bdf2b3e9a893248296e4ef54f747b5a1bdf2e66f
[claws.git] / src / common / ssl.c
1 /*
2  * Sylpheed -- a GTK+ based, lightweight, and fast e-mail client
3  * Copyright (C) 1999-2007 Hiroyuki Yamamoto and the Claws Mail team
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License as published by
7  * the Free Software Foundation; either version 3 of the License, or
8  * (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program. If not, see <http://www.gnu.org/licenses/>.
17  * 
18  */
19
20 #ifdef HAVE_CONFIG_H
21 #  include "config.h"
22 #endif
23
24 #if (defined(USE_OPENSSL) || defined (USE_GNUTLS))
25 #include "defs.h"
26
27 #include <glib.h>
28 #include <glib/gi18n.h>
29
30 #include "claws.h"
31 #include "utils.h"
32 #include "ssl.h"
33 #include "ssl_certificate.h"
34
35 #ifdef HAVE_LIBETPAN
36 #include <libetpan/mailstream_ssl.h>
37 #endif
38
39 #ifdef USE_PTHREAD
40 #include <pthread.h>
41 #endif
42
43 #ifdef USE_PTHREAD
44 typedef struct _thread_data {
45 #ifdef USE_OPENSSL
46         SSL *ssl;
47 #else
48         gnutls_session ssl;
49 #endif
50         gboolean done;
51 } thread_data;
52 #endif
53
54
55 #ifdef USE_OPENSSL
56 static SSL_CTX *ssl_ctx;
57 #endif
58
59 void ssl_init(void)
60 {
61 #ifdef USE_OPENSSL
62         SSL_METHOD *meth;
63
64         /* Global system initialization*/
65         SSL_library_init();
66         SSL_load_error_strings();
67
68 #ifdef HAVE_LIBETPAN
69         mailstream_openssl_init_not_required();
70 #endif  
71
72         /* Create our context*/
73         meth = SSLv23_client_method();
74         ssl_ctx = SSL_CTX_new(meth);
75
76         /* Set default certificate paths */
77         SSL_CTX_set_default_verify_paths(ssl_ctx);
78         
79 #if (OPENSSL_VERSION_NUMBER < 0x0090600fL)
80         SSL_CTX_set_verify_depth(ssl_ctx,1);
81 #endif
82 #else
83         gnutls_global_init();
84 #endif
85 }
86
87 void ssl_done(void)
88 {
89 #if USE_OPENSSL
90         if (!ssl_ctx)
91                 return;
92         
93         SSL_CTX_free(ssl_ctx);
94 #else
95         gnutls_global_deinit();
96 #endif
97 }
98
99 #ifdef USE_PTHREAD
100 static void *SSL_connect_thread(void *data)
101 {
102         thread_data *td = (thread_data *)data;
103         int result = -1;
104
105         pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL);
106         pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, NULL);
107
108 #ifdef USE_OPENSSL
109         result = SSL_connect(td->ssl);
110 #else
111         do {
112                 result = gnutls_handshake(td->ssl);
113         } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
114 #endif
115         td->done = TRUE; /* let the caller thread join() */
116         return GINT_TO_POINTER(result);
117 }
118 #endif
119
120 #ifdef USE_OPENSSL
121 static gint SSL_connect_nb(SSL *ssl)
122 #else
123 static gint SSL_connect_nb(gnutls_session ssl)
124 #endif
125 {
126 #if (defined USE_PTHREAD && ((defined __GLIBC__ && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 3))) || !defined __GLIBC__))
127         thread_data *td = g_new0(thread_data, 1);
128         pthread_t pt;
129         void *res = NULL;
130 #ifdef USE_GNUTLS
131         int result;
132 #endif
133         time_t start_time = time(NULL);
134         gboolean killed = FALSE;
135         
136         td->ssl  = ssl;
137         td->done = FALSE;
138         
139         /* try to create a thread to initialize the SSL connection,
140          * fallback to blocking method in case of problem 
141          */
142         if (pthread_create(&pt, PTHREAD_CREATE_JOINABLE, 
143                         SSL_connect_thread, td) != 0) {
144 #ifdef USE_OPENSSL
145                 return SSL_connect(ssl);
146 #else
147                 do {
148                         result = gnutls_handshake(td->ssl);
149                 } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
150 #endif
151         }
152         debug_print("waiting for SSL_connect thread...\n");
153         while(!td->done) {
154                 /* don't let the interface freeze while waiting */
155                 claws_do_idle();
156                 if (time(NULL) - start_time > 30) {
157                         pthread_cancel(pt);
158                         td->done = TRUE;
159                         killed = TRUE;
160                 }
161         }
162
163         /* get the thread's return value and clean its resources */
164         pthread_join(pt, &res);
165         g_free(td);
166         
167         if (killed) {
168                 res = GINT_TO_POINTER(-1);
169         }
170         debug_print("SSL_connect thread returned %d\n", 
171                         GPOINTER_TO_INT(res));
172         
173         return GPOINTER_TO_INT(res);
174 #else
175 #ifdef USE_OPENSSL
176         return SSL_connect(ssl);
177 #else
178         do {
179                 result = gnutls_handshake(td->ssl);
180         } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
181 #endif
182 #endif
183 }
184
185 gboolean ssl_init_socket(SockInfo *sockinfo)
186 {
187         return ssl_init_socket_with_method(sockinfo, SSL_METHOD_SSLv23);
188 }
189
190 #ifdef USE_GNUTLS
191 static const gchar *ssl_get_cert_file(void)
192 {
193         if (g_getenv("SSL_CERT_FILE"))
194                 return g_getenv("SSL_CERT_FILE");
195 #ifndef G_OS_WIN32
196         return "/etc/ssl/certs/ca-certificates.crt";
197 #else
198         return "put_what_s_needed_here";
199 #endif
200 }
201 #endif
202
203 gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
204 {
205 #ifdef USE_OPENSSL
206         X509 *server_cert;
207         SSL *ssl;
208
209         ssl = SSL_new(ssl_ctx);
210         if (ssl == NULL) {
211                 g_warning(_("Error creating ssl context\n"));
212                 return FALSE;
213         }
214
215         switch (method) {
216         case SSL_METHOD_SSLv23:
217                 debug_print("Setting SSLv23 client method\n");
218                 SSL_set_ssl_method(ssl, SSLv23_client_method());
219                 break;
220         case SSL_METHOD_TLSv1:
221                 debug_print("Setting TLSv1 client method\n");
222                 SSL_set_ssl_method(ssl, TLSv1_client_method());
223                 break;
224         default:
225                 break;
226         }
227
228         SSL_set_fd(ssl, sockinfo->sock);
229         if (SSL_connect_nb(ssl) == -1) {
230                 g_warning(_("SSL connect failed (%s)\n"),
231                             ERR_error_string(ERR_get_error(), NULL));
232                 SSL_free(ssl);
233                 return FALSE;
234         }
235
236         /* Get the cipher */
237
238         debug_print("SSL connection using %s\n", SSL_get_cipher(ssl));
239
240         /* Get server's certificate (note: beware of dynamic allocation) */
241         if ((server_cert = SSL_get_peer_certificate(ssl)) == NULL) {
242                 debug_print("server_cert is NULL ! this _should_not_ happen !\n");
243                 SSL_free(ssl);
244                 return FALSE;
245         }
246
247
248         if (!ssl_certificate_check(server_cert, sockinfo->canonical_name, sockinfo->hostname, sockinfo->port)) {
249                 X509_free(server_cert);
250                 SSL_free(ssl);
251                 return FALSE;
252         }
253
254
255         X509_free(server_cert);
256         sockinfo->ssl = ssl;
257 #else
258         gnutls_session session;
259         int r;
260         const int cipher_prio[] = { GNUTLS_CIPHER_AES_128_CBC,
261                                 GNUTLS_CIPHER_3DES_CBC,
262                                 GNUTLS_CIPHER_AES_256_CBC,
263                                 GNUTLS_CIPHER_ARCFOUR_128, 0 };
264         const int kx_prio[] = { GNUTLS_KX_DHE_RSA,
265                            GNUTLS_KX_RSA, 
266                            GNUTLS_KX_DHE_DSS, 0 };
267         const int mac_prio[] = { GNUTLS_MAC_SHA1,
268                                 GNUTLS_MAC_MD5, 0 };
269         const int proto_prio[] = { GNUTLS_TLS1,
270                                   GNUTLS_SSL3, 0 };
271         const gnutls_datum *raw_cert_list;
272         unsigned int raw_cert_list_length;
273         gnutls_x509_crt cert = NULL;
274         guint status;
275         gnutls_certificate_credentials_t xcred;
276
277         if (gnutls_certificate_allocate_credentials (&xcred) != 0)
278                 return FALSE;
279
280         r = gnutls_init(&session, GNUTLS_CLIENT);
281         if (session == NULL || r != 0)
282                 return FALSE;
283   
284         gnutls_set_default_priority(session);
285         gnutls_protocol_set_priority (session, proto_prio);
286         gnutls_cipher_set_priority (session, cipher_prio);
287         gnutls_kx_set_priority (session, kx_prio);
288         gnutls_mac_set_priority (session, mac_prio);
289
290         gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
291
292         r = gnutls_certificate_set_x509_trust_file(xcred, ssl_get_cert_file(),  GNUTLS_X509_FMT_PEM);
293         if (r < 0)
294                 g_warning("Can't read SSL_CERT_FILE %s: %s\n",
295                         ssl_get_cert_file(), 
296                         gnutls_strerror(r));
297
298         gnutls_certificate_set_verify_flags (xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
299
300         gnutls_transport_set_ptr(session, (gnutls_transport_ptr) 
301                 sockinfo->sock);
302
303         if ((r = SSL_connect_nb(session)) < 0) {
304                 g_warning("SSL connection failed (%s)", gnutls_strerror(r));
305                 gnutls_deinit(session);
306                 return FALSE;
307         }
308
309         /* Get server's certificate (note: beware of dynamic allocation) */
310         raw_cert_list = gnutls_certificate_get_peers(session, &raw_cert_list_length);
311
312         if (!raw_cert_list 
313         ||  gnutls_certificate_type_get(session) != GNUTLS_CRT_X509
314         ||  (r = gnutls_x509_crt_init(&cert)) < 0
315         ||  (r = gnutls_x509_crt_import(cert, &raw_cert_list[0], GNUTLS_X509_FMT_DER)) < 0) {
316                 g_warning("cert get failure: %d %s\n", r, gnutls_strerror(r));
317                 gnutls_deinit(session);
318                 return FALSE;
319         }
320
321         r = gnutls_certificate_verify_peers2(session, &status);
322
323         if (!ssl_certificate_check(cert, status, sockinfo->canonical_name, sockinfo->hostname, sockinfo->port)) {
324                 gnutls_x509_crt_deinit(cert);
325                 gnutls_deinit(session);
326                 return FALSE;
327         }
328
329         gnutls_x509_crt_deinit(cert);
330
331         sockinfo->ssl = session;
332 #endif
333         return TRUE;
334 }
335
336 void ssl_done_socket(SockInfo *sockinfo)
337 {
338         if (sockinfo && sockinfo->ssl) {
339 #ifdef USE_OPENSSL
340                 SSL_free(sockinfo->ssl);
341 #else
342                 gnutls_deinit(sockinfo->ssl);
343 #endif
344                 sockinfo->ssl = NULL;
345         }
346 }
347
348 #endif /* USE_OPENSSL */