Add Server Name Indication support to TLS connections, if applicable.
authorAndrej Kacian <ticho@claws-mail.org>
Fri, 21 Dec 2018 09:21:10 +0000 (10:21 +0100)
committerAndrej Kacian <ticho@claws-mail.org>
Fri, 21 Dec 2018 09:29:46 +0000 (10:29 +0100)
Adds a hidden pref "use_tls_sni".

Patch by Alex Smith.
Closes bug #4103: TLS SNI (Server Name Indication) support for IMAP, POP & SMTP

16 files changed:
AUTHORS
src/common/session.c
src/common/session.h
src/common/socket.h
src/common/ssl.c
src/common/utils.c
src/common/utils.h
src/etpan/etpan-ssl.c
src/gtk/authors.h
src/imap.c
src/news.c
src/plugins/managesieve/managesieve.c
src/pop.c
src/prefs_account.c
src/prefs_account.h
src/send_message.c

diff --git a/AUTHORS b/AUTHORS
index e6eb907..5c5d9f5 100644 (file)
--- a/AUTHORS
+++ b/AUTHORS
@@ -325,3 +325,4 @@ contributors (in addition to the above; based on Changelog)
        Michael Schwendt
        Eric S. Raymond
        Avinash Sonawane
+       Alex Smith
index 1342ef9..2dc0a0a 100644 (file)
@@ -69,6 +69,7 @@ void session_init(Session *session, const void *prefs_account, gboolean is_smtp)
        session->port = 0;
 #ifdef USE_GNUTLS
        session->ssl_type = SSL_NONE;
+       session->use_tls_sni = TRUE;
 #endif
        session->nonblocking = TRUE;
        session->state = SESSION_READY;
@@ -194,6 +195,7 @@ static gint session_connect_cb(SockInfo *sock, gpointer data)
 
 #ifdef USE_GNUTLS
        sock->gnutls_priority = session->gnutls_priority;
+       sock->use_tls_sni = session->use_tls_sni;
 
        if (session->ssl_type == SSL_TUNNEL) {
                sock_set_nonblocking_mode(sock, FALSE);
@@ -407,6 +409,7 @@ gint session_start_tls(Session *session)
 
        session->sock->ssl_cert_auto_accept = session->ssl_cert_auto_accept;
        session->sock->gnutls_priority = session->gnutls_priority;
+       session->sock->use_tls_sni = session->use_tls_sni;
 
        if (nb_mode)
                sock_set_nonblocking_mode(session->sock, FALSE);
index 5cd518b..13a56c9 100644 (file)
@@ -160,6 +160,7 @@ struct _Session
 #ifdef USE_GNUTLS
        SSLType ssl_type;
        gchar *gnutls_priority;
+       gboolean use_tls_sni;
 #endif
 };
 
index 2c78066..005f5a0 100644 (file)
@@ -84,6 +84,7 @@ struct _SockInfo
        const void *account;
        gboolean is_smtp;
        gboolean ssl_cert_auto_accept;
+       gboolean use_tls_sni;
 };
 
 void refresh_resolvers                 (void);
index a143820..cc38c22 100644 (file)
@@ -410,6 +410,20 @@ gboolean ssl_init_socket(SockInfo *sockinfo)
 
        gnutls_record_disable_padding(session);
 
+       /* If we have a host name, rather than a numerical IP address, tell
+        * gnutls to send it in the server name identification extension field,
+        * to give the server a chance to select the correct certificate in the
+        * virtual hosting case where multiple domain names are hosted on the
+        * same IP address. */
+       if (sockinfo->use_tls_sni &&
+                       sockinfo->hostname != NULL &&
+                       !is_numeric_host_address(sockinfo->hostname)) {
+               r = gnutls_server_name_set(session, GNUTLS_NAME_DNS,
+                               sockinfo->hostname, strlen(sockinfo->hostname));
+               debug_print("Set GnuTLS session server name indication to %s, status = %d\n",
+                           sockinfo->hostname, r);
+       }
+
        gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
 
        if (claws_ssl_get_cert_file()) {
index a815c48..195193b 100644 (file)
@@ -1908,6 +1908,29 @@ const gchar *get_domain_name(void)
 #endif
 }
 
+/* Tells whether the given host address string is a valid representation of a
+ * numerical IP (v4 or, if supported, v6) address.
+ */
+gboolean is_numeric_host_address(const gchar *hostaddress)
+{
+       struct addrinfo hints, *res;
+       int err;
+
+       /* See what getaddrinfo makes of the string when told that it is a
+        * numeric IP address representation. */
+       memset(&hints, 0, sizeof(struct addrinfo));
+       hints.ai_family = AF_UNSPEC;
+       hints.ai_socktype = 0;
+       hints.ai_flags = AI_NUMERICHOST;
+       hints.ai_protocol = 0;
+
+       err = getaddrinfo(hostaddress, NULL, &hints, &res);
+       if (err == 0)
+               freeaddrinfo(res);
+
+       return (err == 0);
+}
+
 off_t get_file_size(const gchar *file)
 {
 #ifdef G_OS_WIN32
index 64a639f..d51cc00 100644 (file)
@@ -395,6 +395,7 @@ const gchar *get_tmp_dir            (void);
 const gchar *get_locale_dir            (void);
 gchar *get_tmp_file                    (void);
 const gchar *get_domain_name           (void);
+gboolean is_numeric_host_address       (const gchar *hostaddress);
 const gchar *get_desktop_file(void);
 #ifdef G_OS_WIN32
 const gchar *w32_get_themes_dir    (void);
index aeb5be9..f853789 100644 (file)
@@ -171,6 +171,23 @@ void etpan_connect_ssl_context_cb(struct mailstream_ssl_context * ssl_context, v
                gnutls_x509_crt_deinit(x509);
                gnutls_x509_privkey_deinit(pkey);
        }
+
+#if (defined LIBETPAN_API_CURRENT && LIBETPAN_API_CURRENT >= 23)
+       /* If we have a host name, rather than a numerical IP address, tell
+        * gnutls to send it in the Server Name Identification extension field,
+        * to give the server a chance to select the correct certificate in the
+        * virtual hosting case where multiple domain names are hosted on the
+        * same IP address. */
+       if (session->use_tls_sni &&
+                       !is_numeric_host_address(account->recv_server)) {
+               int r;
+
+               r = mailstream_ssl_set_server_name(ssl_context, account->recv_server);
+               debug_print("Set libetpan SSL mail stream server name indication to %s, status = %d\n",
+                           account->recv_server, r);
+       }
+#endif /* LIBETPAN_API_CURRENT >= 23 */
+
 }
 
 #endif /* USE_GNUTLS */
index 628f7d9..5765007 100644 (file)
@@ -283,6 +283,7 @@ static char *CONTRIBS_LIST[] = {
 "shigeri",
 "Jesse Skinner",
 "Ville Skytt√§",
+"Alex Smith",
 "Dale P. Smith",
 "Avinash Sonawane",
 "Andrea Spadaccini",
index 9b78b79..7124d83 100644 (file)
@@ -1277,7 +1277,9 @@ static IMAPSession *imap_session_new(Folder * folder,
                session->uidplus = FALSE;
                session->cmd_count = 1;
        }
+       SESSION(session)->use_tls_sni = account->use_tls_sni;
 #endif
+
        log_message(LOG_PROTOCOL, "IMAP connection is %s-authenticated\n",
                    (session->authenticated) ? "pre" : "un");
        
index 634a050..126db15 100644 (file)
@@ -361,6 +361,7 @@ static Session *news_session_new(Folder *folder, const PrefsAccount *account, gu
        nntp_init(folder);
 
 #ifdef USE_GNUTLS
+       SESSION(session)->use_tls_sni = account->use_tls_sni;
        if (ssl_type != SSL_NONE)
                r = nntp_threaded_connect_ssl(folder, server, port, proxy_info);
        else
index 74b08d3..d4d40e8 100644 (file)
@@ -1058,6 +1058,7 @@ static void sieve_session_reset(SieveSession *session)
        session->state = SIEVE_CAPABILITIES;
 #ifdef USE_GNUTLS
        session->tls_init_done = FALSE;
+       SESSION(session)->use_tls_sni = account->use_tls_sni;
 #endif
        session->avail_auth_type = 0;
        session->auth_type = 0;
index 6de10c6..2b8c70a 100644 (file)
--- a/src/pop.c
+++ b/src/pop.c
@@ -538,6 +538,7 @@ Session *pop3_session_new(PrefsAccount *account)
        if (account->set_gnutls_priority && account->gnutls_priority &&
                        strlen(account->gnutls_priority) != 0)
                SESSION(session)->gnutls_priority = g_strdup(account->gnutls_priority);
+       SESSION(session)->use_tls_sni = account->use_tls_sni;
 #endif
 
        session->state = POP3_READY;
index 137ebbc..63bafb9 100644 (file)
@@ -788,6 +788,9 @@ static PrefParam ssl_param[] = {
         &ssl_page.use_nonblocking_ssl_checkbtn,
         prefs_set_data_from_toggle, prefs_set_toggle},
 
+       {"use_tls_sni", "1", &tmp_ac_prefs.use_tls_sni, P_BOOL,
+        NULL, NULL, NULL},
+
        {"in_ssl_client_cert_file", "", &tmp_ac_prefs.in_ssl_client_cert_file, P_STRING,
         &ssl_page.entry_in_cert_file, prefs_set_data_from_entry, prefs_set_entry},
 
index 6c956cf..4c53fea 100644 (file)
@@ -86,6 +86,7 @@ struct _PrefsAccount
 
        gboolean ssl_certs_auto_accept;
        gboolean use_nonblocking_ssl;
+       gboolean use_tls_sni;
 
        /* Receive */
        gboolean use_apop_auth;
index ce8b125..820b097 100644 (file)
@@ -280,6 +280,7 @@ gint send_message_smtp_full(PrefsAccount *ac_prefs, GSList *to_list, FILE *fp, g
                if (ac_prefs->set_gnutls_priority && ac_prefs->gnutls_priority &&
                    strlen(ac_prefs->gnutls_priority))
                        session->gnutls_priority = g_strdup(ac_prefs->gnutls_priority);
+               session->use_tls_sni = ac_prefs->use_tls_sni;
 #else
                if (ac_prefs->ssl_smtp != SSL_NONE) {
                        if (alertpanel_full(_("Insecure connection"),