root / libsylph / ssl.c @ 2347
History | View | Annotate | Download (9.2 kB)
| 1 | 528 | hiro | /*
|
|---|---|---|---|
| 2 | 578 | hiro | * LibSylph -- E-Mail client library |
| 3 | 1952 | hiro | * Copyright (C) 1999-2008 Hiroyuki Yamamoto |
| 4 | 528 | hiro | * |
| 5 | 578 | hiro | * This library is free software; you can redistribute it and/or |
| 6 | 578 | hiro | * modify it under the terms of the GNU Lesser General Public |
| 7 | 578 | hiro | * License as published by the Free Software Foundation; either |
| 8 | 578 | hiro | * version 2.1 of the License, or (at your option) any later version. |
| 9 | 528 | hiro | * |
| 10 | 578 | hiro | * This library is distributed in the hope that it will be useful, |
| 11 | 528 | hiro | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 12 | 578 | hiro | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| 13 | 578 | hiro | * Lesser General Public License for more details. |
| 14 | 528 | hiro | * |
| 15 | 578 | hiro | * You should have received a copy of the GNU Lesser General Public |
| 16 | 578 | hiro | * License along with this library; if not, write to the Free Software |
| 17 | 578 | hiro | * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA |
| 18 | 528 | hiro | */ |
| 19 | 528 | hiro | |
| 20 | 528 | hiro | #ifdef HAVE_CONFIG_H
|
| 21 | 528 | hiro | # include "config.h" |
| 22 | 528 | hiro | #endif
|
| 23 | 528 | hiro | |
| 24 | 528 | hiro | #if USE_SSL
|
| 25 | 528 | hiro | |
| 26 | 528 | hiro | #include "defs.h" |
| 27 | 528 | hiro | |
| 28 | 528 | hiro | #include <glib.h> |
| 29 | 528 | hiro | #include <glib/gi18n.h> |
| 30 | 528 | hiro | |
| 31 | 528 | hiro | #include "utils.h" |
| 32 | 528 | hiro | #include "ssl.h" |
| 33 | 528 | hiro | |
| 34 | 1415 | hiro | static SSL_CTX *ssl_ctx_SSLv23 = NULL; |
| 35 | 1415 | hiro | static SSL_CTX *ssl_ctx_TLSv1 = NULL; |
| 36 | 528 | hiro | |
| 37 | 1415 | hiro | static GSList *trust_list = NULL; |
| 38 | 1952 | hiro | static GSList *tmp_trust_list = NULL; |
| 39 | 1415 | hiro | static GSList *reject_list = NULL; |
| 40 | 1415 | hiro | |
| 41 | 1415 | hiro | static SSLVerifyFunc verify_ui_func = NULL; |
| 42 | 1415 | hiro | |
| 43 | 1431 | hiro | static gchar *find_certs_file(const gchar *certs_dir) |
| 44 | 1431 | hiro | {
|
| 45 | 1431 | hiro | gchar *certs_file; |
| 46 | 1431 | hiro | |
| 47 | 1431 | hiro | #define LOOK_FOR(crt) \
|
| 48 | 1431 | hiro | { \
|
| 49 | 1431 | hiro | certs_file = g_strconcat(certs_dir, G_DIR_SEPARATOR_S, crt, NULL); \
|
| 50 | 1431 | hiro | debug_print("looking for %s\n", certs_file); \
|
| 51 | 1431 | hiro | if (is_file_exist(certs_file)) \
|
| 52 | 1431 | hiro | return certs_file; \
|
| 53 | 1431 | hiro | g_free(certs_file); \ |
| 54 | 1431 | hiro | } |
| 55 | 1431 | hiro | |
| 56 | 1431 | hiro | if (certs_dir) {
|
| 57 | 1431 | hiro | LOOK_FOR("ca-certificates.crt");
|
| 58 | 1431 | hiro | LOOK_FOR("ca-bundle.crt");
|
| 59 | 1465 | hiro | LOOK_FOR("ca-root.crt");
|
| 60 | 1431 | hiro | LOOK_FOR("certs.crt");
|
| 61 | 1431 | hiro | } |
| 62 | 1431 | hiro | |
| 63 | 1431 | hiro | #undef LOOK_FOR
|
| 64 | 1431 | hiro | |
| 65 | 1431 | hiro | return NULL; |
| 66 | 1431 | hiro | } |
| 67 | 1431 | hiro | |
| 68 | 528 | hiro | void ssl_init(void) |
| 69 | 528 | hiro | {
|
| 70 | 1952 | hiro | gchar *certs_file, *certs_dir; |
| 71 | 1952 | hiro | FILE *fp; |
| 72 | 528 | hiro | |
| 73 | 528 | hiro | SSL_library_init(); |
| 74 | 528 | hiro | SSL_load_error_strings(); |
| 75 | 528 | hiro | |
| 76 | 528 | hiro | certs_dir = g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S, "certs", NULL); |
| 77 | 528 | hiro | if (!is_dir_exist(certs_dir)) {
|
| 78 | 1417 | hiro | debug_print("ssl_init(): %s doesn't exist, or not a directory.\n",
|
| 79 | 528 | hiro | certs_dir); |
| 80 | 528 | hiro | g_free(certs_dir); |
| 81 | 1417 | hiro | #ifdef G_OS_WIN32
|
| 82 | 1417 | hiro | certs_dir = g_strconcat(get_startup_dir(), G_DIR_SEPARATOR_S |
| 83 | 1417 | hiro | "etc" G_DIR_SEPARATOR_S
|
| 84 | 1417 | hiro | "ssl" G_DIR_SEPARATOR_S "certs", NULL); |
| 85 | 1417 | hiro | #else
|
| 86 | 1417 | hiro | certs_dir = g_strdup("/etc/ssl/certs");
|
| 87 | 1417 | hiro | #endif
|
| 88 | 1417 | hiro | if (!is_dir_exist(certs_dir)) {
|
| 89 | 1417 | hiro | debug_print("ssl_init(): %s doesn't exist, or not a directory.\n",
|
| 90 | 1417 | hiro | certs_dir); |
| 91 | 1417 | hiro | g_free(certs_dir); |
| 92 | 1417 | hiro | certs_dir = NULL;
|
| 93 | 1417 | hiro | } |
| 94 | 528 | hiro | } |
| 95 | 1417 | hiro | if (certs_dir)
|
| 96 | 1417 | hiro | debug_print("ssl_init(): certs dir %s found.\n", certs_dir);
|
| 97 | 528 | hiro | |
| 98 | 1431 | hiro | certs_file = find_certs_file(get_rc_dir()); |
| 99 | 1431 | hiro | |
| 100 | 1431 | hiro | if (certs_dir && !certs_file)
|
| 101 | 1431 | hiro | certs_file = find_certs_file(certs_dir); |
| 102 | 1431 | hiro | |
| 103 | 1431 | hiro | if (!certs_file) {
|
| 104 | 1431 | hiro | #ifdef G_OS_WIN32
|
| 105 | 1431 | hiro | certs_dir = g_strconcat(get_startup_dir(), |
| 106 | 1431 | hiro | G_DIR_SEPARATOR_S "etc"
|
| 107 | 1431 | hiro | G_DIR_SEPARATOR_S "ssl", NULL); |
| 108 | 1431 | hiro | certs_file = find_certs_file(certs_dir); |
| 109 | 1431 | hiro | g_free(certs_dir); |
| 110 | 1431 | hiro | certs_dir = NULL;
|
| 111 | 1431 | hiro | if (!certs_file) {
|
| 112 | 1431 | hiro | certs_dir = g_strconcat(get_startup_dir(), |
| 113 | 1431 | hiro | G_DIR_SEPARATOR_S "etc", NULL); |
| 114 | 1431 | hiro | certs_file = find_certs_file(certs_dir); |
| 115 | 1431 | hiro | g_free(certs_dir); |
| 116 | 1431 | hiro | certs_dir = NULL;
|
| 117 | 1431 | hiro | } |
| 118 | 1431 | hiro | #else
|
| 119 | 1431 | hiro | certs_file = find_certs_file("/etc/ssl");
|
| 120 | 1431 | hiro | if (!certs_file)
|
| 121 | 1431 | hiro | certs_file = find_certs_file("/etc");
|
| 122 | 1431 | hiro | #endif
|
| 123 | 1431 | hiro | } |
| 124 | 1431 | hiro | |
| 125 | 1431 | hiro | if (certs_file)
|
| 126 | 1431 | hiro | debug_print("ssl_init(): certs file %s found.\n", certs_file);
|
| 127 | 1431 | hiro | |
| 128 | 528 | hiro | ssl_ctx_SSLv23 = SSL_CTX_new(SSLv23_client_method()); |
| 129 | 528 | hiro | if (ssl_ctx_SSLv23 == NULL) { |
| 130 | 528 | hiro | debug_print(_("SSLv23 not available\n"));
|
| 131 | 528 | hiro | } else {
|
| 132 | 528 | hiro | debug_print(_("SSLv23 available\n"));
|
| 133 | 1432 | hiro | if ((certs_file || certs_dir) &&
|
| 134 | 1431 | hiro | !SSL_CTX_load_verify_locations(ssl_ctx_SSLv23, certs_file, |
| 135 | 528 | hiro | certs_dir)) |
| 136 | 528 | hiro | g_warning("SSLv23 SSL_CTX_load_verify_locations failed.\n");
|
| 137 | 528 | hiro | } |
| 138 | 528 | hiro | |
| 139 | 528 | hiro | ssl_ctx_TLSv1 = SSL_CTX_new(TLSv1_client_method()); |
| 140 | 528 | hiro | if (ssl_ctx_TLSv1 == NULL) { |
| 141 | 528 | hiro | debug_print(_("TLSv1 not available\n"));
|
| 142 | 528 | hiro | } else {
|
| 143 | 528 | hiro | debug_print(_("TLSv1 available\n"));
|
| 144 | 1432 | hiro | if ((certs_file || certs_dir) &&
|
| 145 | 1431 | hiro | !SSL_CTX_load_verify_locations(ssl_ctx_TLSv1, certs_file, |
| 146 | 528 | hiro | certs_dir)) |
| 147 | 528 | hiro | g_warning("TLSv1 SSL_CTX_load_verify_locations failed.\n");
|
| 148 | 528 | hiro | } |
| 149 | 528 | hiro | |
| 150 | 528 | hiro | g_free(certs_dir); |
| 151 | 1952 | hiro | g_free(certs_file); |
| 152 | 1952 | hiro | |
| 153 | 1952 | hiro | certs_file = g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S, "trust.crt",
|
| 154 | 1952 | hiro | NULL);
|
| 155 | 1952 | hiro | if ((fp = g_fopen(certs_file, "rb")) != NULL) { |
| 156 | 1952 | hiro | X509 *cert; |
| 157 | 1952 | hiro | |
| 158 | 1952 | hiro | debug_print("ssl_init(): reading trust.crt\n");
|
| 159 | 1952 | hiro | |
| 160 | 1952 | hiro | while ((cert = PEM_read_X509(fp, NULL, NULL, NULL)) != NULL) |
| 161 | 1952 | hiro | trust_list = g_slist_append(trust_list, cert); |
| 162 | 1952 | hiro | fclose(fp); |
| 163 | 1952 | hiro | } |
| 164 | 1952 | hiro | g_free(certs_file); |
| 165 | 528 | hiro | } |
| 166 | 528 | hiro | |
| 167 | 528 | hiro | void ssl_done(void) |
| 168 | 528 | hiro | {
|
| 169 | 1952 | hiro | gchar *trust_file; |
| 170 | 1415 | hiro | GSList *cur; |
| 171 | 1952 | hiro | FILE *fp; |
| 172 | 1415 | hiro | |
| 173 | 1952 | hiro | if (trust_list) {
|
| 174 | 1952 | hiro | trust_file = g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S, |
| 175 | 1952 | hiro | "trust.crt", NULL); |
| 176 | 1952 | hiro | if ((fp = g_fopen(trust_file, "wb")) == NULL) { |
| 177 | 1952 | hiro | FILE_OP_ERROR(trust_file, "fopen");
|
| 178 | 1952 | hiro | } |
| 179 | 1952 | hiro | for (cur = trust_list; cur != NULL; cur = cur->next) { |
| 180 | 1952 | hiro | if (fp && !PEM_write_X509(fp, (X509 *)cur->data))
|
| 181 | 1952 | hiro | g_warning("can't write X509 to PEM file: %s",
|
| 182 | 1952 | hiro | trust_file); |
| 183 | 1952 | hiro | X509_free((X509 *)cur->data); |
| 184 | 1952 | hiro | } |
| 185 | 1952 | hiro | fclose(fp); |
| 186 | 1952 | hiro | g_free(trust_file); |
| 187 | 1952 | hiro | g_slist_free(trust_list); |
| 188 | 1952 | hiro | trust_list = NULL;
|
| 189 | 1952 | hiro | } |
| 190 | 1952 | hiro | for (cur = tmp_trust_list; cur != NULL; cur = cur->next) |
| 191 | 1415 | hiro | X509_free((X509 *)cur->data); |
| 192 | 1952 | hiro | g_slist_free(tmp_trust_list); |
| 193 | 1952 | hiro | tmp_trust_list = NULL;
|
| 194 | 1415 | hiro | for (cur = reject_list; cur != NULL; cur = cur->next) |
| 195 | 1415 | hiro | X509_free((X509 *)cur->data); |
| 196 | 1415 | hiro | g_slist_free(reject_list); |
| 197 | 1415 | hiro | reject_list = NULL;
|
| 198 | 1415 | hiro | |
| 199 | 528 | hiro | if (ssl_ctx_SSLv23) {
|
| 200 | 528 | hiro | SSL_CTX_free(ssl_ctx_SSLv23); |
| 201 | 1415 | hiro | ssl_ctx_SSLv23 = NULL;
|
| 202 | 528 | hiro | } |
| 203 | 528 | hiro | |
| 204 | 528 | hiro | if (ssl_ctx_TLSv1) {
|
| 205 | 528 | hiro | SSL_CTX_free(ssl_ctx_TLSv1); |
| 206 | 1415 | hiro | ssl_ctx_TLSv1 = NULL;
|
| 207 | 528 | hiro | } |
| 208 | 528 | hiro | } |
| 209 | 528 | hiro | |
| 210 | 528 | hiro | gboolean ssl_init_socket(SockInfo *sockinfo) |
| 211 | 528 | hiro | {
|
| 212 | 528 | hiro | return ssl_init_socket_with_method(sockinfo, SSL_METHOD_SSLv23);
|
| 213 | 528 | hiro | } |
| 214 | 528 | hiro | |
| 215 | 1415 | hiro | static gint x509_cmp_func(gconstpointer a, gconstpointer b)
|
| 216 | 1415 | hiro | {
|
| 217 | 1415 | hiro | const X509 *xa = a;
|
| 218 | 1415 | hiro | const X509 *xb = b;
|
| 219 | 1415 | hiro | |
| 220 | 1426 | hiro | return X509_cmp(xa, xb);
|
| 221 | 1415 | hiro | } |
| 222 | 1415 | hiro | |
| 223 | 528 | hiro | gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method) |
| 224 | 528 | hiro | {
|
| 225 | 528 | hiro | X509 *server_cert; |
| 226 | 1200 | hiro | gint err, ret; |
| 227 | 528 | hiro | |
| 228 | 528 | hiro | switch (method) {
|
| 229 | 528 | hiro | case SSL_METHOD_SSLv23:
|
| 230 | 528 | hiro | if (!ssl_ctx_SSLv23) {
|
| 231 | 528 | hiro | g_warning(_("SSL method not available\n"));
|
| 232 | 528 | hiro | return FALSE;
|
| 233 | 528 | hiro | } |
| 234 | 528 | hiro | sockinfo->ssl = SSL_new(ssl_ctx_SSLv23); |
| 235 | 528 | hiro | break;
|
| 236 | 528 | hiro | case SSL_METHOD_TLSv1:
|
| 237 | 528 | hiro | if (!ssl_ctx_TLSv1) {
|
| 238 | 528 | hiro | g_warning(_("SSL method not available\n"));
|
| 239 | 528 | hiro | return FALSE;
|
| 240 | 528 | hiro | } |
| 241 | 528 | hiro | sockinfo->ssl = SSL_new(ssl_ctx_TLSv1); |
| 242 | 528 | hiro | break;
|
| 243 | 528 | hiro | default:
|
| 244 | 528 | hiro | g_warning(_("Unknown SSL method *PROGRAM BUG*\n"));
|
| 245 | 528 | hiro | return FALSE;
|
| 246 | 528 | hiro | break;
|
| 247 | 528 | hiro | } |
| 248 | 528 | hiro | |
| 249 | 528 | hiro | if (sockinfo->ssl == NULL) { |
| 250 | 528 | hiro | g_warning(_("Error creating ssl context\n"));
|
| 251 | 528 | hiro | return FALSE;
|
| 252 | 528 | hiro | } |
| 253 | 528 | hiro | |
| 254 | 528 | hiro | SSL_set_fd(sockinfo->ssl, sockinfo->sock); |
| 255 | 1200 | hiro | while ((ret = SSL_connect(sockinfo->ssl)) != 1) { |
| 256 | 1200 | hiro | err = SSL_get_error(sockinfo->ssl, ret); |
| 257 | 1200 | hiro | if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) {
|
| 258 | 1200 | hiro | g_usleep(100000);
|
| 259 | 1200 | hiro | g_warning("SSL_connect(): try again\n");
|
| 260 | 1200 | hiro | continue;
|
| 261 | 1200 | hiro | } |
| 262 | 1200 | hiro | g_warning("SSL_connect() failed with error %d, ret = %d (%s)\n",
|
| 263 | 1200 | hiro | err, ret, ERR_error_string(ERR_get_error(), NULL));
|
| 264 | 528 | hiro | return FALSE;
|
| 265 | 528 | hiro | } |
| 266 | 528 | hiro | |
| 267 | 528 | hiro | /* Get the cipher */
|
| 268 | 528 | hiro | |
| 269 | 528 | hiro | debug_print(_("SSL connection using %s\n"),
|
| 270 | 528 | hiro | SSL_get_cipher(sockinfo->ssl)); |
| 271 | 528 | hiro | |
| 272 | 528 | hiro | /* Get server's certificate (note: beware of dynamic allocation) */
|
| 273 | 528 | hiro | |
| 274 | 528 | hiro | if ((server_cert = SSL_get_peer_certificate(sockinfo->ssl)) != NULL) { |
| 275 | 528 | hiro | gchar *str; |
| 276 | 528 | hiro | glong verify_result; |
| 277 | 528 | hiro | |
| 278 | 528 | hiro | debug_print(_("Server certificate:\n"));
|
| 279 | 528 | hiro | |
| 280 | 528 | hiro | if ((str = X509_NAME_oneline(X509_get_subject_name(server_cert), 0, 0)) != NULL) { |
| 281 | 528 | hiro | debug_print(_(" Subject: %s\n"), str);
|
| 282 | 1664 | hiro | OPENSSL_free(str); |
| 283 | 528 | hiro | } |
| 284 | 528 | hiro | |
| 285 | 528 | hiro | if ((str = X509_NAME_oneline(X509_get_issuer_name(server_cert), 0, 0)) != NULL) { |
| 286 | 528 | hiro | debug_print(_(" Issuer: %s\n"), str);
|
| 287 | 1664 | hiro | OPENSSL_free(str); |
| 288 | 528 | hiro | } |
| 289 | 528 | hiro | |
| 290 | 528 | hiro | verify_result = SSL_get_verify_result(sockinfo->ssl); |
| 291 | 1415 | hiro | if (verify_result == X509_V_OK) {
|
| 292 | 528 | hiro | debug_print("SSL verify OK\n");
|
| 293 | 1415 | hiro | X509_free(server_cert); |
| 294 | 1415 | hiro | return TRUE;
|
| 295 | 1415 | hiro | } else if (g_slist_find_custom(trust_list, server_cert, |
| 296 | 1952 | hiro | x509_cmp_func) || |
| 297 | 1952 | hiro | g_slist_find_custom(tmp_trust_list, server_cert, |
| 298 | 1952 | hiro | x509_cmp_func)) {
|
| 299 | 1415 | hiro | log_message("SSL certificate of %s previously accepted\n", sockinfo->hostname);
|
| 300 | 1415 | hiro | X509_free(server_cert); |
| 301 | 1415 | hiro | return TRUE;
|
| 302 | 1415 | hiro | } else if (g_slist_find_custom(reject_list, server_cert, |
| 303 | 1415 | hiro | x509_cmp_func)) {
|
| 304 | 1415 | hiro | log_message("SSL certificate of %s previously rejected\n", sockinfo->hostname);
|
| 305 | 1415 | hiro | X509_free(server_cert); |
| 306 | 1415 | hiro | return FALSE;
|
| 307 | 1415 | hiro | } |
| 308 | 528 | hiro | |
| 309 | 1415 | hiro | g_warning("%s: SSL certificate verify failed (%ld: %s)\n",
|
| 310 | 1415 | hiro | sockinfo->hostname, verify_result, |
| 311 | 1415 | hiro | X509_verify_cert_error_string(verify_result)); |
| 312 | 1415 | hiro | |
| 313 | 1415 | hiro | if (verify_ui_func) {
|
| 314 | 1415 | hiro | gint res; |
| 315 | 1415 | hiro | |
| 316 | 1415 | hiro | res = verify_ui_func(sockinfo, sockinfo->hostname, |
| 317 | 1415 | hiro | server_cert, verify_result); |
| 318 | 1415 | hiro | /* 0: accept 1: temporarily accept -1: reject */
|
| 319 | 1415 | hiro | if (res < 0) { |
| 320 | 1415 | hiro | debug_print("SSL certificate of %s rejected\n",
|
| 321 | 1415 | hiro | sockinfo->hostname); |
| 322 | 1431 | hiro | #if 0
|
| 323 | 1415 | hiro | reject_list = g_slist_prepend |
| 324 | 1415 | hiro | (reject_list, X509_dup(server_cert)); |
| 325 | 1431 | hiro | #endif |
| 326 | 1415 | hiro | X509_free(server_cert); |
| 327 | 1415 | hiro | return FALSE;
|
| 328 | 1415 | hiro | } else if (res > 0) { |
| 329 | 1415 | hiro | debug_print("Temporarily accept SSL certificate of %s\n", sockinfo->hostname);
|
| 330 | 1952 | hiro | tmp_trust_list = g_slist_prepend |
| 331 | 1952 | hiro | (tmp_trust_list, X509_dup(server_cert)); |
| 332 | 1415 | hiro | } else {
|
| 333 | 1415 | hiro | debug_print("Permanently accept SSL certificate of %s\n", sockinfo->hostname);
|
| 334 | 1415 | hiro | trust_list = g_slist_prepend |
| 335 | 1415 | hiro | (trust_list, X509_dup(server_cert)); |
| 336 | 1415 | hiro | } |
| 337 | 1415 | hiro | } |
| 338 | 1415 | hiro | |
| 339 | 528 | hiro | X509_free(server_cert); |
| 340 | 1415 | hiro | } else {
|
| 341 | 1415 | hiro | g_warning("%s: couldn't get SSL certificate\n",
|
| 342 | 1415 | hiro | sockinfo->hostname); |
| 343 | 1415 | hiro | return FALSE;
|
| 344 | 528 | hiro | } |
| 345 | 528 | hiro | |
| 346 | 528 | hiro | return TRUE;
|
| 347 | 528 | hiro | } |
| 348 | 528 | hiro | |
| 349 | 528 | hiro | void ssl_done_socket(SockInfo *sockinfo)
|
| 350 | 528 | hiro | {
|
| 351 | 528 | hiro | if (sockinfo->ssl) {
|
| 352 | 528 | hiro | SSL_free(sockinfo->ssl); |
| 353 | 528 | hiro | } |
| 354 | 528 | hiro | } |
| 355 | 528 | hiro | |
| 356 | 1415 | hiro | void ssl_set_verify_func(SSLVerifyFunc func)
|
| 357 | 1415 | hiro | {
|
| 358 | 1415 | hiro | verify_ui_func = func; |
| 359 | 1415 | hiro | } |
| 360 | 1415 | hiro | |
| 361 | 528 | hiro | #endif /* USE_SSL */ |