projects / claws.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
2008-07-04 [colin] 3.5.0cvs6
[claws.git] / src / common / ssl_certificate.c
1 /*
2  * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
3  * Copyright (C) 1999-2007 Colin Leroy <colin@colino.net> 
4  * and the Claws Mail team
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 3 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program. If not, see <http://www.gnu.org/licenses/>.
18  * 
19  */
20
21 #ifdef HAVE_CONFIG_H
22 #  include "config.h"
23 #endif
24
25 #if (defined(USE_OPENSSL) || defined (USE_GNUTLS))
26 #if USE_OPENSSL
27 #include <openssl/ssl.h>
28 #else
29 #include <gnutls/gnutls.h>
30 #include <gnutls/x509.h>
31 #include <gnutls/pkcs12.h>
32 #include <sys/stat.h>
33 #include <unistd.h>
34 #include <string.h>
35 #endif
36 #include <sys/types.h>
37 #include <stdio.h>
38 #include <glib.h>
39 #include <glib/gi18n.h>
40 #ifdef G_OS_WIN32
41 #  include <winsock2.h>
42 #else
43 #  include <sys/socket.h>
44 #  include <netinet/in.h>
45 #  include <netdb.h>
46 #endif /* G_OS_WIN32 */
47 #include "ssl_certificate.h"
48 #include "utils.h"
49 #include "log.h"
50 #include "socket.h"
51 #include "hooks.h"
52 #include "defs.h"
53
54 static GHashTable *warned_expired = NULL;
55
56 gboolean prefs_common_unsafe_ssl_certs(void);
57
58 static gchar *get_certificate_path(const gchar *host, const gchar *port, const gchar *fp)
59 {
60         if (fp != NULL && prefs_common_unsafe_ssl_certs())
61                 return g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S, 
62                           "certs", G_DIR_SEPARATOR_S,
63                           host, ".", port, ".", fp, ".cert", NULL);
64         else 
65                 return g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S, 
66                           "certs", G_DIR_SEPARATOR_S,
67                           host, ".", port, ".cert", NULL);
68 }
69
70 #if USE_OPENSSL
71 static SSLCertificate *ssl_certificate_new_lookup(X509 *x509_cert, gchar *host, gushort port, gboolean lookup);
72 #else
73 static SSLCertificate *ssl_certificate_new_lookup(gnutls_x509_crt x509_cert, gchar *host, gushort port, gboolean lookup);
74 #endif
75 #if USE_OPENSSL
76 /* from Courier */
77 time_t asn1toTime(ASN1_TIME *asn1Time)
78 {
79         struct tm tm;
80         int offset;
81
82         if (asn1Time == NULL || asn1Time->length < 13)
83                 return 0;
84
85         memset(&tm, 0, sizeof(tm));
86
87 #define N2(n)   ((asn1Time->data[n]-'0')*10 + asn1Time->data[(n)+1]-'0')
88
89 #define CPY(f,n) (tm.f=N2(n))
90
91         CPY(tm_year,0);
92
93         if(tm.tm_year < 50)
94                 tm.tm_year += 100; /* Sux */
95
96         CPY(tm_mon, 2);
97         --tm.tm_mon;
98         CPY(tm_mday, 4);
99         CPY(tm_hour, 6);
100         CPY(tm_min, 8);
101         CPY(tm_sec, 10);
102
103         offset=0;
104
105         if (asn1Time->data[12] != 'Z')
106         {
107                 if (asn1Time->length < 17)
108                         return 0;
109
110                 offset=N2(13)*3600+N2(15)*60;
111
112                 if (asn1Time->data[12] == '-')
113                         offset= -offset;
114         }
115
116 #undef N2
117 #undef CPY
118
119         return mktime(&tm)-offset;
120 }
121 #endif
122
123 static char * get_fqdn(char *host)
124 {
125 #ifdef INET6
126         gint gai_err;
127         struct addrinfo hints, *res;
128 #else
129         struct hostent *hp;
130 #endif
131
132         if (host == NULL || strlen(host) == 0)
133                 return g_strdup("");
134 #ifdef INET6
135         memset(&hints, 0, sizeof(hints));
136         hints.ai_flags = AI_CANONNAME;
137         hints.ai_family = AF_UNSPEC;
138         hints.ai_socktype = SOCK_STREAM;
139         hints.ai_protocol = IPPROTO_TCP;
140
141         gai_err = getaddrinfo(host, NULL, &hints, &res);
142         if (gai_err != 0) {
143                 g_warning("getaddrinfo for %s failed: %s\n",
144                           host, gai_strerror(gai_err));
145                 return g_strdup(host);
146         }
147         if (res != NULL) {
148                 if (res->ai_canonname && strlen(res->ai_canonname)) {
149                         gchar *fqdn = g_strdup(res->ai_canonname);
150                         freeaddrinfo(res);
151                         return fqdn;
152                 } else {
153                         freeaddrinfo(res);
154                         return g_strdup(host);
155                 }
156         } else {
157                 return g_strdup(host);
158         }
159 #else
160         hp = my_gethostbyname(host);
161         if (hp == NULL)
162                 return g_strdup(host); /*caller should free*/
163         else 
164                 return g_strdup(hp->h_name);
165 #endif
166 }
167
168 char * readable_fingerprint(unsigned char *src, int len) 
169 {
170         int i=0;
171         char * ret;
172         
173         if (src == NULL)
174                 return NULL;
175         ret = g_strdup("");
176         while (i < len) {
177                 char *tmp2;
178                 if(i>0)
179                         tmp2 = g_strdup_printf("%s:%02X", ret, src[i]);
180                 else
181                         tmp2 = g_strdup_printf("%02X", src[i]);
182                 g_free(ret);
183                 ret = g_strdup(tmp2);
184                 g_free(tmp2);
185                 i++;
186         }
187         return ret;
188 }
189
190 #if USE_GNUTLS
191 static gnutls_x509_crt x509_crt_copy(gnutls_x509_crt src)
192 {
193     int ret;
194     size_t size;
195     gnutls_datum tmp;
196     gnutls_x509_crt dest;
197     
198     if (gnutls_x509_crt_init(&dest) != 0) {
199         g_warning("couldn't gnutls_x509_crt_init\n");
200         return NULL;
201     }
202
203     if (gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, NULL, &size) 
204         != GNUTLS_E_SHORT_MEMORY_BUFFER) {
205         g_warning("couldn't gnutls_x509_crt_export to get size\n");
206         gnutls_x509_crt_deinit(dest);
207         return NULL;
208     }
209
210     tmp.data = malloc(size);
211     memset(tmp.data, 0, size);
212     ret = gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, tmp.data, &size);
213     if (ret == 0) {
214         tmp.size = size;
215         ret = gnutls_x509_crt_import(dest, &tmp, GNUTLS_X509_FMT_DER);
216         if (ret) {
217                 g_warning("couldn't gnutls_x509_crt_import for real (%d %s)\n", ret, gnutls_strerror(ret));
218                 gnutls_x509_crt_deinit(dest);
219                 dest = NULL;
220         }
221     } else {
222         g_warning("couldn't gnutls_x509_crt_export for real (%d %s)\n", ret, gnutls_strerror(ret));
223         gnutls_x509_crt_deinit(dest);
224         dest = NULL;
225     }
226
227     free(tmp.data);
228     return dest;
229 }
230 #endif
231
232 #if USE_OPENSSL
233 static SSLCertificate *ssl_certificate_new_lookup(X509 *x509_cert, gchar *host, gushort port, gboolean lookup)
234 #else
235 static SSLCertificate *ssl_certificate_new_lookup(gnutls_x509_crt x509_cert, gchar *host, gushort port, gboolean lookup)
236 #endif
237 {
238         SSLCertificate *cert = g_new0(SSLCertificate, 1);
239         unsigned int n;
240         unsigned char md[128];  
241
242         if (host == NULL || x509_cert == NULL) {
243                 ssl_certificate_destroy(cert);
244                 return NULL;
245         }
246 #if USE_OPENSSL
247         cert->x509_cert = X509_dup(x509_cert);
248 #else
249         cert->x509_cert = x509_crt_copy(x509_cert);
250         cert->status = (guint)-1;
251 #endif
252         if (lookup)
253                 cert->host = get_fqdn(host);
254         else
255                 cert->host = g_strdup(host);
256         cert->port = port;
257         
258         /* fingerprint */
259 #if USE_OPENSSL
260         X509_digest(cert->x509_cert, EVP_md5(), md, &n);
261         cert->fingerprint = readable_fingerprint(md, (int)n);
262 #else
263         n = 128;
264         gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_MD5, md, &n);
265         cert->fingerprint = readable_fingerprint(md, (int)n);
266 #endif
267         return cert;
268 }
269
270 #ifdef USE_GNUTLS
271 static void gnutls_i2d_X509_fp(FILE *fp, gnutls_x509_crt x509_cert)
272 {
273         char output[10*1024];
274         size_t cert_size = 10*1024;
275         int r;
276         
277         if ((r = gnutls_x509_crt_export(x509_cert, GNUTLS_X509_FMT_DER, output, &cert_size)) < 0) {
278                 g_warning("couldn't export cert %s (%d)\n", gnutls_strerror(r), cert_size);
279                 return;
280         }
281         debug_print("writing %zd bytes\n",cert_size);
282         if (fwrite(&output, 1, cert_size, fp) < cert_size) {
283                 g_warning("failed to write cert\n");
284         }
285 }
286
287 size_t gnutls_i2d_X509(gnutls_x509_crt x509_cert, unsigned char **output)
288 {
289         size_t cert_size = 10*1024;
290         int r;
291         
292         if (output == NULL)
293                 return 0;
294         
295         *output = malloc(cert_size);
296
297         if ((r = gnutls_x509_crt_export(x509_cert, GNUTLS_X509_FMT_DER, *output, &cert_size)) < 0) {
298                 g_warning("couldn't export cert %s (%d)\n", gnutls_strerror(r), cert_size);
299                 free(*output);
300                 *output = NULL;
301                 return 0;
302         }
303         return cert_size;
304 }
305
306 size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey pkey, unsigned char **output)
307 {
308         size_t key_size = 10*1024;
309         int r;
310         
311         if (output == NULL)
312                 return 0;
313         
314         *output = malloc(key_size);
315
316         if ((r = gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, *output, &key_size)) < 0) {
317                 g_warning("couldn't export key %s (%d)\n", gnutls_strerror(r), key_size);
318                 free(*output);
319                 *output = NULL;
320                 return 0;
321         }
322         return key_size;
323 }
324
325 static gnutls_x509_crt gnutls_d2i_X509_fp(FILE *fp, int format)
326 {
327         gnutls_x509_crt cert = NULL;
328         gnutls_datum tmp;
329         struct stat s;
330         int r;
331         if (fstat(fileno(fp), &s) < 0) {
332                 perror("fstat");
333                 return NULL;
334         }
335         tmp.data = malloc(s.st_size);
336         memset(tmp.data, 0, s.st_size);
337         tmp.size = s.st_size;
338         if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
339                 perror("fread");
340                 free(tmp.data);
341                 return NULL;
342         }
343
344         gnutls_x509_crt_init(&cert);
345         if ((r = gnutls_x509_crt_import(cert, &tmp, (format == 0)?GNUTLS_X509_FMT_DER:GNUTLS_X509_FMT_PEM)) < 0) {
346                 debug_print("cert import failed: %s\n", gnutls_strerror(r));
347                 gnutls_x509_crt_deinit(cert);
348                 cert = NULL;
349         }
350         free(tmp.data);
351         debug_print("got cert! %p\n", cert);
352         return cert;
353 }
354
355 static gnutls_x509_privkey gnutls_d2i_key_fp(FILE *fp, int format)
356 {
357         gnutls_x509_privkey key = NULL;
358         gnutls_datum tmp;
359         struct stat s;
360         int r;
361         if (fstat(fileno(fp), &s) < 0) {
362                 perror("fstat");
363                 return NULL;
364         }
365         tmp.data = malloc(s.st_size);
366         memset(tmp.data, 0, s.st_size);
367         tmp.size = s.st_size;
368         if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
369                 perror("fread");
370                 free(tmp.data);
371                 return NULL;
372         }
373
374         gnutls_x509_privkey_init(&key);
375         if ((r = gnutls_x509_privkey_import(key, &tmp, (format == 0)?GNUTLS_X509_FMT_DER:GNUTLS_X509_FMT_PEM)) < 0) {
376                 debug_print("key import failed: %s\n", gnutls_strerror(r));
377                 gnutls_x509_privkey_deinit(key);
378                 key = NULL;
379         }
380         free(tmp.data);
381         debug_print("got key! %p\n", key);
382         return key;
383 }
384
385 static gnutls_pkcs12_t gnutls_d2i_PKCS12_fp(FILE *fp, int format)
386 {
387         gnutls_pkcs12_t p12 = NULL;
388         gnutls_datum tmp;
389         struct stat s;
390         int r;
391         if (fstat(fileno(fp), &s) < 0) {
392                 perror("fstat");
393                 return NULL;
394         }
395         tmp.data = malloc(s.st_size);
396         memset(tmp.data, 0, s.st_size);
397         tmp.size = s.st_size;
398         if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
399                 perror("fread");
400                 free(tmp.data);
401                 return NULL;
402         }
403
404         gnutls_pkcs12_init(&p12);
405
406         if ((r = gnutls_pkcs12_import(p12, &tmp, (format == 0)?GNUTLS_X509_FMT_DER:GNUTLS_X509_FMT_PEM,0)) < 0) {
407                 g_warning("p12 import failed: %s\n", gnutls_strerror(r));
408                 gnutls_pkcs12_deinit(p12);
409                 p12 = NULL;
410         }
411         free(tmp.data);
412         debug_print("got p12! %p\n", p12);
413         return p12;
414 }
415
416 #endif
417
418 static void ssl_certificate_save (SSLCertificate *cert)
419 {
420         gchar *file, *port;
421         FILE *fp;
422
423         file = g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S, 
424                           "certs", G_DIR_SEPARATOR_S, NULL);
425         
426         if (!is_dir_exist(file))
427                 make_dir_hier(file);
428         g_free(file);
429
430         port = g_strdup_printf("%d", cert->port);
431         file = get_certificate_path(cert->host, port, cert->fingerprint);
432
433         g_free(port);
434         fp = g_fopen(file, "wb");
435         if (fp == NULL) {
436                 g_free(file);
437                 debug_print("Can't save certificate !\n");
438                 return;
439         }
440 #ifdef USE_GNUTLS
441         gnutls_i2d_X509_fp(fp, cert->x509_cert);
442 #else
443         i2d_X509_fp(fp, cert->x509_cert);
444 #endif
445         g_free(file);
446         fclose(fp);
447
448 }
449
450 void ssl_certificate_destroy(SSLCertificate *cert) 
451 {
452         if (cert == NULL)
453                 return;
454
455         if (cert->x509_cert)
456 #if USE_OPENSSL
457                 X509_free(cert->x509_cert);
458 #else
459                 gnutls_x509_crt_deinit(cert->x509_cert);
460 #endif
461         g_free(cert->host);
462         g_free(cert->fingerprint);
463         g_free(cert);
464         cert = NULL;
465 }
466
467 void ssl_certificate_delete_from_disk(SSLCertificate *cert)
468 {
469         gchar *buf;
470         gchar *file;
471         buf = g_strdup_printf("%d", cert->port);
472         file = get_certificate_path(cert->host, buf, cert->fingerprint);
473         claws_unlink (file);
474         g_free(file);
475         g_free(buf);
476 }
477
478 SSLCertificate *ssl_certificate_find (gchar *host, gushort port, const gchar *fingerprint)
479 {
480         return ssl_certificate_find_lookup (host, port, fingerprint, TRUE);
481 }
482
483 SSLCertificate *ssl_certificate_find_lookup (gchar *host, gushort port, const gchar *fingerprint, gboolean lookup)
484 {
485         gchar *file = NULL;
486         gchar *buf;
487         gchar *fqdn_host;
488         SSLCertificate *cert = NULL;
489 #if USE_OPENSSL
490         X509 *tmp_x509;
491 #else
492         gnutls_x509_crt tmp_x509;
493 #endif
494         FILE *fp = NULL;
495         gboolean must_rename = FALSE;
496
497         if (lookup)
498                 fqdn_host = get_fqdn(host);
499         else
500                 fqdn_host = g_strdup(host);
501
502         buf = g_strdup_printf("%d", port);
503         
504         if (fingerprint != NULL) {
505                 file = get_certificate_path(fqdn_host, buf, fingerprint);
506                 fp = g_fopen(file, "rb");
507         }
508         if (fp == NULL) {
509                 /* see if we have the old one */
510                 debug_print("didn't get %s\n", file);
511                 g_free(file);
512                 file = get_certificate_path(fqdn_host, buf, NULL);
513                 fp = g_fopen(file, "rb");
514
515                 if (fp) {
516                         debug_print("got %s\n", file);
517                         must_rename = (fingerprint != NULL);
518                 }
519         } else {
520                 debug_print("got %s first try\n", file);
521         }
522         if (fp == NULL) {
523                 g_free(file);
524                 g_free(fqdn_host);
525                 g_free(buf);
526                 return NULL;
527         }
528         
529 #if USE_OPENSSL
530         if ((tmp_x509 = d2i_X509_fp(fp, 0)) != NULL) {
531 #else
532         if ((tmp_x509 = gnutls_d2i_X509_fp(fp, 0)) != NULL) {
533 #endif
534                 cert = ssl_certificate_new_lookup(tmp_x509, fqdn_host, port, lookup);
535                 debug_print("got cert %p\n", cert);
536 #if USE_OPENSSL
537                 X509_free(tmp_x509);
538 #else
539                 gnutls_x509_crt_deinit(tmp_x509);
540 #endif
541         }
542         fclose(fp);
543         g_free(file);
544         
545         if (must_rename) {
546                 gchar *old = get_certificate_path(fqdn_host, buf, NULL);
547                 gchar *new = get_certificate_path(fqdn_host, buf, fingerprint);
548                 if (strcmp(old, new))
549                         move_file(old, new, TRUE);
550                 g_free(old);
551                 g_free(new);
552         }
553         g_free(buf);
554         g_free(fqdn_host);
555
556         return cert;
557 }
558
559 static gboolean ssl_certificate_compare (SSLCertificate *cert_a, SSLCertificate *cert_b)
560 {
561 #ifdef USE_OPENSSL
562         if (cert_a == NULL || cert_b == NULL)
563                 return FALSE;
564         else if (!X509_cmp(cert_a->x509_cert, cert_b->x509_cert))
565                 return TRUE;
566         else
567                 return FALSE;
568 #else
569         char *output_a;
570         char *output_b;
571         size_t cert_size_a = 0, cert_size_b = 0;
572         int r;
573
574         if (cert_a == NULL || cert_b == NULL)
575                 return FALSE;
576
577         if ((r = gnutls_x509_crt_export(cert_a->x509_cert, GNUTLS_X509_FMT_DER, NULL, &cert_size_a)) 
578             != GNUTLS_E_SHORT_MEMORY_BUFFER) {
579                 g_warning("couldn't gnutls_x509_crt_export to get size a %s\n", gnutls_strerror(r));
580                 return FALSE;
581         }
582
583         if ((r = gnutls_x509_crt_export(cert_b->x509_cert, GNUTLS_X509_FMT_DER, NULL, &cert_size_b))
584             != GNUTLS_E_SHORT_MEMORY_BUFFER) {
585                 g_warning("couldn't gnutls_x509_crt_export to get size b %s\n", gnutls_strerror(r));
586                 return FALSE;
587         }
588
589         output_a = malloc(cert_size_a);
590         output_b = malloc(cert_size_b);
591         if ((r = gnutls_x509_crt_export(cert_a->x509_cert, GNUTLS_X509_FMT_DER, output_a, &cert_size_a)) < 0) {
592                 g_warning("couldn't gnutls_x509_crt_export a %s\n", gnutls_strerror(r));
593                 g_free(output_a);
594                 g_free(output_b);
595                 return FALSE;
596         }
597         if ((r = gnutls_x509_crt_export(cert_b->x509_cert, GNUTLS_X509_FMT_DER, output_b, &cert_size_b)) < 0) {
598                 g_warning("couldn't gnutls_x509_crt_export b %s\n", gnutls_strerror(r));
599                 g_free(output_a);
600                 g_free(output_b);
601                 return FALSE;
602         }
603         if (cert_size_a != cert_size_b) {
604                 g_warning("size differ %d %d\n", cert_size_a, cert_size_b);
605                 g_free(output_a);
606                 g_free(output_b);
607                 return FALSE;
608         }
609         if (memcmp(output_a, output_b, cert_size_a)) {
610                 g_warning("contents differ\n");
611                 g_free(output_a);
612                 g_free(output_b);
613                 return FALSE;
614         }
615         g_free(output_a);
616         g_free(output_b);
617         
618         return TRUE;
619 #endif
620 }
621
622 #if USE_OPENSSL
623 char *ssl_certificate_check_signer (X509 *cert) 
624 {
625         X509_STORE_CTX store_ctx;
626         X509_STORE *store = SSL_CTX_get_cert_store(ssl_get_ctx());
627         char *err_msg = NULL;
628
629         if (store == NULL) {
630                 g_print("Can't create X509_STORE\n");
631                 return NULL;
632         }
633
634         X509_STORE_CTX_init (&store_ctx, store, cert, NULL);
635
636         if(!X509_verify_cert (&store_ctx)) {
637                 err_msg = g_strdup(X509_verify_cert_error_string(
638                                         X509_STORE_CTX_get_error(&store_ctx)));
639                 debug_print("Can't check signer: %s\n", err_msg);
640                 X509_STORE_CTX_cleanup (&store_ctx);
641                 return err_msg;
642                         
643         }
644         X509_STORE_CTX_cleanup (&store_ctx);
645         return NULL;
646 }
647 #else
648 char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status) 
649 {
650         if (status == (guint)-1)
651                 return g_strdup(_("Uncheckable"));
652
653         if (status & GNUTLS_CERT_INVALID) {
654                 if (gnutls_x509_crt_check_issuer(cert, cert))
655                         return g_strdup(_("Self-signed certificate"));
656         }
657         if (status & GNUTLS_CERT_REVOKED)
658                 return g_strdup(_("Revoked certificate"));
659         if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
660                 return g_strdup(_("No certificate issuer found"));
661         if (status & GNUTLS_CERT_SIGNER_NOT_CA)
662                 return g_strdup(_("Certificate issuer is not a CA"));
663
664
665         return NULL;
666 }
667 #endif
668
669 #if USE_OPENSSL
670 gboolean ssl_certificate_check (X509 *x509_cert, gchar *fqdn, gchar *host, gushort port)
671 #else
672 gboolean ssl_certificate_check (gnutls_x509_crt x509_cert, guint status, gchar *fqdn, gchar *host, gushort port)
673 #endif
674 {
675         SSLCertificate *current_cert = NULL;
676         SSLCertificate *known_cert;
677         SSLCertHookData cert_hook_data;
678         gchar *fqdn_host = NULL;        
679         gchar *fingerprint;
680         unsigned int n;
681         unsigned char md[128];  
682
683         if (fqdn)
684                 fqdn_host = g_strdup(fqdn);
685         else if (host)
686                 fqdn_host = get_fqdn(host);
687         else {
688                 g_warning("no host!\n");
689                 return FALSE;
690         }
691                 
692         current_cert = ssl_certificate_new_lookup(x509_cert, fqdn_host, port, FALSE);
693         
694         if (current_cert == NULL) {
695                 debug_print("Buggy certificate !\n");
696                 g_free(fqdn_host);
697                 return FALSE;
698         }
699
700 #if USE_GNUTLS
701         current_cert->status = status;
702 #endif
703         /* fingerprint */
704 #if USE_OPENSSL
705         X509_digest(x509_cert, EVP_md5(), md, &n);
706         fingerprint = readable_fingerprint(md, (int)n);
707 #else
708         n = 128;
709         gnutls_x509_crt_get_fingerprint(x509_cert, GNUTLS_DIG_MD5, md, &n);
710         fingerprint = readable_fingerprint(md, (int)n);
711 #endif
712
713         known_cert = ssl_certificate_find_lookup (fqdn_host, port, fingerprint, FALSE);
714
715         g_free(fingerprint);
716         g_free(fqdn_host);
717
718         if (known_cert == NULL) {
719                 cert_hook_data.cert = current_cert;
720                 cert_hook_data.old_cert = NULL;
721                 cert_hook_data.expired = FALSE;
722                 cert_hook_data.accept = FALSE;
723                 
724                 hooks_invoke(SSLCERT_ASK_HOOKLIST, &cert_hook_data);
725                 
726                 if (!cert_hook_data.accept) {
727                         ssl_certificate_destroy(current_cert);
728                         return FALSE;
729                 } else {
730                         ssl_certificate_save(current_cert);
731                         ssl_certificate_destroy(current_cert);
732                         return TRUE;
733                 }
734         } else if (!ssl_certificate_compare (current_cert, known_cert)) {
735                 cert_hook_data.cert = current_cert;
736                 cert_hook_data.old_cert = known_cert;
737                 cert_hook_data.expired = FALSE;
738                 cert_hook_data.accept = FALSE;
739                 
740                 hooks_invoke(SSLCERT_ASK_HOOKLIST, &cert_hook_data);
741
742                 if (!cert_hook_data.accept) {
743                         ssl_certificate_destroy(current_cert);
744                         ssl_certificate_destroy(known_cert);
745                         return FALSE;
746                 } else {
747                         ssl_certificate_save(current_cert);
748                         ssl_certificate_destroy(current_cert);
749                         ssl_certificate_destroy(known_cert);
750                         return TRUE;
751                 }
752 #if USE_OPENSSL
753         } else if (asn1toTime(X509_get_notAfter(current_cert->x509_cert)) < time(NULL)) {
754 #else
755         } else if (gnutls_x509_crt_get_expiration_time(current_cert->x509_cert) < time(NULL)) {
756 #endif
757                 gchar *tmp = g_strdup_printf("%s:%d", current_cert->host, current_cert->port);
758                 
759                 if (warned_expired == NULL)
760                         warned_expired = g_hash_table_new(g_str_hash, g_str_equal);
761                 
762                 if (g_hash_table_lookup(warned_expired, tmp)) {
763                         g_free(tmp);
764                         ssl_certificate_destroy(current_cert);
765                         ssl_certificate_destroy(known_cert);
766                         return TRUE;
767                 }
768                         
769                 cert_hook_data.cert = current_cert;
770                 cert_hook_data.old_cert = NULL;
771                 cert_hook_data.expired = TRUE;
772                 cert_hook_data.accept = FALSE;
773                 
774                 hooks_invoke(SSLCERT_ASK_HOOKLIST, &cert_hook_data);
775
776                 if (!cert_hook_data.accept) {
777                         g_free(tmp);
778                         ssl_certificate_destroy(current_cert);
779                         ssl_certificate_destroy(known_cert);
780                         return FALSE;
781                 } else {
782                         g_hash_table_insert(warned_expired, tmp, GINT_TO_POINTER(1));
783                         ssl_certificate_destroy(current_cert);
784                         ssl_certificate_destroy(known_cert);
785                         return TRUE;
786                 }
787         }
788
789         ssl_certificate_destroy(current_cert);
790         ssl_certificate_destroy(known_cert);
791         return TRUE;
792 }
793
794 #if USE_OPENSSL
795 X509 *ssl_certificate_get_x509_from_pem_file(const gchar *file)
796 {
797         X509 *x509 = NULL;
798         if (!file)
799                 return NULL;
800         if (is_file_exist(file)) {
801                 FILE *fp = g_fopen(file, "r");
802                 if (fp) {
803                         x509 = PEM_read_X509(fp, NULL, NULL, NULL);
804                         fclose(fp);
805                         return x509;
806                 }
807         } else {
808                 log_error(LOG_PROTOCOL, "Can not open certificate file %s\n", file);
809         }
810         return NULL;
811 }
812
813 static int ssl_pkey_password_cb(char *buf, int max_len, int flag, void *pwd)
814 {
815         return 0;
816 }
817
818 EVP_PKEY *ssl_certificate_get_pkey_from_pem_file(const gchar *file)
819 {
820         EVP_PKEY *pkey = NULL;
821         if (!file)
822                 return NULL;
823         if (is_file_exist(file)) {
824                 FILE *fp = g_fopen(file, "r");
825                 if (fp) {
826                         pkey = PEM_read_PrivateKey(fp, NULL, ssl_pkey_password_cb, NULL);
827                         fclose(fp);
828                         return pkey;
829                 }
830         } else {
831                 log_error(LOG_PROTOCOL, "Can not open private key file %s\n", file);
832         }
833         return NULL;
834 }
835
836 void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gchar *password,
837                         X509 **x509, EVP_PKEY **pkey)
838 {
839         PKCS12 *p12 = NULL;
840         *x509 = NULL;
841         *pkey = NULL;
842
843         if (!file)
844                 return;
845
846         if (is_file_exist(file)) {
847                 FILE *fp = g_fopen(file, "r");
848                 if (fp) {
849                         p12 = d2i_PKCS12_fp(fp, NULL);
850                         fclose(fp);
851                 }
852         } else {
853                 log_error(LOG_PROTOCOL, "Can not open certificate file %s\n", file);
854         }
855         if (p12 != NULL) {
856                 if (PKCS12_parse(p12, password, pkey, x509, NULL) == 1) {
857                         /* we got the correct password */
858                 } else {
859                         gchar *tmp = NULL;
860                         hooks_invoke(SSL_CERT_GET_PASSWORD, &tmp);
861                         if (PKCS12_parse(p12, tmp, pkey, x509, NULL) == 1) {
862                                 debug_print("got p12\n");
863                         } else {
864                                 log_error(LOG_PROTOCOL, "%s\n", ERR_error_string(ERR_get_error(),NULL));
865                         }
866                 }
867                 PKCS12_free(p12);
868         }
869 }
870 #endif
871
872 #ifdef USE_GNUTLS
873 gnutls_x509_crt ssl_certificate_get_x509_from_pem_file(const gchar *file)
874 {
875         gnutls_x509_crt x509 = NULL;
876         if (!file)
877                 return NULL;
878         
879         if (is_file_exist(file)) {
880                 FILE *fp = g_fopen(file, "r");
881                 if (fp) {
882                         x509 = gnutls_d2i_X509_fp(fp, 1);
883                         fclose(fp);
884                         return x509;
885                 }
886         } else {
887                 log_error(LOG_PROTOCOL, "Can not open certificate file %s\n", file);
888         }
889         return NULL;
890 }
891
892 gnutls_x509_privkey ssl_certificate_get_pkey_from_pem_file(const gchar *file)
893 {
894         gnutls_x509_privkey key = NULL;
895         if (!file)
896                 return NULL;
897         
898         if (is_file_exist(file)) {
899                 FILE *fp = g_fopen(file, "r");
900                 if (fp) {
901                         key = gnutls_d2i_key_fp(fp, 1);
902                         fclose(fp);
903                         return key;
904                 }
905         } else {
906                 log_error(LOG_PROTOCOL, "Can not open key file %s\n", file);
907         }
908         return NULL;
909 }
910
911 /* From GnuTLS lib/gnutls_x509.c */
912 static int
913 parse_pkcs12 (gnutls_pkcs12_t p12,
914               const char *password,
915               gnutls_x509_privkey * key,
916               gnutls_x509_crt_t * cert)
917 {
918   gnutls_pkcs12_bag bag = NULL;
919   int index = 0;
920   int ret;
921
922   for (;;)
923     {
924       int elements_in_bag;
925       int i;
926
927       ret = gnutls_pkcs12_bag_init (&bag);
928       if (ret < 0)
929         {
930           bag = NULL;
931           goto done;
932         }
933
934       ret = gnutls_pkcs12_get_bag (p12, index, bag);
935       if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
936         break;
937       if (ret < 0)
938         {
939           goto done;
940         }
941
942       ret = gnutls_pkcs12_bag_get_type (bag, 0);
943       if (ret < 0)
944         {
945           goto done;
946         }
947
948       if (ret == GNUTLS_BAG_ENCRYPTED)
949         {
950           ret = gnutls_pkcs12_bag_decrypt (bag, password);
951           if (ret < 0)
952             {
953               goto done;
954             }
955         }
956
957       elements_in_bag = gnutls_pkcs12_bag_get_count (bag);
958       if (elements_in_bag < 0)
959         {
960           goto done;
961         }
962
963       for (i = 0; i < elements_in_bag; i++)
964         {
965           int type;
966           gnutls_datum data;
967
968           type = gnutls_pkcs12_bag_get_type (bag, i);
969           if (type < 0)
970             {
971               goto done;
972             }
973
974           ret = gnutls_pkcs12_bag_get_data (bag, i, &data);
975           if (ret < 0)
976             {
977               goto done;
978             }
979
980           switch (type)
981             {
982             case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
983             case GNUTLS_BAG_PKCS8_KEY:
984               ret = gnutls_x509_privkey_init (key);
985               if (ret < 0)
986                 {
987                   goto done;
988                 }
989
990               ret = gnutls_x509_privkey_import_pkcs8
991                 (*key, &data, GNUTLS_X509_FMT_DER, password,
992                  type == GNUTLS_BAG_PKCS8_KEY ? GNUTLS_PKCS_PLAIN : 0);
993               if (ret < 0)
994                 {
995                   goto done;
996                 }
997               break;
998
999             case GNUTLS_BAG_CERTIFICATE:
1000               ret = gnutls_x509_crt_init (cert);
1001               if (ret < 0)
1002                 {
1003                   goto done;
1004                 }
1005
1006               ret =
1007                 gnutls_x509_crt_import (*cert, &data, GNUTLS_X509_FMT_DER);
1008               if (ret < 0)
1009                 {
1010                   goto done;
1011                 }
1012               break;
1013
1014             case GNUTLS_BAG_ENCRYPTED:
1015               /* XXX Bother to recurse one level down?  Unlikely to
1016                  use the same password anyway. */
1017             case GNUTLS_BAG_EMPTY:
1018             default:
1019               break;
1020             }
1021         }
1022
1023       index++;
1024       gnutls_pkcs12_bag_deinit (bag);
1025     }
1026
1027   ret = 0;
1028
1029 done:
1030   if (bag)
1031     gnutls_pkcs12_bag_deinit (bag);
1032
1033   return ret;
1034 }
1035 void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gchar *password,
1036                         gnutls_x509_crt *x509, gnutls_x509_privkey *pkey)
1037 {
1038         gnutls_pkcs12_t p12 = NULL;
1039
1040         int r;
1041
1042         *x509 = NULL;
1043         *pkey = NULL;
1044         if (!file)
1045                 return;
1046
1047         if (is_file_exist(file)) {
1048                 FILE *fp = g_fopen(file, "r");
1049                 if (fp) {
1050                         p12 = gnutls_d2i_PKCS12_fp(fp, 0);
1051                         fclose(fp);
1052                 }
1053         } else {
1054                 log_error(LOG_PROTOCOL, "Can not open certificate file %s\n", file);
1055         }
1056         if (p12 != NULL) {
1057                 if ((r = parse_pkcs12(p12, password, pkey, x509)) == 0) {
1058                         debug_print("got p12\n");
1059                 } else {
1060                         log_error(LOG_PROTOCOL, "%s\n", gnutls_strerror(r));
1061                 }
1062                 gnutls_pkcs12_deinit(p12);
1063         }
1064 }
1065 #endif
1066 #endif /* USE_OPENSSL */
Claws Mail