From 4efa5ce4d0778c841f957c2beb3458f9e76c5534 Mon Sep 17 00:00:00 2001
From: Alex Miller
Date: Sun, 18 Dec 2011 14:44:11 -0600
Subject: Don't use the C++ keyword 'new' as a variable name.
---
 irc.h | 8 ++++----
 protocols/bee.h | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/irc.h b/irc.h
index f186b96a..930b90b3 100644
--- a/irc.h
+++ b/irc.h
@@ -181,7 +181,7 @@ struct irc_channel_funcs
 gboolean (*privmsg)( irc_channel_t *ic, const char *msg );
 gboolean (*join)( irc_channel_t *ic );
 gboolean (*part)( irc_channel_t *ic, const char *msg );
- gboolean (*topic)( irc_channel_t *ic, const char *new );
+ gboolean (*topic)( irc_channel_t *ic, const char *new_topic );
 gboolean (*invite)( irc_channel_t *ic, irc_user_t *iu );
 gboolean (*_init)( irc_channel_t *ic );
@@ -331,16 +331,16 @@ void irc_send_who( irc_t *irc, GSList *l, const char *channel );
 void irc_send_msg( irc_user_t *iu, const char *type, const char *dst, const char *msg, const char *prefix );
 void irc_send_msg_raw( irc_user_t *iu, const char *type, const char *dst, const char *msg );
 void irc_send_msg_f( irc_user_t *iu, const char *type, const char *dst, const char *format, ... ) G_GNUC_PRINTF( 4, 5 );
-void irc_send_nick( irc_user_t *iu, const char *new );
+void irc_send_nick( irc_user_t *iu, const char *new_nick );
 void irc_send_channel_user_mode_diff( irc_channel_t *ic, irc_user_t *iu,
- irc_channel_user_flags_t old, irc_channel_user_flags_t new );
+ irc_channel_user_flags_t old_flags, irc_channel_user_flags_t new_flags );
 void irc_send_invite( irc_user_t *iu, irc_channel_t *ic );
 /* irc_user.c */
 irc_user_t *irc_user_new( irc_t *irc, const char *nick );
 int irc_user_free( irc_t *irc, irc_user_t *iu );
 irc_user_t *irc_user_by_name( irc_t *irc, const char *nick );
-int irc_user_set_nick( irc_user_t *iu, const char *new );
+int irc_user_set_nick( irc_user_t *iu, const char *new_nick );
 gint irc_user_cmp( gconstpointer a_, gconstpointer b_ );
 const char *irc_user_get_away( irc_user_t *iu );
 void irc_user_quit( irc_user_t *iu, const char *msg );
diff --git a/protocols/bee.h b/protocols/bee.h
index 49ea6fb5..24f5824e 100644
--- a/protocols/bee.h
+++ b/protocols/bee.h
@@ -122,7 +122,7 @@ typedef struct bee_ui_funcs gboolean (*chat_msg)( bee_t *bee, struct groupchat *c, bee_user_t *bu, const char *msg, time_t sent_at ); gboolean (*chat_add_user)( bee_t *bee, struct groupchat *c, bee_user_t *bu ); gboolean (*chat_remove_user)( bee_t *bee, struct groupchat *c, bee_user_t *bu ); - gboolean (*chat_topic)( bee_t *bee, struct groupchat *c, const char *new, bee_user_t *bu ); + gboolean (*chat_topic)( bee_t *bee, struct groupchat *c, const char *new_topic, bee_user_t *bu ); gboolean (*chat_name_hint)( bee_t *bee, struct groupchat *c, const char *name ); gboolean (*chat_invite)( bee_t *bee, bee_user_t *bu, const char *name, const char *msg ); -- cgit v1.2.3 From c1a58cce5edf4767af5cc040f9528506727a5e13 Mon Sep 17 00:00:00 2001 From: Alex Miller Date: Sun, 18 Dec 2011 14:45:47 -0600 Subject: Wrap the external API in `extern "C"` if included in a C++ file. --- bitlbee.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/bitlbee.h b/bitlbee.h index ace78880..847cecf8 100644 --- a/bitlbee.h +++ b/bitlbee.h @@ -26,6 +26,10 @@ #ifndef _BITLBEE_H #define _BITLBEE_H +#ifdef __cplusplus +extern "C" { +#endif + #ifndef _GNU_SOURCE #define _GNU_SOURCE /* Stupid GNU :-P */ #endif @@ -174,4 +178,9 @@ char *set_eval_control_channel( set_t *set, char *new_name ); extern global_t global; +#ifdef __cplusplus +} #endif + +#endif + -- cgit v1.2.3 From 5a48afdf1a4dafcda8eecf42fc7cabb12ee48b40 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 14:51:58 +0100 Subject: Slight documentation fix: "both" is no longer a valid scope for a setting since there are three possible scopes now. --- doc/user-guide/commands.xml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/doc/user-guide/commands.xml b/doc/user-guide/commands.xml index 60e1cf61..3a9202dc 100644 --- a/doc/user-guide/commands.xml +++ b/doc/user-guide/commands.xml @@ -647,7 +647,7 @@ - + true @@ -671,7 +671,7 @@ - + true 
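Review bot: The `extern "C" {` block in bitlbee.h opens before the `_GNU_SOURCE` definition, so any `#include` between there and the closing brace added near the end of the header ends up inside C linkage when a C++ file includes it (the include lines are outside the hunk, so this is inferred). Headers that guard themselves cope with that, but one that declares templates or overloads under `__cplusplus` will not compile; opening the block after the last `#include` avoids depending on it. A trailing comment on the closing brace, `} /* extern "C" */`, would also make the two `#endif`s at the end easier to pair up.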
@@ -725,7 +725,7 @@ - + To mark yourself as away, it is recommended to just use /away, like on normal IRC networks. If you want to mark yourself as away on only one IM network, you can use this per-account setting. @@ -1075,7 +1075,7 @@ - + %-@nick @@ -1168,7 +1168,7 @@ - + Use this global setting to change your "NickServ" password. @@ -1396,10 +1396,10 @@ - + - Certain protocols (like Jabber/XMPP) support status messages, similar to away messages. They can be used to indicate things like your location or activity, without showing up as away/busy. + Most IM protocols support status messages, similar to away messages. They can be used to indicate things like your location or activity, without showing up as away/busy. @@ -1407,7 +1407,7 @@ - Away states set using /away or the away setting will override this setting. To un-set the setting, use set -del status. + Away states set using /away or the away setting will override this setting. To clear the setting, use set -del status. -- cgit v1.2.3 From 486ddb53b93b6677dc3feeb4afaad2ea93a71a81 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 15:50:58 +0100 Subject: Initial merge of tls_verify patch from AopicieR. --- conf.c | 6 +++ conf.h | 1 + lib/http_client.c | 5 ++- lib/ssl_bogus.c | 2 +- lib/ssl_client.h | 15 ++++++- lib/ssl_gnutls.c | 110 ++++++++++++++++++++++++++++++++++++++++++---- lib/ssl_nss.c | 20 +++++++-- lib/ssl_openssl.c | 22 ++++++++-- protocols/jabber/io.c | 53 ++++++++++++++++++++-- protocols/jabber/jabber.c | 3 ++ protocols/jabber/jabber.h | 2 +- protocols/skype/skype.c | 2 +- 12 files changed, 216 insertions(+), 25 deletions(-) diff --git a/conf.c b/conf.c index b5993b4b..52055c35 100644 --- a/conf.c +++ b/conf.c @@ -66,6 +66,7 @@ conf_t *conf_load( int argc, char *argv[] ) conf->ft_max_kbps = G_MAXUINT; conf->ft_listen = NULL; conf->protocols = NULL; + conf->cafile = NULL; proxytype = 0; i = conf_loadini( conf, global.conf_file ); 
@@ -339,6 +340,11 @@ static int conf_loadini( conf_t *conf, char *file ) g_strfreev( conf->protocols ); conf->protocols = g_strsplit_set( ini->value, " \t,;", -1 ); } + else if( g_strcasecmp( ini->key, "cafile" ) == 0 ) + { + g_free( conf->cafile ); + conf->cafile = g_strdup( ini->value ); + } else { fprintf( stderr, "Error: Unknown setting `%s` in configuration file (line %d).\n", ini->key, ini->line ); diff --git a/conf.h b/conf.h index f4976039..7eca09c1 100644 --- a/conf.h +++ b/conf.h @@ -53,6 +53,7 @@ typedef struct conf int ft_max_kbps; char *ft_listen; char **protocols; + char *cafile; } conf_t; G_GNUC_MALLOC conf_t *conf_load( int argc, char *argv[] ); diff --git a/lib/http_client.c b/lib/http_client.c index 9d986412..02e5ebbe 100644 --- a/lib/http_client.c +++ b/lib/http_client.c @@ -32,7 +32,7 @@ static gboolean http_connected( gpointer data, int source, b_input_condition cond ); -static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond ); +static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond ); static gboolean http_incoming_data( gpointer data, int source, b_input_condition cond ); static void http_free( struct http_request *req ); @@ -169,8 +169,9 @@ error: return FALSE; } -static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond ) +static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond ) { + //The returncode is not used at the moment. struct http_request *req = data; if( source == NULL ) diff --git a/lib/ssl_bogus.c b/lib/ssl_bogus.c index f4ce5d4d..e2466c19 100644 --- a/lib/ssl_bogus.c +++ b/lib/ssl_bogus.c @@ -55,7 +55,7 @@ int ssl_getfd( void *conn ) return( -1 ); } -void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) +void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) { return NULL; } 
diff --git a/lib/ssl_client.h b/lib/ssl_client.h index 091335c5..03355297 100644 --- a/lib/ssl_client.h +++ b/lib/ssl_client.h @@ -36,14 +36,25 @@ /* Some generic error codes. Especially SSL_AGAIN is important if you want to do asynchronous I/O. */ +#define NSS_VERIFY_ERROR -2 +#define OPENSSL_VERIFY_ERROR -1 #define SSL_OK 0 #define SSL_NOHANDSHAKE 1 #define SSL_AGAIN 2 +#define VERIFY_CERT_ERROR 2 +#define VERIFY_CERT_INVALID 4 +#define VERIFY_CERT_REVOKED 8 +#define VERIFY_CERT_SIGNER_NOT_FOUND 16 +#define VERIFY_CERT_SIGNER_NOT_CA 32 +#define VERIFY_CERT_INSECURE_ALGORITHM 64 +#define VERIFY_CERT_NOT_ACTIVATED 128 +#define VERIFY_CERT_EXPIRED 256 +#define VERIFY_CERT_WRONG_HOSTNAME 512 extern int ssl_errno; /* This is what your callback function should look like. */ -typedef gboolean (*ssl_input_function)(gpointer, void*, b_input_condition); +typedef gboolean (*ssl_input_function)(gpointer, int, void*, b_input_condition); /* Perform any global initialization the SSL library might need. */ @@ -56,7 +67,7 @@ G_MODULE_EXPORT void *ssl_connect( char *host, int port, ssl_input_function func /* Start an SSL session on an existing fd. Useful for STARTTLS functionality, for example in Jabber. */ -G_MODULE_EXPORT void *ssl_starttls( int fd, ssl_input_function func, gpointer data ); +G_MODULE_EXPORT void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ); /* Obviously you need special read/write functions to read data. */ G_MODULE_EXPORT int ssl_read( void *conn, char *buf, int len ); diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c index ccab8aca..41f71f63 100644 --- a/lib/ssl_gnutls.c +++ b/lib/ssl_gnutls.c @@ -24,6 +24,7 @@ */ #include +#include #include #include #include @@ -31,6 +32,7 @@ #include "ssl_client.h" #include "sock.h" #include "stdlib.h" +#include "bitlbee.h" int ssl_errno = 0; 
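Review bot: The new return codes in ssl_client.h put three different schemes into one `int` without a comment saying so: `OPENSSL_VERIFY_ERROR` and `NSS_VERIFY_ERROR` are negative sentinels, `VERIFY_CERT_ERROR` is a stand-alone value, and `VERIFY_CERT_INVALID` upward are bits meant to be OR-ed together. `VERIFY_CERT_ERROR` also shares the value 2 with `SSL_AGAIN`, which is easy to misread even though the two appear to travel through different channels. A block comment above the `VERIFY_CERT_*` group should state that the callback's second argument is 0 on success, how a caller tells the sentinels from the bitmask, and that a NULL connection pointer remains the failure signal. The new `hostname` parameter of `ssl_starttls()` would be better declared `const char *hostname` unless an implementation needs to write through it.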
@@ -53,6 +55,8 @@ struct scd int fd; gboolean established; int inpa; + char *hostname; + gboolean verify; gnutls_session session; gnutls_certificate_credentials xcred; @@ -91,7 +95,7 @@ void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data return conn; } -void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) +void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) { struct scd *conn = g_new0( struct scd, 1 ); @@ -99,6 +103,13 @@ void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) conn->func = func; conn->data = data; conn->inpa = -1; + conn->hostname = hostname; + + /* For now, SSL verification is globally enabled by setting the cafile + setting in bitlbee.conf. Commented out by default because probably + not everyone has this file in the same place and plenty of folks + may not have the cert of their private Jabber server in it. */ + conn->verify = verify && global.conf->cafile; /* This function should be called via a (short) timeout instead of directly from here, because these SSL calls are *supposed* to be 
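Review bot: `conn->verify = verify && global.conf->cafile;` in ssl_starttls() turns a caller's explicit request for verification into no verification whenever `cafile` is unset, and nothing tells the user. The handshake then proceeds and the callback receives a live connection, so an account with verification switched on cannot be told apart from one whose certificate was actually checked. Failing the connection, or at least logging that verification was requested but no CA file is configured, would keep the setting honest. Separately, `conn->hostname = hostname;` stores the caller's pointer for use after the asynchronous handshake; `conn->hostname = g_strdup( hostname );` with a matching `g_free()` on every path that frees `conn` removes the lifetime dependency.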
@@ -121,13 +132,75 @@ static gboolean ssl_starttls_real( gpointer data, gint source, b_input_condition return ssl_connected( conn, conn->fd, B_EV_IO_WRITE ); } +static int verify_certificate_callback( gnutls_session_t session ) +{ + unsigned int status; + const gnutls_datum_t *cert_list; + unsigned int cert_list_size; + int gnutlsret; + int verifyret = 0; + gnutls_x509_crt_t cert; + const char *hostname; + + hostname = gnutls_session_get_ptr(session ); + + gnutlsret = gnutls_certificate_verify_peers2( session, &status ); + if( gnutlsret < 0 ) + return VERIFY_CERT_ERROR; + + if( status & GNUTLS_CERT_INVALID ) + verifyret |= VERIFY_CERT_INVALID; + + if( status & GNUTLS_CERT_REVOKED ) + verifyret |= VERIFY_CERT_REVOKED; + + if( status & GNUTLS_CERT_SIGNER_NOT_FOUND ) + verifyret |= VERIFY_CERT_SIGNER_NOT_FOUND; + + if( status & GNUTLS_CERT_SIGNER_NOT_CA ) + verifyret |= VERIFY_CERT_SIGNER_NOT_CA; + + if( status & GNUTLS_CERT_INSECURE_ALGORITHM ) + verifyret |= VERIFY_CERT_INSECURE_ALGORITHM; + + if( status & GNUTLS_CERT_NOT_ACTIVATED ) + verifyret |= VERIFY_CERT_NOT_ACTIVATED; + + if( status & GNUTLS_CERT_EXPIRED ) + verifyret |= VERIFY_CERT_EXPIRED; + + /* The following check is already performed inside + * gnutls_certificate_verify_peers2, so we don't need it. 
+ + * if( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 ) + * return GNUTLS_E_CERTIFICATE_ERROR; + */ + + if( gnutls_x509_crt_init( &cert ) < 0 ) + return VERIFY_CERT_ERROR; + + cert_list = gnutls_certificate_get_peers( session, &cert_list_size ); + if( cert_list == NULL || gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER ) < 0 ) + return VERIFY_CERT_ERROR; + + if( !gnutls_x509_crt_check_hostname( cert, hostname ) ) + { + verifyret |= VERIFY_CERT_INVALID; + verifyret |= VERIFY_CERT_WRONG_HOSTNAME; + } + + gnutls_x509_crt_deinit( cert ); + + return verifyret; +} + static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond ) { struct scd *conn = data; if( source == -1 ) { - conn->func( conn->data, NULL, cond ); + conn->func( conn->data, 0, NULL, cond ); g_free( conn ); return FALSE; } @@ -135,7 +208,15 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con ssl_init(); gnutls_certificate_allocate_credentials( &conn->xcred ); + if( conn->verify && global.conf->cafile ) + { + gnutls_certificate_set_x509_trust_file( conn->xcred, global.conf->cafile, GNUTLS_X509_FMT_PEM ); + gnutls_certificate_set_verify_flags( conn->xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT ); + } + gnutls_init( &conn->session, GNUTLS_CLIENT ); + if( conn->verify ) + gnutls_session_set_ptr( conn->session, (void *) conn->hostname ); #if GNUTLS_VERSION_NUMBER < 0x020c00 gnutls_transport_set_lowat( conn->session, 0 ); #endif @@ -151,7 +232,7 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con static gboolean ssl_handshake( gpointer data, gint source, b_input_condition cond ) { struct scd *conn = data; - int st; + int st, stver; if( ( st = gnutls_handshake( conn->session ) ) < 0 ) { 
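Review bot: verify_certificate_callback() leaks `cert` when the peer list is empty or the import fails, because that branch returns after `gnutls_x509_crt_init()` has succeeded without calling `gnutls_x509_crt_deinit()`. The branch should become `{ gnutls_x509_crt_deinit( cert ); return VERIFY_CERT_ERROR; }`. The value read back with `gnutls_session_get_ptr()` is also passed to `gnutls_x509_crt_check_hostname()` unchecked, so a caller that supplied a NULL hostname should be rejected with `VERIFY_CERT_ERROR` before that call. The function has no comment describing its return value; one line saying it returns 0 for a trusted certificate and a `VERIFY_CERT_*` bitmask otherwise would help the reader of ssl_handshake().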
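Review bot: The result of `gnutls_certificate_set_x509_trust_file()` in ssl_connected() is ignored, so an unreadable or empty CA file only shows up later as a signer-not-found failure on every connection. The call returns the number of certificates it processed or a negative error, so testing for `<= 0` lets the connection fail with a clear cause instead. `GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT` accepts version 1 certificates from the trust file as CAs and deserves a one-line comment saying why that relaxation is wanted. The `global.conf->cafile` test in this condition repeats the one already folded into `conn->verify` by ssl_starttls().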
@@ -162,7 +243,7 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con } else { - conn->func( conn->data, NULL, cond ); + conn->func( conn->data, 0, NULL, cond ); gnutls_deinit( conn->session ); gnutls_certificate_free_credentials( conn->xcred ); @@ -173,11 +254,24 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con } else { - /* For now we can't handle non-blocking perfectly everywhere... */ - sock_make_blocking( conn->fd ); + if( conn->verify && ( stver = verify_certificate_callback( conn->session ) ) != 0 ) + { + conn->func( conn->data, stver, NULL, cond ); + + gnutls_deinit( conn->session ); + gnutls_certificate_free_credentials( conn->xcred ); + closesocket( conn->fd ); + + g_free( conn ); + } + else + { + /* For now we can't handle non-blocking perfectly everywhere... */ + sock_make_blocking( conn->fd ); - conn->established = TRUE; - conn->func( conn->data, conn, cond ); + conn->established = TRUE; + conn->func( conn->data, 0, conn, cond ); + } } return FALSE; diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c index ec524ca6..4dfa063d 100644 --- a/lib/ssl_nss.c +++ b/lib/ssl_nss.c @@ -51,6 +51,7 @@ struct scd int fd; PRFileDesc *prfd; gboolean established; + gboolean verify; }; static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond ); @@ -131,13 +132,14 @@ static gboolean ssl_starttls_real( gpointer data, gint source, b_input_condition return ssl_connected( conn, conn->fd, B_EV_IO_WRITE ); } -void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) +void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) { struct scd *conn = g_new0( struct scd, 1 ); conn->fd = fd; conn->func = func; conn->data = data; + conn->verify = verify; /* This function should be called via a (short) timeout instead of directly from here, because these SSL calls are *supposed* to be 
@@ -157,6 +159,18 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con { struct scd *conn = data; + /* Right now we don't have any verification functionality for nss so we + fail in case verification has been requested by the user. */ + + if( conn->verify ) + { + conn->func( conn->data, NSS_VERIFY_ERROR, NULL, cond ); + if( source >= 0 ) closesocket( source ); + g_free( conn ); + + return FALSE; + } + if( source == -1 ) goto ssl_connected_failure; @@ -176,12 +190,12 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con conn->established = TRUE; - conn->func( conn->data, conn, cond ); + conn->func( conn->data, 0, conn, cond ); return FALSE; ssl_connected_failure: - conn->func( conn->data, NULL, cond ); + conn->func( conn->data, 0, NULL, cond ); PR_Close( conn -> prfd ); if( source >= 0 ) closesocket( source ); diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c index 5f64042d..7c7f725e 100644 --- a/lib/ssl_openssl.c +++ b/lib/ssl_openssl.c @@ -44,6 +44,7 @@ struct scd gpointer data; int fd; gboolean established; + gboolean verify; int inpa; int lasterr; /* Necessary for SSL_get_error */ @@ -81,7 +82,7 @@ void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data return conn; } -void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) +void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) { struct scd *conn = g_new0( struct scd, 1 ); @@ -89,6 +90,7 @@ void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) conn->func = func; conn->data = data; conn->inpa = -1; + conn->verify = verify; /* This function should be called via a (short) timeout instead of directly from here, because these SSL calls are *supposed* to be 
@@ -116,6 +118,18 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con struct scd *conn = data; SSL_METHOD *meth; + /* Right now we don't have any verification functionality for openssl so we + fail in case verification has been requested by the user. */ + + if( conn->verify ) + { + conn->func( conn->data, OPENSSL_VERIFY_ERROR, NULL, cond ); + if( source >= 0 ) closesocket( source ); + g_free( conn ); + + return FALSE; + } + if( source == -1 ) goto ssl_connected_failure; @@ -140,7 +154,7 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con return ssl_handshake( data, source, cond ); ssl_connected_failure: - conn->func( conn->data, NULL, cond ); + conn->func( conn->data, 0, NULL, cond ); if( conn->ssl ) { @@ -168,7 +182,7 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con conn->lasterr = SSL_get_error( conn->ssl, st ); if( conn->lasterr != SSL_ERROR_WANT_READ && conn->lasterr != SSL_ERROR_WANT_WRITE ) { - conn->func( conn->data, NULL, cond ); + conn->func( conn->data, 0, NULL, cond ); SSL_shutdown( conn->ssl ); SSL_free( conn->ssl ); @@ -186,7 +200,7 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con conn->established = TRUE; sock_make_blocking( conn->fd ); /* For now... */ - conn->func( conn->data, conn, cond ); + conn->func( conn->data, 0, conn, cond ); return FALSE; } diff --git a/protocols/jabber/io.c b/protocols/jabber/io.c index a28eea90..9e55e3f9 100644 --- a/protocols/jabber/io.c +++ b/protocols/jabber/io.c @@ -275,7 +275,7 @@ gboolean jabber_connected_plain( gpointer data, gint source, b_input_condition c return jabber_start_stream( ic ); } -gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond ) +gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_input_condition cond ) { struct im_connection *ic = data; struct jabber_data *jd; 
@@ -292,6 +292,43 @@ gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition co jd->ssl = NULL; imcb_error( ic, "Could not connect to server" ); + if (returncode == OPENSSL_VERIFY_ERROR ) + { + imcb_error( ic, "This BitlBee server is built agains the OpenSSL library." ); + imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." ); + imc_logout( ic, FALSE ); + } + else if (returncode == NSS_VERIFY_ERROR ) + { + imcb_error( ic, "This BitlBee server is built agains the NSS library." ); + imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." ); + imc_logout( ic, FALSE ); + } + else if (returncode == VERIFY_CERT_ERROR ) + { + imcb_error( ic, "An error occured during the certificate verification." ); + imc_logout( ic, FALSE ); + } + else if (returncode & VERIFY_CERT_INVALID) + { + imcb_error( ic, "Unable to verify peer's certificate." ); + if (returncode & VERIFY_CERT_REVOKED) + imcb_error( ic, "The certificate has been revoked." ); + if (returncode & VERIFY_CERT_SIGNER_NOT_FOUND) + imcb_error( ic, "The certificate hasn't got a known issuer." ); + if (returncode & VERIFY_CERT_SIGNER_NOT_CA) + imcb_error( ic, "The certificate's issuer is not a CA." ); + if (returncode & VERIFY_CERT_INSECURE_ALGORITHM) + imcb_error( ic, "The certificate uses an insecure algorithm." ); + if (returncode & VERIFY_CERT_NOT_ACTIVATED) + imcb_error( ic, "The certificate has not been activated." ); + if (returncode & VERIFY_CERT_EXPIRED) + imcb_error( ic, "The certificate has expired." ); + if (returncode & VERIFY_CERT_WRONG_HOSTNAME) + imcb_error( ic, "The hostname specified in the certificate doesn't match the server name." ); + imc_logout( ic, FALSE ); + } + else imc_logout( ic, TRUE ); return FALSE; } 
@@ -396,7 +433,7 @@ static xt_status jabber_pkt_proceed_tls( struct xt_node *node, gpointer data ) { struct im_connection *ic = data; struct jabber_data *jd = ic->proto_data; - char *xmlns; + char *xmlns, *tlsname; xmlns = xt_find_attr( node, "xmlns" ); @@ -422,7 +459,17 @@ static xt_status jabber_pkt_proceed_tls( struct xt_node *node, gpointer data ) imcb_log( ic, "Converting stream to TLS" ); jd->flags |= JFLAG_STARTTLS_DONE; - jd->ssl = ssl_starttls( jd->fd, jabber_connected_ssl, ic ); + + /* If the user specified a server for the account, use this server as the + * hostname in the certificate verification. Else we use the domain from + * the username. */ + if( ic->acc->server && *ic->acc->server ) + tlsname = ic->acc->server; + else + tlsname = jd->server; + + jd->ssl = ssl_starttls( jd->fd, tlsname, set_getbool( &ic->acc->set, "tls_verify" ), + jabber_connected_ssl, ic ); return XT_HANDLED; } diff --git a/protocols/jabber/jabber.c b/protocols/jabber/jabber.c index 7d9547ab..dd2f0866 100644 --- a/protocols/jabber/jabber.c +++ b/protocols/jabber/jabber.c @@ -81,6 +81,9 @@ static void jabber_init( account_t *acc ) s = set_add( &acc->set, "tls", "try", set_eval_tls, acc ); s->flags |= ACC_SET_OFFLINE_ONLY; + s = set_add( &acc->set, "tls_verify", "true", set_eval_bool, acc ); + s->flags |= ACC_SET_OFFLINE_ONLY; + s = set_add( &acc->set, "sasl", "true", set_eval_bool, acc ); s->flags |= ACC_SET_OFFLINE_ONLY | SET_HIDDEN_DEFAULT; diff --git a/protocols/jabber/jabber.h b/protocols/jabber/jabber.h index adf9a291..5996c301 100644 --- a/protocols/jabber/jabber.h +++ b/protocols/jabber/jabber.h 
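Review bot: The name checked against the certificate in jabber_pkt_proceed_tls() is the connect-host override `ic->acc->server` whenever one is set, not the domain of the account's JID. XMPP's TLS rules (RFC 6120) match the certificate against the JID domain, and the override is only a hint about where to open the socket; with this choice a certificate valid for the override host is accepted even though it says nothing about the domain the user is logging in to. Preferring `jd->server`, or keeping the override but stating in the comment that this is a deliberate departure and why, would make the trade-off explicit. The function body starts outside the hunk.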
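Review bot: `tls_verify` defaults to "true" in jabber_init(), but what that default does depends on the TLS backend in ways the setting does not reveal. In this commit the GnuTLS ssl_starttls() silently drops the flag when no `cafile` is configured, while the NSS and OpenSSL ssl_connected() paths refuse every connection that asks for verification. A comment next to the `set_add()` call, or a check at login that reports which of the two applies, would spare users either a false sense of verification or an unexplained login failure.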
@@ -306,7 +306,7 @@ extern const struct jabber_away_state jabber_away_state_list[];
 int jabber_write_packet( struct im_connection *ic, struct xt_node *node );
 int jabber_write( struct im_connection *ic, char *buf, int len );
 gboolean jabber_connected_plain( gpointer data, gint source, b_input_condition cond );
-gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond );
+gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_input_condition cond );
 gboolean jabber_start_stream( struct im_connection *ic );
 void jabber_end_stream( struct im_connection *ic );
diff --git a/protocols/skype/skype.c b/protocols/skype/skype.c
index 5b1a6c30..10f355a6 100644
--- a/protocols/skype/skype.c
+++ b/protocols/skype/skype.c
@@ -1156,7 +1156,7 @@ gboolean skype_start_stream(struct im_connection *ic)
 return st;
 }
-gboolean skype_connected(gpointer data, void *source, b_input_condition cond)
+gboolean skype_connected(gpointer data, int returncode, void *source, b_input_condition cond)
 {
 struct im_connection *ic = data;
 struct skype_data *sd = ic->proto_data;
-- cgit v1.2.3
From 78b840187cc1e2d370dd758e6a73c21e510107b5 Mon Sep 17 00:00:00 2001
From: Wilmer van der Gaast
Date: Mon, 19 Dec 2011 18:22:37 +0100
Subject: Move conversion of status codes to status messages into SSL libs.
---
 lib/ssl_bogus.c | 5 +++++
 lib/ssl_client.h | 4 ++++
 lib/ssl_gnutls.c | 31 +++++++++++++++++++++++++++++++
 lib/ssl_nss.c | 5 +++++
 lib/ssl_openssl.c | 5 +++++
 protocols/jabber/io.c | 43 +++++++++----------------------------------
 6 files changed, 59 insertions(+), 34 deletions(-)
diff --git a/lib/ssl_bogus.c b/lib/ssl_bogus.c
index e2466c19..8dba05f4 100644
--- a/lib/ssl_bogus.c
+++ b/lib/ssl_bogus.c
@@ -69,3 +69,8 @@ int ssl_pending( void *conn )
 {
 return 0;
 }
+
+char *ssl_verify_strerror( int code )
+{
+ return NULL;
+}
diff --git a/lib/ssl_client.h b/lib/ssl_client.h
index 03355297..9ce878a1 100644
--- a/lib/ssl_client.h
+++ b/lib/ssl_client.h
@@ -100,4 +100,8 @@ G_MODULE_EXPORT int ssl_getfd( void *conn ); the same action as the handler that just received the SSL_AGAIN.) */ G_MODULE_EXPORT b_input_condition ssl_getdirection( void *conn ); +/* Converts a verification bitfield passed to ssl_input_function into + a more useful string. Or NULL if it had no useful bits set. */ +G_MODULE_EXPORT char *ssl_verify_strerror( int code ); + G_MODULE_EXPORT size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res); diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c index 41f71f63..3ecc6eee 100644 --- a/lib/ssl_gnutls.c +++ b/lib/ssl_gnutls.c @@ -194,6 +194,37 @@ static int verify_certificate_callback( gnutls_session_t session ) return verifyret; } +char *ssl_verify_strerror( int code ) +{ + GString *ret = g_string_new( "" ); + + if( code & VERIFY_CERT_REVOKED ) + g_string_append( ret, "certificate has been revoked, " ); + if( code & VERIFY_CERT_SIGNER_NOT_FOUND ) + g_string_append( ret, "certificate hasn't got a known issuer, " ); + if( code & VERIFY_CERT_SIGNER_NOT_CA ) + g_string_append( ret, "certificate's issuer is not a CA, " ); + if( code & VERIFY_CERT_INSECURE_ALGORITHM ) + g_string_append( ret, "certificate uses an insecure algorithm, " ); + if( code & VERIFY_CERT_NOT_ACTIVATED ) + g_string_append( ret, "certificate has not been activated, " ); + if( code & VERIFY_CERT_EXPIRED ) + g_string_append( ret, "certificate has expired, " ); + if( code & VERIFY_CERT_WRONG_HOSTNAME ) + g_string_append( ret, "certificate hostname mismatch, " ); + + if( ret->len == 0 ) + { + g_string_free( ret, TRUE ); + return NULL; + } + else + { + g_string_truncate( ret, ret->len - 2 ); + return g_string_free( ret, FALSE ); + } +} + static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond ) { struct scd *conn = data; diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c index 4dfa063d..3f26960c 100644 --- a/lib/ssl_nss.c 
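Review bot: The header comment for `ssl_verify_strerror()` does not say who owns the returned string. The GnuTLS, NSS and OpenSSL implementations in this commit return freshly allocated memory (`g_string_free( ret, FALSE )`, `g_strdup()`) and the Jabber caller frees it, so the declaration should carry something like `/* Returns a newly allocated string the caller must g_free(), or NULL. */`. It is also worth recording there that the GnuTLS version has no text for `VERIFY_CERT_INVALID` or `VERIFY_CERT_ERROR` on their own, so those codes yield NULL and the caller prints "Unknown".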
+++ b/lib/ssl_nss.c @@ -251,3 +251,8 @@ b_input_condition ssl_getdirection( void *conn ) /* Just in case someone calls us, let's return the most likely case: */ return B_EV_IO_READ; } + +char *ssl_verify_strerror( int code ) +{ + return g_strdup( "SSL certificate verification not supported by BitlBee NSS code." ); +} diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c index 7c7f725e..d43c7ab2 100644 --- a/lib/ssl_openssl.c +++ b/lib/ssl_openssl.c @@ -287,6 +287,11 @@ b_input_condition ssl_getdirection( void *conn ) return( ((struct scd*)conn)->lasterr == SSL_ERROR_WANT_WRITE ? B_EV_IO_WRITE : B_EV_IO_READ ); } +char *ssl_verify_strerror( int code ) +{ + return g_strdup( "SSL certificate verification not supported by BitlBee OpenSSL code." ); +} + size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res) { int output_length = 0; diff --git a/protocols/jabber/io.c b/protocols/jabber/io.c index 9e55e3f9..5ff8052c 100644 --- a/protocols/jabber/io.c +++ b/protocols/jabber/io.c 
@@ -291,45 +291,20 @@ gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_in already, set it to NULL here to prevent a double cleanup: */ jd->ssl = NULL; - imcb_error( ic, "Could not connect to server" ); - if (returncode == OPENSSL_VERIFY_ERROR ) - { - imcb_error( ic, "This BitlBee server is built agains the OpenSSL library." ); - imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." ); - imc_logout( ic, FALSE ); - } - else if (returncode == NSS_VERIFY_ERROR ) - { - imcb_error( ic, "This BitlBee server is built agains the NSS library." ); - imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." ); - imc_logout( ic, FALSE ); - } - else if (returncode == VERIFY_CERT_ERROR ) + if( returncode & VERIFY_CERT_INVALID) { - imcb_error( ic, "An error occured during the certificate verification." ); + char *err = ssl_verify_strerror( returncode ); + imcb_error( ic, "Certificate verification problem 0x%x: %s", + returncode, err ? err : "Unknown" ); + g_free( err ); imc_logout( ic, FALSE ); } - else if (returncode & VERIFY_CERT_INVALID) + else { - imcb_error( ic, "Unable to verify peer's certificate." ); - if (returncode & VERIFY_CERT_REVOKED) - imcb_error( ic, "The certificate has been revoked." ); - if (returncode & VERIFY_CERT_SIGNER_NOT_FOUND) - imcb_error( ic, "The certificate hasn't got a known issuer." ); - if (returncode & VERIFY_CERT_SIGNER_NOT_CA) - imcb_error( ic, "The certificate's issuer is not a CA." ); - if (returncode & VERIFY_CERT_INSECURE_ALGORITHM) - imcb_error( ic, "The certificate uses an insecure algorithm." ); - if (returncode & VERIFY_CERT_NOT_ACTIVATED) - imcb_error( ic, "The certificate has not been activated." ); - if (returncode & VERIFY_CERT_EXPIRED) - imcb_error( ic, "The certificate has expired." 
); - if (returncode & VERIFY_CERT_WRONG_HOSTNAME) - imcb_error( ic, "The hostname specified in the certificate doesn't match the server name." ); - imc_logout( ic, FALSE ); + imcb_error( ic, "Could not connect to server" ); + imc_logout( ic, TRUE ); } - else - imc_logout( ic, TRUE ); + return FALSE; } -- cgit v1.2.3 From af5764e30a841b82bcba603fc06366442daa9c0a Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 18:23:28 +0100 Subject: Refuse to start if cafile points at an unreadable file, to avoid silent cert verification failures. --- conf.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/conf.c b/conf.c index 52055c35..3592f769 100644 --- a/conf.c +++ b/conf.c @@ -177,6 +177,14 @@ conf_t *conf_load( int argc, char *argv[] ) if( config_missing ) fprintf( stderr, "Warning: Unable to read configuration file `%s'.\n", global.conf_file ); + if( conf->cafile && access( conf->cafile, R_OK ) != 0 ) + { + /* Let's treat this as a serious problem so people won't think + they're secure when in fact they're not. */ + fprintf( stderr, "Error: Could not read CA file %s: %s\n", conf->cafile, strerror( errno ) ); + return NULL; + } + return conf; } -- cgit v1.2.3 From 25b05b75be1acdd4c96a301839be525809f35a47 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 18:34:06 +0100 Subject: Doc update. --- bitlbee.conf | 20 ++++++++++++++++---- doc/user-guide/commands.xml | 24 +++++++++++++++++++++++- 2 files changed, 39 insertions(+), 5 deletions(-) diff --git a/bitlbee.conf b/bitlbee.conf index c5dafd9f..e0b74f41 100644 --- a/bitlbee.conf +++ b/bitlbee.conf 
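Review bot: The new test `returncode & VERIFY_CERT_INVALID` in jabber_connected_ssl() does not cover `VERIFY_CERT_ERROR`, whose value (2 in ssl_client.h) shares no bit with `VERIFY_CERT_INVALID` (4). A verification that could not be carried out therefore falls into the `else` branch, is reported as "Could not connect to server" and ends in `imc_logout( ic, TRUE )` where the removed code used `FALSE`, which presumably allows an automatic reconnect. The negative `OPENSSL_VERIFY_ERROR` and `NSS_VERIFY_ERROR` sentinels reach the first branch only because their two's-complement form happens to have that bit set, and `0x%x` will print them as large hex values. Testing `returncode != 0` and letting `ssl_verify_strerror()` supply the text would cover all three cases; the function begins outside the hunk.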
@@ -115,9 +115,9 @@ ## ## (Obviously, the username and password are optional) ## -## Proxy = http://john:doe@proxy.localnet.com:8080 -## Proxy = socks4://socksproxy.localnet.com -## Proxy = socks5://socksproxy.localnet.com +# Proxy = http://john:doe@proxy.localnet.com:8080 +# Proxy = socks4://socksproxy.localnet.com +# Proxy = socks5://socksproxy.localnet.com ## Protocols offered by bitlbee ## @@ -125,8 +125,20 @@ ## allows to remove the support of protocol, even if compiled in. If ## nothing is given, there are no restrictions. ## -## Protocols = jabber yahoo +# Protocols = jabber yahoo +## Trusted CAs +## +## Path to a file containing a list of trusted certificate authorities used in +## the verification of server certificates. +## +## Uncomment this and make sure the file actually exists and contains all +## certificate authorities you're willing to accept (default value should +## work on at least Debian/Ubuntu systems with the "ca-certificates" package +## installed). As long as the line is commented out, SSL certificate +## verification is completely disabled. +## +# CAfile = /etc/ssl/certs/ca-certificates.crt [defaults] diff --git a/doc/user-guide/commands.xml b/doc/user-guide/commands.xml index 3a9202dc..eb050c31 100644 --- a/doc/user-guide/commands.xml +++ b/doc/user-guide/commands.xml @@ -1391,7 +1391,11 @@ - Currently only available for Jabber connections. Set this to true if the server accepts SSL connections. + Currently only available for Jabber connections. Set this to true if you want to connect to the server on an SSL-enabled port (usually 5223). + + + + Please note that this method of establishing a secure connection to the server has long been deprecated. You are encouraged to look at the tls setting instead. 
@@ -1484,6 +1488,24 @@ + + true + + + + Currently only available for Jabber connections in combination with the tls setting. Set this to true if you want BitlBee to strictly verify the server's certificate against a list of trusted certificate authorities. + + + + The hostname used in the certificate verification is the value of the server setting if the latter is nonempty and the domain of the username else. If you get a hostname related error when connecting to Google Talk with a username from the gmail.com or googlemail.com domain, please try to empty the server setting. + + + + Please note that no certificate verification is performed when the ssl setting is used, or when the CAfile setting in bitlbee.conf is not set. + + + + ": " -- cgit v1.2.3 From a72dc2bb447e754295f8efc6f44fc6572f0f8511 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 18:57:20 +0100 Subject: Add verify argument to ssl_connect() so HTTPS-based stuff is also secure. (Think of Twitter, but also MSN/Yahoo! authentication.) --- lib/http_client.c | 17 ++++++++++++++--- lib/ssl_bogus.c | 2 +- lib/ssl_client.h | 2 +- lib/ssl_gnutls.c | 4 +++- lib/ssl_nss.c | 2 +- lib/ssl_openssl.c | 2 +- protocols/jabber/jabber.c | 2 +- protocols/skype/skype.c | 2 +- 8 files changed, 23 insertions(+), 10 deletions(-) diff --git a/lib/http_client.c b/lib/http_client.c index 02e5ebbe..514daf80 100644 --- a/lib/http_client.c +++ b/lib/http_client.c @@ -46,7 +46,7 @@ struct http_request *http_dorequest( char *host, int port, int ssl, char *reques if( ssl ) { - req->ssl = ssl_connect( host, port, http_ssl_connected, req ); + req->ssl = ssl_connect( host, port, TRUE, http_ssl_connected, req ); if( req->ssl == NULL ) error = 1; } 
@@ -162,7 +162,8 @@ static gboolean http_connected( gpointer data, int source, b_input_condition con return FALSE; error: - req->status_string = g_strdup( "Error while writing HTTP request" ); + if( req->status_string == NULL ) + req->status_string = g_strdup( "Error while writing HTTP request" ); req->func( req ); http_free( req ); @@ -175,7 +176,17 @@ static gboolean http_ssl_connected( gpointer data, int returncode, void *source, struct http_request *req = data; if( source == NULL ) + { + if( returncode != 0 ) + { + char *err = ssl_verify_strerror( returncode ); + req->status_string = g_strdup_printf( + "Certificate verification problem 0x%x: %s", + returncode, err ? err : "Unknown" ); + g_free( err ); + } return http_connected( data, -1, cond ); + } req->fd = ssl_getfd( source ); @@ -439,7 +450,7 @@ got_reply: if( new_proto == PROTO_HTTPS ) { - req->ssl = ssl_connect( new_host, new_port, http_ssl_connected, req ); + req->ssl = ssl_connect( new_host, new_port, TRUE, http_ssl_connected, req ); if( req->ssl == NULL ) error = 1; } diff --git a/lib/ssl_bogus.c b/lib/ssl_bogus.c index 8dba05f4..e134201d 100644 --- a/lib/ssl_bogus.c +++ b/lib/ssl_bogus.c @@ -31,7 +31,7 @@ void ssl_init( void ) { } -void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ) +void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ) { return( NULL ); } diff --git a/lib/ssl_client.h b/lib/ssl_client.h index 9ce878a1..d8822143 100644 --- a/lib/ssl_client.h +++ b/lib/ssl_client.h 
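Review bot: In http_ssl_connected() the new `req->status_string = g_strdup_printf( ... )` assigns without the `if( req->status_string == NULL )` guard that the same commit adds at the `error:` label in http_connected(), so any string already stored on the request would be leaked. The redirect hunk further down re-runs ssl_connect() with the same `req`, so this callback can presumably fire on a request that has already parsed a reply; whether status_string is cleared before that is not visible here. Calling `g_free( req->status_string );` before the assignment keeps the two paths consistent.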
@@ -63,7 +63,7 @@ G_MODULE_EXPORT void ssl_init( void ); /* Connect to host:port, call the given function when the connection is ready to be used for SSL traffic. This is all done asynchronously, no blocking I/O! (Except for the DNS lookups, for now...) */ -G_MODULE_EXPORT void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ); +G_MODULE_EXPORT void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ); /* Start an SSL session on an existing fd. Useful for STARTTLS functionality, for example in Jabber. */ diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c index 3ecc6eee..b4bc72d5 100644 --- a/lib/ssl_gnutls.c +++ b/lib/ssl_gnutls.c @@ -77,7 +77,7 @@ void ssl_init( void ) atexit( gnutls_global_deinit ); } -void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ) +void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ) { struct scd *conn = g_new0( struct scd, 1 ); @@ -85,6 +85,8 @@ void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data conn->func = func; conn->data = data; conn->inpa = -1; + conn->hostname = g_strdup( host ); + conn->verify = verify && global.conf->cafile; if( conn->fd < 0 ) { diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c index 3f26960c..5b573f9b 100644 --- a/lib/ssl_nss.c +++ b/lib/ssl_nss.c @@ -102,7 +102,7 @@ void ssl_init( void ) initialized = TRUE; } -void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ) +void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ) { struct scd *conn = g_new0( struct scd, 1 ); diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c index d43c7ab2..955c8274 100644 --- a/lib/ssl_openssl.c +++ b/lib/ssl_openssl.c 
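Review bot: `conn->verify = verify && global.conf->cafile;` in the GnuTLS ssl_connect() silently turns a caller's `TRUE` into no verification whenever cafile is unset, and nothing is logged, so http_dorequest()'s `ssl_connect( host, port, TRUE, ... )` gives no guarantee when CAfile is left commented out as in the shipped bitlbee.conf. A one-time warning when `verify` is requested but `global.conf->cafile` is NULL would make the downgrade visible. The added `conn->hostname = g_strdup( host )` also needs a matching `g_free( conn->hostname )` on every path that frees `conn`, including the `conn->fd < 0` branch that follows; those paths are outside this hunk.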
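Review bot: The new `verify` parameter of ssl_connect() in ssl_nss.c is accepted but, going by the diffstat (one changed line in this file, and the same in lib/ssl_openssl.c), never stored or acted on, so on NSS and OpenSSL builds the `TRUE` passed by http_dorequest() has no effect and HTTPS requests stay unverified. Until those backends can verify, the function should say so where callers will read it, for example `/* NOTE: verify is ignored by this backend; the peer is not authenticated. */`, or refuse the connection when `verify` is set. The function body continues outside the hunk.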
@@ -64,7 +64,7 @@ void ssl_init( void ) // SSLeay_add_ssl_algorithms(); } -void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ) +void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ) { struct scd *conn = g_new0( struct scd, 1 ); diff --git a/protocols/jabber/jabber.c b/protocols/jabber/jabber.c index dd2f0866..372d73a9 100644 --- a/protocols/jabber/jabber.c +++ b/protocols/jabber/jabber.c @@ -235,7 +235,7 @@ static void jabber_login( account_t *acc ) non-standard ports... */ if( set_getbool( &acc->set, "ssl" ) ) { - jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), jabber_connected_ssl, ic ); + jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), FALSE, jabber_connected_ssl, ic ); jd->fd = jd->ssl ? ssl_getfd( jd->ssl ) : -1; } else diff --git a/protocols/skype/skype.c b/protocols/skype/skype.c index 10f355a6..760aeb3d 100644 --- a/protocols/skype/skype.c +++ b/protocols/skype/skype.c @@ -1184,7 +1184,7 @@ static void skype_login(account_t *acc) imcb_log(ic, "Connecting"); sd->ssl = ssl_connect(set_getstr(&acc->set, "server"), - set_getint(&acc->set, "port"), skype_connected, ic); + set_getint(&acc->set, "port"), FALSE, skype_connected, ic); sd->fd = sd->ssl ? ssl_getfd(sd->ssl) : -1; sd->username = g_strdup(acc->user); -- cgit v1.2.3 From 9f958f794a1710f17eaae79c64f90f1f66134094 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 19:09:11 +0100 Subject: Pass the SSL errors through another layer of indirection (Passport SOAP code). --- protocols/msn/soap.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/protocols/msn/soap.c b/protocols/msn/soap.c index 7d9f3791..d9804f49 100644 --- a/protocols/msn/soap.c +++ b/protocols/msn/soap.c @@ -59,6 +59,7 @@ struct msn_soap_req_data void *data; struct im_connection *ic; int ttl; + char *error; char *url, *action, *payload; struct http_request *http_req; 
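Review bot: The hard-coded `FALSE` in jabber_login() means accounts using the legacy `ssl` setting never get certificate verification, whatever tls_verify says, and skype_login() in the next hunk does the same. jabber_connected_ssl() already reports a non-zero returncode as a certificate problem, so passing the account's setting looks feasible, e.g. `set_getbool( &acc->set, "tls_verify" )` in place of `FALSE` (assuming that setting is registered for the account, which this hunk does not show). If the opt-out is deliberate, a comment next to the argument saying why would help. jabber_login() starts and ends outside the hunk.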
@@ -157,13 +158,17 @@ static void msn_soap_handle_response( struct http_request *http_req ) xt_free( parser ); } + if( http_req->status_code != 200 ) + soap_req->error = g_strdup( http_req->status_string ); + st = soap_req->handle_response( soap_req ); fail: g_free( soap_req->url ); g_free( soap_req->action ); g_free( soap_req->payload ); - soap_req->url = soap_req->action = soap_req->payload = NULL; + g_free( soap_req->error ); + soap_req->url = soap_req->action = soap_req->payload = soap_req->error = NULL; if( st == MSN_SOAP_RETRY && --soap_req->ttl ) { @@ -252,6 +257,7 @@ static void msn_soap_free( struct msn_soap_req_data *soap_req ) g_free( soap_req->url ); g_free( soap_req->action ); g_free( soap_req->payload ); + g_free( soap_req->error ); g_free( soap_req ); } @@ -409,7 +415,7 @@ static int msn_soap_passport_sso_handle_response( struct msn_soap_req_data *soap if( sd->secret == NULL ) { - msn_auth_got_passport_token( ic, NULL, sd->error ); + msn_auth_got_passport_token( ic, NULL, sd->error ? sd->error : soap_req->error ); return MSN_SOAP_OK; } -- cgit v1.2.3 From 41658da57b611d17030dc7e2c3feb54f99b668ac Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 19:45:53 +0100 Subject: Just check if verification code != 0 instead of checking for one specific bit. Any non-0 failure means a problem. --- protocols/jabber/io.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocols/jabber/io.c b/protocols/jabber/io.c index 5ff8052c..5b9149af 100644 --- a/protocols/jabber/io.c +++ b/protocols/jabber/io.c @@ -291,7 +291,7 @@ gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_in already, set it to NULL here to prevent a double cleanup: */ jd->ssl = NULL; - if( returncode & VERIFY_CERT_INVALID) + if( returncode != 0 ) { char *err = ssl_verify_strerror( returncode ); imcb_error( ic, "Certificate verification problem 0x%x: %s", -- cgit v1.2.3 
From 9ff0c256ae51f2039abc36940618a5d9fe5e6ba7 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 21:46:01 +0100 Subject: Catch condition=G_IO_NVAL from glib's event handler, which should prevent some crashes on unclean shutdowns of connections. --- lib/events_glib.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/events_glib.c b/lib/events_glib.c index 3fafc872..8f53fbbf 100644 --- a/lib/events_glib.c +++ b/lib/events_glib.c @@ -74,6 +74,9 @@ static gboolean gaim_io_invoke(GIOChannel *source, GIOCondition condition, gpoin GaimIOClosure *closure = data; b_input_condition gaim_cond = 0; gboolean st; + + if (condition & G_IO_NVAL) + return FALSE; if (condition & GAIM_READ_COND) gaim_cond |= B_EV_IO_READ; -- cgit v1.2.3 From 6c0fe9ba555df4950445775dfdcbd8cd1870d950 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Tue, 20 Dec 2011 10:57:35 +0100 Subject: Build skyped as arch=all, and don't build it by default. Debian has removed the python-skype package.. :-( --- debian/control | 2 +- debian/rules | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/debian/control b/debian/control index 41fc0366..b7c1b4f4 100644 --- a/debian/control +++ b/debian/control @@ -82,7 +82,7 @@ Description: An IRC to other chat networks gateway (Skype plugin) You need to download and install the Skype client for this to work. Package: skyped -Architecture: any +Architecture: all Depends: ${shlibs:Depends}, ${misc:Depends}, python (>= 2.5), python-gnutls, python-skype (>=0.9.28.7) Recommends: skype Description: Daemon to control Skype remotely diff --git a/debian/rules b/debian/rules index 57d60090..79024825 100755 --- a/debian/rules +++ b/debian/rules 
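Review bot: Returning `FALSE` for `G_IO_NVAL` in gaim_io_invoke() removes the GLib source without ever calling the closure's handler, so the owner of the connection is not told that its fd is invalid and still holds the watch id it got when registering. How ids are tracked is not visible here, but the owner may later try to remove the same id or keep waiting on a dead connection. A comment stating the contract would help, e.g. `/* fd is no longer valid: drop the watch; the owner must not reuse this event id. */`, and it is worth checking whether the handler should be invoked once so the normal cleanup path runs. The function continues outside the hunk.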
@@ -7,10 +7,12 @@ # exercise is over now. # -# Include the bitlbee-libpurple variant and OTR plugin by default +# Include the bitlbee-libpurple variant and OTR plugin by default. +# Don't build skype by default since it depends on deleted/non-free +# packages. Need to at least get python-skype back into Debian. BITLBEE_LIBPURPLE ?= 1 BITLBEE_OTR ?= plugin -BITLBEE_SKYPE ?= plugin +BITLBEE_SKYPE ?= 0 BITLBEE_CONFIGURE_FLAGS ?= DEBUG ?= 0 @@ -71,11 +73,13 @@ install: build $(MAKE) -C debian/build-native install-plugin-otr DESTDIR=`pwd`/debian/bitlbee-plugin-otr $(MAKE) -C debian/build-native install-plugin-skype DESTDIR=`pwd`/debian/skyped +ifneq ($(BITLBEE_SKYPE),0) mkdir -p debian/bitlbee-plugin-skype/usr mv debian/skyped/usr/lib debian/bitlbee-plugin-skype/usr mkdir -p debian/skyped/usr/share/man/man1 mv debian/bitlbee-common/usr/share/man/man1/skyped* debian/skyped/usr/share/man/man1 +endif ifeq ($(BITLBEE_LIBPURPLE),1) $(MAKE) -C debian/build-libpurple install-bin DESTDIR=`pwd`/debian/bitlbee-libpurple -- cgit v1.2.3 From 256164c49f83e85f5c5a04c9b659721b56cd35ec Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Tue, 20 Dec 2011 12:18:30 +0100 Subject: Merging Debian 3.0.3-1.1 changes. --- debian/changelog | 8 ++++++++ debian/control | 12 ++++++------ debian/rules | 6 +++--- 3 files changed, 17 insertions(+), 9 deletions(-) diff --git a/debian/changelog b/debian/changelog index 5702b417..bbc8aec9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -19,6 +19,14 @@ bitlbee (3.0.4-1) unstable; urgency=low -- Wilmer van der Gaast Sun, 11 Dec 2011 16:53:31 +0000 +bitlbee (3.0.3-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Use the standard ${source:Version} and ${binary:Version} substvars instead + of the custom and broken ${bee:Version} (closes: #651612). + + -- Julien Cristau Thu, 15 Dec 2011 20:34:32 +0100 + bitlbee (3.0.3-1) unstable; urgency=low * New upstream release. (Skipped 3.0.2, sorry!) 
diff --git a/debian/control b/debian/control index b7c1b4f4..181feccb 100644 --- a/debian/control +++ b/debian/control @@ -11,7 +11,7 @@ DM-Upload-Allowed: yes Package: bitlbee Architecture: any -Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${bee:Version}) +Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${source:Version}) Conflicts: bitlbee-libpurple Replaces: bitlbee-libpurple Description: An IRC to other chat networks gateway (default version) @@ -21,7 +21,7 @@ Description: An IRC to other chat networks gateway (default version) Package: bitlbee-libpurple Architecture: any -Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${bee:Version}) +Depends: ${misc:Depends}, ${shlibs:Depends}, debianutils (>= 1.16), bitlbee-common (= ${source:Version}) Conflicts: bitlbee Replaces: bitlbee Description: An IRC to other chat networks gateway (using libpurple) @@ -50,7 +50,7 @@ Description: An IRC to other chat networks gateway (common files/docs) Package: bitlbee-dev Architecture: all -Depends: ${misc:Depends}, bitlbee (>= ${bee:Version}), bitlbee (<< ${bee:Version}.1~), bitlbee-common (= ${bee:Version}) +Depends: ${misc:Depends}, bitlbee (>= ${source:Version}), bitlbee (<< ${source:Version}.1~), bitlbee-common (= ${source:Version}) Description: An IRC to other chat networks gateway (dev files) This program can be used as an IRC server which forwards everything you say to people on other chat networks: Jabber (which includes Google Talk 
@@ -60,7 +60,7 @@ Description: An IRC to other chat networks gateway (dev files) Package: bitlbee-plugin-otr Architecture: any -Depends: ${misc:Depends}, ${shlibs:Depends}, bitlbee (>= ${bee:Version}) | bitlbee-libpurple (>= ${bee:Version}), bitlbee (<< ${bee:Version}.1~) | bitlbee-libpurple (<< ${bee:Version}.1~), bitlbee-common (= ${bee:Version}) +Depends: ${misc:Depends}, ${shlibs:Depends}, bitlbee (= ${binary:Version}) | bitlbee-libpurple (= ${binary:Version}), bitlbee-common (= ${source:Version}) Description: An IRC to other chat networks gateway (OTR plugin) This program can be used as an IRC server which forwards everything you say to people on other chat networks: Jabber (which includes Google Talk @@ -71,7 +71,7 @@ Description: An IRC to other chat networks gateway (OTR plugin) Package: bitlbee-plugin-skype Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, bitlbee (>= ${bee:Version}) | bitlbee-libpurple (>= ${bee:Version}), bitlbee (<< ${bee:Version}.1~) | bitlbee-libpurple (<< ${bee:Version}.1~) +Depends: ${misc:Depends}, ${shlibs:Depends}, bitlbee (= ${binary:Version}) | bitlbee-libpurple (= ${binary:Version}), bitlbee-common (= ${source:Version}) Recommends: skyped Description: An IRC to other chat networks gateway (Skype plugin) This program can be used as an IRC server which forwards everything you @@ -83,7 +83,7 @@ Description: An IRC to other chat networks gateway (Skype plugin) Package: skyped Architecture: all -Depends: ${shlibs:Depends}, ${misc:Depends}, python (>= 2.5), python-gnutls, python-skype (>=0.9.28.7) +Depends: ${misc:Depends}, ${shlibs:Depends}, python (>= 2.5), python-gnutls, python-skype (>=0.9.28.7) Recommends: skype Description: Daemon to control Skype remotely Daemon to control the GUI Skype client. Currently required to control Skype diff --git a/debian/rules b/debian/rules index 79024825..8b90640c 100755 --- a/debian/rules +++ b/debian/rules 
@@ -18,7 +18,7 @@ DEBUG ?= 0 ifndef BITLBEE_VERSION # Want to use the full package version number instead of just the release. -BITLBEE_CONFIGURE_VERSION ?= BITLBEE_VERSION=\"$(shell dpkg-parsechangelog | grep ^Version: | awk '{print $$2}')\" +BITLBEE_CONFIGURE_VERSION ?= BITLBEE_VERSION=\"$(shell dpkg-parsechangelog | awk '/^Version:/ {print $$2}')\" endif ifneq ($(BITLBEE_LIBPURPLE),1) @@ -110,9 +110,9 @@ binary-common: dh_installdeb dh_shlibdeps ifdef BITLBEE_VERSION - dh_gencontrol -- -v$(BITLBEE_VERSION) -Vbee:Version=$(BITLBEE_VERSION) + dh_gencontrol -- -v$(BITLBEE_VERSION) else - dh_gencontrol -- -Vbee:Version=$(shell dpkg-parsechangelog | grep ^Version: | awk '{print $$2}' | sed -e 's/+b[0-9]\+$$//') + dh_gencontrol endif dh_md5sums dh_builddeb -- cgit v1.2.3 From f1c870a20c1c8a1173fe6244952518f015fc1346 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Tue, 20 Dec 2011 13:01:08 +0100 Subject: Second attempt at a 3.0.4-1 upload. --- debian/changelog | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/debian/changelog b/debian/changelog index bbc8aec9..2588c768 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,23 +1,25 @@ -bitlbee (3.0.4-1) unstable; urgency=low +bitlbee (3.0.4+bzr855-1) unstable; urgency=low * New upstream release. + * This is not a vanilla 3.0.4 tree but a Bazaar snapshot. The source + release was a few weeks ago by now. There should be no significant + differences. * Added bitlbee-plugin-skype and skyped packages, now part of BitlBee - instead of a separate package. - * Fixed dependencies of bitlbee-plugin-otr package to not break with - binary MTUs. (Closes: #651612) + instead of a separate package. Not building these for Debian for now + though since python-skype was removed. * ^B and some other things are stripped in outgoing XMPP stanzas. (Closes: #507856) * OTR module linking fix. Not with the fix from the Debian bug but with one from bugs.bitlbee.org. I hope that covers it. (Closes: #646369) * Closing a few old bugs that were filed against the Debian package - instead of upstream: + instead of/as well as upstream: - Joining password-protected MUCs is working for a while already, set the password using "chan set". (Closes: #615624) - "Headline:" msgs (Closes: #605459) - Yahoo! was fixed long ago and Etch is deprecated. (Closes: #476529) - identi.ca support is documented. (Closes: #613789) - -- Wilmer van der Gaast Sun, 11 Dec 2011 16:53:31 +0000 + -- Wilmer van der Gaast Tue, 20 Dec 2011 12:46:42 +0100 bitlbee (3.0.3-1.1) unstable; urgency=low -- cgit v1.2.3 From ad46e4d3ed1997e6b3f718a7a8be9a37eb63388d Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Thu, 22 Dec 2011 12:23:18 +0100 Subject: Use initgroups() as well when dropping privileges. Closes bug #852. --- protocols/jabber/io.c | 3 +++ protocols/jabber/jabber.c | 32 +++++++++++++++++++++++++++++++- protocols/jabber/jabber.h | 2 ++ unix.c | 6 ++++++ 4 files changed, 42 insertions(+), 1 deletion(-) diff --git a/protocols/jabber/io.c b/protocols/jabber/io.c index a28eea90..d3383375 100644 --- a/protocols/jabber/io.c +++ b/protocols/jabber/io.c 
@@ -172,6 +172,9 @@ static gboolean jabber_read_callback( gpointer data, gint fd, b_input_condition if( st > 0 ) { + if( jd->flags & JFLAG_MOCK ) + return TRUE; + /* Parse. */ if( xt_feed( jd->xt, buf, st ) < 0 ) { diff --git a/protocols/jabber/jabber.c b/protocols/jabber/jabber.c index 7d9547ab..fae55ffe 100644 --- a/protocols/jabber/jabber.c +++ b/protocols/jabber/jabber.c @@ -335,6 +335,25 @@ static int jabber_buddy_msg( struct im_connection *ic, char *who, char *message, if( g_strcasecmp( who, JABBER_XMLCONSOLE_HANDLE ) == 0 ) return jabber_write( ic, message, strlen( message ) ); + + if( g_strcasecmp( who, JABBER_MOCK_HANDLE ) == 0 ) + { + /* Parse. */ + if( xt_feed( jd->xt, message, strlen( message ) ) < 0 ) + { + imcb_error( ic, "XML stream error" ); + imc_logout( ic, TRUE ); + return FALSE; + } + + /* Execute all handlers. */ + if( !xt_handle( jd->xt, NULL, 1 ) ) + { + /* Don't do anything, the handlers should have + aborted the connection already. */ + return FALSE; + } + } if( ( s = strchr( who, '=' ) ) && jabber_chat_by_jid( ic, s + 1 ) ) bud = jabber_buddy_by_ext_jid( ic, who, 0 ); @@ -425,7 +444,13 @@ static void jabber_add_buddy( struct im_connection *ic, char *who, char *group ) if( g_strcasecmp( who, JABBER_XMLCONSOLE_HANDLE ) == 0 ) { jd->flags |= JFLAG_XMLCONSOLE; - imcb_add_buddy( ic, JABBER_XMLCONSOLE_HANDLE, NULL ); + imcb_add_buddy( ic, who, NULL ); + return; + } + else if( g_strcasecmp( who, JABBER_MOCK_HANDLE ) == 0 ) + { + jd->flags |= JFLAG_MOCK; + imcb_add_buddy( ic, who, NULL ); return; } @@ -447,6 +472,11 @@ static void jabber_remove_buddy( struct im_connection *ic, char *who, char *grou */ return; } + else if( g_strcasecmp( who, JABBER_MOCK_HANDLE ) == 0 ) + { + jd->flags &= ~JFLAG_MOCK; + return; + } /* We should always do this part. Clean up our administration a little bit. */ jabber_buddy_remove_bare( ic, who ); diff --git a/protocols/jabber/jabber.h b/protocols/jabber/jabber.h index adf9a291..364d561c 100644 
--- a/protocols/jabber/jabber.h +++ b/protocols/jabber/jabber.h @@ -46,6 +46,7 @@ typedef enum activates all XEP-85 related code. */ JFLAG_XMLCONSOLE = 64, /* If the user added an xmlconsole buddy. */ JFLAG_STARTTLS_DONE = 128, /* If a plaintext session was converted to TLS. */ + JFLAG_MOCK = 256, /* If the user added a mock buddy. */ } jabber_flags_t; typedef enum @@ -187,6 +188,7 @@ struct jabber_transfer }; #define JABBER_XMLCONSOLE_HANDLE "xmlconsole" +#define JABBER_MOCK_HANDLE "mock" /* Prefixes to use for packet IDs (mainly for IQ packets ATM). Usually the first one should be used, but when storing a packet in the cache, a diff --git a/unix.c b/unix.c index 07215c07..2ad2edfc 100644 --- a/unix.c +++ b/unix.c @@ -40,6 +40,7 @@ #include #include #include +#include #if defined(OTR_BI) || defined(OTR_PI) #include "otr.h" @@ -151,9 +152,14 @@ int main( int argc, char *argv[] ) pw = getpwnam( global.conf->user ); if( pw ) { + initgroups( global.conf->user, pw->pw_gid ); setgid( pw->pw_gid ); setuid( pw->pw_uid ); } + else + { + log_message( LOGLVL_WARNING, "Failed to look up user %s.", global.conf->user ); + } } /* Catch some signals to tell the user what's happening before quitting */ -- cgit v1.2.3 From d6ddff0d4dae3d93de21fc37ca2e4df6d0cc3fab Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Thu, 22 Dec 2011 17:10:27 +0100 Subject: bitlbee (3.0.4-2) unstable; urgency=low * Not a real Debian release, but just resetting the version number to get sane version numbers for the nightly builds. --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index 2588c768..70cb9418 100644 --- a/debian/changelog +++ b/debian/changelog 
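Review bot: The privilege drop in main() ignores the return values of `initgroups()`, `setgid()` and `setuid()`, and the new else branch only logs a warning when `getpwnam()` fails, so in each of these cases the daemon keeps running with the privileges it was started with. Dropping privileges should fail closed: check each call and exit if any of them fails or the user cannot be found. The condition that guards this block and the rest of main() are outside the hunk.

```c
pw = getpwnam( global.conf->user );
if( pw == NULL )
{
	log_message( LOGLVL_ERROR, "Failed to look up user %s.", global.conf->user );
	return( 1 );
}
/* Supplementary groups and gid must be changed while still privileged,
   so setuid() comes last. Any failure here is fatal. */
if( initgroups( global.conf->user, pw->pw_gid ) != 0 ||
    setgid( pw->pw_gid ) != 0 ||
    setuid( pw->pw_uid ) != 0 )
{
	log_message( LOGLVL_ERROR, "Failed to drop privileges to user %s.", global.conf->user );
	return( 1 );
}
/* … unchanged: signal handler setup … */
```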
@@ -1,3 +1,10 @@ +bitlbee (3.0.4-2) unstable; urgency=low + + * Not a real Debian release, but just resetting the version number to + get sane version numbers for the nightly builds. + + -- Wilmer van der Gaast Thu, 22 Dec 2011 17:09:15 +0100 + bitlbee (3.0.4+bzr855-1) unstable; urgency=low * New upstream release. -- cgit v1.2.3 From 2d93a51e15ac2d6daaac0d6ac1e2c41e33486c53 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Fri, 23 Dec 2011 09:47:02 +0100 Subject: Removing the version number override hack broken by a recent NMU. Instead, I'll try to solve this problem on just the buildbot using "dch". --- debian/changelog | 9 +++++---- debian/rules | 4 ---- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/debian/changelog b/debian/changelog index 70cb9418..590d7b90 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,10 @@ -bitlbee (3.0.4-2) unstable; urgency=low +bitlbee (3.0.4+z-2) UNRELEASED; urgency=low - * Not a real Debian release, but just resetting the version number to - get sane version numbers for the nightly builds. + * Removed some version override stuff from Debian build scripts. Instead, + my buildbot now uses dch to generate a changelog entry with the right + version number. - -- Wilmer van der Gaast Thu, 22 Dec 2011 17:09:15 +0100 + -- Wilmer van der Gaast Fri, 23 Dec 2011 09:45:55 +0100 bitlbee (3.0.4+bzr855-1) unstable; urgency=low diff --git a/debian/rules b/debian/rules index 8b90640c..2c9e3a12 100755 --- a/debian/rules +++ b/debian/rules @@ -109,11 +109,7 @@ binary-common: dh_fixperms dh_installdeb dh_shlibdeps -ifdef BITLBEE_VERSION - dh_gencontrol -- -v$(BITLBEE_VERSION) -else dh_gencontrol -endif dh_md5sums dh_builddeb -- cgit v1.2.3 From 200e151edbbcbb164e7fe2a01a28a0c1c9108972 Mon Sep 17 00:00:00 2001 
From: Wilmer van der Gaast Date: Fri, 23 Dec 2011 23:40:17 +0100 Subject: tls_verify correction: Don't fail cert verification in non-GnuTLS modules unless "cafile" setting is enabled. --- lib/ssl_client.h | 2 -- lib/ssl_nss.c | 7 +++---- lib/ssl_openssl.c | 7 +++---- 3 files changed, 6 insertions(+), 10 deletions(-) diff --git a/lib/ssl_client.h b/lib/ssl_client.h index d8822143..206fe9cb 100644 --- a/lib/ssl_client.h +++ b/lib/ssl_client.h @@ -36,8 +36,6 @@ /* Some generic error codes. Especially SSL_AGAIN is important if you want to do asynchronous I/O. */ -#define NSS_VERIFY_ERROR -2 -#define OPENSSL_VERIFY_ERROR -1 #define SSL_OK 0 #define SSL_NOHANDSHAKE 1 #define SSL_AGAIN 2 diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c index 5b573f9b..d50620d5 100644 --- a/lib/ssl_nss.c +++ b/lib/ssl_nss.c @@ -139,7 +139,7 @@ void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function conn->fd = fd; conn->func = func; conn->data = data; - conn->verify = verify; + conn->verify = verify && global.conf->cafile; /* This function should be called via a (short) timeout instead of directly from here, because these SSL calls are *supposed* to be @@ -159,12 +159,11 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con { struct scd *conn = data; - /* Right now we don't have any verification functionality for nss so we - fail in case verification has been requested by the user. */ + /* Right now we don't have any verification functionality for NSS. */ if( conn->verify ) { - conn->func( conn->data, NSS_VERIFY_ERROR, NULL, cond ); + conn->func( conn->data, 1, NULL, cond ); if( source >= 0 ) closesocket( source ); g_free( conn ); diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c index 955c8274..5c38d0e9 100644 --- a/lib/ssl_openssl.c +++ b/lib/ssl_openssl.c 
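Review bot: `conn->func( conn->data, 1, NULL, cond )` in the NSS ssl_connected() replaces the named NSS_VERIFY_ERROR with a bare `1` in a parameter that jabber_connected_ssl() treats as a verification bitmask and prints through ssl_verify_strerror(), so the user gets whatever text that value maps to rather than a statement that this backend cannot verify certificates. The ssl_connected() hunk in lib/ssl_openssl.c makes the same change. A named code shared by both backends, chosen to fit the existing VERIFY_CERT_* flags, would keep the meaning. Separately, `conn->verify = verify && global.conf->cafile;` in ssl_starttls() makes a requested verification disappear silently when cafile is unset, which deserves a logged warning.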
@@ -90,7 +90,7 @@ void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function conn->func = func; conn->data = data; conn->inpa = -1; - conn->verify = verify; + conn->verify = verify && global.conf->cafile; /* This function should be called via a (short) timeout instead of directly from here, because these SSL calls are *supposed* to be @@ -118,12 +118,11 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con struct scd *conn = data; SSL_METHOD *meth; - /* Right now we don't have any verification functionality for openssl so we - fail in case verification has been requested by the user. */ + /* Right now we don't have any verification functionality for OpenSSL. */ if( conn->verify ) { - conn->func( conn->data, OPENSSL_VERIFY_ERROR, NULL, cond ); + conn->func( conn->data, 1, NULL, cond ); if( source >= 0 ) closesocket( source ); g_free( conn ); -- cgit v1.2.3 From 5513f3e56a45d4a227bfc7d01210fdded516458c Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Sat, 24 Dec 2011 15:52:35 +0100 Subject: Fix compatibility with old GnuTLS versions, but with a warning. See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417 for details. --- configure | 4 ++++ lib/ssl_gnutls.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/configure b/configure index 8fd61af5..2f1b5046 100755 --- a/configure +++ b/configure @@ -282,6 +282,10 @@ EFLAGS+=`$PKG_CONFIG --libs gnutls` `libgcrypt-config --libs` CFLAGS+=`$PKG_CONFIG --cflags gnutls` `libgcrypt-config --cflags` EOF ssl=gnutls + if ! pkg-config gnutls --atleast-version=2.8; then + echo + echo 'Warning: With GnuTLS versions <2.8, certificate expire dates are not verified.' + fi ret=1 elif libgnutls-config --version > /dev/null 2> /dev/null; then cat <>Makefile.settings diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c index b4bc72d5..f5e0ad47 100644 --- a/lib/ssl_gnutls.c +++ b/lib/ssl_gnutls.c 
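Review bot: The new version test calls `pkg-config` directly while the surrounding lines use `$PKG_CONFIG`, so a build that points PKG_CONFIG at a cross or non-default tool checks a different GnuTLS than the one it links; it should read `if ! $PKG_CONFIG gnutls --atleast-version=2.8; then`. The `libgnutls-config` branch that follows gets no equivalent check, so old installs found that way are not warned. Since the missing expiry check weakens verification, the warning should be hard to overlook rather than a single line in the middle of the configure output.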
@@ -165,11 +165,15 @@ static int verify_certificate_callback( gnutls_session_t session ) if( status & GNUTLS_CERT_INSECURE_ALGORITHM ) verifyret |= VERIFY_CERT_INSECURE_ALGORITHM; +#ifdef GNUTLS_CERT_NOT_ACTIVATED + /* Amusingly, the GnuTLS function used above didn't check for expiry + until GnuTLS 2.8 or so. (See CVE-2009-1417) */ if( status & GNUTLS_CERT_NOT_ACTIVATED ) verifyret |= VERIFY_CERT_NOT_ACTIVATED; if( status & GNUTLS_CERT_EXPIRED ) verifyret |= VERIFY_CERT_EXPIRED; +#endif /* The following check is already performed inside * gnutls_certificate_verify_peers2, so we don't need it. -- cgit v1.2.3 From 96f954df218e81f5580257c319b91217dac2f4bf Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Sat, 24 Dec 2011 18:49:12 +0100 Subject: Removing unfinished debugging stuff accidentally committed in changeset:devel,856. --- protocols/jabber/io.c | 3 --- protocols/jabber/jabber.c | 32 +------------------------------- protocols/jabber/jabber.h | 2 -- 3 files changed, 1 insertion(+), 36 deletions(-) diff --git a/protocols/jabber/io.c b/protocols/jabber/io.c index 385c45c4..5b9149af 100644 --- a/protocols/jabber/io.c +++ b/protocols/jabber/io.c @@ -172,9 +172,6 @@ static gboolean jabber_read_callback( gpointer data, gint fd, b_input_condition if( st > 0 ) { - if( jd->flags & JFLAG_MOCK ) - return TRUE; - /* Parse. */ if( xt_feed( jd->xt, buf, st ) < 0 ) { diff --git a/protocols/jabber/jabber.c b/protocols/jabber/jabber.c index 2856f1b6..372d73a9 100644 --- a/protocols/jabber/jabber.c +++ b/protocols/jabber/jabber.c 
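Review bot: `#ifdef GNUTLS_CERT_NOT_ACTIVATED` in verify_certificate_callback() only works if GnuTLS defines that name as a preprocessor macro; in the GnuTLS headers I know it is an enum constant of the certificate status type, in which case the `#ifdef` is false on every version and both the NOT_ACTIVATED and EXPIRED mappings are compiled out. Please confirm against the headers; if so, gate the block on a macro that configure defines from its `--atleast-version=2.8` test instead. The comment should also state the consequence on old versions, e.g. `/* Without these flags, certificate validity dates are not checked (GnuTLS < 2.8). */`, matching the configure warning. The function continues outside the hunk.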
@@ -338,25 +338,6 @@ static int jabber_buddy_msg( struct im_connection *ic, char *who, char *message, if( g_strcasecmp( who, JABBER_XMLCONSOLE_HANDLE ) == 0 ) return jabber_write( ic, message, strlen( message ) ); - - if( g_strcasecmp( who, JABBER_MOCK_HANDLE ) == 0 ) - { - /* Parse. */ - if( xt_feed( jd->xt, message, strlen( message ) ) < 0 ) - { - imcb_error( ic, "XML stream error" ); - imc_logout( ic, TRUE ); - return FALSE; - } - - /* Execute all handlers. */ - if( !xt_handle( jd->xt, NULL, 1 ) ) - { - /* Don't do anything, the handlers should have - aborted the connection already. */ - return FALSE; - } - } if( ( s = strchr( who, '=' ) ) && jabber_chat_by_jid( ic, s + 1 ) ) bud = jabber_buddy_by_ext_jid( ic, who, 0 ); @@ -447,13 +428,7 @@ static void jabber_add_buddy( struct im_connection *ic, char *who, char *group ) if( g_strcasecmp( who, JABBER_XMLCONSOLE_HANDLE ) == 0 ) { jd->flags |= JFLAG_XMLCONSOLE; - imcb_add_buddy( ic, who, NULL ); - return; - } - else if( g_strcasecmp( who, JABBER_MOCK_HANDLE ) == 0 ) - { - jd->flags |= JFLAG_MOCK; - imcb_add_buddy( ic, who, NULL ); + imcb_add_buddy( ic, JABBER_XMLCONSOLE_HANDLE, NULL ); return; } @@ -475,11 +450,6 @@ static void jabber_remove_buddy( struct im_connection *ic, char *who, char *grou */ return; } - else if( g_strcasecmp( who, JABBER_MOCK_HANDLE ) == 0 ) - { - jd->flags &= ~JFLAG_MOCK; - return; - } /* We should always do this part. Clean up our administration a little bit. */ jabber_buddy_remove_bare( ic, who ); diff --git a/protocols/jabber/jabber.h b/protocols/jabber/jabber.h index aa552558..5996c301 100644 --- a/protocols/jabber/jabber.h +++ b/protocols/jabber/jabber.h @@ -46,7 +46,6 @@ typedef enum activates all XEP-85 related code. */ JFLAG_XMLCONSOLE = 64, /* If the user added an xmlconsole buddy. */ JFLAG_STARTTLS_DONE = 128, /* If a plaintext session was converted to TLS. */ - JFLAG_MOCK = 256, /* If the user added a mock buddy. */ } jabber_flags_t; typedef enum 
@@ -188,7 +187,6 @@ struct jabber_transfer }; #define JABBER_XMLCONSOLE_HANDLE "xmlconsole" -#define JABBER_MOCK_HANDLE "mock" /* Prefixes to use for packet IDs (mainly for IQ packets ATM). Usually the first one should be used, but when storing a packet in the cache, a -- cgit v1.2.3