2012-09-19 [colin] 3.8.1cvs64
[claws.git] / src / common / ssl.c
1 /*
2  * Sylpheed -- a GTK+ based, lightweight, and fast e-mail client
3  * Copyright (C) 1999-2012 Hiroyuki Yamamoto and the Claws Mail team
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License as published by
7  * the Free Software Foundation; either version 3 of the License, or
8  * (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program. If not, see <http://www.gnu.org/licenses/>.
17  * 
18  */
19
20 #ifdef HAVE_CONFIG_H
21 #  include "config.h"
22 #include "claws-features.h"
23 #endif
24
25 #ifdef USE_GNUTLS
26 #include "defs.h"
27
28 #include <stdlib.h>
29 #include <glib.h>
30 #include <glib/gi18n.h>
31 #include <errno.h>
32 #include <pthread.h>
33
34 #if GNUTLS_VERSION_NUMBER <= 0x020b00
35 #include <gcrypt.h>
36 GCRY_THREAD_OPTION_PTHREAD_IMPL;
37 #endif
38
39 #include "claws.h"
40 #include "utils.h"
41 #include "ssl.h"
42 #include "ssl_certificate.h"
43 #include "hooks.h"
44
45 #ifdef HAVE_LIBETPAN
46 #include <libetpan/mailstream_ssl.h>
47 #endif
48
49 #ifdef USE_PTHREAD
50 #include <pthread.h>
51 #endif
52
53 #ifdef USE_PTHREAD
54 typedef struct _thread_data {
55         gnutls_session ssl;
56         gboolean done;
57 } thread_data;
58 #endif
59
60 static int gnutls_client_cert_cb(gnutls_session session,
61                                const gnutls_datum *req_ca_rdn, int nreqs,
62                                const gnutls_pk_algorithm *sign_algos,
63                                int sign_algos_length, gnutls_retr_st *st)
64 {
65         SSLClientCertHookData hookdata;
66         SockInfo *sockinfo = (SockInfo *)gnutls_session_get_ptr(session);
67         gnutls_certificate_type type = gnutls_certificate_type_get(session);
68         gnutls_x509_crt crt;
69         gnutls_x509_privkey key;
70
71         st->ncerts = 0;
72
73         hookdata.account = sockinfo->account;
74         hookdata.cert_path = NULL;
75         hookdata.password = NULL;
76         hookdata.is_smtp = sockinfo->is_smtp;
77         hooks_invoke(SSLCERT_GET_CLIENT_CERT_HOOKLIST, &hookdata);      
78
79         if (hookdata.cert_path == NULL)
80                 return 0;
81
82         sockinfo->client_crt = ssl_certificate_get_x509_from_pem_file(hookdata.cert_path);
83         sockinfo->client_key = ssl_certificate_get_pkey_from_pem_file(hookdata.cert_path);
84         if (!(sockinfo->client_crt && sockinfo->client_key)) {
85                 /* try pkcs12 format */
86                 ssl_certificate_get_x509_and_pkey_from_p12_file(hookdata.cert_path, hookdata.password, 
87                         &crt, &key);
88                 sockinfo->client_crt = crt;
89                 sockinfo->client_key = key;
90         }
91
92         if (type == GNUTLS_CRT_X509 && sockinfo->client_crt && sockinfo->client_key) {
93                 st->ncerts = 1;
94                 st->type = type;
95                 st->cert.x509 = &(sockinfo->client_crt);
96                 st->key.x509 = sockinfo->client_key;
97                 st->deinit_all = 0;
98                 return 0;
99         }
100         return 0;
101 }
102
103 const gchar *claws_ssl_get_cert_file(void)
104 {
105         const char *cert_files[]={
106                 "/etc/pki/tls/certs/ca-bundle.crt",
107                 "/etc/certs/ca-bundle.crt",
108                 "/etc/ssl/ca-bundle.pem",
109                 "/usr/share/ssl/certs/ca-bundle.crt",
110                 "/etc/ssl/certs/ca-certificates.crt",
111                 "/usr/local/ssl/certs/ca-bundle.crt",
112                 "/etc/apache/ssl.crt/ca-bundle.crt",
113                 "/usr/share/curl/curl-ca-bundle.crt",
114                 "/usr/share/curl/curl-ca-bundle.crt",
115                 "/usr/lib/ssl/cert.pem",
116                 NULL};
117         int i;
118         
119         if (g_getenv("SSL_CERT_FILE"))
120                 return g_getenv("SSL_CERT_FILE");
121 #ifndef G_OS_WIN32
122         for (i = 0; cert_files[i]; i++) {
123                 if (is_file_exist(cert_files[i]))
124                         return cert_files[i];
125         }
126         return NULL;
127 #else
128         return get_cert_file();
129 #endif
130 }
131
132 const gchar *claws_ssl_get_cert_dir(void)
133 {
134         const char *cert_dirs[]={
135                 "/etc/pki/tls/certs",
136                 "/etc/certs",
137                 "/usr/share/ssl/certs",
138                 "/etc/ssl/certs",
139                 "/usr/local/ssl/certs",
140                 "/etc/apache/ssl.crt",
141                 "/usr/share/curl",
142                 "/usr/lib/ssl/certs",
143                 NULL};
144         int i;
145         
146         if (g_getenv("SSL_CERT_DIR"))
147                 return g_getenv("SSL_CERT_DIR");
148 #ifndef G_OS_WIN32
149         for (i = 0; cert_dirs[i]; i++) {
150                 if (is_dir_exist(cert_dirs[i]))
151                         return cert_dirs[i];
152         }
153         return NULL;
154 #else
155         return NULL;
156 #endif
157 }
158
159 void ssl_init(void)
160 {
161 #if GNUTLS_VERSION_NUMBER <= 0x020b00
162         gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
163 #endif
164 #ifdef HAVE_LIBETPAN
165         mailstream_gnutls_init_not_required();
166 #endif  
167         gnutls_global_init();
168 }
169
170 void ssl_done(void)
171 {
172         gnutls_global_deinit();
173 }
174
175 #ifdef USE_PTHREAD
176 static void *SSL_connect_thread(void *data)
177 {
178         thread_data *td = (thread_data *)data;
179         int result = -1;
180
181         pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL);
182         pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, NULL);
183
184         do {
185                 result = gnutls_handshake(td->ssl);
186         } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
187
188         td->done = TRUE; /* let the caller thread join() */
189         return GINT_TO_POINTER(result);
190 }
191 #endif
192
193 static gint SSL_connect_nb(gnutls_session ssl)
194 {
195         int result;
196 #ifdef USE_PTHREAD
197         thread_data *td = g_new0(thread_data, 1);
198         pthread_t pt;
199         pthread_attr_t pta;
200         void *res = NULL;
201         time_t start_time = time(NULL);
202         gboolean killed = FALSE;
203         
204         td->ssl  = ssl;
205         td->done = FALSE;
206         
207         /* try to create a thread to initialize the SSL connection,
208          * fallback to blocking method in case of problem 
209          */
210         if (pthread_attr_init(&pta) != 0 ||
211             pthread_attr_setdetachstate(&pta, PTHREAD_CREATE_JOINABLE) != 0 ||
212             pthread_create(&pt, &pta, SSL_connect_thread, td) != 0) {
213                 do {
214                         result = gnutls_handshake(td->ssl);
215                 } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
216                 return result;
217         }
218         debug_print("waiting for SSL_connect thread...\n");
219         while(!td->done) {
220                 /* don't let the interface freeze while waiting */
221                 claws_do_idle();
222                 if (time(NULL) - start_time > 30) {
223                         pthread_cancel(pt);
224                         td->done = TRUE;
225                         killed = TRUE;
226                 }
227         }
228
229         /* get the thread's return value and clean its resources */
230         pthread_join(pt, &res);
231         g_free(td);
232         
233         if (killed) {
234                 res = GINT_TO_POINTER(-1);
235         }
236         debug_print("SSL_connect thread returned %d\n", 
237                         GPOINTER_TO_INT(res));
238         
239         return GPOINTER_TO_INT(res);
240 #else /* USE_PTHREAD */
241         do {
242                 result = gnutls_handshake(ssl);
243         } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
244 #endif
245 }
246
247 gboolean ssl_init_socket(SockInfo *sockinfo)
248 {
249         return ssl_init_socket_with_method(sockinfo, SSL_METHOD_SSLv23);
250 }
251
252 gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
253 {
254         gnutls_session session;
255         int r;
256         const gnutls_datum *raw_cert_list;
257         unsigned int raw_cert_list_length;
258         gnutls_x509_crt cert = NULL;
259         guint status;
260         gnutls_certificate_credentials_t xcred;
261
262         if (gnutls_certificate_allocate_credentials (&xcred) != 0)
263                 return FALSE;
264
265         r = gnutls_init(&session, GNUTLS_CLIENT);
266         if (session == NULL || r != 0)
267                 return FALSE;
268
269         if (method == 0)
270                 gnutls_priority_set_direct(session, "NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2", NULL);
271         else
272                 gnutls_priority_set_direct(session, "NORMAL", NULL);
273         gnutls_record_disable_padding(session);
274
275         gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
276
277         if (claws_ssl_get_cert_file()) {
278                 r = gnutls_certificate_set_x509_trust_file(xcred, claws_ssl_get_cert_file(),  GNUTLS_X509_FMT_PEM);
279                 if (r < 0)
280                         g_warning("Can't read SSL_CERT_FILE %s: %s\n",
281                                 claws_ssl_get_cert_file(), 
282                                 gnutls_strerror(r));
283         } else {
284                 debug_print("Can't find SSL ca-certificates file\n");
285         }
286         gnutls_certificate_set_verify_flags (xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
287
288         gnutls_transport_set_ptr(session, (gnutls_transport_ptr) GINT_TO_POINTER(sockinfo->sock));
289         gnutls_session_set_ptr(session, sockinfo);
290         gnutls_certificate_client_set_retrieve_function(xcred, gnutls_client_cert_cb);
291
292         gnutls_dh_set_prime_bits(session, 512);
293
294         if ((r = SSL_connect_nb(session)) < 0) {
295                 g_warning("SSL connection failed (%s)", gnutls_strerror(r));
296                 gnutls_certificate_free_credentials(xcred);
297                 gnutls_deinit(session);
298                 return FALSE;
299         }
300
301         /* Get server's certificate (note: beware of dynamic allocation) */
302         raw_cert_list = gnutls_certificate_get_peers(session, &raw_cert_list_length);
303
304         if (!raw_cert_list 
305         ||  gnutls_certificate_type_get(session) != GNUTLS_CRT_X509
306         ||  (r = gnutls_x509_crt_init(&cert)) < 0
307         ||  (r = gnutls_x509_crt_import(cert, &raw_cert_list[0], GNUTLS_X509_FMT_DER)) < 0) {
308                 g_warning("cert get failure: %d %s\n", r, gnutls_strerror(r));
309                 gnutls_certificate_free_credentials(xcred);
310                 gnutls_deinit(session);
311                 return FALSE;
312         }
313
314         r = gnutls_certificate_verify_peers2(session, &status);
315
316         if (r < 0 || !ssl_certificate_check(cert, status, sockinfo->hostname, sockinfo->port)) {
317                 gnutls_x509_crt_deinit(cert);
318                 gnutls_certificate_free_credentials(xcred);
319                 gnutls_deinit(session);
320                 return FALSE;
321         }
322
323         gnutls_x509_crt_deinit(cert);
324
325         sockinfo->ssl = session;
326         sockinfo->xcred = xcred;
327         return TRUE;
328 }
329
330 void ssl_done_socket(SockInfo *sockinfo)
331 {
332         if (sockinfo && sockinfo->ssl) {
333                 gnutls_certificate_free_credentials(sockinfo->xcred);
334                 gnutls_deinit(sockinfo->ssl);
335                 if (sockinfo->client_crt)
336                         gnutls_x509_crt_deinit(sockinfo->client_crt);
337                 if (sockinfo->client_key)
338                         gnutls_x509_privkey_deinit(sockinfo->client_key);
339                 sockinfo->client_key = NULL;
340                 sockinfo->client_crt = NULL;
341                 sockinfo->ssl = NULL;
342         }
343 }
344
345 #endif /* USE_GNUTLS */