/* * LibSylph -- E-Mail client library * Copyright (C) 1999-2006 Hiroyuki Yamamoto * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ #ifdef HAVE_CONFIG_H # include "config.h" #endif #if USE_SSL #include "defs.h" #include #include #include "utils.h" #include "ssl.h" static SSL_CTX *ssl_ctx_SSLv23 = NULL; static SSL_CTX *ssl_ctx_TLSv1 = NULL; static GSList *trust_list = NULL; static GSList *reject_list = NULL; static SSLVerifyFunc verify_ui_func = NULL; static gchar *find_certs_file(const gchar *certs_dir) { gchar *certs_file; #define LOOK_FOR(crt) \ { \ certs_file = g_strconcat(certs_dir, G_DIR_SEPARATOR_S, crt, NULL); \ debug_print("looking for %s\n", certs_file); \ if (is_file_exist(certs_file)) \ return certs_file; \ g_free(certs_file); \ } if (certs_dir) { LOOK_FOR("ca-certificates.crt"); LOOK_FOR("ca-bundle.crt"); LOOK_FOR("certs.crt"); } #undef LOOK_FOR return NULL; } void ssl_init(void) { gchar *certs_file = NULL, *certs_dir; SSL_library_init(); SSL_load_error_strings(); certs_dir = g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S, "certs", NULL); if (!is_dir_exist(certs_dir)) { debug_print("ssl_init(): %s doesn't exist, or not a directory.\n", certs_dir); g_free(certs_dir); #ifdef G_OS_WIN32 certs_dir = g_strconcat(get_startup_dir(), G_DIR_SEPARATOR_S "etc" G_DIR_SEPARATOR_S "ssl" G_DIR_SEPARATOR_S "certs", NULL); #else certs_dir = g_strdup("/etc/ssl/certs"); #endif if (!is_dir_exist(certs_dir)) { debug_print("ssl_init(): %s doesn't exist, or not a directory.\n", certs_dir); g_free(certs_dir); certs_dir = NULL; } } if (certs_dir) debug_print("ssl_init(): certs dir %s found.\n", certs_dir); certs_file = find_certs_file(get_rc_dir()); if (certs_dir && !certs_file) certs_file = find_certs_file(certs_dir); if (!certs_file) { #ifdef G_OS_WIN32 certs_dir = g_strconcat(get_startup_dir(), G_DIR_SEPARATOR_S "etc" G_DIR_SEPARATOR_S "ssl", NULL); certs_file = find_certs_file(certs_dir); g_free(certs_dir); certs_dir = NULL; if (!certs_file) { certs_dir = g_strconcat(get_startup_dir(), G_DIR_SEPARATOR_S "etc", NULL); certs_file = find_certs_file(certs_dir); g_free(certs_dir); certs_dir = NULL; } #else certs_file = find_certs_file("/etc/ssl"); if (!certs_file) certs_file = find_certs_file("/etc"); #endif } if (certs_file) debug_print("ssl_init(): certs file %s found.\n", certs_file); ssl_ctx_SSLv23 = SSL_CTX_new(SSLv23_client_method()); if (ssl_ctx_SSLv23 == NULL) { debug_print(_("SSLv23 not available\n")); } else { debug_print(_("SSLv23 available\n")); if ((certs_file || certs_dir) && !SSL_CTX_load_verify_locations(ssl_ctx_SSLv23, certs_file, certs_dir)) g_warning("SSLv23 SSL_CTX_load_verify_locations failed.\n"); } ssl_ctx_TLSv1 = SSL_CTX_new(TLSv1_client_method()); if (ssl_ctx_TLSv1 == NULL) { debug_print(_("TLSv1 not available\n")); } else { debug_print(_("TLSv1 available\n")); if ((certs_file || certs_dir) && !SSL_CTX_load_verify_locations(ssl_ctx_TLSv1, certs_file, certs_dir)) g_warning("TLSv1 SSL_CTX_load_verify_locations failed.\n"); } g_free(certs_dir); } void ssl_done(void) { GSList *cur; for (cur = trust_list; cur != NULL; cur = cur->next) X509_free((X509 *)cur->data); g_slist_free(trust_list); trust_list = NULL; for (cur = reject_list; cur != NULL; cur = cur->next) X509_free((X509 *)cur->data); g_slist_free(reject_list); reject_list = NULL; if (ssl_ctx_SSLv23) { SSL_CTX_free(ssl_ctx_SSLv23); ssl_ctx_SSLv23 = NULL; } if (ssl_ctx_TLSv1) { SSL_CTX_free(ssl_ctx_TLSv1); ssl_ctx_TLSv1 = NULL; } } gboolean ssl_init_socket(SockInfo *sockinfo) { return ssl_init_socket_with_method(sockinfo, SSL_METHOD_SSLv23); } static gint x509_cmp_func(gconstpointer a, gconstpointer b) { const X509 *xa = a; const X509 *xb = b; return X509_cmp(xa, xb); } gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method) { X509 *server_cert; gint err, ret; switch (method) { case SSL_METHOD_SSLv23: if (!ssl_ctx_SSLv23) { g_warning(_("SSL method not available\n")); return FALSE; } sockinfo->ssl = SSL_new(ssl_ctx_SSLv23); break; case SSL_METHOD_TLSv1: if (!ssl_ctx_TLSv1) { g_warning(_("SSL method not available\n")); return FALSE; } sockinfo->ssl = SSL_new(ssl_ctx_TLSv1); break; default: g_warning(_("Unknown SSL method *PROGRAM BUG*\n")); return FALSE; break; } if (sockinfo->ssl == NULL) { g_warning(_("Error creating ssl context\n")); return FALSE; } SSL_set_fd(sockinfo->ssl, sockinfo->sock); while ((ret = SSL_connect(sockinfo->ssl)) != 1) { err = SSL_get_error(sockinfo->ssl, ret); if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) { g_usleep(100000); g_warning("SSL_connect(): try again\n"); continue; } g_warning("SSL_connect() failed with error %d, ret = %d (%s)\n", err, ret, ERR_error_string(ERR_get_error(), NULL)); return FALSE; } /* Get the cipher */ debug_print(_("SSL connection using %s\n"), SSL_get_cipher(sockinfo->ssl)); /* Get server's certificate (note: beware of dynamic allocation) */ if ((server_cert = SSL_get_peer_certificate(sockinfo->ssl)) != NULL) { gchar *str; glong verify_result; debug_print(_("Server certificate:\n")); if ((str = X509_NAME_oneline(X509_get_subject_name(server_cert), 0, 0)) != NULL) { debug_print(_(" Subject: %s\n"), str); g_free(str); } if ((str = X509_NAME_oneline(X509_get_issuer_name(server_cert), 0, 0)) != NULL) { debug_print(_(" Issuer: %s\n"), str); g_free(str); } verify_result = SSL_get_verify_result(sockinfo->ssl); if (verify_result == X509_V_OK) { debug_print("SSL verify OK\n"); X509_free(server_cert); return TRUE; } else if (g_slist_find_custom(trust_list, server_cert, x509_cmp_func)) { log_message("SSL certificate of %s previously accepted\n", sockinfo->hostname); X509_free(server_cert); return TRUE; } else if (g_slist_find_custom(reject_list, server_cert, x509_cmp_func)) { log_message("SSL certificate of %s previously rejected\n", sockinfo->hostname); X509_free(server_cert); return FALSE; } g_warning("%s: SSL certificate verify failed (%ld: %s)\n", sockinfo->hostname, verify_result, X509_verify_cert_error_string(verify_result)); if (verify_ui_func) { gint res; res = verify_ui_func(sockinfo, sockinfo->hostname, server_cert, verify_result); /* 0: accept 1: temporarily accept -1: reject */ if (res < 0) { debug_print("SSL certificate of %s rejected\n", sockinfo->hostname); #if 0 reject_list = g_slist_prepend (reject_list, X509_dup(server_cert)); #endif X509_free(server_cert); return FALSE; } else if (res > 0) { debug_print("Temporarily accept SSL certificate of %s\n", sockinfo->hostname); trust_list = g_slist_prepend (trust_list, X509_dup(server_cert)); } else { debug_print("Permanently accept SSL certificate of %s\n", sockinfo->hostname); /* TODO: save server cert */ trust_list = g_slist_prepend (trust_list, X509_dup(server_cert)); } } X509_free(server_cert); } else { g_warning("%s: couldn't get SSL certificate\n", sockinfo->hostname); return FALSE; } return TRUE; } void ssl_done_socket(SockInfo *sockinfo) { if (sockinfo->ssl) { SSL_free(sockinfo->ssl); } } void ssl_set_verify_func(SSLVerifyFunc func) { verify_ui_func = func; } #endif /* USE_SSL */