2 * Sylpheed -- a GTK+ based, lightweight, and fast e-mail client
3 * Copyright (C) 1999-2007 Hiroyuki Yamamoto and the Claws Mail team
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 3 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #if (defined(USE_OPENSSL) || defined (USE_GNUTLS))
28 #include <glib/gi18n.h>
33 #include "ssl_certificate.h"
36 #include <libetpan/mailstream_ssl.h>
44 typedef struct _thread_data {
56 static SSL_CTX *ssl_ctx;
64 /* Global system initialization*/
66 SSL_load_error_strings();
69 mailstream_openssl_init_not_required();
72 /* Create our context*/
73 meth = SSLv23_client_method();
74 ssl_ctx = SSL_CTX_new(meth);
76 /* Set default certificate paths */
77 SSL_CTX_set_default_verify_paths(ssl_ctx);
79 #if (OPENSSL_VERSION_NUMBER < 0x0090600fL)
80 SSL_CTX_set_verify_depth(ssl_ctx,1);
93 SSL_CTX_free(ssl_ctx);
95 gnutls_global_deinit();
100 static void *SSL_connect_thread(void *data)
102 thread_data *td = (thread_data *)data;
105 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL);
106 pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, NULL);
109 result = SSL_connect(td->ssl);
112 result = gnutls_handshake(td->ssl);
113 } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
115 td->done = TRUE; /* let the caller thread join() */
116 return GINT_TO_POINTER(result);
121 static gint SSL_connect_nb(SSL *ssl)
123 static gint SSL_connect_nb(gnutls_session ssl)
127 thread_data *td = g_new0(thread_data, 1);
134 time_t start_time = time(NULL);
135 gboolean killed = FALSE;
140 /* try to create a thread to initialize the SSL connection,
141 * fallback to blocking method in case of problem
143 if (pthread_attr_init(&pta) != 0 ||
144 pthread_attr_setdetachstate(&pta, PTHREAD_CREATE_JOINABLE) != 0 ||
145 pthread_create(&pt, &pta, SSL_connect_thread, td) != 0) {
147 return SSL_connect(ssl);
150 result = gnutls_handshake(td->ssl);
151 } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
155 debug_print("waiting for SSL_connect thread...\n");
157 /* don't let the interface freeze while waiting */
159 if (time(NULL) - start_time > 30) {
166 /* get the thread's return value and clean its resources */
167 pthread_join(pt, &res);
171 res = GINT_TO_POINTER(-1);
173 debug_print("SSL_connect thread returned %d\n",
174 GPOINTER_TO_INT(res));
176 return GPOINTER_TO_INT(res);
179 return SSL_connect(ssl);
182 result = gnutls_handshake(td->ssl);
183 } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
188 gboolean ssl_init_socket(SockInfo *sockinfo)
190 return ssl_init_socket_with_method(sockinfo, SSL_METHOD_SSLv23);
194 static const gchar *ssl_get_cert_file(void)
196 if (g_getenv("SSL_CERT_FILE"))
197 return g_getenv("SSL_CERT_FILE");
199 return "/etc/ssl/certs/ca-certificates.crt";
201 return "put_what_s_needed_here";
206 gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
212 ssl = SSL_new(ssl_ctx);
214 g_warning(_("Error creating ssl context\n"));
219 case SSL_METHOD_SSLv23:
220 debug_print("Setting SSLv23 client method\n");
221 SSL_set_ssl_method(ssl, SSLv23_client_method());
223 case SSL_METHOD_TLSv1:
224 debug_print("Setting TLSv1 client method\n");
225 SSL_set_ssl_method(ssl, TLSv1_client_method());
231 SSL_set_fd(ssl, sockinfo->sock);
232 if (SSL_connect_nb(ssl) == -1) {
233 g_warning(_("SSL connect failed (%s)\n"),
234 ERR_error_string(ERR_get_error(), NULL));
241 debug_print("SSL connection using %s\n", SSL_get_cipher(ssl));
243 /* Get server's certificate (note: beware of dynamic allocation) */
244 if ((server_cert = SSL_get_peer_certificate(ssl)) == NULL) {
245 debug_print("server_cert is NULL ! this _should_not_ happen !\n");
251 if (!ssl_certificate_check(server_cert, sockinfo->canonical_name, sockinfo->hostname, sockinfo->port)) {
252 X509_free(server_cert);
258 X509_free(server_cert);
261 gnutls_session session;
263 const int cipher_prio[] = { GNUTLS_CIPHER_AES_128_CBC,
264 GNUTLS_CIPHER_3DES_CBC,
265 GNUTLS_CIPHER_AES_256_CBC,
266 GNUTLS_CIPHER_ARCFOUR_128, 0 };
267 const int kx_prio[] = { GNUTLS_KX_DHE_RSA,
269 GNUTLS_KX_DHE_DSS, 0 };
270 const int mac_prio[] = { GNUTLS_MAC_SHA1,
272 const int proto_prio[] = { GNUTLS_TLS1,
274 const gnutls_datum *raw_cert_list;
275 unsigned int raw_cert_list_length;
276 gnutls_x509_crt cert = NULL;
278 gnutls_certificate_credentials_t xcred;
280 if (gnutls_certificate_allocate_credentials (&xcred) != 0)
283 r = gnutls_init(&session, GNUTLS_CLIENT);
284 if (session == NULL || r != 0)
287 gnutls_set_default_priority(session);
288 gnutls_protocol_set_priority (session, proto_prio);
289 gnutls_cipher_set_priority (session, cipher_prio);
290 gnutls_kx_set_priority (session, kx_prio);
291 gnutls_mac_set_priority (session, mac_prio);
293 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
295 r = gnutls_certificate_set_x509_trust_file(xcred, ssl_get_cert_file(), GNUTLS_X509_FMT_PEM);
297 g_warning("Can't read SSL_CERT_FILE %s: %s\n",
301 gnutls_certificate_set_verify_flags (xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
303 gnutls_transport_set_ptr(session, (gnutls_transport_ptr)
306 gnutls_dh_set_prime_bits(session, 512);
308 if ((r = SSL_connect_nb(session)) < 0) {
309 g_warning("SSL connection failed (%s)", gnutls_strerror(r));
310 gnutls_certificate_free_credentials(xcred);
311 gnutls_deinit(session);
315 /* Get server's certificate (note: beware of dynamic allocation) */
316 raw_cert_list = gnutls_certificate_get_peers(session, &raw_cert_list_length);
319 || gnutls_certificate_type_get(session) != GNUTLS_CRT_X509
320 || (r = gnutls_x509_crt_init(&cert)) < 0
321 || (r = gnutls_x509_crt_import(cert, &raw_cert_list[0], GNUTLS_X509_FMT_DER)) < 0) {
322 g_warning("cert get failure: %d %s\n", r, gnutls_strerror(r));
323 gnutls_certificate_free_credentials(xcred);
324 gnutls_deinit(session);
328 r = gnutls_certificate_verify_peers2(session, &status);
330 if (!ssl_certificate_check(cert, status, sockinfo->canonical_name, sockinfo->hostname, sockinfo->port)) {
331 gnutls_x509_crt_deinit(cert);
332 gnutls_certificate_free_credentials(xcred);
333 gnutls_deinit(session);
337 gnutls_x509_crt_deinit(cert);
339 sockinfo->ssl = session;
340 sockinfo->xcred = xcred;
345 void ssl_done_socket(SockInfo *sockinfo)
347 if (sockinfo && sockinfo->ssl) {
349 SSL_free(sockinfo->ssl);
351 gnutls_certificate_free_credentials(sockinfo->xcred);
352 gnutls_deinit(sockinfo->ssl);
354 sockinfo->ssl = NULL;
358 #endif /* USE_OPENSSL */