src/common/ssl.c

   1 /*
   2  * Sylpheed -- a GTK+ based, lightweight, and fast e-mail client
   3  * Copyright (C) 1999-2007 Hiroyuki Yamamoto and the Claws Mail team
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License as published by
   7  * the Free Software Foundation; either version 3 of the License, or
   8  * (at your option) any later version.
   9  *
  10  * This program is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13  * GNU General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU General Public License
  16  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  17  *
  18  */
  19
  20 #ifdef HAVE_CONFIG_H
  21 #  include "config.h"
  22 #endif
  23
  24 #if (defined(USE_OPENSSL) || defined (USE_GNUTLS))
  25 #include "defs.h"
  26
  27 #include <glib.h>
  28 #include <glib/gi18n.h>
  29
  30 #include "claws.h"
  31 #include "utils.h"
  32 #include "ssl.h"
  33 #include "ssl_certificate.h"
  34
  35 #ifdef HAVE_LIBETPAN
  36 #include <libetpan/mailstream_ssl.h>
  37 #endif
  38
  39 #ifdef USE_PTHREAD
  40 #include <pthread.h>
  41 #endif
  42
  43 #ifdef USE_PTHREAD
  44 typedef struct _thread_data {
  45 #ifdef USE_OPENSSL
  46         SSL *ssl;
  47 #else
  48         gnutls_session ssl;
  49 #endif
  50         gboolean done;
  51 } thread_data;
  52 #endif
  53
  54
  55 #ifdef USE_OPENSSL
  56 static SSL_CTX *ssl_ctx;
  57 #endif
  58
  59 void ssl_init(void)
  60 {
  61 #ifdef USE_OPENSSL
  62         SSL_METHOD *meth;
  63
  64         /* Global system initialization*/
  65         SSL_library_init();
  66         SSL_load_error_strings();
  67
  68 #ifdef HAVE_LIBETPAN
  69         mailstream_openssl_init_not_required();
  70 #endif
  71
  72         /* Create our context*/
  73         meth = SSLv23_client_method();
  74         ssl_ctx = SSL_CTX_new(meth);
  75
  76         /* Set default certificate paths */
  77         SSL_CTX_set_default_verify_paths(ssl_ctx);
  78
  79 #if (OPENSSL_VERSION_NUMBER < 0x0090600fL)
  80         SSL_CTX_set_verify_depth(ssl_ctx,1);
  81 #endif
  82 #else
  83         gnutls_global_init();
  84 #endif
  85 }
  86
  87 void ssl_done(void)
  88 {
  89 #if USE_OPENSSL
  90         if (!ssl_ctx)
  91                 return;
  92
  93         SSL_CTX_free(ssl_ctx);
  94 #else
  95         gnutls_global_deinit();
  96 #endif
  97 }
  98
  99 #ifdef USE_PTHREAD
 100 static void *SSL_connect_thread(void *data)
 101 {
 102         thread_data *td = (thread_data *)data;
 103         int result = -1;
 104
 105         pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL);
 106         pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, NULL);
 107
 108 #ifdef USE_OPENSSL
 109         result = SSL_connect(td->ssl);
 110 #else
 111         do {
 112                 result = gnutls_handshake(td->ssl);
 113         } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
 114 #endif
 115         td->done = TRUE; /* let the caller thread join() */
 116         return GINT_TO_POINTER(result);
 117 }
 118 #endif
 119
 120 #ifdef USE_OPENSSL
 121 static gint SSL_connect_nb(SSL *ssl)
 122 #else
 123 static gint SSL_connect_nb(gnutls_session ssl)
 124 #endif
 125 {
 126 #ifdef USE_PTHREAD
 127         thread_data *td = g_new0(thread_data, 1);
 128         pthread_t pt;
 129         pthread_attr_t pta;
 130         void *res = NULL;
 131 #ifdef USE_GNUTLS
 132         int result;
 133 #endif
 134         time_t start_time = time(NULL);
 135         gboolean killed = FALSE;
 136
 137         td->ssl  = ssl;
 138         td->done = FALSE;
 139
 140         /* try to create a thread to initialize the SSL connection,
 141          * fallback to blocking method in case of problem
 142          */
 143         if (pthread_attr_init(&pta) != 0 ||
 144             pthread_attr_setdetachstate(&pta, PTHREAD_CREATE_JOINABLE) != 0 ||
 145             pthread_create(&pt, &pta, SSL_connect_thread, td) != 0) {
 146 #ifdef USE_OPENSSL
 147                 return SSL_connect(ssl);
 148 #else
 149                 do {
 150                         result = gnutls_handshake(td->ssl);
 151                 } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
 152                 return result;
 153 #endif
 154         }
 155         debug_print("waiting for SSL_connect thread...\n");
 156         while(!td->done) {
 157                 /* don't let the interface freeze while waiting */
 158                 claws_do_idle();
 159                 if (time(NULL) - start_time > 30) {
 160                         pthread_cancel(pt);
 161                         td->done = TRUE;
 162                         killed = TRUE;
 163                 }
 164         }
 165
 166         /* get the thread's return value and clean its resources */
 167         pthread_join(pt, &res);
 168         g_free(td);
 169
 170         if (killed) {
 171                 res = GINT_TO_POINTER(-1);
 172         }
 173         debug_print("SSL_connect thread returned %d\n",
 174                         GPOINTER_TO_INT(res));
 175
 176         return GPOINTER_TO_INT(res);
 177 #else
 178 #ifdef USE_OPENSSL
 179         return SSL_connect(ssl);
 180 #else
 181         do {
 182                 result = gnutls_handshake(td->ssl);
 183         } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
 184 #endif
 185 #endif
 186 }
 187
 188 gboolean ssl_init_socket(SockInfo *sockinfo)
 189 {
 190         return ssl_init_socket_with_method(sockinfo, SSL_METHOD_SSLv23);
 191 }
 192
 193 #ifdef USE_GNUTLS
 194 static const gchar *ssl_get_cert_file(void)
 195 {
 196         if (g_getenv("SSL_CERT_FILE"))
 197                 return g_getenv("SSL_CERT_FILE");
 198 #ifndef G_OS_WIN32
 199         return "/etc/ssl/certs/ca-certificates.crt";
 200 #else
 201         return "put_what_s_needed_here";
 202 #endif
 203 }
 204 #endif
 205
 206 gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
 207 {
 208 #ifdef USE_OPENSSL
 209         X509 *server_cert;
 210         SSL *ssl;
 211
 212         ssl = SSL_new(ssl_ctx);
 213         if (ssl == NULL) {
 214                 g_warning(_("Error creating ssl context\n"));
 215                 return FALSE;
 216         }
 217
 218         switch (method) {
 219         case SSL_METHOD_SSLv23:
 220                 debug_print("Setting SSLv23 client method\n");
 221                 SSL_set_ssl_method(ssl, SSLv23_client_method());
 222                 break;
 223         case SSL_METHOD_TLSv1:
 224                 debug_print("Setting TLSv1 client method\n");
 225                 SSL_set_ssl_method(ssl, TLSv1_client_method());
 226                 break;
 227         default:
 228                 break;
 229         }
 230
 231         SSL_set_fd(ssl, sockinfo->sock);
 232         if (SSL_connect_nb(ssl) == -1) {
 233                 g_warning(_("SSL connect failed (%s)\n"),
 234                             ERR_error_string(ERR_get_error(), NULL));
 235                 SSL_free(ssl);
 236                 return FALSE;
 237         }
 238
 239         /* Get the cipher */
 240
 241         debug_print("SSL connection using %s\n", SSL_get_cipher(ssl));
 242
 243         /* Get server's certificate (note: beware of dynamic allocation) */
 244         if ((server_cert = SSL_get_peer_certificate(ssl)) == NULL) {
 245                 debug_print("server_cert is NULL ! this _should_not_ happen !\n");
 246                 SSL_free(ssl);
 247                 return FALSE;
 248         }
 249
 250
 251         if (!ssl_certificate_check(server_cert, sockinfo->canonical_name, sockinfo->hostname, sockinfo->port)) {
 252                 X509_free(server_cert);
 253                 SSL_free(ssl);
 254                 return FALSE;
 255         }
 256
 257
 258         X509_free(server_cert);
 259         sockinfo->ssl = ssl;
 260 #else
 261         gnutls_session session;
 262         int r;
 263         const int cipher_prio[] = { GNUTLS_CIPHER_AES_128_CBC,
 264                                 GNUTLS_CIPHER_3DES_CBC,
 265                                 GNUTLS_CIPHER_AES_256_CBC,
 266                                 GNUTLS_CIPHER_ARCFOUR_128, 0 };
 267         const int kx_prio[] = { GNUTLS_KX_DHE_RSA,
 268                            GNUTLS_KX_RSA,
 269                            GNUTLS_KX_DHE_DSS, 0 };
 270         const int mac_prio[] = { GNUTLS_MAC_SHA1,
 271                                 GNUTLS_MAC_MD5, 0 };
 272         const int proto_prio[] = { GNUTLS_TLS1,
 273                                   GNUTLS_SSL3, 0 };
 274         const gnutls_datum *raw_cert_list;
 275         unsigned int raw_cert_list_length;
 276         gnutls_x509_crt cert = NULL;
 277         guint status;
 278         gnutls_certificate_credentials_t xcred;
 279
 280         if (gnutls_certificate_allocate_credentials (&xcred) != 0)
 281                 return FALSE;
 282
 283         r = gnutls_init(&session, GNUTLS_CLIENT);
 284         if (session == NULL || r != 0)
 285                 return FALSE;
 286
 287         gnutls_set_default_priority(session);
 288         gnutls_protocol_set_priority (session, proto_prio);
 289         gnutls_cipher_set_priority (session, cipher_prio);
 290         gnutls_kx_set_priority (session, kx_prio);
 291         gnutls_mac_set_priority (session, mac_prio);
 292
 293         gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
 294
 295         r = gnutls_certificate_set_x509_trust_file(xcred, ssl_get_cert_file(),  GNUTLS_X509_FMT_PEM);
 296         if (r < 0)
 297                 g_warning("Can't read SSL_CERT_FILE %s: %s\n",
 298                         ssl_get_cert_file(),
 299                         gnutls_strerror(r));
 300
 301         gnutls_certificate_set_verify_flags (xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
 302
 303         gnutls_transport_set_ptr(session, (gnutls_transport_ptr)
 304                 sockinfo->sock);
 305
 306         gnutls_dh_set_prime_bits(session, 512);
 307
 308         if ((r = SSL_connect_nb(session)) < 0) {
 309                 g_warning("SSL connection failed (%s)", gnutls_strerror(r));
 310                 gnutls_certificate_free_credentials(xcred);
 311                 gnutls_deinit(session);
 312                 return FALSE;
 313         }
 314
 315         /* Get server's certificate (note: beware of dynamic allocation) */
 316         raw_cert_list = gnutls_certificate_get_peers(session, &raw_cert_list_length);
 317
 318         if (!raw_cert_list
 319         ||  gnutls_certificate_type_get(session) != GNUTLS_CRT_X509
 320         ||  (r = gnutls_x509_crt_init(&cert)) < 0
 321         ||  (r = gnutls_x509_crt_import(cert, &raw_cert_list[0], GNUTLS_X509_FMT_DER)) < 0) {
 322                 g_warning("cert get failure: %d %s\n", r, gnutls_strerror(r));
 323                 gnutls_certificate_free_credentials(xcred);
 324                 gnutls_deinit(session);
 325                 return FALSE;
 326         }
 327
 328         r = gnutls_certificate_verify_peers2(session, &status);
 329
 330         if (!ssl_certificate_check(cert, status, sockinfo->canonical_name, sockinfo->hostname, sockinfo->port)) {
 331                 gnutls_x509_crt_deinit(cert);
 332                 gnutls_certificate_free_credentials(xcred);
 333                 gnutls_deinit(session);
 334                 return FALSE;
 335         }
 336
 337         gnutls_x509_crt_deinit(cert);
 338
 339         sockinfo->ssl = session;
 340         sockinfo->xcred = xcred;
 341 #endif
 342         return TRUE;
 343 }
 344
 345 void ssl_done_socket(SockInfo *sockinfo)
 346 {
 347         if (sockinfo && sockinfo->ssl) {
 348 #ifdef USE_OPENSSL
 349                 SSL_free(sockinfo->ssl);
 350 #else
 351                 gnutls_certificate_free_credentials(sockinfo->xcred);
 352                 gnutls_deinit(sockinfo->ssl);
 353 #endif
 354                 sockinfo->ssl = NULL;
 355         }
 356 }
 357
 358 #endif /* USE_OPENSSL */