6 files changed, 224 insertions, 28 deletions

diff --git a/lib/http_client.c b/lib/http_client.c
index 9d986412..98a99f7c 100644
--- a/lib/http_client.c
+++ b/lib/http_client.c
@@ -32,7 +32,7 @@
 
 
 static gboolean http_connected( gpointer data, int source, b_input_condition cond );
-static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond );
+static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond );
 static gboolean http_incoming_data( gpointer data, int source, b_input_condition cond );
 static void http_free( struct http_request *req );
 
@@ -46,7 +46,7 @@ struct http_request *http_dorequest( char *host, int port, int ssl, char *reques
 	
 	if( ssl )
 	{
-		req->ssl = ssl_connect( host, port, http_ssl_connected, req );
+		req->ssl = ssl_connect( host, port, TRUE, http_ssl_connected, req );
 		if( req->ssl == NULL )
 			error = 1;
 	}
@@ -162,19 +162,30 @@ static gboolean http_connected( gpointer data, int source, b_input_condition con
 	return FALSE;
 	
 error:
-	req->status_string = g_strdup( "Error while writing HTTP request" );
+	if( req->status_string == NULL )
+		req->status_string = g_strdup( "Error while writing HTTP request" );
 	
 	req->func( req );
 	http_free( req );
 	return FALSE;
 }
 
-static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond )
+static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond )
 {
 	struct http_request *req = data;
 	
 	if( source == NULL )
+	{
+		if( returncode != 0 )
+		{
+			char *err = ssl_verify_strerror( returncode );
+			req->status_string = g_strdup_printf(
+				"Certificate verification problem 0x%x: %s",
+				returncode, err ? err : "Unknown" );
+			g_free( err );
+		}
 		return http_connected( data, -1, cond );
+	}
 	
 	req->fd = ssl_getfd( source );
 	
@@ -438,7 +449,7 @@ got_reply:
 	
 		if( new_proto == PROTO_HTTPS )
 		{
-			req->ssl = ssl_connect( new_host, new_port, http_ssl_connected, req );
+			req->ssl = ssl_connect( new_host, new_port, TRUE, http_ssl_connected, req );
 			if( req->ssl == NULL )
 				error = 1;
 		}
diff --git a/lib/ssl_bogus.c b/lib/ssl_bogus.c
index f4ce5d4d..e134201d 100644
--- a/lib/ssl_bogus.c
+++ b/lib/ssl_bogus.c
@@ -31,7 +31,7 @@ void ssl_init( void )
 {
 }
 
-void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
 {
 	return( NULL );
 }
@@ -55,7 +55,7 @@ int ssl_getfd( void *conn )
 	return( -1 );
 }
 
-void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) 
+void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) 
 {
 	return NULL;
 }
@@ -69,3 +69,8 @@ int ssl_pending( void *conn )
 {
 	return 0;
 }
+
+char *ssl_verify_strerror( int code )
+{
+	return NULL;
+}
diff --git a/lib/ssl_client.h b/lib/ssl_client.h
index 091335c5..d8822143 100644
--- a/lib/ssl_client.h
+++ b/lib/ssl_client.h
@@ -36,14 +36,25 @@
 
 /* Some generic error codes. Especially SSL_AGAIN is important if you
    want to do asynchronous I/O. */
+#define NSS_VERIFY_ERROR -2
+#define OPENSSL_VERIFY_ERROR -1
 #define SSL_OK            0
 #define SSL_NOHANDSHAKE   1
 #define SSL_AGAIN         2
+#define VERIFY_CERT_ERROR 2
+#define VERIFY_CERT_INVALID 4
+#define VERIFY_CERT_REVOKED 8
+#define VERIFY_CERT_SIGNER_NOT_FOUND 16
+#define VERIFY_CERT_SIGNER_NOT_CA 32
+#define VERIFY_CERT_INSECURE_ALGORITHM 64
+#define VERIFY_CERT_NOT_ACTIVATED 128
+#define VERIFY_CERT_EXPIRED 256
+#define VERIFY_CERT_WRONG_HOSTNAME 512
 
 extern int ssl_errno;
 
 /* This is what your callback function should look like. */
-typedef gboolean (*ssl_input_function)(gpointer, void*, b_input_condition);
+typedef gboolean (*ssl_input_function)(gpointer, int, void*, b_input_condition);
 
 
 /* Perform any global initialization the SSL library might need. */
@@ -52,11 +63,11 @@ G_MODULE_EXPORT void ssl_init( void );
 /* Connect to host:port, call the given function when the connection is
    ready to be used for SSL traffic. This is all done asynchronously, no
    blocking I/O! (Except for the DNS lookups, for now...) */
-G_MODULE_EXPORT void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data );
+G_MODULE_EXPORT void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data );
 
 /* Start an SSL session on an existing fd. Useful for STARTTLS functionality,
    for example in Jabber. */
-G_MODULE_EXPORT void *ssl_starttls( int fd, ssl_input_function func, gpointer data );
+G_MODULE_EXPORT void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data );
 
 /* Obviously you need special read/write functions to read data. */
 G_MODULE_EXPORT int ssl_read( void *conn, char *buf, int len );
@@ -89,4 +100,8 @@ G_MODULE_EXPORT int ssl_getfd( void *conn );
    the same action as the handler that just received the SSL_AGAIN.) */
 G_MODULE_EXPORT b_input_condition ssl_getdirection( void *conn );
 
+/* Converts a verification bitfield passed to ssl_input_function into
+   a more useful string. Or NULL if it had no useful bits set. */
+G_MODULE_EXPORT char *ssl_verify_strerror( int code );
+
 G_MODULE_EXPORT size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res);
diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c
index ccab8aca..b4bc72d5 100644
--- a/lib/ssl_gnutls.c
+++ b/lib/ssl_gnutls.c
@@ -24,6 +24,7 @@
 */
 
 #include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
 #include <gcrypt.h>
 #include <fcntl.h>
 #include <unistd.h>
@@ -31,6 +32,7 @@
 #include "ssl_client.h"
 #include "sock.h"
 #include "stdlib.h"
+#include "bitlbee.h"
 
 int ssl_errno = 0;
 
@@ -53,6 +55,8 @@ struct scd
 	int fd;
 	gboolean established;
 	int inpa;
+	char *hostname;
+	gboolean verify;
 	
 	gnutls_session session;
 	gnutls_certificate_credentials xcred;
@@ -73,7 +77,7 @@ void ssl_init( void )
 	atexit( gnutls_global_deinit );
 }
 
-void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
 {
 	struct scd *conn = g_new0( struct scd, 1 );
 	
@@ -81,6 +85,8 @@ void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data
 	conn->func = func;
 	conn->data = data;
 	conn->inpa = -1;
+	conn->hostname = g_strdup( host );
+	conn->verify = verify && global.conf->cafile;
 	
 	if( conn->fd < 0 )
 	{
@@ -91,7 +97,7 @@ void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data
 	return conn;
 }
 
-void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
+void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
 {
 	struct scd *conn = g_new0( struct scd, 1 );
 	
@@ -99,6 +105,13 @@ void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
 	conn->func = func;
 	conn->data = data;
 	conn->inpa = -1;
+	conn->hostname = hostname;
+	
+	/* For now, SSL verification is globally enabled by setting the cafile
+	   setting in bitlbee.conf. Commented out by default because probably
+	   not everyone has this file in the same place and plenty of folks
+	   may not have the cert of their private Jabber server in it. */
+	conn->verify = verify && global.conf->cafile;
 	
 	/* This function should be called via a (short) timeout instead of
 	   directly from here, because these SSL calls are *supposed* to be
@@ -121,13 +134,106 @@ static gboolean ssl_starttls_real( gpointer data, gint source, b_input_condition
 	return ssl_connected( conn, conn->fd, B_EV_IO_WRITE );
 }
 
+static int verify_certificate_callback( gnutls_session_t session )
+{
+	unsigned int status;
+	const gnutls_datum_t *cert_list;
+	unsigned int cert_list_size;
+	int gnutlsret;
+	int verifyret = 0;
+	gnutls_x509_crt_t cert;
+	const char *hostname;
+	
+	hostname = gnutls_session_get_ptr(session );
+
+	gnutlsret = gnutls_certificate_verify_peers2( session, &status );
+	if( gnutlsret < 0 )
+		return VERIFY_CERT_ERROR;
+
+	if( status & GNUTLS_CERT_INVALID )
+		verifyret |= VERIFY_CERT_INVALID;
+
+	if( status & GNUTLS_CERT_REVOKED )
+		verifyret |= VERIFY_CERT_REVOKED;
+
+	if( status & GNUTLS_CERT_SIGNER_NOT_FOUND )
+		verifyret |= VERIFY_CERT_SIGNER_NOT_FOUND;
+
+	if( status & GNUTLS_CERT_SIGNER_NOT_CA )
+		verifyret |= VERIFY_CERT_SIGNER_NOT_CA;
+
+	if( status & GNUTLS_CERT_INSECURE_ALGORITHM )
+		verifyret |= VERIFY_CERT_INSECURE_ALGORITHM;
+
+	if( status & GNUTLS_CERT_NOT_ACTIVATED )
+		verifyret |= VERIFY_CERT_NOT_ACTIVATED;
+
+	if( status & GNUTLS_CERT_EXPIRED )
+		verifyret |= VERIFY_CERT_EXPIRED;
+
+	/* The following check is already performed inside 
+	 * gnutls_certificate_verify_peers2, so we don't need it.
+
+	 * if( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 )
+	 * return GNUTLS_E_CERTIFICATE_ERROR;
+	 */
+
+	if( gnutls_x509_crt_init( &cert ) < 0 )
+		return VERIFY_CERT_ERROR;
+
+	cert_list = gnutls_certificate_get_peers( session, &cert_list_size );
+	if( cert_list == NULL || gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER ) < 0 )
+		return VERIFY_CERT_ERROR;
+
+	if( !gnutls_x509_crt_check_hostname( cert, hostname ) )
+	{
+		verifyret |= VERIFY_CERT_INVALID;
+		verifyret |= VERIFY_CERT_WRONG_HOSTNAME;
+	}
+
+	gnutls_x509_crt_deinit( cert );
+
+	return verifyret;
+}
+
+char *ssl_verify_strerror( int code )
+{
+	GString *ret = g_string_new( "" );
+	
+	if( code & VERIFY_CERT_REVOKED )
+		g_string_append( ret, "certificate has been revoked, " );
+	if( code & VERIFY_CERT_SIGNER_NOT_FOUND )
+		g_string_append( ret, "certificate hasn't got a known issuer, " );
+	if( code & VERIFY_CERT_SIGNER_NOT_CA )
+		g_string_append( ret, "certificate's issuer is not a CA, " );
+	if( code & VERIFY_CERT_INSECURE_ALGORITHM )
+		g_string_append( ret, "certificate uses an insecure algorithm, " );
+	if( code & VERIFY_CERT_NOT_ACTIVATED )
+		g_string_append( ret, "certificate has not been activated, " );
+	if( code & VERIFY_CERT_EXPIRED )
+		g_string_append( ret, "certificate has expired, " );
+	if( code & VERIFY_CERT_WRONG_HOSTNAME )
+		g_string_append( ret, "certificate hostname mismatch, " );
+	
+	if( ret->len == 0 )
+	{
+		g_string_free( ret, TRUE );
+		return NULL;
+	}
+	else
+	{
+		g_string_truncate( ret, ret->len - 2 );
+		return g_string_free( ret, FALSE );
+	}
+}
+
 static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond )
 {
 	struct scd *conn = data;
 	
 	if( source == -1 )
 	{
-		conn->func( conn->data, NULL, cond );
+		conn->func( conn->data, 0, NULL, cond );
 		g_free( conn );
 		return FALSE;
 	}
@@ -135,7 +241,15 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 	ssl_init();
 	
 	gnutls_certificate_allocate_credentials( &conn->xcred );
+	if( conn->verify && global.conf->cafile )
+	{
+		gnutls_certificate_set_x509_trust_file( conn->xcred, global.conf->cafile, GNUTLS_X509_FMT_PEM );
+		gnutls_certificate_set_verify_flags( conn->xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
+	}
+
 	gnutls_init( &conn->session, GNUTLS_CLIENT );
+	if( conn->verify )
+		gnutls_session_set_ptr( conn->session, (void *) conn->hostname );
 #if GNUTLS_VERSION_NUMBER < 0x020c00
 	gnutls_transport_set_lowat( conn->session, 0 );
 #endif
@@ -151,7 +265,7 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 static gboolean ssl_handshake( gpointer data, gint source, b_input_condition cond )
 {
 	struct scd *conn = data;
-	int st;
+	int st, stver;
 	
 	if( ( st = gnutls_handshake( conn->session ) ) < 0 )
 	{
@@ -162,7 +276,7 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con
 		}
 		else
 		{
-			conn->func( conn->data, NULL, cond );
+			conn->func( conn->data, 0, NULL, cond );
 			
 			gnutls_deinit( conn->session );
 			gnutls_certificate_free_credentials( conn->xcred );
@@ -173,11 +287,24 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con
 	}
 	else
 	{
-		/* For now we can't handle non-blocking perfectly everywhere... */
-		sock_make_blocking( conn->fd );
+		if( conn->verify && ( stver = verify_certificate_callback( conn->session ) ) != 0 )
+		{
+			conn->func( conn->data, stver, NULL, cond );
+
+			gnutls_deinit( conn->session );
+			gnutls_certificate_free_credentials( conn->xcred );
+			closesocket( conn->fd );
+
+			g_free( conn );
+		}
+		else
+		{
+			/* For now we can't handle non-blocking perfectly everywhere... */
+			sock_make_blocking( conn->fd );
 		
-		conn->established = TRUE;
-		conn->func( conn->data, conn, cond );
+			conn->established = TRUE;
+			conn->func( conn->data, 0, conn, cond );
+		}
 	}
 	
 	return FALSE;
diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c
index ec524ca6..5b573f9b 100644
--- a/lib/ssl_nss.c
+++ b/lib/ssl_nss.c
@@ -51,6 +51,7 @@ struct scd
 	int fd;
 	PRFileDesc *prfd;
 	gboolean established;
+	gboolean verify;
 };
 
 static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond );
@@ -101,7 +102,7 @@ void ssl_init( void )
 	initialized = TRUE;
 }
 
-void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
 {
 	struct scd *conn = g_new0( struct scd, 1 );
 	
@@ -131,13 +132,14 @@ static gboolean ssl_starttls_real( gpointer data, gint source, b_input_condition
 	return ssl_connected( conn, conn->fd, B_EV_IO_WRITE );
 }
 
-void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
+void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
 {
 	struct scd *conn = g_new0( struct scd, 1 );
 
 	conn->fd = fd;
 	conn->func = func;
 	conn->data = data;
+	conn->verify = verify;
 
 	/* This function should be called via a (short) timeout instead of
 	   directly from here, because these SSL calls are *supposed* to be
@@ -157,6 +159,18 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 {
 	struct scd *conn = data;
 	
+	/* Right now we don't have any verification functionality for nss so we 
+	   fail in case verification has been requested by the user. */
+
+	if( conn->verify )
+	{
+		conn->func( conn->data, NSS_VERIFY_ERROR, NULL, cond );
+		if( source >= 0 ) closesocket( source );
+		g_free( conn );
+
+		return FALSE;
+	}
+	
 	if( source == -1 )
 		goto ssl_connected_failure;
 	
@@ -176,12 +190,12 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 	
 	
 	conn->established = TRUE;
-	conn->func( conn->data, conn, cond );
+	conn->func( conn->data, 0, conn, cond );
 	return FALSE;
 	
 	ssl_connected_failure:
 	
-	conn->func( conn->data, NULL, cond );
+	conn->func( conn->data, 0, NULL, cond );
 	
 	PR_Close( conn -> prfd );
 	if( source >= 0 ) closesocket( source );
@@ -237,3 +251,8 @@ b_input_condition ssl_getdirection( void *conn )
 	/* Just in case someone calls us, let's return the most likely case: */
 	return B_EV_IO_READ;
 }
+
+char *ssl_verify_strerror( int code )
+{
+	return g_strdup( "SSL certificate verification not supported by BitlBee NSS code." );
+}
diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c
index 5f64042d..955c8274 100644
--- a/lib/ssl_openssl.c
+++ b/lib/ssl_openssl.c
@@ -44,6 +44,7 @@ struct scd
 	gpointer data;
 	int fd;
 	gboolean established;
+	gboolean verify;
 	
 	int inpa;
 	int lasterr;		/* Necessary for SSL_get_error */
@@ -63,7 +64,7 @@ void ssl_init( void )
 	// SSLeay_add_ssl_algorithms();
 }
 
-void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
 {
 	struct scd *conn = g_new0( struct scd, 1 );
 	
@@ -81,7 +82,7 @@ void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data
 	return conn;
 }
 
-void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
+void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
 {
 	struct scd *conn = g_new0( struct scd, 1 );
 	
@@ -89,6 +90,7 @@ void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
 	conn->func = func;
 	conn->data = data;
 	conn->inpa = -1;
+	conn->verify = verify;
 	
 	/* This function should be called via a (short) timeout instead of
 	   directly from here, because these SSL calls are *supposed* to be
@@ -116,6 +118,18 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 	struct scd *conn = data;
 	SSL_METHOD *meth;
 	
+	/* Right now we don't have any verification functionality for openssl so we 
+	   fail in case verification has been requested by the user. */
+
+	if( conn->verify )
+	{
+		conn->func( conn->data, OPENSSL_VERIFY_ERROR, NULL, cond );
+		if( source >= 0 ) closesocket( source );
+		g_free( conn );
+
+		return FALSE;
+	}
+
 	if( source == -1 )
 		goto ssl_connected_failure;
 	
@@ -140,7 +154,7 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 	return ssl_handshake( data, source, cond );
 
 ssl_connected_failure:
-	conn->func( conn->data, NULL, cond );
+	conn->func( conn->data, 0, NULL, cond );
 	
 	if( conn->ssl )
 	{
@@ -168,7 +182,7 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con
 		conn->lasterr = SSL_get_error( conn->ssl, st );
 		if( conn->lasterr != SSL_ERROR_WANT_READ && conn->lasterr != SSL_ERROR_WANT_WRITE )
 		{
-			conn->func( conn->data, NULL, cond );
+			conn->func( conn->data, 0, NULL, cond );
 			
 			SSL_shutdown( conn->ssl );
 			SSL_free( conn->ssl );
@@ -186,7 +200,7 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con
 	
 	conn->established = TRUE;
 	sock_make_blocking( conn->fd );		/* For now... */
-	conn->func( conn->data, conn, cond );
+	conn->func( conn->data, 0, conn, cond );
 	return FALSE;
 }
 
@@ -273,6 +287,11 @@ b_input_condition ssl_getdirection( void *conn )
 	return( ((struct scd*)conn)->lasterr == SSL_ERROR_WANT_WRITE ? B_EV_IO_WRITE : B_EV_IO_READ );
 }
 
+char *ssl_verify_strerror( int code )
+{
+	return g_strdup( "SSL certificate verification not supported by BitlBee OpenSSL code." );
+}
+
 size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res)
 {
 	int output_length = 0;