src/common/ssl_certificate.c

   1 /*
   2  * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
   3  * Copyright (C) 1999-2016 Colin Leroy and the Claws Mail team
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License as published by
   7  * the Free Software Foundation; either version 3 of the License, or
   8  * (at your option) any later version.
   9  *
  10  * This program is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13  * GNU General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU General Public License
  16  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  17  */
  18
  19 #ifdef HAVE_CONFIG_H
  20 #  include "config.h"
  21 #include "claws-features.h"
  22 #endif
  23
  24 #ifdef USE_GNUTLS
  25 #include <gnutls/gnutls.h>
  26 #include <gnutls/x509.h>
  27 #include <gnutls/pkcs12.h>
  28 #include <sys/stat.h>
  29 #include <unistd.h>
  30 #include <string.h>
  31 #include <sys/types.h>
  32 #include <stdio.h>
  33 #include <glib.h>
  34 #include <glib/gi18n.h>
  35 #include <errno.h>
  36 #ifdef G_OS_WIN32
  37 #  include <winsock2.h>
  38 #else
  39 #  include <sys/socket.h>
  40 #  include <netinet/in.h>
  41 #  include <netdb.h>
  42 #endif /* G_OS_WIN32 */
  43 #include "ssl_certificate.h"
  44 #include "utils.h"
  45 #include "log.h"
  46 #include "socket.h"
  47 #include "hooks.h"
  48 #include "defs.h"
  49 #include "claws_io.h"
  50
  51 static GHashTable *warned_expired = NULL;
  52
  53 gboolean prefs_common_unsafe_ssl_certs(void);
  54
  55 static gchar *get_certificate_path(const gchar *host, const gchar *port, const gchar *fp)
  56 {
  57         if (fp != NULL && prefs_common_unsafe_ssl_certs())
  58                 return g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S,
  59                           "certs", G_DIR_SEPARATOR_S,
  60                           host, ".", port, ".", fp, ".cert", NULL);
  61         else
  62                 return g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S,
  63                           "certs", G_DIR_SEPARATOR_S,
  64                           host, ".", port, ".cert", NULL);
  65 }
  66
  67 static gchar *get_certificate_chain_path(const gchar *host, const gchar *port, const gchar *fp)
  68 {
  69         gchar *tmp = get_certificate_path(host, port, fp);
  70         gchar *result = g_strconcat(tmp, ".chain", NULL);
  71
  72         g_free(tmp);
  73
  74         return result;
  75 }
  76
  77 char * readable_fingerprint(unsigned char *src, int len)
  78 {
  79         int i=0;
  80         char * ret;
  81
  82         if (src == NULL)
  83                 return NULL;
  84         ret = g_strdup("");
  85         while (i < len) {
  86                 char *tmp2;
  87                 if(i>0)
  88                         tmp2 = g_strdup_printf("%s:%02X", ret, src[i]);
  89                 else
  90                         tmp2 = g_strdup_printf("%02X", src[i]);
  91                 g_free(ret);
  92                 ret = g_strdup(tmp2);
  93                 g_free(tmp2);
  94                 i++;
  95         }
  96         return ret;
  97 }
  98
  99 #if USE_GNUTLS
 100 static gnutls_x509_crt_t x509_crt_copy(gnutls_x509_crt_t src)
 101 {
 102     int ret;
 103     size_t size;
 104     gnutls_datum_t tmp;
 105     gnutls_x509_crt_t dest;
 106     size = 0;
 107
 108     if (gnutls_x509_crt_init(&dest) != 0) {
 109         g_warning("couldn't gnutls_x509_crt_init");
 110         return NULL;
 111     }
 112
 113     if (gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, NULL, &size)
 114         != GNUTLS_E_SHORT_MEMORY_BUFFER) {
 115         g_warning("couldn't gnutls_x509_crt_export to get size");
 116         gnutls_x509_crt_deinit(dest);
 117         return NULL;
 118     }
 119
 120     tmp.data = malloc(size);
 121     memset(tmp.data, 0, size);
 122     ret = gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, tmp.data, &size);
 123     if (ret == 0) {
 124         tmp.size = size;
 125         ret = gnutls_x509_crt_import(dest, &tmp, GNUTLS_X509_FMT_DER);
 126         if (ret) {
 127                 g_warning("couldn't gnutls_x509_crt_import for real (%d %s)", ret, gnutls_strerror(ret));
 128                 gnutls_x509_crt_deinit(dest);
 129                 dest = NULL;
 130         }
 131     } else {
 132         g_warning("couldn't gnutls_x509_crt_export for real (%d %s)", ret, gnutls_strerror(ret));
 133         gnutls_x509_crt_deinit(dest);
 134         dest = NULL;
 135     }
 136
 137     free(tmp.data);
 138     return dest;
 139 }
 140 #endif
 141
 142 static SSLCertificate *ssl_certificate_new(gnutls_x509_crt_t x509_cert, const gchar *host, gushort port)
 143 {
 144         SSLCertificate *cert = g_new0(SSLCertificate, 1);
 145         size_t n;
 146         unsigned char md[128];
 147
 148         if (host == NULL || x509_cert == NULL) {
 149                 ssl_certificate_destroy(cert);
 150                 return NULL;
 151         }
 152         cert->x509_cert = x509_crt_copy(x509_cert);
 153         cert->status = (guint)-1;
 154         cert->host = g_strdup(host);
 155         cert->port = port;
 156
 157         /* fingerprint */
 158         n = sizeof(md);
 159         gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_MD5, md, &n);
 160         cert->fingerprint = readable_fingerprint(md, (int)n);
 161         return cert;
 162 }
 163
 164 static void gnutls_export_X509_fp(FILE *fp, gnutls_x509_crt_t x509_cert, gnutls_x509_crt_fmt_t format)
 165 {
 166         char output[10*1024];
 167         size_t cert_size = 10*1024;
 168         int r;
 169
 170         if ((r = gnutls_x509_crt_export(x509_cert, format, output, &cert_size)) < 0) {
 171                 g_warning("couldn't export cert %s (%zd)", gnutls_strerror(r), cert_size);
 172                 return;
 173         }
 174
 175         debug_print("writing %zd bytes\n",cert_size);
 176         if (claws_fwrite(&output, 1, cert_size, fp) < cert_size) {
 177                 g_warning("failed to write cert: %d %s", errno, g_strerror(errno));
 178         }
 179 }
 180
 181 size_t gnutls_i2d_X509(gnutls_x509_crt_t x509_cert, unsigned char **output)
 182 {
 183         size_t cert_size = 10*1024;
 184         int r;
 185
 186         if (output == NULL)
 187                 return 0;
 188
 189         *output = malloc(cert_size);
 190
 191         if ((r = gnutls_x509_crt_export(x509_cert, GNUTLS_X509_FMT_DER, *output, &cert_size)) < 0) {
 192                 g_warning("couldn't export cert %s (%zd)", gnutls_strerror(r), cert_size);
 193                 free(*output);
 194                 *output = NULL;
 195                 return 0;
 196         }
 197         return cert_size;
 198 }
 199
 200 size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey_t pkey, unsigned char **output)
 201 {
 202         size_t key_size = 10*1024;
 203         int r;
 204
 205         if (output == NULL)
 206                 return 0;
 207
 208         *output = malloc(key_size);
 209
 210         if ((r = gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, *output, &key_size)) < 0) {
 211                 g_warning("couldn't export key %s (%zd)", gnutls_strerror(r), key_size);
 212                 free(*output);
 213                 *output = NULL;
 214                 return 0;
 215         }
 216         return key_size;
 217 }
 218
 219 static int gnutls_import_X509_list_fp(FILE *fp, gnutls_x509_crt_fmt_t format,
 220                                    gnutls_x509_crt_t **cert_list, gint *num_certs)
 221 {
 222         gnutls_x509_crt_t *crt_list;
 223         unsigned int max = 512;
 224         unsigned int flags = 0;
 225         gnutls_datum_t tmp;
 226         struct stat s;
 227         int r;
 228
 229         *cert_list = NULL;
 230         *num_certs = 0;
 231
 232         if (fp == NULL)
 233                 return -ENOENT;
 234
 235         if (fstat(fileno(fp), &s) < 0) {
 236                 perror("fstat");
 237                 return -errno;
 238         }
 239
 240         crt_list=(gnutls_x509_crt_t*)malloc(max*sizeof(gnutls_x509_crt_t));
 241         tmp.data = malloc(s.st_size);
 242         memset(tmp.data, 0, s.st_size);
 243         tmp.size = s.st_size;
 244         if (claws_fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
 245                 perror("claws_fread");
 246                 free(tmp.data);
 247                 free(crt_list);
 248                 return -EIO;
 249         }
 250
 251         if ((r = gnutls_x509_crt_list_import(crt_list, &max,
 252                         &tmp, format, flags)) < 0) {
 253                 debug_print("cert import failed: %s\n", gnutls_strerror(r));
 254                 free(tmp.data);
 255                 free(crt_list);
 256                 return r;
 257         }
 258         free(tmp.data);
 259         debug_print("got %d certs in crt_list! %p\n", max, &crt_list);
 260
 261         *cert_list = crt_list;
 262         *num_certs = max;
 263
 264         return r;
 265 }
 266
 267 /* return one certificate, read from file */
 268 static gnutls_x509_crt_t gnutls_import_X509_fp(FILE *fp, gnutls_x509_crt_fmt_t format)
 269 {
 270         gnutls_x509_crt_t *certs = NULL;
 271         gnutls_x509_crt_t cert = NULL;
 272         int i, ncerts, r;
 273
 274         if ((r = gnutls_import_X509_list_fp(fp, format, &certs, &ncerts)) < 0) {
 275                 return NULL;
 276         }
 277
 278         if (ncerts == 0)
 279                 return NULL;
 280
 281         for (i = 1; i < ncerts; i++)
 282                 gnutls_x509_crt_deinit(certs[i]);
 283
 284         cert = certs[0];
 285         free(certs);
 286
 287         return cert;
 288 }
 289
 290 static gnutls_x509_privkey_t gnutls_import_key_fp(FILE *fp, gnutls_x509_crt_fmt_t format)
 291 {
 292         gnutls_x509_privkey_t key = NULL;
 293         gnutls_datum_t tmp;
 294         struct stat s;
 295         int r;
 296         if (fstat(fileno(fp), &s) < 0) {
 297                 perror("fstat");
 298                 return NULL;
 299         }
 300         tmp.data = malloc(s.st_size);
 301         memset(tmp.data, 0, s.st_size);
 302         tmp.size = s.st_size;
 303         if (claws_fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
 304                 perror("claws_fread");
 305                 free(tmp.data);
 306                 return NULL;
 307         }
 308
 309         gnutls_x509_privkey_init(&key);
 310         if ((r = gnutls_x509_privkey_import(key, &tmp, format)) < 0) {
 311                 debug_print("key import failed: %s\n", gnutls_strerror(r));
 312                 gnutls_x509_privkey_deinit(key);
 313                 key = NULL;
 314         }
 315         free(tmp.data);
 316         debug_print("got key! %p\n", key);
 317         return key;
 318 }
 319
 320 static gnutls_pkcs12_t gnutls_import_PKCS12_fp(FILE *fp, gnutls_x509_crt_fmt_t format)
 321 {
 322         gnutls_pkcs12_t p12 = NULL;
 323         gnutls_datum_t tmp;
 324         struct stat s;
 325         int r;
 326         if (fstat(fileno(fp), &s) < 0) {
 327                 log_error(LOG_PROTOCOL, _("Cannot stat P12 certificate file (%s)\n"),
 328                                   g_strerror(errno));
 329                 return NULL;
 330         }
 331         tmp.data = malloc(s.st_size);
 332         memset(tmp.data, 0, s.st_size);
 333         tmp.size = s.st_size;
 334         if (claws_fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
 335                 log_error(LOG_PROTOCOL, _("Cannot read P12 certificate file (%s)\n"),
 336                                   g_strerror(errno));
 337                 free(tmp.data);
 338                 return NULL;
 339         }
 340
 341         gnutls_pkcs12_init(&p12);
 342
 343         if ((r = gnutls_pkcs12_import(p12, &tmp, format, 0)) < 0) {
 344                 log_error(LOG_PROTOCOL, _("Cannot import P12 certificate file (%s)\n"),
 345                                   gnutls_strerror(r));
 346                 gnutls_pkcs12_deinit(p12);
 347                 p12 = NULL;
 348         }
 349         free(tmp.data);
 350         debug_print("got p12! %p\n", p12);
 351         return p12;
 352 }
 353
 354 static void ssl_certificate_save (SSLCertificate *cert)
 355 {
 356         gchar *file, *port;
 357         FILE *fp;
 358
 359         file = g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S,
 360                           "certs", G_DIR_SEPARATOR_S, NULL);
 361
 362         if (!is_dir_exist(file))
 363                 make_dir_hier(file);
 364         g_free(file);
 365
 366         port = g_strdup_printf("%d", cert->port);
 367         file = get_certificate_path(cert->host, port, cert->fingerprint);
 368
 369         g_free(port);
 370         fp = claws_fopen(file, "wb");
 371         if (fp == NULL) {
 372                 g_free(file);
 373                 debug_print("Can't save certificate !\n");
 374                 return;
 375         }
 376
 377         gnutls_export_X509_fp(fp, cert->x509_cert, GNUTLS_X509_FMT_DER);
 378
 379         g_free(file);
 380         claws_safe_fclose(fp);
 381
 382 }
 383
 384 void ssl_certificate_destroy(SSLCertificate *cert)
 385 {
 386         if (cert == NULL)
 387                 return;
 388
 389         if (cert->x509_cert)
 390                 gnutls_x509_crt_deinit(cert->x509_cert);
 391         g_free(cert->host);
 392         g_free(cert->fingerprint);
 393         g_free(cert);
 394         cert = NULL;
 395 }
 396
 397 void ssl_certificate_delete_from_disk(SSLCertificate *cert)
 398 {
 399         gchar *buf;
 400         gchar *file;
 401         buf = g_strdup_printf("%d", cert->port);
 402         file = get_certificate_path(cert->host, buf, cert->fingerprint);
 403         claws_unlink (file);
 404         g_free(file);
 405         file = get_certificate_chain_path(cert->host, buf, cert->fingerprint);
 406         claws_unlink (file);
 407         g_free(file);
 408         g_free(buf);
 409 }
 410
 411 SSLCertificate *ssl_certificate_find (const gchar *host, gushort port, const gchar *fingerprint)
 412 {
 413         gchar *file = NULL;
 414         gchar *buf;
 415         SSLCertificate *cert = NULL;
 416         gnutls_x509_crt_t tmp_x509;
 417         FILE *fp = NULL;
 418         gboolean must_rename = FALSE;
 419
 420         buf = g_strdup_printf("%d", port);
 421
 422         if (fingerprint != NULL) {
 423                 file = get_certificate_path(host, buf, fingerprint);
 424                 fp = claws_fopen(file, "rb");
 425         }
 426         if (fp == NULL) {
 427                 /* see if we have the old one */
 428                 debug_print("didn't get %s\n", file);
 429                 g_free(file);
 430                 file = get_certificate_path(host, buf, NULL);
 431                 fp = claws_fopen(file, "rb");
 432
 433                 if (fp) {
 434                         debug_print("got %s\n", file);
 435                         must_rename = (fingerprint != NULL);
 436                 }
 437         } else {
 438                 debug_print("got %s first try\n", file);
 439         }
 440         if (fp == NULL) {
 441                 g_free(file);
 442                 g_free(buf);
 443                 return NULL;
 444         }
 445
 446         if ((tmp_x509 = gnutls_import_X509_fp(fp, GNUTLS_X509_FMT_DER)) != NULL) {
 447                 cert = ssl_certificate_new(tmp_x509, host, port);
 448                 debug_print("got cert %p\n", cert);
 449                 gnutls_x509_crt_deinit(tmp_x509);
 450         }
 451
 452         claws_fclose(fp);
 453         g_free(file);
 454
 455         if (must_rename) {
 456                 gchar *old = get_certificate_path(host, buf, NULL);
 457                 gchar *new = get_certificate_path(host, buf, fingerprint);
 458                 if (strcmp(old, new))
 459                         move_file(old, new, TRUE);
 460                 g_free(old);
 461                 g_free(new);
 462         }
 463         g_free(buf);
 464
 465         return cert;
 466 }
 467
 468 static gboolean ssl_certificate_compare (SSLCertificate *cert_a, SSLCertificate *cert_b)
 469 {
 470         char *output_a;
 471         char *output_b;
 472         size_t cert_size_a = 0, cert_size_b = 0;
 473         int r;
 474
 475         if (cert_a == NULL || cert_b == NULL)
 476                 return FALSE;
 477
 478         if ((r = gnutls_x509_crt_export(cert_a->x509_cert, GNUTLS_X509_FMT_DER, NULL, &cert_size_a))
 479             != GNUTLS_E_SHORT_MEMORY_BUFFER) {
 480                 g_warning("couldn't gnutls_x509_crt_export to get size a %s", gnutls_strerror(r));
 481                 return FALSE;
 482         }
 483
 484         if ((r = gnutls_x509_crt_export(cert_b->x509_cert, GNUTLS_X509_FMT_DER, NULL, &cert_size_b))
 485             != GNUTLS_E_SHORT_MEMORY_BUFFER) {
 486                 g_warning("couldn't gnutls_x509_crt_export to get size b %s", gnutls_strerror(r));
 487                 return FALSE;
 488         }
 489
 490         output_a = g_malloc(cert_size_a);
 491         output_b = g_malloc(cert_size_b);
 492         if ((r = gnutls_x509_crt_export(cert_a->x509_cert, GNUTLS_X509_FMT_DER, output_a, &cert_size_a)) < 0) {
 493                 g_warning("couldn't gnutls_x509_crt_export a %s", gnutls_strerror(r));
 494                 g_free(output_a);
 495                 g_free(output_b);
 496                 return FALSE;
 497         }
 498         if ((r = gnutls_x509_crt_export(cert_b->x509_cert, GNUTLS_X509_FMT_DER, output_b, &cert_size_b)) < 0) {
 499                 g_warning("couldn't gnutls_x509_crt_export b %s", gnutls_strerror(r));
 500                 g_free(output_a);
 501                 g_free(output_b);
 502                 return FALSE;
 503         }
 504         if (cert_size_a != cert_size_b) {
 505                 g_warning("size differ %zd %zd", cert_size_a, cert_size_b);
 506                 g_free(output_a);
 507                 g_free(output_b);
 508                 return FALSE;
 509         }
 510         if (memcmp(output_a, output_b, cert_size_a)) {
 511                 g_warning("contents differ");
 512                 g_free(output_a);
 513                 g_free(output_b);
 514                 return FALSE;
 515         }
 516         g_free(output_a);
 517         g_free(output_b);
 518
 519         return TRUE;
 520 }
 521
 522 static guint check_cert(SSLCertificate *cert)
 523 {
 524         gnutls_x509_crt_t *ca_list = NULL;
 525         gnutls_x509_crt_t *chain = NULL;
 526         unsigned int max_ca = 512, max_certs;
 527         unsigned int flags = 0;
 528         int r, i;
 529         unsigned int status;
 530         gchar *chain_file = NULL, *buf = NULL;
 531         FILE *fp;
 532
 533         if (claws_ssl_get_cert_file())
 534                 fp = claws_fopen(claws_ssl_get_cert_file(), "r");
 535         else
 536                 return (guint)-1;
 537
 538         if (fp == NULL)
 539                 return (guint)-1;
 540
 541         if ((r = gnutls_import_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &ca_list, &max_ca)) < 0) {
 542                 debug_print("CA import failed: %s\n", gnutls_strerror(r));
 543                 claws_fclose(fp);
 544                 return (guint)-1;
 545         }
 546         claws_fclose(fp);
 547         fp = NULL;
 548
 549         buf = g_strdup_printf("%d", cert->port);
 550         chain_file = get_certificate_chain_path(cert->host, buf, cert->fingerprint);
 551         g_free(buf);
 552         if (is_file_exist(chain_file)) {
 553                 unsigned char md[128];
 554                 size_t n = 128;
 555                 char *fingerprint;
 556
 557                 fp = claws_fopen(chain_file, "r");
 558                 if (fp == NULL) {
 559                         debug_print("claws_fopen %s failed: %s\n", chain_file, g_strerror(errno));
 560                         g_free(chain_file);
 561                         return (guint)-1;
 562                 }
 563                 if ((r = gnutls_import_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &chain, &max_certs)) < 0) {
 564                         debug_print("chain import failed: %s\n", gnutls_strerror(r));
 565                         claws_fclose(fp);
 566                         g_free(chain_file);
 567                         return (guint)-1;
 568                 }
 569                 g_free(chain_file);
 570                 claws_fclose(fp);
 571                 fp = NULL;
 572
 573                 gnutls_x509_crt_get_fingerprint(chain[0], GNUTLS_DIG_MD5, md, &n);
 574                 fingerprint = readable_fingerprint(md, n);
 575                 if (!fingerprint || strcmp(fingerprint, cert->fingerprint)) {
 576                         debug_print("saved chain fingerprint does not match current : %s / %s\n",
 577                                 cert->fingerprint, fingerprint);
 578
 579                         return (guint)-1;
 580                 }
 581                 g_free(fingerprint);
 582
 583                 r = gnutls_x509_crt_list_verify (chain,
 584                                      max_certs,
 585                                      ca_list, max_ca,
 586                                      NULL, 0,
 587                                      GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
 588                                      &status);
 589                 if (r < 0)
 590                         debug_print("chain check failed: %s\n", gnutls_strerror(r));
 591
 592                 for (i = 0; i < max_certs; i++)
 593                         gnutls_x509_crt_deinit(chain[i]);
 594                 free(chain);
 595
 596         } else {
 597                 r = gnutls_x509_crt_verify(cert->x509_cert, ca_list, max_ca, flags, &status);
 598                 if (r < 0)
 599                         debug_print("cert check failed: %s\n", gnutls_strerror(r));
 600         }
 601
 602         for (i = 0; i < max_ca; i++)
 603                 gnutls_x509_crt_deinit(ca_list[i]);
 604         free(ca_list);
 605
 606         if (r < 0)
 607                 return (guint)-1;
 608         else
 609                 return status;
 610
 611 }
 612
 613 static gboolean ssl_certificate_is_valid(SSLCertificate *cert, guint status)
 614 {
 615         gchar *str_status = ssl_certificate_check_signer(cert, status);
 616
 617         if (str_status != NULL) {
 618                 g_free(str_status);
 619                 return FALSE;
 620         }
 621         return ssl_certificate_check_subject_cn(cert);
 622 }
 623
 624 char *ssl_certificate_check_signer (SSLCertificate *cert, guint status)
 625 {
 626         gnutls_x509_crt_t x509_cert = cert ? cert->x509_cert : NULL;
 627
 628         if (!cert)
 629                 return g_strdup(_("Internal error"));
 630
 631         if (status == (guint)-1) {
 632                 status = check_cert(cert);
 633                 if (status == -1)
 634                         return g_strdup(_("Uncheckable"));
 635         }
 636         if (status & GNUTLS_CERT_INVALID) {
 637                 if (gnutls_x509_crt_check_issuer(x509_cert, x509_cert))
 638                         return g_strdup(_("Self-signed certificate"));
 639         }
 640         if (status & GNUTLS_CERT_REVOKED)
 641                 return g_strdup(_("Revoked certificate"));
 642         if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
 643                 return g_strdup(_("No certificate issuer found"));
 644         if (status & GNUTLS_CERT_SIGNER_NOT_CA)
 645                 return g_strdup(_("Certificate issuer is not a CA"));
 646
 647
 648         return NULL;
 649 }
 650
 651 static void ssl_certificate_save_chain(gnutls_x509_crt_t *certs, gint len, const gchar *host, gushort port)
 652 {
 653         gint i;
 654         gchar *file = NULL;
 655         FILE *fp = NULL;
 656
 657         for (i = 0; i < len; i++) {
 658                 size_t n;
 659                 unsigned char md[128];
 660                 gnutls_x509_crt_t cert = certs[i];
 661
 662                 if (i == 0) {
 663                         n = sizeof(md);
 664                         gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_MD5, md, &n);
 665                         gchar *fingerprint = readable_fingerprint(md, n);
 666                         gchar *buf = g_strdup_printf("%d", port);
 667
 668                         file = get_certificate_chain_path(host, buf, fingerprint);
 669                         g_free(fingerprint);
 670
 671                         g_free(buf);
 672
 673                         fp = claws_fopen(file, "wb");
 674                         if (fp == NULL) {
 675                                 g_free(file);
 676                                 debug_print("Can't save certificate !\n");
 677                                 return;
 678                         }
 679                         g_free(file);
 680                 }
 681
 682                 gnutls_export_X509_fp(fp, cert, GNUTLS_X509_FMT_PEM);
 683
 684         }
 685         if (fp)
 686                 claws_safe_fclose(fp);
 687 }
 688
 689 gboolean ssl_certificate_check (gnutls_x509_crt_t x509_cert, guint status,
 690                                 const gchar *host, gushort port,
 691                                 gboolean accept_if_valid)
 692 {
 693         SSLCertificate *current_cert = NULL;
 694         SSLCertificate *known_cert;
 695         SSLCertHookData cert_hook_data;
 696         gchar *fingerprint;
 697         size_t n;
 698         unsigned char md[128];
 699         gboolean valid = FALSE;
 700
 701         current_cert = ssl_certificate_new(x509_cert, host, port);
 702
 703         if (current_cert == NULL) {
 704                 debug_print("Buggy certificate !\n");
 705                 return FALSE;
 706         }
 707
 708         current_cert->status = status;
 709         /* fingerprint */
 710         n = sizeof(md);
 711         gnutls_x509_crt_get_fingerprint(x509_cert, GNUTLS_DIG_MD5, md, &n);
 712         fingerprint = readable_fingerprint(md, n);
 713
 714         known_cert = ssl_certificate_find(host, port, fingerprint);
 715
 716         g_free(fingerprint);
 717
 718         if (accept_if_valid)
 719                 valid = ssl_certificate_is_valid(current_cert, status);
 720         else
 721                 valid = FALSE; /* Force check */
 722
 723         if (known_cert == NULL) {
 724                 if (valid) {
 725                         ssl_certificate_save(current_cert);
 726                         ssl_certificate_destroy(current_cert);
 727                         return TRUE;
 728                 }
 729
 730                 cert_hook_data.cert = current_cert;
 731                 cert_hook_data.old_cert = NULL;
 732                 cert_hook_data.expired = FALSE;
 733                 cert_hook_data.accept = FALSE;
 734
 735                 hooks_invoke(SSLCERT_ASK_HOOKLIST, &cert_hook_data);
 736
 737                 if (!cert_hook_data.accept) {
 738                         ssl_certificate_destroy(current_cert);
 739                         return FALSE;
 740                 } else {
 741                         ssl_certificate_save(current_cert);
 742                         ssl_certificate_destroy(current_cert);
 743                         return TRUE;
 744                 }
 745         } else if (!ssl_certificate_compare (current_cert, known_cert)) {
 746                 if (valid) {
 747                         ssl_certificate_save(current_cert);
 748                         ssl_certificate_destroy(current_cert);
 749                         ssl_certificate_destroy(known_cert);
 750                         return TRUE;
 751                 }
 752
 753                 cert_hook_data.cert = current_cert;
 754                 cert_hook_data.old_cert = known_cert;
 755                 cert_hook_data.expired = FALSE;
 756                 cert_hook_data.accept = FALSE;
 757
 758                 hooks_invoke(SSLCERT_ASK_HOOKLIST, &cert_hook_data);
 759
 760                 if (!cert_hook_data.accept) {
 761                         ssl_certificate_destroy(current_cert);
 762                         ssl_certificate_destroy(known_cert);
 763                         return FALSE;
 764                 } else {
 765                         ssl_certificate_save(current_cert);
 766                         ssl_certificate_destroy(current_cert);
 767                         ssl_certificate_destroy(known_cert);
 768                         return TRUE;
 769                 }
 770         } else if (gnutls_x509_crt_get_expiration_time(current_cert->x509_cert) < time(NULL)) {
 771                 gchar *tmp = g_strdup_printf("%s:%d", current_cert->host, current_cert->port);
 772
 773                 if (warned_expired == NULL)
 774                         warned_expired = g_hash_table_new(g_str_hash, g_str_equal);
 775
 776                 if (g_hash_table_lookup(warned_expired, tmp)) {
 777                         g_free(tmp);
 778                         ssl_certificate_destroy(current_cert);
 779                         ssl_certificate_destroy(known_cert);
 780                         return TRUE;
 781                 }
 782
 783                 cert_hook_data.cert = current_cert;
 784                 cert_hook_data.old_cert = NULL;
 785                 cert_hook_data.expired = TRUE;
 786                 cert_hook_data.accept = FALSE;
 787
 788                 hooks_invoke(SSLCERT_ASK_HOOKLIST, &cert_hook_data);
 789
 790                 if (!cert_hook_data.accept) {
 791                         g_free(tmp);
 792                         ssl_certificate_destroy(current_cert);
 793                         ssl_certificate_destroy(known_cert);
 794                         return FALSE;
 795                 } else {
 796                         g_hash_table_insert(warned_expired, tmp, GINT_TO_POINTER(1));
 797                         ssl_certificate_destroy(current_cert);
 798                         ssl_certificate_destroy(known_cert);
 799                         return TRUE;
 800                 }
 801         }
 802
 803         ssl_certificate_destroy(current_cert);
 804         ssl_certificate_destroy(known_cert);
 805         return TRUE;
 806 }
 807
 808 gboolean ssl_certificate_check_chain(gnutls_x509_crt_t *certs, gint chain_len,
 809                                      const gchar *host, gushort port,
 810                                      gboolean accept_if_valid)
 811 {
 812         int ncas = 0;
 813         gnutls_x509_crt_t *cas = NULL;
 814         gboolean result = FALSE;
 815         int i;
 816         gint status;
 817
 818         if (claws_ssl_get_cert_file()) {
 819                 FILE *fp = claws_fopen(claws_ssl_get_cert_file(), "rb");
 820                 int r = -errno;
 821
 822                 if (fp) {
 823                         r = gnutls_import_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &cas, &ncas);
 824                         claws_fclose(fp);
 825                 }
 826
 827                 if (r < 0)
 828                         g_warning("Can't read SSL_CERT_FILE '%s': %s",
 829                                 claws_ssl_get_cert_file(),
 830                                 gnutls_strerror(r));
 831         } else {
 832                 debug_print("Can't find SSL ca-certificates file\n");
 833         }
 834
 835
 836         gnutls_x509_crt_list_verify (certs,
 837                              chain_len,
 838                              cas, ncas,
 839                              NULL, 0,
 840                              GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
 841                              &status);
 842
 843         result = ssl_certificate_check(certs[0], status, host, port,
 844                                         accept_if_valid);
 845
 846         if (result == TRUE) {
 847                 ssl_certificate_save_chain(certs, chain_len, host, port);
 848         }
 849
 850         for (i = 0; i < ncas; i++)
 851                 gnutls_x509_crt_deinit(cas[i]);
 852         free(cas);
 853
 854         return result;
 855 }
 856
 857 gnutls_x509_crt_t ssl_certificate_get_x509_from_pem_file(const gchar *file)
 858 {
 859         gnutls_x509_crt_t x509 = NULL;
 860         if (!file)
 861                 return NULL;
 862
 863         if (is_file_exist(file)) {
 864                 FILE *fp = claws_fopen(file, "r");
 865                 if (fp) {
 866                         x509 = gnutls_import_X509_fp(fp, GNUTLS_X509_FMT_PEM);
 867                         claws_fclose(fp);
 868                         return x509;
 869                 } else {
 870                         log_error(LOG_PROTOCOL, _("Cannot open certificate file %s: %s\n"),
 871                                   file, g_strerror(errno));
 872                 }
 873         } else {
 874                 log_error(LOG_PROTOCOL, _("Certificate file %s missing (%s)\n"),
 875                           file, g_strerror(errno));
 876         }
 877         return NULL;
 878 }
 879
 880 gnutls_x509_privkey_t ssl_certificate_get_pkey_from_pem_file(const gchar *file)
 881 {
 882         gnutls_x509_privkey_t key = NULL;
 883         if (!file)
 884                 return NULL;
 885
 886         if (is_file_exist(file)) {
 887                 FILE *fp = claws_fopen(file, "r");
 888                 if (fp) {
 889                         key = gnutls_import_key_fp(fp, GNUTLS_X509_FMT_PEM);
 890                         claws_fclose(fp);
 891                         return key;
 892                 } else {
 893                         log_error(LOG_PROTOCOL, _("Cannot open key file %s (%s)\n"),
 894                         file, g_strerror(errno));
 895                 }
 896         } else {
 897                 log_error(LOG_PROTOCOL, _("Key file %s missing (%s)\n"), file,
 898                           g_strerror(errno));
 899         }
 900         return NULL;
 901 }
 902
 903 /* From GnuTLS lib/gnutls_x509.c */
 904 static int
 905 parse_pkcs12 (gnutls_pkcs12_t p12,
 906               const char *password,
 907               gnutls_x509_privkey_t * key,
 908               gnutls_x509_crt_t * cert)
 909 {
 910   gnutls_pkcs12_bag_t bag = NULL;
 911   int index = 0;
 912   int ret;
 913
 914   for (;;)
 915     {
 916       int elements_in_bag;
 917       int i;
 918
 919       ret = gnutls_pkcs12_bag_init (&bag);
 920       if (ret < 0)
 921         {
 922           bag = NULL;
 923           goto done;
 924         }
 925
 926       ret = gnutls_pkcs12_get_bag (p12, index, bag);
 927       if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
 928         break;
 929       if (ret < 0)
 930         {
 931           goto done;
 932         }
 933
 934       ret = gnutls_pkcs12_bag_get_type (bag, 0);
 935       if (ret < 0)
 936         {
 937           goto done;
 938         }
 939
 940       if (ret == GNUTLS_BAG_ENCRYPTED)
 941         {
 942           ret = gnutls_pkcs12_bag_decrypt (bag, password);
 943           if (ret < 0)
 944             {
 945               goto done;
 946             }
 947         }
 948
 949       elements_in_bag = gnutls_pkcs12_bag_get_count (bag);
 950       if (elements_in_bag < 0)
 951         {
 952           goto done;
 953         }
 954
 955       for (i = 0; i < elements_in_bag; i++)
 956         {
 957           int type;
 958           gnutls_datum_t data;
 959
 960           type = gnutls_pkcs12_bag_get_type (bag, i);
 961           if (type < 0)
 962             {
 963               goto done;
 964             }
 965
 966           ret = gnutls_pkcs12_bag_get_data (bag, i, &data);
 967           if (ret < 0)
 968             {
 969               goto done;
 970             }
 971
 972           switch (type)
 973             {
 974             case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
 975             case GNUTLS_BAG_PKCS8_KEY:
 976               ret = gnutls_x509_privkey_init (key);
 977               if (ret < 0)
 978                 {
 979                   goto done;
 980                 }
 981
 982               ret = gnutls_x509_privkey_import_pkcs8
 983                 (*key, &data, GNUTLS_X509_FMT_DER, password,
 984                  type == GNUTLS_BAG_PKCS8_KEY ? GNUTLS_PKCS_PLAIN : 0);
 985               if (ret < 0)
 986                 {
 987                   goto done;
 988                 }
 989               break;
 990
 991             case GNUTLS_BAG_CERTIFICATE:
 992               ret = gnutls_x509_crt_init (cert);
 993               if (ret < 0)
 994                 {
 995                   goto done;
 996                 }
 997
 998               ret =
 999                 gnutls_x509_crt_import (*cert, &data, GNUTLS_X509_FMT_DER);
1000               if (ret < 0)
1001                 {
1002                   goto done;
1003                 }
1004               break;
1005
1006             case GNUTLS_BAG_ENCRYPTED:
1007               /* XXX Bother to recurse one level down?  Unlikely to
1008                  use the same password anyway. */
1009             case GNUTLS_BAG_EMPTY:
1010             default:
1011               break;
1012             }
1013         }
1014
1015       index++;
1016       gnutls_pkcs12_bag_deinit (bag);
1017     }
1018
1019   ret = 0;
1020
1021 done:
1022   if (bag)
1023     gnutls_pkcs12_bag_deinit (bag);
1024
1025   return ret;
1026 }
1027 void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gchar *password,
1028                         gnutls_x509_crt_t *x509, gnutls_x509_privkey_t *pkey)
1029 {
1030         gnutls_pkcs12_t p12 = NULL;
1031
1032         int r;
1033
1034         *x509 = NULL;
1035         *pkey = NULL;
1036         if (!file)
1037                 return;
1038
1039         if (is_file_exist(file)) {
1040                 FILE *fp = claws_fopen(file, "r");
1041                 if (fp) {
1042                         p12 = gnutls_import_PKCS12_fp(fp, GNUTLS_X509_FMT_DER);
1043                         claws_fclose(fp);
1044                         if (!p12) {
1045                                 log_error(LOG_PROTOCOL, _("Failed to read P12 certificate file %s\n"), file);
1046                         }
1047                 } else {
1048                         log_error(LOG_PROTOCOL, _("Cannot open P12 certificate file %s (%s)\n"),
1049                                   file, g_strerror(errno));
1050                 }
1051         } else {
1052                 log_error(LOG_PROTOCOL, _("P12 Certificate file %s missing (%s)\n"), file,
1053                           g_strerror(errno));
1054         }
1055         if (p12 != NULL) {
1056                 if ((r = parse_pkcs12(p12, password, pkey, x509)) == 0) {
1057                         debug_print("got p12\n");
1058                 } else {
1059                         log_error(LOG_PROTOCOL, "%s\n", gnutls_strerror(r));
1060                 }
1061                 gnutls_pkcs12_deinit(p12);
1062         }
1063 }
1064
1065 gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert)
1066 {
1067         return gnutls_x509_crt_check_hostname(cert->x509_cert, cert->host) != 0;
1068 }
1069
1070 gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert)
1071 {
1072         gchar subject_cn[BUFFSIZE];
1073         size_t n = BUFFSIZE;
1074
1075         if(gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
1076                 GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_cn, &n))
1077                 return g_strdup(_("<not in certificate>"));
1078
1079         return g_strdup(subject_cn);
1080 }
1081
1082 #endif /* USE_GNUTLS */