src/etpan/etpan-ssl.c

   1 /*
   2  * Claws Mail -- a GTK based, lightweight, and fast e-mail client
   3  * Copyright (C) 1999-2012 Colin Leroy <colin@colino.net>
   4  * and the Claws Mail team
   5  *
   6  * This program is free software; you can redistribute it and/or modify
   7  * it under the terms of the GNU General Public License as published by
   8  * the Free Software Foundation; either version 3 of the License, or
   9  * (at your option) any later version.
  10  *
  11  * This program is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  * GNU General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  18  *
  19  */
  20
  21 #ifdef HAVE_CONFIG_H
  22 #  include "config.h"
  23 #include "claws-features.h"
  24 #endif
  25
  26 #ifdef USE_GNUTLS
  27 #ifdef HAVE_LIBETPAN
  28 #include <libetpan/libetpan.h>
  29 #include <libetpan/libetpan_version.h>
  30 #include <gnutls/gnutls.h>
  31 #include <gnutls/x509.h>
  32 #include <stdlib.h>
  33 #include <glib.h>
  34 #include <glib/gi18n.h>
  35 #include <errno.h>
  36
  37 #include "etpan-ssl.h"
  38 #include "ssl_certificate.h"
  39 #include "utils.h"
  40 #include "log.h"
  41 #include "prefs_account.h"
  42
  43 gboolean etpan_certificate_check(mailstream *stream, const char *host, gint port,
  44                                  gboolean accept_if_valid)
  45 {
  46 #if (!defined LIBETPAN_API_CURRENT || LIBETPAN_API_CURRENT < 18)
  47         unsigned char *cert_der = NULL;
  48         int len;
  49         gnutls_x509_crt_t cert = NULL;
  50         gnutls_datum_t tmp;
  51
  52         if (stream == NULL)
  53                 return FALSE;
  54
  55         len = (int)mailstream_ssl_get_certificate(stream, &cert_der);
  56
  57         if (cert_der == NULL || len < 0) {
  58                 g_warning("no cert presented");
  59                 return FALSE;
  60         }
  61
  62         tmp.data = malloc(len);
  63         memcpy(tmp.data, cert_der, len);
  64         tmp.size = len;
  65         gnutls_x509_crt_init(&cert);
  66
  67         free(cert_der);
  68
  69         if (gnutls_x509_crt_import(cert, &tmp, GNUTLS_X509_FMT_DER) < 0) {
  70                 free(tmp.data);
  71                 g_warning("IMAP: can't get cert");
  72                 return FALSE;
  73         } else if (ssl_certificate_check(cert, (guint)-1, host, port, accept_if_valid) == TRUE) {
  74                 free(tmp.data);
  75                 gnutls_x509_crt_deinit(cert);
  76                 return TRUE;
  77         } else {
  78                 free(tmp.data);
  79                 gnutls_x509_crt_deinit(cert);
  80                 return FALSE;
  81         }
  82 #else
  83         carray *certs_der = NULL;
  84         gint chain_len = 0, i;
  85         gnutls_x509_crt_t *certs = NULL;
  86         gboolean result;
  87
  88         if (stream == NULL)
  89                 return FALSE;
  90
  91         certs_der = mailstream_get_certificate_chain(stream);
  92         if (!certs_der) {
  93                 g_warning("could not get certs");
  94                 return FALSE;
  95         }
  96         chain_len = carray_count(certs_der);
  97
  98         certs = malloc(sizeof(gnutls_x509_crt_t) * chain_len);
  99         if  (certs == NULL) {
 100                 g_warning("could not allocate certs");
 101                 return FALSE;
 102         }
 103
 104         result = TRUE;
 105         for (i = 0; i < chain_len; i++) {
 106                 MMAPString *cert_str = carray_get(certs_der, i);
 107                 gnutls_datum_t tmp;
 108
 109                 tmp.data = malloc(cert_str->len);
 110                 memcpy(tmp.data, cert_str->str, cert_str->len);
 111                 tmp.size = cert_str->len;
 112
 113                 mmap_string_free(cert_str);
 114
 115                 gnutls_x509_crt_init(&certs[i]);
 116                 if (gnutls_x509_crt_import(certs[i], &tmp, GNUTLS_X509_FMT_DER) < 0)
 117                         result = FALSE;
 118
 119                 free(tmp.data);
 120         }
 121
 122         carray_free(certs_der);
 123
 124         if (result == TRUE)
 125                 result = ssl_certificate_check_chain(certs, chain_len, host, port,
 126                                                      accept_if_valid);
 127
 128         for (i = 0; i < chain_len; i++)
 129                 gnutls_x509_crt_deinit(certs[i]);
 130         free(certs);
 131
 132         return result;
 133 #endif
 134 }
 135
 136 void etpan_connect_ssl_context_cb(struct mailstream_ssl_context * ssl_context, void * data)
 137 {
 138         PrefsAccount *account = (PrefsAccount *)data;
 139         const gchar *cert_path = NULL;
 140         const gchar *password = NULL;
 141         gnutls_x509_crt_t x509 = NULL;
 142         gnutls_x509_privkey_t pkey = NULL;
 143
 144         if (account->in_ssl_client_cert_file && *account->in_ssl_client_cert_file)
 145                 cert_path = account->in_ssl_client_cert_file;
 146         if (account->in_ssl_client_cert_pass && *account->in_ssl_client_cert_pass)
 147                 password = account->in_ssl_client_cert_pass;
 148
 149         if (mailstream_ssl_set_client_certificate_data(ssl_context, NULL, 0) < 0 ||
 150             mailstream_ssl_set_client_private_key_data(ssl_context, NULL, 0) < 0)
 151                 debug_print("Impossible to set the client certificate.\n");
 152         x509 = ssl_certificate_get_x509_from_pem_file(cert_path);
 153         pkey = ssl_certificate_get_pkey_from_pem_file(cert_path);
 154         if (!(x509 && pkey)) {
 155                 /* try pkcs12 format */
 156                 ssl_certificate_get_x509_and_pkey_from_p12_file(cert_path, password, &x509, &pkey);
 157         }
 158         if (x509 && pkey) {
 159                 unsigned char *x509_der = NULL, *pkey_der = NULL;
 160                 size_t x509_len, pkey_len;
 161
 162                 x509_len = (size_t)gnutls_i2d_X509(x509, &x509_der);
 163                 pkey_len = (size_t)gnutls_i2d_PrivateKey(pkey, &pkey_der);
 164                 if (x509_len > 0 && pkey_len > 0) {
 165                         if (mailstream_ssl_set_client_certificate_data(ssl_context, x509_der, x509_len) < 0 ||
 166                             mailstream_ssl_set_client_private_key_data(ssl_context, pkey_der, pkey_len) < 0)
 167                                 log_error(LOG_PROTOCOL, _("Impossible to set the client certificate.\n"));
 168                         g_free(x509_der);
 169                         g_free(pkey_der);
 170                 }
 171                 gnutls_x509_crt_deinit(x509);
 172                 gnutls_x509_privkey_deinit(pkey);
 173         }
 174
 175 #if (defined LIBETPAN_API_CURRENT && LIBETPAN_API_CURRENT >= 23)
 176         /* If we have a host name, rather than a numerical IP address, tell
 177          * gnutls to send it in the Server Name Identification extension field,
 178          * to give the server a chance to select the correct certificate in the
 179          * virtual hosting case where multiple domain names are hosted on the
 180          * same IP address. */
 181         if (account->use_tls_sni &&
 182                         !is_numeric_host_address(account->recv_server)) {
 183                 int r;
 184
 185                 r = mailstream_ssl_set_server_name(ssl_context, account->recv_server);
 186                 debug_print("Set libetpan SSL mail stream server name indication to %s, status = %d\n",
 187                             account->recv_server, r);
 188         }
 189 #endif /* LIBETPAN_API_CURRENT >= 23 */
 190
 191 }
 192
 193 #endif /* USE_GNUTLS */
 194 #endif /* HAVE_LIBETPAN */