From 486ddb53b93b6677dc3feeb4afaad2ea93a71a81 Mon Sep 17 00:00:00 2001
From: Wilmer van der Gaast <wilmer@gaast.net>
Date: Mon, 19 Dec 2011 15:50:58 +0100
Subject: Initial merge of tls_verify patch from AopicieR.

---
 protocols/jabber/io.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 50 insertions(+), 3 deletions(-)

(limited to 'protocols/jabber/io.c')

diff --git a/protocols/jabber/io.c b/protocols/jabber/io.c
index a28eea90..9e55e3f9 100644
--- a/protocols/jabber/io.c
+++ b/protocols/jabber/io.c
@@ -275,7 +275,7 @@ gboolean jabber_connected_plain( gpointer data, gint source, b_input_condition c
 	return jabber_start_stream( ic );
 }
 
-gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond )
+gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_input_condition cond )
 {
 	struct im_connection *ic = data;
 	struct jabber_data *jd;
@@ -292,6 +292,43 @@ gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition co
 		jd->ssl = NULL;
 		
 		imcb_error( ic, "Could not connect to server" );
+		if (returncode ==  OPENSSL_VERIFY_ERROR )
+		{
+			imcb_error( ic, "This BitlBee server is built agains the OpenSSL library." );
+			imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." );
+			imc_logout( ic, FALSE );
+		}
+		else if (returncode ==  NSS_VERIFY_ERROR )
+		{
+			imcb_error( ic, "This BitlBee server is built agains the NSS library." );
+			imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." );
+			imc_logout( ic, FALSE );
+		}
+		else if (returncode == VERIFY_CERT_ERROR )
+		{
+			imcb_error( ic, "An error occured during the certificate verification." );
+			imc_logout( ic, FALSE );
+		}
+		else if (returncode  & VERIFY_CERT_INVALID)
+		{
+			imcb_error( ic, "Unable to verify peer's certificate." );
+			if (returncode & VERIFY_CERT_REVOKED)
+				imcb_error( ic, "The certificate has been revoked." );
+			if (returncode & VERIFY_CERT_SIGNER_NOT_FOUND)
+				imcb_error( ic, "The certificate hasn't got a known issuer." );
+			if (returncode & VERIFY_CERT_SIGNER_NOT_CA)
+				imcb_error( ic, "The certificate's issuer is not a CA." );
+			if (returncode & VERIFY_CERT_INSECURE_ALGORITHM)
+				imcb_error( ic, "The certificate uses an insecure algorithm." );
+			if (returncode & VERIFY_CERT_NOT_ACTIVATED)
+				imcb_error( ic, "The certificate has not been activated." );
+			if (returncode & VERIFY_CERT_EXPIRED)
+				imcb_error( ic, "The certificate has expired." );
+			if (returncode & VERIFY_CERT_WRONG_HOSTNAME)
+				imcb_error( ic, "The hostname specified in the certificate doesn't match the server name." );
+			imc_logout( ic, FALSE );
+		}
+		else
 		imc_logout( ic, TRUE );
 		return FALSE;
 	}
@@ -396,7 +433,7 @@ static xt_status jabber_pkt_proceed_tls( struct xt_node *node, gpointer data )
 {
 	struct im_connection *ic = data;
 	struct jabber_data *jd = ic->proto_data;
-	char *xmlns;
+	char *xmlns, *tlsname;
 	
 	xmlns = xt_find_attr( node, "xmlns" );
 	
@@ -422,7 +459,17 @@ static xt_status jabber_pkt_proceed_tls( struct xt_node *node, gpointer data )
 	imcb_log( ic, "Converting stream to TLS" );
 	
 	jd->flags |= JFLAG_STARTTLS_DONE;
-	jd->ssl = ssl_starttls( jd->fd, jabber_connected_ssl, ic );
+
+	/* If the user specified a server for the account, use this server as the 
+	 * hostname in the certificate verification. Else we use the domain from 
+	 * the username. */
+	if( ic->acc->server && *ic->acc->server )
+		tlsname = ic->acc->server;
+	else
+		tlsname = jd->server;
+	
+	jd->ssl = ssl_starttls( jd->fd, tlsname, set_getbool( &ic->acc->set, "tls_verify" ),
+	                        jabber_connected_ssl, ic );
 	
 	return XT_HANDLED;
 }
-- 
cgit v1.2.3


From 78b840187cc1e2d370dd758e6a73c21e510107b5 Mon Sep 17 00:00:00 2001
From: Wilmer van der Gaast <wilmer@gaast.net>
Date: Mon, 19 Dec 2011 18:22:37 +0100
Subject: Move conversion of status codes to status messages into SSL libs.

---
 protocols/jabber/io.c | 43 +++++++++----------------------------------
 1 file changed, 9 insertions(+), 34 deletions(-)

(limited to 'protocols/jabber/io.c')

diff --git a/protocols/jabber/io.c b/protocols/jabber/io.c
index 9e55e3f9..5ff8052c 100644
--- a/protocols/jabber/io.c
+++ b/protocols/jabber/io.c
@@ -291,45 +291,20 @@ gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_in
 		   already, set it to NULL here to prevent a double cleanup: */
 		jd->ssl = NULL;
 		
-		imcb_error( ic, "Could not connect to server" );
-		if (returncode ==  OPENSSL_VERIFY_ERROR )
-		{
-			imcb_error( ic, "This BitlBee server is built agains the OpenSSL library." );
-			imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." );
-			imc_logout( ic, FALSE );
-		}
-		else if (returncode ==  NSS_VERIFY_ERROR )
-		{
-			imcb_error( ic, "This BitlBee server is built agains the NSS library." );
-			imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." );
-			imc_logout( ic, FALSE );
-		}
-		else if (returncode == VERIFY_CERT_ERROR )
+		if( returncode & VERIFY_CERT_INVALID)
 		{
-			imcb_error( ic, "An error occured during the certificate verification." );
+			char *err = ssl_verify_strerror( returncode );
+			imcb_error( ic, "Certificate verification problem 0x%x: %s",
+			            returncode, err ? err : "Unknown" );
+			g_free( err );
 			imc_logout( ic, FALSE );
 		}
-		else if (returncode  & VERIFY_CERT_INVALID)
+		else
 		{
-			imcb_error( ic, "Unable to verify peer's certificate." );
-			if (returncode & VERIFY_CERT_REVOKED)
-				imcb_error( ic, "The certificate has been revoked." );
-			if (returncode & VERIFY_CERT_SIGNER_NOT_FOUND)
-				imcb_error( ic, "The certificate hasn't got a known issuer." );
-			if (returncode & VERIFY_CERT_SIGNER_NOT_CA)
-				imcb_error( ic, "The certificate's issuer is not a CA." );
-			if (returncode & VERIFY_CERT_INSECURE_ALGORITHM)
-				imcb_error( ic, "The certificate uses an insecure algorithm." );
-			if (returncode & VERIFY_CERT_NOT_ACTIVATED)
-				imcb_error( ic, "The certificate has not been activated." );
-			if (returncode & VERIFY_CERT_EXPIRED)
-				imcb_error( ic, "The certificate has expired." );
-			if (returncode & VERIFY_CERT_WRONG_HOSTNAME)
-				imcb_error( ic, "The hostname specified in the certificate doesn't match the server name." );
-			imc_logout( ic, FALSE );
+			imcb_error( ic, "Could not connect to server" );
+			imc_logout( ic, TRUE );
 		}
-		else
-		imc_logout( ic, TRUE );
+		
 		return FALSE;
 	}
 	
-- 
cgit v1.2.3


From 41658da57b611d17030dc7e2c3feb54f99b668ac Mon Sep 17 00:00:00 2001
From: Wilmer van der Gaast <wilmer@gaast.net>
Date: Mon, 19 Dec 2011 19:45:53 +0100
Subject: Just check if verification code != 0 instead of checking for one
 specific bit. Any non-0 failure means a problem.

---
 protocols/jabber/io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'protocols/jabber/io.c')

diff --git a/protocols/jabber/io.c b/protocols/jabber/io.c
index 5ff8052c..5b9149af 100644
--- a/protocols/jabber/io.c
+++ b/protocols/jabber/io.c
@@ -291,7 +291,7 @@ gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_in
 		   already, set it to NULL here to prevent a double cleanup: */
 		jd->ssl = NULL;
 		
-		if( returncode & VERIFY_CERT_INVALID)
+		if( returncode != 0 )
 		{
 			char *err = ssl_verify_strerror( returncode );
 			imcb_error( ic, "Certificate verification problem 0x%x: %s",
-- 
cgit v1.2.3


From ad46e4d3ed1997e6b3f718a7a8be9a37eb63388d Mon Sep 17 00:00:00 2001
From: Wilmer van der Gaast <wilmer@gaast.net>
Date: Thu, 22 Dec 2011 12:23:18 +0100
Subject: Use initgroups() as well when dropping privileges. Closes bug #852.

---
 protocols/jabber/io.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'protocols/jabber/io.c')

diff --git a/protocols/jabber/io.c b/protocols/jabber/io.c
index a28eea90..d3383375 100644
--- a/protocols/jabber/io.c
+++ b/protocols/jabber/io.c
@@ -172,6 +172,9 @@ static gboolean jabber_read_callback( gpointer data, gint fd, b_input_condition
 	
 	if( st > 0 )
 	{
+		if( jd->flags & JFLAG_MOCK )
+			return TRUE;
+		
 		/* Parse. */
 		if( xt_feed( jd->xt, buf, st ) < 0 )
 		{
-- 
cgit v1.2.3


From 96f954df218e81f5580257c319b91217dac2f4bf Mon Sep 17 00:00:00 2001
From: Wilmer van der Gaast <wilmer@gaast.net>
Date: Sat, 24 Dec 2011 18:49:12 +0100
Subject: Removing unfinished debugging stuff accidentally committed in
 changeset:devel,856.

---
 protocols/jabber/io.c | 3 ---
 1 file changed, 3 deletions(-)

(limited to 'protocols/jabber/io.c')

diff --git a/protocols/jabber/io.c b/protocols/jabber/io.c
index 385c45c4..5b9149af 100644
--- a/protocols/jabber/io.c
+++ b/protocols/jabber/io.c
@@ -172,9 +172,6 @@ static gboolean jabber_read_callback( gpointer data, gint fd, b_input_condition
 	
 	if( st > 0 )
 	{
-		if( jd->flags & JFLAG_MOCK )
-			return TRUE;
-		
 		/* Parse. */
 		if( xt_feed( jd->xt, buf, st ) < 0 )
 		{
-- 
cgit v1.2.3