Factorize SSL things in etpan
authorColin Leroy <colin@colino.net>
Wed, 23 Apr 2014 07:14:33 +0000 (09:14 +0200)
committerColin Leroy <colin@colino.net>
Wed, 23 Apr 2014 07:14:33 +0000 (09:14 +0200)
src/etpan/Makefile.am
src/etpan/etpan-ssl.c [new file with mode: 0644]
src/etpan/etpan-ssl.h [new file with mode: 0644]
src/etpan/imap-thread.c
src/etpan/nntp-thread.c

index b4bfe62..eb343b2 100644 (file)
@@ -5,7 +5,8 @@ noinst_LTLIBRARIES = libclawsetpan.la
 libclawsetpan_la_SOURCES = \
        etpan-thread-manager.c \
        imap-thread.c \
 libclawsetpan_la_SOURCES = \
        etpan-thread-manager.c \
        imap-thread.c \
-       nntp-thread.c
+       nntp-thread.c \
+       etpan-ssl.c
 
 clawsetpanincludedir = $(pkgincludedir)/etpan
 clawsetpaninclude_HEADERS = \
 
 clawsetpanincludedir = $(pkgincludedir)/etpan
 clawsetpaninclude_HEADERS = \
@@ -13,7 +14,8 @@ clawsetpaninclude_HEADERS = \
        etpan-thread-manager.h \
        etpan-errors.h \
        imap-thread.h \
        etpan-thread-manager.h \
        etpan-errors.h \
        imap-thread.h \
-       nntp-thread.h
+       nntp-thread.h \
+       etpan-ssl.h
 
 INCLUDES = \
        -I$(top_srcdir)/src \
 
 INCLUDES = \
        -I$(top_srcdir)/src \
diff --git a/src/etpan/etpan-ssl.c b/src/etpan/etpan-ssl.c
new file mode 100644 (file)
index 0000000..6642e40
--- /dev/null
@@ -0,0 +1,121 @@
+/*
+ * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
+ * Copyright (C) 1999-2012 Colin Leroy <colin@colino.net> 
+ * and the Claws Mail team
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ * 
+ */
+
+#ifdef HAVE_CONFIG_H
+#  include "config.h"
+#include "claws-features.h"
+#endif
+
+#ifdef USE_GNUTLS
+#ifdef HAVE_LIBETPAN
+#include <libetpan/libetpan.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <stdlib.h>
+#include <glib.h>
+#include <glib/gi18n.h>
+#include <errno.h>
+
+#include "ssl_certificate.h"
+#include "utils.h"
+#include "log.h"
+#include "prefs_account.h"
+
+gboolean etpan_certificate_check(mailstream *stream, const char *host, gint port)
+{
+       unsigned char *cert_der = NULL;
+       int len;
+       gnutls_x509_crt_t cert = NULL;
+       gnutls_datum_t tmp;
+
+       if (stream == NULL)
+               return FALSE;
+
+       len = (int)mailstream_ssl_get_certificate(stream, &cert_der);
+
+       if (cert_der == NULL || len < 0) {
+               g_warning("no cert presented.\n");
+               return FALSE;
+       }
+
+       tmp.data = malloc(len);
+       memcpy(tmp.data, cert_der, len);
+       tmp.size = len;
+       gnutls_x509_crt_init(&cert);
+
+       free(cert_der);
+
+       if (gnutls_x509_crt_import(cert, &tmp, GNUTLS_X509_FMT_DER) < 0) {
+               free(tmp.data);
+               g_warning("IMAP: can't get cert\n");
+               return FALSE;
+       } else if (ssl_certificate_check(cert, (guint)-1, host, port) == TRUE) {
+               free(tmp.data);
+               gnutls_x509_crt_deinit(cert);
+               return TRUE;
+       } else {
+               free(tmp.data);
+               gnutls_x509_crt_deinit(cert);
+               return FALSE;
+       }
+}
+
+void etpan_connect_ssl_context_cb(struct mailstream_ssl_context * ssl_context, void * data)
+{
+       PrefsAccount *account = (PrefsAccount *)data;
+       const gchar *cert_path = NULL;
+       const gchar *password = NULL;
+       gnutls_x509_crt_t x509 = NULL;
+       gnutls_x509_privkey_t pkey = NULL;
+
+       if (account->in_ssl_client_cert_file && *account->in_ssl_client_cert_file)
+               cert_path = account->in_ssl_client_cert_file;
+       if (account->in_ssl_client_cert_pass && *account->in_ssl_client_cert_pass)
+               password = account->in_ssl_client_cert_pass;
+
+       if (mailstream_ssl_set_client_certificate_data(ssl_context, NULL, 0) < 0 ||
+           mailstream_ssl_set_client_private_key_data(ssl_context, NULL, 0) < 0)
+               debug_print("Impossible to set the client certificate.\n");
+       x509 = ssl_certificate_get_x509_from_pem_file(cert_path);
+       pkey = ssl_certificate_get_pkey_from_pem_file(cert_path);
+       if (!(x509 && pkey)) {
+               /* try pkcs12 format */
+               ssl_certificate_get_x509_and_pkey_from_p12_file(cert_path, password, &x509, &pkey);
+       }
+       if (x509 && pkey) {
+               unsigned char *x509_der = NULL, *pkey_der = NULL;
+               size_t x509_len, pkey_len;
+
+               x509_len = (size_t)gnutls_i2d_X509(x509, &x509_der);
+               pkey_len = (size_t)gnutls_i2d_PrivateKey(pkey, &pkey_der);
+               if (x509_len > 0 && pkey_len > 0) {
+                       if (mailstream_ssl_set_client_certificate_data(ssl_context, x509_der, x509_len) < 0 ||
+                           mailstream_ssl_set_client_private_key_data(ssl_context, pkey_der, pkey_len) < 0) 
+                               log_error(LOG_PROTOCOL, _("Impossible to set the client certificate.\n"));
+                       g_free(x509_der);
+                       g_free(pkey_der);
+               }
+               gnutls_x509_crt_deinit(x509);
+               gnutls_x509_privkey_deinit(pkey);
+       }
+}
+
+#endif /* USE_GNUTLS */
+#endif /* HAVE_LIBETPAN */
diff --git a/src/etpan/etpan-ssl.h b/src/etpan/etpan-ssl.h
new file mode 100644 (file)
index 0000000..5607d1a
--- /dev/null
@@ -0,0 +1,40 @@
+/*
+ * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
+ * Copyright (C) 1999-2012 Colin Leroy <colin@colino.net> 
+ * and the Claws Mail team
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ * 
+ */
+
+#ifndef __ETPAN_SSL_H__
+#define __ETPAN_SSL_H__
+
+#ifdef HAVE_CONFIG_H
+#  include "config.h"
+#include "claws-features.h"
+#endif
+
+#ifdef USE_GNUTLS
+#ifdef HAVE_LIBETPAN
+
+#include <libetpan/libetpan.h>
+
+gboolean etpan_certificate_check(mailstream *imap_stream, const char *host, gint port);
+void etpan_connect_ssl_context_cb(struct mailstream_ssl_context * ssl_context, void * data);
+
+#endif /* USE_GNUTLS */
+#endif /* HAVE_LIBETPAN */
+
+#endif /* __ETPAN_SSL_H__ */
index ad5e3b3..1073683 100644 (file)
@@ -41,6 +41,7 @@
 #include <gtk/gtk.h>
 #include <log.h>
 #include "etpan-thread-manager.h"
 #include <gtk/gtk.h>
 #include <log.h>
 #include "etpan-thread-manager.h"
+#include "etpan-ssl.h"
 #include "utils.h"
 #include "mainwindow.h"
 #include "ssl.h"
 #include "utils.h"
 #include "mainwindow.h"
 #include "ssl.h"
@@ -506,93 +507,17 @@ int imap_threaded_connect(Folder * folder, const char * server, int port)
        value.data = imap;
        value.len = 0;
        chash_set(session_hash, &key, &value, NULL);
        value.data = imap;
        value.len = 0;
        chash_set(session_hash, &key, &value, NULL);
-       
+
        param.imap = imap;
        param.server = server;
        param.port = port;
        param.imap = imap;
        param.server = server;
        param.port = port;
-       
+
        refresh_resolvers();
        threaded_run(folder, &param, &result, connect_run);
        refresh_resolvers();
        threaded_run(folder, &param, &result, connect_run);
-       
+
        debug_print("connect ok %i with imap %p\n", result.error, imap);
        debug_print("connect ok %i with imap %p\n", result.error, imap);
-       
-       return result.error;
-}
 
 
-static int etpan_certificate_check(const unsigned char *certificate, int len, void *data)
-{
-#ifdef USE_GNUTLS
-       struct connect_param *param = (struct connect_param *)data;
-       gnutls_x509_crt_t cert = NULL;
-       gnutls_datum_t tmp;
-       
-       if (certificate == NULL || len < 0) {
-               g_warning("no cert presented.\n");
-               return 0;
-       }
-       
-       tmp.data = malloc(len);
-       memcpy(tmp.data, certificate, len);
-       tmp.size = len;
-       gnutls_x509_crt_init(&cert);
-       if (gnutls_x509_crt_import(cert, &tmp, GNUTLS_X509_FMT_DER) < 0) {
-               free(tmp.data);
-               g_warning("IMAP: can't get cert\n");
-               return 0;
-       } else if (ssl_certificate_check(cert, (guint)-1, (gchar *)param->server,
-                       (gushort)param->port) == TRUE) {
-               free(tmp.data);
-               gnutls_x509_crt_deinit(cert);
-               return 0;
-       } else {
-               free(tmp.data);
-               gnutls_x509_crt_deinit(cert);
-               return -1;
-       }
-#endif
-       return 0;
-}
-
-static void connect_ssl_context_cb(struct mailstream_ssl_context * ssl_context, void * data)
-{
-#ifdef USE_GNUTLS
-       PrefsAccount *account = (PrefsAccount *)data;
-       const gchar *cert_path = NULL;
-       const gchar *password = NULL;
-       gnutls_x509_crt_t x509 = NULL;
-       gnutls_x509_privkey_t pkey = NULL;
-
-       if (account->in_ssl_client_cert_file && *account->in_ssl_client_cert_file)
-               cert_path = account->in_ssl_client_cert_file;
-       if (account->in_ssl_client_cert_pass && *account->in_ssl_client_cert_pass)
-               password = account->in_ssl_client_cert_pass;
-       
-       if (mailstream_ssl_set_client_certificate_data(ssl_context, NULL, 0) < 0 ||
-           mailstream_ssl_set_client_private_key_data(ssl_context, NULL, 0) < 0)
-               debug_print("Impossible to set the client certificate.\n");
-       x509 = ssl_certificate_get_x509_from_pem_file(cert_path);
-       pkey = ssl_certificate_get_pkey_from_pem_file(cert_path);
-       if (!(x509 && pkey)) {
-               /* try pkcs12 format */
-               ssl_certificate_get_x509_and_pkey_from_p12_file(cert_path, password, &x509, &pkey);
-       }
-       if (x509 && pkey) {
-               unsigned char *x509_der = NULL, *pkey_der = NULL;
-               size_t x509_len, pkey_len;
-               
-               x509_len = (size_t)gnutls_i2d_X509(x509, &x509_der);
-               pkey_len = (size_t)gnutls_i2d_PrivateKey(pkey, &pkey_der);
-               if (x509_len > 0 && pkey_len > 0) {
-                       if (mailstream_ssl_set_client_certificate_data(ssl_context, x509_der, x509_len) < 0 ||
-                           mailstream_ssl_set_client_private_key_data(ssl_context, pkey_der, pkey_len) < 0) 
-                               log_error(LOG_PROTOCOL, _("Impossible to set the client certificate.\n"));
-                       g_free(x509_der);
-                       g_free(pkey_der);
-               }
-               gnutls_x509_crt_deinit(x509);
-               gnutls_x509_privkey_deinit(pkey);
-       }
-#endif
+       return result.error;
 }
 
 static void connect_ssl_run(struct etpan_thread_op * op)
 }
 
 static void connect_ssl_run(struct etpan_thread_op * op)
@@ -608,7 +533,7 @@ static void connect_ssl_run(struct etpan_thread_op * op)
 
        r = mailimap_ssl_connect_with_callback(param->imap,
                                                param->server, param->port,
 
        r = mailimap_ssl_connect_with_callback(param->imap,
                                                param->server, param->port,
-                                               connect_ssl_context_cb, param->account);
+                                               etpan_connect_ssl_context_cb, param->account);
        result->error = r;
 }
 
        result->error = r;
 }
 
@@ -619,8 +544,6 @@ int imap_threaded_connect_ssl(Folder * folder, const char * server, int port)
        chashdatum key;
        chashdatum value;
        mailimap * imap, * oldimap;
        chashdatum key;
        chashdatum value;
        mailimap * imap, * oldimap;
-       unsigned char *certificate = NULL;
-       int cert_len;
        
        oldimap = get_imap(folder);
 
        
        oldimap = get_imap(folder);
 
@@ -647,11 +570,8 @@ int imap_threaded_connect_ssl(Folder * folder, const char * server, int port)
 
        if ((result.error == MAILIMAP_NO_ERROR_AUTHENTICATED ||
             result.error == MAILIMAP_NO_ERROR_NON_AUTHENTICATED) && !etpan_skip_ssl_cert_check) {
 
        if ((result.error == MAILIMAP_NO_ERROR_AUTHENTICATED ||
             result.error == MAILIMAP_NO_ERROR_NON_AUTHENTICATED) && !etpan_skip_ssl_cert_check) {
-               cert_len = (int)mailstream_ssl_get_certificate(imap->imap_stream, &certificate);
-               if (etpan_certificate_check(certificate, cert_len, &param) < 0)
-                       return -1;
-               if (certificate) 
-                       free(certificate); 
+               if (etpan_certificate_check(imap->imap_stream, server, port) < 0)
+                       result.error = MAILIMAP_ERROR_SSL;
        }
        debug_print("connect %d with imap %p\n", result.error, imap);
        
        }
        debug_print("connect %d with imap %p\n", result.error, imap);
        
@@ -1159,7 +1079,7 @@ static void starttls_run(struct etpan_thread_op * op)
                        return;
                }
 
                        return;
                }
 
-               tls_low = mailstream_low_tls_open_with_callback(fd, connect_ssl_context_cb, param->account);
+               tls_low = mailstream_low_tls_open_with_callback(fd, etpan_connect_ssl_context_cb, param->account);
                if (tls_low == NULL) {
                        debug_print("imap starttls run - can't tls_open\n");
                        result->error = MAILIMAP_ERROR_STREAM;
                if (tls_low == NULL) {
                        debug_print("imap starttls run - can't tls_open\n");
                        result->error = MAILIMAP_ERROR_STREAM;
@@ -1174,8 +1094,6 @@ int imap_threaded_starttls(Folder * folder, const gchar *host, int port)
 {
        struct connect_param param;
        struct starttls_result result;
 {
        struct connect_param param;
        struct starttls_result result;
-       int cert_len;
-       unsigned char *certificate = NULL;
        
        debug_print("imap starttls - begin\n");
        
        
        debug_print("imap starttls - begin\n");
        
@@ -1189,11 +1107,8 @@ int imap_threaded_starttls(Folder * folder, const gchar *host, int port)
        debug_print("imap starttls - end\n");
 
        if (result.error == 0 && param.imap && !etpan_skip_ssl_cert_check) {
        debug_print("imap starttls - end\n");
 
        if (result.error == 0 && param.imap && !etpan_skip_ssl_cert_check) {
-               cert_len = (int)mailstream_ssl_get_certificate(param.imap->imap_stream, &certificate);
-               if (etpan_certificate_check(certificate, cert_len, &param) < 0)
-                       result.error = MAILIMAP_ERROR_STREAM;
-               if (certificate) 
-                       free(certificate); 
+               if (etpan_certificate_check(param.imap->imap_stream, host, port) < 0)
+                       return MAILIMAP_ERROR_SSL;
        }       
        return result.error;
 }
        }       
        return result.error;
 }
index 6d76e7a..84a2f83 100644 (file)
@@ -41,6 +41,7 @@
 #include <gtk/gtk.h>
 #include <log.h>
 #include "etpan-thread-manager.h"
 #include <gtk/gtk.h>
 #include <log.h>
 #include "etpan-thread-manager.h"
+#include "etpan-ssl.h"
 #include "utils.h"
 #include "mainwindow.h"
 #include "ssl_certificate.h"
 #include "utils.h"
 #include "mainwindow.h"
 #include "ssl_certificate.h"
@@ -373,79 +374,6 @@ int nntp_threaded_connect(Folder * folder, const char * server, int port)
        return result.error;
 }
 
        return result.error;
 }
 
-static int etpan_certificate_check(const unsigned char *certificate, int len, void *data)
-{
-#ifdef USE_GNUTLS
-       struct connect_param *param = (struct connect_param *)data;
-       gnutls_x509_crt_t cert = NULL;
-       gnutls_datum_t tmp;
-       
-       if (certificate == NULL || len < 0) {
-               g_warning("no cert presented.\n");
-               return 0;
-       }
-       
-       tmp.data = malloc(len);
-       memcpy(tmp.data, certificate, len);
-       tmp.size = len;
-       gnutls_x509_crt_init(&cert);
-       if (gnutls_x509_crt_import(cert, &tmp, GNUTLS_X509_FMT_DER) < 0) {
-               g_warning("nntp: can't get cert\n");
-               return 0;
-       } else if (ssl_certificate_check(cert, (guint)-1,
-               (gchar *)param->server, (gushort)param->port) == TRUE) {
-               gnutls_x509_crt_deinit(cert);
-               return 0;
-       } else {
-               gnutls_x509_crt_deinit(cert);
-               return -1;
-       }
-#endif
-       return 0;
-}
-
-static void connect_ssl_context_cb(struct mailstream_ssl_context * ssl_context, void * data)
-{
-#ifdef USE_GNUTLS
-       PrefsAccount *account = (PrefsAccount *)data;
-       const gchar *cert_path = NULL;
-       const gchar *password = NULL;
-       gnutls_x509_crt_t x509 = NULL;
-       gnutls_x509_privkey_t pkey = NULL;
-
-       if (account->in_ssl_client_cert_file && *account->in_ssl_client_cert_file)
-               cert_path = account->in_ssl_client_cert_file;
-       if (account->in_ssl_client_cert_pass && *account->in_ssl_client_cert_pass)
-               password = account->in_ssl_client_cert_pass;
-       
-       if (mailstream_ssl_set_client_certificate_data(ssl_context, NULL, 0) < 0 ||
-           mailstream_ssl_set_client_private_key_data(ssl_context, NULL, 0) < 0)
-               debug_print("Impossible to set the client certificate.\n");
-       x509 = ssl_certificate_get_x509_from_pem_file(cert_path);
-       pkey = ssl_certificate_get_pkey_from_pem_file(cert_path);
-       if (!(x509 && pkey)) {
-               /* try pkcs12 format */
-               ssl_certificate_get_x509_and_pkey_from_p12_file(cert_path, password, &x509, &pkey);
-       }
-       if (x509 && pkey) {
-               unsigned char *x509_der = NULL, *pkey_der = NULL;
-               size_t x509_len, pkey_len;
-               
-               x509_len = (size_t)gnutls_i2d_X509(x509, &x509_der);
-               pkey_len = (size_t)gnutls_i2d_PrivateKey(pkey, &pkey_der);
-               if (x509_len > 0 && pkey_len > 0) {
-                       if (mailstream_ssl_set_client_certificate_data(ssl_context, x509_der, x509_len) < 0 ||
-                           mailstream_ssl_set_client_private_key_data(ssl_context, pkey_der, pkey_len) < 0) 
-                               log_error(LOG_PROTOCOL, _("Impossible to set the client certificate.\n"));
-                       g_free(x509_der);
-                       g_free(pkey_der);
-               }
-               gnutls_x509_crt_deinit(x509);
-               gnutls_x509_privkey_deinit(pkey);
-       }
-#endif
-}
-
 static void connect_ssl_run(struct etpan_thread_op * op)
 {
        int r;
 static void connect_ssl_run(struct etpan_thread_op * op)
 {
        int r;
@@ -459,7 +387,7 @@ static void connect_ssl_run(struct etpan_thread_op * op)
 
        r = newsnntp_ssl_connect_with_callback(param->nntp,
                                 param->server, param->port,
 
        r = newsnntp_ssl_connect_with_callback(param->nntp,
                                 param->server, param->port,
-                                connect_ssl_context_cb, param->account);
+                                etpan_connect_ssl_context_cb, param->account);
        result->error = r;
 }
 
        result->error = r;
 }
 
@@ -470,8 +398,6 @@ int nntp_threaded_connect_ssl(Folder * folder, const char * server, int port)
        chashdatum key;
        chashdatum value;
        newsnntp * nntp, * oldnntp;
        chashdatum key;
        chashdatum value;
        newsnntp * nntp, * oldnntp;
-       unsigned char *certificate = NULL;
-       int cert_len;
        
        oldnntp = get_nntp(folder);
 
        
        oldnntp = get_nntp(folder);
 
@@ -497,11 +423,8 @@ int nntp_threaded_connect_ssl(Folder * folder, const char * server, int port)
        threaded_run(folder, &param, &result, connect_ssl_run);
 
        if (result.error == NEWSNNTP_NO_ERROR && !etpan_skip_ssl_cert_check) {
        threaded_run(folder, &param, &result, connect_ssl_run);
 
        if (result.error == NEWSNNTP_NO_ERROR && !etpan_skip_ssl_cert_check) {
-               cert_len = (int)mailstream_ssl_get_certificate(nntp->nntp_stream, &certificate);
-               if (etpan_certificate_check(certificate, cert_len, &param) < 0)
+               if (etpan_certificate_check(nntp->nntp_stream, server, port) < 0)
                        return -1;
                        return -1;
-               if (certificate) 
-                       free(certificate); 
        }
        debug_print("connect %d with nntp %p\n", result.error, nntp);
        
        }
        debug_print("connect %d with nntp %p\n", result.error, nntp);