From 486ddb53b93b6677dc3feeb4afaad2ea93a71a81 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 15:50:58 +0100 Subject: Initial merge of tls_verify patch from AopicieR. --- lib/http_client.c | 5 ++- lib/ssl_bogus.c | 2 +- lib/ssl_client.h | 15 +++++++- lib/ssl_gnutls.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++---- lib/ssl_nss.c | 20 ++++++++-- lib/ssl_openssl.c | 22 +++++++++-- 6 files changed, 154 insertions(+), 20 deletions(-) (limited to 'lib') diff --git a/lib/http_client.c b/lib/http_client.c index 9d986412..02e5ebbe 100644 --- a/lib/http_client.c +++ b/lib/http_client.c @@ -32,7 +32,7 @@ static gboolean http_connected( gpointer data, int source, b_input_condition cond ); -static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond ); +static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond ); static gboolean http_incoming_data( gpointer data, int source, b_input_condition cond ); static void http_free( struct http_request *req ); @@ -169,8 +169,9 @@ error: return FALSE; } -static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond ) +static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond ) { + //The returncode is not used at the moment. struct http_request *req = data; if( source == NULL ) diff --git a/lib/ssl_bogus.c b/lib/ssl_bogus.c index f4ce5d4d..e2466c19 100644 --- a/lib/ssl_bogus.c +++ b/lib/ssl_bogus.c @@ -55,7 +55,7 @@ int ssl_getfd( void *conn ) return( -1 ); } -void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) +void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) { return NULL; } diff --git a/lib/ssl_client.h b/lib/ssl_client.h index 091335c5..03355297 100644 --- a/lib/ssl_client.h +++ b/lib/ssl_client.h @@ -36,14 +36,25 @@ /* Some generic error codes. Especially SSL_AGAIN is important if you want to do asynchronous I/O. */ +#define NSS_VERIFY_ERROR -2 +#define OPENSSL_VERIFY_ERROR -1 #define SSL_OK 0 #define SSL_NOHANDSHAKE 1 #define SSL_AGAIN 2 +#define VERIFY_CERT_ERROR 2 +#define VERIFY_CERT_INVALID 4 +#define VERIFY_CERT_REVOKED 8 +#define VERIFY_CERT_SIGNER_NOT_FOUND 16 +#define VERIFY_CERT_SIGNER_NOT_CA 32 +#define VERIFY_CERT_INSECURE_ALGORITHM 64 +#define VERIFY_CERT_NOT_ACTIVATED 128 +#define VERIFY_CERT_EXPIRED 256 +#define VERIFY_CERT_WRONG_HOSTNAME 512 extern int ssl_errno; /* This is what your callback function should look like. */ -typedef gboolean (*ssl_input_function)(gpointer, void*, b_input_condition); +typedef gboolean (*ssl_input_function)(gpointer, int, void*, b_input_condition); /* Perform any global initialization the SSL library might need. */ @@ -56,7 +67,7 @@ G_MODULE_EXPORT void *ssl_connect( char *host, int port, ssl_input_function func /* Start an SSL session on an existing fd. Useful for STARTTLS functionality, for example in Jabber. */ -G_MODULE_EXPORT void *ssl_starttls( int fd, ssl_input_function func, gpointer data ); +G_MODULE_EXPORT void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ); /* Obviously you need special read/write functions to read data. */ G_MODULE_EXPORT int ssl_read( void *conn, char *buf, int len ); diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c index ccab8aca..41f71f63 100644 --- a/lib/ssl_gnutls.c +++ b/lib/ssl_gnutls.c @@ -24,6 +24,7 @@ */ #include +#include #include #include #include @@ -31,6 +32,7 @@ #include "ssl_client.h" #include "sock.h" #include "stdlib.h" +#include "bitlbee.h" int ssl_errno = 0; @@ -53,6 +55,8 @@ struct scd int fd; gboolean established; int inpa; + char *hostname; + gboolean verify; gnutls_session session; gnutls_certificate_credentials xcred; @@ -91,7 +95,7 @@ void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data return conn; } -void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) +void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) { struct scd *conn = g_new0( struct scd, 1 ); @@ -99,6 +103,13 @@ void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) conn->func = func; conn->data = data; conn->inpa = -1; + conn->hostname = hostname; + + /* For now, SSL verification is globally enabled by setting the cafile + setting in bitlbee.conf. Commented out by default because probably + not everyone has this file in the same place and plenty of folks + may not have the cert of their private Jabber server in it. */ + conn->verify = verify && global.conf->cafile; /* This function should be called via a (short) timeout instead of directly from here, because these SSL calls are *supposed* to be @@ -121,13 +132,75 @@ static gboolean ssl_starttls_real( gpointer data, gint source, b_input_condition return ssl_connected( conn, conn->fd, B_EV_IO_WRITE ); } +static int verify_certificate_callback( gnutls_session_t session ) +{ + unsigned int status; + const gnutls_datum_t *cert_list; + unsigned int cert_list_size; + int gnutlsret; + int verifyret = 0; + gnutls_x509_crt_t cert; + const char *hostname; + + hostname = gnutls_session_get_ptr(session ); + + gnutlsret = gnutls_certificate_verify_peers2( session, &status ); + if( gnutlsret < 0 ) + return VERIFY_CERT_ERROR; + + if( status & GNUTLS_CERT_INVALID ) + verifyret |= VERIFY_CERT_INVALID; + + if( status & GNUTLS_CERT_REVOKED ) + verifyret |= VERIFY_CERT_REVOKED; + + if( status & GNUTLS_CERT_SIGNER_NOT_FOUND ) + verifyret |= VERIFY_CERT_SIGNER_NOT_FOUND; + + if( status & GNUTLS_CERT_SIGNER_NOT_CA ) + verifyret |= VERIFY_CERT_SIGNER_NOT_CA; + + if( status & GNUTLS_CERT_INSECURE_ALGORITHM ) + verifyret |= VERIFY_CERT_INSECURE_ALGORITHM; + + if( status & GNUTLS_CERT_NOT_ACTIVATED ) + verifyret |= VERIFY_CERT_NOT_ACTIVATED; + + if( status & GNUTLS_CERT_EXPIRED ) + verifyret |= VERIFY_CERT_EXPIRED; + + /* The following check is already performed inside + * gnutls_certificate_verify_peers2, so we don't need it. + + * if( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 ) + * return GNUTLS_E_CERTIFICATE_ERROR; + */ + + if( gnutls_x509_crt_init( &cert ) < 0 ) + return VERIFY_CERT_ERROR; + + cert_list = gnutls_certificate_get_peers( session, &cert_list_size ); + if( cert_list == NULL || gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER ) < 0 ) + return VERIFY_CERT_ERROR; + + if( !gnutls_x509_crt_check_hostname( cert, hostname ) ) + { + verifyret |= VERIFY_CERT_INVALID; + verifyret |= VERIFY_CERT_WRONG_HOSTNAME; + } + + gnutls_x509_crt_deinit( cert ); + + return verifyret; +} + static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond ) { struct scd *conn = data; if( source == -1 ) { - conn->func( conn->data, NULL, cond ); + conn->func( conn->data, 0, NULL, cond ); g_free( conn ); return FALSE; } @@ -135,7 +208,15 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con ssl_init(); gnutls_certificate_allocate_credentials( &conn->xcred ); + if( conn->verify && global.conf->cafile ) + { + gnutls_certificate_set_x509_trust_file( conn->xcred, global.conf->cafile, GNUTLS_X509_FMT_PEM ); + gnutls_certificate_set_verify_flags( conn->xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT ); + } + gnutls_init( &conn->session, GNUTLS_CLIENT ); + if( conn->verify ) + gnutls_session_set_ptr( conn->session, (void *) conn->hostname ); #if GNUTLS_VERSION_NUMBER < 0x020c00 gnutls_transport_set_lowat( conn->session, 0 ); #endif @@ -151,7 +232,7 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con static gboolean ssl_handshake( gpointer data, gint source, b_input_condition cond ) { struct scd *conn = data; - int st; + int st, stver; if( ( st = gnutls_handshake( conn->session ) ) < 0 ) { @@ -162,7 +243,7 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con } else { - conn->func( conn->data, NULL, cond ); + conn->func( conn->data, 0, NULL, cond ); gnutls_deinit( conn->session ); gnutls_certificate_free_credentials( conn->xcred ); @@ -173,11 +254,24 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con } else { - /* For now we can't handle non-blocking perfectly everywhere... */ - sock_make_blocking( conn->fd ); + if( conn->verify && ( stver = verify_certificate_callback( conn->session ) ) != 0 ) + { + conn->func( conn->data, stver, NULL, cond ); + + gnutls_deinit( conn->session ); + gnutls_certificate_free_credentials( conn->xcred ); + closesocket( conn->fd ); + + g_free( conn ); + } + else + { + /* For now we can't handle non-blocking perfectly everywhere... */ + sock_make_blocking( conn->fd ); - conn->established = TRUE; - conn->func( conn->data, conn, cond ); + conn->established = TRUE; + conn->func( conn->data, 0, conn, cond ); + } } return FALSE; diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c index ec524ca6..4dfa063d 100644 --- a/lib/ssl_nss.c +++ b/lib/ssl_nss.c @@ -51,6 +51,7 @@ struct scd int fd; PRFileDesc *prfd; gboolean established; + gboolean verify; }; static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond ); @@ -131,13 +132,14 @@ static gboolean ssl_starttls_real( gpointer data, gint source, b_input_condition return ssl_connected( conn, conn->fd, B_EV_IO_WRITE ); } -void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) +void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) { struct scd *conn = g_new0( struct scd, 1 ); conn->fd = fd; conn->func = func; conn->data = data; + conn->verify = verify; /* This function should be called via a (short) timeout instead of directly from here, because these SSL calls are *supposed* to be @@ -157,6 +159,18 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con { struct scd *conn = data; + /* Right now we don't have any verification functionality for nss so we + fail in case verification has been requested by the user. */ + + if( conn->verify ) + { + conn->func( conn->data, NSS_VERIFY_ERROR, NULL, cond ); + if( source >= 0 ) closesocket( source ); + g_free( conn ); + + return FALSE; + } + if( source == -1 ) goto ssl_connected_failure; @@ -176,12 +190,12 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con conn->established = TRUE; - conn->func( conn->data, conn, cond ); + conn->func( conn->data, 0, conn, cond ); return FALSE; ssl_connected_failure: - conn->func( conn->data, NULL, cond ); + conn->func( conn->data, 0, NULL, cond ); PR_Close( conn -> prfd ); if( source >= 0 ) closesocket( source ); diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c index 5f64042d..7c7f725e 100644 --- a/lib/ssl_openssl.c +++ b/lib/ssl_openssl.c @@ -44,6 +44,7 @@ struct scd gpointer data; int fd; gboolean established; + gboolean verify; int inpa; int lasterr; /* Necessary for SSL_get_error */ @@ -81,7 +82,7 @@ void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data return conn; } -void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) +void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) { struct scd *conn = g_new0( struct scd, 1 ); @@ -89,6 +90,7 @@ void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) conn->func = func; conn->data = data; conn->inpa = -1; + conn->verify = verify; /* This function should be called via a (short) timeout instead of directly from here, because these SSL calls are *supposed* to be @@ -116,6 +118,18 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con struct scd *conn = data; SSL_METHOD *meth; + /* Right now we don't have any verification functionality for openssl so we + fail in case verification has been requested by the user. */ + + if( conn->verify ) + { + conn->func( conn->data, OPENSSL_VERIFY_ERROR, NULL, cond ); + if( source >= 0 ) closesocket( source ); + g_free( conn ); + + return FALSE; + } + if( source == -1 ) goto ssl_connected_failure; @@ -140,7 +154,7 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con return ssl_handshake( data, source, cond ); ssl_connected_failure: - conn->func( conn->data, NULL, cond ); + conn->func( conn->data, 0, NULL, cond ); if( conn->ssl ) { @@ -168,7 +182,7 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con conn->lasterr = SSL_get_error( conn->ssl, st ); if( conn->lasterr != SSL_ERROR_WANT_READ && conn->lasterr != SSL_ERROR_WANT_WRITE ) { - conn->func( conn->data, NULL, cond ); + conn->func( conn->data, 0, NULL, cond ); SSL_shutdown( conn->ssl ); SSL_free( conn->ssl ); @@ -186,7 +200,7 @@ static gboolean ssl_handshake( gpointer data, gint source, b_input_condition con conn->established = TRUE; sock_make_blocking( conn->fd ); /* For now... */ - conn->func( conn->data, conn, cond ); + conn->func( conn->data, 0, conn, cond ); return FALSE; } -- cgit v1.2.3 From 78b840187cc1e2d370dd758e6a73c21e510107b5 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 18:22:37 +0100 Subject: Move conversion of status codes to status messages into SSL libs. --- lib/ssl_bogus.c | 5 +++++ lib/ssl_client.h | 4 ++++ lib/ssl_gnutls.c | 31 +++++++++++++++++++++++++++++++ lib/ssl_nss.c | 5 +++++ lib/ssl_openssl.c | 5 +++++ 5 files changed, 50 insertions(+) (limited to 'lib') diff --git a/lib/ssl_bogus.c b/lib/ssl_bogus.c index e2466c19..8dba05f4 100644 --- a/lib/ssl_bogus.c +++ b/lib/ssl_bogus.c @@ -69,3 +69,8 @@ int ssl_pending( void *conn ) { return 0; } + +char *ssl_verify_strerror( int code ) +{ + return NULL; +} diff --git a/lib/ssl_client.h b/lib/ssl_client.h index 03355297..9ce878a1 100644 --- a/lib/ssl_client.h +++ b/lib/ssl_client.h @@ -100,4 +100,8 @@ G_MODULE_EXPORT int ssl_getfd( void *conn ); the same action as the handler that just received the SSL_AGAIN.) */ G_MODULE_EXPORT b_input_condition ssl_getdirection( void *conn ); +/* Converts a verification bitfield passed to ssl_input_function into + a more useful string. Or NULL if it had no useful bits set. */ +G_MODULE_EXPORT char *ssl_verify_strerror( int code ); + G_MODULE_EXPORT size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res); diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c index 41f71f63..3ecc6eee 100644 --- a/lib/ssl_gnutls.c +++ b/lib/ssl_gnutls.c @@ -194,6 +194,37 @@ static int verify_certificate_callback( gnutls_session_t session ) return verifyret; } +char *ssl_verify_strerror( int code ) +{ + GString *ret = g_string_new( "" ); + + if( code & VERIFY_CERT_REVOKED ) + g_string_append( ret, "certificate has been revoked, " ); + if( code & VERIFY_CERT_SIGNER_NOT_FOUND ) + g_string_append( ret, "certificate hasn't got a known issuer, " ); + if( code & VERIFY_CERT_SIGNER_NOT_CA ) + g_string_append( ret, "certificate's issuer is not a CA, " ); + if( code & VERIFY_CERT_INSECURE_ALGORITHM ) + g_string_append( ret, "certificate uses an insecure algorithm, " ); + if( code & VERIFY_CERT_NOT_ACTIVATED ) + g_string_append( ret, "certificate has not been activated, " ); + if( code & VERIFY_CERT_EXPIRED ) + g_string_append( ret, "certificate has expired, " ); + if( code & VERIFY_CERT_WRONG_HOSTNAME ) + g_string_append( ret, "certificate hostname mismatch, " ); + + if( ret->len == 0 ) + { + g_string_free( ret, TRUE ); + return NULL; + } + else + { + g_string_truncate( ret, ret->len - 2 ); + return g_string_free( ret, FALSE ); + } +} + static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond ) { struct scd *conn = data; diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c index 4dfa063d..3f26960c 100644 --- a/lib/ssl_nss.c +++ b/lib/ssl_nss.c @@ -251,3 +251,8 @@ b_input_condition ssl_getdirection( void *conn ) /* Just in case someone calls us, let's return the most likely case: */ return B_EV_IO_READ; } + +char *ssl_verify_strerror( int code ) +{ + return g_strdup( "SSL certificate verification not supported by BitlBee NSS code." ); +} diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c index 7c7f725e..d43c7ab2 100644 --- a/lib/ssl_openssl.c +++ b/lib/ssl_openssl.c @@ -287,6 +287,11 @@ b_input_condition ssl_getdirection( void *conn ) return( ((struct scd*)conn)->lasterr == SSL_ERROR_WANT_WRITE ? B_EV_IO_WRITE : B_EV_IO_READ ); } +char *ssl_verify_strerror( int code ) +{ + return g_strdup( "SSL certificate verification not supported by BitlBee OpenSSL code." ); +} + size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res) { int output_length = 0; -- cgit v1.2.3 From a72dc2bb447e754295f8efc6f44fc6572f0f8511 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 18:57:20 +0100 Subject: Add verify argument to ssl_connect() so HTTPS-based stuff is also secure. (Think of Twitter, but also MSN/Yahoo! authentication.) --- lib/http_client.c | 17 ++++++++++++++--- lib/ssl_bogus.c | 2 +- lib/ssl_client.h | 2 +- lib/ssl_gnutls.c | 4 +++- lib/ssl_nss.c | 2 +- lib/ssl_openssl.c | 2 +- 6 files changed, 21 insertions(+), 8 deletions(-) (limited to 'lib') diff --git a/lib/http_client.c b/lib/http_client.c index 02e5ebbe..514daf80 100644 --- a/lib/http_client.c +++ b/lib/http_client.c @@ -46,7 +46,7 @@ struct http_request *http_dorequest( char *host, int port, int ssl, char *reques if( ssl ) { - req->ssl = ssl_connect( host, port, http_ssl_connected, req ); + req->ssl = ssl_connect( host, port, TRUE, http_ssl_connected, req ); if( req->ssl == NULL ) error = 1; } @@ -162,7 +162,8 @@ static gboolean http_connected( gpointer data, int source, b_input_condition con return FALSE; error: - req->status_string = g_strdup( "Error while writing HTTP request" ); + if( req->status_string == NULL ) + req->status_string = g_strdup( "Error while writing HTTP request" ); req->func( req ); http_free( req ); @@ -175,7 +176,17 @@ static gboolean http_ssl_connected( gpointer data, int returncode, void *source, struct http_request *req = data; if( source == NULL ) + { + if( returncode != 0 ) + { + char *err = ssl_verify_strerror( returncode ); + req->status_string = g_strdup_printf( + "Certificate verification problem 0x%x: %s", + returncode, err ? err : "Unknown" ); + g_free( err ); + } return http_connected( data, -1, cond ); + } req->fd = ssl_getfd( source ); @@ -439,7 +450,7 @@ got_reply: if( new_proto == PROTO_HTTPS ) { - req->ssl = ssl_connect( new_host, new_port, http_ssl_connected, req ); + req->ssl = ssl_connect( new_host, new_port, TRUE, http_ssl_connected, req ); if( req->ssl == NULL ) error = 1; } diff --git a/lib/ssl_bogus.c b/lib/ssl_bogus.c index 8dba05f4..e134201d 100644 --- a/lib/ssl_bogus.c +++ b/lib/ssl_bogus.c @@ -31,7 +31,7 @@ void ssl_init( void ) { } -void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ) +void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ) { return( NULL ); } diff --git a/lib/ssl_client.h b/lib/ssl_client.h index 9ce878a1..d8822143 100644 --- a/lib/ssl_client.h +++ b/lib/ssl_client.h @@ -63,7 +63,7 @@ G_MODULE_EXPORT void ssl_init( void ); /* Connect to host:port, call the given function when the connection is ready to be used for SSL traffic. This is all done asynchronously, no blocking I/O! (Except for the DNS lookups, for now...) */ -G_MODULE_EXPORT void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ); +G_MODULE_EXPORT void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ); /* Start an SSL session on an existing fd. Useful for STARTTLS functionality, for example in Jabber. */ diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c index 3ecc6eee..b4bc72d5 100644 --- a/lib/ssl_gnutls.c +++ b/lib/ssl_gnutls.c @@ -77,7 +77,7 @@ void ssl_init( void ) atexit( gnutls_global_deinit ); } -void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ) +void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ) { struct scd *conn = g_new0( struct scd, 1 ); @@ -85,6 +85,8 @@ void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data conn->func = func; conn->data = data; conn->inpa = -1; + conn->hostname = g_strdup( host ); + conn->verify = verify && global.conf->cafile; if( conn->fd < 0 ) { diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c index 3f26960c..5b573f9b 100644 --- a/lib/ssl_nss.c +++ b/lib/ssl_nss.c @@ -102,7 +102,7 @@ void ssl_init( void ) initialized = TRUE; } -void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ) +void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ) { struct scd *conn = g_new0( struct scd, 1 ); diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c index d43c7ab2..955c8274 100644 --- a/lib/ssl_openssl.c +++ b/lib/ssl_openssl.c @@ -64,7 +64,7 @@ void ssl_init( void ) // SSLeay_add_ssl_algorithms(); } -void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ) +void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ) { struct scd *conn = g_new0( struct scd, 1 ); -- cgit v1.2.3 From 9ff0c256ae51f2039abc36940618a5d9fe5e6ba7 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 21:46:01 +0100 Subject: Catch condition=G_IO_NVAL from glib's event handler, which should prevent some crashes on unclean shutdowns of connections. --- lib/events_glib.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lib') diff --git a/lib/events_glib.c b/lib/events_glib.c index 3fafc872..8f53fbbf 100644 --- a/lib/events_glib.c +++ b/lib/events_glib.c @@ -74,6 +74,9 @@ static gboolean gaim_io_invoke(GIOChannel *source, GIOCondition condition, gpoin GaimIOClosure *closure = data; b_input_condition gaim_cond = 0; gboolean st; + + if (condition & G_IO_NVAL) + return FALSE; if (condition & GAIM_READ_COND) gaim_cond |= B_EV_IO_READ; -- cgit v1.2.3 From 200e151edbbcbb164e7fe2a01a28a0c1c9108972 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Fri, 23 Dec 2011 23:40:17 +0100 Subject: tls_verify correction: Don't fail cert verification in non-GnuTLS modules unless "cafile" setting is enabled. --- lib/ssl_client.h | 2 -- lib/ssl_nss.c | 7 +++---- lib/ssl_openssl.c | 7 +++---- 3 files changed, 6 insertions(+), 10 deletions(-) (limited to 'lib') diff --git a/lib/ssl_client.h b/lib/ssl_client.h index d8822143..206fe9cb 100644 --- a/lib/ssl_client.h +++ b/lib/ssl_client.h @@ -36,8 +36,6 @@ /* Some generic error codes. Especially SSL_AGAIN is important if you want to do asynchronous I/O. */ -#define NSS_VERIFY_ERROR -2 -#define OPENSSL_VERIFY_ERROR -1 #define SSL_OK 0 #define SSL_NOHANDSHAKE 1 #define SSL_AGAIN 2 diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c index 5b573f9b..d50620d5 100644 --- a/lib/ssl_nss.c +++ b/lib/ssl_nss.c @@ -139,7 +139,7 @@ void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function conn->fd = fd; conn->func = func; conn->data = data; - conn->verify = verify; + conn->verify = verify && global.conf->cafile; /* This function should be called via a (short) timeout instead of directly from here, because these SSL calls are *supposed* to be @@ -159,12 +159,11 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con { struct scd *conn = data; - /* Right now we don't have any verification functionality for nss so we - fail in case verification has been requested by the user. */ + /* Right now we don't have any verification functionality for NSS. */ if( conn->verify ) { - conn->func( conn->data, NSS_VERIFY_ERROR, NULL, cond ); + conn->func( conn->data, 1, NULL, cond ); if( source >= 0 ) closesocket( source ); g_free( conn ); diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c index 955c8274..5c38d0e9 100644 --- a/lib/ssl_openssl.c +++ b/lib/ssl_openssl.c @@ -90,7 +90,7 @@ void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function conn->func = func; conn->data = data; conn->inpa = -1; - conn->verify = verify; + conn->verify = verify && global.conf->cafile; /* This function should be called via a (short) timeout instead of directly from here, because these SSL calls are *supposed* to be @@ -118,12 +118,11 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con struct scd *conn = data; SSL_METHOD *meth; - /* Right now we don't have any verification functionality for openssl so we - fail in case verification has been requested by the user. */ + /* Right now we don't have any verification functionality for OpenSSL. */ if( conn->verify ) { - conn->func( conn->data, OPENSSL_VERIFY_ERROR, NULL, cond ); + conn->func( conn->data, 1, NULL, cond ); if( source >= 0 ) closesocket( source ); g_free( conn ); -- cgit v1.2.3 From 5513f3e56a45d4a227bfc7d01210fdded516458c Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Sat, 24 Dec 2011 15:52:35 +0100 Subject: Fix compatibility with old GnuTLS versions, but with a warning. See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417 for details. --- lib/ssl_gnutls.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'lib') diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c index b4bc72d5..f5e0ad47 100644 --- a/lib/ssl_gnutls.c +++ b/lib/ssl_gnutls.c @@ -165,11 +165,15 @@ static int verify_certificate_callback( gnutls_session_t session ) if( status & GNUTLS_CERT_INSECURE_ALGORITHM ) verifyret |= VERIFY_CERT_INSECURE_ALGORITHM; +#ifdef GNUTLS_CERT_NOT_ACTIVATED + /* Amusingly, the GnuTLS function used above didn't check for expiry + until GnuTLS 2.8 or so. (See CVE-2009-1417) */ if( status & GNUTLS_CERT_NOT_ACTIVATED ) verifyret |= VERIFY_CERT_NOT_ACTIVATED; if( status & GNUTLS_CERT_EXPIRED ) verifyret |= VERIFY_CERT_EXPIRED; +#endif /* The following check is already performed inside * gnutls_certificate_verify_peers2, so we don't need it. -- cgit v1.2.3