diff options
| author | Cosimo Cecchi <cosimoc@gnome.org> | 2010-08-24 21:24:38 +0800 |
|---|---|---|
| committer | Cosimo Cecchi <cosimoc@gnome.org> | 2010-08-24 21:24:38 +0800 |
| commit | 3bd33b4812d0b909a8a44b12791fcac75fcf365d (patch) | |
| tree | 6c92c15512f3440f93f064a9cb2740ff781158f2 | |
| parent | 180d83485a0d10d8c45760852d8d588e20a7d3e2 (diff) | |
| parent | dc73f3d3e51958edaf3b0508c4205c387e735547 (diff) | |
| download | gsoc2013-empathy-3bd33b4812d0b909a8a44b12791fcac75fcf365d.tar gsoc2013-empathy-3bd33b4812d0b909a8a44b12791fcac75fcf365d.tar.gz gsoc2013-empathy-3bd33b4812d0b909a8a44b12791fcac75fcf365d.tar.bz2 gsoc2013-empathy-3bd33b4812d0b909a8a44b12791fcac75fcf365d.tar.lz gsoc2013-empathy-3bd33b4812d0b909a8a44b12791fcac75fcf365d.tar.xz gsoc2013-empathy-3bd33b4812d0b909a8a44b12791fcac75fcf365d.tar.zst gsoc2013-empathy-3bd33b4812d0b909a8a44b12791fcac75fcf365d.zip | |
Merge branch 'tls-connection'
31 files changed, 3472 insertions, 10 deletions
diff --git a/configure.ac b/configure.ac index 6e86b3d67..a4fb6e6cf 100644 --- a/configure.ac +++ b/configure.ac @@ -34,8 +34,9 @@ AC_COPYRIGHT([ FOLKS_REQUIRED=0.1.13 GCONF_REQUIRED=1.2.0 GLIB_REQUIRED=2.25.9 +GNUTLS_REQUIRED=2.8.5 GTK_REQUIRED=2.21.2 -KEYRING_REQUIRED=2.22 +KEYRING_REQUIRED=2.26.0 LIBCANBERRA_GTK_REQUIRED=0.4 LIBNOTIFY_REQUIRED=0.4.4 LIBNOTIFY_REQUIRED_GTK3=0.5.1 @@ -150,9 +151,11 @@ PKG_CHECK_MODULES(EMPATHY, folks >= $FOLKS_REQUIRED folks-telepathy >= $FOLKS_REQUIRED gconf-2.0 >= $GCONF_REQUIRED + gcr-0 >= $KEYRING_REQUIRED gio-2.0 >= $GLIB_REQUIRED gio-unix-2.0 >= $GLIB_REQUIRED gnome-keyring-1 >= $KEYRING_REQUIRED + gnutls >= $GNUTLS_REQUIRED gobject-2.0 gstreamer-0.10 gstreamer-interfaces-0.10 diff --git a/data/Empathy.Auth.client b/data/Empathy.Auth.client new file mode 100644 index 000000000..9b86a8b76 --- /dev/null +++ b/data/Empathy.Auth.client @@ -0,0 +1,6 @@ +[org.freedesktop.Telepathy.Client] +Interfaces=org.freedesktop.Telepathy.Client.Handler + +[org.freedesktop.Telepathy.Client.Handler.HandlerChannelFilter 0] +org.freedesktop.Telepathy.Channel.ChannelType s=org.freedesktop.Telepathy.Channel.Type.ServerTLSConnection.DRAFT +org.freedesktop.Telepathy.Channel.TargetHandleType u=0 diff --git a/data/Makefile.am b/data/Makefile.am index 64054da3f..befd1c926 100644 --- a/data/Makefile.am +++ b/data/Makefile.am @@ -27,7 +27,8 @@ streamingprefs_DATA = \ servicefiledir = $(datadir)/dbus-1/services servicefile_in_files = \ org.freedesktop.Telepathy.Client.Empathy.service.in \ - org.freedesktop.Telepathy.Client.Empathy.AudioVideo.service.in + org.freedesktop.Telepathy.Client.Empathy.AudioVideo.service.in \ + org.freedesktop.Telepathy.Client.Empathy.Auth.service.in servicefile_DATA = $(servicefile_in_files:.service.in=.service) @@ -37,10 +38,14 @@ org.freedesktop.Telepathy.Client.Empathy.service: org.freedesktop.Telepathy.Clie org.freedesktop.Telepathy.Client.Empathy.AudioVideo.service: org.freedesktop.Telepathy.Client.Empathy.AudioVideo.service.in $(AM_V_GEN)sed -e "s|[@]libexecdir[@]|$(libexecdir)|" $< > $@ +org.freedesktop.Telepathy.Client.Empathy.Auth.service: org.freedesktop.Telepathy.Client.Empathy.Auth.service.in + $(AM_V_GEN)sed -e "s|[@]libexecdir[@]|$(libexecdir)|" $< > $@ + clientfiledir = $(datarootdir)/telepathy/clients clientfile_DATA = \ Empathy.client \ - Empathy.AudioVideo.client + Empathy.AudioVideo.client \ + Empathy.Auth.client htmldir = $(datadir)/empathy html_DATA = Template.html diff --git a/data/org.freedesktop.Telepathy.Client.Empathy.Auth.service.in b/data/org.freedesktop.Telepathy.Client.Empathy.Auth.service.in new file mode 100644 index 000000000..65c47d3e1 --- /dev/null +++ b/data/org.freedesktop.Telepathy.Client.Empathy.Auth.service.in @@ -0,0 +1,3 @@ +[D-BUS Service] +Name=org.freedesktop.Telepathy.Client.Empathy.Auth +Exec=@libexecdir@/empathy-auth-client
\ No newline at end of file diff --git a/extensions/Authentication_TLS_Certificate.xml b/extensions/Authentication_TLS_Certificate.xml new file mode 100644 index 000000000..709ea282c --- /dev/null +++ b/extensions/Authentication_TLS_Certificate.xml @@ -0,0 +1,304 @@ +<?xml version="1.0" ?> +<node name="/Authentication_TLS_Certificate" xmlns:tp="http://telepathy.freedesktop.org/wiki/DbusSpec#extensions-v0"> + <tp:copyright>Copyright © 2010 Collabora Limited</tp:copyright> + <tp:license> + This library is free software; you can redistribute it and/or +modify it under the terms of the GNU Lesser General Public +License as published by the Free Software Foundation; either +version 2.1 of the License, or (at your option) any later version. + +This library is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +Lesser General Public License for more details. + +You should have received a copy of the GNU Lesser General Public +License along with this library; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + </tp:license> + + <interface name="org.freedesktop.Telepathy.Authentication.TLSCertificate.DRAFT" + tp:causes-havoc="experimental"> + <tp:added version="0.19.11">(draft 1)</tp:added> + + <tp:docstring> + This object represents a TLS certificate. + </tp:docstring> + + <tp:simple-type name="Certificate_Data" array-name="Certificate_Data_List" + type="ay"> + <tp:docstring xmlns="http://www.w3.org/1999/xhtml"> + <p>The raw data contained in a TLS certificate.</p> + + <p>For X.509 certificates (<tp:member-ref>CertificateType</tp:member-ref> + = "x509"), this MUST be in DER format, as defined by the + <a href="http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf">X.690</a> + ITU standard.</p> + + <p>For PGP certificates (<tp:member-ref>CertificateType</tp:member-ref> + = "pgp"), this MUST be a binary OpenPGP key as defined by section 11.1 + of <a href="http://www.rfc-editor.org/rfc/4880.txt">RFC 4880</a>.</p> + </tp:docstring> + </tp:simple-type> + + <tp:enum type="u" name="TLS_Certificate_State"> + <tp:docstring> + The possible states for a <tp:dbus-ref + namespace="org.freedesktop.Telepathy.Authentication">TLSCertificate.DRAFT</tp:dbus-ref> + object. + </tp:docstring> + + <tp:enumvalue suffix="Pending" value="0"> + <tp:docstring> + The certificate is currently waiting to be accepted or rejected. + </tp:docstring> + </tp:enumvalue> + + <tp:enumvalue suffix="Accepted" value="1"> + <tp:docstring> + The certificate has been verified. + </tp:docstring> + </tp:enumvalue> + + <tp:enumvalue suffix="Rejected" value="2"> + <tp:docstring> + The certificate has been rejected. + </tp:docstring> + </tp:enumvalue> + </tp:enum> + + <tp:enum type="u" name="TLS_Certificate_Reject_Reason"> + <tp:docstring> + Possible reasons to reject a TLS certificate. + </tp:docstring> + + <tp:enumvalue suffix="Unknown" value="0"> + <tp:docstring> + The certificate has been rejected for another reason + not listed in this enumeration. + </tp:docstring> + </tp:enumvalue> + + <tp:enumvalue suffix="Untrusted" value="1"> + <tp:docstring> + The certificate is not trusted. + </tp:docstring> + </tp:enumvalue> + + <tp:enumvalue suffix="Expired" value="2"> + <tp:docstring> + The certificate is expired. + </tp:docstring> + </tp:enumvalue> + + <tp:enumvalue suffix="Not_Activated" value="3"> + <tp:docstring> + The certificate is not active yet. + </tp:docstring> + </tp:enumvalue> + + <tp:enumvalue suffix="Fingerprint_Mismatch" value="4"> + <tp:docstring> + The certificate provided does not have the expected + fingerprint. + </tp:docstring> + </tp:enumvalue> + + <tp:enumvalue suffix="Hostname_Mismatch" value="5"> + <tp:docstring> + The hostname certified does not match the provided one. + </tp:docstring> + </tp:enumvalue> + + <tp:enumvalue suffix="Self_Signed" value="6"> + <tp:docstring> + The certificate is self-signed. + </tp:docstring> + </tp:enumvalue> + + <tp:enumvalue suffix="Revoked" value="7"> + <tp:docstring> + The certificate has been revoked. + </tp:docstring> + </tp:enumvalue> + + <tp:enumvalue suffix="Insecure" value="8"> + <tp:docstring> + The certificate uses an insecure cipher algorithm, or is + cryptographically weak. + </tp:docstring> + </tp:enumvalue> + + <tp:enumvalue suffix="Limit_Exceeded" value="9"> + <tp:docstring> + The length in bytes of the certificate, or the depth of the + certificate chain exceed the limits imposed by the crypto + library. + </tp:docstring> + </tp:enumvalue> + </tp:enum> + + <property name="State" type="u" access="read" + tp:type="TLS_Certificate_State" + tp:name-for-bindings="State"> + <tp:docstring> + The current state of this certificate. + State change notifications happen by means of the + <tp:member-ref>Accepted</tp:member-ref> and + <tp:member-ref>Rejected</tp:member-ref> signals. + </tp:docstring> + </property> + + <property name="RejectError" type="s" access="read" + tp:type="DBus_Error_Name" + tp:name-for-bindings="Reject_Error"> + <tp:docstring xmlns="http://www.w3.org/1999/xhtml"> + <p>If the <tp:member-ref>State</tp:member-ref> is Rejected, + the reason why the certificate was rejected; this MAY correspond to + the <tp:member-ref>RejectReason</tp:member-ref>, or MAY be a more + specific D-Bus error name, perhaps implementation-specific.</p> + <p>If the <tp:member-ref>State</tp:member-ref> is not Rejected, + this property is not meaningful, and SHOULD be set to an empty + string.</p> + </tp:docstring> + </property> + + <property name="RejectDetails" type="a{sv}" access="read" + tp:type="String_Variant_Map" + tp:name-for-bindings="Reject_Details"> + <tp:docstring xmlns="http://www.w3.org/1999/xhtml"> + <p>If the <tp:member-ref>State</tp:member-ref> is Rejected, + additional information about why the certificate was rejected.</p> + <p>If the <tp:member-ref>State</tp:member-ref> is not Rejected, + this property is not meaningful and SHOULD be set to an empty + map.</p> + <p>The additional information MAY also include + one or more of the following well-known keys:</p> + <dl> + <dt>user-requested (b)</dt> + <dd>True if the error was due to an user-requested rejection of + the certificate; False if there was an unrecoverable error in the + verification process.</dd> + <dt>expected-hostname (s)</dt> + <dd>If the rejection reason is Hostname_Mismatch, the hostname that + the server certificate was expected to have.</dd> + <dt>certificate-hostname (s)</dt> + <dd>If the rejection reason is Hostname_Mismatch, the hostname of + the certificate that was presented. + <tp:rationale> + <p>For instance, if you try to connect to gmail.com but are presented + with a TLS certificate issued to evil.example.org, the error details + for Hostname_Mismatch MAY include:</p> + <pre> + { + 'expected-hostname': 'gmail.com', + 'certificate-hostname': 'evil.example.org', + } + </pre> + </tp:rationale> + </dd> + <dt>debug-message (s)</dt> + <dd>Debugging information on the error, corresponding to the + message part of a D-Bus error message, which SHOULD NOT be + displayed to users under normal circumstances</dd> + </dl> + </tp:docstring> + </property> + + <property name="RejectReason" type="u" access="read" + tp:type="TLS_Certificate_Reject_Reason" + tp:name-for-bindings="Reject_Reason"> + <tp:docstring> + If the <tp:member-ref>State</tp:member-ref> is Rejected, the + reason why the certificate was rejected. + <tp:rationale> + Clients that do not understand the <tp:member-ref>RejectError</tp:member-ref>, + which may be implementation-specific, can use this property to + classify rejection reasons into common categories. + </tp:rationale> + Otherwise, this property is not meaningful, and SHOULD be set to + Unknown. + </tp:docstring> + </property> + + <property name="CertificateType" type="s" access="read" + tp:name-for-bindings="Certificate_Type"> + <tp:docstring> + The type of this TLS certificate (e.g. 'x509' or 'pgp'). + <p>This property is immutable</p> + </tp:docstring> + </property> + + <property name="CertificateChainData" type="aay" access="read" + tp:type="Certificate_Data[]" tp:name-for-bindings="Certificate_Chain_Data"> + <tp:docstring xmlns="http://www.w3.org/1999/xhtml"> + <p>One or more TLS certificates forming a trust chain, each encoded as + specified by <tp:type>Certificate_Data</tp:type>.</p> + <p>The first certificate in the chain MUST be the server certificate, + followed by the issuer's certificate, followed by the issuer's issuer + and so on.</p> + </tp:docstring> + </property> + + <signal name="Accepted" + tp:name-for-bindings="Accepted"> + <tp:docstring> + The <tp:member-ref>State</tp:member-ref> of this certificate has changed to Accepted. + </tp:docstring> + </signal> + + <signal name="Rejected" + tp:name-for-bindings="Rejected"> + <tp:docstring> + The <tp:member-ref>State</tp:member-ref> of this certificate has changed to Rejected. + </tp:docstring> + <arg name="Reason" type="u" tp:type="TLS_Certificate_Reject_Reason"> + <tp:docstring> + The new value of <tp:member-ref>RejectReason</tp:member-ref>. + </tp:docstring> + </arg> + <arg name="Error" type="s" tp:type="DBus_Error_Name"> + <tp:docstring> + The new value of <tp:member-ref>RejectError</tp:member-ref>. + </tp:docstring> + </arg> + <arg name="Details" type="a{sv}" tp:type="String_Variant_Map"> + <tp:docstring> + The new value of <tp:member-ref>RejectDetails</tp:member-ref> + </tp:docstring> + </arg> + </signal> + + <method name="Accept" tp:name-for-bindings="Accept"> + <tp:docstring> + Accepts this certificate, i.e. marks it as verified. + </tp:docstring> + </method> + + <method name="Reject" tp:name-for-bindings="Reject"> + <tp:docstring> + Rejects this certificate. + </tp:docstring> + <arg direction="in" type="u" name="Reason" + tp:type="TLS_Certificate_Reject_Reason"> + <tp:docstring> + The new value of <tp:member-ref>RejectReason</tp:member-ref>. + </tp:docstring> + </arg> + <arg direction="in" type="s" name="Error" + tp:type="DBus_Error_Name"> + <tp:docstring> + The new value of <tp:member-ref>RejectError</tp:member-ref>. + </tp:docstring> + </arg> + <arg direction="in" type="a{sv}" name="Details" + tp:type="String_Variant_Map"> + <tp:docstring> + The new value of <tp:member-ref>RejectDetails</tp:member-ref>. + </tp:docstring> + </arg> + </method> + + </interface> +</node> +<!-- vim:set sw=2 sts=2 et ft=xml: --> diff --git a/extensions/Channel_Type_Server_TLS_Connection.xml b/extensions/Channel_Type_Server_TLS_Connection.xml new file mode 100644 index 000000000..977002f95 --- /dev/null +++ b/extensions/Channel_Type_Server_TLS_Connection.xml @@ -0,0 +1,69 @@ +<?xml version="1.0" ?> +<node name="/Channel_Type_Server_TLS_Connection" + xmlns:tp="http://telepathy.freedesktop.org/wiki/DbusSpec#extensions-v0"> + <tp:copyright> Copyright © 2010 Collabora Limited </tp:copyright> + <tp:license> + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + </tp:license> + + <interface name="org.freedesktop.Telepathy.Channel.Type.ServerTLSConnection.DRAFT" + tp:causes-havoc="experimental"> + <tp:added version="0.19.11">(draft 1)</tp:added> + + <tp:requires interface="org.freedesktop.Telepathy.Channel"/> + + <tp:docstring xmlns="http://www.w3.org/1999/xhtml"> + <p>A channel type that carries a TLS certificate between a server + and a client connecting to it.</p> + <p>Channels of this kind always have <tp:dbus-ref + namespace="org.freedesktop.Telepathy.Channel">Requested</tp:dbus-ref> = False, + <tp:dbus-ref namespace="org.freedesktop.Telepathy.Channel">TargetHandleType</tp:dbus-ref> + = None and <tp:dbus-ref namespace="org.freedesktop.Telepathy.Channel">TargetHandle</tp:dbus-ref> + = 0, and cannot be requested with methods such as <tp:dbus-ref + namespace="org.freedesktop.Telepathy.Connection.Interface.Requests">CreateChannel</tp:dbus-ref>. + Also, they SHOULD be dispatched while the + <tp:dbus-ref namespace="org.freedesktop.Telepathy">Connection</tp:dbus-ref> + owning them is in the CONNECTING state.</p> + <p>In this case, handlers SHOULD accept or reject the certificate, using + the relevant methods on the provided object, or MAY just <tp:dbus-ref + namespace="org.freedesktop.Telepathy.Channel">Close</tp:dbus-ref> the channel before doing so, to fall + back to a non-interactive verification process done inside the CM.</p> + <p>For example, channels of this kind can pop up while a client is + connecting to an XMPP server.</p> + </tp:docstring> + + <property name="ServerCertificate" type="o" access="read" + tp:name-for-bindings="ServerCertificate"> + <tp:docstring> + <p>A <tp:dbus-ref + namespace="org.freedesktop.Telepathy.Authentication">TLSCertificate.DRAFT</tp:dbus-ref> + containing the certificate chain as sent by the server, + and other relevant information.</p> + <p>This property is immutable.</p> + </tp:docstring> + </property> + + <property name="Hostname" type="s" access="read" + tp:name-for-bindings="Hostname"> + <tp:docstring> + The hostname of the server we expect <tp:member-ref>ServerCertificate</tp:member-ref> + to certify; clients SHOULD verify <tp:member-ref>ServerCertificate</tp:member-ref> against + this hostname when checking its validity. + </tp:docstring> + </property> + + </interface> +</node> +<!-- vim:set sw=2 sts=2 et ft=xml: --> diff --git a/extensions/Makefile.am b/extensions/Makefile.am index a60994b70..8f4c8e581 100644 --- a/extensions/Makefile.am +++ b/extensions/Makefile.am @@ -15,6 +15,8 @@ EXTRA_DIST = \ Debug.xml \ Channel_Interface_Conference.xml \ Logger.xml \ + Authentication_TLS_Certificate.xml \ + Channel_Type_Server_TLS_Connection.xml \ $(NULL) noinst_LTLIBRARIES = libemp-extensions.la diff --git a/extensions/misc.xml b/extensions/misc.xml index 6fe06d8ab..320d488fd 100644 --- a/extensions/misc.xml +++ b/extensions/misc.xml @@ -7,5 +7,7 @@ <xi:include href="Debug.xml" /> <xi:include href="Channel_Interface_Conference.xml" /> <xi:include href="Logger.xml" /> +<xi:include href="Authentication_TLS_Certificate.xml" /> +<xi:include href="Channel_Type_Server_TLS_Connection.xml" /> </tp:spec> diff --git a/libempathy-gtk/Makefile.am b/libempathy-gtk/Makefile.am index 377e86a05..de6cba2f1 100644 --- a/libempathy-gtk/Makefile.am +++ b/libempathy-gtk/Makefile.am @@ -6,6 +6,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir) \ -DDATADIR=\""$(datadir)"\" \ -DPKGDATADIR=\""$(pkgdatadir)"\" \ + -DGCR_API_SUBJECT_TO_CHANGE \ $(EMPATHY_CFLAGS) \ $(GTK_CFLAGS) \ $(LIBNOTIFY_CFLAGS) \ @@ -82,6 +83,7 @@ libempathy_gtk_handwritten_source = \ empathy-theme-boxes.c \ empathy-theme-irc.c \ empathy-theme-manager.c \ + empathy-tls-dialog.c \ empathy-ui-utils.c \ empathy-video-src.c \ empathy-video-widget.c @@ -141,6 +143,7 @@ libempathy_gtk_headers = \ empathy-theme-boxes.h \ empathy-theme-irc.h \ empathy-theme-manager.h \ + empathy-tls-dialog.h \ empathy-ui-utils.h \ empathy-video-src.h \ empathy-video-widget.h @@ -148,6 +151,7 @@ libempathy_gtk_headers = \ libempathy_gtk_la_SOURCES = \ $(libempathy_gtk_handwritten_source) \ $(libempathy_gtk_headers) \ + gcr-simple-certificate.c gcr-simple-certificate.h \ totem-subtitle-encoding.c totem-subtitle-encoding.h # do not distribute generated files diff --git a/libempathy-gtk/empathy-tls-dialog.c b/libempathy-gtk/empathy-tls-dialog.c new file mode 100644 index 000000000..bcfe92e65 --- /dev/null +++ b/libempathy-gtk/empathy-tls-dialog.c @@ -0,0 +1,367 @@ +/* + * empathy-tls-dialog.c - Source for EmpathyTLSDialog + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include <config.h> + +#include "empathy-tls-dialog.h" + +#include <glib/gi18n-lib.h> +#include <gcr/gcr.h> +#include <telepathy-glib/util.h> + +#include "gcr-simple-certificate.h" + +#define DEBUG_FLAG EMPATHY_DEBUG_TLS +#include <libempathy/empathy-debug.h> +#include <libempathy/empathy-utils.h> + +G_DEFINE_TYPE (EmpathyTLSDialog, empathy_tls_dialog, + GTK_TYPE_MESSAGE_DIALOG) + +#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSDialog); + +enum { + PROP_TLS_CERTIFICATE = 1, + PROP_REASON, + PROP_REMEMBER, + PROP_DETAILS, + + LAST_PROPERTY, +}; + +typedef struct { + EmpathyTLSCertificate *certificate; + EmpTLSCertificateRejectReason reason; + GHashTable *details; + + gboolean remember; + + gboolean dispose_run; +} EmpathyTLSDialogPriv; + +static void +empathy_tls_dialog_get_property (GObject *object, + guint property_id, + GValue *value, + GParamSpec *pspec) +{ + EmpathyTLSDialogPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_TLS_CERTIFICATE: + g_value_set_object (value, priv->certificate); + break; + case PROP_REASON: + g_value_set_uint (value, priv->reason); + break; + case PROP_REMEMBER: + g_value_set_boolean (value, priv->remember); + break; + case PROP_DETAILS: + g_value_set_boxed (value, priv->details); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_tls_dialog_set_property (GObject *object, + guint property_id, + const GValue *value, + GParamSpec *pspec) +{ + EmpathyTLSDialogPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_TLS_CERTIFICATE: + priv->certificate = g_value_dup_object (value); + break; + case PROP_REASON: + priv->reason = g_value_get_uint (value); + break; + case PROP_DETAILS: + priv->details = g_value_dup_boxed (value); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_tls_dialog_dispose (GObject *object) +{ + EmpathyTLSDialogPriv *priv = GET_PRIV (object); + + if (priv->dispose_run) + return; + + priv->dispose_run = TRUE; + + tp_clear_object (&priv->certificate); + + G_OBJECT_CLASS (empathy_tls_dialog_parent_class)->dispose (object); +} + +static void +empathy_tls_dialog_finalize (GObject *object) +{ + EmpathyTLSDialogPriv *priv = GET_PRIV (object); + + tp_clear_boxed (G_TYPE_HASH_TABLE, &priv->details); + + G_OBJECT_CLASS (empathy_tls_dialog_parent_class)->finalize (object); +} + +static gchar * +reason_to_string (EmpathyTLSDialog *self) +{ + GString *str; + const gchar *reason_str; + EmpTLSCertificateRejectReason reason; + GHashTable *details; + EmpathyTLSDialogPriv *priv = GET_PRIV (self); + + str = g_string_new (NULL); + reason = priv->reason; + details = priv->details; + + g_string_append (str, _("The identity provided by the chat server cannot be " + "verified.\n")); + + switch (reason) + { + case EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED: + reason_str = _("The certrificate is not signed by a Certification " + "Authority"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED: + reason_str = _("The certificate is expired"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED: + reason_str = _("The certificate hasn't yet been activated"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_FINGERPRINT_MISMATCH: + reason_str = _("The certificate does not have the expected fingerprint"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH: + reason_str = _("The hostname verified by the certificate doesn't match " + "the server name"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED: + reason_str = _("The certificate is self-signed"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_REVOKED: + reason_str = _("The certificate has been revoked by the issuing " + "Certification Authority"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE: + reason_str = _("The certificate is cryptographically weak"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED: + reason_str = _("The certificate length exceeds verifiable limits"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN: + default: + reason_str = _("The certificate is malformed"); + break; + } + + g_string_append_printf (str, "%s.", reason_str); + + /* add more information in case of HOSTNAME_MISMATCH */ + if (reason == EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH) + { + const gchar *expected_hostname, *certificate_hostname; + + expected_hostname = tp_asv_get_string (details, "expected-hostname"); + certificate_hostname = tp_asv_get_string (details, + "certificate-hostname"); + + if (expected_hostname != NULL && certificate_hostname != NULL) + { + g_string_append (str, "\n"); + g_string_append_printf (str, _("Expected hostname: %s"), + expected_hostname); + g_string_append (str, "\n"); + g_string_append_printf (str, _("Certificate hostname: %s"), + certificate_hostname); + } + } + + return g_string_free (str, FALSE); +} + +static GtkWidget * +build_gcr_widget (EmpathyTLSDialog *self) +{ + GcrCertificateBasicsWidget *widget; + GcrCertificate *certificate; + GPtrArray *cert_chain = NULL; + GArray *first_cert; + EmpathyTLSDialogPriv *priv = GET_PRIV (self); + + g_object_get (priv->certificate, + "cert-data", &cert_chain, + NULL); + first_cert = g_ptr_array_index (cert_chain, 0); + + certificate = gcr_simple_certificate_new ((const guchar *) first_cert->data, + first_cert->len); + widget = gcr_certificate_basics_widget_new (certificate); + + g_object_unref (certificate); + g_ptr_array_unref (cert_chain); + + return GTK_WIDGET (widget); +} + +static void +checkbox_toggled_cb (GtkToggleButton *checkbox, + gpointer user_data) +{ + EmpathyTLSDialog *self = user_data; + EmpathyTLSDialogPriv *priv = GET_PRIV (self); + + priv->remember = gtk_toggle_button_get_active (checkbox); + g_object_notify (G_OBJECT (self), "remember"); +} + +static void +empathy_tls_dialog_constructed (GObject *object) +{ + GtkWidget *content_area, *expander, *details, *checkbox; + gchar *text; + EmpathyTLSDialog *self = EMPATHY_TLS_DIALOG (object); + GtkMessageDialog *message_dialog = GTK_MESSAGE_DIALOG (self); + GtkDialog *dialog = GTK_DIALOG (self); + EmpathyTLSDialogPriv *priv = GET_PRIV (self); + + gtk_dialog_add_buttons (dialog, + GTK_STOCK_CANCEL, GTK_RESPONSE_CANCEL, + _("Continue"), GTK_RESPONSE_YES, + NULL); + + text = reason_to_string (self); + + g_object_set (message_dialog, + "text", _("This connection is untrusted, would you like to " + "continue anyway?"), + "secondary-text", text, + NULL); + + g_free (text); + + content_area = gtk_dialog_get_content_area (dialog); + + /* FIXME: right now we do this only if the error is SelfSigned, as we can + * easily store the new CA cert in $XDG_CONFIG_DIR/telepathy/certs in that + * case. For the other errors, we probably need a smarter/more powerful + * certificate storage. + */ + if (priv->reason == EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED) + { + checkbox = gtk_check_button_new_with_label ( + _("Remember this choice for future connections")); + gtk_box_pack_end (GTK_BOX (content_area), checkbox, FALSE, FALSE, 0); + gtk_widget_show (checkbox); + + g_signal_connect (checkbox, "toggled", + G_CALLBACK (checkbox_toggled_cb), self); + } + + text = g_strdup_printf ("<b>%s</b>", _("Certificate Details")); + expander = gtk_expander_new (text); + gtk_expander_set_use_markup (GTK_EXPANDER (expander), TRUE); + gtk_box_pack_end (GTK_BOX (content_area), expander, TRUE, TRUE, 0); + gtk_widget_show (expander); + + g_free (text); + + details = build_gcr_widget (self); + gtk_container_add (GTK_CONTAINER (expander), details); + gtk_widget_show (details); +} + +static void +empathy_tls_dialog_init (EmpathyTLSDialog *self) +{ + self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self, + EMPATHY_TYPE_TLS_DIALOG, EmpathyTLSDialogPriv); +} + +static void +empathy_tls_dialog_class_init (EmpathyTLSDialogClass *klass) +{ + GParamSpec *pspec; + GObjectClass *oclass = G_OBJECT_CLASS (klass); + + g_type_class_add_private (klass, sizeof (EmpathyTLSDialogPriv)); + + oclass->set_property = empathy_tls_dialog_set_property; + oclass->get_property = empathy_tls_dialog_get_property; + oclass->dispose = empathy_tls_dialog_dispose; + oclass->finalize = empathy_tls_dialog_finalize; + oclass->constructed = empathy_tls_dialog_constructed; + + pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate", + "The EmpathyTLSCertificate to be displayed.", + EMPATHY_TYPE_TLS_CERTIFICATE, + G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec); + + pspec = g_param_spec_uint ("reason", "The reason", + "The reason why the certificate is being asked for confirmation.", + 0, NUM_EMP_TLS_CERTIFICATE_REJECT_REASONS - 1, + EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN, + G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_REASON, pspec); + + pspec = g_param_spec_boolean ("remember", "Whether to remember the decision", + "Whether we should remember the decision for this certificate.", + FALSE, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_REMEMBER, pspec); + + pspec = g_param_spec_boxed ("details", "Rejection details", + "Additional details about the rejection of this certificate.", + G_TYPE_HASH_TABLE, + G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_DETAILS, pspec); +} + +GtkWidget * +empathy_tls_dialog_new (EmpathyTLSCertificate *certificate, + EmpTLSCertificateRejectReason reason, + GHashTable *details) +{ + g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate)); + + return g_object_new (EMPATHY_TYPE_TLS_DIALOG, + "message-type", GTK_MESSAGE_WARNING, + "certificate", certificate, + "reason", reason, + "details", details, + NULL); +} diff --git a/libempathy-gtk/empathy-tls-dialog.h b/libempathy-gtk/empathy-tls-dialog.h new file mode 100644 index 000000000..fcf72fe9b --- /dev/null +++ b/libempathy-gtk/empathy-tls-dialog.h @@ -0,0 +1,69 @@ +/* + * empathy-tls-dialog.h - Header for EmpathyTLSDialog + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __EMPATHY_TLS_DIALOG_H__ +#define __EMPATHY_TLS_DIALOG_H__ + +#include <glib-object.h> +#include <gtk/gtk.h> + +#include <libempathy/empathy-tls-certificate.h> + +#include <extensions/extensions.h> + +G_BEGIN_DECLS + +typedef struct _EmpathyTLSDialog EmpathyTLSDialog; +typedef struct _EmpathyTLSDialogClass EmpathyTLSDialogClass; + +struct _EmpathyTLSDialogClass { + GtkMessageDialogClass parent_class; +}; + +struct _EmpathyTLSDialog { + GtkMessageDialog parent; + gpointer priv; +}; + +GType empathy_tls_dialog_get_type (void); + +#define EMPATHY_TYPE_TLS_DIALOG \ + (empathy_tls_dialog_get_type ()) +#define EMPATHY_TLS_DIALOG(obj) \ + (G_TYPE_CHECK_INSTANCE_CAST((obj), EMPATHY_TYPE_TLS_DIALOG, \ + EmpathyTLSDialog)) +#define EMPATHY_TLS_DIALOG_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_CAST((klass), EMPATHY_TYPE_TLS_DIALOG, \ + EmpathyTLSDialogClass)) +#define EMPATHY_IS_TLS_DIALOG(obj) \ + (G_TYPE_CHECK_INSTANCE_TYPE((obj), EMPATHY_TYPE_TLS_DIALOG)) +#define EMPATHY_IS_TLS_DIALOG_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_TYPE((klass), EMPATHY_TYPE_TLS_DIALOG)) +#define EMPATHY_TLS_DIALOG_GET_CLASS(obj) \ + (G_TYPE_INSTANCE_GET_CLASS ((obj), EMPATHY_TYPE_TLS_DIALOG, \ + EmpathyTLSDialogClass)) + +GtkWidget * empathy_tls_dialog_new (EmpathyTLSCertificate *certificate, + EmpTLSCertificateRejectReason reason, + GHashTable *details); + +G_END_DECLS + +#endif /* #ifndef __EMPATHY_TLS_DIALOG_H__*/ diff --git a/libempathy-gtk/gcr-simple-certificate.c b/libempathy-gtk/gcr-simple-certificate.c new file mode 100644 index 000000000..072cbac97 --- /dev/null +++ b/libempathy-gtk/gcr-simple-certificate.c @@ -0,0 +1,134 @@ +/* + * gnome-keyring + * + * Copyright (C) 2008 Stefan Walter + * + * This file is copied from the gnome-keyring gcr library, which can be + * found at git://git.gnome.org/gnome-keyring + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + */ + +#include "config.h" + +#include <gcr/gcr.h> +#include "gcr-simple-certificate.h" + +#include <string.h> + +struct _GcrSimpleCertificatePrivate { + guchar *owned_data; + gsize n_owned_data; +}; + +static void gcr_certificate_iface (GcrCertificateIface *iface); +G_DEFINE_TYPE_WITH_CODE (GcrSimpleCertificate, gcr_simple_certificate, G_TYPE_OBJECT, + G_IMPLEMENT_INTERFACE (GCR_TYPE_CERTIFICATE, gcr_certificate_iface)); + +/* ----------------------------------------------------------------------------- + * OBJECT + */ + +static void +gcr_simple_certificate_init (GcrSimpleCertificate *self) +{ + self->pv = G_TYPE_INSTANCE_GET_PRIVATE (self, GCR_TYPE_SIMPLE_CERTIFICATE, GcrSimpleCertificatePrivate); +} + +static void +gcr_simple_certificate_finalize (GObject *obj) +{ + GcrSimpleCertificate *self = GCR_SIMPLE_CERTIFICATE (obj); + + g_free (self->pv->owned_data); + self->pv->owned_data = NULL; + self->pv->n_owned_data = 0; + + G_OBJECT_CLASS (gcr_simple_certificate_parent_class)->finalize (obj); +} + +static void +gcr_simple_certificate_set_property (GObject *obj, guint prop_id, const GValue *value, + GParamSpec *pspec) +{ + switch (prop_id) { + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (obj, prop_id, pspec); + break; + } +} + +static void +gcr_simple_certificate_get_property (GObject *obj, guint prop_id, GValue *value, + GParamSpec *pspec) +{ + switch (prop_id) { + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (obj, prop_id, pspec); + break; + } +} + +static void +gcr_simple_certificate_class_init (GcrSimpleCertificateClass *klass) +{ + GObjectClass *gobject_class = G_OBJECT_CLASS (klass); + + gobject_class->finalize = gcr_simple_certificate_finalize; + gobject_class->set_property = gcr_simple_certificate_set_property; + gobject_class->get_property = gcr_simple_certificate_get_property; + + g_type_class_add_private (gobject_class, sizeof (GcrSimpleCertificatePrivate)); +} + +static const guchar* +gcr_simple_certificate_real_get_der_data (GcrCertificate *base, gsize *n_data) +{ + GcrSimpleCertificate *self = GCR_SIMPLE_CERTIFICATE (base); + + g_return_val_if_fail (GCR_IS_CERTIFICATE (self), NULL); + g_return_val_if_fail (n_data, NULL); + g_return_val_if_fail (self->pv->owned_data, NULL); + + /* This is called when we're not a base class */ + *n_data = self->pv->n_owned_data; + return self->pv->owned_data; +} + +static void +gcr_certificate_iface (GcrCertificateIface *iface) +{ + iface->get_der_data = (gpointer)gcr_simple_certificate_real_get_der_data; +} + +/* ----------------------------------------------------------------------------- + * PUBLIC + */ + +GcrCertificate* +gcr_simple_certificate_new (const guchar *data, gsize n_data) +{ + GcrSimpleCertificate *cert; + + g_return_val_if_fail (data, NULL); + g_return_val_if_fail (n_data, NULL); + + cert = g_object_new (GCR_TYPE_SIMPLE_CERTIFICATE, NULL); + + cert->pv->owned_data = g_memdup (data, n_data); + cert->pv->n_owned_data = n_data; + return GCR_CERTIFICATE (cert); +} diff --git a/libempathy-gtk/gcr-simple-certificate.h b/libempathy-gtk/gcr-simple-certificate.h new file mode 100644 index 000000000..ee46b4817 --- /dev/null +++ b/libempathy-gtk/gcr-simple-certificate.h @@ -0,0 +1,61 @@ +/* + * gnome-keyring + * + * Copyright (C) 2008 Stefan Walter + * + * This file is copied from the gnome-keyring gcr library, which can be + * found at git://git.gnome.org/gnome-keyring + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + */ + +#ifndef __GCR_SIMPLE_CERTIFICATE_H__ +#define __GCR_SIMPLE_CERTIFICATE_H__ + +#include <gcr/gcr.h> + +#include <glib-object.h> + +G_BEGIN_DECLS + +#define GCR_TYPE_SIMPLE_CERTIFICATE (gcr_simple_certificate_get_type ()) +#define GCR_SIMPLE_CERTIFICATE(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), GCR_TYPE_CERTIFICATE, GcrSimpleCertificate)) +#define GCR_SIMPLE_CERTIFICATE_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), GCR_TYPE_CERTIFICATE, GcrSimpleCertificateClass)) +#define GCR_IS_SIMPLE_CERTIFICATE(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), GCR_TYPE_CERTIFICATE)) +#define GCR_IS_SIMPLE_CERTIFICATE_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), GCR_TYPE_CERTIFICATE)) +#define GCR_SIMPLE_CERTIFICATE_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), GCR_TYPE_CERTIFICATE, GcrSimpleCertificateClass)) + +typedef struct _GcrSimpleCertificate GcrSimpleCertificate; +typedef struct _GcrSimpleCertificateClass GcrSimpleCertificateClass; +typedef struct _GcrSimpleCertificatePrivate GcrSimpleCertificatePrivate; + +struct _GcrSimpleCertificate { + GObject parent; + GcrSimpleCertificatePrivate *pv; +}; + +struct _GcrSimpleCertificateClass { + GObjectClass parent_class; +}; + +GType gcr_simple_certificate_get_type (void); + +GcrCertificate* gcr_simple_certificate_new (const guchar *data, + gsize n_data); + +G_END_DECLS + +#endif /* __GCR_SIMPLE_CERTIFICATE_H__ */ diff --git a/libempathy/Makefile.am b/libempathy/Makefile.am index 94bbabe77..9b0dcfb92 100644 --- a/libempathy/Makefile.am +++ b/libempathy/Makefile.am @@ -26,6 +26,7 @@ noinst_LTLIBRARIES = libempathy.la libempathy_headers = \ empathy-account-settings.h \ + empathy-auth-factory.h \ empathy-call-factory.h \ empathy-call-handler.h \ empathy-chatroom-manager.h \ @@ -48,8 +49,11 @@ libempathy_headers = \ empathy-irc-server.h \ empathy-location.h \ empathy-message.h \ + empathy-server-tls-handler.h \ empathy-status-presets.h \ empathy-time.h \ + empathy-tls-certificate.h \ + empathy-tls-verifier.h \ empathy-tp-call.h \ empathy-tp-chat.h \ empathy-tp-contact-factory.h \ @@ -62,6 +66,7 @@ libempathy_headers = \ libempathy_la_SOURCES = \ $(libempathy_headers) \ empathy-account-settings.c \ + empathy-auth-factory.c \ empathy-call-factory.c \ empathy-call-handler.c \ empathy-chatroom-manager.c \ @@ -82,8 +87,11 @@ libempathy_la_SOURCES = \ empathy-irc-network.c \ empathy-irc-server.c \ empathy-message.c \ + empathy-server-tls-handler.c \ empathy-status-presets.c \ empathy-time.c \ + empathy-tls-certificate.c \ + empathy-tls-verifier.c \ empathy-tp-call.c \ empathy-tp-chat.c \ empathy-tp-contact-factory.c \ diff --git a/libempathy/empathy-auth-factory.c b/libempathy/empathy-auth-factory.c new file mode 100644 index 000000000..5a8f9f9f7 --- /dev/null +++ b/libempathy/empathy-auth-factory.c @@ -0,0 +1,251 @@ +/* + * empathy-auth-factory.c - Source for EmpathyAuthFactory + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include "empathy-auth-factory.h" + +#include <telepathy-glib/interfaces.h> +#include <telepathy-glib/simple-handler.h> +#include <telepathy-glib/util.h> + +#define DEBUG_FLAG EMPATHY_DEBUG_TLS +#include "empathy-debug.h" +#include "empathy-server-tls-handler.h" +#include "empathy-utils.h" + +#include "extensions/extensions.h" + +G_DEFINE_TYPE (EmpathyAuthFactory, empathy_auth_factory, G_TYPE_OBJECT); + +typedef struct { + TpBaseClient *handler; + TpHandleChannelsContext *context; + + gboolean dispose_run; +} EmpathyAuthFactoryPriv; + +enum { + NEW_SERVER_TLS_HANDLER, + LAST_SIGNAL, +}; + +static guint signals[LAST_SIGNAL] = { 0, }; + +#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyAuthFactory) + +static EmpathyAuthFactory *auth_factory_singleton = NULL; + +static void +server_tls_handler_ready_cb (GObject *source, + GAsyncResult *res, + gpointer user_data) +{ + EmpathyServerTLSHandler *handler; + GError *error = NULL; + EmpathyAuthFactory *self = user_data; + EmpathyAuthFactoryPriv *priv = GET_PRIV (self); + + handler = empathy_server_tls_handler_new_finish (res, &error); + + if (error != NULL) + { + DEBUG ("Failed to create a server TLS handler; error %s", + error->message); + tp_handle_channels_context_fail (priv->context, error); + + g_error_free (error); + } + else + { + tp_handle_channels_context_accept (priv->context); + g_signal_emit (self, signals[NEW_SERVER_TLS_HANDLER], 0, + handler); + + g_object_unref (handler); + } + + tp_clear_object (&priv->context); +} + +static void +handle_channels_cb (TpSimpleHandler *handler, + TpAccount *account, + TpConnection *connection, + GList *channels, + GList *requests_satisfied, + gint64 user_action_time, + TpHandleChannelsContext *context, + gpointer user_data) +{ + TpChannel *channel; + const GError *dbus_error; + GError *error = NULL; + EmpathyAuthFactory *self = user_data; + EmpathyAuthFactoryPriv *priv = GET_PRIV (self); + + DEBUG ("Handle TLS carrier channels."); + + /* there can't be more than one ServerTLSConnection channels + * at the same time, for the same connection/account. + */ + if (g_list_length (channels) != 1) + { + g_set_error_literal (&error, TP_ERROR, TP_ERROR_INVALID_ARGUMENT, + "Can't handle more than one ServerTLSConnection channel " + "for the same connection."); + + goto error; + } + + channel = channels->data; + + if (tp_channel_get_channel_type_id (channel) != + EMP_IFACE_QUARK_CHANNEL_TYPE_SERVER_TLS_CONNECTION) + { + g_set_error (&error, TP_ERROR, TP_ERROR_INVALID_ARGUMENT, + "Can only handle ServerTLSConnection channels, this was a %s " + "channel", tp_channel_get_channel_type (channel)); + + goto error; + } + + dbus_error = tp_proxy_get_invalidated (channel); + + if (dbus_error != NULL) + { + error = g_error_copy (dbus_error); + goto error; + } + + /* create a handler */ + priv->context = g_object_ref (context); + tp_handle_channels_context_delay (context); + empathy_server_tls_handler_new_async (channel, server_tls_handler_ready_cb, + self); + + return; + + error: + tp_handle_channels_context_fail (context, error); + g_clear_error (&error); +} + +static GObject * +empathy_auth_factory_constructor (GType type, + guint n_params, + GObjectConstructParam *params) +{ + GObject *retval; + + if (auth_factory_singleton != NULL) + { + retval = g_object_ref (auth_factory_singleton); + } + else + { + retval = G_OBJECT_CLASS (empathy_auth_factory_parent_class)->constructor + (type, n_params, params); + + auth_factory_singleton = EMPATHY_AUTH_FACTORY (retval); + g_object_add_weak_pointer (retval, (gpointer *) &auth_factory_singleton); + } + + return retval; +} + +static void +empathy_auth_factory_init (EmpathyAuthFactory *self) +{ + EmpathyAuthFactoryPriv *priv = G_TYPE_INSTANCE_GET_PRIVATE (self, + EMPATHY_TYPE_AUTH_FACTORY, EmpathyAuthFactoryPriv); + TpDBusDaemon *bus; + GError *error = NULL; + + self->priv = priv; + + bus = tp_dbus_daemon_dup (&error); + if (error != NULL) + { + g_critical ("Failed to get TpDBusDaemon: %s", error->message); + g_error_free (error); + return; + } + + priv->handler = tp_simple_handler_new (bus, FALSE, FALSE, "Empathy.Auth", + FALSE, handle_channels_cb, self, NULL); + + tp_base_client_take_handler_filter (priv->handler, tp_asv_new ( + TP_PROP_CHANNEL_CHANNEL_TYPE, G_TYPE_STRING, + EMP_IFACE_CHANNEL_TYPE_SERVER_TLS_CONNECTION, + TP_PROP_CHANNEL_TARGET_HANDLE_TYPE, G_TYPE_UINT, + TP_HANDLE_TYPE_NONE, NULL)); + + g_object_unref (bus); +} + +static void +empathy_auth_factory_dispose (GObject *object) +{ + EmpathyAuthFactoryPriv *priv = GET_PRIV (object); + + if (priv->dispose_run) + return; + + priv->dispose_run = TRUE; + + tp_clear_object (&priv->handler); + tp_clear_object (&priv->context); + + G_OBJECT_CLASS (empathy_auth_factory_parent_class)->dispose (object); +} + +static void +empathy_auth_factory_class_init (EmpathyAuthFactoryClass *klass) +{ + GObjectClass *oclass = G_OBJECT_CLASS (klass); + + oclass->constructor = empathy_auth_factory_constructor; + oclass->dispose = empathy_auth_factory_dispose; + + g_type_class_add_private (klass, sizeof (EmpathyAuthFactoryPriv)); + + signals[NEW_SERVER_TLS_HANDLER] = + g_signal_new ("new-server-tls-handler", + G_TYPE_FROM_CLASS (klass), + G_SIGNAL_RUN_LAST, 0, + NULL, NULL, + g_cclosure_marshal_VOID__OBJECT, + G_TYPE_NONE, + 1, EMPATHY_TYPE_SERVER_TLS_HANDLER); +} + +EmpathyAuthFactory * +empathy_auth_factory_dup_singleton (void) +{ + return g_object_new (EMPATHY_TYPE_AUTH_FACTORY, NULL); +} + +gboolean +empathy_auth_factory_register (EmpathyAuthFactory *self, + GError **error) +{ + EmpathyAuthFactoryPriv *priv = GET_PRIV (self); + + return tp_base_client_register (priv->handler, error); +} diff --git a/libempathy/empathy-auth-factory.h b/libempathy/empathy-auth-factory.h new file mode 100644 index 000000000..507f69b95 --- /dev/null +++ b/libempathy/empathy-auth-factory.h @@ -0,0 +1,66 @@ +/* + * empathy-auth-factory.h - Header for EmpathyAuthFactory + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __EMPATHY_AUTH_FACTORY_H__ +#define __EMPATHY_AUTH_FACTORY_H__ + +#include <glib-object.h> + +G_BEGIN_DECLS + +typedef struct _EmpathyAuthFactory EmpathyAuthFactory; +typedef struct _EmpathyAuthFactoryClass EmpathyAuthFactoryClass; + +struct _EmpathyAuthFactoryClass { + GObjectClass parent_class; +}; + +struct _EmpathyAuthFactory { + GObject parent; + gpointer priv; +}; + +GType empathy_auth_factory_get_type (void); + +/* TYPE MACROS */ +#define EMPATHY_TYPE_AUTH_FACTORY \ + (empathy_auth_factory_get_type ()) +#define EMPATHY_AUTH_FACTORY(obj) \ + (G_TYPE_CHECK_INSTANCE_CAST((obj), EMPATHY_TYPE_AUTH_FACTORY, \ + EmpathyAuthFactory)) +#define EMPATHY_AUTH_FACTORY_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_CAST((klass), EMPATHY_TYPE_AUTH_FACTORY, \ + EmpathyAuthFactoryClass)) +#define EMPATHY_IS_AUTH_FACTORY(obj) \ + (G_TYPE_CHECK_INSTANCE_TYPE((obj), EMPATHY_TYPE_AUTH_FACTORY)) +#define EMPATHY_IS_AUTH_FACTORY_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_TYPE((klass), EMPATHY_TYPE_AUTH_FACTORY)) +#define EMPATHY_AUTH_FACTORY_GET_CLASS(obj) \ + (G_TYPE_INSTANCE_GET_CLASS ((obj), EMPATHY_TYPE_AUTH_FACTORY, \ + EmpathyAuthFactoryClass)) + +EmpathyAuthFactory * empathy_auth_factory_dup_singleton (void); + +gboolean empathy_auth_factory_register (EmpathyAuthFactory *self, + GError **error); + +G_END_DECLS + +#endif /* #ifndef __EMPATHY_AUTH_FACTORY_H__*/ diff --git a/libempathy/empathy-debug.c b/libempathy/empathy-debug.c index 1f29259fd..dd507bc42 100644 --- a/libempathy/empathy-debug.c +++ b/libempathy/empathy-debug.c @@ -52,6 +52,7 @@ static GDebugKey keys[] = { { "ImportMc4Accounts", EMPATHY_DEBUG_IMPORT_MC4_ACCOUNTS }, { "Tests", EMPATHY_DEBUG_TESTS }, { "Voip", EMPATHY_DEBUG_VOIP }, + { "Tls", EMPATHY_DEBUG_TLS }, { 0, } }; diff --git a/libempathy/empathy-debug.h b/libempathy/empathy-debug.h index 0a5c3f697..ece3af73c 100644 --- a/libempathy/empathy-debug.h +++ b/libempathy/empathy-debug.h @@ -46,6 +46,7 @@ typedef enum EMPATHY_DEBUG_IMPORT_MC4_ACCOUNTS = 1 << 11, EMPATHY_DEBUG_TESTS = 1 << 12, EMPATHY_DEBUG_VOIP = 1 << 13, + EMPATHY_DEBUG_TLS = 1 << 14, } EmpathyDebugFlags; gboolean empathy_debug_flag_is_set (EmpathyDebugFlags flag); diff --git a/libempathy/empathy-server-tls-handler.c b/libempathy/empathy-server-tls-handler.c new file mode 100644 index 000000000..6180fefea --- /dev/null +++ b/libempathy/empathy-server-tls-handler.c @@ -0,0 +1,290 @@ +/* + * empathy-server-tls-handler.c - Source for EmpathyServerTLSHandler + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include "empathy-server-tls-handler.h" + +#include <telepathy-glib/util.h> + +#define DEBUG_FLAG EMPATHY_DEBUG_TLS +#include "empathy-debug.h" +#include "empathy-tls-certificate.h" +#include "empathy-utils.h" + +#include "extensions/extensions.h" + +static void async_initable_iface_init (GAsyncInitableIface *iface); + +enum { + PROP_CHANNEL = 1, + PROP_TLS_CERTIFICATE, + PROP_HOSTNAME, + LAST_PROPERTY, +}; + +typedef struct { + TpChannel *channel; + + EmpathyTLSCertificate *certificate; + gchar *hostname; + + GSimpleAsyncResult *async_init_res; +} EmpathyServerTLSHandlerPriv; + +G_DEFINE_TYPE_WITH_CODE (EmpathyServerTLSHandler, empathy_server_tls_handler, + G_TYPE_OBJECT, + G_IMPLEMENT_INTERFACE (G_TYPE_ASYNC_INITABLE, async_initable_iface_init)); + +#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyServerTLSHandler); + +static void +tls_certificate_prepared_cb (GObject *source, + GAsyncResult *result, + gpointer user_data) +{ + EmpathyTLSCertificate *certificate = EMPATHY_TLS_CERTIFICATE (source); + EmpathyServerTLSHandler *self = user_data; + GError *error = NULL; + EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self); + + empathy_tls_certificate_prepare_finish (certificate, result, &error); + + if (error != NULL) + { + g_simple_async_result_set_from_error (priv->async_init_res, error); + g_error_free (error); + } + + g_simple_async_result_complete_in_idle (priv->async_init_res); + tp_clear_object (&priv->async_init_res); +} + +static gboolean +tls_handler_init_finish (GAsyncInitable *initable, + GAsyncResult *res, + GError **error) +{ + gboolean retval = TRUE; + + if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res), + error)) + retval = FALSE; + + return retval; +} + +static void +tls_handler_init_async (GAsyncInitable *initable, + gint io_priority, + GCancellable *cancellable, + GAsyncReadyCallback callback, + gpointer user_data) +{ + GHashTable *properties; + const gchar *cert_object_path; + const gchar *hostname; + const gchar *bus_name; + TpDBusDaemon *dbus; + GError *error = NULL; + EmpathyServerTLSHandler *self = EMPATHY_SERVER_TLS_HANDLER (initable); + EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self); + + g_assert (priv->channel != NULL); + + priv->async_init_res = g_simple_async_result_new (G_OBJECT (self), + callback, user_data, empathy_server_tls_handler_new_async); + properties = tp_channel_borrow_immutable_properties (priv->channel); + + hostname = tp_asv_get_string (properties, + EMP_IFACE_CHANNEL_TYPE_SERVER_TLS_CONNECTION ".Hostname"); + priv->hostname = g_strdup (hostname); + + DEBUG ("Received hostname: %s", hostname); + + cert_object_path = tp_asv_get_object_path (properties, + EMP_IFACE_CHANNEL_TYPE_SERVER_TLS_CONNECTION ".ServerCertificate"); + bus_name = tp_proxy_get_bus_name (TP_PROXY (priv->channel)); + dbus = tp_proxy_get_dbus_daemon (TP_PROXY (priv->channel)); + + DEBUG ("Creating an EmpathyTLSCertificate for path %s, bus name %s", + cert_object_path, bus_name); + + priv->certificate = empathy_tls_certificate_new (dbus, bus_name, + cert_object_path, &error); + + if (error != NULL) + { + DEBUG ("Unable to create the EmpathyTLSCertificate: error %s", + error->message); + + g_simple_async_result_set_from_error (priv->async_init_res, error); + g_simple_async_result_complete_in_idle (priv->async_init_res); + + g_error_free (error); + tp_clear_object (&priv->async_init_res); + + return; + } + + empathy_tls_certificate_prepare_async (priv->certificate, + tls_certificate_prepared_cb, self); +} + +static void +async_initable_iface_init (GAsyncInitableIface *iface) +{ + iface->init_async = tls_handler_init_async; + iface->init_finish = tls_handler_init_finish; +} + +static void +empathy_server_tls_handler_finalize (GObject *object) +{ + EmpathyServerTLSHandlerPriv *priv = GET_PRIV (object); + + DEBUG ("%p", object); + + tp_clear_object (&priv->channel); + tp_clear_object (&priv->certificate); + + G_OBJECT_CLASS (empathy_server_tls_handler_parent_class)->finalize (object); +} + +static void +empathy_server_tls_handler_get_property (GObject *object, + guint property_id, + GValue *value, + GParamSpec *pspec) +{ + EmpathyServerTLSHandlerPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_CHANNEL: + g_value_set_object (value, priv->channel); + break; + case PROP_TLS_CERTIFICATE: + g_value_set_object (value, priv->certificate); + break; + case PROP_HOSTNAME: + g_value_set_string (value, priv->hostname); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_server_tls_handler_set_property (GObject *object, + guint property_id, + const GValue *value, + GParamSpec *pspec) +{ + EmpathyServerTLSHandlerPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_CHANNEL: + priv->channel = g_value_dup_object (value); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_server_tls_handler_class_init (EmpathyServerTLSHandlerClass *klass) +{ + GObjectClass *oclass = G_OBJECT_CLASS (klass); + GParamSpec *pspec; + + oclass->get_property = empathy_server_tls_handler_get_property; + oclass->set_property = empathy_server_tls_handler_set_property; + oclass->finalize = empathy_server_tls_handler_finalize; + + g_type_class_add_private (klass, sizeof (EmpathyServerTLSHandlerPriv)); + + pspec = g_param_spec_object ("channel", "The TpChannel", + "The TpChannel this handler is supposed to handle.", + TP_TYPE_CHANNEL, + G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_CHANNEL, pspec); + + pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate", + "The EmpathyTLSCertificate carried by the channel.", + EMPATHY_TYPE_TLS_CERTIFICATE, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec); + + pspec = g_param_spec_string ("hostname", "The hostname", + "The hostname which should be certified by the server certificate.", + NULL, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_HOSTNAME, pspec); +} + +static void +empathy_server_tls_handler_init (EmpathyServerTLSHandler *self) +{ + self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self, + EMPATHY_TYPE_SERVER_TLS_HANDLER, EmpathyServerTLSHandlerPriv); +} + +void +empathy_server_tls_handler_new_async (TpChannel *channel, + GAsyncReadyCallback callback, + gpointer user_data) +{ + g_assert (TP_IS_CHANNEL (channel)); + g_assert (channel != NULL); + + g_async_initable_new_async (EMPATHY_TYPE_SERVER_TLS_HANDLER, + G_PRIORITY_DEFAULT, NULL, callback, user_data, + "channel", channel, NULL); +} + +EmpathyServerTLSHandler * +empathy_server_tls_handler_new_finish (GAsyncResult *result, + GError **error) +{ + GObject *object, *source_object; + + source_object = g_async_result_get_source_object (result); + + object = g_async_initable_new_finish (G_ASYNC_INITABLE (source_object), + result, error); + g_object_unref (source_object); + + if (object != NULL) + return EMPATHY_SERVER_TLS_HANDLER (object); + else + return NULL; +} + +EmpathyTLSCertificate * +empathy_server_tls_handler_get_certificate (EmpathyServerTLSHandler *self) +{ + EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self); + + g_assert (priv->certificate != NULL); + + return priv->certificate; +} diff --git a/libempathy/empathy-server-tls-handler.h b/libempathy/empathy-server-tls-handler.h new file mode 100644 index 000000000..1fae98b0a --- /dev/null +++ b/libempathy/empathy-server-tls-handler.h @@ -0,0 +1,73 @@ +/* + * empathy-server-tls-handler.h - Header for EmpathyServerTLSHandler + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __EMPATHY_SERVER_TLS_HANDLER_H__ +#define __EMPATHY_SERVER_TLS_HANDLER_H__ + +#include <glib-object.h> +#include <gio/gio.h> + +#include <telepathy-glib/channel.h> + +#include <libempathy/empathy-tls-certificate.h> + +G_BEGIN_DECLS + +typedef struct _EmpathyServerTLSHandler EmpathyServerTLSHandler; +typedef struct _EmpathyServerTLSHandlerClass EmpathyServerTLSHandlerClass; + +struct _EmpathyServerTLSHandlerClass { + GObjectClass parent_class; +}; + +struct _EmpathyServerTLSHandler { + GObject parent; + gpointer priv; +}; + +GType empathy_server_tls_handler_get_type (void); + +#define EMPATHY_TYPE_SERVER_TLS_HANDLER \ + (empathy_server_tls_handler_get_type ()) +#define EMPATHY_SERVER_TLS_HANDLER(obj) \ + (G_TYPE_CHECK_INSTANCE_CAST((obj), EMPATHY_TYPE_SERVER_TLS_HANDLER, \ + EmpathyServerTLSHandler)) +#define EMPATHY_SERVER_TLS_HANDLER_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_CAST((klass), EMPATHY_TYPE_SERVER_TLS_HANDLER, \ + EmpathyServerTLSHandlerClass)) +#define EMPATHY_IS_SERVER_TLS_HANDLER(obj) \ + (G_TYPE_CHECK_INSTANCE_TYPE((obj), EMPATHY_TYPE_SERVER_TLS_HANDLER)) +#define EMPATHY_IS_SERVER_TLS_HANDLER_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_TYPE((klass), EMPATHY_TYPE_SERVER_TLS_HANDLER)) +#define EMPATHY_SERVER_TLS_HANDLER_GET_CLASS(obj) \ + (G_TYPE_INSTANCE_GET_CLASS ((obj), EMPATHY_TYPE_SERVER_TLS_HANDLER, \ + EmpathyServerTLSHandlerClass)) + +void empathy_server_tls_handler_new_async (TpChannel *channel, + GAsyncReadyCallback callback, gpointer user_data); +EmpathyServerTLSHandler * empathy_server_tls_handler_new_finish ( + GAsyncResult *result, GError **error); + +EmpathyTLSCertificate * empathy_server_tls_handler_get_certificate ( + EmpathyServerTLSHandler *self); + +G_END_DECLS + +#endif /* #ifndef __EMPATHY_SERVER_TLS_HANDLER_H__*/ diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c new file mode 100644 index 000000000..acb94c79d --- /dev/null +++ b/libempathy/empathy-tls-certificate.c @@ -0,0 +1,537 @@ +/* + * empathy-tls-certificate.c - Source for EmpathyTLSCertificate + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include <config.h> + +#include "empathy-tls-certificate.h" + +#include <errno.h> + +#include <glib/gstdio.h> + +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> + +#include <telepathy-glib/util.h> + +#define DEBUG_FLAG EMPATHY_DEBUG_TLS +#include "empathy-debug.h" +#include "empathy-utils.h" + +#include "extensions/extensions.h" + +enum { + /* proxy properties */ + PROP_CERT_TYPE = 1, + PROP_CERT_DATA, + PROP_STATE, + LAST_PROPERTY, +}; + +typedef struct { + GSimpleAsyncResult *async_prepare_res; + + /* TLSCertificate properties */ + gchar *cert_type; + GPtrArray *cert_data; + EmpTLSCertificateState state; + + gboolean is_prepared; +} EmpathyTLSCertificatePriv; + +G_DEFINE_TYPE (EmpathyTLSCertificate, empathy_tls_certificate, + TP_TYPE_PROXY); + +#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSCertificate); + +static GType +array_of_ay_get_type (void) +{ + static GType t = 0; + + if (G_UNLIKELY (t == 0)) + { + t = dbus_g_type_get_collection ("GPtrArray", + dbus_g_type_get_collection ("GArray", + G_TYPE_UCHAR)); + } + + return t; +} + +static void +tls_certificate_got_all_cb (TpProxy *proxy, + GHashTable *properties, + const GError *error, + gpointer user_data, + GObject *weak_object) +{ + GPtrArray *cert_data; + EmpathyTLSCertificate *self = EMPATHY_TLS_CERTIFICATE (weak_object); + EmpathyTLSCertificatePriv *priv = GET_PRIV (self); + + if (error != NULL) + { + g_simple_async_result_set_from_error (priv->async_prepare_res, error); + g_simple_async_result_complete (priv->async_prepare_res); + tp_clear_object (&priv->async_prepare_res); + + return; + } + + priv->cert_type = g_strdup (tp_asv_get_string (properties, + "CertificateType")); + priv->state = tp_asv_get_uint32 (properties, "State", NULL); + + cert_data = tp_asv_get_boxed (properties, "CertificateChainData", + array_of_ay_get_type ()); + g_assert (cert_data != NULL); + priv->cert_data = g_boxed_copy (array_of_ay_get_type (), cert_data); + + DEBUG ("Got a certificate chain long %u, of type %s", + priv->cert_data->len, priv->cert_type); + + priv->is_prepared = TRUE; + + g_simple_async_result_complete (priv->async_prepare_res); + tp_clear_object (&priv->async_prepare_res); +} + +void +empathy_tls_certificate_prepare_async (EmpathyTLSCertificate *self, + GAsyncReadyCallback callback, + gpointer user_data) +{ + EmpathyTLSCertificatePriv *priv = GET_PRIV (self); + + /* emit an error if we're already preparing the object */ + if (priv->async_prepare_res != NULL) + { + g_simple_async_report_error_in_idle (G_OBJECT (self), + callback, user_data, + G_IO_ERROR, G_IO_ERROR_PENDING, + "%s", + "Prepare operation already in progress on the TLS certificate."); + + return; + } + + + /* if the object is already prepared, just complete in idle */ + if (priv->is_prepared) + { + tp_simple_async_report_success_in_idle (G_OBJECT (self), + callback, user_data, empathy_tls_certificate_prepare_async); + + return; + } + + priv->async_prepare_res = g_simple_async_result_new (G_OBJECT (self), + callback, user_data, empathy_tls_certificate_prepare_async); + + /* call GetAll() on the certificate */ + tp_cli_dbus_properties_call_get_all (self, + -1, EMP_IFACE_AUTHENTICATION_TLS_CERTIFICATE, + tls_certificate_got_all_cb, NULL, NULL, + G_OBJECT (self)); +} + +gboolean +empathy_tls_certificate_prepare_finish (EmpathyTLSCertificate *self, + GAsyncResult *result, + GError **error) +{ + gboolean retval = TRUE; + + if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), + error)) + retval = FALSE; + + return retval; +} + +static void +empathy_tls_certificate_finalize (GObject *object) +{ + EmpathyTLSCertificatePriv *priv = GET_PRIV (object); + + DEBUG ("%p", object); + + g_free (priv->cert_type); + tp_clear_boxed (array_of_ay_get_type (), &priv->cert_data); + + G_OBJECT_CLASS (empathy_tls_certificate_parent_class)->finalize (object); +} + +static void +empathy_tls_certificate_get_property (GObject *object, + guint property_id, + GValue *value, + GParamSpec *pspec) +{ + EmpathyTLSCertificatePriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_CERT_TYPE: + g_value_set_string (value, priv->cert_type); + break; + case PROP_CERT_DATA: + g_value_set_boxed (value, priv->cert_data); + break; + case PROP_STATE: + g_value_set_uint (value, priv->state); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_tls_certificate_init (EmpathyTLSCertificate *self) +{ + self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self, + EMPATHY_TYPE_TLS_CERTIFICATE, EmpathyTLSCertificatePriv); +} + +static void +empathy_tls_certificate_class_init (EmpathyTLSCertificateClass *klass) +{ + GParamSpec *pspec; + GObjectClass *oclass = G_OBJECT_CLASS (klass); + TpProxyClass *pclass = TP_PROXY_CLASS (klass); + + oclass->get_property = empathy_tls_certificate_get_property; + oclass->finalize = empathy_tls_certificate_finalize; + + pclass->interface = EMP_IFACE_QUARK_AUTHENTICATION_TLS_CERTIFICATE; + pclass->must_have_unique_name = TRUE; + + g_type_class_add_private (klass, sizeof (EmpathyTLSCertificatePriv)); + + pspec = g_param_spec_string ("cert-type", "Certificate type", + "The type of this certificate.", + NULL, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_CERT_TYPE, pspec); + + pspec = g_param_spec_boxed ("cert-data", "Certificate chain data", + "The raw DER-encoded certificate chain data.", + array_of_ay_get_type (), + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_CERT_DATA, pspec); + + pspec = g_param_spec_uint ("state", "State", + "The state of this certificate.", + EMP_TLS_CERTIFICATE_STATE_PENDING, NUM_EMP_TLS_CERTIFICATE_STATES -1, + EMP_TLS_CERTIFICATE_STATE_PENDING, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_STATE, pspec); +} + +static void +cert_proxy_accept_cb (TpProxy *proxy, + const GError *error, + gpointer user_data, + GObject *weak_object) +{ + GSimpleAsyncResult *accept_result = user_data; + + DEBUG ("Callback for accept(), error %p", error); + + if (error != NULL) + { + DEBUG ("Error was %s", error->message); + g_simple_async_result_set_from_error (accept_result, error); + } + + g_simple_async_result_complete (accept_result); +} + +static void +cert_proxy_reject_cb (TpProxy *proxy, + const GError *error, + gpointer user_data, + GObject *weak_object) +{ + GSimpleAsyncResult *reject_result = user_data; + + DEBUG ("Callback for reject(), error %p", error); + + if (error != NULL) + { + DEBUG ("Error was %s", error->message); + g_simple_async_result_set_from_error (reject_result, error); + } + + g_simple_async_result_complete (reject_result); +} + +static const gchar * +reject_reason_get_dbus_error (EmpTLSCertificateRejectReason reason) +{ + const gchar *retval = NULL; + + switch (reason) + { + case EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_UNTRUSTED); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_EXPIRED); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_NOT_ACTIVATED); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_FINGERPRINT_MISMATCH: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_FINGERPRINT_MISMATCH); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_HOSTNAME_MISMATCH); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_SELF_SIGNED); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_REVOKED: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_REVOKED); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_INSECURE); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_LIMIT_EXCEEDED); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN: + default: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_INVALID); + break; + } + + return retval; +} + +EmpathyTLSCertificate * +empathy_tls_certificate_new (TpDBusDaemon *dbus, + const gchar *bus_name, + const gchar *object_path, + GError **error) +{ + EmpathyTLSCertificate *retval = NULL; + + if (!tp_dbus_check_valid_bus_name (bus_name, + TP_DBUS_NAME_TYPE_UNIQUE, error)) + goto finally; + + if (!tp_dbus_check_valid_object_path (object_path, error)) + goto finally; + + retval = g_object_new (EMPATHY_TYPE_TLS_CERTIFICATE, + "dbus-daemon", dbus, + "bus-name", bus_name, + "object-path", object_path, + NULL); + +finally: + if (*error != NULL) + DEBUG ("Error while creating the TLS certificate: %s", + (*error)->message); + + return retval; +} + +void +empathy_tls_certificate_accept_async (EmpathyTLSCertificate *self, + GAsyncReadyCallback callback, + gpointer user_data) +{ + GSimpleAsyncResult *accept_result; + + g_assert (EMPATHY_IS_TLS_CERTIFICATE (self)); + + DEBUG ("Accepting TLS certificate"); + + accept_result = g_simple_async_result_new (G_OBJECT (self), + callback, user_data, empathy_tls_certificate_accept_async); + + emp_cli_authentication_tls_certificate_call_accept (TP_PROXY (self), + -1, cert_proxy_accept_cb, + accept_result, g_object_unref, + G_OBJECT (self)); +} + +gboolean +empathy_tls_certificate_accept_finish (EmpathyTLSCertificate *self, + GAsyncResult *result, + GError **error) +{ + if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), + error)) + return FALSE; + + return TRUE; +} + +void +empathy_tls_certificate_reject_async (EmpathyTLSCertificate *self, + EmpTLSCertificateRejectReason reason, + GHashTable *details, + GAsyncReadyCallback callback, + gpointer user_data) +{ + const gchar *dbus_error; + GSimpleAsyncResult *reject_result; + + g_assert (EMPATHY_IS_TLS_CERTIFICATE (self)); + + DEBUG ("Rejecting TLS certificate with reason %u", reason); + + dbus_error = reject_reason_get_dbus_error (reason); + reject_result = g_simple_async_result_new (G_OBJECT (self), + callback, user_data, empathy_tls_certificate_reject_async); + + emp_cli_authentication_tls_certificate_call_reject (TP_PROXY (self), + -1, reason, dbus_error, details, cert_proxy_reject_cb, + reject_result, g_object_unref, G_OBJECT (self)); +} + +gboolean +empathy_tls_certificate_reject_finish (EmpathyTLSCertificate *self, + GAsyncResult *result, + GError **error) +{ + if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), + error)) + return FALSE; + + return TRUE; +} + +static gsize +get_exported_size (gnutls_x509_crt_t cert) +{ + gsize retval; + guchar fake; + + /* fake an export so we get the size to allocate */ + gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_PEM, + &fake, &retval); + + DEBUG ("Should allocate %lu bytes", (gulong) retval); + + return retval; +} + +void +empathy_tls_certificate_store_ca (EmpathyTLSCertificate *self) +{ + GArray *last_cert; + gnutls_x509_crt_t cert; + gnutls_datum_t datum = { NULL, 0 }; + gsize exported_len; + guchar *exported_cert = NULL; + gint res; + gchar *user_certs_dir = NULL, *filename = NULL, *path = NULL; + GError *error = NULL; + EmpathyTLSCertificatePriv *priv = GET_PRIV (self); + + last_cert = g_ptr_array_index (priv->cert_data, priv->cert_data->len - 1); + datum.data = (guchar *) last_cert->data; + datum.size = last_cert->len; + + gnutls_x509_crt_init (&cert); + gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER); + + /* make sure it's self-signed, otherwise it's not a CA */ + if (gnutls_x509_crt_check_issuer (cert, cert) <= 0) + { + DEBUG ("Can't import the CA, as it's not self-signed"); + gnutls_x509_crt_deinit (cert); + + return; + } + + if (gnutls_x509_crt_get_ca_status (cert, NULL) <= 0) + { + DEBUG ("Can't import the CA, it's not a valid CA certificate"); + gnutls_x509_crt_deinit (cert); + + goto out; + } + + exported_len = get_exported_size (cert); + exported_cert = g_malloc (sizeof (guchar) * exported_len); + + res = gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_PEM, + exported_cert, &exported_len); + + if (res < 0) + { + DEBUG ("Failed to export the CA certificate; GnuTLS returned %d", res); + gnutls_x509_crt_deinit (cert); + + goto out; + } + + gnutls_x509_crt_deinit (cert); + + /* write the file */ + user_certs_dir = g_build_filename (g_get_user_config_dir (), + "telepathy", "certs", NULL); + + res = g_mkdir_with_parents (user_certs_dir, S_IRWXU | S_IRWXG); + + if (res < 0) + { + DEBUG ("Failed to create the user certificate directory: %s", + g_strerror (errno)); + + goto out; + } + + do + { + g_free (path); + + filename = g_strdup_printf ("cert-%p", cert); + path = g_build_filename (user_certs_dir, filename, NULL); + + g_free (filename); + } + while (g_file_test (path, G_FILE_TEST_EXISTS)); + + DEBUG ("Will save to %s", path); + + g_file_set_contents (path, (const gchar *) exported_cert, exported_len, + &error); + + if (error != NULL) + { + DEBUG ("Can't save the CA certificate to %s: %s", + path, error->message); + + g_error_free (error); + } + + out: + g_free (path); + g_free (exported_cert); + g_free (user_certs_dir); +} diff --git a/libempathy/empathy-tls-certificate.h b/libempathy/empathy-tls-certificate.h new file mode 100644 index 000000000..d9dd07d44 --- /dev/null +++ b/libempathy/empathy-tls-certificate.h @@ -0,0 +1,95 @@ +/* + * empathy-tls-certificate.h - Header for EmpathyTLSCertificate + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __EMPATHY_TLS_CERTIFICATE_H__ +#define __EMPATHY_TLS_CERTIFICATE_H__ + +#include <glib-object.h> +#include <gio/gio.h> + +#include <telepathy-glib/proxy-subclass.h> + +#include <extensions/extensions.h> + +G_BEGIN_DECLS + +typedef struct _EmpathyTLSCertificate EmpathyTLSCertificate; +typedef struct _EmpathyTLSCertificateClass EmpathyTLSCertificateClass; + +struct _EmpathyTLSCertificateClass { + TpProxyClass parent_class; +}; + +struct _EmpathyTLSCertificate { + TpProxy parent; + gpointer priv; +}; + +GType empathy_tls_certificate_get_type (void); + +#define EMPATHY_TYPE_TLS_CERTIFICATE \ + (empathy_tls_certificate_get_type ()) +#define EMPATHY_TLS_CERTIFICATE(obj) \ + (G_TYPE_CHECK_INSTANCE_CAST((obj), EMPATHY_TYPE_TLS_CERTIFICATE, \ + EmpathyTLSCertificate)) +#define EMPATHY_TLS_CERTIFICATE_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_CAST((klass), EMPATHY_TYPE_TLS_CERTIFICATE, \ + EmpathyTLSCertificateClass)) +#define EMPATHY_IS_TLS_CERTIFICATE(obj) \ + (G_TYPE_CHECK_INSTANCE_TYPE((obj), EMPATHY_TYPE_TLS_CERTIFICATE)) +#define EMPATHY_IS_TLS_CERTIFICATE_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_TYPE((klass), EMPATHY_TYPE_TLS_CERTIFICATE)) +#define EMPATHY_TLS_CERTIFICATE_GET_CLASS(obj) \ + (G_TYPE_INSTANCE_GET_CLASS ((obj), EMPATHY_TYPE_TLS_CERTIFICATE, \ + EmpathyTLSCertificateClass)) + +EmpathyTLSCertificate * empathy_tls_certificate_new (TpDBusDaemon *dbus, + const gchar *bus_name, + const gchar *object_path, + GError **error); + +void empathy_tls_certificate_prepare_async (EmpathyTLSCertificate *self, + GAsyncReadyCallback callback, + gpointer user_data); +gboolean empathy_tls_certificate_prepare_finish (EmpathyTLSCertificate *self, + GAsyncResult *result, + GError **error); + +void empathy_tls_certificate_accept_async (EmpathyTLSCertificate *self, + GAsyncReadyCallback callback, + gpointer user_data); +gboolean empathy_tls_certificate_accept_finish (EmpathyTLSCertificate *self, + GAsyncResult *result, + GError **error); + +void empathy_tls_certificate_reject_async (EmpathyTLSCertificate *self, + EmpTLSCertificateRejectReason reason, + GHashTable *details, + GAsyncReadyCallback callback, + gpointer user_data); +gboolean empathy_tls_certificate_reject_finish (EmpathyTLSCertificate *self, + GAsyncResult *result, + GError **error); + +void empathy_tls_certificate_store_ca (EmpathyTLSCertificate *self); + +G_END_DECLS + +#endif /* #ifndef __EMPATHY_TLS_CERTIFICATE_H__*/ diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c new file mode 100644 index 000000000..000c9a35b --- /dev/null +++ b/libempathy/empathy-tls-verifier.c @@ -0,0 +1,737 @@ +/* + * empathy-tls-verifier.c - Source for EmpathyTLSVerifier + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + * + * Some snippets are taken from GnuTLS 2.8.6, which is distributed under the + * same GNU Lesser General Public License 2.1 (or later) version. See + * get_certified_hostname (). + */ + +#include <config.h> + +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> + +#include <telepathy-glib/util.h> + +#include "empathy-tls-verifier.h" + +#define DEBUG_FLAG EMPATHY_DEBUG_TLS +#include "empathy-debug.h" +#include "empathy-utils.h" + +G_DEFINE_TYPE (EmpathyTLSVerifier, empathy_tls_verifier, + G_TYPE_OBJECT) + +#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSVerifier); + +enum { + PROP_TLS_CERTIFICATE = 1, + PROP_HOSTNAME, + + LAST_PROPERTY, +}; + +static const gchar* system_ca_paths[] = { + "/etc/ssl/certs/ca-certificates.crt", + NULL, +}; + +typedef struct { + GPtrArray *cert_chain; + + GPtrArray *trusted_ca_list; + GPtrArray *trusted_crl_list; + + EmpathyTLSCertificate *certificate; + gchar *hostname; + + GSimpleAsyncResult *verify_result; + GHashTable *details; + + gboolean dispose_run; +} EmpathyTLSVerifierPriv; + +static gnutls_x509_crt_t * +ptr_array_to_x509_crt_list (GPtrArray *chain) +{ + gnutls_x509_crt_t *retval; + gint idx; + + retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * chain->len); + + for (idx = 0; idx < (gint) chain->len; idx++) + retval[idx] = g_ptr_array_index (chain, idx); + + return retval; +} + +static gboolean +verification_output_to_reason (gint res, + guint verify_output, + EmpTLSCertificateRejectReason *reason) +{ + gboolean retval = TRUE; + + g_assert (reason != NULL); + + if (res != GNUTLS_E_SUCCESS) + { + retval = FALSE; + + /* the certificate is not structurally valid */ + switch (res) + { + case GNUTLS_E_INSUFFICIENT_CREDENTIALS: + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED; + break; + case GNUTLS_E_CONSTRAINT_ERROR: + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED; + break; + default: + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + break; + } + + goto out; + } + + /* the certificate is structurally valid, check for other errors. */ + if (verify_output & GNUTLS_CERT_INVALID) + { + retval = FALSE; + + if (verify_output & GNUTLS_CERT_SIGNER_NOT_FOUND) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED; + else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED; + else if (verify_output & GNUTLS_CERT_INSECURE_ALGORITHM) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE; + else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED; + else if (verify_output & GNUTLS_CERT_EXPIRED) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED; + else + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + + goto out; + } + + out: + return retval; +} + +static gboolean +verify_last_certificate (EmpathyTLSVerifier *self, + gnutls_x509_crt_t cert, + EmpTLSCertificateRejectReason *reason) +{ + guint verify_output; + gint res; + gnutls_x509_crt_t *trusted_ca_list; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + if (priv->trusted_ca_list->len > 0) + { + trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list); + res = gnutls_x509_crt_verify (cert, trusted_ca_list, + priv->trusted_ca_list->len, 0, &verify_output); + + DEBUG ("Checking last certificate %p against trusted CAs, output %u", + cert, verify_output); + + g_free (trusted_ca_list); + } + else + { + /* check it against itself to see if it's structurally valid */ + res = gnutls_x509_crt_verify (cert, &cert, 1, 0, &verify_output); + + DEBUG ("Checking last certificate %p against itself, output %u", cert, + verify_output); + + /* if it's valid, return the SelfSigned error, so that we can add it + * later to our trusted CAs whitelist. + */ + if (res == GNUTLS_E_SUCCESS) + { + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED; + return FALSE; + } + } + + return verification_output_to_reason (res, verify_output, reason); +} + +static gboolean +verify_certificate (EmpathyTLSVerifier *self, + gnutls_x509_crt_t cert, + gnutls_x509_crt_t issuer, + EmpTLSCertificateRejectReason *reason) +{ + guint verify_output; + gint res; + + res = gnutls_x509_crt_verify (cert, &issuer, 1, 0, &verify_output); + + DEBUG ("Verifying %p against %p, output %u", cert, issuer, verify_output); + + return verification_output_to_reason (res, verify_output, reason); +} + +static void +complete_verification (EmpathyTLSVerifier *self) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + DEBUG ("Verification successful, completing..."); + + g_simple_async_result_complete_in_idle (priv->verify_result); + + tp_clear_object (&priv->verify_result); +} + +static void +abort_verification (EmpathyTLSVerifier *self, + EmpTLSCertificateRejectReason reason) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + DEBUG ("Verification error %u, aborting...", reason); + + g_simple_async_result_set_error (priv->verify_result, + G_IO_ERROR, reason, "TLS verification failed with reason %u", + reason); + g_simple_async_result_complete_in_idle (priv->verify_result); + + tp_clear_object (&priv->verify_result); +} + +static gchar * +get_certified_hostname (gnutls_x509_crt_t cert) +{ + gchar dns_name[256]; + gsize dns_name_size; + gint idx; + gint res = 0; + + /* this snippet is taken from GnuTLS. + * see gnutls/lib/x509/rfc2818_hostname.c + */ + for (idx = 0; res >= 0; idx++) + { + dns_name_size = sizeof (dns_name); + res = gnutls_x509_crt_get_subject_alt_name (cert, idx, + dns_name, &dns_name_size, NULL); + + if (res == GNUTLS_SAN_DNSNAME || res == GNUTLS_SAN_IPADDRESS) + return g_strndup (dns_name, dns_name_size); + } + + dns_name_size = sizeof (dns_name); + res = gnutls_x509_crt_get_dn_by_oid (cert, GNUTLS_OID_X520_COMMON_NAME, + 0, 0, dns_name, &dns_name_size); + + if (res >= 0) + return g_strndup (dns_name, dns_name_size); + + return NULL; +} + +static void +real_start_verification (EmpathyTLSVerifier *self) +{ + gnutls_x509_crt_t first_cert, last_cert; + gint idx; + gboolean res = FALSE; + gint num_certs; + EmpTLSCertificateRejectReason reason = + EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + DEBUG ("Starting verification"); + + /* check if the certificate matches the hostname first. */ + first_cert = g_ptr_array_index (priv->cert_chain, 0); + if (gnutls_x509_crt_check_hostname (first_cert, priv->hostname) == 0) + { + gchar *certified_hostname; + + reason = EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH; + certified_hostname = get_certified_hostname (first_cert); + tp_asv_set_string (priv->details, + "expected-hostname", priv->hostname); + tp_asv_set_string (priv->details, + "certificate-hostname", certified_hostname); + + DEBUG ("Hostname mismatch: got %s but expected %s", + certified_hostname, priv->hostname); + + g_free (certified_hostname); + goto out; + } + + DEBUG ("Hostname matched"); + + num_certs = priv->cert_chain->len; + + if (priv->trusted_ca_list->len > 0) + { + /* if the last certificate is self-signed, and we have a list of + * trusted CAs, ignore it, as we want to check the chain against our + * trusted CAs list first. + */ + last_cert = g_ptr_array_index (priv->cert_chain, num_certs - 1); + + if (gnutls_x509_crt_check_issuer (last_cert, last_cert) > 0) + num_certs--; + } + + for (idx = 1; idx < num_certs; idx++) + { + res = verify_certificate (self, + g_ptr_array_index (priv->cert_chain, idx -1), + g_ptr_array_index (priv->cert_chain, idx), + &reason); + + DEBUG ("Certificate verification %d gave result %d with reason %u", idx, + res, reason); + + if (!res) + { + abort_verification (self, reason); + return; + } + } + + res = verify_last_certificate (self, + g_ptr_array_index (priv->cert_chain, num_certs - 1), + &reason); + + DEBUG ("Last verification gave result %d with reason %u", res, reason); + + out: + if (!res) + { + abort_verification (self, reason); + return; + } + + complete_verification (self); +} + +static gboolean +start_verification (gpointer user_data) +{ + EmpathyTLSVerifier *self = user_data; + + real_start_verification (self); + + return FALSE; +} + +static void +build_gnutls_cert_list (EmpathyTLSVerifier *self) +{ + guint num_certs; + guint idx; + GPtrArray *certificate_data = NULL; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + g_object_get (priv->certificate, + "cert-data", &certificate_data, + NULL); + num_certs = certificate_data->len; + + priv->cert_chain = g_ptr_array_new_with_free_func ( + (GDestroyNotify) gnutls_x509_crt_deinit); + + for (idx = 0; idx < num_certs; idx++) + { + gnutls_x509_crt_t cert; + GArray *one_cert; + gnutls_datum_t datum = { NULL, 0 }; + + one_cert = g_ptr_array_index (certificate_data, idx); + datum.data = (guchar *) one_cert->data; + datum.size = one_cert->len; + + gnutls_x509_crt_init (&cert); + gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER); + + g_ptr_array_add (priv->cert_chain, cert); + } +} + +static gint +get_number_and_type_of_certificates (gnutls_datum_t *datum, + gnutls_x509_crt_fmt_t *format) +{ + gnutls_x509_crt_t fake; + guint retval = 1; + gint res; + + res = gnutls_x509_crt_list_import (&fake, &retval, datum, + GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); + + if (res == GNUTLS_E_SHORT_MEMORY_BUFFER || res > 0) + { + DEBUG ("Found PEM, with %u certificates", retval); + *format = GNUTLS_X509_FMT_PEM; + return retval; + } + + /* try DER */ + res = gnutls_x509_crt_list_import (&fake, &retval, datum, + GNUTLS_X509_FMT_DER, 0); + + if (res > 0) + { + *format = GNUTLS_X509_FMT_DER; + return retval; + } + + return res; +} + +static gboolean +build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job, + GCancellable *cancellable, + gpointer user_data) +{ + gint idx; + gchar *user_certs_dir; + GDir *dir; + GError *error = NULL; + EmpathyTLSVerifier *self = user_data; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + priv->trusted_ca_list = g_ptr_array_new_with_free_func + ((GDestroyNotify) gnutls_x509_crt_deinit); + + for (idx = 0; idx < (gint) G_N_ELEMENTS (system_ca_paths) - 1; idx++) + { + const gchar *path; + gchar *contents = NULL; + gsize length = 0; + gint res, n_certs; + gnutls_x509_crt_t *cert_list; + gnutls_datum_t datum = { NULL, 0 }; + gnutls_x509_crt_fmt_t format = 0; + + path = system_ca_paths[idx]; + g_file_get_contents (path, &contents, &length, &error); + + if (error != NULL) + { + DEBUG ("Unable to read system CAs from path %s: %s", path, + error->message); + g_clear_error (&error); + continue; + } + + datum.data = (guchar *) contents; + datum.size = length; + n_certs = get_number_and_type_of_certificates (&datum, &format); + + if (n_certs < 0) + { + DEBUG ("Unable to parse the system CAs from path %s: GnuTLS " + "returned error %d", path, n_certs); + + g_free (contents); + continue; + } + + cert_list = g_malloc0 (sizeof (gnutls_x509_crt_t) * n_certs); + res = gnutls_x509_crt_list_import (cert_list, (guint *) &n_certs, &datum, + format, 0); + + if (res < 0) + { + DEBUG ("Unable to import system CAs from path %s; " + "GnuTLS returned error %d", path, res); + + g_free (contents); + continue; + } + + DEBUG ("Successfully imported %d system CA certificates from path %s", + n_certs, path); + + /* append the newly created cert structutes into the global GPtrArray */ + for (idx = 0; idx < n_certs; idx++) + g_ptr_array_add (priv->trusted_ca_list, cert_list[idx]); + + g_free (contents); + g_free (cert_list); + } + + /* user certs */ + user_certs_dir = g_build_filename (g_get_user_config_dir (), + "telepathy", "certs", NULL); + dir = g_dir_open (user_certs_dir, 0, &error); + + if (error != NULL) + { + DEBUG ("Can't open the user certs dir at %s: %s", user_certs_dir, + error->message); + + g_error_free (error); + } + else + { + const gchar *cert_name; + + while ((cert_name = g_dir_read_name (dir)) != NULL) + { + gchar *contents = NULL, *cert_path = NULL; + gsize length = 0; + gint res; + gnutls_datum_t datum = { NULL, 0 }; + gnutls_x509_crt_t cert; + + cert_path = g_build_filename (user_certs_dir, cert_name, NULL); + + g_file_get_contents (cert_path, &contents, &length, &error); + + if (error != NULL) + { + DEBUG ("Can't open the certificate file at path %s: %s", + cert_path, error->message); + + g_clear_error (&error); + g_free (cert_path); + continue; + } + + datum.data = (guchar *) contents; + datum.size = length; + + gnutls_x509_crt_init (&cert); + res = gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_PEM); + + if (res != GNUTLS_E_SUCCESS) + { + DEBUG ("Can't import the certificate at path %s: " + "GnuTLS returned %d", cert_path, res); + } + else + { + g_ptr_array_add (priv->trusted_ca_list, cert); + } + + g_free (contents); + g_free (cert_path); + } + + g_dir_close (dir); + } + + g_free (user_certs_dir); + + /* TODO: do the CRL too */ + + g_io_scheduler_job_send_to_mainloop_async (job, + start_verification, self, NULL); + + return FALSE; +} + +static void +empathy_tls_verifier_get_property (GObject *object, + guint property_id, + GValue *value, + GParamSpec *pspec) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_TLS_CERTIFICATE: + g_value_set_object (value, priv->certificate); + break; + case PROP_HOSTNAME: + g_value_set_string (value, priv->hostname); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_tls_verifier_set_property (GObject *object, + guint property_id, + const GValue *value, + GParamSpec *pspec) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_TLS_CERTIFICATE: + priv->certificate = g_value_dup_object (value); + break; + case PROP_HOSTNAME: + priv->hostname = g_value_dup_string (value); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_tls_verifier_dispose (GObject *object) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + if (priv->dispose_run) + return; + + priv->dispose_run = TRUE; + + tp_clear_object (&priv->certificate); + + G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->dispose (object); +} + +static void +empathy_tls_verifier_finalize (GObject *object) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + DEBUG ("%p", object); + + tp_clear_pointer (&priv->trusted_ca_list, g_ptr_array_unref); + tp_clear_pointer (&priv->cert_chain, g_ptr_array_unref); + tp_clear_boxed (G_TYPE_HASH_TABLE, &priv->details); + g_free (priv->hostname); + + G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object); +} + +static void +empathy_tls_verifier_constructed (GObject *object) +{ + EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (object); + + build_gnutls_cert_list (self); + + if (G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed != NULL) + G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed (object); +} + +static void +empathy_tls_verifier_init (EmpathyTLSVerifier *self) +{ + EmpathyTLSVerifierPriv *priv; + + priv = self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self, + EMPATHY_TYPE_TLS_VERIFIER, EmpathyTLSVerifierPriv); + priv->details = tp_asv_new (NULL, NULL); +} + +static void +empathy_tls_verifier_class_init (EmpathyTLSVerifierClass *klass) +{ + GParamSpec *pspec; + GObjectClass *oclass = G_OBJECT_CLASS (klass); + + g_type_class_add_private (klass, sizeof (EmpathyTLSVerifierPriv)); + + oclass->set_property = empathy_tls_verifier_set_property; + oclass->get_property = empathy_tls_verifier_get_property; + oclass->finalize = empathy_tls_verifier_finalize; + oclass->dispose = empathy_tls_verifier_dispose; + oclass->constructed = empathy_tls_verifier_constructed; + + pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate", + "The EmpathyTLSCertificate to be verified.", + EMPATHY_TYPE_TLS_CERTIFICATE, + G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec); + + pspec = g_param_spec_string ("hostname", "The hostname", + "The hostname which should be certified by the certificate.", + NULL, + G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_HOSTNAME, pspec); +} + +EmpathyTLSVerifier * +empathy_tls_verifier_new (EmpathyTLSCertificate *certificate, + const gchar *hostname) +{ + g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate)); + g_assert (hostname != NULL); + + return g_object_new (EMPATHY_TYPE_TLS_VERIFIER, + "certificate", certificate, + "hostname", hostname, + NULL); +} + +void +empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self, + GAsyncReadyCallback callback, + gpointer user_data) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + g_return_if_fail (priv->verify_result == NULL); + + priv->verify_result = g_simple_async_result_new (G_OBJECT (self), + callback, user_data, NULL); + + g_io_scheduler_push_job (build_gnutls_ca_and_crl_lists, + self, NULL, G_PRIORITY_DEFAULT, NULL); +} + +gboolean +empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self, + GAsyncResult *res, + EmpTLSCertificateRejectReason *reason, + GHashTable **details, + GError **error) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res), + error)) + { + if (reason != NULL) + *reason = (*error)->code; + + if (details != NULL) + { + *details = tp_asv_new (NULL, NULL); + tp_g_hash_table_update (*details, priv->details, + (GBoxedCopyFunc) g_strdup, + (GBoxedCopyFunc) tp_g_value_slice_dup); + } + + return FALSE; + } + + if (reason != NULL) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + + return TRUE; +} diff --git a/libempathy/empathy-tls-verifier.h b/libempathy/empathy-tls-verifier.h new file mode 100644 index 000000000..e73a71aeb --- /dev/null +++ b/libempathy/empathy-tls-verifier.h @@ -0,0 +1,79 @@ +/* + * empathy-tls-verifier.h - Header for EmpathyTLSVerifier + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __EMPATHY_TLS_VERIFIER_H__ +#define __EMPATHY_TLS_VERIFIER_H__ + +#include <glib-object.h> +#include <gio/gio.h> + +#include <libempathy/empathy-tls-certificate.h> + +#include <extensions/extensions.h> + +G_BEGIN_DECLS + +typedef struct _EmpathyTLSVerifier EmpathyTLSVerifier; +typedef struct _EmpathyTLSVerifierClass EmpathyTLSVerifierClass; + +struct _EmpathyTLSVerifierClass { + GObjectClass parent_class; +}; + +struct _EmpathyTLSVerifier { + GObject parent; + gpointer priv; +}; + +GType empathy_tls_verifier_get_type (void); + +#define EMPATHY_TYPE_TLS_VERIFIER \ + (empathy_tls_verifier_get_type ()) +#define EMPATHY_TLS_VERIFIER(obj) \ + (G_TYPE_CHECK_INSTANCE_CAST((obj), EMPATHY_TYPE_TLS_VERIFIER, \ + EmpathyTLSVerifier)) +#define EMPATHY_TLS_VERIFIER_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_CAST((klass), EMPATHY_TYPE_TLS_VERIFIER, \ + EmpathyTLSVerifierClass)) +#define EMPATHY_IS_TLS_VERIFIER(obj) \ + (G_TYPE_CHECK_INSTANCE_TYPE((obj), EMPATHY_TYPE_TLS_VERIFIER)) +#define EMPATHY_IS_TLS_VERIFIER_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_TYPE((klass), EMPATHY_TYPE_TLS_VERIFIER)) +#define EMPATHY_TLS_VERIFIER_GET_CLASS(obj) \ + (G_TYPE_INSTANCE_GET_CLASS ((obj), EMPATHY_TYPE_TLS_VERIFIER, \ + EmpathyTLSVerifierClass)) + +EmpathyTLSVerifier * empathy_tls_verifier_new ( + EmpathyTLSCertificate *certificate, + const gchar *hostname); + +void empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self, + GAsyncReadyCallback callback, + gpointer user_data); + +gboolean empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self, + GAsyncResult *res, + EmpTLSCertificateRejectReason *reason, + GHashTable **details, + GError **error); + +G_END_DECLS + +#endif /* #ifndef __EMPATHY_TLS_VERIFIER_H__*/ diff --git a/libempathy/empathy-utils.c b/libempathy/empathy-utils.c index 4ab367b42..579870f80 100644 --- a/libempathy/empathy-utils.c +++ b/libempathy/empathy-utils.c @@ -396,13 +396,24 @@ empathy_dbus_error_name_get_default_message (const gchar *error) } const gchar * -empathy_account_get_error_message (TpAccount *account) +empathy_account_get_error_message (TpAccount *account, + gboolean *user_requested) { const gchar *dbus_error; const gchar *message; + const GHashTable *details = NULL; TpConnectionStatusReason reason; - dbus_error = tp_account_get_detailed_error (account, NULL); + dbus_error = tp_account_get_detailed_error (account, &details); + + if (user_requested != NULL) + { + if (tp_asv_get_boolean (details, "user-requested", NULL)) + *user_requested = TRUE; + else + *user_requested = FALSE; + } + message = empathy_dbus_error_name_get_default_message (dbus_error); if (message != NULL) return message; diff --git a/libempathy/empathy-utils.h b/libempathy/empathy-utils.h index 47b9b84ad..f588479b4 100644 --- a/libempathy/empathy-utils.h +++ b/libempathy/empathy-utils.h @@ -76,7 +76,8 @@ gboolean empathy_check_available_state (void); gint empathy_uint_compare (gconstpointer a, gconstpointer b); -const gchar * empathy_account_get_error_message (TpAccount *account); +const gchar * empathy_account_get_error_message (TpAccount *account, + gboolean *user_requested); gchar *empathy_protocol_icon_name (const gchar *protocol); const gchar *empathy_protocol_name_to_display_name (const gchar *proto_name); diff --git a/po/POTFILES.in b/po/POTFILES.in index ac0f13a67..7c48d9dcf 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -62,6 +62,7 @@ libempathy-gtk/empathy-theme-adium.c libempathy-gtk/empathy-theme-boxes.c libempathy-gtk/empathy-theme-irc.c libempathy-gtk/empathy-theme-manager.c +libempathy-gtk/empathy-tls-dialog.c libempathy-gtk/empathy-ui-utils.c libempathy-gtk/totem-subtitle-encoding.c @@ -72,6 +73,7 @@ src/empathy-about-dialog.c src/empathy-account-assistant.c src/empathy-accounts-dialog.c [type: gettext/glade]src/empathy-accounts-dialog.ui +src/empathy-auth-client.c src/empathy-auto-salut-account-helper.c src/empathy-av.c src/empathy-call-window.c diff --git a/src/Makefile.am b/src/Makefile.am index 8800aee3c..e21b348bb 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -85,7 +85,8 @@ bin_PROGRAMS = \ $(NULL) libexec_PROGRAMS = \ - empathy-av + empathy-av \ + empathy-auth-client BUILT_SOURCES= @@ -110,6 +111,9 @@ empathy_av_SOURCES = \ empathy-sidebar.c empathy-sidebar.h \ $(NULL) +empathy_auth_client_SOURCES = \ + empathy-auth-client.c + empathy_handwritten_source = \ empathy-about-dialog.c empathy-about-dialog.h \ empathy-chat-window.c empathy-chat-window.h \ diff --git a/src/empathy-accounts-dialog.c b/src/empathy-accounts-dialog.c index c41763d90..c753a9f20 100644 --- a/src/empathy-accounts-dialog.c +++ b/src/empathy-accounts-dialog.c @@ -310,7 +310,7 @@ accounts_dialog_update_status_infobar (EmpathyAccountsDialog *dialog, gchar *message; message = g_strdup_printf (_("Offline — %s"), - empathy_account_get_error_message (account)); + empathy_account_get_error_message (account, NULL)); gtk_info_bar_set_message_type (GTK_INFO_BAR (priv->infobar), GTK_MESSAGE_WARNING); @@ -322,7 +322,7 @@ accounts_dialog_update_status_infobar (EmpathyAccountsDialog *dialog, gchar *message; message = g_strdup_printf (_("Disconnected — %s"), - empathy_account_get_error_message (account)); + empathy_account_get_error_message (account, NULL)); gtk_info_bar_set_message_type (GTK_INFO_BAR (priv->infobar), GTK_MESSAGE_ERROR); diff --git a/src/empathy-auth-client.c b/src/empathy-auth-client.c new file mode 100644 index 000000000..17b66a57d --- /dev/null +++ b/src/empathy-auth-client.c @@ -0,0 +1,268 @@ +/* + * Copyright (C) 2010 Collabora Ltd. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public + * License along with this program; if not, write to the + * Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, + * Boston, MA 02110-1301 USA + * + * Authors: Cosimo Cecchi <cosimo.cecchi@collabora.co.uk> + */ + +#include <config.h> + +#include <stdlib.h> +#include <glib.h> +#include <glib/gi18n.h> +#include <gtk/gtk.h> + +#define DEBUG_FLAG EMPATHY_DEBUG_TLS +#include <libempathy/empathy-debug.h> +#include <libempathy/empathy-auth-factory.h> +#include <libempathy/empathy-server-tls-handler.h> +#include <libempathy/empathy-tls-verifier.h> + +#include <libempathy-gtk/empathy-tls-dialog.h> +#include <libempathy-gtk/empathy-ui-utils.h> + +#include <gnutls/gnutls.h> + +#include <extensions/extensions.h> + +#define TIMEOUT 60 + +static gboolean use_timer = TRUE; +static guint timeout_id = 0; +static guint num_windows = 0; + +static gboolean +timeout_cb (gpointer p) +{ + DEBUG ("Timeout reached; exiting..."); + + gtk_main_quit (); + return FALSE; +} + +static void +start_timer (void) +{ + if (!use_timer) + return; + + if (timeout_id != 0) + return; + + DEBUG ("Start timer"); + + timeout_id = g_timeout_add_seconds (TIMEOUT, timeout_cb, NULL); +} + +static void +stop_timer (void) +{ + if (timeout_id == 0) + return; + + DEBUG ("Stop timer"); + + g_source_remove (timeout_id); + timeout_id = 0; +} + +static void +tls_dialog_response_cb (GtkDialog *dialog, + gint response_id, + gpointer user_data) +{ + EmpathyTLSCertificate *certificate = NULL; + EmpTLSCertificateRejectReason reason = 0; + GHashTable *details = NULL; + EmpathyTLSDialog *tls_dialog = EMPATHY_TLS_DIALOG (dialog); + gboolean remember = FALSE; + + DEBUG ("Response %d", response_id); + + g_object_get (tls_dialog, + "certificate", &certificate, + "reason", &reason, + "remember", &remember, + "details", &details, + NULL); + + gtk_widget_destroy (GTK_WIDGET (dialog)); + + if (response_id == GTK_RESPONSE_YES) + { + empathy_tls_certificate_accept_async (certificate, NULL, NULL); + } + else + { + tp_asv_set_boolean (details, "user-requested", TRUE); + empathy_tls_certificate_reject_async (certificate, reason, details, + NULL, NULL); + } + + if (remember) + empathy_tls_certificate_store_ca (certificate); + + g_object_unref (certificate); + g_hash_table_unref (details); + + /* restart the timeout */ + num_windows--; + + if (num_windows > 0) + return; + + start_timer (); +} + +static void +display_interactive_dialog (EmpathyTLSCertificate *certificate, + EmpTLSCertificateRejectReason reason, + GHashTable *details) +{ + GtkWidget *tls_dialog; + + /* stop the timeout */ + num_windows++; + stop_timer (); + + tls_dialog = empathy_tls_dialog_new (certificate, reason, details); + g_signal_connect (tls_dialog, "response", + G_CALLBACK (tls_dialog_response_cb), NULL); + + gtk_widget_show (tls_dialog); +} + +static void +verifier_verify_cb (GObject *source, + GAsyncResult *result, + gpointer user_data) +{ + gboolean res; + EmpTLSCertificateRejectReason reason; + GError *error = NULL; + EmpathyTLSCertificate *certificate = NULL; + GHashTable *details = NULL; + + g_object_get (source, + "certificate", &certificate, + NULL); + + res = empathy_tls_verifier_verify_finish (EMPATHY_TLS_VERIFIER (source), + result, &reason, &details, &error); + + if (error != NULL) + { + DEBUG ("Error: %s", error->message); + display_interactive_dialog (certificate, reason, details); + + g_error_free (error); + } + else + { + empathy_tls_certificate_accept_async (certificate, NULL, NULL); + } + + g_object_unref (certificate); +} + +static void +auth_factory_new_handler_cb (EmpathyAuthFactory *factory, + EmpathyServerTLSHandler *handler, + gpointer user_data) +{ + EmpathyTLSCertificate *certificate = NULL; + gchar *hostname = NULL; + EmpathyTLSVerifier *verifier; + + DEBUG ("New TLS server handler received from the factory"); + + g_object_get (handler, + "certificate", &certificate, + "hostname", &hostname, + NULL); + + verifier = empathy_tls_verifier_new (certificate, hostname); + empathy_tls_verifier_verify_async (verifier, + verifier_verify_cb, NULL); + + g_object_unref (verifier); + g_object_unref (certificate); + g_free (hostname); +} + +int +main (int argc, + char **argv) +{ + GOptionContext *context; + GError *error = NULL; + EmpathyAuthFactory *factory; + + g_thread_init (NULL); + + context = g_option_context_new (N_(" - Empathy authentication client")); + g_option_context_add_group (context, gtk_get_option_group (TRUE)); + g_option_context_set_translation_domain (context, GETTEXT_PACKAGE); + + if (!g_option_context_parse (context, &argc, &argv, &error)) + { + g_print ("%s\nRun '%s --help' to see a full list of available command " + "line options.\n", error->message, argv[0]); + g_warning ("Error in empathy-auth-client init: %s", error->message); + return EXIT_FAILURE; + } + + g_option_context_free (context); + + empathy_gtk_init (); + gnutls_global_init (); + g_set_application_name (_("Empathy authentication client")); + + gtk_window_set_default_icon_name ("empathy"); + textdomain (GETTEXT_PACKAGE); + + factory = empathy_auth_factory_dup_singleton (); + + g_signal_connect (factory, "new-server-tls-handler", + G_CALLBACK (auth_factory_new_handler_cb), NULL); + + if (!empathy_auth_factory_register (factory, &error)) + { + g_critical ("Failed to register the auth factory: %s\n", error->message); + g_error_free (error); + g_object_unref (factory); + + return EXIT_FAILURE; + } + + DEBUG ("Empathy auth client started."); + + if (g_getenv ("EMPATHY_PERSIST") != NULL) + { + DEBUG ("Timed-exit disabled"); + + use_timer = FALSE; + } + + start_timer (); + + gtk_main (); + + g_object_unref (factory); + + return EXIT_SUCCESS; +} diff --git a/src/empathy-main-window.c b/src/empathy-main-window.c index ff8bb5e98..0efa4a97d 100644 --- a/src/empathy-main-window.c +++ b/src/empathy-main-window.c @@ -475,10 +475,19 @@ main_window_error_display (EmpathyMainWindow *window, GtkWidget *action_table; gchar *str; const gchar *icon_name; + const gchar *error_message; + gboolean user_requested; + + error_message = + empathy_account_get_error_message (account, &user_requested); + + if (user_requested) { + return; + } str = g_markup_printf_escaped ("<b>%s</b>\n%s", tp_account_get_display_name (account), - empathy_account_get_error_message (account)); + error_message); info_bar = g_hash_table_lookup (priv->errors, account); if (info_bar) { |