not everyone has this file in the same place and plenty of folks113 may not have the cert of their private Jabber server in it. 
*/114 conn->verify = verify && global.conf->cafile;115 102 116 103 /* This function should be called via a (short) timeout instead of … … 135 122 } 136 123 137 static int verify_certificate_callback( gnutls_session_t session )138 {139 unsigned int status;140 const gnutls_datum_t *cert_list;141 unsigned int cert_list_size;142 int gnutlsret;143 int verifyret = 0;144 gnutls_x509_crt_t cert;145 const char *hostname;146 147 hostname = gnutls_session_get_ptr(session );148 149 gnutlsret = gnutls_certificate_verify_peers2( session, &status );150 if( gnutlsret < 0 )151 return VERIFY_CERT_ERROR;152 153 if( status & GNUTLS_CERT_INVALID )154 verifyret |= VERIFY_CERT_INVALID;155 156 if( status & GNUTLS_CERT_REVOKED )157 verifyret |= VERIFY_CERT_REVOKED;158 159 if( status & GNUTLS_CERT_SIGNER_NOT_FOUND )160 verifyret |= VERIFY_CERT_SIGNER_NOT_FOUND;161 162 if( status & GNUTLS_CERT_SIGNER_NOT_CA )163 verifyret |= VERIFY_CERT_SIGNER_NOT_CA;164 165 if( status & GNUTLS_CERT_INSECURE_ALGORITHM )166 verifyret |= VERIFY_CERT_INSECURE_ALGORITHM;167 168 #ifdef GNUTLS_CERT_NOT_ACTIVATED169 /* Amusingly, the GnuTLS function used above didn't check for expiry170 until GnuTLS 2.8 or so. 
(See CVE-2009-1417) */171 if( status & GNUTLS_CERT_NOT_ACTIVATED )172 verifyret |= VERIFY_CERT_NOT_ACTIVATED;173 174 if( status & GNUTLS_CERT_EXPIRED )175 verifyret |= VERIFY_CERT_EXPIRED;176 #endif177 178 /* The following check is already performed inside179 * gnutls_certificate_verify_peers2, so we don't need it.180 181 * if( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 )182 * return GNUTLS_E_CERTIFICATE_ERROR;183 */184 185 if( gnutls_x509_crt_init( &cert ) < 0 )186 return VERIFY_CERT_ERROR;187 188 cert_list = gnutls_certificate_get_peers( session, &cert_list_size );189 if( cert_list == NULL || gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER ) < 0 )190 return VERIFY_CERT_ERROR;191 192 if( !gnutls_x509_crt_check_hostname( cert, hostname ) )193 {194 verifyret |= VERIFY_CERT_INVALID;195 verifyret |= VERIFY_CERT_WRONG_HOSTNAME;196 }197 198 gnutls_x509_crt_deinit( cert );199 200 return verifyret;201 }202 203 char *ssl_verify_strerror( int code )204 {205 GString *ret = g_string_new( "" );206 207 if( code & VERIFY_CERT_REVOKED )208 g_string_append( ret, "certificate has been revoked, " );209 if( code & VERIFY_CERT_SIGNER_NOT_FOUND )210 g_string_append( ret, "certificate hasn't got a known issuer, " );211 if( code & VERIFY_CERT_SIGNER_NOT_CA )212 g_string_append( ret, "certificate's issuer is not a CA, " );213 if( code & VERIFY_CERT_INSECURE_ALGORITHM )214 g_string_append( ret, "certificate uses an insecure algorithm, " );215 if( code & VERIFY_CERT_NOT_ACTIVATED )216 g_string_append( ret, "certificate has not been activated, " );217 if( code & VERIFY_CERT_EXPIRED )218 g_string_append( ret, "certificate has expired, " );219 if( code & VERIFY_CERT_WRONG_HOSTNAME )220 g_string_append( ret, "certificate hostname mismatch, " );221 222 if( ret->len == 0 )223 {224 g_string_free( ret, TRUE );225 return NULL;226 }227 else228 {229 g_string_truncate( ret, ret->len - 2 );230 return g_string_free( ret, FALSE );231 }232 }233 234 124 static gboolean 
ssl_connected( gpointer data, gint source, b_input_condition cond ) 235 125 { … … 238 128 if( source == -1 ) 239 129 { 240 conn->func( conn->data, 0,NULL, cond );130 conn->func( conn->data, NULL, cond ); 241 131 g_free( conn ); 242 132 return FALSE; … … 246 136 247 137 gnutls_certificate_allocate_credentials( &conn->xcred ); 248 if( conn->verify && global.conf->cafile )249 {250 gnutls_certificate_set_x509_trust_file( conn->xcred, global.conf->cafile, GNUTLS_X509_FMT_PEM );251 gnutls_certificate_set_verify_flags( conn->xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );252 }253 254 138 gnutls_init( &conn->session, GNUTLS_CLIENT ); 255 if( conn->verify )256 gnutls_session_set_ptr( conn->session, (void *) conn->hostname );257 139 #if GNUTLS_VERSION_NUMBER < 0x020c00 258 140 gnutls_transport_set_lowat( conn->session, 0 ); … … 270 152 { 271 153 struct scd *conn = data; 272 int st , stver;154 int st; 273 155 274 156 if( ( st = gnutls_handshake( conn->session ) ) < 0 ) … … 281 163 else 282 164 { 283 conn->func( conn->data, 0,NULL, cond );165 conn->func( conn->data, NULL, cond ); 284 166 285 167 gnutls_deinit( conn->session ); … … 292 174 else 293 175 { 294 if( conn->verify && ( stver = verify_certificate_callback( conn->session ) ) != 0 ) 295 { 296 conn->func( conn->data, stver, NULL, cond ); 297 298 gnutls_deinit( conn->session ); 299 gnutls_certificate_free_credentials( conn->xcred ); 300 closesocket( conn->fd ); 301 302 g_free( conn ); 303 } 304 else 305 { 306 /* For now we can't handle non-blocking perfectly everywhere... */ 307 sock_make_blocking( conn->fd ); 176 /* For now we can't handle non-blocking perfectly everywhere... */ 177 sock_make_blocking( conn->fd ); 308 178 309 conn->established = TRUE; 310 conn->func( conn->data, 0, conn, cond ); 311 } 179 conn->established = TRUE; 180 conn->func( conn->data, conn, cond ); 312 181 } 313 182 -
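Review bot: On the success branch of the handshake (new lines 176–180) the session is marked `established` and handed to the callback without any check of the peer certificate: `ssl_connected` at 137–139 allocates credentials with no trust file and nothing ever calls `gnutls_certificate_verify_peers2`, so a self-signed, expired or wrong-host certificate completes the handshake exactly like a valid one and the connection is encrypted but not authenticated. The `ssl_nss.c` and `ssl_openssl.c` hunks reach `established = TRUE` straight from their handshakes in the same way. At minimum the header comment of `ssl_connected` should say so, e.g. `/* No certificate verification: any peer certificate completes the handshake. */`; a real fix would load a trust store into `conn->xcred` and fail the connection when `gnutls_certificate_verify_peers2` reports a non-zero status. Both `ssl_connected` and `ssl_handshake` start and end outside the hunk.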
lib/ssl_nss.c
r164352e re306fbf 52 52 PRFileDesc *prfd; 53 53 gboolean established; 54 gboolean verify;55 54 }; 56 55 … … 103 102 } 104 103 105 void *ssl_connect( char *host, int port, gboolean verify,ssl_input_function func, gpointer data )104 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ) 106 105 { 107 106 struct scd *conn = g_new0( struct scd, 1 ); … … 133 132 } 134 133 135 void *ssl_starttls( int fd, char *hostname, gboolean verify,ssl_input_function func, gpointer data )134 void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) 136 135 { 137 136 struct scd *conn = g_new0( struct scd, 1 ); … … 140 139 conn->func = func; 141 140 conn->data = data; 142 conn->verify = verify && global.conf->cafile;143 141 144 142 /* This function should be called via a (short) timeout instead of … … 159 157 { 160 158 struct scd *conn = data; 161 162 /* Right now we don't have any verification functionality for NSS. */163 164 if( conn->verify )165 {166 conn->func( conn->data, 1, NULL, cond );167 if( source >= 0 ) closesocket( source );168 g_free( conn );169 170 return FALSE;171 }172 159 173 160 if( source == -1 ) … … 190 177 191 178 conn->established = TRUE; 192 conn->func( conn->data, 0,conn, cond );179 conn->func( conn->data, conn, cond ); 193 180 return FALSE; 194 181 195 182 ssl_connected_failure: 196 183 197 conn->func( conn->data, 0,NULL, cond );184 conn->func( conn->data, NULL, cond ); 198 185 199 186 PR_Close( conn -> prfd ); … … 251 238 return B_EV_IO_READ; 252 239 } 253 254 char *ssl_verify_strerror( int code )255 {256 return g_strdup( "SSL certificate verification not supported by BitlBee NSS code." );257 } -
lib/ssl_openssl.c
r164352e re306fbf 45 45 int fd; 46 46 gboolean established; 47 gboolean verify;48 47 49 48 int inpa; … … 65 64 } 66 65 67 void *ssl_connect( char *host, int port, gboolean verify,ssl_input_function func, gpointer data )66 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ) 68 67 { 69 68 struct scd *conn = g_new0( struct scd, 1 ); … … 83 82 } 84 83 85 void *ssl_starttls( int fd, char *hostname, gboolean verify,ssl_input_function func, gpointer data )84 void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) 86 85 { 87 86 struct scd *conn = g_new0( struct scd, 1 ); … … 91 90 conn->data = data; 92 91 conn->inpa = -1; 93 conn->verify = verify && global.conf->cafile;94 92 95 93 /* This function should be called via a (short) timeout instead of … … 119 117 SSL_METHOD *meth; 120 118 121 /* Right now we don't have any verification functionality for OpenSSL. */122 123 if( conn->verify )124 {125 conn->func( conn->data, 1, NULL, cond );126 if( source >= 0 ) closesocket( source );127 g_free( conn );128 129 return FALSE;130 }131 132 119 if( source == -1 ) 133 120 goto ssl_connected_failure; … … 154 141 155 142 ssl_connected_failure: 156 conn->func( conn->data, 0,NULL, cond );143 conn->func( conn->data, NULL, cond ); 157 144 158 145 if( conn->ssl ) … … 182 169 if( conn->lasterr != SSL_ERROR_WANT_READ && conn->lasterr != SSL_ERROR_WANT_WRITE ) 183 170 { 184 conn->func( conn->data, 0,NULL, cond );171 conn->func( conn->data, NULL, cond ); 185 172 186 173 SSL_shutdown( conn->ssl ); … … 200 187 conn->established = TRUE; 201 188 sock_make_blocking( conn->fd ); /* For now... */ 202 conn->func( conn->data, 0,conn, cond );189 conn->func( conn->data, conn, cond ); 203 190 return FALSE; 204 191 } … … 285 272 { 286 273 return( ((struct scd*)conn)->lasterr == SSL_ERROR_WANT_WRITE ? 
B_EV_IO_WRITE : B_EV_IO_READ ); 287 }288 289 char *ssl_verify_strerror( int code )290 {291 return g_strdup( "SSL certificate verification not supported by BitlBee OpenSSL code." );292 274 } 293 275 -
protocols/bee.h
r164352e re306fbf 123 123 gboolean (*chat_add_user)( bee_t *bee, struct groupchat *c, bee_user_t *bu ); 124 124 gboolean (*chat_remove_user)( bee_t *bee, struct groupchat *c, bee_user_t *bu ); 125 gboolean (*chat_topic)( bee_t *bee, struct groupchat *c, const char *new _topic, bee_user_t *bu );125 gboolean (*chat_topic)( bee_t *bee, struct groupchat *c, const char *new, bee_user_t *bu ); 126 126 gboolean (*chat_name_hint)( bee_t *bee, struct groupchat *c, const char *name ); 127 127 gboolean (*chat_invite)( bee_t *bee, bee_user_t *bu, const char *name, const char *msg ); -
protocols/jabber/io.c
r164352e re306fbf 276 276 } 277 277 278 gboolean jabber_connected_ssl( gpointer data, int returncode,void *source, b_input_condition cond )278 gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond ) 279 279 { 280 280 struct im_connection *ic = data; … … 292 292 jd->ssl = NULL; 293 293 294 if( returncode != 0 ) 295 { 296 char *err = ssl_verify_strerror( returncode ); 297 imcb_error( ic, "Certificate verification problem 0x%x: %s", 298 returncode, err ? err : "Unknown" ); 299 g_free( err ); 300 imc_logout( ic, FALSE ); 301 } 302 else 303 { 304 imcb_error( ic, "Could not connect to server" ); 305 imc_logout( ic, TRUE ); 306 } 307 294 imcb_error( ic, "Could not connect to server" ); 295 imc_logout( ic, TRUE ); 308 296 return FALSE; 309 297 } … … 409 397 struct im_connection *ic = data; 410 398 struct jabber_data *jd = ic->proto_data; 411 char *xmlns , *tlsname;399 char *xmlns; 412 400 413 401 xmlns = xt_find_attr( node, "xmlns" ); … … 435 423 436 424 jd->flags |= JFLAG_STARTTLS_DONE; 437 438 /* If the user specified a server for the account, use this server as the 439 * hostname in the certificate verification. Else we use the domain from 440 * the username. */ 441 if( ic->acc->server && *ic->acc->server ) 442 tlsname = ic->acc->server; 443 else 444 tlsname = jd->server; 445 446 jd->ssl = ssl_starttls( jd->fd, tlsname, set_getbool( &ic->acc->set, "tls_verify" ), 447 jabber_connected_ssl, ic ); 425 jd->ssl = ssl_starttls( jd->fd, jabber_connected_ssl, ic ); 448 426 449 427 return XT_HANDLED; -
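Review bot: At new line 425 the return of `ssl_starttls` is stored in `jd->ssl` and the handler returns `XT_HANDLED` without a NULL check, whereas the `ssl_connect` call in jabber.c (new lines 230–231) guards with `jd->ssl ? … : -1`; `lib/ssl_bogus.c`'s `ssl_starttls` returns NULL, so a build with that backend presumably sets `JFLAG_STARTTLS_DONE` and then waits for a callback that never arrives. A guard such as `if( jd->ssl == NULL ) { imcb_error( ic, "Could not start TLS" ); imc_logout( ic, TRUE ); }` returning the handler's abort value would mirror the existing failure path in `jabber_connected_ssl`. The stream handler starts outside the hunk.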
protocols/jabber/jabber.c
r164352e re306fbf 87 87 s = set_add( &acc->set, "tls", "try", set_eval_tls, acc ); 88 88 s->flags |= ACC_SET_OFFLINE_ONLY; 89 90 s = set_add( &acc->set, "tls_verify", "true", set_eval_bool, acc ); 91 s->flags |= ACC_SET_OFFLINE_ONLY; 92 89 93 90 s = set_add( &acc->set, "user_agent", "BitlBee", NULL, acc ); 94 91 … … 231 228 if( set_getbool( &acc->set, "ssl" ) ) 232 229 { 233 jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), FALSE,jabber_connected_ssl, ic );230 jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), jabber_connected_ssl, ic ); 234 231 jd->fd = jd->ssl ? ssl_getfd( jd->ssl ) : -1; 235 232 } -
protocols/jabber/jabber.h
r164352e re306fbf 317 317 int jabber_write( struct im_connection *ic, char *buf, int len ); 318 318 gboolean jabber_connected_plain( gpointer data, gint source, b_input_condition cond ); 319 gboolean jabber_connected_ssl( gpointer data, int returncode,void *source, b_input_condition cond );319 gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond ); 320 320 gboolean jabber_start_stream( struct im_connection *ic ); 321 321 void jabber_end_stream( struct im_connection *ic ); -
protocols/msn/soap.c
r164352e re306fbf 60 60 struct im_connection *ic; 61 61 int ttl; 62 char *error;63 62 64 63 char *url, *action, *payload; … … 159 158 } 160 159 161 if( http_req->status_code != 200 )162 soap_req->error = g_strdup( http_req->status_string );163 164 160 st = soap_req->handle_response( soap_req ); 165 161 … … 168 164 g_free( soap_req->action ); 169 165 g_free( soap_req->payload ); 170 g_free( soap_req->error ); 171 soap_req->url = soap_req->action = soap_req->payload = soap_req->error = NULL; 166 soap_req->url = soap_req->action = soap_req->payload = NULL; 172 167 173 168 if( st == MSN_SOAP_RETRY && --soap_req->ttl ) … … 258 253 g_free( soap_req->action ); 259 254 g_free( soap_req->payload ); 260 g_free( soap_req->error );261 255 g_free( soap_req ); 262 256 } … … 416 410 if( sd->secret == NULL ) 417 411 { 418 msn_auth_got_passport_token( ic, NULL, sd->error ? sd->error : soap_req->error);412 msn_auth_got_passport_token( ic, NULL, sd->error ); 419 413 return MSN_SOAP_OK; 420 414 } -
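Review bot: At new line 412 `msn_auth_got_passport_token( ic, NULL, sd->error )` is reached whenever `sd->secret` is NULL, which includes the case where the HTTP request itself failed (the non-200 path that used to fill `soap_req->error`); the old side's `sd->error ? … : …` shows `sd->error` can be NULL there, so the callee now receives no message and the user gets no hint why login failed. Passing a fixed fallback, `sd->error ? sd->error : "HTTP request failed"`, keeps the failure visible without reintroducing the field. The handler starts outside the hunk, so I cannot confirm whether `sd->error` is set for transport failures.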
protocols/skype/skype.c
r164352e re306fbf 1157 1157 } 1158 1158 1159 gboolean skype_connected(gpointer data, int returncode,void *source, b_input_condition cond)1159 gboolean skype_connected(gpointer data, void *source, b_input_condition cond) 1160 1160 { 1161 1161 struct im_connection *ic = data; … … 1185 1185 imcb_log(ic, "Connecting"); 1186 1186 sd->ssl = ssl_connect(set_getstr(&acc->set, "server"), 1187 set_getint(&acc->set, "port"), FALSE,skype_connected, ic);1187 set_getint(&acc->set, "port"), skype_connected, ic); 1188 1188 sd->fd = sd->ssl ? ssl_getfd(sd->ssl) : -1; 1189 1189 sd->username = g_strdup(acc->user); -
unix.c
r164352e re306fbf 41 41 #include <pwd.h> 42 42 #include <locale.h> 43 #include <grp.h>44 43 45 44 #if defined(OTR_BI) || defined(OTR_PI) … … 153 152 if( pw ) 154 153 { 155 initgroups( global.conf->user, pw->pw_gid );156 154 setgid( pw->pw_gid ); 157 155 setuid( pw->pw_uid ); 158 }159 else160 {161 log_message( LOGLVL_WARNING, "Failed to look up user %s.", global.conf->user );162 156 } 163 157 }
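Review bot: The privilege drop at new lines 154–155 ignores the return values of `setgid()` and `setuid()` and, without `initgroups()`/`setgroups()`, keeps whatever supplementary groups the process started with, so a failed call leaves the daemon running with its original privileges while the code path assumes they were dropped, and even a successful one retains the invoking user's group memberships. The `else` branch is also gone, so a lookup failure (`pw == NULL`, e.g. a typo in `global.conf->user`) now falls through silently and the daemon keeps running as the invoking user. Check both calls — `if( setgid( pw->pw_gid ) != 0 || setuid( pw->pw_uid ) != 0 ) { log_message( LOGLVL_WARNING, "Failed to drop privileges: %s", strerror( errno ) ); exit( 1 ); }` — and log or refuse to start when the lookup fails. The enclosing function starts outside the hunk.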