2 * Sylpheed -- a GTK+ based, lightweight, and fast e-mail client
3 * Copyright (C) 1999-2007 Hiroyuki Yamamoto and the Claws Mail team
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 3 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
29 #include <glib/gi18n.h>
33 GCRY_THREAD_OPTION_PTHREAD_IMPL;
38 #include "ssl_certificate.h"
42 #include <libetpan/mailstream_ssl.h>
50 typedef struct _thread_data {
56 static int gnutls_client_cert_cb(gnutls_session session,
57 const gnutls_datum *req_ca_rdn, int nreqs,
58 const gnutls_pk_algorithm *sign_algos,
59 int sign_algos_length, gnutls_retr_st *st)
61 SSLClientCertHookData hookdata;
62 SockInfo *sockinfo = (SockInfo *)gnutls_session_get_ptr(session);
63 gnutls_certificate_type type = gnutls_certificate_type_get(session);
65 gnutls_x509_privkey key;
69 hookdata.account = sockinfo->account;
70 hookdata.cert_path = NULL;
71 hookdata.password = NULL;
72 hookdata.is_smtp = sockinfo->is_smtp;
73 hooks_invoke(SSLCERT_GET_CLIENT_CERT_HOOKLIST, &hookdata);
75 if (hookdata.cert_path == NULL)
78 sockinfo->client_crt = ssl_certificate_get_x509_from_pem_file(hookdata.cert_path);
79 sockinfo->client_key = ssl_certificate_get_pkey_from_pem_file(hookdata.cert_path);
80 if (!(sockinfo->client_crt && sockinfo->client_key)) {
81 /* try pkcs12 format */
82 ssl_certificate_get_x509_and_pkey_from_p12_file(hookdata.cert_path, hookdata.password,
84 sockinfo->client_crt = crt;
85 sockinfo->client_key = key;
88 if (type == GNUTLS_CRT_X509 && sockinfo->client_crt && sockinfo->client_key) {
91 st->cert.x509 = &(sockinfo->client_crt);
92 st->key.x509 = sockinfo->client_key;
99 const gchar *claws_ssl_get_cert_file(void)
101 const char *cert_files[]={
102 "/etc/pki/tls/certs/ca-bundle.crt",
103 "/etc/certs/ca-bundle.crt",
104 "/usr/share/ssl/certs/ca-bundle.crt",
105 "/etc/ssl/certs/ca-certificates.crt",
106 "/usr/local/ssl/certs/ca-bundle.crt",
107 "/etc/apache/ssl.crt/ca-bundle.crt",
108 "/usr/share/curl/curl-ca-bundle.crt",
109 "/usr/share/curl/curl-ca-bundle.crt",
110 "/usr/lib/ssl/cert.pem",
114 if (g_getenv("SSL_CERT_FILE"))
115 return g_getenv("SSL_CERT_FILE");
117 for (i = 0; cert_files[i]; i++) {
118 if (is_file_exist(cert_files[i]))
119 return cert_files[i];
123 const gchar *cert_file = NULL;
124 if (cert_file == NULL)
125 cert_file = g_strconcat(DATAROOTDIR,
127 "ca-certificates.crt",
133 const gchar *claws_ssl_get_cert_dir(void)
135 const char *cert_dirs[]={
136 "/etc/pki/tls/certs",
138 "/usr/share/ssl/certs",
140 "/usr/local/ssl/certs",
141 "/etc/apache/ssl.crt",
143 "/usr/lib/ssl/certs",
147 if (g_getenv("SSL_CERT_DIR"))
148 return g_getenv("SSL_CERT_DIR");
150 for (i = 0; cert_dirs[i]; i++) {
151 if (is_dir_exist(cert_dirs[i]))
156 return "put_what_s_needed_here";
162 gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
164 mailstream_gnutls_init_not_required();
166 gnutls_global_init();
171 gnutls_global_deinit();
175 static void *SSL_connect_thread(void *data)
177 thread_data *td = (thread_data *)data;
180 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL);
181 pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, NULL);
184 result = gnutls_handshake(td->ssl);
185 } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
187 td->done = TRUE; /* let the caller thread join() */
188 return GINT_TO_POINTER(result);
192 static gint SSL_connect_nb(gnutls_session ssl)
196 thread_data *td = g_new0(thread_data, 1);
200 time_t start_time = time(NULL);
201 gboolean killed = FALSE;
206 /* try to create a thread to initialize the SSL connection,
207 * fallback to blocking method in case of problem
209 if (pthread_attr_init(&pta) != 0 ||
210 pthread_attr_setdetachstate(&pta, PTHREAD_CREATE_JOINABLE) != 0 ||
211 pthread_create(&pt, &pta, SSL_connect_thread, td) != 0) {
213 result = gnutls_handshake(td->ssl);
214 } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
217 debug_print("waiting for SSL_connect thread...\n");
219 /* don't let the interface freeze while waiting */
221 if (time(NULL) - start_time > 30) {
228 /* get the thread's return value and clean its resources */
229 pthread_join(pt, &res);
233 res = GINT_TO_POINTER(-1);
235 debug_print("SSL_connect thread returned %d\n",
236 GPOINTER_TO_INT(res));
238 return GPOINTER_TO_INT(res);
239 #else /* USE_PTHREAD */
241 result = gnutls_handshake(ssl);
242 } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
246 gboolean ssl_init_socket(SockInfo *sockinfo)
248 return ssl_init_socket_with_method(sockinfo, SSL_METHOD_SSLv23);
251 gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
253 gnutls_session session;
255 const int cipher_prio[] = { GNUTLS_CIPHER_AES_128_CBC,
256 GNUTLS_CIPHER_3DES_CBC,
257 GNUTLS_CIPHER_AES_256_CBC,
258 GNUTLS_CIPHER_ARCFOUR_128, 0 };
259 const int kx_prio[] = { GNUTLS_KX_DHE_RSA,
261 GNUTLS_KX_DHE_DSS, 0 };
262 const int mac_prio[] = { GNUTLS_MAC_SHA1,
264 const int proto_prio[] = { GNUTLS_TLS1,
266 const gnutls_datum *raw_cert_list;
267 unsigned int raw_cert_list_length;
268 gnutls_x509_crt cert = NULL;
270 gnutls_certificate_credentials_t xcred;
272 if (gnutls_certificate_allocate_credentials (&xcred) != 0)
275 r = gnutls_init(&session, GNUTLS_CLIENT);
276 if (session == NULL || r != 0)
279 gnutls_set_default_priority(session);
280 gnutls_protocol_set_priority (session, proto_prio);
281 gnutls_cipher_set_priority (session, cipher_prio);
282 gnutls_kx_set_priority (session, kx_prio);
283 gnutls_mac_set_priority (session, mac_prio);
285 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
287 if (claws_ssl_get_cert_file()) {
288 r = gnutls_certificate_set_x509_trust_file(xcred, claws_ssl_get_cert_file(), GNUTLS_X509_FMT_PEM);
290 g_warning("Can't read SSL_CERT_FILE %s: %s\n",
291 claws_ssl_get_cert_file(),
294 debug_print("Can't find SSL ca-certificates file\n");
296 gnutls_certificate_set_verify_flags (xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
298 gnutls_transport_set_ptr(session, (gnutls_transport_ptr) sockinfo->sock);
299 gnutls_session_set_ptr(session, sockinfo);
300 gnutls_certificate_client_set_retrieve_function(xcred, gnutls_client_cert_cb);
302 gnutls_dh_set_prime_bits(session, 512);
304 if ((r = SSL_connect_nb(session)) < 0) {
305 g_warning("SSL connection failed (%s)", gnutls_strerror(r));
306 gnutls_certificate_free_credentials(xcred);
307 gnutls_deinit(session);
311 /* Get server's certificate (note: beware of dynamic allocation) */
312 raw_cert_list = gnutls_certificate_get_peers(session, &raw_cert_list_length);
315 || gnutls_certificate_type_get(session) != GNUTLS_CRT_X509
316 || (r = gnutls_x509_crt_init(&cert)) < 0
317 || (r = gnutls_x509_crt_import(cert, &raw_cert_list[0], GNUTLS_X509_FMT_DER)) < 0) {
318 g_warning("cert get failure: %d %s\n", r, gnutls_strerror(r));
319 gnutls_certificate_free_credentials(xcred);
320 gnutls_deinit(session);
324 r = gnutls_certificate_verify_peers2(session, &status);
326 if (!ssl_certificate_check(cert, status, sockinfo->canonical_name, sockinfo->hostname, sockinfo->port)) {
327 gnutls_x509_crt_deinit(cert);
328 gnutls_certificate_free_credentials(xcred);
329 gnutls_deinit(session);
333 gnutls_x509_crt_deinit(cert);
335 sockinfo->ssl = session;
336 sockinfo->xcred = xcred;
340 void ssl_done_socket(SockInfo *sockinfo)
342 if (sockinfo && sockinfo->ssl) {
343 gnutls_certificate_free_credentials(sockinfo->xcred);
344 gnutls_deinit(sockinfo->ssl);
345 if (sockinfo->client_crt)
346 gnutls_x509_crt_deinit(sockinfo->client_crt);
347 if (sockinfo->client_key)
348 gnutls_x509_privkey_deinit(sockinfo->client_key);
349 sockinfo->client_key = NULL;
350 sockinfo->client_crt = NULL;
351 sockinfo->ssl = NULL;
355 #endif /* USE_GNUTLS */