aboutsummaryrefslogtreecommitdiffstats
path: root/libempathy/empathy-tls-verifier.c
diff options
context:
space:
mode:
authorCosimo Cecchi <cosimoc@gnome.org>2010-08-12 00:33:08 +0800
committerCosimo Cecchi <cosimoc@gnome.org>2010-08-13 22:22:23 +0800
commit6a16791dc335fed6706352e1612893f312a80a3f (patch)
tree88dc6fa0ea813f5c6b53f6819e075146cd73c178 /libempathy/empathy-tls-verifier.c
parent2f63c0828065d86239a6ff6ebbb8b07ddc929046 (diff)
downloadgsoc2013-empathy-6a16791dc335fed6706352e1612893f312a80a3f.tar
gsoc2013-empathy-6a16791dc335fed6706352e1612893f312a80a3f.tar.gz
gsoc2013-empathy-6a16791dc335fed6706352e1612893f312a80a3f.tar.bz2
gsoc2013-empathy-6a16791dc335fed6706352e1612893f312a80a3f.tar.lz
gsoc2013-empathy-6a16791dc335fed6706352e1612893f312a80a3f.tar.xz
gsoc2013-empathy-6a16791dc335fed6706352e1612893f312a80a3f.tar.zst
gsoc2013-empathy-6a16791dc335fed6706352e1612893f312a80a3f.zip
Add EmpathyTLSVerifier
This also introduces a dependency on GnuTLS
Diffstat (limited to 'libempathy/empathy-tls-verifier.c')
-rw-r--r--libempathy/empathy-tls-verifier.c558
1 files changed, 558 insertions, 0 deletions
diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c
new file mode 100644
index 000000000..55688f99c
--- /dev/null
+++ b/libempathy/empathy-tls-verifier.c
@@ -0,0 +1,558 @@
+/*
+ * empathy-tls-verifier.c - Source for EmpathyTLSVerifier
+ * Copyright (C) 2010 Collabora Ltd.
+ * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <config.h>
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+#include <telepathy-glib/util.h>
+
+#include "empathy-tls-verifier.h"
+
+#define DEBUG_FLAG EMPATHY_DEBUG_TLS
+#include "empathy-debug.h"
+#include "empathy-utils.h"
+
+G_DEFINE_TYPE (EmpathyTLSVerifier, empathy_tls_verifier,
+ G_TYPE_OBJECT)
+
+#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSVerifier);
+
+enum {
+ PROP_TLS_CERTIFICATE = 1,
+ PROP_HOSTNAME,
+
+ LAST_PROPERTY,
+};
+
+static const gchar* system_ca_paths[] = {
+ "/etc/ssl/certs/ca-certificates.crt",
+ NULL,
+};
+
+typedef struct {
+ GPtrArray *cert_chain;
+
+ GPtrArray *trusted_ca_list;
+ GPtrArray *trusted_crl_list;
+
+ EmpathyTLSCertificate *certificate;
+ gchar *hostname;
+
+ GSimpleAsyncResult *verify_result;
+
+ gboolean dispose_run;
+} EmpathyTLSVerifierPriv;
+
+static gnutls_x509_crt_t *
+ptr_array_to_x509_crt_list (GPtrArray *chain)
+{
+ gnutls_x509_crt_t *retval;
+ gint idx;
+
+ retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * chain->len);
+
+ for (idx = 0; idx < (gint) chain->len; idx++)
+ retval[idx] = g_ptr_array_index (chain, idx);
+
+ return retval;
+}
+
+static gboolean
+verification_output_to_reason (gint res,
+ guint verify_output,
+ EmpTLSCertificateRejectReason *reason)
+{
+ gboolean retval = TRUE;
+
+ if (res != GNUTLS_E_SUCCESS)
+ {
+ retval = FALSE;
+
+ /* the certificate is not structurally valid */
+ switch (res)
+ {
+ case GNUTLS_E_INSUFFICIENT_CREDENTIALS:
+ *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
+ break;
+ case GNUTLS_E_CONSTRAINT_ERROR:
+ *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED;
+ break;
+ default:
+ *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+ break;
+ }
+
+ goto out;
+ }
+
+ /* the certificate is structurally valid, check for other errors. */
+ if (verify_output & GNUTLS_CERT_INVALID)
+ {
+ retval = FALSE;
+
+ if (verify_output & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
+ else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA)
+ *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
+ else if (verify_output & GNUTLS_CERT_INSECURE_ALGORITHM)
+ *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE;
+ else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED)
+ *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;
+ else if (verify_output & GNUTLS_CERT_EXPIRED)
+ *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;
+ else
+ *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+
+ goto out;
+ }
+
+ out:
+ return retval;
+}
+
+static gboolean
+verify_last_certificate (EmpathyTLSVerifier *self,
+ gnutls_x509_crt_t cert,
+ EmpTLSCertificateRejectReason *reason)
+{
+ guint verify_output;
+ gint res;
+ gnutls_x509_crt_t *trusted_ca_list;
+ EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+ trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list);
+ res = gnutls_x509_crt_verify (cert, trusted_ca_list,
+ priv->trusted_ca_list->len, 0, &verify_output);
+
+ g_free (trusted_ca_list);
+
+ return verification_output_to_reason (res, verify_output, reason);
+}
+
+static gboolean
+verify_certificate (EmpathyTLSVerifier *self,
+ gnutls_x509_crt_t cert,
+ gnutls_x509_crt_t issuer,
+ EmpTLSCertificateRejectReason *reason)
+{
+ guint verify_output;
+ gint res;
+
+ res = gnutls_x509_crt_verify (cert, &issuer, 1, 0, &verify_output);
+
+ return verification_output_to_reason (res, verify_output, reason);
+}
+
+static void
+complete_verification (EmpathyTLSVerifier *self)
+{
+ EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+ DEBUG ("Verification successful, completing...");
+
+ g_simple_async_result_complete_in_idle (priv->verify_result);
+
+ tp_clear_object (&priv->verify_result);
+}
+
+static void
+abort_verification (EmpathyTLSVerifier *self,
+ EmpTLSCertificateRejectReason reason)
+{
+ EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+ DEBUG ("Verification error %u, aborting...", reason);
+
+ g_simple_async_result_set_error (priv->verify_result,
+ G_IO_ERROR, reason, "TLS verification failed with reason %u",
+ reason);
+ g_simple_async_result_complete_in_idle (priv->verify_result);
+
+ tp_clear_object (&priv->verify_result);
+}
+
+static void
+real_start_verification (EmpathyTLSVerifier *self)
+{
+ gnutls_x509_crt_t last_cert;
+ gint idx;
+ gboolean res = FALSE;
+ gint num_certs;
+ EmpTLSCertificateRejectReason reason =
+ EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+ EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+ num_certs = priv->cert_chain->len;
+
+ DEBUG ("Starting verification");
+
+ if (priv->trusted_ca_list->len > 0)
+ {
+ /* if the last certificate is self-signed, ignore it, as we want to check
+ * the chain against our trusted CA list first.
+ */
+ last_cert = g_ptr_array_index (priv->cert_chain, num_certs - 1);
+
+ if (gnutls_x509_crt_check_issuer (last_cert, last_cert) > 0)
+ num_certs--;
+ }
+
+ for (idx = 1; idx < num_certs; idx++)
+ {
+ res = verify_certificate (self,
+ g_ptr_array_index (priv->cert_chain, idx -1),
+ g_ptr_array_index (priv->cert_chain, idx),
+ &reason);
+
+ DEBUG ("Certificate verification %d gave result %d with reason %u", idx,
+ res, reason);
+
+ if (!res)
+ {
+ abort_verification (self, reason);
+ return;
+ }
+ }
+
+ if (priv->trusted_ca_list->len > 0)
+ {
+ res = verify_last_certificate (self,
+ g_ptr_array_index (priv->cert_chain, num_certs),
+ &reason);
+ }
+
+ if (!res)
+ {
+ abort_verification (self, reason);
+ return;
+ }
+
+ complete_verification (self);
+}
+
+static gboolean
+start_verification (gpointer user_data)
+{
+ EmpathyTLSVerifier *self = user_data;
+
+ real_start_verification (self);
+
+ return FALSE;
+}
+
+static void
+build_gnutls_cert_list (EmpathyTLSVerifier *self)
+{
+ guint num_certs;
+ guint idx;
+ GPtrArray *certificate_data = NULL;
+ EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+ g_object_get (priv->certificate,
+ "cert-data", &certificate_data,
+ NULL);
+ num_certs = certificate_data->len;
+
+ priv->cert_chain = g_ptr_array_sized_new (num_certs);
+
+ for (idx = 0; idx < num_certs; idx++)
+ {
+ gnutls_x509_crt_t cert;
+ GArray *one_cert;
+ gnutls_datum_t datum = { NULL, 0 };
+
+ one_cert = g_ptr_array_index (certificate_data, idx);
+ datum.data = (guchar *) one_cert->data;
+ datum.size = one_cert->len;
+
+ gnutls_x509_crt_init (&cert);
+ gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER);
+
+ g_ptr_array_add (priv->cert_chain, cert);
+ }
+}
+
+static gint
+get_number_and_type_of_certificates (gnutls_datum_t *datum,
+ gnutls_x509_crt_fmt_t *format)
+{
+ gnutls_x509_crt_t fake;
+ gint retval = 1;
+ gint res;
+
+ res = gnutls_x509_crt_list_import (&fake, (guint *) &retval, datum,
+ GNUTLS_X509_FMT_PEM, 0);
+
+ if (res == GNUTLS_E_SHORT_MEMORY_BUFFER || res > 0)
+ {
+ *format = GNUTLS_X509_FMT_PEM;
+ return retval;
+ }
+
+ /* try DER */
+ res = gnutls_x509_crt_list_import (&fake, (guint *) &retval, datum,
+ GNUTLS_X509_FMT_DER, 0);
+
+ if (res > 0)
+ {
+ *format = GNUTLS_X509_FMT_DER;
+ return retval;
+ }
+
+ return res;
+}
+
+static gboolean
+build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job,
+ GCancellable *cancellable,
+ gpointer user_data)
+{
+ gint idx;
+ EmpathyTLSVerifier *self = user_data;
+ EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+ priv->trusted_ca_list = g_ptr_array_new ();
+
+ for (idx = 0; idx < (gint) G_N_ELEMENTS (system_ca_paths) - 1; idx++)
+ {
+ const gchar *path;
+ gchar *contents = NULL;
+ gsize length = 0;
+ gint res, n_certs;
+ gnutls_x509_crt_t *cert_list;
+ gnutls_datum_t datum = { NULL, 0 };
+ gnutls_x509_crt_fmt_t format = 0;
+ GError *error = NULL;
+
+ path = system_ca_paths[idx];
+ g_file_get_contents (path, &contents, &length, &error);
+
+ if (error != NULL)
+ {
+ DEBUG ("Unable to read system CAs from path %s", path);
+ g_error_free (error);
+ continue;
+ }
+
+ datum.data = (guchar *) contents;
+ datum.size = length;
+ n_certs = get_number_and_type_of_certificates (&datum, &format);
+
+ if (n_certs < 0)
+ {
+ DEBUG ("Unable to parse the system CAs from path %s: GnuTLS "
+ "returned error %d", path, n_certs);
+
+ g_free (contents);
+ continue;
+ }
+
+ cert_list = g_malloc0 (sizeof (gnutls_x509_crt_t) * n_certs);
+ res = gnutls_x509_crt_list_import (cert_list, (guint *) &n_certs, &datum,
+ format, 0);
+
+ if (res < 0)
+ {
+ DEBUG ("Unable to import system CAs from path %s; "
+ "GnuTLS returned error %d", path, res);
+
+ g_free (contents);
+ continue;
+ }
+
+ DEBUG ("Successfully imported %d system CA certificates from path %s",
+ n_certs, path);
+
+ /* append the newly created cert structutes into the global GPtrArray */
+ for (idx = 0; idx < n_certs; idx++)
+ g_ptr_array_add (priv->trusted_ca_list, cert_list[idx]);
+
+ g_free (contents);
+ }
+
+ /* TODO: do the CRL too */
+
+ g_io_scheduler_job_send_to_mainloop_async (job,
+ start_verification, self, NULL);
+
+ return FALSE;
+}
+
+static void
+empathy_tls_verifier_get_property (GObject *object,
+ guint property_id,
+ GValue *value,
+ GParamSpec *pspec)
+{
+ EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
+
+ switch (property_id)
+ {
+ case PROP_TLS_CERTIFICATE:
+ g_value_set_object (value, priv->certificate);
+ break;
+ case PROP_HOSTNAME:
+ g_value_set_string (value, priv->hostname);
+ break;
+ default:
+ G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
+ break;
+ }
+}
+
+static void
+empathy_tls_verifier_set_property (GObject *object,
+ guint property_id,
+ const GValue *value,
+ GParamSpec *pspec)
+{
+ EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
+
+ switch (property_id)
+ {
+ case PROP_TLS_CERTIFICATE:
+ priv->certificate = g_value_dup_object (value);
+ break;
+ case PROP_HOSTNAME:
+ priv->hostname = g_value_dup_string (value);
+ break;
+ default:
+ G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
+ break;
+ }
+}
+
+static void
+empathy_tls_verifier_dispose (GObject *object)
+{
+ EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
+
+ if (priv->dispose_run)
+ return;
+
+ priv->dispose_run = TRUE;
+
+ tp_clear_object (&priv->certificate);
+
+ G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->dispose (object);
+}
+
+static void
+empathy_tls_verifier_finalize (GObject *object)
+{
+ EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
+
+ DEBUG ("%p", object);
+
+ g_free (priv->hostname);
+
+ G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object);
+}
+
+static void
+empathy_tls_verifier_constructed (GObject *object)
+{
+ EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (object);
+
+ build_gnutls_cert_list (self);
+
+ if (G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed != NULL)
+ G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed (object);
+}
+
+static void
+empathy_tls_verifier_init (EmpathyTLSVerifier *self)
+{
+ self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
+ EMPATHY_TYPE_TLS_VERIFIER, EmpathyTLSVerifierPriv);
+}
+
+static void
+empathy_tls_verifier_class_init (EmpathyTLSVerifierClass *klass)
+{
+ GParamSpec *pspec;
+ GObjectClass *oclass = G_OBJECT_CLASS (klass);
+
+ g_type_class_add_private (klass, sizeof (EmpathyTLSVerifierPriv));
+
+ oclass->set_property = empathy_tls_verifier_set_property;
+ oclass->get_property = empathy_tls_verifier_get_property;
+ oclass->finalize = empathy_tls_verifier_finalize;
+ oclass->dispose = empathy_tls_verifier_dispose;
+ oclass->constructed = empathy_tls_verifier_constructed;
+
+ pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate",
+ "The EmpathyTLSCertificate to be verified.",
+ EMPATHY_TYPE_TLS_CERTIFICATE,
+ G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
+ g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec);
+
+ pspec = g_param_spec_string ("hostname", "The hostname",
+ "The hostname which should be certified by the certificate.",
+ NULL,
+ G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
+ g_object_class_install_property (oclass, PROP_HOSTNAME, pspec);
+}
+
+EmpathyTLSVerifier *
+empathy_tls_verifier_new (EmpathyTLSCertificate *certificate,
+ const gchar *hostname)
+{
+ g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate));
+ g_assert (hostname != NULL);
+
+ return g_object_new (EMPATHY_TYPE_TLS_VERIFIER,
+ "certificate", certificate,
+ "hostname", hostname,
+ NULL);
+}
+
+void
+empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self,
+ GAsyncReadyCallback callback,
+ gpointer user_data)
+{
+ EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+ priv->verify_result = g_simple_async_result_new (G_OBJECT (self),
+ callback, user_data, NULL);
+
+ g_io_scheduler_push_job (build_gnutls_ca_and_crl_lists,
+ self, NULL, G_PRIORITY_DEFAULT, NULL);
+}
+
+gboolean
+empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self,
+ GAsyncResult *res,
+ EmpTLSCertificateRejectReason *reason,
+ GError **error)
+{
+ if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res),
+ error))
+ {
+ *reason = (*error)->code;
+ return FALSE;
+ }
+
+ *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+ return TRUE;
+}