diff options
Diffstat (limited to 'libempathy/empathy-tls-verifier.c')
| -rw-r--r-- | libempathy/empathy-tls-verifier.c | 737 |
1 files changed, 737 insertions, 0 deletions
diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c new file mode 100644 index 000000000..000c9a35b --- /dev/null +++ b/libempathy/empathy-tls-verifier.c @@ -0,0 +1,737 @@ +/* + * empathy-tls-verifier.c - Source for EmpathyTLSVerifier + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + * + * Some snippets are taken from GnuTLS 2.8.6, which is distributed under the + * same GNU Lesser General Public License 2.1 (or later) version. See + * get_certified_hostname (). + */ + +#include <config.h> + +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> + +#include <telepathy-glib/util.h> + +#include "empathy-tls-verifier.h" + +#define DEBUG_FLAG EMPATHY_DEBUG_TLS +#include "empathy-debug.h" +#include "empathy-utils.h" + +G_DEFINE_TYPE (EmpathyTLSVerifier, empathy_tls_verifier, + G_TYPE_OBJECT) + +#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSVerifier); + +enum { + PROP_TLS_CERTIFICATE = 1, + PROP_HOSTNAME, + + LAST_PROPERTY, +}; + +static const gchar* system_ca_paths[] = { + "/etc/ssl/certs/ca-certificates.crt", + NULL, +}; + +typedef struct { + GPtrArray *cert_chain; + + GPtrArray *trusted_ca_list; + GPtrArray *trusted_crl_list; + + EmpathyTLSCertificate *certificate; + gchar *hostname; + + GSimpleAsyncResult *verify_result; + GHashTable *details; + + gboolean dispose_run; +} EmpathyTLSVerifierPriv; + +static gnutls_x509_crt_t * +ptr_array_to_x509_crt_list (GPtrArray *chain) +{ + gnutls_x509_crt_t *retval; + gint idx; + + retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * chain->len); + + for (idx = 0; idx < (gint) chain->len; idx++) + retval[idx] = g_ptr_array_index (chain, idx); + + return retval; +} + +static gboolean +verification_output_to_reason (gint res, + guint verify_output, + EmpTLSCertificateRejectReason *reason) +{ + gboolean retval = TRUE; + + g_assert (reason != NULL); + + if (res != GNUTLS_E_SUCCESS) + { + retval = FALSE; + + /* the certificate is not structurally valid */ + switch (res) + { + case GNUTLS_E_INSUFFICIENT_CREDENTIALS: + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED; + break; + case GNUTLS_E_CONSTRAINT_ERROR: + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED; + break; + default: + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + break; + } + + goto out; + } + + /* the certificate is structurally valid, check for other errors. */ + if (verify_output & GNUTLS_CERT_INVALID) + { + retval = FALSE; + + if (verify_output & GNUTLS_CERT_SIGNER_NOT_FOUND) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED; + else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED; + else if (verify_output & GNUTLS_CERT_INSECURE_ALGORITHM) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE; + else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED; + else if (verify_output & GNUTLS_CERT_EXPIRED) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED; + else + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + + goto out; + } + + out: + return retval; +} + +static gboolean +verify_last_certificate (EmpathyTLSVerifier *self, + gnutls_x509_crt_t cert, + EmpTLSCertificateRejectReason *reason) +{ + guint verify_output; + gint res; + gnutls_x509_crt_t *trusted_ca_list; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + if (priv->trusted_ca_list->len > 0) + { + trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list); + res = gnutls_x509_crt_verify (cert, trusted_ca_list, + priv->trusted_ca_list->len, 0, &verify_output); + + DEBUG ("Checking last certificate %p against trusted CAs, output %u", + cert, verify_output); + + g_free (trusted_ca_list); + } + else + { + /* check it against itself to see if it's structurally valid */ + res = gnutls_x509_crt_verify (cert, &cert, 1, 0, &verify_output); + + DEBUG ("Checking last certificate %p against itself, output %u", cert, + verify_output); + + /* if it's valid, return the SelfSigned error, so that we can add it + * later to our trusted CAs whitelist. + */ + if (res == GNUTLS_E_SUCCESS) + { + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED; + return FALSE; + } + } + + return verification_output_to_reason (res, verify_output, reason); +} + +static gboolean +verify_certificate (EmpathyTLSVerifier *self, + gnutls_x509_crt_t cert, + gnutls_x509_crt_t issuer, + EmpTLSCertificateRejectReason *reason) +{ + guint verify_output; + gint res; + + res = gnutls_x509_crt_verify (cert, &issuer, 1, 0, &verify_output); + + DEBUG ("Verifying %p against %p, output %u", cert, issuer, verify_output); + + return verification_output_to_reason (res, verify_output, reason); +} + +static void +complete_verification (EmpathyTLSVerifier *self) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + DEBUG ("Verification successful, completing..."); + + g_simple_async_result_complete_in_idle (priv->verify_result); + + tp_clear_object (&priv->verify_result); +} + +static void +abort_verification (EmpathyTLSVerifier *self, + EmpTLSCertificateRejectReason reason) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + DEBUG ("Verification error %u, aborting...", reason); + + g_simple_async_result_set_error (priv->verify_result, + G_IO_ERROR, reason, "TLS verification failed with reason %u", + reason); + g_simple_async_result_complete_in_idle (priv->verify_result); + + tp_clear_object (&priv->verify_result); +} + +static gchar * +get_certified_hostname (gnutls_x509_crt_t cert) +{ + gchar dns_name[256]; + gsize dns_name_size; + gint idx; + gint res = 0; + + /* this snippet is taken from GnuTLS. + * see gnutls/lib/x509/rfc2818_hostname.c + */ + for (idx = 0; res >= 0; idx++) + { + dns_name_size = sizeof (dns_name); + res = gnutls_x509_crt_get_subject_alt_name (cert, idx, + dns_name, &dns_name_size, NULL); + + if (res == GNUTLS_SAN_DNSNAME || res == GNUTLS_SAN_IPADDRESS) + return g_strndup (dns_name, dns_name_size); + } + + dns_name_size = sizeof (dns_name); + res = gnutls_x509_crt_get_dn_by_oid (cert, GNUTLS_OID_X520_COMMON_NAME, + 0, 0, dns_name, &dns_name_size); + + if (res >= 0) + return g_strndup (dns_name, dns_name_size); + + return NULL; +} + +static void +real_start_verification (EmpathyTLSVerifier *self) +{ + gnutls_x509_crt_t first_cert, last_cert; + gint idx; + gboolean res = FALSE; + gint num_certs; + EmpTLSCertificateRejectReason reason = + EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + DEBUG ("Starting verification"); + + /* check if the certificate matches the hostname first. */ + first_cert = g_ptr_array_index (priv->cert_chain, 0); + if (gnutls_x509_crt_check_hostname (first_cert, priv->hostname) == 0) + { + gchar *certified_hostname; + + reason = EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH; + certified_hostname = get_certified_hostname (first_cert); + tp_asv_set_string (priv->details, + "expected-hostname", priv->hostname); + tp_asv_set_string (priv->details, + "certificate-hostname", certified_hostname); + + DEBUG ("Hostname mismatch: got %s but expected %s", + certified_hostname, priv->hostname); + + g_free (certified_hostname); + goto out; + } + + DEBUG ("Hostname matched"); + + num_certs = priv->cert_chain->len; + + if (priv->trusted_ca_list->len > 0) + { + /* if the last certificate is self-signed, and we have a list of + * trusted CAs, ignore it, as we want to check the chain against our + * trusted CAs list first. + */ + last_cert = g_ptr_array_index (priv->cert_chain, num_certs - 1); + + if (gnutls_x509_crt_check_issuer (last_cert, last_cert) > 0) + num_certs--; + } + + for (idx = 1; idx < num_certs; idx++) + { + res = verify_certificate (self, + g_ptr_array_index (priv->cert_chain, idx -1), + g_ptr_array_index (priv->cert_chain, idx), + &reason); + + DEBUG ("Certificate verification %d gave result %d with reason %u", idx, + res, reason); + + if (!res) + { + abort_verification (self, reason); + return; + } + } + + res = verify_last_certificate (self, + g_ptr_array_index (priv->cert_chain, num_certs - 1), + &reason); + + DEBUG ("Last verification gave result %d with reason %u", res, reason); + + out: + if (!res) + { + abort_verification (self, reason); + return; + } + + complete_verification (self); +} + +static gboolean +start_verification (gpointer user_data) +{ + EmpathyTLSVerifier *self = user_data; + + real_start_verification (self); + + return FALSE; +} + +static void +build_gnutls_cert_list (EmpathyTLSVerifier *self) +{ + guint num_certs; + guint idx; + GPtrArray *certificate_data = NULL; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + g_object_get (priv->certificate, + "cert-data", &certificate_data, + NULL); + num_certs = certificate_data->len; + + priv->cert_chain = g_ptr_array_new_with_free_func ( + (GDestroyNotify) gnutls_x509_crt_deinit); + + for (idx = 0; idx < num_certs; idx++) + { + gnutls_x509_crt_t cert; + GArray *one_cert; + gnutls_datum_t datum = { NULL, 0 }; + + one_cert = g_ptr_array_index (certificate_data, idx); + datum.data = (guchar *) one_cert->data; + datum.size = one_cert->len; + + gnutls_x509_crt_init (&cert); + gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER); + + g_ptr_array_add (priv->cert_chain, cert); + } +} + +static gint +get_number_and_type_of_certificates (gnutls_datum_t *datum, + gnutls_x509_crt_fmt_t *format) +{ + gnutls_x509_crt_t fake; + guint retval = 1; + gint res; + + res = gnutls_x509_crt_list_import (&fake, &retval, datum, + GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); + + if (res == GNUTLS_E_SHORT_MEMORY_BUFFER || res > 0) + { + DEBUG ("Found PEM, with %u certificates", retval); + *format = GNUTLS_X509_FMT_PEM; + return retval; + } + + /* try DER */ + res = gnutls_x509_crt_list_import (&fake, &retval, datum, + GNUTLS_X509_FMT_DER, 0); + + if (res > 0) + { + *format = GNUTLS_X509_FMT_DER; + return retval; + } + + return res; +} + +static gboolean +build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job, + GCancellable *cancellable, + gpointer user_data) +{ + gint idx; + gchar *user_certs_dir; + GDir *dir; + GError *error = NULL; + EmpathyTLSVerifier *self = user_data; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + priv->trusted_ca_list = g_ptr_array_new_with_free_func + ((GDestroyNotify) gnutls_x509_crt_deinit); + + for (idx = 0; idx < (gint) G_N_ELEMENTS (system_ca_paths) - 1; idx++) + { + const gchar *path; + gchar *contents = NULL; + gsize length = 0; + gint res, n_certs; + gnutls_x509_crt_t *cert_list; + gnutls_datum_t datum = { NULL, 0 }; + gnutls_x509_crt_fmt_t format = 0; + + path = system_ca_paths[idx]; + g_file_get_contents (path, &contents, &length, &error); + + if (error != NULL) + { + DEBUG ("Unable to read system CAs from path %s: %s", path, + error->message); + g_clear_error (&error); + continue; + } + + datum.data = (guchar *) contents; + datum.size = length; + n_certs = get_number_and_type_of_certificates (&datum, &format); + + if (n_certs < 0) + { + DEBUG ("Unable to parse the system CAs from path %s: GnuTLS " + "returned error %d", path, n_certs); + + g_free (contents); + continue; + } + + cert_list = g_malloc0 (sizeof (gnutls_x509_crt_t) * n_certs); + res = gnutls_x509_crt_list_import (cert_list, (guint *) &n_certs, &datum, + format, 0); + + if (res < 0) + { + DEBUG ("Unable to import system CAs from path %s; " + "GnuTLS returned error %d", path, res); + + g_free (contents); + continue; + } + + DEBUG ("Successfully imported %d system CA certificates from path %s", + n_certs, path); + + /* append the newly created cert structutes into the global GPtrArray */ + for (idx = 0; idx < n_certs; idx++) + g_ptr_array_add (priv->trusted_ca_list, cert_list[idx]); + + g_free (contents); + g_free (cert_list); + } + + /* user certs */ + user_certs_dir = g_build_filename (g_get_user_config_dir (), + "telepathy", "certs", NULL); + dir = g_dir_open (user_certs_dir, 0, &error); + + if (error != NULL) + { + DEBUG ("Can't open the user certs dir at %s: %s", user_certs_dir, + error->message); + + g_error_free (error); + } + else + { + const gchar *cert_name; + + while ((cert_name = g_dir_read_name (dir)) != NULL) + { + gchar *contents = NULL, *cert_path = NULL; + gsize length = 0; + gint res; + gnutls_datum_t datum = { NULL, 0 }; + gnutls_x509_crt_t cert; + + cert_path = g_build_filename (user_certs_dir, cert_name, NULL); + + g_file_get_contents (cert_path, &contents, &length, &error); + + if (error != NULL) + { + DEBUG ("Can't open the certificate file at path %s: %s", + cert_path, error->message); + + g_clear_error (&error); + g_free (cert_path); + continue; + } + + datum.data = (guchar *) contents; + datum.size = length; + + gnutls_x509_crt_init (&cert); + res = gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_PEM); + + if (res != GNUTLS_E_SUCCESS) + { + DEBUG ("Can't import the certificate at path %s: " + "GnuTLS returned %d", cert_path, res); + } + else + { + g_ptr_array_add (priv->trusted_ca_list, cert); + } + + g_free (contents); + g_free (cert_path); + } + + g_dir_close (dir); + } + + g_free (user_certs_dir); + + /* TODO: do the CRL too */ + + g_io_scheduler_job_send_to_mainloop_async (job, + start_verification, self, NULL); + + return FALSE; +} + +static void +empathy_tls_verifier_get_property (GObject *object, + guint property_id, + GValue *value, + GParamSpec *pspec) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_TLS_CERTIFICATE: + g_value_set_object (value, priv->certificate); + break; + case PROP_HOSTNAME: + g_value_set_string (value, priv->hostname); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_tls_verifier_set_property (GObject *object, + guint property_id, + const GValue *value, + GParamSpec *pspec) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_TLS_CERTIFICATE: + priv->certificate = g_value_dup_object (value); + break; + case PROP_HOSTNAME: + priv->hostname = g_value_dup_string (value); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_tls_verifier_dispose (GObject *object) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + if (priv->dispose_run) + return; + + priv->dispose_run = TRUE; + + tp_clear_object (&priv->certificate); + + G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->dispose (object); +} + +static void +empathy_tls_verifier_finalize (GObject *object) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + DEBUG ("%p", object); + + tp_clear_pointer (&priv->trusted_ca_list, g_ptr_array_unref); + tp_clear_pointer (&priv->cert_chain, g_ptr_array_unref); + tp_clear_boxed (G_TYPE_HASH_TABLE, &priv->details); + g_free (priv->hostname); + + G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object); +} + +static void +empathy_tls_verifier_constructed (GObject *object) +{ + EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (object); + + build_gnutls_cert_list (self); + + if (G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed != NULL) + G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed (object); +} + +static void +empathy_tls_verifier_init (EmpathyTLSVerifier *self) +{ + EmpathyTLSVerifierPriv *priv; + + priv = self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self, + EMPATHY_TYPE_TLS_VERIFIER, EmpathyTLSVerifierPriv); + priv->details = tp_asv_new (NULL, NULL); +} + +static void +empathy_tls_verifier_class_init (EmpathyTLSVerifierClass *klass) +{ + GParamSpec *pspec; + GObjectClass *oclass = G_OBJECT_CLASS (klass); + + g_type_class_add_private (klass, sizeof (EmpathyTLSVerifierPriv)); + + oclass->set_property = empathy_tls_verifier_set_property; + oclass->get_property = empathy_tls_verifier_get_property; + oclass->finalize = empathy_tls_verifier_finalize; + oclass->dispose = empathy_tls_verifier_dispose; + oclass->constructed = empathy_tls_verifier_constructed; + + pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate", + "The EmpathyTLSCertificate to be verified.", + EMPATHY_TYPE_TLS_CERTIFICATE, + G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec); + + pspec = g_param_spec_string ("hostname", "The hostname", + "The hostname which should be certified by the certificate.", + NULL, + G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_HOSTNAME, pspec); +} + +EmpathyTLSVerifier * +empathy_tls_verifier_new (EmpathyTLSCertificate *certificate, + const gchar *hostname) +{ + g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate)); + g_assert (hostname != NULL); + + return g_object_new (EMPATHY_TYPE_TLS_VERIFIER, + "certificate", certificate, + "hostname", hostname, + NULL); +} + +void +empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self, + GAsyncReadyCallback callback, + gpointer user_data) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + g_return_if_fail (priv->verify_result == NULL); + + priv->verify_result = g_simple_async_result_new (G_OBJECT (self), + callback, user_data, NULL); + + g_io_scheduler_push_job (build_gnutls_ca_and_crl_lists, + self, NULL, G_PRIORITY_DEFAULT, NULL); +} + +gboolean +empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self, + GAsyncResult *res, + EmpTLSCertificateRejectReason *reason, + GHashTable **details, + GError **error) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res), + error)) + { + if (reason != NULL) + *reason = (*error)->code; + + if (details != NULL) + { + *details = tp_asv_new (NULL, NULL); + tp_g_hash_table_update (*details, priv->details, + (GBoxedCopyFunc) g_strdup, + (GBoxedCopyFunc) tp_g_value_slice_dup); + } + + return FALSE; + } + + if (reason != NULL) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + + return TRUE; +} |