Rename i2d/d2i internal functions to clearer import/export.

[claws.git] / src / common / ssl_certificate.c

diff --git a/src/common/ssl_certificate.c b/src/common/ssl_certificate.c
index 4911acb8a94cefc7e459040ac4f155b56e00e032..6155fe3a8e502710214846031e681da7cb657bde 100644 (file)
--- a/src/common/ssl_certificate.c
+++ b/src/common/ssl_certificate.c
@@ -1,6 +1,6 @@
 /*
  * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
- * Copyright (C) 1999-2011 Colin Leroy <colin@colino.net> 
+ * Copyright (C) 1999-2012 Colin Leroy <colin@colino.net> 
  * and the Claws Mail team
  *
  * This program is free software; you can redistribute it and/or modify
@@ -20,6 +20,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include "config.h"
+#include "claws-features.h"
 #endif
 
 #ifdef USE_GNUTLS
@@ -33,6 +34,7 @@
 #include <stdio.h>
 #include <glib.h>
 #include <glib/gi18n.h>
+#include <errno.h>
 #ifdef G_OS_WIN32
 #  include <winsock2.h>
 #else
@@ -86,12 +88,13 @@ char * readable_fingerprint(unsigned char *src, int len)
 }
 
 #if USE_GNUTLS
-static gnutls_x509_crt x509_crt_copy(gnutls_x509_crt src)
+static gnutls_x509_crt_t x509_crt_copy(gnutls_x509_crt_t src)
 {
     int ret;
     size_t size;
-    gnutls_datum tmp;
-    gnutls_x509_crt dest;
+    gnutls_datum_t tmp;
+    gnutls_x509_crt_t dest;
+    size = 0;
     
     if (gnutls_x509_crt_init(&dest) != 0) {
        g_warning("couldn't gnutls_x509_crt_init\n");
@@ -127,7 +130,7 @@ static gnutls_x509_crt x509_crt_copy(gnutls_x509_crt src)
 }
 #endif
 
-static SSLCertificate *ssl_certificate_new(gnutls_x509_crt x509_cert, const gchar *host, gushort port)
+static SSLCertificate *ssl_certificate_new(gnutls_x509_crt_t x509_cert, const gchar *host, gushort port)
 {
        SSLCertificate *cert = g_new0(SSLCertificate, 1);
        size_t n;
@@ -150,13 +153,13 @@ static SSLCertificate *ssl_certificate_new(gnutls_x509_crt x509_cert, const gcha
 }
 
 #ifdef USE_GNUTLS
-static void gnutls_i2d_X509_fp(FILE *fp, gnutls_x509_crt x509_cert)
+static void gnutls_export_X509_fp(FILE *fp, gnutls_x509_crt_t x509_cert, gnutls_x509_crt_fmt_t format)
 {
        char output[10*1024];
        size_t cert_size = 10*1024;
        int r;
        
-       if ((r = gnutls_x509_crt_export(x509_cert, GNUTLS_X509_FMT_DER, output, &cert_size)) < 0) {
+       if ((r = gnutls_x509_crt_export(x509_cert, format, output, &cert_size)) < 0) {
                g_warning("couldn't export cert %s (%zd)\n", gnutls_strerror(r), cert_size);
                return;
        }
@@ -166,7 +169,7 @@ static void gnutls_i2d_X509_fp(FILE *fp, gnutls_x509_crt x509_cert)
        }
 }
 
-size_t gnutls_i2d_X509(gnutls_x509_crt x509_cert, unsigned char **output)
+size_t gnutls_i2d_X509(gnutls_x509_crt_t x509_cert, unsigned char **output)
 {
        size_t cert_size = 10*1024;
        int r;
@@ -185,7 +188,7 @@ size_t gnutls_i2d_X509(gnutls_x509_crt x509_cert, unsigned char **output)
        return cert_size;
 }
 
-size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey pkey, unsigned char **output)
+size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey_t pkey, unsigned char **output)
 {
        size_t key_size = 10*1024;
        int r;
@@ -204,40 +207,81 @@ size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey pkey, unsigned char **output)
        return key_size;
 }
 
-static gnutls_x509_crt gnutls_d2i_X509_fp(FILE *fp, int format)
+static int gnutls_import_X509_list_fp(FILE *fp, gnutls_x509_crt_fmt_t format,
+                                  gnutls_x509_crt_t **cert_list, gint *num_certs)
 {
-       gnutls_x509_crt cert = NULL;
-       gnutls_datum tmp;
+       gnutls_x509_crt_t *crt_list;
+       unsigned int max = 512;
+       unsigned int flags = 0;
+       gnutls_datum_t tmp;
        struct stat s;
        int r;
+
+       *cert_list = NULL;
+       *num_certs = 0;
+
+       if (fp == NULL)
+               return -ENOENT;
+
        if (fstat(fileno(fp), &s) < 0) {
                perror("fstat");
-               return NULL;
+               return -errno;
        }
+
+       crt_list=(gnutls_x509_crt_t*)malloc(max*sizeof(gnutls_x509_crt_t));
        tmp.data = malloc(s.st_size);
        memset(tmp.data, 0, s.st_size);
        tmp.size = s.st_size;
        if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
                perror("fread");
                free(tmp.data);
-               return NULL;
+               free(crt_list);
+               return -EIO;
        }
 
-       gnutls_x509_crt_init(&cert);
-       if ((r = gnutls_x509_crt_import(cert, &tmp, (format == 0)?GNUTLS_X509_FMT_DER:GNUTLS_X509_FMT_PEM)) < 0) {
+       if ((r = gnutls_x509_crt_list_import(crt_list, &max, 
+                       &tmp, format, flags)) < 0) {
                debug_print("cert import failed: %s\n", gnutls_strerror(r));
-               gnutls_x509_crt_deinit(cert);
-               cert = NULL;
+               free(tmp.data);
+               free(crt_list);
+               return r;
        }
        free(tmp.data);
-       debug_print("got cert! %p\n", cert);
+       debug_print("got %d certs in crt_list! %p\n", max, &crt_list);
+
+       *cert_list = crt_list;
+       *num_certs = max;
+
+       return r;
+}
+
+/* return one certificate, read from file */
+static gnutls_x509_crt_t gnutls_import_X509_fp(FILE *fp, gnutls_x509_crt_fmt_t format)
+{
+       gnutls_x509_crt_t *certs = NULL;
+       gnutls_x509_crt_t cert = NULL;
+       int i, ncerts, r;
+
+       if ((r = gnutls_import_X509_list_fp(fp, format, &certs, &ncerts)) < 0) {
+               return NULL;
+       }
+
+       if (ncerts == 0)
+               return NULL;
+
+       for (i = 1; i < ncerts; i++)
+               gnutls_x509_crt_deinit(certs[i]);
+
+       cert = certs[0];
+       free(certs);
+
        return cert;
 }
 
-static gnutls_x509_privkey gnutls_d2i_key_fp(FILE *fp, int format)
+static gnutls_x509_privkey_t gnutls_import_key_fp(FILE *fp, gnutls_x509_crt_fmt_t format)
 {
-       gnutls_x509_privkey key = NULL;
-       gnutls_datum tmp;
+       gnutls_x509_privkey_t key = NULL;
+       gnutls_datum_t tmp;
        struct stat s;
        int r;
        if (fstat(fileno(fp), &s) < 0) {
@@ -264,21 +308,23 @@ static gnutls_x509_privkey gnutls_d2i_key_fp(FILE *fp, int format)
        return key;
 }
 
-static gnutls_pkcs12_t gnutls_d2i_PKCS12_fp(FILE *fp, int format)
+static gnutls_pkcs12_t gnutls_import_PKCS12_fp(FILE *fp, gnutls_x509_crt_fmt_t format)
 {
        gnutls_pkcs12_t p12 = NULL;
-       gnutls_datum tmp;
+       gnutls_datum_t tmp;
        struct stat s;
        int r;
        if (fstat(fileno(fp), &s) < 0) {
-               perror("fstat");
+               log_error(LOG_PROTOCOL, _("Cannot stat P12 certificate file (%s)\n"),
+                                 strerror(errno));
                return NULL;
        }
        tmp.data = malloc(s.st_size);
        memset(tmp.data, 0, s.st_size);
        tmp.size = s.st_size;
        if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
-               perror("fread");
+               log_error(LOG_PROTOCOL, _("Cannot read P12 certificate file (%s)\n"),
+                                 strerror(errno));
                free(tmp.data);
                return NULL;
        }
@@ -286,7 +332,8 @@ static gnutls_pkcs12_t gnutls_d2i_PKCS12_fp(FILE *fp, int format)
        gnutls_pkcs12_init(&p12);
 
        if ((r = gnutls_pkcs12_import(p12, &tmp, (format == 0)?GNUTLS_X509_FMT_DER:GNUTLS_X509_FMT_PEM,0)) < 0) {
-               g_warning("p12 import failed: %s\n", gnutls_strerror(r));
+               log_error(LOG_PROTOCOL, _("Cannot import P12 certificate file (%s)\n"),
+                                 gnutls_strerror(r));
                gnutls_pkcs12_deinit(p12);
                p12 = NULL;
        }
@@ -319,11 +366,9 @@ static void ssl_certificate_save (SSLCertificate *cert)
                debug_print("Can't save certificate !\n");
                return;
        }
-#ifdef USE_GNUTLS
-       gnutls_i2d_X509_fp(fp, cert->x509_cert);
-#else
-       i2d_X509_fp(fp, cert->x509_cert);
-#endif
+
+       gnutls_export_X509_fp(fp, cert->x509_cert, GNUTLS_X509_FMT_DER);
+
        g_free(file);
        fclose(fp);
 
@@ -358,7 +403,7 @@ SSLCertificate *ssl_certificate_find (const gchar *host, gushort port, const gch
        gchar *file = NULL;
        gchar *buf;
        SSLCertificate *cert = NULL;
-       gnutls_x509_crt tmp_x509;
+       gnutls_x509_crt_t tmp_x509;
        FILE *fp = NULL;
        gboolean must_rename = FALSE;
 
@@ -388,7 +433,7 @@ SSLCertificate *ssl_certificate_find (const gchar *host, gushort port, const gch
                return NULL;
        }
        
-       if ((tmp_x509 = gnutls_d2i_X509_fp(fp, 0)) != NULL) {
+       if ((tmp_x509 = gnutls_import_X509_fp(fp, GNUTLS_X509_FMT_DER)) != NULL) {
                cert = ssl_certificate_new(tmp_x509, host, port);
                debug_print("got cert %p\n", cert);
                gnutls_x509_crt_deinit(tmp_x509);
@@ -463,13 +508,11 @@ static gboolean ssl_certificate_compare (SSLCertificate *cert_a, SSLCertificate
        return TRUE;
 }
 
-static guint check_cert(gnutls_x509_crt cert)
+static guint check_cert(gnutls_x509_crt_t cert)
 {
-       gnutls_x509_crt *ca_list;
+       gnutls_x509_crt_t *ca_list;
        unsigned int max = 512;
        unsigned int flags = 0;
-       gnutls_datum tmp;
-       struct stat s;
        int r, i;
        unsigned int status;
        FILE *fp;
@@ -479,34 +522,12 @@ static guint check_cert(gnutls_x509_crt cert)
        else
                return (guint)-1;
 
-       if (fstat(fileno(fp), &s) < 0) {
-               perror("fstat");
-               fclose(fp);
-               return (guint)-1;
-       }
-
-       ca_list=(gnutls_x509_crt_t*)malloc(max*sizeof(gnutls_x509_crt_t));
-       tmp.data = malloc(s.st_size);
-       memset(tmp.data, 0, s.st_size);
-       tmp.size = s.st_size;
-       if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
-               perror("fread");
-               free(tmp.data);
-               free(ca_list);
-               fclose(fp);
-               return (guint)-1;
-       }
-
-       if ((r = gnutls_x509_crt_list_import(ca_list, &max, 
-                       &tmp, GNUTLS_X509_FMT_PEM, flags)) < 0) {
+       if ((r = gnutls_import_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &ca_list, &max)) < 0) {
                debug_print("cert import failed: %s\n", gnutls_strerror(r));
-               free(tmp.data);
-               free(ca_list);
                fclose(fp);
                return (guint)-1;
        }
-       free(tmp.data);
-       debug_print("got %d certs in ca_list! %p\n", max, &ca_list);
+
        r = gnutls_x509_crt_verify(cert, ca_list, max, flags, &status);
        fclose(fp);
 
@@ -521,7 +542,7 @@ static guint check_cert(gnutls_x509_crt cert)
 
 }
 
-char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status) 
+char *ssl_certificate_check_signer (gnutls_x509_crt_t cert, guint status) 
 {
        if (status == (guint)-1) {
                status = check_cert(cert);
@@ -543,7 +564,7 @@ char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status)
        return NULL;
 }
 
-gboolean ssl_certificate_check (gnutls_x509_crt x509_cert, guint status, const gchar *host, gushort port)
+gboolean ssl_certificate_check (gnutls_x509_crt_t x509_cert, guint status, const gchar *host, gushort port)
 {
        SSLCertificate *current_cert = NULL;
        SSLCertificate *known_cert;
@@ -641,40 +662,91 @@ gboolean ssl_certificate_check (gnutls_x509_crt x509_cert, guint status, const g
        return TRUE;
 }
 
-gnutls_x509_crt ssl_certificate_get_x509_from_pem_file(const gchar *file)
+gboolean ssl_certificate_check_chain(gnutls_x509_crt_t *certs, gint chain_len, const gchar *host, gushort port)
+{
+       int ncas = 0, ncrls = 0;
+       gnutls_x509_crt_t *cas = NULL;
+       gnutls_x509_crl_t *crls = NULL;
+       gboolean result = FALSE;
+       int i;
+       gint status;
+
+       if (claws_ssl_get_cert_file()) {
+               FILE *fp = g_fopen(claws_ssl_get_cert_file(), "rb");
+               int r = -errno;
+
+               if (fp) {
+                       r = gnutls_import_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &cas, &ncas);
+                       fclose(fp);
+               }
+
+               if (r < 0)
+                       g_warning("Can't read SSL_CERT_FILE %s: %s\n",
+                               claws_ssl_get_cert_file(), 
+                               gnutls_strerror(r));
+       } else {
+               debug_print("Can't find SSL ca-certificates file\n");
+       }
+
+
+       gnutls_x509_crt_list_verify (certs,
+                             chain_len,
+                             cas, ncas,
+                             NULL, 0,
+                             GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+                             &status);
+
+       result = ssl_certificate_check(certs[0], status, host, port);
+
+       for (i = 0; i < ncas; i++)
+               gnutls_x509_crt_deinit(cas[i]);
+       free(cas);
+
+       return result;
+}
+
+gnutls_x509_crt_t ssl_certificate_get_x509_from_pem_file(const gchar *file)
 {
-       gnutls_x509_crt x509 = NULL;
+       gnutls_x509_crt_t x509 = NULL;
        if (!file)
                return NULL;
        
        if (is_file_exist(file)) {
                FILE *fp = g_fopen(file, "r");
                if (fp) {
-                       x509 = gnutls_d2i_X509_fp(fp, 1);
+                       x509 = gnutls_import_X509_fp(fp, GNUTLS_X509_FMT_PEM);
                        fclose(fp);
                        return x509;
+               } else {
+                       log_error(LOG_PROTOCOL, _("Cannot open certificate file %s: %s\n"),
+                                 file, strerror(errno));
                }
        } else {
-               log_error(LOG_PROTOCOL, _("Cannot open certificate file %s\n"), file);
+               log_error(LOG_PROTOCOL, _("Certificate file %s missing (%s)\n"),
+                         file, strerror(errno));
        }
        return NULL;
 }
 
-gnutls_x509_privkey ssl_certificate_get_pkey_from_pem_file(const gchar *file)
+gnutls_x509_privkey_t ssl_certificate_get_pkey_from_pem_file(const gchar *file)
 {
-       gnutls_x509_privkey key = NULL;
+       gnutls_x509_privkey_t key = NULL;
        if (!file)
                return NULL;
        
        if (is_file_exist(file)) {
                FILE *fp = g_fopen(file, "r");
                if (fp) {
-                       key = gnutls_d2i_key_fp(fp, 1);
+                       key = gnutls_import_key_fp(fp, GNUTLS_X509_FMT_PEM);
                        fclose(fp);
                        return key;
+               } else {
+                       log_error(LOG_PROTOCOL, _("Cannot open key file %s (%s)\n"),
+                       file, strerror(errno));
                }
        } else {
-               log_error(LOG_PROTOCOL, _("Cannot open key file %s\n"), file);
+               log_error(LOG_PROTOCOL, _("Key file %s missing (%s)\n"), file,
+                         strerror(errno));
        }
        return NULL;
 }
@@ -683,7 +755,7 @@ gnutls_x509_privkey ssl_certificate_get_pkey_from_pem_file(const gchar *file)
 static int
 parse_pkcs12 (gnutls_pkcs12_t p12,
              const char *password,
-             gnutls_x509_privkey * key,
+             gnutls_x509_privkey_t * key,
              gnutls_x509_crt_t * cert)
 {
   gnutls_pkcs12_bag_t bag = NULL;
@@ -734,7 +806,7 @@ parse_pkcs12 (gnutls_pkcs12_t p12,
       for (i = 0; i < elements_in_bag; i++)
        {
          int type;
-         gnutls_datum data;
+         gnutls_datum_t data;
 
          type = gnutls_pkcs12_bag_get_type (bag, i);
          if (type < 0)
@@ -804,7 +876,7 @@ done:
   return ret;
 }
 void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gchar *password,
-                       gnutls_x509_crt *x509, gnutls_x509_privkey *pkey)
+                       gnutls_x509_crt_t *x509, gnutls_x509_privkey_t *pkey)
 {
        gnutls_pkcs12_t p12 = NULL;
 
@@ -818,11 +890,18 @@ void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gc
        if (is_file_exist(file)) {
                FILE *fp = g_fopen(file, "r");
                if (fp) {
-                       p12 = gnutls_d2i_PKCS12_fp(fp, 0);
+                       p12 = gnutls_import_PKCS12_fp(fp, GNUTLS_X509_FMT_DER);
                        fclose(fp);
+                       if (!p12) {
+                               log_error(LOG_PROTOCOL, _("Failed to read P12 certificate file %s\n"), file);
+                       }
+               } else {
+                       log_error(LOG_PROTOCOL, _("Cannot open P12 certificate file %s (%s)\n"),
+                                 file, strerror(errno));
                }
        } else {
-               log_error(LOG_PROTOCOL, _("Cannot open certificate file %s\n"), file);
+               log_error(LOG_PROTOCOL, _("P12 Certificate file %s missing (%s)\n"), file,
+                         strerror(errno));
        }
        if (p12 != NULL) {
                if ((r = parse_pkcs12(p12, password, pkey, x509)) == 0) {
@@ -833,4 +912,22 @@ void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gc
                gnutls_pkcs12_deinit(p12);
        }
 }
+
+gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert)
+{
+       return gnutls_x509_crt_check_hostname(cert->x509_cert, cert->host) != 0;
+}
+
+gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert)
+{
+       gchar subject_cn[BUFFSIZE];
+       size_t n = BUFFSIZE;
+
+       if(gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
+               GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_cn, &n))
+               strncpy(subject_cn, _("<not in certificate>"), BUFFSIZE);
+
+       return g_strdup(subject_cn);
+}
+
 #endif /* USE_GNUTLS */