Initial merge of tls_verify patch from AopicieR.

6 files changed, 154 insertions, 20 deletions

diff --git a/lib/http_client.c b/lib/http_client.c
index 9d986412..02e5ebbe 100644
--- a/lib/http_client.c
+++ b/lib/http_client.c
@@ -32,7 +32,7 @@
 
 
 static gboolean http_connected( gpointer data, int source, b_input_condition cond );
-static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond );
+static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond );
 static gboolean http_incoming_data( gpointer data, int source, b_input_condition cond );
 static void http_free( struct http_request *req );
 
@@ -169,8 +169,9 @@ error:
 	return FALSE;
 }
 
-static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond )
+static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond )
 {
+	//The returncode is not used at the moment.
 	struct http_request *req = data;
 	
 	if( source == NULL )
diff --git a/lib/ssl_bogus.c b/lib/ssl_bogus.c
index f4ce5d4d..e2466c19 100644
--- a/lib/ssl_bogus.c
+++ b/lib/ssl_bogus.c
@@ -55,7 +55,7 @@ int ssl_getfd( void *conn )
 	return( -1 );
 }
 
-void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) 
+void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) 
 {
 	return NULL;
 }
diff --git a/lib/ssl_client.h b/lib/ssl_client.h
index 091335c5..03355297 100644
--- a/lib/ssl_client.h
+++ b/lib/ssl_client.h
@@ -36,14 +36,25 @@
 
 /* Some generic error codes. Especially SSL_AGAIN is important if you
    want to do asynchronous I/O. */
+#define NSS_VERIFY_ERROR -2
+#define OPENSSL_VERIFY_ERROR -1
 #define SSL_OK            0
 #define SSL_NOHANDSHAKE   1
 #define SSL_AGAIN         2
+#define VERIFY_CERT_ERROR 2
+#define VERIFY_CERT_INVALID 4
+#define VERIFY_CERT_REVOKED 8
+#define VERIFY_CERT_SIGNER_NOT_FOUND 16
+#define VERIFY_CERT_SIGNER_NOT_CA 32
+#define VERIFY_CERT_INSECURE_ALGORITHM 64
+#define VERIFY_CERT_NOT_ACTIVATED 128
+#define VERIFY_CERT_EXPIRED 256
+#define VERIFY_CERT_WRONG_HOSTNAME 512
 
 extern int ssl_errno;
 
 /* This is what your callback function should look like. */
-typedef gboolean (*ssl_input_function)(gpointer, void*, b_input_condition);
+typedef gboolean (*ssl_input_function)(gpointer, int, void*, b_input_condition);
 
 
 /* Perform any global initialization the SSL library might need. */
@@ -56,7 +67,7 @@ G_MODULE_EXPORT void *ssl_connect( char *host, int port, ssl_input_function func
 
 /* Start an SSL session on an existing fd. Useful for STARTTLS functionality,
    for example in Jabber. */
-G_MODULE_EXPORT void *ssl_starttls( int fd, ssl_input_function func, gpointer data );
+G_MODULE_EXPORT void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data );
 
 /* Obviously you need special read/write functions to read data. */
 G_MODULE_EXPORT int ssl_read( void *conn, char *buf, int len );
diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c
index ccab8aca..41f71f63 100644
--- a/lib/ssl_gnutls.c
+++ b/lib/ssl_gnutls.c
@@ -24,6 +24,7 @@
 */
 
 #include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
 #include <gcrypt.h>
 #include <fcntl.h>
 #include <unistd.h>
@@ -31,6 +32,7 @@
 #include "ssl_client.h"
 #include "sock.h"
 #include "stdlib.h"
+#include "bitlbee.h"
 
 int ssl_errno = 0;
 
@@ -53,6 +55,8 @@ struct scd
 	int fd;
 	gboolean established;
 	int inpa;
+	char *hostname;
+	gboolean verify;
 	
 	gnutls_session session;
 	gnutls_certificate_credentials xcred;
@@ -91,7 +95,7 @@ void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data
 	return conn;
 }
 
-void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
+void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
 {
 	struct scd *conn = g_new0( struct scd, 1 );
 	
@@ -99,6 +103,13 @@ void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
 	conn->func = func;
 	conn->data = data;
 	conn->inpa = -1;
+	conn->hostname = hostname;
+	
+	/* For now, SSL verification is globally enabled by setting the cafile
+	   setting in bitlbee.conf. Commented out by default because probably
+	   not everyone has this file in the same place and plenty of folks
+	   may not have the cert of their private Jabber server in it. */
+	conn->verify = verify && global.conf->cafile;
 	
 	/* This function should be called via a (short) timeout instead of
 	   directly from here, because these SSL calls are *supposed* to be
@@ -121,13 +132,75 @@ static gboolean ssl_starttls_real( gpointer data, gint source, b_input_condition
 	return ssl_connected( conn, conn->fd, B_EV_IO_WRITE );
 }
 
+static int verify_certificate_callback( gnutls_session_t session )
+{
+	unsigned int status;
+	const gnutls_datum_t *cert_list;
+	unsigned int cert_list_size;
+	int gnutlsret;
+	int verifyret = 0;
+	gnutls_x509_crt_t cert;
+	const char *hostname;
+	
+	hostname = gnutls_session_get_ptr(session );
+
+	gnutlsret = gnutls_certificate_verify_peers2( session, &status );
+	if( gnutlsret < 0 )
+		return VERIFY_CERT_ERROR;
+
+	if( status & GNUTLS_CERT_INVALID )
+		verifyret |= VERIFY_CERT_INVALID;
+
+	if( status & GNUTLS_CERT_REVOKED )
+		verifyret |= VERIFY_CERT_REVOKED;
+
+	if( status & GNUTLS_CERT_SIGNER_NOT_FOUND )
+		verifyret |= VERIFY_CERT_SIGNER_NOT_FOUND;
+
+	if( status & GNUTLS_CERT_SIGNER_NOT_CA )
+		verifyret |= VERIFY_CERT_SIGNER_NOT_CA;
+
+	if( status & GNUTLS_CERT_INSECURE_ALGORITHM )
+		verifyret |= VERIFY_CERT_INSECURE_ALGORITHM;
+
+	if( status & GNUTLS_CERT_NOT_ACTIVATED )
+		verifyret |= VERIFY_CERT_NOT_ACTIVATED;
+
+	if( status & GNUTLS_CERT_EXPIRED )
+		verifyret |= VERIFY_CERT_EXPIRED;
+
+	/* The following check is already performed inside 
+	 * gnutls_certificate_verify_peers2, so we don't need it.
+
+	 * if( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 )
+	 * return GNUTLS_E_CERTIFICATE_ERROR;
+	 */
+
+	if( gnutls_x509_crt_init( &cert ) < 0 )
+		return VERIFY_CERT_ERROR;
+
+	cert_list = gnutls_certificate_get_peers( session, &cert_list_size );
+	if( cert_list == NULL || gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER ) < 0 )
+		return VERIFY_CERT_ERROR;
+
+	if( !gnutls_x509_crt_check_hostname( cert, hostname ) )
+	{
+		verifyret |= VERIFY_CERT_INVALID;
+		verifyret |= VERIFY_CERT_WRONG_HOSTNAME;
+	}
+
+	gnutls_x509_crt_deinit( cert );
+
+	return verifyret;
+}
+
 static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond )
 {
 	struct scd *conn = data;
 	
 	if( source == -1 )
 	{
-		conn->func( conn->data, NULL, cond );
+		conn->func( conn->data, 0, NULL, cond );
 		g_free( conn );
 		return FALSE;
 	}
@@ -135,7 +208,15 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 	ssl_init();
 	
 	gnutls_certificate_allocate_credentials( &conn->xcred );
+	if( conn->verify && global.conf->cafile )
+	{
+		gnutls_certificate_set_x509_trust_file( conn->xcred, global.conf->cafile, GNUTLS_X509_FMT_PEM );
+		gnutls_certificate_set_verify_flags( conn->xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
+	}
+
 	gnutls_init( &conn->session, GNUTLS_CLIENT );
+	if( conn->verify )
+		gnutls_session_set_ptr( conn->session, (void *) conn->hostname );
 #if GNUTLS_VERSION_NUMBER < 0x020c00
 	gnutls_transport_set_lowat( conn->session, 0 );
 #endif
@@ -151,7 +232,7 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 static gboolean ssl_handshake( gpointer data, gint source, b_input_condition cond )
 {
 	struct scd *conn = data;
-	int st;
+	int st, stver;
 	
 	if( ( st = gnutls_handshake( conn->session ) ) < 0 )
 	{
@@ -162,7 +243,7 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con
 		}
 		else
 		{
-			conn->func( conn->data, NULL, cond );
+			conn->func( conn->data, 0, NULL, cond );
 			
 			gnutls_deinit( conn->session );
 			gnutls_certificate_free_credentials( conn->xcred );
@@ -173,11 +254,24 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con
 	}
 	else
 	{
-		/* For now we can't handle non-blocking perfectly everywhere... */
-		sock_make_blocking( conn->fd );
+		if( conn->verify && ( stver = verify_certificate_callback( conn->session ) ) != 0 )
+		{
+			conn->func( conn->data, stver, NULL, cond );
+
+			gnutls_deinit( conn->session );
+			gnutls_certificate_free_credentials( conn->xcred );
+			closesocket( conn->fd );
+
+			g_free( conn );
+		}
+		else
+		{
+			/* For now we can't handle non-blocking perfectly everywhere... */
+			sock_make_blocking( conn->fd );
 		
-		conn->established = TRUE;
-		conn->func( conn->data, conn, cond );
+			conn->established = TRUE;
+			conn->func( conn->data, 0, conn, cond );
+		}
 	}
 	
 	return FALSE;
diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c
index ec524ca6..4dfa063d 100644
--- a/lib/ssl_nss.c
+++ b/lib/ssl_nss.c
@@ -51,6 +51,7 @@ struct scd
 	int fd;
 	PRFileDesc *prfd;
 	gboolean established;
+	gboolean verify;
 };
 
 static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond );
@@ -131,13 +132,14 @@ static gboolean ssl_starttls_real( gpointer data, gint source, b_input_condition
 	return ssl_connected( conn, conn->fd, B_EV_IO_WRITE );
 }
 
-void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
+void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
 {
 	struct scd *conn = g_new0( struct scd, 1 );
 
 	conn->fd = fd;
 	conn->func = func;
 	conn->data = data;
+	conn->verify = verify;
 
 	/* This function should be called via a (short) timeout instead of
 	   directly from here, because these SSL calls are *supposed* to be
@@ -157,6 +159,18 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 {
 	struct scd *conn = data;
 	
+	/* Right now we don't have any verification functionality for nss so we 
+	   fail in case verification has been requested by the user. */
+
+	if( conn->verify )
+	{
+		conn->func( conn->data, NSS_VERIFY_ERROR, NULL, cond );
+		if( source >= 0 ) closesocket( source );
+		g_free( conn );
+
+		return FALSE;
+	}
+	
 	if( source == -1 )
 		goto ssl_connected_failure;
 	
@@ -176,12 +190,12 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 	
 	
 	conn->established = TRUE;
-	conn->func( conn->data, conn, cond );
+	conn->func( conn->data, 0, conn, cond );
 	return FALSE;
 	
 	ssl_connected_failure:
 	
-	conn->func( conn->data, NULL, cond );
+	conn->func( conn->data, 0, NULL, cond );
 	
 	PR_Close( conn -> prfd );
 	if( source >= 0 ) closesocket( source );
diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c
index 5f64042d..7c7f725e 100644
--- a/lib/ssl_openssl.c
+++ b/lib/ssl_openssl.c
@@ -44,6 +44,7 @@ struct scd
 	gpointer data;
 	int fd;
 	gboolean established;
+	gboolean verify;
 	
 	int inpa;
 	int lasterr;		/* Necessary for SSL_get_error */
@@ -81,7 +82,7 @@ void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data
 	return conn;
 }
 
-void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
+void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
 {
 	struct scd *conn = g_new0( struct scd, 1 );
 	
@@ -89,6 +90,7 @@ void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
 	conn->func = func;
 	conn->data = data;
 	conn->inpa = -1;
+	conn->verify = verify;
 	
 	/* This function should be called via a (short) timeout instead of
 	   directly from here, because these SSL calls are *supposed* to be
@@ -116,6 +118,18 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 	struct scd *conn = data;
 	SSL_METHOD *meth;
 	
+	/* Right now we don't have any verification functionality for openssl so we 
+	   fail in case verification has been requested by the user. */
+
+	if( conn->verify )
+	{
+		conn->func( conn->data, OPENSSL_VERIFY_ERROR, NULL, cond );
+		if( source >= 0 ) closesocket( source );
+		g_free( conn );
+
+		return FALSE;
+	}
+
 	if( source == -1 )
 		goto ssl_connected_failure;
 	
@@ -140,7 +154,7 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 	return ssl_handshake( data, source, cond );
 
 ssl_connected_failure:
-	conn->func( conn->data, NULL, cond );
+	conn->func( conn->data, 0, NULL, cond );
 	
 	if( conn->ssl )
 	{
@@ -168,7 +182,7 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con
 		conn->lasterr = SSL_get_error( conn->ssl, st );
 		if( conn->lasterr != SSL_ERROR_WANT_READ && conn->lasterr != SSL_ERROR_WANT_WRITE )
 		{
-			conn->func( conn->data, NULL, cond );
+			conn->func( conn->data, 0, NULL, cond );
 			
 			SSL_shutdown( conn->ssl );
 			SSL_free( conn->ssl );
@@ -186,7 +200,7 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con
 	
 	conn->established = TRUE;
 	sock_make_blocking( conn->fd );		/* For now... */
-	conn->func( conn->data, conn, cond );
+	conn->func( conn->data, 0, conn, cond );
 	return FALSE;
 }