From b0c17cd08e482dbda407dabdc952dfcf5d8fdb6e Mon Sep 17 00:00:00 2001 From: Colin Leroy Date: Wed, 23 Apr 2014 09:14:33 +0200 Subject: [PATCH] Factorize SSL things in etpan --- src/etpan/Makefile.am | 6 +- src/etpan/etpan-ssl.c | 121 ++++++++++++++++++++++++++++++++++++++++ src/etpan/etpan-ssl.h | 40 +++++++++++++ src/etpan/imap-thread.c | 107 ++++------------------------------- src/etpan/nntp-thread.c | 83 +-------------------------- 5 files changed, 179 insertions(+), 178 deletions(-) create mode 100644 src/etpan/etpan-ssl.c create mode 100644 src/etpan/etpan-ssl.h diff --git a/src/etpan/Makefile.am b/src/etpan/Makefile.am index b4bfe62b4..eb343b24a 100644 --- a/src/etpan/Makefile.am +++ b/src/etpan/Makefile.am @@ -5,7 +5,8 @@ noinst_LTLIBRARIES = libclawsetpan.la libclawsetpan_la_SOURCES = \ etpan-thread-manager.c \ imap-thread.c \ - nntp-thread.c + nntp-thread.c \ + etpan-ssl.c clawsetpanincludedir = $(pkgincludedir)/etpan clawsetpaninclude_HEADERS = \ @@ -13,7 +14,8 @@ clawsetpaninclude_HEADERS = \ etpan-thread-manager.h \ etpan-errors.h \ imap-thread.h \ - nntp-thread.h + nntp-thread.h \ + etpan-ssl.h INCLUDES = \ -I$(top_srcdir)/src \ diff --git a/src/etpan/etpan-ssl.c b/src/etpan/etpan-ssl.c new file mode 100644 index 000000000..6642e4061 --- /dev/null +++ b/src/etpan/etpan-ssl.c 
@@ -0,0 +1,121 @@
+/*
+ * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
+ * Copyright (C) 1999-2012 Colin Leroy
+ * and the Claws Mail team
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#include "claws-features.h"
+#endif
+
+#ifdef USE_GNUTLS
+#ifdef HAVE_LIBETPAN
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "ssl_certificate.h"
+#include "utils.h"
+#include "log.h"
+#include "prefs_account.h"
+
+gboolean etpan_certificate_check(mailstream *stream, const char *host, gint port)
+{
+ unsigned char *cert_der = NULL;
+ int len;
+ gnutls_x509_crt_t cert = NULL;
+ gnutls_datum_t tmp;
+
+ if (stream == NULL)
+ return FALSE;
+
+ len = (int)mailstream_ssl_get_certificate(stream, &cert_der);
+
+ if (cert_der == NULL || len < 0) {
+ g_warning("no cert presented.\n");
+ return FALSE;
+ }
+
+ tmp.data = malloc(len);
+ memcpy(tmp.data, cert_der, len);
+ tmp.size = len;
+ gnutls_x509_crt_init(&cert);
+
+ free(cert_der);
+
+ if (gnutls_x509_crt_import(cert, &tmp, GNUTLS_X509_FMT_DER) < 0) {
+ free(tmp.data);
+ g_warning("IMAP: can't get cert\n");
+ return FALSE;
+ } else if (ssl_certificate_check(cert, (guint)-1, host, port) == TRUE) {
+ free(tmp.data);
+ gnutls_x509_crt_deinit(cert);
+ return TRUE;
+ } else {
+ free(tmp.data);
+ gnutls_x509_crt_deinit(cert);
+ return FALSE;
+ }
+}
+
+void 
etpan_connect_ssl_context_cb(struct mailstream_ssl_context * ssl_context, void * data)
+{
+ PrefsAccount *account = (PrefsAccount *)data;
+ const gchar *cert_path = NULL;
+ const gchar *password = NULL;
+ gnutls_x509_crt_t x509 = NULL;
+ gnutls_x509_privkey_t pkey = NULL;
+
+ if (account->in_ssl_client_cert_file && *account->in_ssl_client_cert_file)
+ cert_path = account->in_ssl_client_cert_file;
+ if (account->in_ssl_client_cert_pass && *account->in_ssl_client_cert_pass)
+ password = account->in_ssl_client_cert_pass;
+
+ if (mailstream_ssl_set_client_certificate_data(ssl_context, NULL, 0) < 0 ||
+ mailstream_ssl_set_client_private_key_data(ssl_context, NULL, 0) < 0)
+ debug_print("Impossible to set the client certificate.\n");
+ x509 = ssl_certificate_get_x509_from_pem_file(cert_path);
+ pkey = ssl_certificate_get_pkey_from_pem_file(cert_path);
+ if (!(x509 && pkey)) {
+ /* try pkcs12 format */
+ ssl_certificate_get_x509_and_pkey_from_p12_file(cert_path, password, &x509, &pkey);
+ }
+ if (x509 && pkey) {
+ unsigned char *x509_der = NULL, *pkey_der = NULL;
+ size_t x509_len, pkey_len;
+
+ x509_len = (size_t)gnutls_i2d_X509(x509, &x509_der);
+ pkey_len = (size_t)gnutls_i2d_PrivateKey(pkey, &pkey_der);
+ if (x509_len > 0 && pkey_len > 0) {
+ if (mailstream_ssl_set_client_certificate_data(ssl_context, x509_der, x509_len) < 0 ||
+ mailstream_ssl_set_client_private_key_data(ssl_context, pkey_der, pkey_len) < 0)
+ log_error(LOG_PROTOCOL, _("Impossible to set the client certificate.\n"));
+ g_free(x509_der);
+ g_free(pkey_der);
+ }
+ gnutls_x509_crt_deinit(x509);
+ gnutls_x509_privkey_deinit(pkey);
+ }
+}
+
+#endif /* USE_GNUTLS */
+#endif /* HAVE_LIBETPAN */
diff --git a/src/etpan/etpan-ssl.h b/src/etpan/etpan-ssl.h
new file mode 100644
index 000000000..5607d1ad7
--- /dev/null
+++ b/src/etpan/etpan-ssl.h
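Review bot: In etpan_certificate_check the buffer returned by `malloc(len)` is passed to memcpy without a NULL check, and on the gnutls_x509_crt_import failure branch the handle created by gnutls_x509_crt_init is never released, so every unparsable peer certificate leaks a gnutls_x509_crt_t; add `gnutls_x509_crt_deinit(cert);` before that `return FALSE` (or import straight from cert_der, which the function now frees itself, and drop the copy altogether). The function also changes contract relative to the two static helpers it replaces — it returns gboolean TRUE/FALSE instead of 0/-1 — while the call sites updated later in this patch still test the result with `< 0`; see the notes on those hunks. The "IMAP: can't get cert" warning is now emitted for NNTP connections too and should lose the protocol prefix. In etpan_connect_ssl_context_cb, `x509_len = (size_t)gnutls_i2d_X509(x509, &x509_der)` would turn a negative error return into a huge positive length that passes the `> 0` guard; whether those helpers can return a negative value is not visible here, so it is worth confirming against ssl_certificate.c.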
@@ -0,0 +1,40 @@
+/*
+ * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
+ * Copyright (C) 1999-2012 Colin Leroy
+ * and the Claws Mail team
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+#ifndef __ETPAN_SSL_H__
+#define __ETPAN_SSL_H__
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#include "claws-features.h"
+#endif
+
+#ifdef USE_GNUTLS
+#ifdef HAVE_LIBETPAN
+
+#include 
+
+gboolean etpan_certificate_check(mailstream *imap_stream, const char *host, gint port);
+void etpan_connect_ssl_context_cb(struct mailstream_ssl_context * ssl_context, void * data);
+
+#endif /* USE_GNUTLS */
+#endif /* HAVE_LIBETPAN */
+
+#endif /* __ETPAN_SSL_H__ */
diff --git a/src/etpan/imap-thread.c b/src/etpan/imap-thread.c
index ad5e3b3ef..1073683ca 100644
--- a/src/etpan/imap-thread.c
+++ b/src/etpan/imap-thread.c
@@ -41,6 +41,7 @@
 #include 
 #include 
 #include "etpan-thread-manager.h"
+#include "etpan-ssl.h"
 #include "utils.h"
 #include "mainwindow.h"
 #include "ssl.h"
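Review bot: The two closing `#endif` comments in etpan-ssl.h are swapped — the first actually closes `#ifdef HAVE_LIBETPAN` and the second `#ifdef USE_GNUTLS` — and the prototype names its first parameter `imap_stream` although the definition calls it `stream` and nntp-thread.c passes an NNTP stream; swap the labels and rename it `stream`. The prototypes also carry no statement of the contract, which matters because the return type differs from the replaced helpers' int 0/-1: I would add above etpan_certificate_check `/* Verify the peer certificate of an established TLS stream for host:port. Returns TRUE only if ssl_certificate_check accepted it; FALSE if no certificate was presented, it could not be parsed, or it was rejected. Frees the DER buffer obtained from libetpan. */`. Since the declarations now exist only under USE_GNUTLS, whereas the removed static versions compiled in both configurations with an internal `#ifdef`, any caller in imap-thread.c or nntp-thread.c that is not itself guarded by USE_GNUTLS will fail to build without GnuTLS; those guards are not visible from this hunk.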
@@ -506,93 +507,17 @@ int imap_threaded_connect(Folder * folder, const char * server, int port) value.data = imap; value.len = 0; chash_set(session_hash, &key, &value, NULL); - + param.imap = imap; param.server = server; param.port = port; - + refresh_resolvers(); threaded_run(folder, ¶m, &result, connect_run); - + debug_print("connect ok %i with imap %p\n", result.error, imap); - - return result.error; -} -static int etpan_certificate_check(const unsigned char *certificate, int len, void *data) -{ -#ifdef USE_GNUTLS - struct connect_param *param = (struct connect_param *)data; - gnutls_x509_crt_t cert = NULL; - gnutls_datum_t tmp; - - if (certificate == NULL || len < 0) { - g_warning("no cert presented.\n"); - return 0; - } - - tmp.data = malloc(len); - memcpy(tmp.data, certificate, len); - tmp.size = len; - gnutls_x509_crt_init(&cert); - if (gnutls_x509_crt_import(cert, &tmp, GNUTLS_X509_FMT_DER) < 0) { - free(tmp.data); - g_warning("IMAP: can't get cert\n"); - return 0; - } else if (ssl_certificate_check(cert, (guint)-1, (gchar *)param->server, - (gushort)param->port) == TRUE) { - free(tmp.data); - gnutls_x509_crt_deinit(cert); - return 0; - } else { - free(tmp.data); - gnutls_x509_crt_deinit(cert); - return -1; - } -#endif - return 0; -} - -static void connect_ssl_context_cb(struct mailstream_ssl_context * ssl_context, void * data) -{ -#ifdef USE_GNUTLS - PrefsAccount *account = (PrefsAccount *)data; - const gchar *cert_path = NULL; - const gchar *password = NULL; - gnutls_x509_crt_t x509 = NULL; - gnutls_x509_privkey_t pkey = NULL; - - if (account->in_ssl_client_cert_file && *account->in_ssl_client_cert_file) - cert_path = account->in_ssl_client_cert_file; - if (account->in_ssl_client_cert_pass && *account->in_ssl_client_cert_pass) - password = account->in_ssl_client_cert_pass; - - if (mailstream_ssl_set_client_certificate_data(ssl_context, NULL, 0) < 0 || - mailstream_ssl_set_client_private_key_data(ssl_context, NULL, 0) < 0) - debug_print("Impossible to set 
the client certificate.\n"); - x509 = ssl_certificate_get_x509_from_pem_file(cert_path); - pkey = ssl_certificate_get_pkey_from_pem_file(cert_path); - if (!(x509 && pkey)) { - /* try pkcs12 format */ - ssl_certificate_get_x509_and_pkey_from_p12_file(cert_path, password, &x509, &pkey); - } - if (x509 && pkey) { - unsigned char *x509_der = NULL, *pkey_der = NULL; - size_t x509_len, pkey_len; - - x509_len = (size_t)gnutls_i2d_X509(x509, &x509_der); - pkey_len = (size_t)gnutls_i2d_PrivateKey(pkey, &pkey_der); - if (x509_len > 0 && pkey_len > 0) { - if (mailstream_ssl_set_client_certificate_data(ssl_context, x509_der, x509_len) < 0 || - mailstream_ssl_set_client_private_key_data(ssl_context, pkey_der, pkey_len) < 0) - log_error(LOG_PROTOCOL, _("Impossible to set the client certificate.\n")); - g_free(x509_der); - g_free(pkey_der); - } - gnutls_x509_crt_deinit(x509); - gnutls_x509_privkey_deinit(pkey); - } -#endif + return result.error; } static void connect_ssl_run(struct etpan_thread_op * op) @@ -608,7 +533,7 @@ static void connect_ssl_run(struct etpan_thread_op * op) r = mailimap_ssl_connect_with_callback(param->imap, param->server, param->port, - connect_ssl_context_cb, param->account); + etpan_connect_ssl_context_cb, param->account); result->error = r; } @@ -619,8 +544,6 @@ int imap_threaded_connect_ssl(Folder * folder, const char * server, int port) chashdatum key; chashdatum value; mailimap * imap, * oldimap; - unsigned char *certificate = NULL; - int cert_len; oldimap = get_imap(folder); 
@@ -647,11 +570,8 @@ int imap_threaded_connect_ssl(Folder * folder, const char * server, int port) if ((result.error == MAILIMAP_NO_ERROR_AUTHENTICATED || result.error == MAILIMAP_NO_ERROR_NON_AUTHENTICATED) && !etpan_skip_ssl_cert_check) { - cert_len = (int)mailstream_ssl_get_certificate(imap->imap_stream, &certificate); - if (etpan_certificate_check(certificate, cert_len, ¶m) < 0) - return -1; - if (certificate) - free(certificate); + if (etpan_certificate_check(imap->imap_stream, server, port) < 0) + result.error = MAILIMAP_ERROR_SSL; } debug_print("connect %d with imap %p\n", result.error, imap); @@ -1159,7 +1079,7 @@ static void starttls_run(struct etpan_thread_op * op) return; } - tls_low = mailstream_low_tls_open_with_callback(fd, connect_ssl_context_cb, param->account); + tls_low = mailstream_low_tls_open_with_callback(fd, etpan_connect_ssl_context_cb, param->account); if (tls_low == NULL) { debug_print("imap starttls run - can't tls_open\n"); result->error = MAILIMAP_ERROR_STREAM; @@ -1174,8 +1094,6 @@ int imap_threaded_starttls(Folder * folder, const gchar *host, int port) { struct connect_param param; struct starttls_result result; - int cert_len; - unsigned char *certificate = NULL; debug_print("imap starttls - begin\n"); @@ -1189,11 +1107,8 @@ int imap_threaded_starttls(Folder * folder, const gchar *host, int port) debug_print("imap starttls - end\n"); if (result.error == 0 && param.imap && !etpan_skip_ssl_cert_check) { - cert_len = (int)mailstream_ssl_get_certificate(param.imap->imap_stream, &certificate); - if (etpan_certificate_check(certificate, cert_len, ¶m) < 0) - result.error = MAILIMAP_ERROR_STREAM; - if (certificate) - free(certificate); + if (etpan_certificate_check(param.imap->imap_stream, host, port) < 0) + return MAILIMAP_ERROR_SSL; } return result.error; } diff --git a/src/etpan/nntp-thread.c b/src/etpan/nntp-thread.c index 6d76e7a27..84a2f83d7 100644 --- a/src/etpan/nntp-thread.c +++ b/src/etpan/nntp-thread.c 
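Review bot: `if (etpan_certificate_check(imap->imap_stream, server, port) < 0)` is dead code: the new helper returns gboolean, which is TRUE (1) or FALSE (0) and never negative, so a missing or rejected server certificate no longer sets `result.error = MAILIMAP_ERROR_SSL` and the IMAP-over-SSL session proceeds as if it had been verified. The removed lines compared the old int helper's -1 correctly; the replacement must be `if (!etpan_certificate_check(imap->imap_stream, server, port))`. imap_threaded_connect_ssl continues beyond this hunk.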
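Review bot: The STARTTLS path in imap_threaded_starttls has the same inverted contract: `if (etpan_certificate_check(param.imap->imap_stream, host, port) < 0)` never holds for a gboolean, so `return MAILIMAP_ERROR_SSL` is unreachable and an unverified certificate is accepted after STARTTLS. Use `if (!etpan_certificate_check(param.imap->imap_stream, host, port))`; for consistency with the connect_ssl hunk above it would also be cleaner to set `result.error = MAILIMAP_ERROR_SSL` and fall through to the existing `return result.error` rather than returning early.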
@@ -41,6 +41,7 @@ #include #include #include "etpan-thread-manager.h" +#include "etpan-ssl.h" #include "utils.h" #include "mainwindow.h" #include "ssl_certificate.h" 
@@ -373,79 +374,6 @@ int nntp_threaded_connect(Folder * folder, const char * server, int port) return result.error; } -static int etpan_certificate_check(const unsigned char *certificate, int len, void *data) -{ -#ifdef USE_GNUTLS - struct connect_param *param = (struct connect_param *)data; - gnutls_x509_crt_t cert = NULL; - gnutls_datum_t tmp; - - if (certificate == NULL || len < 0) { - g_warning("no cert presented.\n"); - return 0; - } - - tmp.data = malloc(len); - memcpy(tmp.data, certificate, len); - tmp.size = len; - gnutls_x509_crt_init(&cert); - if (gnutls_x509_crt_import(cert, &tmp, GNUTLS_X509_FMT_DER) < 0) { - g_warning("nntp: can't get cert\n"); - return 0; - } else if (ssl_certificate_check(cert, (guint)-1, - (gchar *)param->server, (gushort)param->port) == TRUE) { - gnutls_x509_crt_deinit(cert); - return 0; - } else { - gnutls_x509_crt_deinit(cert); - return -1; - } -#endif - return 0; -} - -static void connect_ssl_context_cb(struct mailstream_ssl_context * ssl_context, void * data) -{ -#ifdef USE_GNUTLS - PrefsAccount *account = (PrefsAccount *)data; - const gchar *cert_path = NULL; - const gchar *password = NULL; - gnutls_x509_crt_t x509 = NULL; - gnutls_x509_privkey_t pkey = NULL; - - if (account->in_ssl_client_cert_file && *account->in_ssl_client_cert_file) - cert_path = account->in_ssl_client_cert_file; - if (account->in_ssl_client_cert_pass && *account->in_ssl_client_cert_pass) - password = account->in_ssl_client_cert_pass; - - if (mailstream_ssl_set_client_certificate_data(ssl_context, NULL, 0) < 0 || - mailstream_ssl_set_client_private_key_data(ssl_context, NULL, 0) < 0) - debug_print("Impossible to set the client certificate.\n"); - x509 = ssl_certificate_get_x509_from_pem_file(cert_path); - pkey = ssl_certificate_get_pkey_from_pem_file(cert_path); - if (!(x509 && pkey)) { - /* try pkcs12 format */ - ssl_certificate_get_x509_and_pkey_from_p12_file(cert_path, password, &x509, &pkey); - } - if (x509 && pkey) { - unsigned char *x509_der = NULL, 
*pkey_der = NULL; - size_t x509_len, pkey_len; - - x509_len = (size_t)gnutls_i2d_X509(x509, &x509_der); - pkey_len = (size_t)gnutls_i2d_PrivateKey(pkey, &pkey_der); - if (x509_len > 0 && pkey_len > 0) { - if (mailstream_ssl_set_client_certificate_data(ssl_context, x509_der, x509_len) < 0 || - mailstream_ssl_set_client_private_key_data(ssl_context, pkey_der, pkey_len) < 0) - log_error(LOG_PROTOCOL, _("Impossible to set the client certificate.\n")); - g_free(x509_der); - g_free(pkey_der); - } - gnutls_x509_crt_deinit(x509); - gnutls_x509_privkey_deinit(pkey); - } -#endif -} - static void connect_ssl_run(struct etpan_thread_op * op) { int r; @@ -459,7 +387,7 @@ static void connect_ssl_run(struct etpan_thread_op * op) r = newsnntp_ssl_connect_with_callback(param->nntp, param->server, param->port, - connect_ssl_context_cb, param->account); + etpan_connect_ssl_context_cb, param->account); result->error = r; } @@ -470,8 +398,6 @@ int nntp_threaded_connect_ssl(Folder * folder, const char * server, int port) chashdatum key; chashdatum value; newsnntp * nntp, * oldnntp; - unsigned char *certificate = NULL; - int cert_len; oldnntp = get_nntp(folder); @@ -497,11 +423,8 @@ int nntp_threaded_connect_ssl(Folder * folder, const char * server, int port) threaded_run(folder, ¶m, &result, connect_ssl_run); if (result.error == NEWSNNTP_NO_ERROR && !etpan_skip_ssl_cert_check) { - cert_len = (int)mailstream_ssl_get_certificate(nntp->nntp_stream, &certificate); - if (etpan_certificate_check(certificate, cert_len, ¶m) < 0) + if (etpan_certificate_check(nntp->nntp_stream, server, port) < 0) return -1; - if (certificate) - free(certificate); } debug_print("connect %d with nntp %p\n", result.error, nntp); -- 2.25.1
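Review bot: `if (etpan_certificate_check(nntp->nntp_stream, server, port) < 0)` can never be true because the factored helper returns gboolean rather than the 0/-1 of the static function removed above, so a certificate that fails ssl_certificate_check no longer makes nntp_threaded_connect_ssl return -1 and the NNTP-over-SSL connection continues unverified. Change it to `if (!etpan_certificate_check(nntp->nntp_stream, server, port))`. nntp_threaded_connect_ssl continues past the end of this hunk.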