Add OpenBSD CA cert path.
[claws.git] / src / common / ssl.c
index 1c7c335ba2dbe2214789398fbb36898ff84556c4..bc8ab7de7bcf03424dcea7909dc20923d9da64cf 100644 (file)
@@ -57,6 +57,12 @@ typedef struct _thread_data {
 } thread_data;
 #endif
 
+#if GNUTLS_VERSION_NUMBER < 0x030400
+#define DEFAULT_GNUTLS_PRIORITY "NORMAL:-VERS-SSL3.0"
+#else
+#define DEFAULT_GNUTLS_PRIORITY "NORMAL"
+#endif
+
 #if GNUTLS_VERSION_NUMBER <= 0x020c00
 static int gnutls_client_cert_cb(gnutls_session_t session,
                                const gnutls_datum_t *req_ca_rdn, int nreqs,
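Review bot: The version split in DEFAULT_GNUTLS_PRIORITY (L8–L12) is undocumented: nothing says why 0x030400 is the cutoff or what the bare "NORMAL" string is assumed to exclude above it, so a later reader cannot tell whether moving the threshold is safe. Add a comment above the `#if`, e.g. `/* Presumably GnuTLS >= 3.4.0 leaves SSL 3.0 out of NORMAL by default, so the explicit -VERS-SSL3.0 is only needed on older releases; TLS 1.0 and 1.1 stay enabled in both branches. */`. If that assumption about 3.4.0 is ever found to be wrong, the comment is what makes the bug findable.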
@@ -83,8 +89,10 @@ static int gnutls_cert_cb(gnutls_session_t session,
        hookdata.is_smtp = sockinfo->is_smtp;
        hooks_invoke(SSLCERT_GET_CLIENT_CERT_HOOKLIST, &hookdata);      
 
-       if (hookdata.cert_path == NULL)
+       if (hookdata.cert_path == NULL) {
+               g_free(hookdata.password);
                return 0;
+       }
 
        sockinfo->client_crt = ssl_certificate_get_x509_from_pem_file(hookdata.cert_path);
        sockinfo->client_key = ssl_certificate_get_pkey_from_pem_file(hookdata.cert_path);
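Review bot: The early-return path at L23 releases hookdata.password with a plain g_free(), so if this field holds a client-certificate passphrase (its allocation and use are outside this hunk) the secret stays in freed heap memory until the allocator reuses it. Wipe before freeing, e.g. `if (hookdata.password) memset(hookdata.password, 0, strlen(hookdata.password));` ahead of the g_free(), keeping in mind that a plain memset() before free() can be optimised away, so a volatile-based or explicit_bzero()-style wipe is preferable where the project has one. The free also assumes hookdata.password was initialised to NULL or set by the hook before hooks_invoke() at L19; the function's start is outside the hunk, so that cannot be confirmed here.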
@@ -106,14 +114,18 @@ static int gnutls_cert_cb(gnutls_session_t session,
                st->cert.x509 = &(sockinfo->client_crt);
                st->key.x509 = sockinfo->client_key;
                st->deinit_all = 0;
+               g_free(hookdata.password);
                return 0;
        }
+       g_free(hookdata.password);
        return 0;
 }
 
 const gchar *claws_ssl_get_cert_file(void)
 {
+#ifndef G_OS_WIN32
        const char *cert_files[]={
+               "/etc/ssl/cert.pem",
                "/etc/pki/tls/certs/ca-bundle.crt",
                "/etc/certs/ca-bundle.crt",
                "/etc/ssl/ca-bundle.pem",
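Review bot: Placing `/etc/ssl/cert.pem` at the head of cert_files (L44) changes which trust store wins on hosts that have more than one of these files, because claws_ssl_get_cert_file() (whose loop continues in the next hunk) returns the first existing path as the sole trust source. On some Linux systems that path is a symlink to the same bundle as the entries below it, but where it is a different or stale file it now silently takes precedence over /etc/pki/tls/certs/ca-bundle.crt. The order is therefore a trust decision and deserves a comment above the array, e.g. `/* Probed in order; the first existing file becomes the only trust store, so the more authoritative bundles must come first. */`.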
@@ -126,9 +138,12 @@ const gchar *claws_ssl_get_cert_file(void)
                "/usr/lib/ssl/cert.pem",
                NULL};
        int i;
-       
+#endif
+
+       /* We honor this environment variable on all platforms. */
        if (g_getenv("SSL_CERT_FILE"))
                return g_getenv("SSL_CERT_FILE");
+
 #ifndef G_OS_WIN32
        for (i = 0; cert_files[i]; i++) {
                if (is_file_exist(cert_files[i]))
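Review bot: `g_getenv("SSL_CERT_FILE")` at L56–L57 returns a non-NULL empty string when the variable is set but empty, so the function returns "" instead of falling through to the built-in list, and the caller's trust-file load then fails with only a warning. Treat an empty value as unset and read the variable once: `const gchar *env = g_getenv("SSL_CERT_FILE");` / `if (env && *env) return env;`. The returned pointer is owned by GLib and must not be freed by callers; that ownership rule is worth a line in a function comment, since the function now also serves the Windows build.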
@@ -136,7 +151,7 @@ const gchar *claws_ssl_get_cert_file(void)
        }
        return NULL;
 #else
-       return get_cert_file();
+       return w32_get_cert_file();
 #endif
 }
 
@@ -255,11 +270,6 @@ static gint SSL_connect_nb(gnutls_session_t ssl)
 #endif
 }
 
-gboolean ssl_init_socket(SockInfo *sockinfo)
-{
-       return ssl_init_socket_with_method(sockinfo, SSL_METHOD_SSLv23);
-}
-
 gnutls_x509_crt_t *ssl_get_certificate_chain(gnutls_session_t session, gint *list_len)
 {
        const gnutls_datum_t *raw_cert_list;
@@ -275,6 +285,9 @@ gnutls_x509_crt_t *ssl_get_certificate_chain(gnutls_session_t session, gint *lis
        if (raw_cert_list && gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) {
                int i = 0;
 
+               if (*list_len > 128)
+                       *list_len = 128;
+
                certs = g_malloc(sizeof(gnutls_x509_crt_t) * (*list_len));
 
                for(i = 0 ; i < (*list_len) ; i++) {
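Review bot: The clamp at L87–L88 truncates the peer chain silently: when more than 128 certificates are presented only the first 128 are imported and the caller gets no indication that the chain it inspects is incomplete. Bounding the list before the g_malloc() and import loop is reasonable, but name the limit and log the truncation: `if (*list_len > MAX_PEER_CERTS) { g_warning("peer sent %d certificates, only %d used", *list_len, MAX_PEER_CERTS); *list_len = MAX_PEER_CERTS; }` with `#define MAX_PEER_CERTS 128` near the top of the file. list_len is a gint, so if it was filled from an unsigned GnuTLS count (the assignment is above the hunk) a value that wrapped negative would slip past the `> 128` test and reach g_malloc() with a negative element count; rejecting `*list_len <= 0` in the same check closes that. Whether a truncated chain is later verified or rejected depends on callers outside this hunk.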
@@ -283,7 +296,7 @@ gnutls_x509_crt_t *ssl_get_certificate_chain(gnutls_session_t session, gint *lis
                        gnutls_x509_crt_init(&certs[i]);
                        r = gnutls_x509_crt_import(certs[i], &raw_cert_list[i], GNUTLS_X509_FMT_DER);
                        if (r < 0) {
-                               g_warning("cert get failure: %d %s\n", r, gnutls_strerror(r));
+                               g_warning("cert get failure: %d %s", r, gnutls_strerror(r));
 
                                result = FALSE;
                                i--;
@@ -304,7 +317,7 @@ gnutls_x509_crt_t *ssl_get_certificate_chain(gnutls_session_t session, gint *lis
        return certs;
 }
 
-gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
+gboolean ssl_init_socket(SockInfo *sockinfo)
 {
        gnutls_session_t session;
        int r, i;
@@ -325,11 +338,9 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
                            sockinfo->gnutls_priority, r);
        }
        else {
-               if (method == 0)
-                       gnutls_priority_set_direct(session, "NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2", NULL);
-               else
-                       gnutls_priority_set_direct(session, "NORMAL", NULL);
+               gnutls_priority_set_direct(session, DEFAULT_GNUTLS_PRIORITY, NULL);
        }
+
        gnutls_record_disable_padding(session);
 
        gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
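Review bot: The return value of gnutls_priority_set_direct() at L119 is discarded, whereas the user-supplied branch just above (L112 logs r) checks it, so if the default string ever fails to parse the session silently continues with the library's own defaults rather than DEFAULT_GNUTLS_PRIORITY. Check and log it like the other branch: `r = gnutls_priority_set_direct(session, DEFAULT_GNUTLS_PRIORITY, NULL);` / `if (r != GNUTLS_E_SUCCESS) g_warning("Can't set default GnuTLS priority: %s", gnutls_strerror(r));`. Neither variant of the macro excludes TLS 1.0 or 1.1; whether the default should is a policy choice, but it belongs in a comment next to the macro rather than being left implicit. The enclosing ssl_init_socket() begins outside this hunk.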
@@ -337,7 +348,7 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
        if (claws_ssl_get_cert_file()) {
                r = gnutls_certificate_set_x509_trust_file(xcred, claws_ssl_get_cert_file(),  GNUTLS_X509_FMT_PEM);
                if (r < 0)
-                       g_warning("Can't read SSL_CERT_FILE %s: %s\n",
+                       g_warning("Can't read SSL_CERT_FILE '%s': %s",
                                claws_ssl_get_cert_file(), 
                                gnutls_strerror(r));
        } else {
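Review bot: The warning at L130 says "Can't read SSL_CERT_FILE" even when the path came from the built-in probe list rather than the environment variable, which sends a user debugging a bad /etc/ssl/cert.pem looking in the wrong place. claws_ssl_get_cert_file() is also called three times in this block (L126, L127, L131), re-walking the filesystem each time and in principle able to return a different path between the check and the load. Call it once and word the message neutrally: `const gchar *cert_file = claws_ssl_get_cert_file();` / `r = gnutls_certificate_set_x509_trust_file(xcred, cert_file, GNUTLS_X509_FMT_PEM);` / `g_warning("Can't read CA certificate file '%s': %s", cert_file, gnutls_strerror(r));`. On a failed load the code only warns; what that means for peer verification depends on the else branch and the caller, both of which lie past the end of this hunk.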