src/common/ssl.c

   1 /*
   2  * Sylpheed -- a GTK+ based, lightweight, and fast e-mail client
   3  * Copyright (C) 1999-2012 Hiroyuki Yamamoto and the Claws Mail team
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License as published by
   7  * the Free Software Foundation; either version 3 of the License, or
   8  * (at your option) any later version.
   9  *
  10  * This program is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13  * GNU General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU General Public License
  16  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  17  *
  18  */
  19
  20 #ifdef HAVE_CONFIG_H
  21 #  include "config.h"
  22 #include "claws-features.h"
  23 #endif
  24
  25 #ifdef USE_GNUTLS
  26 #include "defs.h"
  27
  28 #include <stdlib.h>
  29 #include <glib.h>
  30 #include <glib/gi18n.h>
  31 #include <errno.h>
  32 #include <pthread.h>
  33
  34 #include "claws.h"
  35 #include "utils.h"
  36 #include "ssl.h"
  37 #include "ssl_certificate.h"
  38 #include "hooks.h"
  39
  40 #if GNUTLS_VERSION_NUMBER <= 0x020b00
  41 #include <gcrypt.h>
  42 GCRY_THREAD_OPTION_PTHREAD_IMPL;
  43 #endif
  44
  45 #ifdef HAVE_LIBETPAN
  46 #include <libetpan/mailstream_ssl.h>
  47 #endif
  48
  49 #ifdef USE_PTHREAD
  50 #include <pthread.h>
  51 #endif
  52
  53 #ifdef USE_PTHREAD
  54 typedef struct _thread_data {
  55         gnutls_session_t ssl;
  56         gboolean done;
  57 } thread_data;
  58 #endif
  59
  60 #if GNUTLS_VERSION_NUMBER < 0x030400
  61 #define DEFAULT_GNUTLS_PRIORITY "NORMAL:-VERS-SSL3.0"
  62 #else
  63 #define DEFAULT_GNUTLS_PRIORITY "NORMAL"
  64 #endif
  65
  66 #if GNUTLS_VERSION_NUMBER <= 0x020c00
  67 static int gnutls_client_cert_cb(gnutls_session_t session,
  68                                const gnutls_datum_t *req_ca_rdn, int nreqs,
  69                                const gnutls_pk_algorithm_t *sign_algos,
  70                                int sign_algos_length, gnutls_retr_st *st)
  71 #else
  72 static int gnutls_cert_cb(gnutls_session_t session,
  73                                const gnutls_datum_t *req_ca_rdn, int nreqs,
  74                                const gnutls_pk_algorithm_t *sign_algos,
  75                                int sign_algos_length, gnutls_retr2_st *st)
  76 #endif
  77 {
  78         SSLClientCertHookData hookdata;
  79         SockInfo *sockinfo = (SockInfo *)gnutls_session_get_ptr(session);
  80         gnutls_certificate_type_t type = gnutls_certificate_type_get(session);
  81         gnutls_x509_crt_t crt;
  82         gnutls_x509_privkey_t key;
  83
  84         st->ncerts = 0;
  85
  86         hookdata.account = sockinfo->account;
  87         hookdata.cert_path = NULL;
  88         hookdata.password = NULL;
  89         hookdata.is_smtp = sockinfo->is_smtp;
  90         hooks_invoke(SSLCERT_GET_CLIENT_CERT_HOOKLIST, &hookdata);
  91
  92         if (hookdata.cert_path == NULL) {
  93                 g_free(hookdata.password);
  94                 return 0;
  95         }
  96
  97         sockinfo->client_crt = ssl_certificate_get_x509_from_pem_file(hookdata.cert_path);
  98         sockinfo->client_key = ssl_certificate_get_pkey_from_pem_file(hookdata.cert_path);
  99         if (!(sockinfo->client_crt && sockinfo->client_key)) {
 100                 /* try pkcs12 format */
 101                 ssl_certificate_get_x509_and_pkey_from_p12_file(hookdata.cert_path, hookdata.password,
 102                         &crt, &key);
 103                 sockinfo->client_crt = crt;
 104                 sockinfo->client_key = key;
 105         }
 106
 107         if (type == GNUTLS_CRT_X509 && sockinfo->client_crt && sockinfo->client_key) {
 108                 st->ncerts = 1;
 109 #if GNUTLS_VERSION_NUMBER <= 0x020c00
 110                 st->type = type;
 111 #else
 112                 st->key_type = type;
 113 #endif
 114                 st->cert.x509 = &(sockinfo->client_crt);
 115                 st->key.x509 = sockinfo->client_key;
 116                 st->deinit_all = 0;
 117                 g_free(hookdata.password);
 118                 return 0;
 119         }
 120         g_free(hookdata.password);
 121         return 0;
 122 }
 123
 124 const gchar *claws_ssl_get_cert_file(void)
 125 {
 126 #ifndef G_OS_WIN32
 127         const char *cert_files[]={
 128                 "/etc/ssl/cert.pem",
 129                 "/etc/pki/tls/certs/ca-bundle.crt",
 130                 "/etc/certs/ca-bundle.crt",
 131                 "/etc/ssl/ca-bundle.pem",
 132                 "/usr/share/ssl/certs/ca-bundle.crt",
 133                 "/etc/ssl/certs/ca-certificates.crt",
 134                 "/usr/local/ssl/certs/ca-bundle.crt",
 135                 "/etc/apache/ssl.crt/ca-bundle.crt",
 136                 "/usr/share/curl/curl-ca-bundle.crt",
 137                 "/usr/share/curl/curl-ca-bundle.crt",
 138                 "/usr/lib/ssl/cert.pem",
 139                 NULL};
 140         int i;
 141 #endif
 142
 143         /* We honor this environment variable on all platforms. */
 144         if (g_getenv("SSL_CERT_FILE"))
 145                 return g_getenv("SSL_CERT_FILE");
 146
 147 #ifndef G_OS_WIN32
 148         for (i = 0; cert_files[i]; i++) {
 149                 if (is_file_exist(cert_files[i]))
 150                         return cert_files[i];
 151         }
 152         return NULL;
 153 #else
 154         return w32_get_cert_file();
 155 #endif
 156 }
 157
 158 const gchar *claws_ssl_get_cert_dir(void)
 159 {
 160         const char *cert_dirs[]={
 161                 "/etc/pki/tls/certs",
 162                 "/etc/certs",
 163                 "/usr/share/ssl/certs",
 164                 "/etc/ssl/certs",
 165                 "/usr/local/ssl/certs",
 166                 "/etc/apache/ssl.crt",
 167                 "/usr/share/curl",
 168                 "/usr/lib/ssl/certs",
 169                 NULL};
 170         int i;
 171
 172         if (g_getenv("SSL_CERT_DIR"))
 173                 return g_getenv("SSL_CERT_DIR");
 174 #ifndef G_OS_WIN32
 175         for (i = 0; cert_dirs[i]; i++) {
 176                 if (is_dir_exist(cert_dirs[i]))
 177                         return cert_dirs[i];
 178         }
 179         return NULL;
 180 #else
 181         return NULL;
 182 #endif
 183 }
 184
 185 void ssl_init(void)
 186 {
 187 #if GNUTLS_VERSION_NUMBER <= 0x020b00
 188         gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
 189 #endif
 190 #ifdef HAVE_LIBETPAN
 191         mailstream_gnutls_init_not_required();
 192 #endif
 193         gnutls_global_init();
 194 }
 195
 196 void ssl_done(void)
 197 {
 198         gnutls_global_deinit();
 199 }
 200
 201 #ifdef USE_PTHREAD
 202 static void *SSL_connect_thread(void *data)
 203 {
 204         thread_data *td = (thread_data *)data;
 205         int result = -1;
 206
 207         pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL);
 208         pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, NULL);
 209
 210         do {
 211                 result = gnutls_handshake(td->ssl);
 212         } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
 213
 214         td->done = TRUE; /* let the caller thread join() */
 215         return GINT_TO_POINTER(result);
 216 }
 217 #endif
 218
 219 static gint SSL_connect_nb(gnutls_session_t ssl)
 220 {
 221         int result;
 222 #ifdef USE_PTHREAD
 223         thread_data *td = g_new0(thread_data, 1);
 224         pthread_t pt;
 225         pthread_attr_t pta;
 226         void *res = NULL;
 227         time_t start_time = time(NULL);
 228         gboolean killed = FALSE;
 229
 230         td->ssl  = ssl;
 231         td->done = FALSE;
 232
 233         /* try to create a thread to initialize the SSL connection,
 234          * fallback to blocking method in case of problem
 235          */
 236         if (pthread_attr_init(&pta) != 0 ||
 237             pthread_attr_setdetachstate(&pta, PTHREAD_CREATE_JOINABLE) != 0 ||
 238             pthread_create(&pt, &pta, SSL_connect_thread, td) != 0) {
 239                 do {
 240                         result = gnutls_handshake(td->ssl);
 241                 } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
 242                 return result;
 243         }
 244         debug_print("waiting for SSL_connect thread...\n");
 245         while(!td->done) {
 246                 /* don't let the interface freeze while waiting */
 247                 claws_do_idle();
 248                 if (time(NULL) - start_time > 30) {
 249                         pthread_cancel(pt);
 250                         td->done = TRUE;
 251                         killed = TRUE;
 252                 }
 253         }
 254
 255         /* get the thread's return value and clean its resources */
 256         pthread_join(pt, &res);
 257         g_free(td);
 258
 259         if (killed) {
 260                 res = GINT_TO_POINTER(-1);
 261         }
 262         debug_print("SSL_connect thread returned %d\n",
 263                         GPOINTER_TO_INT(res));
 264
 265         return GPOINTER_TO_INT(res);
 266 #else /* USE_PTHREAD */
 267         do {
 268                 result = gnutls_handshake(ssl);
 269         } while (result == GNUTLS_E_AGAIN || result == GNUTLS_E_INTERRUPTED);
 270 #endif
 271 }
 272
 273 gnutls_x509_crt_t *ssl_get_certificate_chain(gnutls_session_t session, gint *list_len)
 274 {
 275         const gnutls_datum_t *raw_cert_list;
 276         gnutls_x509_crt_t *certs = NULL;
 277         gboolean result = TRUE;
 278
 279         *list_len = -1;
 280         if (!session)
 281                 return NULL;
 282
 283         raw_cert_list = gnutls_certificate_get_peers(session, list_len);
 284
 285         if (raw_cert_list && gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) {
 286                 int i = 0;
 287
 288                 if (*list_len > 128)
 289                         *list_len = 128;
 290
 291                 certs = g_malloc(sizeof(gnutls_x509_crt_t) * (*list_len));
 292
 293                 for(i = 0 ; i < (*list_len) ; i++) {
 294                         int r;
 295
 296                         gnutls_x509_crt_init(&certs[i]);
 297                         r = gnutls_x509_crt_import(certs[i], &raw_cert_list[i], GNUTLS_X509_FMT_DER);
 298                         if (r < 0) {
 299                                 g_warning("cert get failure: %d %s", r, gnutls_strerror(r));
 300
 301                                 result = FALSE;
 302                                 i--;
 303                                 break;
 304                         }
 305                 }
 306                 if (!result) {
 307                         for (; i >= 0; i--)
 308                                 gnutls_x509_crt_deinit(certs[i]);
 309
 310                         g_free(certs);
 311                         *list_len = -1;
 312
 313                         return NULL;
 314                 }
 315         }
 316
 317         return certs;
 318 }
 319
 320 gboolean ssl_init_socket(SockInfo *sockinfo)
 321 {
 322         gnutls_session_t session;
 323         int r, i;
 324         unsigned int cert_list_length;
 325         gnutls_x509_crt_t *certs = NULL;
 326         gnutls_certificate_credentials_t xcred;
 327
 328         if (gnutls_certificate_allocate_credentials (&xcred) != 0)
 329                 return FALSE;
 330
 331         r = gnutls_init(&session, GNUTLS_CLIENT);
 332         if (session == NULL || r != 0)
 333                 return FALSE;
 334
 335         if (sockinfo->gnutls_priority && strlen(sockinfo->gnutls_priority)) {
 336                 r = gnutls_priority_set_direct(session, sockinfo->gnutls_priority, NULL);
 337                 debug_print("Setting GnuTLS priority to %s, status = %d\n",
 338                             sockinfo->gnutls_priority, r);
 339         }
 340         else {
 341                 gnutls_priority_set_direct(session, DEFAULT_GNUTLS_PRIORITY, NULL);
 342         }
 343
 344         gnutls_record_disable_padding(session);
 345
 346         gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
 347
 348         if (claws_ssl_get_cert_file()) {
 349                 r = gnutls_certificate_set_x509_trust_file(xcred, claws_ssl_get_cert_file(),  GNUTLS_X509_FMT_PEM);
 350                 if (r < 0)
 351                         g_warning("Can't read SSL_CERT_FILE '%s': %s",
 352                                 claws_ssl_get_cert_file(),
 353                                 gnutls_strerror(r));
 354         } else {
 355                 debug_print("Can't find SSL ca-certificates file\n");
 356         }
 357         gnutls_certificate_set_verify_flags (xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
 358
 359         gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) GINT_TO_POINTER(sockinfo->sock));
 360         gnutls_session_set_ptr(session, sockinfo);
 361 #if GNUTLS_VERSION_NUMBER <= 0x020c00
 362         gnutls_certificate_client_set_retrieve_function(xcred, gnutls_client_cert_cb);
 363 #else
 364         gnutls_certificate_set_retrieve_function(xcred, gnutls_cert_cb);
 365 #endif
 366
 367         gnutls_dh_set_prime_bits(session, 512);
 368
 369         if ((r = SSL_connect_nb(session)) < 0) {
 370                 g_warning("SSL connection failed (%s)", gnutls_strerror(r));
 371                 gnutls_certificate_free_credentials(xcred);
 372                 gnutls_deinit(session);
 373                 return FALSE;
 374         }
 375
 376         /* Get server's certificate (note: beware of dynamic allocation) */
 377         certs = ssl_get_certificate_chain(session, &cert_list_length);
 378
 379         if (!certs) {
 380                 gnutls_certificate_free_credentials(xcred);
 381                 gnutls_deinit(session);
 382                 return FALSE;
 383         }
 384
 385         if (!ssl_certificate_check_chain(certs, cert_list_length, sockinfo->hostname, sockinfo->port,
 386                                          sockinfo->ssl_cert_auto_accept)) {
 387                 for (i = 0; i < cert_list_length; i++)
 388                         gnutls_x509_crt_deinit(certs[i]);
 389                 g_free(certs);
 390                 gnutls_certificate_free_credentials(xcred);
 391                 gnutls_deinit(session);
 392                 return FALSE;
 393         }
 394
 395         for (i = 0; i < cert_list_length; i++)
 396                 gnutls_x509_crt_deinit(certs[i]);
 397         g_free(certs);
 398
 399         sockinfo->ssl = session;
 400         sockinfo->xcred = xcred;
 401         return TRUE;
 402 }
 403
 404 void ssl_done_socket(SockInfo *sockinfo)
 405 {
 406         if (sockinfo && sockinfo->ssl) {
 407                 if (sockinfo->xcred)
 408                         gnutls_certificate_free_credentials(sockinfo->xcred);
 409                 gnutls_deinit(sockinfo->ssl);
 410                 if (sockinfo->client_crt)
 411                         gnutls_x509_crt_deinit(sockinfo->client_crt);
 412                 if (sockinfo->client_key)
 413                         gnutls_x509_privkey_deinit(sockinfo->client_key);
 414                 sockinfo->client_key = NULL;
 415                 sockinfo->client_crt = NULL;
 416                 sockinfo->xcred = NULL;
 417                 sockinfo->ssl = NULL;
 418         }
 419 }
 420
 421 #endif /* USE_GNUTLS */