From 92655cecb16b8f0d370d03450804a5cbc4fd89d2 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Thu, 22 Jul 2010 17:50:09 +0200 Subject: Add EmpathyTLSCertificate. --- libempathy/Makefile.am | 2 + libempathy/empathy-tls-certificate.c | 292 +++++++++++++++++++++++++++++++++++ libempathy/empathy-tls-certificate.h | 69 +++++++++ 3 files changed, 363 insertions(+) create mode 100644 libempathy/empathy-tls-certificate.c create mode 100644 libempathy/empathy-tls-certificate.h diff --git a/libempathy/Makefile.am b/libempathy/Makefile.am index 94bbabe77..096985358 100644 --- a/libempathy/Makefile.am +++ b/libempathy/Makefile.am @@ -50,6 +50,7 @@ libempathy_headers = \ empathy-message.h \ empathy-status-presets.h \ empathy-time.h \ + empathy-tls-certificate.h \ empathy-tp-call.h \ empathy-tp-chat.h \ empathy-tp-contact-factory.h \ @@ -84,6 +85,7 @@ libempathy_la_SOURCES = \ empathy-message.c \ empathy-status-presets.c \ empathy-time.c \ + empathy-tls-certificate.c \ empathy-tp-call.c \ empathy-tp-chat.c \ empathy-tp-contact-factory.c \ diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c new file mode 100644 index 000000000..d50cb6a87 --- /dev/null +++ b/libempathy/empathy-tls-certificate.c @@ -0,0 +1,292 @@ +/* + * empathy-tls-certificate.c - Source for EmpathyTLSCertificate + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include + +#include "empathy-tls-certificate.h" + +#define DEBUG_FLAG EMPATHY_DEBUG_TLS +#include "empathy-debug.h" +#include "empathy-utils.h" + +#include "extensions/extensions.h" + +static void async_initable_iface_init (GAsyncInitableIface *iface); + +enum { + PROP_OBJECT_PATH = 1, + PROP_BUS_NAME, + LAST_PROPERTY, +}; + +typedef struct { + gchar *object_path; + gchar *bus_name; + + TpProxy *proxy; + + GSimpleAsyncResult *async_init_res; + + /* TLSCertificate properties */ + gchar *cert_type; + GPtrArray *cert_data; + EmpTLSCertificateState state; + EmpTLSCertificateRejectReason reject_reason; +} EmpathyTLSCertificatePriv; + +G_DEFINE_TYPE_WITH_CODE (EmpathyTLSCertificate, empathy_tls_certificate, + G_TYPE_OBJECT, + G_IMPLEMENT_INTERFACE (G_TYPE_ASYNC_INITABLE, async_initable_iface_init)); + +#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSCertificate); + +static gboolean +tls_certificate_init_finish (GAsyncInitable *initable, + GAsyncResult *res, + GError **error) +{ + gboolean retval = TRUE; + EmpathyTLSCertificate *self = EMPATHY_TLS_CERTIFICATE (initable); + EmpathyTLSCertificatePriv *priv = GET_PRIV (self); + + if (g_simple_async_result_propagate_error (priv->async_init_res, error)) + retval = FALSE; + + return retval; +} + +static GType +array_of_ay_get_type (void) +{ + static GType t = 0; + + if (G_UNLIKELY (t == 0)) + { + t = dbus_g_type_get_collection ("GPtrArray", + dbus_g_type_get_collection ("GArray", + G_TYPE_UCHAR)); + } + + return t; +} + +static void +tls_certificate_got_all_cb (TpProxy *proxy, + GHashTable *properties, + const GError *error, + gpointer user_data, + GObject *weak_object) +{ + GPtrArray *cert_data; + EmpathyTLSCertificate *self = EMPATHY_TLS_CERTIFICATE (weak_object); + EmpathyTLSCertificatePriv *priv = GET_PRIV (self); + + if (error != NULL) + { + g_simple_async_result_set_from_error (priv->async_init_res, error); + g_simple_async_result_complete_in_idle (priv->async_init_res); + + return; + } + + priv->cert_type = g_strdup (tp_asv_get_string (properties, + "CertificateType")); + priv->state = tp_asv_get_uint32 (properties, "State", NULL); + priv->reject_reason = tp_asv_get_uint32 (properties, "RejectReason", NULL); + + cert_data = tp_asv_get_boxed (properties, "CertificateChainData", + array_of_ay_get_type ()); + g_assert (cert_data != NULL); + priv->cert_data = g_boxed_copy (array_of_ay_get_type (), cert_data); + + DEBUG ("Got a certificate chain long %u, of type %s", + priv->cert_data->len, priv->cert_type); + + g_simple_async_result_complete_in_idle (priv->async_init_res); +} + +static void +tls_certificate_init_async (GAsyncInitable *initable, + gint io_priority, + GCancellable *cancellable, + GAsyncReadyCallback callback, + gpointer user_data) +{ + TpDBusDaemon *dbus; + GError *error = NULL; + EmpathyTLSCertificate *self = EMPATHY_TLS_CERTIFICATE (initable); + EmpathyTLSCertificatePriv *priv = GET_PRIV (self); + + g_assert (priv->object_path != NULL); + g_assert (priv->bus_name != NULL); + + priv->async_init_res = g_simple_async_result_new (G_OBJECT (self), + callback, user_data, NULL); + dbus = tp_dbus_daemon_dup (&error); + + if (error != NULL) + { + g_simple_async_result_set_from_error (priv->async_init_res, error); + g_simple_async_result_complete_in_idle (priv->async_init_res); + + g_error_free (error); + return; + } + + DEBUG ("Creating a proxy for object at path %s, owned by %s", + priv->object_path, priv->bus_name); + + priv->proxy = g_object_new (TP_TYPE_PROXY, + "object-path", priv->object_path, + "bus-name", priv->bus_name, + "dbus-daemon", dbus, NULL); + + /* call GetAll() on the certificate */ + tp_cli_dbus_properties_call_get_all (priv->proxy, + -1, EMP_IFACE_AUTHENTICATION_TLS_CERTIFICATE, + tls_certificate_got_all_cb, NULL, NULL, G_OBJECT (self)); + + g_object_unref (dbus); +} + +static void +async_initable_iface_init (GAsyncInitableIface *iface) +{ + iface->init_async = tls_certificate_init_async; + iface->init_finish = tls_certificate_init_finish; +} + +static void +empathy_tls_certificate_finalize (GObject *object) +{ + EmpathyTLSCertificatePriv *priv = GET_PRIV (object); + + g_free (priv->object_path); + + G_OBJECT_CLASS (empathy_tls_certificate_parent_class)->finalize (object); +} + +static void +empathy_tls_certificate_get_property (GObject *object, + guint property_id, + GValue *value, + GParamSpec *pspec) +{ + EmpathyTLSCertificatePriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_OBJECT_PATH: + g_value_set_string (value, priv->object_path); + break; + case PROP_BUS_NAME: + g_value_set_string (value, priv->bus_name); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_tls_certificate_set_property (GObject *object, + guint property_id, + const GValue *value, + GParamSpec *pspec) +{ + EmpathyTLSCertificatePriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_OBJECT_PATH: + priv->object_path = g_value_dup_string (value); + break; + case PROP_BUS_NAME: + priv->bus_name = g_value_dup_string (value); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_tls_certificate_init (EmpathyTLSCertificate *self) +{ + self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self, + EMPATHY_TYPE_TLS_CERTIFICATE, EmpathyTLSCertificatePriv); +} + +static void +empathy_tls_certificate_class_init (EmpathyTLSCertificateClass *klass) +{ + GParamSpec *pspec; + GObjectClass *oclass = G_OBJECT_CLASS (klass); + + oclass->get_property = empathy_tls_certificate_get_property; + oclass->set_property = empathy_tls_certificate_set_property; + oclass->finalize = empathy_tls_certificate_finalize; + + g_type_class_add_private (klass, sizeof (EmpathyTLSCertificatePriv)); + + pspec = g_param_spec_string ("object-path", "The object path", + "The path on the bus where the object we proxy is living.", + NULL, + G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_OBJECT_PATH, pspec); + + pspec = g_param_spec_string ("bus-name", "The bus name", + "The bus name owning this certificate.", + NULL, + G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_BUS_NAME, pspec); +} + +void +empathy_tls_certificate_new_async (const gchar *bus_name, + const gchar *object_path, + GAsyncReadyCallback callback, + gpointer user_data) +{ + g_assert (object_path != NULL); + + g_async_initable_new_async (EMPATHY_TYPE_TLS_CERTIFICATE, + G_PRIORITY_DEFAULT, NULL, callback, user_data, + "bus-name", bus_name, + "object-path", object_path, NULL); +} + +EmpathyTLSCertificate * +empathy_tls_certificate_new_finish (GAsyncResult *res, + GError **error) +{ + GObject *object, *source_object; + + source_object = g_async_result_get_source_object (res); + + object = g_async_initable_new_finish (G_ASYNC_INITABLE (source_object), + res, error); + g_object_unref (source_object); + + if (object != NULL) + return EMPATHY_TLS_CERTIFICATE (object); + else + return NULL; +} diff --git a/libempathy/empathy-tls-certificate.h b/libempathy/empathy-tls-certificate.h new file mode 100644 index 000000000..de856be1e --- /dev/null +++ b/libempathy/empathy-tls-certificate.h @@ -0,0 +1,69 @@ +/* + * empathy-tls-certificate.h - Header for EmpathyTLSCertificate + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __EMPATHY_TLS_CERTIFICATE_H__ +#define __EMPATHY_TLS_CERTIFICATE_H__ + +#include +#include + +G_BEGIN_DECLS + +typedef struct _EmpathyTLSCertificate EmpathyTLSCertificate; +typedef struct _EmpathyTLSCertificateClass EmpathyTLSCertificateClass; + +struct _EmpathyTLSCertificateClass { + GObjectClass parent_class; +}; + +struct _EmpathyTLSCertificate { + GObject parent; + gpointer priv; +}; + +GType empathy_tls_certificate_get_type (void); + +#define EMPATHY_TYPE_TLS_CERTIFICATE \ + (empathy_tls_certificate_get_type ()) +#define EMPATHY_TLS_CERTIFICATE(obj) \ + (G_TYPE_CHECK_INSTANCE_CAST((obj), EMPATHY_TYPE_TLS_CERTIFICATE, \ + EmpathyTLSCertificate)) +#define EMPATHY_TLS_CERTIFICATE_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_CAST((klass), EMPATHY_TYPE_TLS_CERTIFICATE, \ + EmpathyTLSCertificateClass)) +#define EMPATHY_IS_TLS_CERTIFICATE(obj) \ + (G_TYPE_CHECK_INSTANCE_TYPE((obj), EMPATHY_TYPE_TLS_CERTIFICATE)) +#define EMPATHY_IS_TLS_CERTIFICATE_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_TYPE((klass), EMPATHY_TYPE_TLS_CERTIFICATE)) +#define EMPATHY_TLS_CERTIFICATE_GET_CLASS(obj) \ + (G_TYPE_INSTANCE_GET_CLASS ((obj), EMPATHY_TYPE_TLS_CERTIFICATE, \ + EmpathyTLSCertificateClass)) + +void empathy_tls_certificate_new_async (const gchar *bus_name, + const gchar *object_path, + GAsyncReadyCallback callback, + gpointer user_data); + +EmpathyTLSCertificate * empathy_tls_certificate_new_finish (GAsyncResult * res, + GError **error); + +G_END_DECLS + +#endif /* #ifndef __EMPATHY_TLS_CERTIFICATE_H__*/ -- cgit v1.2.3 From 2cbd1c3661cc56f3558bd7391c6f15cc16f2f61f Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Thu, 22 Jul 2010 17:50:30 +0200 Subject: Add EmpathyServerTLSHandler. --- libempathy/Makefile.am | 2 + libempathy/empathy-server-tls-handler.c | 265 ++++++++++++++++++++++++++++++++ libempathy/empathy-server-tls-handler.h | 74 +++++++++ 3 files changed, 341 insertions(+) create mode 100644 libempathy/empathy-server-tls-handler.c create mode 100644 libempathy/empathy-server-tls-handler.h diff --git a/libempathy/Makefile.am b/libempathy/Makefile.am index 096985358..2817ae650 100644 --- a/libempathy/Makefile.am +++ b/libempathy/Makefile.am @@ -48,6 +48,7 @@ libempathy_headers = \ empathy-irc-server.h \ empathy-location.h \ empathy-message.h \ + empathy-server-tls-handler.h \ empathy-status-presets.h \ empathy-time.h \ empathy-tls-certificate.h \ @@ -83,6 +84,7 @@ libempathy_la_SOURCES = \ empathy-irc-network.c \ empathy-irc-server.c \ empathy-message.c \ + empathy-server-tls-handler.c \ empathy-status-presets.c \ empathy-time.c \ empathy-tls-certificate.c \ diff --git a/libempathy/empathy-server-tls-handler.c b/libempathy/empathy-server-tls-handler.c new file mode 100644 index 000000000..3ca950715 --- /dev/null +++ b/libempathy/empathy-server-tls-handler.c @@ -0,0 +1,265 @@ +/* + * empathy-server-tls-handler.c - Source for EmpathyServerTLSHandler + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include "empathy-server-tls-handler.h" + +#define DEBUG_FLAG EMPATHY_DEBUG_TLS +#include "empathy-debug.h" +#include "empathy-tls-certificate.h" +#include "empathy-utils.h" + +#include "extensions/extensions.h" + +static void async_initable_iface_init (GAsyncInitableIface *iface); + +enum { + PROP_CHANNEL = 1, + LAST_PROPERTY, +}; + +typedef struct { + TpChannel *channel; + + EmpathyTLSCertificate *certificate; + + GSimpleAsyncResult *async_init_res; +} EmpathyServerTLSHandlerPriv; + +G_DEFINE_TYPE_WITH_CODE (EmpathyServerTLSHandler, empathy_server_tls_handler, + G_TYPE_OBJECT, + G_IMPLEMENT_INTERFACE (G_TYPE_ASYNC_INITABLE, async_initable_iface_init)); + +#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyServerTLSHandler); + +static void +tls_certificate_constructed_cb (GObject *source, + GAsyncResult *result, + gpointer user_data) +{ + EmpathyTLSCertificate *certificate; + EmpathyServerTLSHandler *self = user_data; + GError *error = NULL; + EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self); + + certificate = empathy_tls_certificate_new_finish (result, &error); + + if (error != NULL) + { + g_simple_async_result_set_from_error (priv->async_init_res, error); + g_error_free (error); + } + else + { + priv->certificate = certificate; + } + + g_simple_async_result_complete_in_idle (priv->async_init_res); +} + +static void +server_tls_channel_got_all_cb (TpProxy *proxy, + GHashTable *properties, + const GError *error, + gpointer user_data, + GObject *weak_object) +{ + EmpathyServerTLSHandler *self = EMPATHY_SERVER_TLS_HANDLER (weak_object); + EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self); + + if (error != NULL) + { + g_simple_async_result_set_from_error (priv->async_init_res, error); + g_simple_async_result_complete_in_idle (priv->async_init_res); + } + else + { + const gchar *cert_object_path; + + cert_object_path = tp_asv_get_object_path (properties, + "ServerCertificate"); + + DEBUG ("Creating an EmpathyTLSCertificate for path %s, bus name %s", + cert_object_path, tp_proxy_get_bus_name (proxy)); + + empathy_tls_certificate_new_async ( + tp_proxy_get_bus_name (proxy), + cert_object_path, + tls_certificate_constructed_cb, self); + } +} + +static gboolean +tls_handler_init_finish (GAsyncInitable *initable, + GAsyncResult *res, + GError **error) +{ + gboolean retval = TRUE; + EmpathyServerTLSHandler *self = EMPATHY_SERVER_TLS_HANDLER (initable); + EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self); + + if (g_simple_async_result_propagate_error (priv->async_init_res, error)) + retval = FALSE; + + return retval; +} + +static void +tls_handler_init_async (GAsyncInitable *initable, + gint io_priority, + GCancellable *cancellable, + GAsyncReadyCallback callback, + gpointer user_data) +{ + EmpathyServerTLSHandler *self = EMPATHY_SERVER_TLS_HANDLER (initable); + EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self); + + g_assert (priv->channel != NULL); + + priv->async_init_res = g_simple_async_result_new (G_OBJECT (self), + callback, user_data, NULL); + + /* call GetAll() on the channel properties */ + tp_cli_dbus_properties_call_get_all (priv->channel, + -1, EMP_IFACE_CHANNEL_TYPE_SERVER_TLS_CONNECTION, + server_tls_channel_got_all_cb, NULL, NULL, G_OBJECT (self)); +} + +static void +async_initable_iface_init (GAsyncInitableIface *iface) +{ + iface->init_async = tls_handler_init_async; + iface->init_finish = tls_handler_init_finish; +} + +static void +empathy_server_tls_handler_finalize (GObject *object) +{ + EmpathyServerTLSHandlerPriv *priv = GET_PRIV (object); + + if (priv->channel != NULL) + g_object_unref (priv->channel); + + G_OBJECT_CLASS (empathy_server_tls_handler_parent_class)->finalize (object); +} + +static void +empathy_server_tls_handler_get_property (GObject *object, + guint property_id, + GValue *value, + GParamSpec *pspec) +{ + EmpathyServerTLSHandlerPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_CHANNEL: + g_value_set_object (value, priv->channel); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_server_tls_handler_set_property (GObject *object, + guint property_id, + const GValue *value, + GParamSpec *pspec) +{ + EmpathyServerTLSHandlerPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_CHANNEL: + priv->channel = g_value_dup_object (value); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_server_tls_handler_class_init (EmpathyServerTLSHandlerClass *klass) +{ + GObjectClass *oclass = G_OBJECT_CLASS (klass); + GParamSpec *pspec; + + oclass->get_property = empathy_server_tls_handler_get_property; + oclass->set_property = empathy_server_tls_handler_set_property; + oclass->finalize = empathy_server_tls_handler_finalize; + + g_type_class_add_private (klass, sizeof (EmpathyServerTLSHandlerPriv)); + + pspec = g_param_spec_object ("channel", "The TpChannel", + "The TpChannel this handler is supposed to handle.", + TP_TYPE_CHANNEL, + G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_CHANNEL, pspec); +} + +static void +empathy_server_tls_handler_init (EmpathyServerTLSHandler *self) +{ + self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self, + EMPATHY_TYPE_SERVER_TLS_HANDLER, EmpathyServerTLSHandlerPriv); +} + +void +empathy_server_tls_handler_new_async (TpChannel *channel, + GAsyncReadyCallback callback, + gpointer user_data) +{ + g_assert (TP_IS_CHANNEL (channel)); + g_assert (channel != NULL); + + g_async_initable_new_async (EMPATHY_TYPE_SERVER_TLS_HANDLER, + G_PRIORITY_DEFAULT, NULL, callback, user_data, + "channel", channel, NULL); +} + +EmpathyServerTLSHandler * +empathy_server_tls_handler_new_finish (GAsyncResult *result, + GError **error) +{ + GObject *object, *source_object; + + source_object = g_async_result_get_source_object (result); + + object = g_async_initable_new_finish (G_ASYNC_INITABLE (source_object), + result, error); + g_object_unref (source_object); + + if (object != NULL) + return EMPATHY_SERVER_TLS_HANDLER (object); + else + return NULL; +} + +EmpathyTLSCertificate * +empathy_server_tls_handler_get_certificate (EmpathyServerTLSHandler *self) +{ + EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self); + + g_assert (priv->certificate != NULL); + + return priv->certificate; +} diff --git a/libempathy/empathy-server-tls-handler.h b/libempathy/empathy-server-tls-handler.h new file mode 100644 index 000000000..558a8512f --- /dev/null +++ b/libempathy/empathy-server-tls-handler.h @@ -0,0 +1,74 @@ +/* + * empathy-server-tls-handler.h - Header for EmpathyServerTLSHandler + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __EMPATHY_SERVER_TLS_HANDLER_H__ +#define __EMPATHY_SERVER_TLS_HANDLER_H__ + +#include +#include + +#include + +#include + +G_BEGIN_DECLS + +typedef struct _EmpathyServerTLSHandler EmpathyServerTLSHandler; +typedef struct _EmpathyServerTLSHandlerClass EmpathyServerTLSHandlerClass; + +struct _EmpathyServerTLSHandlerClass { + GObjectClass parent_class; +}; + +struct _EmpathyServerTLSHandler { + GObject parent; + gpointer priv; +}; + +GType empathy_server_tls_handler_get_type (void); + +#define EMPATHY_TYPE_SERVER_TLS_HANDLER \ + (empathy_server_tls_handler_get_type ()) +#define EMPATHY_SERVER_TLS_HANDLER(obj) \ + (G_TYPE_CHECK_INSTANCE_CAST((obj), EMPATHY_TYPE_SERVER_TLS_HANDLER, \ + EmpathyServerTLSHandler)) +#define EMPATHY_SERVER_TLS_HANDLER_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_CAST((klass), EMPATHY_TYPE_SERVER_TLS_HANDLER, \ + EmpathyServerTLSHandlerClass)) +#define EMPATHY_IS_SERVER_TLS_HANDLER(obj) \ + (G_TYPE_CHECK_INSTANCE_TYPE((obj), EMPATHY_TYPE_SERVER_TLS_HANDLER)) +#define EMPATHY_IS_SERVER_TLS_HANDLER_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_TYPE((klass), EMPATHY_TYPE_SERVER_TLS_HANDLER)) +#define EMPATHY_SERVER_TLS_HANDLER_GET_CLASS(obj) \ + (G_TYPE_INSTANCE_GET_CLASS ((obj), EMPATHY_TYPE_SERVER_TLS_HANDLER, \ + EmpathyServerTLSHandlerClass)) + +void empathy_server_tls_handler_new_async (TpChannel *channel, + GAsyncReadyCallback callback, gpointer user_data); +EmpathyServerTLSHandler * empathy_server_tls_handler_new_finish ( + GAsyncResult *result, GError **error); + +EmpathyTLSCertificate * empathy_server_tls_handler_get_certificate ( + EmpathyServerTLSHandler *self); + + +G_END_DECLS + +#endif /* #ifndef __EMPATHY_SERVER_TLS_HANDLER_H__*/ -- cgit v1.2.3 From ed819ae5dfef5c6fd584fd8a63bbce9080cd4040 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Fri, 9 Jul 2010 16:43:25 +0200 Subject: Add a first skeleton of the auth factory. --- libempathy/Makefile.am | 2 + libempathy/empathy-auth-factory.c | 208 ++++++++++++++++++++++++++++++++++++++ libempathy/empathy-auth-factory.h | 66 ++++++++++++ 3 files changed, 276 insertions(+) create mode 100644 libempathy/empathy-auth-factory.c create mode 100644 libempathy/empathy-auth-factory.h diff --git a/libempathy/Makefile.am b/libempathy/Makefile.am index 2817ae650..7a1f16a3e 100644 --- a/libempathy/Makefile.am +++ b/libempathy/Makefile.am @@ -26,6 +26,7 @@ noinst_LTLIBRARIES = libempathy.la libempathy_headers = \ empathy-account-settings.h \ + empathy-auth-factory.h \ empathy-call-factory.h \ empathy-call-handler.h \ empathy-chatroom-manager.h \ @@ -64,6 +65,7 @@ libempathy_headers = \ libempathy_la_SOURCES = \ $(libempathy_headers) \ empathy-account-settings.c \ + empathy-auth-factory.c \ empathy-call-factory.c \ empathy-call-handler.c \ empathy-chatroom-manager.c \ diff --git a/libempathy/empathy-auth-factory.c b/libempathy/empathy-auth-factory.c new file mode 100644 index 000000000..836be14d2 --- /dev/null +++ b/libempathy/empathy-auth-factory.c @@ -0,0 +1,208 @@ +/* + * empathy-auth-factory.c - Source for EmpathyAuthFactory + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include "empathy-auth-factory.h" + +#include +#include + +#define DEBUG_FLAG EMPATHY_DEBUG_TLS +#include "empathy-debug.h" +#include "empathy-server-tls-handler.h" +#include "empathy-utils.h" + +#include "extensions/extensions.h" + +G_DEFINE_TYPE (EmpathyAuthFactory, empathy_auth_factory, G_TYPE_OBJECT); + +typedef struct { + TpBaseClient *handler; +} EmpathyAuthFactoryPriv; + +enum { + NEW_SERVER_TLS_HANDLER, + LAST_SIGNAL, +}; + +static guint signals[LAST_SIGNAL] = { 0, }; + +#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyAuthFactory) + +static EmpathyAuthFactory *auth_factory_singleton = NULL; + +static void +server_tls_handler_ready_cb (GObject *source, + GAsyncResult *res, + gpointer user_data) +{ + EmpathyAuthFactory *self = user_data; + GError *error = NULL; + EmpathyServerTLSHandler *handler; + + handler = empathy_server_tls_handler_new_finish (res, &error); + + if (error != NULL) + { + DEBUG ("Failed to create a server TLS handler; error %s", + error->message); + g_error_free (error); + } + else + { + g_signal_emit (self, signals[NEW_SERVER_TLS_HANDLER], 0, + handler); + } +} + +static void +handle_channels_cb (TpSimpleHandler *handler, + TpAccount *account, + TpConnection *connection, + GList *channels, + GList *requests_satisfied, + gint64 user_action_time, + TpHandleChannelsContext *context, + gpointer user_data) +{ + TpChannel *channel; + EmpathyAuthFactory *self = user_data; + + DEBUG ("Handle TLS carrier channels."); + + /* there can't be more than one ServerTLSConnection channels + * at the same time, for the same connection/account. + */ + g_assert (g_list_length (channels) == 1); + + channel = channels->data; + + if (tp_proxy_get_invalidated (channel) != NULL) + goto out; + + if (tp_channel_get_channel_type_id (channel) != + EMP_IFACE_QUARK_CHANNEL_TYPE_SERVER_TLS_CONNECTION) + goto out; + + /* create a handler */ + empathy_server_tls_handler_new_async (channel, server_tls_handler_ready_cb, + self); + + out: + tp_handle_channels_context_accept (context); +} + +static GObject * +empathy_auth_factory_constructor (GType type, + guint n_params, + GObjectConstructParam *params) +{ + GObject *retval; + + if (auth_factory_singleton != NULL) + { + retval = g_object_ref (auth_factory_singleton); + } + else + { + retval = G_OBJECT_CLASS (empathy_auth_factory_parent_class)->constructor + (type, n_params, params); + + auth_factory_singleton = EMPATHY_AUTH_FACTORY (retval); + g_object_add_weak_pointer (retval, (gpointer *) &auth_factory_singleton); + } + + return retval; +} + +static void +empathy_auth_factory_init (EmpathyAuthFactory *self) +{ + EmpathyAuthFactoryPriv *priv = G_TYPE_INSTANCE_GET_PRIVATE (self, + EMPATHY_TYPE_AUTH_FACTORY, EmpathyAuthFactoryPriv); + TpDBusDaemon *bus; + GError *error = NULL; + + self->priv = priv; + + bus = tp_dbus_daemon_dup (&error); + if (error != NULL) + { + g_critical ("Failed to get TpDBusDaemon: %s", error->message); + g_error_free (error); + return; + } + + priv->handler = tp_simple_handler_new (bus, FALSE, FALSE, "Empathy.Auth", + FALSE, handle_channels_cb, self, NULL); + + tp_base_client_take_handler_filter (priv->handler, tp_asv_new ( + TP_PROP_CHANNEL_CHANNEL_TYPE, G_TYPE_STRING, + EMP_IFACE_CHANNEL_TYPE_SERVER_TLS_CONNECTION, + TP_PROP_CHANNEL_TARGET_HANDLE_TYPE, G_TYPE_UINT, + TP_HANDLE_TYPE_NONE, NULL)); + + g_object_unref (bus); +} + +static void +empathy_auth_factory_finalize (GObject *object) +{ + EmpathyAuthFactoryPriv *priv = GET_PRIV (object); + + if (priv->handler != NULL) + g_object_unref (priv->handler); + + G_OBJECT_CLASS (empathy_auth_factory_parent_class)->finalize (object); +} + +static void +empathy_auth_factory_class_init (EmpathyAuthFactoryClass *klass) +{ + GObjectClass *oclass = G_OBJECT_CLASS (klass); + + oclass->constructor = empathy_auth_factory_constructor; + oclass->finalize = empathy_auth_factory_finalize; + + g_type_class_add_private (klass, sizeof (EmpathyAuthFactoryPriv)); + + signals[NEW_SERVER_TLS_HANDLER] = + g_signal_new ("new-server-tls-handler", + G_TYPE_FROM_CLASS (klass), + G_SIGNAL_RUN_LAST, 0, + NULL, NULL, + g_cclosure_marshal_VOID__OBJECT, + G_TYPE_NONE, + 1, EMPATHY_TYPE_SERVER_TLS_HANDLER); +} + +EmpathyAuthFactory * +empathy_auth_factory_dup_singleton (void) +{ + return g_object_new (EMPATHY_TYPE_AUTH_FACTORY, NULL); +} + +gboolean +empathy_auth_factory_register (EmpathyAuthFactory *self, + GError **error) +{ + EmpathyAuthFactoryPriv *priv = GET_PRIV (self); + + return tp_base_client_register (priv->handler, error); +} diff --git a/libempathy/empathy-auth-factory.h b/libempathy/empathy-auth-factory.h new file mode 100644 index 000000000..507f69b95 --- /dev/null +++ b/libempathy/empathy-auth-factory.h @@ -0,0 +1,66 @@ +/* + * empathy-auth-factory.h - Header for EmpathyAuthFactory + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __EMPATHY_AUTH_FACTORY_H__ +#define __EMPATHY_AUTH_FACTORY_H__ + +#include + +G_BEGIN_DECLS + +typedef struct _EmpathyAuthFactory EmpathyAuthFactory; +typedef struct _EmpathyAuthFactoryClass EmpathyAuthFactoryClass; + +struct _EmpathyAuthFactoryClass { + GObjectClass parent_class; +}; + +struct _EmpathyAuthFactory { + GObject parent; + gpointer priv; +}; + +GType empathy_auth_factory_get_type (void); + +/* TYPE MACROS */ +#define EMPATHY_TYPE_AUTH_FACTORY \ + (empathy_auth_factory_get_type ()) +#define EMPATHY_AUTH_FACTORY(obj) \ + (G_TYPE_CHECK_INSTANCE_CAST((obj), EMPATHY_TYPE_AUTH_FACTORY, \ + EmpathyAuthFactory)) +#define EMPATHY_AUTH_FACTORY_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_CAST((klass), EMPATHY_TYPE_AUTH_FACTORY, \ + EmpathyAuthFactoryClass)) +#define EMPATHY_IS_AUTH_FACTORY(obj) \ + (G_TYPE_CHECK_INSTANCE_TYPE((obj), EMPATHY_TYPE_AUTH_FACTORY)) +#define EMPATHY_IS_AUTH_FACTORY_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_TYPE((klass), EMPATHY_TYPE_AUTH_FACTORY)) +#define EMPATHY_AUTH_FACTORY_GET_CLASS(obj) \ + (G_TYPE_INSTANCE_GET_CLASS ((obj), EMPATHY_TYPE_AUTH_FACTORY, \ + EmpathyAuthFactoryClass)) + +EmpathyAuthFactory * empathy_auth_factory_dup_singleton (void); + +gboolean empathy_auth_factory_register (EmpathyAuthFactory *self, + GError **error); + +G_END_DECLS + +#endif /* #ifndef __EMPATHY_AUTH_FACTORY_H__*/ -- cgit v1.2.3 From 494ed942822cc9657465a03a5b95936cb60da280 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Fri, 9 Jul 2010 16:43:49 +0200 Subject: Add a first skeleton of the auth helper. --- src/Makefile.am | 6 ++- src/empathy-auth-helper.c | 93 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 98 insertions(+), 1 deletion(-) create mode 100644 src/empathy-auth-helper.c diff --git a/src/Makefile.am b/src/Makefile.am index 8800aee3c..ec7b1a822 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -85,7 +85,8 @@ bin_PROGRAMS = \ $(NULL) libexec_PROGRAMS = \ - empathy-av + empathy-av \ + empathy-auth-helper BUILT_SOURCES= @@ -110,6 +111,9 @@ empathy_av_SOURCES = \ empathy-sidebar.c empathy-sidebar.h \ $(NULL) +empathy_auth_helper_SOURCES = \ + empathy-auth-helper.c + empathy_handwritten_source = \ empathy-about-dialog.c empathy-about-dialog.h \ empathy-chat-window.c empathy-chat-window.h \ diff --git a/src/empathy-auth-helper.c b/src/empathy-auth-helper.c new file mode 100644 index 000000000..db22327fc --- /dev/null +++ b/src/empathy-auth-helper.c @@ -0,0 +1,93 @@ +/* + * Copyright (C) 2010 Collabora Ltd. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public + * License along with this program; if not, write to the + * Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, + * Boston, MA 02110-1301 USA + * + * Authors: Cosimo Cecchi + */ + +#include + +#include +#include +#include +#include + +#define DEBUG_FLAG EMPATHY_DEBUG_TLS +#include +#include +#include + +#include + +static void +auth_factory_new_handler_cb (EmpathyAuthFactory *factory, + EmpathyServerTLSHandler *handler, + gpointer user_data) +{ + DEBUG ("New TLS server handler received from the factory"); +} + +int +main (int argc, + char **argv) +{ + GOptionContext *context; + GError *error = NULL; + EmpathyAuthFactory *factory; + + g_thread_init (NULL); + + context = g_option_context_new (N_(" - Empathy authentication helper")); + g_option_context_add_group (context, gtk_get_option_group (TRUE)); + g_option_context_set_translation_domain (context, GETTEXT_PACKAGE); + + if (!g_option_context_parse (context, &argc, &argv, &error)) + { + g_print ("%s\nRun '%s --help' to see a full list of available command " + "line options.\n", error->message, argv[0]); + g_warning ("Error in empathy-auth-helper init: %s", error->message); + return EXIT_FAILURE; + } + + g_option_context_free (context); + + empathy_gtk_init (); + g_set_application_name (_("Empathy authentication helper")); + + gtk_window_set_default_icon_name ("empathy"); + textdomain (GETTEXT_PACKAGE); + + factory = empathy_auth_factory_dup_singleton (); + + g_signal_connect (factory, "new-server-tls-handler", + G_CALLBACK (auth_factory_new_handler_cb), NULL); + + if (!empathy_auth_factory_register (factory, &error)) + { + g_critical ("Failed to register the auth factory: %s\n", error->message); + g_error_free (error); + g_object_unref (factory); + + return EXIT_FAILURE; + } + + DEBUG ("Empathy auth client started."); + + gtk_main (); + + return EXIT_SUCCESS; +} -- cgit v1.2.3 From 487385179b4d3156348c82637109bdc3f6f319f1 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Fri, 9 Jul 2010 16:44:11 +0200 Subject: Add tp-spec extensions for TLS auth. --- extensions/Authentication_TLS_Certificate.xml | 191 ++++++++++++++++++++++ extensions/Channel_Type_Server_TLS_Connection.xml | 54 ++++++ extensions/misc.xml | 2 + 3 files changed, 247 insertions(+) create mode 100644 extensions/Authentication_TLS_Certificate.xml create mode 100644 extensions/Channel_Type_Server_TLS_Connection.xml diff --git a/extensions/Authentication_TLS_Certificate.xml b/extensions/Authentication_TLS_Certificate.xml new file mode 100644 index 000000000..1063d085f --- /dev/null +++ b/extensions/Authentication_TLS_Certificate.xml @@ -0,0 +1,191 @@ + + + Copyright © 2010 Collabora Limited + + This library is free software; you can redistribute it and/or +modify it under the terms of the GNU Lesser General Public +License as published by the Free Software Foundation; either +version 2.1 of the License, or (at your option) any later version. + +This library is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +Lesser General Public License for more details. + +You should have received a copy of the GNU Lesser General Public +License along with this library; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + + + + + + This object represents a TLS certificate. + + + + + The raw data contained in a TLS certificate. + + + + + + The possible states for a TLSCertificate.DRAFT + object. + + + + + The certificate has no state associated with it. + + + + + + The certificate has been verified. + + + + + + The certificate has been rejected. + + + + + + + Possible reasons to reject a TLS certificate. + + + + + No reason specified. + + + + + + The certificate has been rejected for another reason + not listed in this enumeration. + + + + + + The certificate is not trusted. + + + + + + The certificate is expired. + + + + + + The certificate is not active yet. + + + + + + The hostname certified does not match the provided one. + + + + + + The certificate is self-signed. + + + + + + The certificate has been revoked. + + + + + + The certificate uses an insecure cipher algorithm. + + + + + + + The current state of this certificate. + State change notifications happen by means of the + StateChanged signal. + + + + + + The reason why this certificate has been rejected. + + + + + + The type of this TLS certificate (e.g. 'x509' or 'pgp'). + + + + + + The RAW PEM-encoded trust chain of this TLS certificate. + + + + + + The state of this TLS certificate has changed. + + + + The new state of the TLS certificate. + + + + + The reason why the state of the TLS certificate changed. + + + + + + + Accepts this certificate, i.e. marks it as verified. + This method doesn't do anything on local certificates. + + + + + + Rejects this certificate. This method doesn't do anything + on local certificates. + + + + The reason why this certificate is being rejected. + + + + + + diff --git a/extensions/Channel_Type_Server_TLS_Connection.xml b/extensions/Channel_Type_Server_TLS_Connection.xml new file mode 100644 index 000000000..47042731f --- /dev/null +++ b/extensions/Channel_Type_Server_TLS_Connection.xml @@ -0,0 +1,54 @@ + + + Copyright © 2010 Collabora Limited + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + + + + + + + +

+ A channel type that carries a TLS certificate between a server + and a client connecting to it.
+ Channels of this kind are never requested, are anonymous, and SHOULD be + dispatched while the + Connection + owning it is in the CONNECTING state.

+

In this case, handlers SHOULD accept or reject the certificate, using + the relevant methods on the provided object, or MAY just close the channel before doing so, to fall + back to a non-interactive verification process done inside the CM.

+

For example, channels of this kind can pop up while a client is + connecting to an XMPP server.

+ + + + + A TLSCertificate.DRAFT + containing the certificate chain as sent by the server, + and other relevant information. + + + + + + diff --git a/extensions/misc.xml b/extensions/misc.xml index 6fe06d8ab..320d488fd 100644 --- a/extensions/misc.xml +++ b/extensions/misc.xml @@ -7,5 +7,7 @@ + + -- cgit v1.2.3 From c41523ab7160693a91640a68f309d5266c5708ad Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Mon, 12 Jul 2010 19:31:54 +0200 Subject: Add the service files for the new client. --- data/Empathy.Auth.client | 6 ++++++ data/Makefile.am | 9 +++++++-- data/org.freedesktop.Telepathy.Client.Empathy.Auth.service.in | 3 +++ 3 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 data/Empathy.Auth.client create mode 100644 data/org.freedesktop.Telepathy.Client.Empathy.Auth.service.in diff --git a/data/Empathy.Auth.client b/data/Empathy.Auth.client new file mode 100644 index 000000000..9b86a8b76 --- /dev/null +++ b/data/Empathy.Auth.client @@ -0,0 +1,6 @@ +[org.freedesktop.Telepathy.Client] +Interfaces=org.freedesktop.Telepathy.Client.Handler + +[org.freedesktop.Telepathy.Client.Handler.HandlerChannelFilter 0] +org.freedesktop.Telepathy.Channel.ChannelType s=org.freedesktop.Telepathy.Channel.Type.ServerTLSConnection.DRAFT +org.freedesktop.Telepathy.Channel.TargetHandleType u=0 diff --git a/data/Makefile.am b/data/Makefile.am index 64054da3f..befd1c926 100644 --- a/data/Makefile.am +++ b/data/Makefile.am @@ -27,7 +27,8 @@ streamingprefs_DATA = \ servicefiledir = $(datadir)/dbus-1/services servicefile_in_files = \ org.freedesktop.Telepathy.Client.Empathy.service.in \ - org.freedesktop.Telepathy.Client.Empathy.AudioVideo.service.in + org.freedesktop.Telepathy.Client.Empathy.AudioVideo.service.in \ + org.freedesktop.Telepathy.Client.Empathy.Auth.service.in servicefile_DATA = $(servicefile_in_files:.service.in=.service) @@ -37,10 +38,14 @@ org.freedesktop.Telepathy.Client.Empathy.service: org.freedesktop.Telepathy.Clie org.freedesktop.Telepathy.Client.Empathy.AudioVideo.service: org.freedesktop.Telepathy.Client.Empathy.AudioVideo.service.in $(AM_V_GEN)sed -e "s|[@]libexecdir[@]|$(libexecdir)|" $< > $@ +org.freedesktop.Telepathy.Client.Empathy.Auth.service: org.freedesktop.Telepathy.Client.Empathy.Auth.service.in + $(AM_V_GEN)sed -e "s|[@]libexecdir[@]|$(libexecdir)|" $< > $@ + clientfiledir = $(datarootdir)/telepathy/clients clientfile_DATA = \ Empathy.client \ - Empathy.AudioVideo.client + Empathy.AudioVideo.client \ + Empathy.Auth.client htmldir = $(datadir)/empathy html_DATA = Template.html diff --git a/data/org.freedesktop.Telepathy.Client.Empathy.Auth.service.in b/data/org.freedesktop.Telepathy.Client.Empathy.Auth.service.in new file mode 100644 index 000000000..938b31df1 --- /dev/null +++ b/data/org.freedesktop.Telepathy.Client.Empathy.Auth.service.in @@ -0,0 +1,3 @@ +[D-BUS Service] +Name=org.freedesktop.Telepathy.Client.Empathy.Auth +Exec=@libexecdir@/empathy-auth-helper \ No newline at end of file -- cgit v1.2.3 From 268f91e2666922f1a7ced025d0a69956a7257e73 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Mon, 12 Jul 2010 19:32:39 +0200 Subject: Add a debug flag for TLS --- libempathy/empathy-debug.c | 1 + libempathy/empathy-debug.h | 1 + 2 files changed, 2 insertions(+) diff --git a/libempathy/empathy-debug.c b/libempathy/empathy-debug.c index 1f29259fd..dd507bc42 100644 --- a/libempathy/empathy-debug.c +++ b/libempathy/empathy-debug.c @@ -52,6 +52,7 @@ static GDebugKey keys[] = { { "ImportMc4Accounts", EMPATHY_DEBUG_IMPORT_MC4_ACCOUNTS }, { "Tests", EMPATHY_DEBUG_TESTS }, { "Voip", EMPATHY_DEBUG_VOIP }, + { "Tls", EMPATHY_DEBUG_TLS }, { 0, } }; diff --git a/libempathy/empathy-debug.h b/libempathy/empathy-debug.h index 0a5c3f697..ece3af73c 100644 --- a/libempathy/empathy-debug.h +++ b/libempathy/empathy-debug.h @@ -46,6 +46,7 @@ typedef enum EMPATHY_DEBUG_IMPORT_MC4_ACCOUNTS = 1 << 11, EMPATHY_DEBUG_TESTS = 1 << 12, EMPATHY_DEBUG_VOIP = 1 << 13, + EMPATHY_DEBUG_TLS = 1 << 14, } EmpathyDebugFlags; gboolean empathy_debug_flag_is_set (EmpathyDebugFlags flag); -- cgit v1.2.3 From 6ce5a087dad56816cb895dbdb2b30ac3a0c1f9a4 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Thu, 22 Jul 2010 19:26:13 +0200 Subject: Unref the handler after the signal. It's useless at that point, as it only carries the TLS certificate; also, if someone wants to keep it, they can always ref it. --- libempathy/empathy-auth-factory.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libempathy/empathy-auth-factory.c b/libempathy/empathy-auth-factory.c index 836be14d2..9d8e16e21 100644 --- a/libempathy/empathy-auth-factory.c +++ b/libempathy/empathy-auth-factory.c @@ -68,6 +68,7 @@ server_tls_handler_ready_cb (GObject *source, { g_signal_emit (self, signals[NEW_SERVER_TLS_HANDLER], 0, handler); + g_object_unref (handler); } } -- cgit v1.2.3 From 7a8b4058baa7f61cf93aa41076047a6f08d0eecb Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Thu, 22 Jul 2010 19:27:07 +0200 Subject: Add the Authentication.TLSCertificate iface --- libempathy/empathy-tls-certificate.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index d50cb6a87..bc5dff0f3 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -22,6 +22,8 @@ #include "empathy-tls-certificate.h" +#include + #define DEBUG_FLAG EMPATHY_DEBUG_TLS #include "empathy-debug.h" #include "empathy-utils.h" @@ -158,6 +160,9 @@ tls_certificate_init_async (GAsyncInitable *initable, "bus-name", priv->bus_name, "dbus-daemon", dbus, NULL); + tp_proxy_add_interface_by_id (priv->proxy, + EMP_IFACE_QUARK_AUTHENTICATION_TLS_CERTIFICATE); + /* call GetAll() on the certificate */ tp_cli_dbus_properties_call_get_all (priv->proxy, -1, EMP_IFACE_AUTHENTICATION_TLS_CERTIFICATE, -- cgit v1.2.3 From 3564f1760938f7312b3cd16f1c8c8227c44ab4ad Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Thu, 22 Jul 2010 19:28:23 +0200 Subject: Add the proxy properties and methods. Mirror them on the GObject itself, for Empathy to use and consume them. --- libempathy/empathy-tls-certificate.c | 96 ++++++++++++++++++++++++++++++++++++ libempathy/empathy-tls-certificate.h | 6 +++ 2 files changed, 102 insertions(+) diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index bc5dff0f3..84103fc29 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -35,6 +35,12 @@ static void async_initable_iface_init (GAsyncInitableIface *iface); enum { PROP_OBJECT_PATH = 1, PROP_BUS_NAME, + + /* proxy properties */ + PROP_CERT_TYPE, + PROP_CERT_DATA, + PROP_STATE, + PROP_REJECT_REASON, LAST_PROPERTY, }; @@ -204,6 +210,18 @@ empathy_tls_certificate_get_property (GObject *object, case PROP_BUS_NAME: g_value_set_string (value, priv->bus_name); break; + case PROP_CERT_TYPE: + g_value_set_string (value, priv->cert_type); + break; + case PROP_CERT_DATA: + g_value_set_boxed (value, priv->cert_data); + break; + case PROP_STATE: + g_value_set_uint (value, priv->state); + break; + case PROP_REJECT_REASON: + g_value_set_uint (value, priv->reject_reason); + break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); break; @@ -262,6 +280,57 @@ empathy_tls_certificate_class_init (EmpathyTLSCertificateClass *klass) NULL, G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS); g_object_class_install_property (oclass, PROP_BUS_NAME, pspec); + + pspec = g_param_spec_string ("cert-type", "Certificate type", + "The type of this certificate.", + NULL, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_CERT_TYPE, pspec); + + pspec = g_param_spec_boxed ("cert-data", "Certificate chain data", + "The raw PEM-encoded certificate chain data.", + array_of_ay_get_type (), + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_CERT_DATA, pspec); + + pspec = g_param_spec_uint ("state", "State", + "The state of this certificate.", + EMP_TLS_CERTIFICATE_STATE_NONE, NUM_EMP_TLS_CERTIFICATE_STATES -1, + EMP_TLS_CERTIFICATE_STATE_NONE, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_STATE, pspec); + + pspec = g_param_spec_uint ("reject-reason", "Reject reason", + "The reason why this certificate was rejected.", + EMP_TLS_CERTIFICATE_REJECT_REASON_NONE, + NUM_EMP_TLS_CERTIFICATE_REJECT_REASONS -1, + EMP_TLS_CERTIFICATE_REJECT_REASON_NONE, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_REJECT_REASON, pspec); +} + +static void +cert_proxy_accept_cb (TpProxy *proxy, + const GError *error, + gpointer user_data, + GObject *weak_object) +{ + DEBUG ("Callback for accept(), error %p", error); + + if (error != NULL) + DEBUG ("Error was %s", error->message); +} + +static void +cert_proxy_reject_cb (TpProxy *proxy, + const GError *error, + gpointer user_data, + GObject *weak_object) +{ + DEBUG ("Callback for reject(), error %p", error); + + if (error != NULL) + DEBUG ("Error was %s", error->message); } void @@ -295,3 +364,30 @@ empathy_tls_certificate_new_finish (GAsyncResult *res, else return NULL; } + +void +empathy_tls_certificate_accept (EmpathyTLSCertificate *self) +{ + EmpathyTLSCertificatePriv *priv = GET_PRIV (self); + + g_assert (EMPATHY_IS_TLS_CERTIFICATE (self)); + + DEBUG ("Accepting TLS certificate"); + + emp_cli_authentication_tls_certificate_call_accept (priv->proxy, + -1, cert_proxy_accept_cb, NULL, NULL, G_OBJECT (self)); +} + +void +empathy_tls_certificate_reject (EmpathyTLSCertificate *self, + EmpTLSCertificateRejectReason reason) +{ + EmpathyTLSCertificatePriv *priv = GET_PRIV (self); + + g_assert (EMPATHY_IS_TLS_CERTIFICATE (self)); + + DEBUG ("Rejecting TLS certificate with reason %u", reason); + + emp_cli_authentication_tls_certificate_call_reject (priv->proxy, + -1, reason, cert_proxy_reject_cb, NULL, NULL, G_OBJECT (self)); +} diff --git a/libempathy/empathy-tls-certificate.h b/libempathy/empathy-tls-certificate.h index de856be1e..473134044 100644 --- a/libempathy/empathy-tls-certificate.h +++ b/libempathy/empathy-tls-certificate.h @@ -24,6 +24,8 @@ #include #include +#include + G_BEGIN_DECLS typedef struct _EmpathyTLSCertificate EmpathyTLSCertificate; @@ -64,6 +66,10 @@ void empathy_tls_certificate_new_async (const gchar *bus_name, EmpathyTLSCertificate * empathy_tls_certificate_new_finish (GAsyncResult * res, GError **error); +void empathy_tls_certificate_accept (EmpathyTLSCertificate *self); +void empathy_tls_certificate_reject (EmpathyTLSCertificate *self, + EmpTLSCertificateRejectReason reason); + G_END_DECLS #endif /* #ifndef __EMPATHY_TLS_CERTIFICATE_H__*/ -- cgit v1.2.3 From ce6b6bc1f8662ff24ec44fb76e869394b3f64328 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Mon, 9 Aug 2010 12:27:09 +0200 Subject: Update to the merged spec. --- extensions/Authentication_TLS_Certificate.xml | 175 ++++++++++++++++++---- extensions/Channel_Type_Server_TLS_Connection.xml | 27 ++-- 2 files changed, 159 insertions(+), 43 deletions(-) diff --git a/extensions/Authentication_TLS_Certificate.xml b/extensions/Authentication_TLS_Certificate.xml index 1063d085f..56e378f4c 100644 --- a/extensions/Authentication_TLS_Certificate.xml +++ b/extensions/Authentication_TLS_Certificate.xml @@ -26,8 +26,17 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - - The raw data contained in a TLS certificate. + +

The raw data contained in a TLS certificate.

+ +

For X.509 certificates (CertificateType + = "x509"), this MUST be in DER format, as defined by the + X.690 + ITU standard.

+ +

For PGP certificates (CertificateType + = "pgp"), this MUST be a binary OpenPGP key as defined by section 11.1 + of RFC 4880.

 @@ -38,13 +47,13 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. object. - + - The certificate has no state associated with it. + The certificate is currently waiting to be accepted or rejected. - + The certificate has been verified. @@ -62,37 +71,38 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Possible reasons to reject a TLS certificate. - - - No reason specified. - - - - + The certificate has been rejected for another reason not listed in this enumeration. - + The certificate is not trusted. - + The certificate is expired. - + The certificate is not active yet. + + + The certificate provided does not have the expected + fingerprint. + + + The hostname certified does not match the provided one. @@ -111,9 +121,18 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - + + + The certificate uses an insecure cipher algorithm, or is + cryptographically weak. + + + + - The certificate uses an insecure cipher algorithm. + The length in bytes of the certificate, or the depth of the + certificate chain exceed the limits imposed by the crypto + library. @@ -124,7 +143,64 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. The current state of this certificate. State change notifications happen by means of the - StateChanged signal. + Accepted and + Rejected signals. + + + + + +

If the State is Rejected, + the reason why the certificate was rejected; this MAY correspond to + the RejectReason, or MAY be a more + specific D-Bus error name, perhaps implementation-specific.

+

If the State is not Rejected, + this property is not meaningful, and SHOULD be set to an empty + string.

+ + + + + +

If the State is Rejected, + additional information about why the certificate was rejected.

+

If the State is not Rejected, + this property is not meaningful and SHOULD be set to an empty + map.

+

The additional information MAY also include + one or more of the following well-known keys:

+
+
user-requested (b)
+
True if the error was due to an user-requested rejection of + the certificate; False if there was an unrecoverable error in the + verification process.
+
expected-hostname (s)
+
If the rejection reason is Hostname_Mismatch, the hostname that + the server certificate was expected to have.
+
certificate-hostname (s)
+
If the rejection reason is Hostname_Mismatch, the hostname of + the certificate that was presented. + +

For instance, if you try to connect to gmail.com but are presented + with a TLS certificate issued to evil.example.org, the error details + for Hostname_Mismatch MAY include:

+ 
+	      {
+	        'expected-hostname': 'gmail.com',
+	        'certificate-hostname': 'evil.example.org',
+	      }
+
+ +
+
debug-message (s)
+
Debugging information on the error, corresponding to the + message part of a D-Bus error message, which SHOULD NOT be + displayed to users under normal circumstances
+
@@ -132,7 +208,15 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. tp:type="TLS_Certificate_Reject_Reason" tp:name-for-bindings="Reject_Reason"> - The reason why this certificate has been rejected. + If the State is Rejected, the + reason why the certificate was rejected. + + Clients that do not understand the RejectError, + which may be implementation-specific, can use this property to + classify rejection reasons into common categories. + + Otherwise, this property is not meaningful, and SHOULD be set to + Unknown. @@ -140,29 +224,46 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. tp:name-for-bindings="Certificate_Type"> The type of this TLS certificate (e.g. 'x509' or 'pgp'). +

This property is immutable

 - - The RAW PEM-encoded trust chain of this TLS certificate. + +

One or more TLS certificates forming a trust chain, each encoded as + specified by Certificate_Data.

+

The first certificate in the chain MUST be the server certificate, + followed by the issuer's certificate, followed by the issuer's issuer + and so on.

 - + - The state of this TLS certificate has changed. + The State of this certificate has changed to Accepted. - + + + + + The State of this certificate has changed to Rejected. + + - The new state of the TLS certificate. + The new value of RejectReason. - + - The reason why the state of the TLS certificate changed. + The new value of RejectError. + + + + + The new value of RejectDetails @@ -170,19 +271,29 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Accepts this certificate, i.e. marks it as verified. - This method doesn't do anything on local certificates. - Rejects this certificate. This method doesn't do anything - on local certificates. + Rejects this certificate. - The reason why this certificate is being rejected. + The new value of RejectReason. + + + + + The new value of RejectError. + + + + + The new value of RejectDetails. diff --git a/extensions/Channel_Type_Server_TLS_Connection.xml b/extensions/Channel_Type_Server_TLS_Connection.xml index 47042731f..af11218a9 100644 --- a/extensions/Channel_Type_Server_TLS_Connection.xml +++ b/extensions/Channel_Type_Server_TLS_Connection.xml @@ -24,16 +24,20 @@ -

- A channel type that carries a TLS certificate between a server - and a client connecting to it.
- Channels of this kind are never requested, are anonymous, and SHOULD be - dispatched while the - Connection - owning it is in the CONNECTING state.

+

A channel type that carries a TLS certificate between a server + and a client connecting to it.

+

Channels of this kind always have Requested = False, + TargetHandleType + = None and TargetHandle + = 0, and cannot be requested with methods such as CreateChannel. + Also, they SHOULD be dispatched while the + Connection + owning them is in the CONNECTING state.

In this case, handlers SHOULD accept or reject the certificate, using - the relevant methods on the provided object, or MAY just close the channel before doing so, to fall + the relevant methods on the provided object, or MAY just Close the channel before doing so, to fall back to a non-interactive verification process done inside the CM.

For example, channels of this kind can pop up while a client is connecting to an XMPP server.

@@ -42,10 +46,11 @@ - A A TLSCertificate.DRAFT containing the certificate chain as sent by the server, - and other relevant information. + and other relevant information.

+

This property is immutable.

 -- cgit v1.2.3 From 2f63c0828065d86239a6ff6ebbb8b07ddc929046 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Mon, 9 Aug 2010 12:27:47 +0200 Subject: Update for the new tp-spec API --- libempathy/empathy-tls-certificate.c | 70 ++++++++++++++++++++++++++++++++---- libempathy/empathy-tls-certificate.h | 3 +- 2 files changed, 66 insertions(+), 7 deletions(-) diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index 84103fc29..01ae25cd6 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -295,16 +295,16 @@ empathy_tls_certificate_class_init (EmpathyTLSCertificateClass *klass) pspec = g_param_spec_uint ("state", "State", "The state of this certificate.", - EMP_TLS_CERTIFICATE_STATE_NONE, NUM_EMP_TLS_CERTIFICATE_STATES -1, - EMP_TLS_CERTIFICATE_STATE_NONE, + EMP_TLS_CERTIFICATE_STATE_PENDING, NUM_EMP_TLS_CERTIFICATE_STATES -1, + EMP_TLS_CERTIFICATE_STATE_PENDING, G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); g_object_class_install_property (oclass, PROP_STATE, pspec); pspec = g_param_spec_uint ("reject-reason", "Reject reason", "The reason why this certificate was rejected.", - EMP_TLS_CERTIFICATE_REJECT_REASON_NONE, + EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN, NUM_EMP_TLS_CERTIFICATE_REJECT_REASONS -1, - EMP_TLS_CERTIFICATE_REJECT_REASON_NONE, + EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN, G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); g_object_class_install_property (oclass, PROP_REJECT_REASON, pspec); } @@ -333,6 +333,54 @@ cert_proxy_reject_cb (TpProxy *proxy, DEBUG ("Error was %s", error->message); } +static const gchar * +reject_reason_get_dbus_error (EmpTLSCertificateRejectReason reason) +{ + const gchar *retval = NULL; + + switch (reason) + { + case EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_INVALID); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_UNTRUSTED); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_EXPIRED); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_NOT_ACTIVATED); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_FINGERPRINT_MISMATCH: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_FINGERPRINT_MISMATCH); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_HOSTNAME_MISMATCH); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED: + retval = tp_error_get_dbus_name (TP_ERROR_CERT_SELF_SIGNED); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_REVOKED: + /* FIXME */ + retval = "org.freedesktop.Telepathy.Error.Cert.Revoked"; + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE: + /* FIXME */ + retval = "org.freedesktop.Telepathy.Error.Cert.Insecure"; + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED: + /* FIXME */ + retval = "org.freedesktop.Telepathy.Error.Cert.LimitExceeded"; + break; + default: + g_assert_not_reached (); + break; + } + + return retval; +} + void empathy_tls_certificate_new_async (const gchar *bus_name, const gchar *object_path, @@ -380,14 +428,24 @@ empathy_tls_certificate_accept (EmpathyTLSCertificate *self) void empathy_tls_certificate_reject (EmpathyTLSCertificate *self, - EmpTLSCertificateRejectReason reason) + EmpTLSCertificateRejectReason reason, + gboolean user_requested) { + GHashTable *details; + const gchar *dbus_error; EmpathyTLSCertificatePriv *priv = GET_PRIV (self); g_assert (EMPATHY_IS_TLS_CERTIFICATE (self)); DEBUG ("Rejecting TLS certificate with reason %u", reason); + dbus_error = reject_reason_get_dbus_error (reason); + details = tp_asv_new ("user-requested", G_TYPE_BOOLEAN, user_requested, + NULL); + emp_cli_authentication_tls_certificate_call_reject (priv->proxy, - -1, reason, cert_proxy_reject_cb, NULL, NULL, G_OBJECT (self)); + -1, reason, dbus_error, details, + cert_proxy_reject_cb, NULL, NULL, G_OBJECT (self)); + + g_hash_table_unref (details); } diff --git a/libempathy/empathy-tls-certificate.h b/libempathy/empathy-tls-certificate.h index 473134044..c79c26abd 100644 --- a/libempathy/empathy-tls-certificate.h +++ b/libempathy/empathy-tls-certificate.h @@ -68,7 +68,8 @@ EmpathyTLSCertificate * empathy_tls_certificate_new_finish (GAsyncResult * res, void empathy_tls_certificate_accept (EmpathyTLSCertificate *self); void empathy_tls_certificate_reject (EmpathyTLSCertificate *self, - EmpTLSCertificateRejectReason reason); + EmpTLSCertificateRejectReason reason, + gboolean user_requested); G_END_DECLS -- cgit v1.2.3 From 6a16791dc335fed6706352e1612893f312a80a3f Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 11 Aug 2010 18:33:08 +0200 Subject: Add EmpathyTLSVerifier This also introduces a dependency on GnuTLS --- configure.ac | 1 + libempathy/Makefile.am | 2 + libempathy/empathy-tls-verifier.c | 558 ++++++++++++++++++++++++++++++++++++++ libempathy/empathy-tls-verifier.h | 78 ++++++ src/empathy-auth-helper.c | 9 + 5 files changed, 648 insertions(+) create mode 100644 libempathy/empathy-tls-verifier.c create mode 100644 libempathy/empathy-tls-verifier.h diff --git a/configure.ac b/configure.ac index dc21815fe..a09b476e4 100644 --- a/configure.ac +++ b/configure.ac @@ -153,6 +153,7 @@ PKG_CHECK_MODULES(EMPATHY, gio-2.0 >= $GLIB_REQUIRED gio-unix-2.0 >= $GLIB_REQUIRED gnome-keyring-1 >= $KEYRING_REQUIRED + gnutls gobject-2.0 gstreamer-0.10 gstreamer-interfaces-0.10 diff --git a/libempathy/Makefile.am b/libempathy/Makefile.am index 7a1f16a3e..9b0dcfb92 100644 --- a/libempathy/Makefile.am +++ b/libempathy/Makefile.am @@ -53,6 +53,7 @@ libempathy_headers = \ empathy-status-presets.h \ empathy-time.h \ empathy-tls-certificate.h \ + empathy-tls-verifier.h \ empathy-tp-call.h \ empathy-tp-chat.h \ empathy-tp-contact-factory.h \ @@ -90,6 +91,7 @@ libempathy_la_SOURCES = \ empathy-status-presets.c \ empathy-time.c \ empathy-tls-certificate.c \ + empathy-tls-verifier.c \ empathy-tp-call.c \ empathy-tp-chat.c \ empathy-tp-contact-factory.c \ diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c new file mode 100644 index 000000000..55688f99c --- /dev/null +++ b/libempathy/empathy-tls-verifier.c @@ -0,0 +1,558 @@ +/* + * empathy-tls-verifier.c - Source for EmpathyTLSVerifier + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include + +#include +#include + +#include + +#include "empathy-tls-verifier.h" + +#define DEBUG_FLAG EMPATHY_DEBUG_TLS +#include "empathy-debug.h" +#include "empathy-utils.h" + +G_DEFINE_TYPE (EmpathyTLSVerifier, empathy_tls_verifier, + G_TYPE_OBJECT) + +#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSVerifier); + +enum { + PROP_TLS_CERTIFICATE = 1, + PROP_HOSTNAME, + + LAST_PROPERTY, +}; + +static const gchar* system_ca_paths[] = { + "/etc/ssl/certs/ca-certificates.crt", + NULL, +}; + +typedef struct { + GPtrArray *cert_chain; + + GPtrArray *trusted_ca_list; + GPtrArray *trusted_crl_list; + + EmpathyTLSCertificate *certificate; + gchar *hostname; + + GSimpleAsyncResult *verify_result; + + gboolean dispose_run; +} EmpathyTLSVerifierPriv; + +static gnutls_x509_crt_t * +ptr_array_to_x509_crt_list (GPtrArray *chain) +{ + gnutls_x509_crt_t *retval; + gint idx; + + retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * chain->len); + + for (idx = 0; idx < (gint) chain->len; idx++) + retval[idx] = g_ptr_array_index (chain, idx); + + return retval; +} + +static gboolean +verification_output_to_reason (gint res, + guint verify_output, + EmpTLSCertificateRejectReason *reason) +{ + gboolean retval = TRUE; + + if (res != GNUTLS_E_SUCCESS) + { + retval = FALSE; + + /* the certificate is not structurally valid */ + switch (res) + { + case GNUTLS_E_INSUFFICIENT_CREDENTIALS: + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED; + break; + case GNUTLS_E_CONSTRAINT_ERROR: + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED; + break; + default: + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + break; + } + + goto out; + } + + /* the certificate is structurally valid, check for other errors. */ + if (verify_output & GNUTLS_CERT_INVALID) + { + retval = FALSE; + + if (verify_output & GNUTLS_CERT_SIGNER_NOT_FOUND) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED; + else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED; + else if (verify_output & GNUTLS_CERT_INSECURE_ALGORITHM) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE; + else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED; + else if (verify_output & GNUTLS_CERT_EXPIRED) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED; + else + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + + goto out; + } + + out: + return retval; +} + +static gboolean +verify_last_certificate (EmpathyTLSVerifier *self, + gnutls_x509_crt_t cert, + EmpTLSCertificateRejectReason *reason) +{ + guint verify_output; + gint res; + gnutls_x509_crt_t *trusted_ca_list; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list); + res = gnutls_x509_crt_verify (cert, trusted_ca_list, + priv->trusted_ca_list->len, 0, &verify_output); + + g_free (trusted_ca_list); + + return verification_output_to_reason (res, verify_output, reason); +} + +static gboolean +verify_certificate (EmpathyTLSVerifier *self, + gnutls_x509_crt_t cert, + gnutls_x509_crt_t issuer, + EmpTLSCertificateRejectReason *reason) +{ + guint verify_output; + gint res; + + res = gnutls_x509_crt_verify (cert, &issuer, 1, 0, &verify_output); + + return verification_output_to_reason (res, verify_output, reason); +} + +static void +complete_verification (EmpathyTLSVerifier *self) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + DEBUG ("Verification successful, completing..."); + + g_simple_async_result_complete_in_idle (priv->verify_result); + + tp_clear_object (&priv->verify_result); +} + +static void +abort_verification (EmpathyTLSVerifier *self, + EmpTLSCertificateRejectReason reason) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + DEBUG ("Verification error %u, aborting...", reason); + + g_simple_async_result_set_error (priv->verify_result, + G_IO_ERROR, reason, "TLS verification failed with reason %u", + reason); + g_simple_async_result_complete_in_idle (priv->verify_result); + + tp_clear_object (&priv->verify_result); +} + +static void +real_start_verification (EmpathyTLSVerifier *self) +{ + gnutls_x509_crt_t last_cert; + gint idx; + gboolean res = FALSE; + gint num_certs; + EmpTLSCertificateRejectReason reason = + EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + num_certs = priv->cert_chain->len; + + DEBUG ("Starting verification"); + + if (priv->trusted_ca_list->len > 0) + { + /* if the last certificate is self-signed, ignore it, as we want to check + * the chain against our trusted CA list first. + */ + last_cert = g_ptr_array_index (priv->cert_chain, num_certs - 1); + + if (gnutls_x509_crt_check_issuer (last_cert, last_cert) > 0) + num_certs--; + } + + for (idx = 1; idx < num_certs; idx++) + { + res = verify_certificate (self, + g_ptr_array_index (priv->cert_chain, idx -1), + g_ptr_array_index (priv->cert_chain, idx), + &reason); + + DEBUG ("Certificate verification %d gave result %d with reason %u", idx, + res, reason); + + if (!res) + { + abort_verification (self, reason); + return; + } + } + + if (priv->trusted_ca_list->len > 0) + { + res = verify_last_certificate (self, + g_ptr_array_index (priv->cert_chain, num_certs), + &reason); + } + + if (!res) + { + abort_verification (self, reason); + return; + } + + complete_verification (self); +} + +static gboolean +start_verification (gpointer user_data) +{ + EmpathyTLSVerifier *self = user_data; + + real_start_verification (self); + + return FALSE; +} + +static void +build_gnutls_cert_list (EmpathyTLSVerifier *self) +{ + guint num_certs; + guint idx; + GPtrArray *certificate_data = NULL; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + g_object_get (priv->certificate, + "cert-data", &certificate_data, + NULL); + num_certs = certificate_data->len; + + priv->cert_chain = g_ptr_array_sized_new (num_certs); + + for (idx = 0; idx < num_certs; idx++) + { + gnutls_x509_crt_t cert; + GArray *one_cert; + gnutls_datum_t datum = { NULL, 0 }; + + one_cert = g_ptr_array_index (certificate_data, idx); + datum.data = (guchar *) one_cert->data; + datum.size = one_cert->len; + + gnutls_x509_crt_init (&cert); + gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER); + + g_ptr_array_add (priv->cert_chain, cert); + } +} + +static gint +get_number_and_type_of_certificates (gnutls_datum_t *datum, + gnutls_x509_crt_fmt_t *format) +{ + gnutls_x509_crt_t fake; + gint retval = 1; + gint res; + + res = gnutls_x509_crt_list_import (&fake, (guint *) &retval, datum, + GNUTLS_X509_FMT_PEM, 0); + + if (res == GNUTLS_E_SHORT_MEMORY_BUFFER || res > 0) + { + *format = GNUTLS_X509_FMT_PEM; + return retval; + } + + /* try DER */ + res = gnutls_x509_crt_list_import (&fake, (guint *) &retval, datum, + GNUTLS_X509_FMT_DER, 0); + + if (res > 0) + { + *format = GNUTLS_X509_FMT_DER; + return retval; + } + + return res; +} + +static gboolean +build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job, + GCancellable *cancellable, + gpointer user_data) +{ + gint idx; + EmpathyTLSVerifier *self = user_data; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + priv->trusted_ca_list = g_ptr_array_new (); + + for (idx = 0; idx < (gint) G_N_ELEMENTS (system_ca_paths) - 1; idx++) + { + const gchar *path; + gchar *contents = NULL; + gsize length = 0; + gint res, n_certs; + gnutls_x509_crt_t *cert_list; + gnutls_datum_t datum = { NULL, 0 }; + gnutls_x509_crt_fmt_t format = 0; + GError *error = NULL; + + path = system_ca_paths[idx]; + g_file_get_contents (path, &contents, &length, &error); + + if (error != NULL) + { + DEBUG ("Unable to read system CAs from path %s", path); + g_error_free (error); + continue; + } + + datum.data = (guchar *) contents; + datum.size = length; + n_certs = get_number_and_type_of_certificates (&datum, &format); + + if (n_certs < 0) + { + DEBUG ("Unable to parse the system CAs from path %s: GnuTLS " + "returned error %d", path, n_certs); + + g_free (contents); + continue; + } + + cert_list = g_malloc0 (sizeof (gnutls_x509_crt_t) * n_certs); + res = gnutls_x509_crt_list_import (cert_list, (guint *) &n_certs, &datum, + format, 0); + + if (res < 0) + { + DEBUG ("Unable to import system CAs from path %s; " + "GnuTLS returned error %d", path, res); + + g_free (contents); + continue; + } + + DEBUG ("Successfully imported %d system CA certificates from path %s", + n_certs, path); + + /* append the newly created cert structutes into the global GPtrArray */ + for (idx = 0; idx < n_certs; idx++) + g_ptr_array_add (priv->trusted_ca_list, cert_list[idx]); + + g_free (contents); + } + + /* TODO: do the CRL too */ + + g_io_scheduler_job_send_to_mainloop_async (job, + start_verification, self, NULL); + + return FALSE; +} + +static void +empathy_tls_verifier_get_property (GObject *object, + guint property_id, + GValue *value, + GParamSpec *pspec) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_TLS_CERTIFICATE: + g_value_set_object (value, priv->certificate); + break; + case PROP_HOSTNAME: + g_value_set_string (value, priv->hostname); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_tls_verifier_set_property (GObject *object, + guint property_id, + const GValue *value, + GParamSpec *pspec) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_TLS_CERTIFICATE: + priv->certificate = g_value_dup_object (value); + break; + case PROP_HOSTNAME: + priv->hostname = g_value_dup_string (value); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_tls_verifier_dispose (GObject *object) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + if (priv->dispose_run) + return; + + priv->dispose_run = TRUE; + + tp_clear_object (&priv->certificate); + + G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->dispose (object); +} + +static void +empathy_tls_verifier_finalize (GObject *object) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + DEBUG ("%p", object); + + g_free (priv->hostname); + + G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object); +} + +static void +empathy_tls_verifier_constructed (GObject *object) +{ + EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (object); + + build_gnutls_cert_list (self); + + if (G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed != NULL) + G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed (object); +} + +static void +empathy_tls_verifier_init (EmpathyTLSVerifier *self) +{ + self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self, + EMPATHY_TYPE_TLS_VERIFIER, EmpathyTLSVerifierPriv); +} + +static void +empathy_tls_verifier_class_init (EmpathyTLSVerifierClass *klass) +{ + GParamSpec *pspec; + GObjectClass *oclass = G_OBJECT_CLASS (klass); + + g_type_class_add_private (klass, sizeof (EmpathyTLSVerifierPriv)); + + oclass->set_property = empathy_tls_verifier_set_property; + oclass->get_property = empathy_tls_verifier_get_property; + oclass->finalize = empathy_tls_verifier_finalize; + oclass->dispose = empathy_tls_verifier_dispose; + oclass->constructed = empathy_tls_verifier_constructed; + + pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate", + "The EmpathyTLSCertificate to be verified.", + EMPATHY_TYPE_TLS_CERTIFICATE, + G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec); + + pspec = g_param_spec_string ("hostname", "The hostname", + "The hostname which should be certified by the certificate.", + NULL, + G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_HOSTNAME, pspec); +} + +EmpathyTLSVerifier * +empathy_tls_verifier_new (EmpathyTLSCertificate *certificate, + const gchar *hostname) +{ + g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate)); + g_assert (hostname != NULL); + + return g_object_new (EMPATHY_TYPE_TLS_VERIFIER, + "certificate", certificate, + "hostname", hostname, + NULL); +} + +void +empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self, + GAsyncReadyCallback callback, + gpointer user_data) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + priv->verify_result = g_simple_async_result_new (G_OBJECT (self), + callback, user_data, NULL); + + g_io_scheduler_push_job (build_gnutls_ca_and_crl_lists, + self, NULL, G_PRIORITY_DEFAULT, NULL); +} + +gboolean +empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self, + GAsyncResult *res, + EmpTLSCertificateRejectReason *reason, + GError **error) +{ + if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res), + error)) + { + *reason = (*error)->code; + return FALSE; + } + + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + return TRUE; +} diff --git a/libempathy/empathy-tls-verifier.h b/libempathy/empathy-tls-verifier.h new file mode 100644 index 000000000..b4cc1fcb7 --- /dev/null +++ b/libempathy/empathy-tls-verifier.h @@ -0,0 +1,78 @@ +/* + * empathy-tls-verifier.h - Header for EmpathyTLSVerifier + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __EMPATHY_TLS_VERIFIER_H__ +#define __EMPATHY_TLS_VERIFIER_H__ + +#include +#include + +#include + +#include + +G_BEGIN_DECLS + +typedef struct _EmpathyTLSVerifier EmpathyTLSVerifier; +typedef struct _EmpathyTLSVerifierClass EmpathyTLSVerifierClass; + +struct _EmpathyTLSVerifierClass { + GObjectClass parent_class; +}; + +struct _EmpathyTLSVerifier { + GObject parent; + gpointer priv; +}; + +GType empathy_tls_verifier_get_type (void); + +#define EMPATHY_TYPE_TLS_VERIFIER \ + (empathy_tls_verifier_get_type ()) +#define EMPATHY_TLS_VERIFIER(obj) \ + (G_TYPE_CHECK_INSTANCE_CAST((obj), EMPATHY_TYPE_TLS_VERIFIER, \ + EmpathyTLSVerifier)) +#define EMPATHY_TLS_VERIFIER_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_CAST((klass), EMPATHY_TYPE_TLS_VERIFIER, \ + EmpathyTLSVerifierClass)) +#define EMPATHY_IS_TLS_VERIFIER(obj) \ + (G_TYPE_CHECK_INSTANCE_TYPE((obj), EMPATHY_TYPE_TLS_VERIFIER)) +#define EMPATHY_IS_TLS_VERIFIER_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_TYPE((klass), EMPATHY_TYPE_TLS_VERIFIER)) +#define EMPATHY_TLS_VERIFIER_GET_CLASS(obj) \ + (G_TYPE_INSTANCE_GET_CLASS ((obj), EMPATHY_TYPE_TLS_VERIFIER, \ + EmpathyTLSVerifierClass)) + +EmpathyTLSVerifier * empathy_tls_verifier_new ( + EmpathyTLSCertificate *certificate, + const gchar *hostname); + +void empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self, + GAsyncReadyCallback callback, + gpointer user_data); + +gboolean empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self, + GAsyncResult *res, + EmpTLSCertificateRejectReason *reason, + GError **error); + +G_END_DECLS + +#endif /* #ifndef __EMPATHY_TLS_VERIFIER_H__*/ diff --git a/src/empathy-auth-helper.c b/src/empathy-auth-helper.c index db22327fc..aaee48ec1 100644 --- a/src/empathy-auth-helper.c +++ b/src/empathy-auth-helper.c @@ -38,7 +38,16 @@ auth_factory_new_handler_cb (EmpathyAuthFactory *factory, EmpathyServerTLSHandler *handler, gpointer user_data) { + EmpathyTLSCertificate *certificate; + DEBUG ("New TLS server handler received from the factory"); + + certificate = g_object_ref ( + empathy_server_tls_handler_get_certificate (handler)); + + empathy_tls_certificate_accept (certificate); + + g_object_unref (certificate); } int -- cgit v1.2.3 From b5e5d4af88422f5afc0377bb20a0863520911837 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 11 Aug 2010 18:33:36 +0200 Subject: Update spec snapshot --- extensions/Authentication_TLS_Certificate.xml | 308 +++++++++++----------- extensions/Channel_Type_Server_TLS_Connection.xml | 26 +- 2 files changed, 173 insertions(+), 161 deletions(-) diff --git a/extensions/Authentication_TLS_Certificate.xml b/extensions/Authentication_TLS_Certificate.xml index 56e378f4c..709ea282c 100644 --- a/extensions/Authentication_TLS_Certificate.xml +++ b/extensions/Authentication_TLS_Certificate.xml @@ -18,285 +18,287 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + tp:causes-havoc="experimental"> + (draft 1) This object represents a TLS certificate. + type="ay"> -

The raw data contained in a TLS certificate.

+

The raw data contained in a TLS certificate.

-

For X.509 certificates (CertificateType - = "x509"), this MUST be in DER format, as defined by the - X.690 - ITU standard.

+

For X.509 certificates (CertificateType + = "x509"), this MUST be in DER format, as defined by the + X.690 + ITU standard.

-

For PGP certificates (CertificateType - = "pgp"), this MUST be a binary OpenPGP key as defined by section 11.1 - of RFC 4880.

+

For PGP certificates (CertificateType + = "pgp"), this MUST be a binary OpenPGP key as defined by section 11.1 + of RFC 4880.

 - The possible states for a TLSCertificate.DRAFT - object. + The possible states for a TLSCertificate.DRAFT + object. - - The certificate is currently waiting to be accepted or rejected. - + + The certificate is currently waiting to be accepted or rejected. + - - The certificate has been verified. - + + The certificate has been verified. + - - The certificate has been rejected. - + + The certificate has been rejected. + - Possible reasons to reject a TLS certificate. + Possible reasons to reject a TLS certificate. - - The certificate has been rejected for another reason - not listed in this enumeration. - + + The certificate has been rejected for another reason + not listed in this enumeration. + - - The certificate is not trusted. - + + The certificate is not trusted. + - - The certificate is expired. - + + The certificate is expired. + - - The certificate is not active yet. - + + The certificate is not active yet. + - - The certificate provided does not have the expected - fingerprint. - + + The certificate provided does not have the expected + fingerprint. + - - The hostname certified does not match the provided one. - + + The hostname certified does not match the provided one. + - - The certificate is self-signed. - + + The certificate is self-signed. + - - The certificate has been revoked. - + + The certificate has been revoked. + - - The certificate uses an insecure cipher algorithm, or is - cryptographically weak. - + + The certificate uses an insecure cipher algorithm, or is + cryptographically weak. + - - The length in bytes of the certificate, or the depth of the - certificate chain exceed the limits imposed by the crypto - library. - + + The length in bytes of the certificate, or the depth of the + certificate chain exceed the limits imposed by the crypto + library. + + tp:type="TLS_Certificate_State" + tp:name-for-bindings="State"> - The current state of this certificate. - State change notifications happen by means of the - Accepted and - Rejected signals. + The current state of this certificate. + State change notifications happen by means of the + Accepted and + Rejected signals. + tp:type="DBus_Error_Name" + tp:name-for-bindings="Reject_Error"> -

If the State is Rejected, - the reason why the certificate was rejected; this MAY correspond to - the RejectReason, or MAY be a more - specific D-Bus error name, perhaps implementation-specific.

-

If the State is not Rejected, - this property is not meaningful, and SHOULD be set to an empty - string.

+

If the State is Rejected, + the reason why the certificate was rejected; this MAY correspond to + the RejectReason, or MAY be a more + specific D-Bus error name, perhaps implementation-specific.

+

If the State is not Rejected, + this property is not meaningful, and SHOULD be set to an empty + string.

 + tp:type="String_Variant_Map" + tp:name-for-bindings="Reject_Details"> -

If the State is Rejected, - additional information about why the certificate was rejected.

-

If the State is not Rejected, - this property is not meaningful and SHOULD be set to an empty - map.

-

The additional information MAY also include - one or more of the following well-known keys:

-
-
user-requested (b)
-
True if the error was due to an user-requested rejection of - the certificate; False if there was an unrecoverable error in the - verification process.
-
expected-hostname (s)
-
If the rejection reason is Hostname_Mismatch, the hostname that - the server certificate was expected to have.
-
certificate-hostname (s)
-
If the rejection reason is Hostname_Mismatch, the hostname of - the certificate that was presented. - -

For instance, if you try to connect to gmail.com but are presented - with a TLS certificate issued to evil.example.org, the error details - for Hostname_Mismatch MAY include:

- 
-	      {
-	        'expected-hostname': 'gmail.com',
-	        'certificate-hostname': 'evil.example.org',
-	      }
-
- -
+

If the State is Rejected, + additional information about why the certificate was rejected.

+

If the State is not Rejected, + this property is not meaningful and SHOULD be set to an empty + map.

+

The additional information MAY also include + one or more of the following well-known keys:

+
+
user-requested (b)
+
True if the error was due to an user-requested rejection of + the certificate; False if there was an unrecoverable error in the + verification process.
+
expected-hostname (s)
+
If the rejection reason is Hostname_Mismatch, the hostname that + the server certificate was expected to have.
+
certificate-hostname (s)
+
If the rejection reason is Hostname_Mismatch, the hostname of + the certificate that was presented. + +

For instance, if you try to connect to gmail.com but are presented + with a TLS certificate issued to evil.example.org, the error details + for Hostname_Mismatch MAY include:

+ 
+              {
+                'expected-hostname': 'gmail.com',
+                'certificate-hostname': 'evil.example.org',
+              }
+
+ +
debug-message (s)
Debugging information on the error, corresponding to the message part of a D-Bus error message, which SHOULD NOT be displayed to users under normal circumstances
-
+
+ tp:type="TLS_Certificate_Reject_Reason" + tp:name-for-bindings="Reject_Reason"> - If the State is Rejected, the - reason why the certificate was rejected. - - Clients that do not understand the RejectError, - which may be implementation-specific, can use this property to - classify rejection reasons into common categories. - - Otherwise, this property is not meaningful, and SHOULD be set to - Unknown. + If the State is Rejected, the + reason why the certificate was rejected. + + Clients that do not understand the RejectError, + which may be implementation-specific, can use this property to + classify rejection reasons into common categories. + + Otherwise, this property is not meaningful, and SHOULD be set to + Unknown. + tp:name-for-bindings="Certificate_Type"> - The type of this TLS certificate (e.g. 'x509' or 'pgp'). -

This property is immutable

+ The type of this TLS certificate (e.g. 'x509' or 'pgp'). +

This property is immutable

 + tp:type="Certificate_Data[]" tp:name-for-bindings="Certificate_Chain_Data"> -

One or more TLS certificates forming a trust chain, each encoded as - specified by Certificate_Data.

-

The first certificate in the chain MUST be the server certificate, - followed by the issuer's certificate, followed by the issuer's issuer - and so on.

+

One or more TLS certificates forming a trust chain, each encoded as + specified by Certificate_Data.

+

The first certificate in the chain MUST be the server certificate, + followed by the issuer's certificate, followed by the issuer's issuer + and so on.

 + tp:name-for-bindings="Accepted"> - The State of this certificate has changed to Accepted. + The State of this certificate has changed to Accepted. + tp:name-for-bindings="Rejected"> - The State of this certificate has changed to Rejected. + The State of this certificate has changed to Rejected. - - The new value of RejectReason. - + + The new value of RejectReason. + - - The new value of RejectError. - + + The new value of RejectError. + - - The new value of RejectDetails - + + The new value of RejectDetails + - Accepts this certificate, i.e. marks it as verified. + Accepts this certificate, i.e. marks it as verified. - Rejects this certificate. + Rejects this certificate. - - The new value of RejectReason. - + tp:type="TLS_Certificate_Reject_Reason"> + + The new value of RejectReason. + - - The new value of RejectError. - + tp:type="DBus_Error_Name"> + + The new value of RejectError. + - - The new value of RejectDetails. - + tp:type="String_Variant_Map"> + + The new value of RejectDetails. + + diff --git a/extensions/Channel_Type_Server_TLS_Connection.xml b/extensions/Channel_Type_Server_TLS_Connection.xml index af11218a9..977002f95 100644 --- a/extensions/Channel_Type_Server_TLS_Connection.xml +++ b/extensions/Channel_Type_Server_TLS_Connection.xml @@ -19,7 +19,8 @@ + tp:causes-havoc="experimental"> + (draft 1) @@ -44,16 +45,25 @@ + tp:name-for-bindings="ServerCertificate"> -

A TLSCertificate.DRAFT - containing the certificate chain as sent by the server, - and other relevant information.

-

This property is immutable.

+

A TLSCertificate.DRAFT + containing the certificate chain as sent by the server, + and other relevant information.

+

This property is immutable.

+ + + + + + The hostname of the server we expect ServerCertificate + to certify; clients SHOULD verify ServerCertificate against + this hostname when checking its validity. - + -- cgit v1.2.3 From b8fcad07a799884570e6ac115622e8bf0f2762ce Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 11 Aug 2010 18:34:12 +0200 Subject: Add Hostname and Certificate properties --- libempathy/empathy-server-tls-handler.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/libempathy/empathy-server-tls-handler.c b/libempathy/empathy-server-tls-handler.c index 3ca950715..feabdfbcd 100644 --- a/libempathy/empathy-server-tls-handler.c +++ b/libempathy/empathy-server-tls-handler.c @@ -31,6 +31,8 @@ static void async_initable_iface_init (GAsyncInitableIface *iface); enum { PROP_CHANNEL = 1, + PROP_TLS_CERTIFICATE, + PROP_HOSTNAME, LAST_PROPERTY, }; @@ -38,6 +40,7 @@ typedef struct { TpChannel *channel; EmpathyTLSCertificate *certificate; + gchar *hostname; GSimpleAsyncResult *async_init_res; } EmpathyServerTLSHandlerPriv; @@ -91,6 +94,7 @@ server_tls_channel_got_all_cb (TpProxy *proxy, else { const gchar *cert_object_path; + const gchar *hostname; cert_object_path = tp_asv_get_object_path (properties, "ServerCertificate"); @@ -102,6 +106,11 @@ server_tls_channel_got_all_cb (TpProxy *proxy, tp_proxy_get_bus_name (proxy), cert_object_path, tls_certificate_constructed_cb, self); + + hostname = tp_asv_get_string (properties, "Hostname"); + priv->hostname = g_strdup (hostname); + + DEBUG ("Received hostname: %s", hostname); } } @@ -153,6 +162,8 @@ empathy_server_tls_handler_finalize (GObject *object) { EmpathyServerTLSHandlerPriv *priv = GET_PRIV (object); + DEBUG ("%p", object); + if (priv->channel != NULL) g_object_unref (priv->channel); @@ -172,6 +183,12 @@ empathy_server_tls_handler_get_property (GObject *object, case PROP_CHANNEL: g_value_set_object (value, priv->channel); break; + case PROP_TLS_CERTIFICATE: + g_value_set_object (value, priv->certificate); + break; + case PROP_HOSTNAME: + g_value_set_string (value, priv->hostname); + break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); break; @@ -214,6 +231,18 @@ empathy_server_tls_handler_class_init (EmpathyServerTLSHandlerClass *klass) TP_TYPE_CHANNEL, G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS); g_object_class_install_property (oclass, PROP_CHANNEL, pspec); + + pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate", + "The EmpathyTLSCertificate carried by the channel.", + EMPATHY_TYPE_TLS_CERTIFICATE, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec); + + pspec = g_param_spec_string ("hostname", "The hostname", + "The hostname which should be certified by the server certificate.", + NULL, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_HOSTNAME, pspec); } static void -- cgit v1.2.3 From 8293e56eb851b8780986e67043b55304218cb1cb Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 11 Aug 2010 18:34:49 +0200 Subject: Update to the new tp-spec API --- libempathy/empathy-tls-certificate.c | 31 ++++++------------------------- 1 file changed, 6 insertions(+), 25 deletions(-) diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index 01ae25cd6..bcefb3d89 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -40,7 +40,6 @@ enum { PROP_CERT_TYPE, PROP_CERT_DATA, PROP_STATE, - PROP_REJECT_REASON, LAST_PROPERTY, }; @@ -56,7 +55,6 @@ typedef struct { gchar *cert_type; GPtrArray *cert_data; EmpTLSCertificateState state; - EmpTLSCertificateRejectReason reject_reason; } EmpathyTLSCertificatePriv; G_DEFINE_TYPE_WITH_CODE (EmpathyTLSCertificate, empathy_tls_certificate, @@ -117,7 +115,6 @@ tls_certificate_got_all_cb (TpProxy *proxy, priv->cert_type = g_strdup (tp_asv_get_string (properties, "CertificateType")); priv->state = tp_asv_get_uint32 (properties, "State", NULL); - priv->reject_reason = tp_asv_get_uint32 (properties, "RejectReason", NULL); cert_data = tp_asv_get_boxed (properties, "CertificateChainData", array_of_ay_get_type ()); @@ -219,9 +216,6 @@ empathy_tls_certificate_get_property (GObject *object, case PROP_STATE: g_value_set_uint (value, priv->state); break; - case PROP_REJECT_REASON: - g_value_set_uint (value, priv->reject_reason); - break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); break; @@ -288,7 +282,7 @@ empathy_tls_certificate_class_init (EmpathyTLSCertificateClass *klass) g_object_class_install_property (oclass, PROP_CERT_TYPE, pspec); pspec = g_param_spec_boxed ("cert-data", "Certificate chain data", - "The raw PEM-encoded certificate chain data.", + "The raw DER-encoded certificate chain data.", array_of_ay_get_type (), G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); g_object_class_install_property (oclass, PROP_CERT_DATA, pspec); @@ -299,14 +293,6 @@ empathy_tls_certificate_class_init (EmpathyTLSCertificateClass *klass) EMP_TLS_CERTIFICATE_STATE_PENDING, G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); g_object_class_install_property (oclass, PROP_STATE, pspec); - - pspec = g_param_spec_uint ("reject-reason", "Reject reason", - "The reason why this certificate was rejected.", - EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN, - NUM_EMP_TLS_CERTIFICATE_REJECT_REASONS -1, - EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN, - G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); - g_object_class_install_property (oclass, PROP_REJECT_REASON, pspec); } static void @@ -340,9 +326,6 @@ reject_reason_get_dbus_error (EmpTLSCertificateRejectReason reason) switch (reason) { - case EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN: - retval = tp_error_get_dbus_name (TP_ERROR_CERT_INVALID); - break; case EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED: retval = tp_error_get_dbus_name (TP_ERROR_CERT_UNTRUSTED); break; @@ -362,19 +345,17 @@ reject_reason_get_dbus_error (EmpTLSCertificateRejectReason reason) retval = tp_error_get_dbus_name (TP_ERROR_CERT_SELF_SIGNED); break; case EMP_TLS_CERTIFICATE_REJECT_REASON_REVOKED: - /* FIXME */ - retval = "org.freedesktop.Telepathy.Error.Cert.Revoked"; + retval = tp_error_get_dbus_name (TP_ERROR_CERT_REVOKED); break; case EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE: - /* FIXME */ - retval = "org.freedesktop.Telepathy.Error.Cert.Insecure"; + retval = tp_error_get_dbus_name (TP_ERROR_CERT_INSECURE); break; case EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED: - /* FIXME */ - retval = "org.freedesktop.Telepathy.Error.Cert.LimitExceeded"; + retval = tp_error_get_dbus_name (TP_ERROR_CERT_LIMIT_EXCEEDED); break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN: default: - g_assert_not_reached (); + retval = tp_error_get_dbus_name (TP_ERROR_CERT_INVALID); break; } -- cgit v1.2.3 From 2db2e6fb886a7406736c8343f9cbd8d61edc5b16 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 11 Aug 2010 18:35:01 +0200 Subject: Add debug output --- libempathy/empathy-tls-certificate.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index bcefb3d89..965219064 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -186,6 +186,8 @@ empathy_tls_certificate_finalize (GObject *object) { EmpathyTLSCertificatePriv *priv = GET_PRIV (object); + DEBUG ("%p", object); + g_free (priv->object_path); G_OBJECT_CLASS (empathy_tls_certificate_parent_class)->finalize (object); -- cgit v1.2.3 From e750de24904feef14c5e1e4bd68f935abd3cb6de Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 11 Aug 2010 18:35:20 +0200 Subject: Verify the certificate from the helper. --- src/empathy-auth-helper.c | 56 +++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 52 insertions(+), 4 deletions(-) diff --git a/src/empathy-auth-helper.c b/src/empathy-auth-helper.c index aaee48ec1..6cbffea94 100644 --- a/src/empathy-auth-helper.c +++ b/src/empathy-auth-helper.c @@ -30,24 +30,69 @@ #include #include #include +#include #include +#include + +#include + +static void +verifier_verify_cb (GObject *source, + GAsyncResult *result, + gpointer user_data) +{ + gboolean res; + EmpTLSCertificateRejectReason reason; + GError *error = NULL; + EmpathyTLSCertificate *certificate = NULL; + + g_object_get (source, + "certificate", &certificate, + NULL); + + res = empathy_tls_verifier_verify_finish (EMPATHY_TLS_VERIFIER (source), + result, &reason, &error); + + if (error != NULL) + { + DEBUG ("Error: %s", error->message); + empathy_tls_certificate_reject (certificate, reason, FALSE); + + g_error_free (error); + } + else + { + empathy_tls_certificate_accept (certificate); + } + + g_object_unref (certificate); +} + static void auth_factory_new_handler_cb (EmpathyAuthFactory *factory, EmpathyServerTLSHandler *handler, gpointer user_data) { - EmpathyTLSCertificate *certificate; + EmpathyTLSCertificate *certificate = NULL; + gchar *hostname = NULL; + EmpathyTLSVerifier *verifier; DEBUG ("New TLS server handler received from the factory"); - certificate = g_object_ref ( - empathy_server_tls_handler_get_certificate (handler)); + g_object_get (handler, + "certificate", &certificate, + "hostname", &hostname, + NULL); - empathy_tls_certificate_accept (certificate); + verifier = empathy_tls_verifier_new (certificate, hostname); + empathy_tls_verifier_verify_async (verifier, + verifier_verify_cb, NULL); + g_object_unref (verifier); g_object_unref (certificate); + g_free (hostname); } int @@ -75,6 +120,7 @@ main (int argc, g_option_context_free (context); empathy_gtk_init (); + gnutls_global_init (); g_set_application_name (_("Empathy authentication helper")); gtk_window_set_default_icon_name ("empathy"); @@ -98,5 +144,7 @@ main (int argc, gtk_main (); + g_object_unref (factory); + return EXIT_SUCCESS; } -- cgit v1.2.3 From 50f265ad2feffc9826a0c3a77782673fc39fca0e Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 11 Aug 2010 18:35:36 +0200 Subject: Whitespace fix --- libempathy/empathy-server-tls-handler.h | 1 - 1 file changed, 1 deletion(-) diff --git a/libempathy/empathy-server-tls-handler.h b/libempathy/empathy-server-tls-handler.h index 558a8512f..1fae98b0a 100644 --- a/libempathy/empathy-server-tls-handler.h +++ b/libempathy/empathy-server-tls-handler.h @@ -68,7 +68,6 @@ EmpathyServerTLSHandler * empathy_server_tls_handler_new_finish ( EmpathyTLSCertificate * empathy_server_tls_handler_get_certificate ( EmpathyServerTLSHandler *self); - G_END_DECLS #endif /* #ifndef __EMPATHY_SERVER_TLS_HANDLER_H__*/ -- cgit v1.2.3 From 5c313ddb2557218b7ccd4b3dd13dc1aad3834506 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 11 Aug 2010 19:01:01 +0200 Subject: Make sure to release all the references --- libempathy/empathy-server-tls-handler.c | 10 +++++++--- libempathy/empathy-tls-certificate.c | 4 ++++ 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/libempathy/empathy-server-tls-handler.c b/libempathy/empathy-server-tls-handler.c index feabdfbcd..10a2daf20 100644 --- a/libempathy/empathy-server-tls-handler.c +++ b/libempathy/empathy-server-tls-handler.c @@ -20,6 +20,8 @@ #include "empathy-server-tls-handler.h" +#include + #define DEBUG_FLAG EMPATHY_DEBUG_TLS #include "empathy-debug.h" #include "empathy-tls-certificate.h" @@ -74,6 +76,7 @@ tls_certificate_constructed_cb (GObject *source, } g_simple_async_result_complete_in_idle (priv->async_init_res); + g_object_unref (priv->async_init_res); } static void @@ -90,6 +93,7 @@ server_tls_channel_got_all_cb (TpProxy *proxy, { g_simple_async_result_set_from_error (priv->async_init_res, error); g_simple_async_result_complete_in_idle (priv->async_init_res); + g_object_unref (priv->async_init_res); } else { @@ -163,9 +167,9 @@ empathy_server_tls_handler_finalize (GObject *object) EmpathyServerTLSHandlerPriv *priv = GET_PRIV (object); DEBUG ("%p", object); - - if (priv->channel != NULL) - g_object_unref (priv->channel); + + tp_clear_object (&priv->channel); + tp_clear_object (&priv->certificate); G_OBJECT_CLASS (empathy_server_tls_handler_parent_class)->finalize (object); } diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index 965219064..a9e323cc0 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -109,6 +109,8 @@ tls_certificate_got_all_cb (TpProxy *proxy, g_simple_async_result_set_from_error (priv->async_init_res, error); g_simple_async_result_complete_in_idle (priv->async_init_res); + g_object_unref (priv->async_init_res); + return; } @@ -125,6 +127,7 @@ tls_certificate_got_all_cb (TpProxy *proxy, priv->cert_data->len, priv->cert_type); g_simple_async_result_complete_in_idle (priv->async_init_res); + g_object_unref (priv->async_init_res); } static void @@ -152,6 +155,7 @@ tls_certificate_init_async (GAsyncInitable *initable, g_simple_async_result_complete_in_idle (priv->async_init_res); g_error_free (error); + g_object_unref (priv->async_init_res); return; } -- cgit v1.2.3 From e04b713c4a14b7accff86fe57ca78cb4cd5e0e46 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 11 Aug 2010 19:44:08 +0200 Subject: Use the right index to access the cert array. --- libempathy/empathy-tls-verifier.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c index 55688f99c..75943bfbd 100644 --- a/libempathy/empathy-tls-verifier.c +++ b/libempathy/empathy-tls-verifier.c @@ -236,7 +236,7 @@ real_start_verification (EmpathyTLSVerifier *self) if (priv->trusted_ca_list->len > 0) { res = verify_last_certificate (self, - g_ptr_array_index (priv->cert_chain, num_certs), + g_ptr_array_index (priv->cert_chain, num_certs - 1), &reason); } -- cgit v1.2.3 From 7472633dcbe1e50a28224960a02b8cf8f83bf422 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Thu, 12 Aug 2010 18:45:05 +0200 Subject: Use the right GnuTLS->Tp mapping for reasons. --- libempathy/empathy-tls-verifier.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c index 75943bfbd..1ed9ede0c 100644 --- a/libempathy/empathy-tls-verifier.c +++ b/libempathy/empathy-tls-verifier.c @@ -110,9 +110,9 @@ verification_output_to_reason (gint res, retval = FALSE; if (verify_output & GNUTLS_CERT_SIGNER_NOT_FOUND) - *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED; - else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA) *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED; + else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED; else if (verify_output & GNUTLS_CERT_INSECURE_ALGORITHM) *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE; else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED) -- cgit v1.2.3 From dd4b301661b2516731027eebbf3147692292d749 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Thu, 12 Aug 2010 18:46:08 +0200 Subject: Correctly treat the last certificate in the chain I.e. emit SelfSigned if we don't have any trusted CAs in our cache. --- libempathy/empathy-tls-verifier.c | 43 ++++++++++++++++++++++++++++++--------- 1 file changed, 33 insertions(+), 10 deletions(-) diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c index 1ed9ede0c..f279efbfe 100644 --- a/libempathy/empathy-tls-verifier.c +++ b/libempathy/empathy-tls-verifier.c @@ -139,11 +139,34 @@ verify_last_certificate (EmpathyTLSVerifier *self, gnutls_x509_crt_t *trusted_ca_list; EmpathyTLSVerifierPriv *priv = GET_PRIV (self); - trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list); - res = gnutls_x509_crt_verify (cert, trusted_ca_list, - priv->trusted_ca_list->len, 0, &verify_output); + if (priv->trusted_ca_list->len > 0) + { + trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list); + res = gnutls_x509_crt_verify (cert, trusted_ca_list, + priv->trusted_ca_list->len, 0, &verify_output); + + DEBUG ("Checking last certificate %p against trusted CAs, output %u", + cert, verify_output); - g_free (trusted_ca_list); + g_free (trusted_ca_list); + } + else + { + /* check it against itself to see if it's structurally valid */ + res = gnutls_x509_crt_verify (cert, &cert, 1, 0, &verify_output); + + DEBUG ("Checking last certificate %p against itself, output %u", cert, + verify_output); + + /* if it's valid, return the SelfSigned error, so that we can add it + * later to our trusted CAs whitelist. + */ + if (res == GNUTLS_E_SUCCESS) + { + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED; + return FALSE; + } + } return verification_output_to_reason (res, verify_output, reason); } @@ -233,13 +256,13 @@ real_start_verification (EmpathyTLSVerifier *self) } } - if (priv->trusted_ca_list->len > 0) - { - res = verify_last_certificate (self, - g_ptr_array_index (priv->cert_chain, num_certs - 1), - &reason); - } + res = verify_last_certificate (self, + g_ptr_array_index (priv->cert_chain, num_certs - 1), + &reason); + DEBUG ("Last verification gave result %d with reason %u", res, reason); + + out: if (!res) { abort_verification (self, reason); -- cgit v1.2.3 From 8d376fae7df339ead4ab9ef2ae588e2762849ccf Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Thu, 12 Aug 2010 18:47:13 +0200 Subject: Implement hostname checking --- libempathy/empathy-tls-verifier.c | 59 +++++++++++++++++++++++++++++++++++---- 1 file changed, 54 insertions(+), 5 deletions(-) diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c index f279efbfe..07beda63b 100644 --- a/libempathy/empathy-tls-verifier.c +++ b/libempathy/empathy-tls-verifier.c @@ -213,10 +213,39 @@ abort_verification (EmpathyTLSVerifier *self, tp_clear_object (&priv->verify_result); } +static gchar * +get_certified_hostname (gnutls_x509_crt_t cert) +{ + gchar dns_name[256]; + gsize dns_name_size; + gint idx; + gint res = 0; + + /* this is taken from GnuTLS */ + for (idx = 0; res >= 0; idx++) + { + dns_name_size = sizeof (dns_name); + res = gnutls_x509_crt_get_subject_alt_name (cert, idx, + dns_name, &dns_name_size, NULL); + + if (res == GNUTLS_SAN_DNSNAME || res == GNUTLS_SAN_IPADDRESS) + return g_strndup (dns_name, dns_name_size); + } + + dns_name_size = sizeof (dns_name); + res = gnutls_x509_crt_get_dn_by_oid (cert, GNUTLS_OID_X520_COMMON_NAME, + 0, 0, dns_name, &dns_name_size); + + if (res >= 0) + return g_strndup (dns_name, dns_name_size); + + return NULL; +} + static void real_start_verification (EmpathyTLSVerifier *self) { - gnutls_x509_crt_t last_cert; + gnutls_x509_crt_t first_cert, last_cert; gint idx; gboolean res = FALSE; gint num_certs; @@ -224,14 +253,34 @@ real_start_verification (EmpathyTLSVerifier *self) EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; EmpathyTLSVerifierPriv *priv = GET_PRIV (self); - num_certs = priv->cert_chain->len; - DEBUG ("Starting verification"); + /* check if the certificate matches the hostname first. */ + first_cert = g_ptr_array_index (priv->cert_chain, 0); + if (gnutls_x509_crt_check_hostname (first_cert, priv->hostname) == 0) + { + gchar *certified_hostname; + + certified_hostname = get_certified_hostname (first_cert); + DEBUG ("Hostname mismatch: got %s but expected %s", + certified_hostname, priv->hostname); + + /* TODO: pass-through the expected hostname in the reject details */ + reason = EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH; + + g_free (certified_hostname); + goto out; + } + + DEBUG ("Hostname matched"); + + num_certs = priv->cert_chain->len; + if (priv->trusted_ca_list->len > 0) { - /* if the last certificate is self-signed, ignore it, as we want to check - * the chain against our trusted CA list first. + /* if the last certificate is self-signed, and we have a list of + * trusted CAs, ignore it, as we want to check the chain against our + * trusted CAs list first. */ last_cert = g_ptr_array_index (priv->cert_chain, num_certs - 1); -- cgit v1.2.3 From 20a75e4d53bb2b72de3f2fc535956a9ad57b9eb4 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Thu, 12 Aug 2010 18:47:42 +0200 Subject: Cosmetic changes --- libempathy/empathy-tls-verifier.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c index 07beda63b..e1ec7ee6d 100644 --- a/libempathy/empathy-tls-verifier.c +++ b/libempathy/empathy-tls-verifier.c @@ -182,6 +182,8 @@ verify_certificate (EmpathyTLSVerifier *self, res = gnutls_x509_crt_verify (cert, &issuer, 1, 0, &verify_output); + DEBUG ("Verifying %p against %p, output %u", cert, issuer, verify_output); + return verification_output_to_reason (res, verify_output, reason); } @@ -368,20 +370,21 @@ get_number_and_type_of_certificates (gnutls_datum_t *datum, gnutls_x509_crt_fmt_t *format) { gnutls_x509_crt_t fake; - gint retval = 1; + guint retval = 1; gint res; - res = gnutls_x509_crt_list_import (&fake, (guint *) &retval, datum, - GNUTLS_X509_FMT_PEM, 0); + res = gnutls_x509_crt_list_import (&fake, &retval, datum, + GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); if (res == GNUTLS_E_SHORT_MEMORY_BUFFER || res > 0) { + DEBUG ("Found PEM, with %u certificates", retval); *format = GNUTLS_X509_FMT_PEM; return retval; } /* try DER */ - res = gnutls_x509_crt_list_import (&fake, (guint *) &retval, datum, + res = gnutls_x509_crt_list_import (&fake, &retval, datum, GNUTLS_X509_FMT_DER, 0); if (res > 0) -- cgit v1.2.3 From b06a27336c0e42fc81ae4c9e51dfd2a02967e88f Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Thu, 12 Aug 2010 18:48:06 +0200 Subject: Add also certificates from our storage I.e. ~/.config/telepathy/certs. Also, make sure we release memory when finalizing the object. --- libempathy/empathy-tls-verifier.c | 83 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 77 insertions(+), 6 deletions(-) diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c index e1ec7ee6d..e85d8a750 100644 --- a/libempathy/empathy-tls-verifier.c +++ b/libempathy/empathy-tls-verifier.c @@ -346,7 +346,8 @@ build_gnutls_cert_list (EmpathyTLSVerifier *self) NULL); num_certs = certificate_data->len; - priv->cert_chain = g_ptr_array_sized_new (num_certs); + priv->cert_chain = g_ptr_array_new_with_free_func ( + (GDestroyNotify) gnutls_x509_crt_deinit); for (idx = 0; idx < num_certs; idx++) { @@ -402,10 +403,14 @@ build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job, gpointer user_data) { gint idx; + gchar *user_certs_dir; + GDir *dir; + GError *error = NULL; EmpathyTLSVerifier *self = user_data; EmpathyTLSVerifierPriv *priv = GET_PRIV (self); - priv->trusted_ca_list = g_ptr_array_new (); + priv->trusted_ca_list = g_ptr_array_new_with_free_func + ((GDestroyNotify) gnutls_x509_crt_deinit); for (idx = 0; idx < (gint) G_N_ELEMENTS (system_ca_paths) - 1; idx++) { @@ -416,15 +421,15 @@ build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job, gnutls_x509_crt_t *cert_list; gnutls_datum_t datum = { NULL, 0 }; gnutls_x509_crt_fmt_t format = 0; - GError *error = NULL; path = system_ca_paths[idx]; g_file_get_contents (path, &contents, &length, &error); if (error != NULL) { - DEBUG ("Unable to read system CAs from path %s", path); - g_error_free (error); + DEBUG ("Unable to read system CAs from path %s: %s", path, + error->message); + g_clear_error (&error); continue; } @@ -462,8 +467,68 @@ build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job, g_ptr_array_add (priv->trusted_ca_list, cert_list[idx]); g_free (contents); + g_free (cert_list); } + /* user certs */ + user_certs_dir = g_build_filename (g_get_user_config_dir (), + "telepathy", "certs", NULL); + dir = g_dir_open (user_certs_dir, 0, &error); + + if (error != NULL) + { + DEBUG ("Can't open the user certs dir at %s: %s", user_certs_dir, + error->message); + + g_error_free (error); + } + else + { + const gchar *cert_path; + + while ((cert_path = g_dir_read_name (dir)) != NULL) + { + gchar *contents = NULL; + gsize length = 0; + gint res; + gnutls_datum_t datum = { NULL, 0 }; + gnutls_x509_crt_t cert; + + g_file_get_contents (cert_path, &contents, &length, &error); + + if (error != NULL) + { + DEBUG ("Can't open the certificate file at path %s: %s", + cert_path, error->message); + + g_clear_error (&error); + continue; + } + + datum.data = (guchar *) contents; + datum.size = length; + + gnutls_x509_crt_init (&cert); + res = gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_PEM); + + if (res != GNUTLS_E_SUCCESS) + { + DEBUG ("Can't import the certificate at path %s: " + "GnuTLS returned %d", cert_path, res); + } + else + { + g_ptr_array_add (priv->trusted_ca_list, cert); + } + + g_free (contents); + } + + g_dir_close (dir); + } + + g_free (user_certs_dir); + /* TODO: do the CRL too */ g_io_scheduler_job_send_to_mainloop_async (job, @@ -537,7 +602,13 @@ empathy_tls_verifier_finalize (GObject *object) EmpathyTLSVerifierPriv *priv = GET_PRIV (object); DEBUG ("%p", object); - + + if (priv->trusted_ca_list != NULL) + g_ptr_array_unref (priv->trusted_ca_list); + + if (priv->cert_chain != NULL) + g_ptr_array_unref (priv->cert_chain); + g_free (priv->hostname); G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object); -- cgit v1.2.3 From 1c109373f9911de8f639cb6b355035478c0ab899 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Fri, 13 Aug 2010 12:30:11 +0200 Subject: Depend on gcr from gnome-keyring --- configure.ac | 3 ++- libempathy-gtk/Makefile.am | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index a09b476e4..97ea195ff 100644 --- a/configure.ac +++ b/configure.ac @@ -35,7 +35,7 @@ FOLKS_REQUIRED=0.1.13 GCONF_REQUIRED=1.2.0 GLIB_REQUIRED=2.25.9 GTK_REQUIRED=2.21.2 -KEYRING_REQUIRED=2.22 +KEYRING_REQUIRED=2.26.0 LIBCANBERRA_GTK_REQUIRED=0.4 LIBNOTIFY_REQUIRED=0.4.4 LIBNOTIFY_REQUIRED_GTK3=0.5.1 @@ -150,6 +150,7 @@ PKG_CHECK_MODULES(EMPATHY, folks >= $FOLKS_REQUIRED folks-telepathy >= $FOLKS_REQUIRED gconf-2.0 >= $GCONF_REQUIRED + gcr-0 >= $KEYRING_REQUIRED gio-2.0 >= $GLIB_REQUIRED gio-unix-2.0 >= $GLIB_REQUIRED gnome-keyring-1 >= $KEYRING_REQUIRED diff --git a/libempathy-gtk/Makefile.am b/libempathy-gtk/Makefile.am index fea658c0d..2284d1338 100644 --- a/libempathy-gtk/Makefile.am +++ b/libempathy-gtk/Makefile.am @@ -6,6 +6,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir) \ -DDATADIR=\""$(datadir)"\" \ -DPKGDATADIR=\""$(pkgdatadir)"\" \ + -DGCR_API_SUBJECT_TO_CHANGE \ $(EMPATHY_CFLAGS) \ $(GTK_CFLAGS) \ $(LIBNOTIFY_CFLAGS) \ -- cgit v1.2.3 From f0f6e527dfe5de231d202bcc3cfcb4c7d85ab19e Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Fri, 13 Aug 2010 12:30:48 +0200 Subject: Add EmpathyTLSDialog --- libempathy-gtk/Makefile.am | 2 + libempathy-gtk/empathy-tls-dialog.c | 275 ++++++++++++++++++++++++++++++++++++ libempathy-gtk/empathy-tls-dialog.h | 68 +++++++++ 3 files changed, 345 insertions(+) create mode 100644 libempathy-gtk/empathy-tls-dialog.c create mode 100644 libempathy-gtk/empathy-tls-dialog.h diff --git a/libempathy-gtk/Makefile.am b/libempathy-gtk/Makefile.am index 2284d1338..59119dfaf 100644 --- a/libempathy-gtk/Makefile.am +++ b/libempathy-gtk/Makefile.am @@ -80,6 +80,7 @@ libempathy_gtk_handwritten_source = \ empathy-theme-boxes.c \ empathy-theme-irc.c \ empathy-theme-manager.c \ + empathy-tls-dialog.c \ empathy-ui-utils.c \ empathy-video-src.c \ empathy-video-widget.c @@ -136,6 +137,7 @@ libempathy_gtk_headers = \ empathy-theme-boxes.h \ empathy-theme-irc.h \ empathy-theme-manager.h \ + empathy-tls-dialog.h \ empathy-ui-utils.h \ empathy-video-src.h \ empathy-video-widget.h diff --git a/libempathy-gtk/empathy-tls-dialog.c b/libempathy-gtk/empathy-tls-dialog.c new file mode 100644 index 000000000..d149dedbf --- /dev/null +++ b/libempathy-gtk/empathy-tls-dialog.c @@ -0,0 +1,275 @@ +/* + * empathy-tls-dialog.c - Source for EmpathyTLSDialog + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include + +#include "empathy-tls-dialog.h" + +#include +#include +#include + +#include "gcr-simple-certificate.h" + +#define DEBUG_FLAG EMPATHY_DEBUG_TLS +#include +#include + +G_DEFINE_TYPE (EmpathyTLSDialog, empathy_tls_dialog, + GTK_TYPE_MESSAGE_DIALOG) + +#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSDialog); + +enum { + PROP_TLS_CERTIFICATE = 1, + PROP_REASON, + + LAST_PROPERTY, +}; + +typedef struct { + EmpathyTLSCertificate *certificate; + EmpTLSCertificateRejectReason reason; + + gboolean dispose_run; +} EmpathyTLSDialogPriv; + +static void +empathy_tls_dialog_get_property (GObject *object, + guint property_id, + GValue *value, + GParamSpec *pspec) +{ + EmpathyTLSDialogPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_TLS_CERTIFICATE: + g_value_set_object (value, priv->certificate); + break; + case PROP_REASON: + g_value_set_uint (value, priv->reason); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_tls_dialog_set_property (GObject *object, + guint property_id, + const GValue *value, + GParamSpec *pspec) +{ + EmpathyTLSDialogPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_TLS_CERTIFICATE: + priv->certificate = g_value_dup_object (value); + break; + case PROP_REASON: + priv->reason = g_value_get_uint (value); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_tls_dialog_dispose (GObject *object) +{ + EmpathyTLSDialogPriv *priv = GET_PRIV (object); + + if (priv->dispose_run) + return; + + priv->dispose_run = TRUE; + + tp_clear_object (&priv->certificate); + + G_OBJECT_CLASS (empathy_tls_dialog_parent_class)->dispose (object); +} + +static gchar * +reason_to_string (EmpTLSCertificateRejectReason reason) +{ + GString *str; + const gchar *reason_str; + + str = g_string_new (NULL); + + g_string_append (str, _("The identity provided by the chat server cannot be " + "verified.\n")); + + switch (reason) + { + case EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED: + reason_str = _("The certrificate is not signed by a Certification " + "Authority"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED: + reason_str = _("The certificate is expired"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED: + reason_str = _("The certificate hasn't yet been activated"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_FINGERPRINT_MISMATCH: + reason_str = _("The certificate does not have the expected fingerprint"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH: + reason_str = _("The hostname verified by the certificate doesn't match " + "the server name"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED: + reason_str = _("The certificate is self-signed"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_REVOKED: + reason_str = _("The certificate has been revoked by the issuing " + "Certification Authority"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE: + reason_str = _("The certificate is cryptographically weak"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED: + reason_str = _("The certificate length exceeds verifiable limits"); + break; + case EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN: + default: + reason_str = _("The certificate is malformed"); + break; + } + + g_string_append (str, reason_str); + + return g_string_free (str, FALSE); +} + +static GtkWidget * +build_gcr_widget (EmpathyTLSDialog *self) +{ + GcrCertificateBasicsWidget *widget; + GcrCertificate *certificate; + GPtrArray *cert_chain = NULL; + GArray *first_cert; + EmpathyTLSDialogPriv *priv = GET_PRIV (self); + + g_object_get (priv->certificate, + "cert-data", &cert_chain, + NULL); + first_cert = g_ptr_array_index (cert_chain, 0); + + certificate = gcr_simple_certificate_new ((const guchar *) first_cert->data, + first_cert->len); + widget = gcr_certificate_basics_widget_new (certificate); + + g_object_unref (certificate); + g_ptr_array_unref (cert_chain); + + return GTK_WIDGET (widget); +} + +static void +empathy_tls_dialog_constructed (GObject *object) +{ + GtkWidget *content_area, *expander, *details; + gchar *text; + EmpathyTLSDialog *self = EMPATHY_TLS_DIALOG (object); + GtkMessageDialog *message_dialog = GTK_MESSAGE_DIALOG (self); + GtkDialog *dialog = GTK_DIALOG (self); + EmpathyTLSDialogPriv *priv = GET_PRIV (self); + + gtk_dialog_add_buttons (dialog, + GTK_STOCK_CANCEL, GTK_RESPONSE_CANCEL, + _("Continue"), GTK_RESPONSE_YES, + NULL); + + text = reason_to_string (priv->reason); + + g_object_set (message_dialog, + "text", _("This connection is untrusted, would you like to " + "continue anyway?"), + "secondary-text", text, + NULL); + + g_free (text); + + content_area = gtk_dialog_get_content_area (dialog); + text = g_strdup_printf ("%s", _("Certificate Details")); + expander = gtk_expander_new (text); + gtk_expander_set_use_markup (GTK_EXPANDER (expander), TRUE); + gtk_box_pack_end (GTK_BOX (content_area), expander, TRUE, TRUE, 6); + gtk_widget_show (expander); + + g_free (text); + + details = build_gcr_widget (self); + gtk_container_add (GTK_CONTAINER (expander), details); + gtk_widget_show (details); +} + +static void +empathy_tls_dialog_init (EmpathyTLSDialog *self) +{ + self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self, + EMPATHY_TYPE_TLS_DIALOG, EmpathyTLSDialogPriv); +} + +static void +empathy_tls_dialog_class_init (EmpathyTLSDialogClass *klass) +{ + GParamSpec *pspec; + GObjectClass *oclass = G_OBJECT_CLASS (klass); + + g_type_class_add_private (klass, sizeof (EmpathyTLSDialogPriv)); + + oclass->set_property = empathy_tls_dialog_set_property; + oclass->get_property = empathy_tls_dialog_get_property; + oclass->dispose = empathy_tls_dialog_dispose; + oclass->constructed = empathy_tls_dialog_constructed; + + pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate", + "The EmpathyTLSCertificate to be displayed.", + EMPATHY_TYPE_TLS_CERTIFICATE, + G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec); + + pspec = g_param_spec_uint ("reason", "The reason", + "The reason why the certificate is being asked for confirmation.", + 0, NUM_EMP_TLS_CERTIFICATE_REJECT_REASONS - 1, + EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN, + G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_REASON, pspec); +} + +GtkWidget * +empathy_tls_dialog_new (EmpathyTLSCertificate *certificate, + EmpTLSCertificateRejectReason reason) +{ + g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate)); + + return g_object_new (EMPATHY_TYPE_TLS_DIALOG, + "message-type", GTK_MESSAGE_WARNING, + "certificate", certificate, + "reason", reason, + NULL); +} diff --git a/libempathy-gtk/empathy-tls-dialog.h b/libempathy-gtk/empathy-tls-dialog.h new file mode 100644 index 000000000..c8e5e7662 --- /dev/null +++ b/libempathy-gtk/empathy-tls-dialog.h @@ -0,0 +1,68 @@ +/* + * empathy-tls-dialog.h - Header for EmpathyTLSDialog + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __EMPATHY_TLS_DIALOG_H__ +#define __EMPATHY_TLS_DIALOG_H__ + +#include +#include + +#include + +#include + +G_BEGIN_DECLS + +typedef struct _EmpathyTLSDialog EmpathyTLSDialog; +typedef struct _EmpathyTLSDialogClass EmpathyTLSDialogClass; + +struct _EmpathyTLSDialogClass { + GtkMessageDialogClass parent_class; +}; + +struct _EmpathyTLSDialog { + GtkMessageDialog parent; + gpointer priv; +}; + +GType empathy_tls_dialog_get_type (void); + +#define EMPATHY_TYPE_TLS_DIALOG \ + (empathy_tls_dialog_get_type ()) +#define EMPATHY_TLS_DIALOG(obj) \ + (G_TYPE_CHECK_INSTANCE_CAST((obj), EMPATHY_TYPE_TLS_DIALOG, \ + EmpathyTLSDialog)) +#define EMPATHY_TLS_DIALOG_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_CAST((klass), EMPATHY_TYPE_TLS_DIALOG, \ + EmpathyTLSDialogClass)) +#define EMPATHY_IS_TLS_DIALOG(obj) \ + (G_TYPE_CHECK_INSTANCE_TYPE((obj), EMPATHY_TYPE_TLS_DIALOG)) +#define EMPATHY_IS_TLS_DIALOG_CLASS(klass) \ + (G_TYPE_CHECK_CLASS_TYPE((klass), EMPATHY_TYPE_TLS_DIALOG)) +#define EMPATHY_TLS_DIALOG_GET_CLASS(obj) \ + (G_TYPE_INSTANCE_GET_CLASS ((obj), EMPATHY_TYPE_TLS_DIALOG, \ + EmpathyTLSDialogClass)) + +GtkWidget * empathy_tls_dialog_new (EmpathyTLSCertificate *certificate, + EmpTLSCertificateRejectReason reason); + +G_END_DECLS + +#endif /* #ifndef __EMPATHY_TLS_DIALOG_H__*/ -- cgit v1.2.3 From ae9cd01797616138fc16931e558fa1b65d9301eb Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Fri, 13 Aug 2010 12:31:21 +0200 Subject: Import gcr-simple-certificate from gcr Don't know why, but this isn't exported from gcr. While we try to make this public, include it here, as it's self-contained anyway. --- libempathy-gtk/Makefile.am | 1 + libempathy-gtk/gcr-simple-certificate.c | 131 ++++++++++++++++++++++++++++++++ libempathy-gtk/gcr-simple-certificate.h | 58 ++++++++++++++ 3 files changed, 190 insertions(+) create mode 100644 libempathy-gtk/gcr-simple-certificate.c create mode 100644 libempathy-gtk/gcr-simple-certificate.h diff --git a/libempathy-gtk/Makefile.am b/libempathy-gtk/Makefile.am index 59119dfaf..09cc9ca22 100644 --- a/libempathy-gtk/Makefile.am +++ b/libempathy-gtk/Makefile.am @@ -145,6 +145,7 @@ libempathy_gtk_headers = \ libempathy_gtk_la_SOURCES = \ $(libempathy_gtk_handwritten_source) \ $(libempathy_gtk_headers) \ + gcr-simple-certificate.c gcr-simple-certificate.h \ totem-subtitle-encoding.c totem-subtitle-encoding.h # do not distribute generated files diff --git a/libempathy-gtk/gcr-simple-certificate.c b/libempathy-gtk/gcr-simple-certificate.c new file mode 100644 index 000000000..048fd5022 --- /dev/null +++ b/libempathy-gtk/gcr-simple-certificate.c @@ -0,0 +1,131 @@ +/* + * gnome-keyring + * + * Copyright (C) 2008 Stefan Walter + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + */ + +#include "config.h" + +#include +#include "gcr-simple-certificate.h" + +#include + +struct _GcrSimpleCertificatePrivate { + guchar *owned_data; + gsize n_owned_data; +}; + +static void gcr_certificate_iface (GcrCertificateIface *iface); +G_DEFINE_TYPE_WITH_CODE (GcrSimpleCertificate, gcr_simple_certificate, G_TYPE_OBJECT, + G_IMPLEMENT_INTERFACE (GCR_TYPE_CERTIFICATE, gcr_certificate_iface)); + +/* ----------------------------------------------------------------------------- + * OBJECT + */ + +static void +gcr_simple_certificate_init (GcrSimpleCertificate *self) +{ + self->pv = G_TYPE_INSTANCE_GET_PRIVATE (self, GCR_TYPE_SIMPLE_CERTIFICATE, GcrSimpleCertificatePrivate); +} + +static void +gcr_simple_certificate_finalize (GObject *obj) +{ + GcrSimpleCertificate *self = GCR_SIMPLE_CERTIFICATE (obj); + + g_free (self->pv->owned_data); + self->pv->owned_data = NULL; + self->pv->n_owned_data = 0; + + G_OBJECT_CLASS (gcr_simple_certificate_parent_class)->finalize (obj); +} + +static void +gcr_simple_certificate_set_property (GObject *obj, guint prop_id, const GValue *value, + GParamSpec *pspec) +{ + switch (prop_id) { + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (obj, prop_id, pspec); + break; + } +} + +static void +gcr_simple_certificate_get_property (GObject *obj, guint prop_id, GValue *value, + GParamSpec *pspec) +{ + switch (prop_id) { + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (obj, prop_id, pspec); + break; + } +} + +static void +gcr_simple_certificate_class_init (GcrSimpleCertificateClass *klass) +{ + GObjectClass *gobject_class = G_OBJECT_CLASS (klass); + + gobject_class->finalize = gcr_simple_certificate_finalize; + gobject_class->set_property = gcr_simple_certificate_set_property; + gobject_class->get_property = gcr_simple_certificate_get_property; + + g_type_class_add_private (gobject_class, sizeof (GcrSimpleCertificatePrivate)); +} + +static const guchar* +gcr_simple_certificate_real_get_der_data (GcrCertificate *base, gsize *n_data) +{ + GcrSimpleCertificate *self = GCR_SIMPLE_CERTIFICATE (base); + + g_return_val_if_fail (GCR_IS_CERTIFICATE (self), NULL); + g_return_val_if_fail (n_data, NULL); + g_return_val_if_fail (self->pv->owned_data, NULL); + + /* This is called when we're not a base class */ + *n_data = self->pv->n_owned_data; + return self->pv->owned_data; +} + +static void +gcr_certificate_iface (GcrCertificateIface *iface) +{ + iface->get_der_data = (gpointer)gcr_simple_certificate_real_get_der_data; +} + +/* ----------------------------------------------------------------------------- + * PUBLIC + */ + +GcrCertificate* +gcr_simple_certificate_new (const guchar *data, gsize n_data) +{ + GcrSimpleCertificate *cert; + + g_return_val_if_fail (data, NULL); + g_return_val_if_fail (n_data, NULL); + + cert = g_object_new (GCR_TYPE_SIMPLE_CERTIFICATE, NULL); + + cert->pv->owned_data = g_memdup (data, n_data); + cert->pv->n_owned_data = n_data; + return GCR_CERTIFICATE (cert); +} diff --git a/libempathy-gtk/gcr-simple-certificate.h b/libempathy-gtk/gcr-simple-certificate.h new file mode 100644 index 000000000..6b9fb9618 --- /dev/null +++ b/libempathy-gtk/gcr-simple-certificate.h @@ -0,0 +1,58 @@ +/* + * gnome-keyring + * + * Copyright (C) 2008 Stefan Walter + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + */ + +#ifndef __GCR_SIMPLE_CERTIFICATE_H__ +#define __GCR_SIMPLE_CERTIFICATE_H__ + +#include + +#include + +G_BEGIN_DECLS + +#define GCR_TYPE_SIMPLE_CERTIFICATE (gcr_simple_certificate_get_type ()) +#define GCR_SIMPLE_CERTIFICATE(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), GCR_TYPE_CERTIFICATE, GcrSimpleCertificate)) +#define GCR_SIMPLE_CERTIFICATE_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), GCR_TYPE_CERTIFICATE, GcrSimpleCertificateClass)) +#define GCR_IS_SIMPLE_CERTIFICATE(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), GCR_TYPE_CERTIFICATE)) +#define GCR_IS_SIMPLE_CERTIFICATE_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), GCR_TYPE_CERTIFICATE)) +#define GCR_SIMPLE_CERTIFICATE_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), GCR_TYPE_CERTIFICATE, GcrSimpleCertificateClass)) + +typedef struct _GcrSimpleCertificate GcrSimpleCertificate; +typedef struct _GcrSimpleCertificateClass GcrSimpleCertificateClass; +typedef struct _GcrSimpleCertificatePrivate GcrSimpleCertificatePrivate; + +struct _GcrSimpleCertificate { + GObject parent; + GcrSimpleCertificatePrivate *pv; +}; + +struct _GcrSimpleCertificateClass { + GObjectClass parent_class; +}; + +GType gcr_simple_certificate_get_type (void); + +GcrCertificate* gcr_simple_certificate_new (const guchar *data, + gsize n_data); + +G_END_DECLS + +#endif /* __GCR_SIMPLE_CERTIFICATE_H__ */ -- cgit v1.2.3 From c61bb1765e65369933a571b6dccb07ec338cb515 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Fri, 13 Aug 2010 12:32:43 +0200 Subject: Integrate the dialog into the auth helper --- src/empathy-auth-helper.c | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/src/empathy-auth-helper.c b/src/empathy-auth-helper.c index 6cbffea94..065fc8ded 100644 --- a/src/empathy-auth-helper.c +++ b/src/empathy-auth-helper.c @@ -32,12 +32,52 @@ #include #include +#include #include #include #include +static void +tls_dialog_response_cb (GtkDialog *dialog, + gint response_id, + gpointer user_data) +{ + EmpathyTLSCertificate *certificate = NULL; + EmpTLSCertificateRejectReason reason = 0; + EmpathyTLSDialog *tls_dialog = EMPATHY_TLS_DIALOG (dialog); + + DEBUG ("Response %d", response_id); + + g_object_get (tls_dialog, + "certificate", &certificate, + "reason", &reason, + NULL); + + gtk_widget_destroy (GTK_WIDGET (dialog)); + + if (response_id == GTK_RESPONSE_YES) + empathy_tls_certificate_accept (certificate); + else + empathy_tls_certificate_reject (certificate, reason, TRUE); + + g_object_unref (certificate); +} + +static void +display_interactive_dialog (EmpathyTLSCertificate *certificate, + EmpTLSCertificateRejectReason reason) +{ + GtkWidget *tls_dialog; + + tls_dialog = empathy_tls_dialog_new (certificate, reason); + g_signal_connect (tls_dialog, "response", + G_CALLBACK (tls_dialog_response_cb), NULL); + + gtk_widget_show (tls_dialog); +} + static void verifier_verify_cb (GObject *source, GAsyncResult *result, @@ -58,7 +98,7 @@ verifier_verify_cb (GObject *source, if (error != NULL) { DEBUG ("Error: %s", error->message); - empathy_tls_certificate_reject (certificate, reason, FALSE); + display_interactive_dialog (certificate, reason); g_error_free (error); } -- cgit v1.2.3 From dd57dd21018ac62e2cc89f5aa5e24d682d4c9886 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Fri, 13 Aug 2010 16:14:09 +0200 Subject: Add a method to store the CA certificate --- libempathy/empathy-tls-certificate.c | 119 +++++++++++++++++++++++++++++++++++ libempathy/empathy-tls-certificate.h | 2 + 2 files changed, 121 insertions(+) diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index a9e323cc0..a6ee3b966 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -22,6 +22,13 @@ #include "empathy-tls-certificate.h" +#include + +#include + +#include +#include + #include #define DEBUG_FLAG EMPATHY_DEBUG_TLS @@ -436,3 +443,115 @@ empathy_tls_certificate_reject (EmpathyTLSCertificate *self, g_hash_table_unref (details); } + +static gsize +get_exported_size (gnutls_x509_crt_t cert) +{ + gsize retval; + guchar fake; + + /* fake an export so we get the size to allocate */ + gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_PEM, + &fake, &retval); + + DEBUG ("Should allocate %lu bytes", (gulong) retval); + + return retval; +} + +void +empathy_tls_certificate_store_ca (EmpathyTLSCertificate *self) +{ + GArray *last_cert; + gnutls_x509_crt_t cert; + gnutls_datum_t datum = { NULL, 0 }; + gsize exported_len; + guchar *exported_cert = NULL; + gint res; + gchar *user_certs_dir = NULL, *filename = NULL, *path = NULL; + GError *error = NULL; + EmpathyTLSCertificatePriv *priv = GET_PRIV (self); + + last_cert = g_ptr_array_index (priv->cert_data, priv->cert_data->len - 1); + datum.data = (guchar *) last_cert->data; + datum.size = last_cert->len; + + gnutls_x509_crt_init (&cert); + gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER); + + /* make sure it's self-signed, otherwise it's not a CA */ + if (gnutls_x509_crt_check_issuer (cert, cert) <= 0) + { + DEBUG ("Can't import the CA, as it's not self-signed"); + gnutls_x509_crt_deinit (cert); + + return; + } + + if (gnutls_x509_crt_get_ca_status (cert, NULL) <= 0) + { + DEBUG ("Can't import the CA, it's not a valid CA certificate"); + gnutls_x509_crt_deinit (cert); + + goto out; + } + + exported_len = get_exported_size (cert); + exported_cert = g_malloc (sizeof (guchar) * exported_len); + + res = gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_PEM, + exported_cert, &exported_len); + + if (res < 0) + { + DEBUG ("Failed to export the CA certificate; GnuTLS returned %d", res); + gnutls_x509_crt_deinit (cert); + + goto out; + } + + gnutls_x509_crt_deinit (cert); + + /* write the file */ + user_certs_dir = g_build_filename (g_get_user_config_dir (), + "telepathy", "certs", NULL); + + res = g_mkdir_with_parents (user_certs_dir, S_IRWXU | S_IRWXG); + + if (res < 0) + { + DEBUG ("Failed to create the user certificate directory: %s", + g_strerror (errno)); + + goto out; + } + + do + { + g_free (path); + + filename = g_strdup_printf ("cert-%p", cert); + path = g_build_filename (user_certs_dir, filename, NULL); + + g_free (filename); + } + while (g_file_test (path, G_FILE_TEST_EXISTS)); + + DEBUG ("Will save to %s", path); + + g_file_set_contents (path, (const gchar *) exported_cert, exported_len, + &error); + + if (error != NULL) + { + DEBUG ("Can't save the CA certificate to %s: %s", + path, error->message); + + g_error_free (error); + } + + out: + g_free (path); + g_free (exported_cert); + g_free (user_certs_dir); +} diff --git a/libempathy/empathy-tls-certificate.h b/libempathy/empathy-tls-certificate.h index c79c26abd..4bf5c188a 100644 --- a/libempathy/empathy-tls-certificate.h +++ b/libempathy/empathy-tls-certificate.h @@ -71,6 +71,8 @@ void empathy_tls_certificate_reject (EmpathyTLSCertificate *self, EmpTLSCertificateRejectReason reason, gboolean user_requested); +void empathy_tls_certificate_store_ca (EmpathyTLSCertificate *self); + G_END_DECLS #endif /* #ifndef __EMPATHY_TLS_CERTIFICATE_H__*/ -- cgit v1.2.3 From 48973a29e5016c9e88b3b19fdfe8e31856ce9cf5 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Fri, 13 Aug 2010 16:14:28 +0200 Subject: Add a 'remember' checkbox and property to the dialog --- libempathy-gtk/empathy-tls-dialog.c | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/libempathy-gtk/empathy-tls-dialog.c b/libempathy-gtk/empathy-tls-dialog.c index d149dedbf..0fe0093b6 100644 --- a/libempathy-gtk/empathy-tls-dialog.c +++ b/libempathy-gtk/empathy-tls-dialog.c @@ -40,6 +40,7 @@ G_DEFINE_TYPE (EmpathyTLSDialog, empathy_tls_dialog, enum { PROP_TLS_CERTIFICATE = 1, PROP_REASON, + PROP_REMEMBER, LAST_PROPERTY, }; @@ -48,6 +49,8 @@ typedef struct { EmpathyTLSCertificate *certificate; EmpTLSCertificateRejectReason reason; + gboolean remember; + gboolean dispose_run; } EmpathyTLSDialogPriv; @@ -67,6 +70,9 @@ empathy_tls_dialog_get_property (GObject *object, case PROP_REASON: g_value_set_uint (value, priv->reason); break; + case PROP_REMEMBER: + g_value_set_boolean (value, priv->remember); + break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); break; @@ -188,10 +194,21 @@ build_gcr_widget (EmpathyTLSDialog *self) return GTK_WIDGET (widget); } +static void +checkbox_toggled_cb (GtkToggleButton *checkbox, + gpointer user_data) +{ + EmpathyTLSDialog *self = user_data; + EmpathyTLSDialogPriv *priv = GET_PRIV (self); + + priv->remember = gtk_toggle_button_get_active (checkbox); + g_object_notify (G_OBJECT (self), "remember"); +} + static void empathy_tls_dialog_constructed (GObject *object) { - GtkWidget *content_area, *expander, *details; + GtkWidget *content_area, *expander, *details, *checkbox; gchar *text; EmpathyTLSDialog *self = EMPATHY_TLS_DIALOG (object); GtkMessageDialog *message_dialog = GTK_MESSAGE_DIALOG (self); @@ -214,10 +231,18 @@ empathy_tls_dialog_constructed (GObject *object) g_free (text); content_area = gtk_dialog_get_content_area (dialog); + + checkbox = gtk_check_button_new_with_label (_("Remember this choice")); + gtk_box_pack_end (GTK_BOX (content_area), checkbox, FALSE, FALSE, 0); + gtk_widget_show (checkbox); + + g_signal_connect (checkbox, "toggled", + G_CALLBACK (checkbox_toggled_cb), self); + text = g_strdup_printf ("%s", _("Certificate Details")); expander = gtk_expander_new (text); gtk_expander_set_use_markup (GTK_EXPANDER (expander), TRUE); - gtk_box_pack_end (GTK_BOX (content_area), expander, TRUE, TRUE, 6); + gtk_box_pack_end (GTK_BOX (content_area), expander, TRUE, TRUE, 0); gtk_widget_show (expander); g_free (text); @@ -259,6 +284,12 @@ empathy_tls_dialog_class_init (EmpathyTLSDialogClass *klass) EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN, G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); g_object_class_install_property (oclass, PROP_REASON, pspec); + + pspec = g_param_spec_boolean ("remember", "Whether to remember the decision", + "Whether we should remember the decision for this certificate.", + FALSE, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_REMEMBER, pspec); } GtkWidget * -- cgit v1.2.3 From 2d6a216618624813b28495701d50c184c9934d77 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Fri, 13 Aug 2010 16:15:00 +0200 Subject: Build the right path when looking at user certs --- libempathy/empathy-tls-verifier.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c index e85d8a750..b71e54828 100644 --- a/libempathy/empathy-tls-verifier.c +++ b/libempathy/empathy-tls-verifier.c @@ -484,16 +484,18 @@ build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job, } else { - const gchar *cert_path; + const gchar *cert_name; - while ((cert_path = g_dir_read_name (dir)) != NULL) + while ((cert_name = g_dir_read_name (dir)) != NULL) { - gchar *contents = NULL; + gchar *contents = NULL, *cert_path = NULL; gsize length = 0; gint res; gnutls_datum_t datum = { NULL, 0 }; gnutls_x509_crt_t cert; + cert_path = g_build_filename (user_certs_dir, cert_name, NULL); + g_file_get_contents (cert_path, &contents, &length, &error); if (error != NULL) @@ -502,6 +504,7 @@ build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job, cert_path, error->message); g_clear_error (&error); + g_free (cert_path); continue; } @@ -522,6 +525,7 @@ build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job, } g_free (contents); + g_free (cert_path); } g_dir_close (dir); -- cgit v1.2.3 From 1937b83032ff55814c27176c22e4184d0d30e045 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Fri, 13 Aug 2010 16:15:17 +0200 Subject: Save the certificate when we are told to remember --- src/empathy-auth-helper.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/empathy-auth-helper.c b/src/empathy-auth-helper.c index 065fc8ded..7ed4596c2 100644 --- a/src/empathy-auth-helper.c +++ b/src/empathy-auth-helper.c @@ -47,12 +47,14 @@ tls_dialog_response_cb (GtkDialog *dialog, EmpathyTLSCertificate *certificate = NULL; EmpTLSCertificateRejectReason reason = 0; EmpathyTLSDialog *tls_dialog = EMPATHY_TLS_DIALOG (dialog); + gboolean remember = FALSE; DEBUG ("Response %d", response_id); g_object_get (tls_dialog, "certificate", &certificate, "reason", &reason, + "remember", &remember, NULL); gtk_widget_destroy (GTK_WIDGET (dialog)); @@ -62,6 +64,9 @@ tls_dialog_response_cb (GtkDialog *dialog, else empathy_tls_certificate_reject (certificate, reason, TRUE); + if (remember) + empathy_tls_certificate_store_ca (certificate); + g_object_unref (certificate); } -- cgit v1.2.3 From 2c95c1dd40e651b5f565e027b1a07cae251f87b2 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Fri, 13 Aug 2010 16:20:07 +0200 Subject: Add the checkbox only if the reason is SelfSigned Also, add a comment to explain why. --- libempathy-gtk/empathy-tls-dialog.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/libempathy-gtk/empathy-tls-dialog.c b/libempathy-gtk/empathy-tls-dialog.c index 0fe0093b6..b61d5cacc 100644 --- a/libempathy-gtk/empathy-tls-dialog.c +++ b/libempathy-gtk/empathy-tls-dialog.c @@ -232,12 +232,21 @@ empathy_tls_dialog_constructed (GObject *object) content_area = gtk_dialog_get_content_area (dialog); - checkbox = gtk_check_button_new_with_label (_("Remember this choice")); - gtk_box_pack_end (GTK_BOX (content_area), checkbox, FALSE, FALSE, 0); - gtk_widget_show (checkbox); + /* FIXME: right now we do this only if the error is SelfSigned, as we can + * easily store the new CA cert in $XDG_CONFIG_DIR/telepathy/certs in that + * case. For the other errors, we probably need a smarter/more powerful + * certificate storage. + */ + if (priv->reason == EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED) + { + checkbox = gtk_check_button_new_with_label ( + _("Remember this choice for future connections")); + gtk_box_pack_end (GTK_BOX (content_area), checkbox, FALSE, FALSE, 0); + gtk_widget_show (checkbox); - g_signal_connect (checkbox, "toggled", - G_CALLBACK (checkbox_toggled_cb), self); + g_signal_connect (checkbox, "toggled", + G_CALLBACK (checkbox_toggled_cb), self); + } text = g_strdup_printf ("%s", _("Certificate Details")); expander = gtk_expander_new (text); -- cgit v1.2.3 From 1f436c6ef319671d80b1c35bd498dd4893c6919b Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 11:03:07 +0200 Subject: Require GnuTLS >= 2.8.5 --- configure.ac | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 97ea195ff..4031e949d 100644 --- a/configure.ac +++ b/configure.ac @@ -34,6 +34,7 @@ AC_COPYRIGHT([ FOLKS_REQUIRED=0.1.13 GCONF_REQUIRED=1.2.0 GLIB_REQUIRED=2.25.9 +GNUTLS_REQUIRED=2.8.5 GTK_REQUIRED=2.21.2 KEYRING_REQUIRED=2.26.0 LIBCANBERRA_GTK_REQUIRED=0.4 @@ -154,7 +155,7 @@ PKG_CHECK_MODULES(EMPATHY, gio-2.0 >= $GLIB_REQUIRED gio-unix-2.0 >= $GLIB_REQUIRED gnome-keyring-1 >= $KEYRING_REQUIRED - gnutls + gnutls >= $GNUTLS_REQUIRED gobject-2.0 gstreamer-0.10 gstreamer-interfaces-0.10 -- cgit v1.2.3 From 1fba1db04fde57223ace7332111d146a124a643a Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 11:09:11 +0200 Subject: Add reference to the original gnome-keyring repo --- libempathy-gtk/gcr-simple-certificate.c | 3 +++ libempathy-gtk/gcr-simple-certificate.h | 3 +++ 2 files changed, 6 insertions(+) diff --git a/libempathy-gtk/gcr-simple-certificate.c b/libempathy-gtk/gcr-simple-certificate.c index 048fd5022..072cbac97 100644 --- a/libempathy-gtk/gcr-simple-certificate.c +++ b/libempathy-gtk/gcr-simple-certificate.c @@ -2,6 +2,9 @@ * gnome-keyring * * Copyright (C) 2008 Stefan Walter + * + * This file is copied from the gnome-keyring gcr library, which can be + * found at git://git.gnome.org/gnome-keyring * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as diff --git a/libempathy-gtk/gcr-simple-certificate.h b/libempathy-gtk/gcr-simple-certificate.h index 6b9fb9618..ee46b4817 100644 --- a/libempathy-gtk/gcr-simple-certificate.h +++ b/libempathy-gtk/gcr-simple-certificate.h @@ -2,6 +2,9 @@ * gnome-keyring * * Copyright (C) 2008 Stefan Walter + * + * This file is copied from the gnome-keyring gcr library, which can be + * found at git://git.gnome.org/gnome-keyring * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as -- cgit v1.2.3 From d9428d22891d01b25b08f23278317daa78871274 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 15:41:01 +0200 Subject: Properly use errors when handling channels --- libempathy/empathy-auth-factory.c | 70 +++++++++++++++++++++++++++++++-------- 1 file changed, 56 insertions(+), 14 deletions(-) diff --git a/libempathy/empathy-auth-factory.c b/libempathy/empathy-auth-factory.c index 9d8e16e21..5a8f9f9f7 100644 --- a/libempathy/empathy-auth-factory.c +++ b/libempathy/empathy-auth-factory.c @@ -22,6 +22,7 @@ #include #include +#include #define DEBUG_FLAG EMPATHY_DEBUG_TLS #include "empathy-debug.h" @@ -34,6 +35,9 @@ G_DEFINE_TYPE (EmpathyAuthFactory, empathy_auth_factory, G_TYPE_OBJECT); typedef struct { TpBaseClient *handler; + TpHandleChannelsContext *context; + + gboolean dispose_run; } EmpathyAuthFactoryPriv; enum { @@ -52,9 +56,10 @@ server_tls_handler_ready_cb (GObject *source, GAsyncResult *res, gpointer user_data) { - EmpathyAuthFactory *self = user_data; - GError *error = NULL; EmpathyServerTLSHandler *handler; + GError *error = NULL; + EmpathyAuthFactory *self = user_data; + EmpathyAuthFactoryPriv *priv = GET_PRIV (self); handler = empathy_server_tls_handler_new_finish (res, &error); @@ -62,14 +67,20 @@ server_tls_handler_ready_cb (GObject *source, { DEBUG ("Failed to create a server TLS handler; error %s", error->message); + tp_handle_channels_context_fail (priv->context, error); + g_error_free (error); } else { + tp_handle_channels_context_accept (priv->context); g_signal_emit (self, signals[NEW_SERVER_TLS_HANDLER], 0, handler); + g_object_unref (handler); } + + tp_clear_object (&priv->context); } static void @@ -83,30 +94,56 @@ handle_channels_cb (TpSimpleHandler *handler, gpointer user_data) { TpChannel *channel; + const GError *dbus_error; + GError *error = NULL; EmpathyAuthFactory *self = user_data; + EmpathyAuthFactoryPriv *priv = GET_PRIV (self); DEBUG ("Handle TLS carrier channels."); /* there can't be more than one ServerTLSConnection channels * at the same time, for the same connection/account. */ - g_assert (g_list_length (channels) == 1); + if (g_list_length (channels) != 1) + { + g_set_error_literal (&error, TP_ERROR, TP_ERROR_INVALID_ARGUMENT, + "Can't handle more than one ServerTLSConnection channel " + "for the same connection."); - channel = channels->data; + goto error; + } - if (tp_proxy_get_invalidated (channel) != NULL) - goto out; + channel = channels->data; if (tp_channel_get_channel_type_id (channel) != EMP_IFACE_QUARK_CHANNEL_TYPE_SERVER_TLS_CONNECTION) - goto out; + { + g_set_error (&error, TP_ERROR, TP_ERROR_INVALID_ARGUMENT, + "Can only handle ServerTLSConnection channels, this was a %s " + "channel", tp_channel_get_channel_type (channel)); + + goto error; + } + + dbus_error = tp_proxy_get_invalidated (channel); + + if (dbus_error != NULL) + { + error = g_error_copy (dbus_error); + goto error; + } /* create a handler */ + priv->context = g_object_ref (context); + tp_handle_channels_context_delay (context); empathy_server_tls_handler_new_async (channel, server_tls_handler_ready_cb, self); - out: - tp_handle_channels_context_accept (context); + return; + + error: + tp_handle_channels_context_fail (context, error); + g_clear_error (&error); } static GObject * @@ -163,14 +200,19 @@ empathy_auth_factory_init (EmpathyAuthFactory *self) } static void -empathy_auth_factory_finalize (GObject *object) +empathy_auth_factory_dispose (GObject *object) { EmpathyAuthFactoryPriv *priv = GET_PRIV (object); - if (priv->handler != NULL) - g_object_unref (priv->handler); + if (priv->dispose_run) + return; + + priv->dispose_run = TRUE; + + tp_clear_object (&priv->handler); + tp_clear_object (&priv->context); - G_OBJECT_CLASS (empathy_auth_factory_parent_class)->finalize (object); + G_OBJECT_CLASS (empathy_auth_factory_parent_class)->dispose (object); } static void @@ -179,7 +221,7 @@ empathy_auth_factory_class_init (EmpathyAuthFactoryClass *klass) GObjectClass *oclass = G_OBJECT_CLASS (klass); oclass->constructor = empathy_auth_factory_constructor; - oclass->finalize = empathy_auth_factory_finalize; + oclass->dispose = empathy_auth_factory_dispose; g_type_class_add_private (klass, sizeof (EmpathyAuthFactoryPriv)); -- cgit v1.2.3 From 92c282488352fd9067fdfbd1d9e96b668a2ff19c Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 15:41:49 +0200 Subject: Use _borrow_immutable_properties instead of GetAll() This also simplifies the code somewhat --- libempathy/empathy-server-tls-handler.c | 65 +++++++++++---------------------- 1 file changed, 21 insertions(+), 44 deletions(-) diff --git a/libempathy/empathy-server-tls-handler.c b/libempathy/empathy-server-tls-handler.c index 10a2daf20..a207dffcf 100644 --- a/libempathy/empathy-server-tls-handler.c +++ b/libempathy/empathy-server-tls-handler.c @@ -79,45 +79,6 @@ tls_certificate_constructed_cb (GObject *source, g_object_unref (priv->async_init_res); } -static void -server_tls_channel_got_all_cb (TpProxy *proxy, - GHashTable *properties, - const GError *error, - gpointer user_data, - GObject *weak_object) -{ - EmpathyServerTLSHandler *self = EMPATHY_SERVER_TLS_HANDLER (weak_object); - EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self); - - if (error != NULL) - { - g_simple_async_result_set_from_error (priv->async_init_res, error); - g_simple_async_result_complete_in_idle (priv->async_init_res); - g_object_unref (priv->async_init_res); - } - else - { - const gchar *cert_object_path; - const gchar *hostname; - - cert_object_path = tp_asv_get_object_path (properties, - "ServerCertificate"); - - DEBUG ("Creating an EmpathyTLSCertificate for path %s, bus name %s", - cert_object_path, tp_proxy_get_bus_name (proxy)); - - empathy_tls_certificate_new_async ( - tp_proxy_get_bus_name (proxy), - cert_object_path, - tls_certificate_constructed_cb, self); - - hostname = tp_asv_get_string (properties, "Hostname"); - priv->hostname = g_strdup (hostname); - - DEBUG ("Received hostname: %s", hostname); - } -} - static gboolean tls_handler_init_finish (GAsyncInitable *initable, GAsyncResult *res, @@ -140,18 +101,34 @@ tls_handler_init_async (GAsyncInitable *initable, GAsyncReadyCallback callback, gpointer user_data) { + GHashTable *properties; + const gchar *cert_object_path; + const gchar *hostname; + const gchar *bus_name; EmpathyServerTLSHandler *self = EMPATHY_SERVER_TLS_HANDLER (initable); EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self); g_assert (priv->channel != NULL); priv->async_init_res = g_simple_async_result_new (G_OBJECT (self), - callback, user_data, NULL); + callback, user_data, empathy_tls_certificate_new_async); + properties = tp_channel_borrow_immutable_properties (priv->channel); + + hostname = tp_asv_get_string (properties, + EMP_IFACE_CHANNEL_TYPE_SERVER_TLS_CONNECTION ".Hostname"); + priv->hostname = g_strdup (hostname); + + DEBUG ("Received hostname: %s", hostname); + + cert_object_path = tp_asv_get_object_path (properties, + EMP_IFACE_CHANNEL_TYPE_SERVER_TLS_CONNECTION ".ServerCertificate"); + bus_name = tp_proxy_get_bus_name (TP_PROXY (priv->channel)); + + DEBUG ("Creating an EmpathyTLSCertificate for path %s, bus name %s", + cert_object_path, bus_name); - /* call GetAll() on the channel properties */ - tp_cli_dbus_properties_call_get_all (priv->channel, - -1, EMP_IFACE_CHANNEL_TYPE_SERVER_TLS_CONNECTION, - server_tls_channel_got_all_cb, NULL, NULL, G_OBJECT (self)); + empathy_tls_certificate_new_async (bus_name, cert_object_path, + tls_certificate_constructed_cb, self); } static void -- cgit v1.2.3 From d20fcc3aedd0b76b3ea0307bb69324121f49b555 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 16:08:49 +0200 Subject: Make _accept/_reject real async methods --- libempathy/empathy-tls-certificate.c | 69 +++++++++++++++++++++++++++++++----- libempathy/empathy-tls-certificate.h | 17 +++++++-- 2 files changed, 74 insertions(+), 12 deletions(-) diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index a6ee3b966..d758b4c48 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -153,7 +153,7 @@ tls_certificate_init_async (GAsyncInitable *initable, g_assert (priv->bus_name != NULL); priv->async_init_res = g_simple_async_result_new (G_OBJECT (self), - callback, user_data, NULL); + callback, user_data, empathy_tls_certificate_new_async); dbus = tp_dbus_daemon_dup (&error); if (error != NULL) @@ -314,10 +314,17 @@ cert_proxy_accept_cb (TpProxy *proxy, gpointer user_data, GObject *weak_object) { + GSimpleAsyncResult *accept_result = user_data; + DEBUG ("Callback for accept(), error %p", error); if (error != NULL) - DEBUG ("Error was %s", error->message); + { + DEBUG ("Error was %s", error->message); + g_simple_async_result_set_from_error (accept_result, error); + } + + g_simple_async_result_complete (accept_result); } static void @@ -326,10 +333,17 @@ cert_proxy_reject_cb (TpProxy *proxy, gpointer user_data, GObject *weak_object) { + GSimpleAsyncResult *reject_result = user_data; + DEBUG ("Callback for reject(), error %p", error); if (error != NULL) - DEBUG ("Error was %s", error->message); + { + DEBUG ("Error was %s", error->message); + g_simple_async_result_set_from_error (reject_result, error); + } + + g_simple_async_result_complete (reject_result); } static const gchar * @@ -408,25 +422,48 @@ empathy_tls_certificate_new_finish (GAsyncResult *res, } void -empathy_tls_certificate_accept (EmpathyTLSCertificate *self) +empathy_tls_certificate_accept_async (EmpathyTLSCertificate *self, + GAsyncReadyCallback callback, + gpointer user_data) { + GSimpleAsyncResult *accept_result; EmpathyTLSCertificatePriv *priv = GET_PRIV (self); g_assert (EMPATHY_IS_TLS_CERTIFICATE (self)); DEBUG ("Accepting TLS certificate"); + accept_result = g_simple_async_result_new (G_OBJECT (self), + callback, user_data, empathy_tls_certificate_accept_async); + emp_cli_authentication_tls_certificate_call_accept (priv->proxy, - -1, cert_proxy_accept_cb, NULL, NULL, G_OBJECT (self)); + -1, cert_proxy_accept_cb, + accept_result, g_object_unref, + G_OBJECT (self)); +} + +gboolean +empathy_tls_certificate_accept_finish (EmpathyTLSCertificate *self, + GAsyncResult *result, + GError **error) +{ + if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), + error)) + return FALSE; + + return TRUE; } void -empathy_tls_certificate_reject (EmpathyTLSCertificate *self, +empathy_tls_certificate_reject_async (EmpathyTLSCertificate *self, EmpTLSCertificateRejectReason reason, - gboolean user_requested) + gboolean user_requested, + GAsyncReadyCallback callback, + gpointer user_data) { GHashTable *details; const gchar *dbus_error; + GSimpleAsyncResult *reject_result; EmpathyTLSCertificatePriv *priv = GET_PRIV (self); g_assert (EMPATHY_IS_TLS_CERTIFICATE (self)); @@ -436,14 +473,28 @@ empathy_tls_certificate_reject (EmpathyTLSCertificate *self, dbus_error = reject_reason_get_dbus_error (reason); details = tp_asv_new ("user-requested", G_TYPE_BOOLEAN, user_requested, NULL); + reject_result = g_simple_async_result_new (G_OBJECT (self), + callback, user_data, empathy_tls_certificate_reject_async); emp_cli_authentication_tls_certificate_call_reject (priv->proxy, - -1, reason, dbus_error, details, - cert_proxy_reject_cb, NULL, NULL, G_OBJECT (self)); + -1, reason, dbus_error, details, cert_proxy_reject_cb, + reject_result, g_object_unref, G_OBJECT (self)); g_hash_table_unref (details); } +gboolean +empathy_tls_certificate_reject_finish (EmpathyTLSCertificate *self, + GAsyncResult *result, + GError **error) +{ + if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), + error)) + return FALSE; + + return TRUE; +} + static gsize get_exported_size (gnutls_x509_crt_t cert) { diff --git a/libempathy/empathy-tls-certificate.h b/libempathy/empathy-tls-certificate.h index 4bf5c188a..3a606c602 100644 --- a/libempathy/empathy-tls-certificate.h +++ b/libempathy/empathy-tls-certificate.h @@ -66,10 +66,21 @@ void empathy_tls_certificate_new_async (const gchar *bus_name, EmpathyTLSCertificate * empathy_tls_certificate_new_finish (GAsyncResult * res, GError **error); -void empathy_tls_certificate_accept (EmpathyTLSCertificate *self); -void empathy_tls_certificate_reject (EmpathyTLSCertificate *self, +void empathy_tls_certificate_accept_async (EmpathyTLSCertificate *self, + GAsyncReadyCallback callback, + gpointer user_data); +gboolean empathy_tls_certificate_accept_finish (EmpathyTLSCertificate *self, + GAsyncResult *result, + GError **error); + +void empathy_tls_certificate_reject_async (EmpathyTLSCertificate *self, EmpTLSCertificateRejectReason reason, - gboolean user_requested); + gboolean user_requested, + GAsyncReadyCallback callback, + gpointer user_data); +gboolean empathy_tls_certificate_reject_finish (EmpathyTLSCertificate *self, + GAsyncResult *result, + GError **error); void empathy_tls_certificate_store_ca (EmpathyTLSCertificate *self); -- cgit v1.2.3 From 69983e8165de21075d7e9102fa855c99ffa2290b Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 16:09:22 +0200 Subject: Update to the new EmpathyTLSCertificate async API --- src/empathy-auth-helper.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/empathy-auth-helper.c b/src/empathy-auth-helper.c index 7ed4596c2..b2ea4ebc0 100644 --- a/src/empathy-auth-helper.c +++ b/src/empathy-auth-helper.c @@ -60,9 +60,10 @@ tls_dialog_response_cb (GtkDialog *dialog, gtk_widget_destroy (GTK_WIDGET (dialog)); if (response_id == GTK_RESPONSE_YES) - empathy_tls_certificate_accept (certificate); + empathy_tls_certificate_accept_async (certificate, NULL, NULL); else - empathy_tls_certificate_reject (certificate, reason, TRUE); + empathy_tls_certificate_reject_async (certificate, reason, TRUE, + NULL, NULL); if (remember) empathy_tls_certificate_store_ca (certificate); @@ -109,7 +110,7 @@ verifier_verify_cb (GObject *source, } else { - empathy_tls_certificate_accept (certificate); + empathy_tls_certificate_accept_async (certificate, NULL, NULL); } g_object_unref (certificate); -- cgit v1.2.3 From f735801461c5748ee212eaba80c894f33ecf3f10 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 16:11:20 +0200 Subject: Assert when we have an invalid pointer --- libempathy/empathy-tls-verifier.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c index b71e54828..5ed9bb996 100644 --- a/libempathy/empathy-tls-verifier.c +++ b/libempathy/empathy-tls-verifier.c @@ -83,6 +83,8 @@ verification_output_to_reason (gint res, { gboolean retval = TRUE; + g_assert (reason != NULL); + if (res != GNUTLS_E_SUCCESS) { retval = FALSE; -- cgit v1.2.3 From 0a173bc247669513992889723e93eb2de4cc0de9 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 16:18:10 +0200 Subject: Make it more clear which snippets are taken from GnuTLS --- libempathy/empathy-tls-verifier.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c index 5ed9bb996..55afb4087 100644 --- a/libempathy/empathy-tls-verifier.c +++ b/libempathy/empathy-tls-verifier.c @@ -16,6 +16,10 @@ * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + * + * Some snippets are taken from GnuTLS 2.8.6, which is distributed under the + * same GNU Lesser General Public License 2.1 (or later) version. See + * get_certified_hostname (). */ #include @@ -225,7 +229,9 @@ get_certified_hostname (gnutls_x509_crt_t cert) gint idx; gint res = 0; - /* this is taken from GnuTLS */ + /* this snippet is taken from GnuTLS. + * see gnutls/lib/x509/rfc2818_hostname.c + */ for (idx = 0; res >= 0; idx++) { dns_name_size = sizeof (dns_name); -- cgit v1.2.3 From f0793af4b460ffcde3df89f77590f6130c2b8b9e Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 16:40:21 +0200 Subject: Add a details hash table as an out param of the verification --- libempathy/empathy-tls-verifier.c | 35 +++++++++++++++++++++++++++++------ libempathy/empathy-tls-verifier.h | 1 + 2 files changed, 30 insertions(+), 6 deletions(-) diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c index 55afb4087..cd76a8917 100644 --- a/libempathy/empathy-tls-verifier.c +++ b/libempathy/empathy-tls-verifier.c @@ -62,6 +62,7 @@ typedef struct { gchar *hostname; GSimpleAsyncResult *verify_result; + GHashTable *details; gboolean dispose_run; } EmpathyTLSVerifierPriv; @@ -271,13 +272,16 @@ real_start_verification (EmpathyTLSVerifier *self) { gchar *certified_hostname; + reason = EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH; certified_hostname = get_certified_hostname (first_cert); + tp_asv_set_string (priv->details, + "expected-hostname", priv->hostname); + tp_asv_set_string (priv->details, + "certificate-hostname", certified_hostname); + DEBUG ("Hostname mismatch: got %s but expected %s", certified_hostname, priv->hostname); - /* TODO: pass-through the expected hostname in the reject details */ - reason = EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH; - g_free (certified_hostname); goto out; } @@ -622,6 +626,7 @@ empathy_tls_verifier_finalize (GObject *object) g_ptr_array_unref (priv->cert_chain); g_free (priv->hostname); + tp_clear_boxed (G_TYPE_HASH_TABLE, &priv->details); G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object); } @@ -640,8 +645,11 @@ empathy_tls_verifier_constructed (GObject *object) static void empathy_tls_verifier_init (EmpathyTLSVerifier *self) { - self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self, + EmpathyTLSVerifierPriv *priv; + + priv = self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self, EMPATHY_TYPE_TLS_VERIFIER, EmpathyTLSVerifierPriv); + priv->details = tp_asv_new (NULL, NULL); } static void @@ -702,15 +710,30 @@ gboolean empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self, GAsyncResult *res, EmpTLSCertificateRejectReason *reason, + GHashTable **details, GError **error) { + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res), error)) { - *reason = (*error)->code; + if (reason != NULL) + *reason = (*error)->code; + + if (details != NULL) + { + *details = tp_asv_new (NULL, NULL); + tp_g_hash_table_update (*details, priv->details, + (GBoxedCopyFunc) g_strdup, + (GBoxedCopyFunc) tp_g_value_slice_dup); + } + return FALSE; } - *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + if (reason != NULL) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + return TRUE; } diff --git a/libempathy/empathy-tls-verifier.h b/libempathy/empathy-tls-verifier.h index b4cc1fcb7..e73a71aeb 100644 --- a/libempathy/empathy-tls-verifier.h +++ b/libempathy/empathy-tls-verifier.h @@ -71,6 +71,7 @@ void empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self, gboolean empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self, GAsyncResult *res, EmpTLSCertificateRejectReason *reason, + GHashTable **details, GError **error); G_END_DECLS -- cgit v1.2.3 From 86eac228724f7a4c45b8bc58254af77bdad1e766 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 16:40:50 +0200 Subject: Add a details hash table to the dialog properties --- libempathy-gtk/empathy-tls-dialog.c | 29 ++++++++++++++++++++++++++++- libempathy-gtk/empathy-tls-dialog.h | 3 ++- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/libempathy-gtk/empathy-tls-dialog.c b/libempathy-gtk/empathy-tls-dialog.c index b61d5cacc..9a2dfd6fc 100644 --- a/libempathy-gtk/empathy-tls-dialog.c +++ b/libempathy-gtk/empathy-tls-dialog.c @@ -41,6 +41,7 @@ enum { PROP_TLS_CERTIFICATE = 1, PROP_REASON, PROP_REMEMBER, + PROP_DETAILS, LAST_PROPERTY, }; @@ -48,6 +49,7 @@ enum { typedef struct { EmpathyTLSCertificate *certificate; EmpTLSCertificateRejectReason reason; + GHashTable *details; gboolean remember; @@ -73,6 +75,9 @@ empathy_tls_dialog_get_property (GObject *object, case PROP_REMEMBER: g_value_set_boolean (value, priv->remember); break; + case PROP_DETAILS: + g_value_set_boxed (value, priv->details); + break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); break; @@ -95,6 +100,9 @@ empathy_tls_dialog_set_property (GObject *object, case PROP_REASON: priv->reason = g_value_get_uint (value); break; + case PROP_DETAILS: + priv->details = g_value_dup_boxed (value); + break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); break; @@ -116,6 +124,16 @@ empathy_tls_dialog_dispose (GObject *object) G_OBJECT_CLASS (empathy_tls_dialog_parent_class)->dispose (object); } +static void +empathy_tls_dialog_finalize (GObject *object) +{ + EmpathyTLSDialogPriv *priv = GET_PRIV (object); + + tp_clear_boxed (G_TYPE_HASH_TABLE, &priv->details); + + G_OBJECT_CLASS (empathy_tls_dialog_parent_class)->finalize (object); +} + static gchar * reason_to_string (EmpTLSCertificateRejectReason reason) { @@ -279,6 +297,7 @@ empathy_tls_dialog_class_init (EmpathyTLSDialogClass *klass) oclass->set_property = empathy_tls_dialog_set_property; oclass->get_property = empathy_tls_dialog_get_property; oclass->dispose = empathy_tls_dialog_dispose; + oclass->finalize = empathy_tls_dialog_finalize; oclass->constructed = empathy_tls_dialog_constructed; pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate", @@ -299,11 +318,18 @@ empathy_tls_dialog_class_init (EmpathyTLSDialogClass *klass) FALSE, G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); g_object_class_install_property (oclass, PROP_REMEMBER, pspec); + + pspec = g_param_spec_boxed ("details", "Rejection details", + "Additional details about the rejection of this certificate.", + G_TYPE_HASH_TABLE, + G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_DETAILS, pspec); } GtkWidget * empathy_tls_dialog_new (EmpathyTLSCertificate *certificate, - EmpTLSCertificateRejectReason reason) + EmpTLSCertificateRejectReason reason, + GHashTable *details) { g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate)); @@ -311,5 +337,6 @@ empathy_tls_dialog_new (EmpathyTLSCertificate *certificate, "message-type", GTK_MESSAGE_WARNING, "certificate", certificate, "reason", reason, + "details", details, NULL); } diff --git a/libempathy-gtk/empathy-tls-dialog.h b/libempathy-gtk/empathy-tls-dialog.h index c8e5e7662..fcf72fe9b 100644 --- a/libempathy-gtk/empathy-tls-dialog.h +++ b/libempathy-gtk/empathy-tls-dialog.h @@ -61,7 +61,8 @@ GType empathy_tls_dialog_get_type (void); EmpathyTLSDialogClass)) GtkWidget * empathy_tls_dialog_new (EmpathyTLSCertificate *certificate, - EmpTLSCertificateRejectReason reason); + EmpTLSCertificateRejectReason reason, + GHashTable *details); G_END_DECLS -- cgit v1.2.3 From 53966af9c627e5217fb247b64ef62bf40541c5f8 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 16:41:22 +0200 Subject: Push the details table to the dialog after verification --- src/empathy-auth-helper.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/empathy-auth-helper.c b/src/empathy-auth-helper.c index b2ea4ebc0..9e3a75e23 100644 --- a/src/empathy-auth-helper.c +++ b/src/empathy-auth-helper.c @@ -73,11 +73,12 @@ tls_dialog_response_cb (GtkDialog *dialog, static void display_interactive_dialog (EmpathyTLSCertificate *certificate, - EmpTLSCertificateRejectReason reason) + EmpTLSCertificateRejectReason reason, + GHashTable *details) { GtkWidget *tls_dialog; - tls_dialog = empathy_tls_dialog_new (certificate, reason); + tls_dialog = empathy_tls_dialog_new (certificate, reason, details); g_signal_connect (tls_dialog, "response", G_CALLBACK (tls_dialog_response_cb), NULL); @@ -93,18 +94,19 @@ verifier_verify_cb (GObject *source, EmpTLSCertificateRejectReason reason; GError *error = NULL; EmpathyTLSCertificate *certificate = NULL; + GHashTable *details = NULL; g_object_get (source, "certificate", &certificate, NULL); res = empathy_tls_verifier_verify_finish (EMPATHY_TLS_VERIFIER (source), - result, &reason, &error); + result, &reason, &details, &error); if (error != NULL) { DEBUG ("Error: %s", error->message); - display_interactive_dialog (certificate, reason); + display_interactive_dialog (certificate, reason, details); g_error_free (error); } -- cgit v1.2.3 From a272c04575698908bff1363f3d652cc67876e599 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 16:43:17 +0200 Subject: Use tp_clear_pointer() where possible --- libempathy/empathy-tls-verifier.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c index cd76a8917..c2169f0fd 100644 --- a/libempathy/empathy-tls-verifier.c +++ b/libempathy/empathy-tls-verifier.c @@ -619,14 +619,10 @@ empathy_tls_verifier_finalize (GObject *object) DEBUG ("%p", object); - if (priv->trusted_ca_list != NULL) - g_ptr_array_unref (priv->trusted_ca_list); - - if (priv->cert_chain != NULL) - g_ptr_array_unref (priv->cert_chain); - - g_free (priv->hostname); + tp_clear_pointer (&priv->trusted_ca_list, g_ptr_array_unref); + tp_clear_pointer (&priv->cert_chain, g_ptr_array_unref); tp_clear_boxed (G_TYPE_HASH_TABLE, &priv->details); + g_free (priv->hostname); G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object); } -- cgit v1.2.3 From 9005c6a1357b612d9a3bce36dd6326da487ab728 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 16:44:30 +0200 Subject: Don't allow calling verify_async() twice --- libempathy/empathy-tls-verifier.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c index c2169f0fd..01548b325 100644 --- a/libempathy/empathy-tls-verifier.c +++ b/libempathy/empathy-tls-verifier.c @@ -695,6 +695,8 @@ empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self, { EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + g_return_if_fail (priv->verify_result == NULL); + priv->verify_result = g_simple_async_result_new (G_OBJECT (self), callback, user_data, NULL); -- cgit v1.2.3 From 5286587e932047f9b32001429a395d8caf193b26 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 16:47:02 +0200 Subject: Rename empathy-auth-helper->empathy-auth-client --- ...esktop.Telepathy.Client.Empathy.Auth.service.in | 2 +- src/Makefile.am | 6 +- src/empathy-auth-client.c | 198 +++++++++++++++++++++ src/empathy-auth-helper.c | 198 --------------------- 4 files changed, 202 insertions(+), 202 deletions(-) create mode 100644 src/empathy-auth-client.c delete mode 100644 src/empathy-auth-helper.c diff --git a/data/org.freedesktop.Telepathy.Client.Empathy.Auth.service.in b/data/org.freedesktop.Telepathy.Client.Empathy.Auth.service.in index 938b31df1..65c47d3e1 100644 --- a/data/org.freedesktop.Telepathy.Client.Empathy.Auth.service.in +++ b/data/org.freedesktop.Telepathy.Client.Empathy.Auth.service.in @@ -1,3 +1,3 @@ [D-BUS Service] Name=org.freedesktop.Telepathy.Client.Empathy.Auth -Exec=@libexecdir@/empathy-auth-helper \ No newline at end of file +Exec=@libexecdir@/empathy-auth-client \ No newline at end of file diff --git a/src/Makefile.am b/src/Makefile.am index ec7b1a822..e21b348bb 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -86,7 +86,7 @@ bin_PROGRAMS = \ libexec_PROGRAMS = \ empathy-av \ - empathy-auth-helper + empathy-auth-client BUILT_SOURCES= @@ -111,8 +111,8 @@ empathy_av_SOURCES = \ empathy-sidebar.c empathy-sidebar.h \ $(NULL) -empathy_auth_helper_SOURCES = \ - empathy-auth-helper.c +empathy_auth_client_SOURCES = \ + empathy-auth-client.c empathy_handwritten_source = \ empathy-about-dialog.c empathy-about-dialog.h \ diff --git a/src/empathy-auth-client.c b/src/empathy-auth-client.c new file mode 100644 index 000000000..45812e8e9 --- /dev/null +++ b/src/empathy-auth-client.c @@ -0,0 +1,198 @@ +/* + * Copyright (C) 2010 Collabora Ltd. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public + * License along with this program; if not, write to the + * Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, + * Boston, MA 02110-1301 USA + * + * Authors: Cosimo Cecchi + */ + +#include + +#include +#include +#include +#include + +#define DEBUG_FLAG EMPATHY_DEBUG_TLS +#include +#include +#include +#include + +#include +#include + +#include + +#include + +static void +tls_dialog_response_cb (GtkDialog *dialog, + gint response_id, + gpointer user_data) +{ + EmpathyTLSCertificate *certificate = NULL; + EmpTLSCertificateRejectReason reason = 0; + EmpathyTLSDialog *tls_dialog = EMPATHY_TLS_DIALOG (dialog); + gboolean remember = FALSE; + + DEBUG ("Response %d", response_id); + + g_object_get (tls_dialog, + "certificate", &certificate, + "reason", &reason, + "remember", &remember, + NULL); + + gtk_widget_destroy (GTK_WIDGET (dialog)); + + if (response_id == GTK_RESPONSE_YES) + empathy_tls_certificate_accept_async (certificate, NULL, NULL); + else + empathy_tls_certificate_reject_async (certificate, reason, TRUE, + NULL, NULL); + + if (remember) + empathy_tls_certificate_store_ca (certificate); + + g_object_unref (certificate); +} + +static void +display_interactive_dialog (EmpathyTLSCertificate *certificate, + EmpTLSCertificateRejectReason reason, + GHashTable *details) +{ + GtkWidget *tls_dialog; + + tls_dialog = empathy_tls_dialog_new (certificate, reason, details); + g_signal_connect (tls_dialog, "response", + G_CALLBACK (tls_dialog_response_cb), NULL); + + gtk_widget_show (tls_dialog); +} + +static void +verifier_verify_cb (GObject *source, + GAsyncResult *result, + gpointer user_data) +{ + gboolean res; + EmpTLSCertificateRejectReason reason; + GError *error = NULL; + EmpathyTLSCertificate *certificate = NULL; + GHashTable *details = NULL; + + g_object_get (source, + "certificate", &certificate, + NULL); + + res = empathy_tls_verifier_verify_finish (EMPATHY_TLS_VERIFIER (source), + result, &reason, &details, &error); + + if (error != NULL) + { + DEBUG ("Error: %s", error->message); + display_interactive_dialog (certificate, reason, details); + + g_error_free (error); + } + else + { + empathy_tls_certificate_accept_async (certificate, NULL, NULL); + } + + g_object_unref (certificate); +} + +static void +auth_factory_new_handler_cb (EmpathyAuthFactory *factory, + EmpathyServerTLSHandler *handler, + gpointer user_data) +{ + EmpathyTLSCertificate *certificate = NULL; + gchar *hostname = NULL; + EmpathyTLSVerifier *verifier; + + DEBUG ("New TLS server handler received from the factory"); + + g_object_get (handler, + "certificate", &certificate, + "hostname", &hostname, + NULL); + + verifier = empathy_tls_verifier_new (certificate, hostname); + empathy_tls_verifier_verify_async (verifier, + verifier_verify_cb, NULL); + + g_object_unref (verifier); + g_object_unref (certificate); + g_free (hostname); +} + +int +main (int argc, + char **argv) +{ + GOptionContext *context; + GError *error = NULL; + EmpathyAuthFactory *factory; + + g_thread_init (NULL); + + context = g_option_context_new (N_(" - Empathy authentication client")); + g_option_context_add_group (context, gtk_get_option_group (TRUE)); + g_option_context_set_translation_domain (context, GETTEXT_PACKAGE); + + if (!g_option_context_parse (context, &argc, &argv, &error)) + { + g_print ("%s\nRun '%s --help' to see a full list of available command " + "line options.\n", error->message, argv[0]); + g_warning ("Error in empathy-auth-client init: %s", error->message); + return EXIT_FAILURE; + } + + g_option_context_free (context); + + empathy_gtk_init (); + gnutls_global_init (); + g_set_application_name (_("Empathy authentication client")); + + gtk_window_set_default_icon_name ("empathy"); + textdomain (GETTEXT_PACKAGE); + + factory = empathy_auth_factory_dup_singleton (); + + g_signal_connect (factory, "new-server-tls-handler", + G_CALLBACK (auth_factory_new_handler_cb), NULL); + + if (!empathy_auth_factory_register (factory, &error)) + { + g_critical ("Failed to register the auth factory: %s\n", error->message); + g_error_free (error); + g_object_unref (factory); + + return EXIT_FAILURE; + } + + DEBUG ("Empathy auth client started."); + + gtk_main (); + + g_object_unref (factory); + + return EXIT_SUCCESS; +} diff --git a/src/empathy-auth-helper.c b/src/empathy-auth-helper.c deleted file mode 100644 index 9e3a75e23..000000000 --- a/src/empathy-auth-helper.c +++ /dev/null @@ -1,198 +0,0 @@ -/* - * Copyright (C) 2010 Collabora Ltd. - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public - * License along with this program; if not, write to the - * Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, - * Boston, MA 02110-1301 USA - * - * Authors: Cosimo Cecchi - */ - -#include - -#include -#include -#include -#include - -#define DEBUG_FLAG EMPATHY_DEBUG_TLS -#include -#include -#include -#include - -#include -#include - -#include - -#include - -static void -tls_dialog_response_cb (GtkDialog *dialog, - gint response_id, - gpointer user_data) -{ - EmpathyTLSCertificate *certificate = NULL; - EmpTLSCertificateRejectReason reason = 0; - EmpathyTLSDialog *tls_dialog = EMPATHY_TLS_DIALOG (dialog); - gboolean remember = FALSE; - - DEBUG ("Response %d", response_id); - - g_object_get (tls_dialog, - "certificate", &certificate, - "reason", &reason, - "remember", &remember, - NULL); - - gtk_widget_destroy (GTK_WIDGET (dialog)); - - if (response_id == GTK_RESPONSE_YES) - empathy_tls_certificate_accept_async (certificate, NULL, NULL); - else - empathy_tls_certificate_reject_async (certificate, reason, TRUE, - NULL, NULL); - - if (remember) - empathy_tls_certificate_store_ca (certificate); - - g_object_unref (certificate); -} - -static void -display_interactive_dialog (EmpathyTLSCertificate *certificate, - EmpTLSCertificateRejectReason reason, - GHashTable *details) -{ - GtkWidget *tls_dialog; - - tls_dialog = empathy_tls_dialog_new (certificate, reason, details); - g_signal_connect (tls_dialog, "response", - G_CALLBACK (tls_dialog_response_cb), NULL); - - gtk_widget_show (tls_dialog); -} - -static void -verifier_verify_cb (GObject *source, - GAsyncResult *result, - gpointer user_data) -{ - gboolean res; - EmpTLSCertificateRejectReason reason; - GError *error = NULL; - EmpathyTLSCertificate *certificate = NULL; - GHashTable *details = NULL; - - g_object_get (source, - "certificate", &certificate, - NULL); - - res = empathy_tls_verifier_verify_finish (EMPATHY_TLS_VERIFIER (source), - result, &reason, &details, &error); - - if (error != NULL) - { - DEBUG ("Error: %s", error->message); - display_interactive_dialog (certificate, reason, details); - - g_error_free (error); - } - else - { - empathy_tls_certificate_accept_async (certificate, NULL, NULL); - } - - g_object_unref (certificate); -} - -static void -auth_factory_new_handler_cb (EmpathyAuthFactory *factory, - EmpathyServerTLSHandler *handler, - gpointer user_data) -{ - EmpathyTLSCertificate *certificate = NULL; - gchar *hostname = NULL; - EmpathyTLSVerifier *verifier; - - DEBUG ("New TLS server handler received from the factory"); - - g_object_get (handler, - "certificate", &certificate, - "hostname", &hostname, - NULL); - - verifier = empathy_tls_verifier_new (certificate, hostname); - empathy_tls_verifier_verify_async (verifier, - verifier_verify_cb, NULL); - - g_object_unref (verifier); - g_object_unref (certificate); - g_free (hostname); -} - -int -main (int argc, - char **argv) -{ - GOptionContext *context; - GError *error = NULL; - EmpathyAuthFactory *factory; - - g_thread_init (NULL); - - context = g_option_context_new (N_(" - Empathy authentication helper")); - g_option_context_add_group (context, gtk_get_option_group (TRUE)); - g_option_context_set_translation_domain (context, GETTEXT_PACKAGE); - - if (!g_option_context_parse (context, &argc, &argv, &error)) - { - g_print ("%s\nRun '%s --help' to see a full list of available command " - "line options.\n", error->message, argv[0]); - g_warning ("Error in empathy-auth-helper init: %s", error->message); - return EXIT_FAILURE; - } - - g_option_context_free (context); - - empathy_gtk_init (); - gnutls_global_init (); - g_set_application_name (_("Empathy authentication helper")); - - gtk_window_set_default_icon_name ("empathy"); - textdomain (GETTEXT_PACKAGE); - - factory = empathy_auth_factory_dup_singleton (); - - g_signal_connect (factory, "new-server-tls-handler", - G_CALLBACK (auth_factory_new_handler_cb), NULL); - - if (!empathy_auth_factory_register (factory, &error)) - { - g_critical ("Failed to register the auth factory: %s\n", error->message); - g_error_free (error); - g_object_unref (factory); - - return EXIT_FAILURE; - } - - DEBUG ("Empathy auth client started."); - - gtk_main (); - - g_object_unref (factory); - - return EXIT_SUCCESS; -} -- cgit v1.2.3 From 526dbcddf5a3969a8714b49441e4dd62927837f3 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 16:55:03 +0200 Subject: Implement a timeout machinery for the auth client Similar to the one used in empathy-av.c --- src/empathy-auth-client.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 63 insertions(+), 1 deletion(-) diff --git a/src/empathy-auth-client.c b/src/empathy-auth-client.c index 45812e8e9..7546164d3 100644 --- a/src/empathy-auth-client.c +++ b/src/empathy-auth-client.c @@ -39,6 +39,47 @@ #include +#define TIMEOUT 60 + +static gboolean use_timer = TRUE; +static guint timeout_id = 0; +static guint num_windows = 0; + +static gboolean +timeout_cb (gpointer p) +{ + DEBUG ("Timeout reached; exiting..."); + + gtk_main_quit (); + return FALSE; +} + +static void +start_timer (void) +{ + if (!use_timer) + return; + + if (timeout_id != 0) + return; + + DEBUG ("Start timer"); + + timeout_id = g_timeout_add_seconds (TIMEOUT, timeout_cb, NULL); +} + +static void +stop_timer (void) +{ + if (timeout_id == 0) + return; + + DEBUG ("Stop timer"); + + g_source_remove (timeout_id); + timeout_id = 0; +} + static void tls_dialog_response_cb (GtkDialog *dialog, gint response_id, @@ -69,6 +110,14 @@ tls_dialog_response_cb (GtkDialog *dialog, empathy_tls_certificate_store_ca (certificate); g_object_unref (certificate); + + /* restart the timeout */ + num_windows--; + + if (num_windows > 0) + return; + + start_timer (); } static void @@ -78,6 +127,10 @@ display_interactive_dialog (EmpathyTLSCertificate *certificate, { GtkWidget *tls_dialog; + /* stop the timeout */ + num_windows++; + stop_timer (); + tls_dialog = empathy_tls_dialog_new (certificate, reason, details); g_signal_connect (tls_dialog, "response", G_CALLBACK (tls_dialog_response_cb), NULL); @@ -188,7 +241,16 @@ main (int argc, return EXIT_FAILURE; } - DEBUG ("Empathy auth client started."); + DEBUG ("Empathy auth client started."); + + if (g_getenv ("EMPATHY_PERSIST") != NULL) + { + DEBUG ("Timed-exit disabled"); + + use_timer = FALSE; + } + + start_timer (); gtk_main (); -- cgit v1.2.3 From 709119042e1c45e0aafb38659ac6ea7396c8aa0c Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 17:53:29 +0200 Subject: Add new files to POTFILES.in --- po/POTFILES.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/po/POTFILES.in b/po/POTFILES.in index 209c8e547..1381fc501 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -57,6 +57,7 @@ libempathy-gtk/empathy-theme-adium.c libempathy-gtk/empathy-theme-boxes.c libempathy-gtk/empathy-theme-irc.c libempathy-gtk/empathy-theme-manager.c +libempathy-gtk/empathy-tls-dialog.c libempathy-gtk/empathy-ui-utils.c libempathy-gtk/totem-subtitle-encoding.c @@ -67,6 +68,7 @@ src/empathy-about-dialog.c src/empathy-account-assistant.c src/empathy-accounts-dialog.c [type: gettext/glade]src/empathy-accounts-dialog.ui +src/empathy-auth-client.c src/empathy-auto-salut-account-helper.c src/empathy-av.c src/empathy-call-window.c -- cgit v1.2.3 From 460043daa52d76ffdc90b2f9cf6432b12c850a0f Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 17:53:42 +0200 Subject: Add new files to extensions/Makefile.am --- extensions/Makefile.am | 2 ++ 1 file changed, 2 insertions(+) diff --git a/extensions/Makefile.am b/extensions/Makefile.am index a60994b70..8f4c8e581 100644 --- a/extensions/Makefile.am +++ b/extensions/Makefile.am @@ -15,6 +15,8 @@ EXTRA_DIST = \ Debug.xml \ Channel_Interface_Conference.xml \ Logger.xml \ + Authentication_TLS_Certificate.xml \ + Channel_Type_Server_TLS_Connection.xml \ $(NULL) noinst_LTLIBRARIES = libemp-extensions.la -- cgit v1.2.3 From 37d64d2ec686d48a88db3f94b92e88df213b11b7 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 17:54:34 +0200 Subject: Remove whitespace --- libempathy/empathy-server-tls-handler.c | 2 +- libempathy/empathy-tls-certificate.c | 6 +++--- libempathy/empathy-tls-verifier.c | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/libempathy/empathy-server-tls-handler.c b/libempathy/empathy-server-tls-handler.c index a207dffcf..885a8ea25 100644 --- a/libempathy/empathy-server-tls-handler.c +++ b/libempathy/empathy-server-tls-handler.c @@ -270,6 +270,6 @@ empathy_server_tls_handler_get_certificate (EmpathyServerTLSHandler *self) EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self); g_assert (priv->certificate != NULL); - + return priv->certificate; } diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index d758b4c48..acdbcec93 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -82,7 +82,7 @@ tls_certificate_init_finish (GAsyncInitable *initable, if (g_simple_async_result_propagate_error (priv->async_init_res, error)) retval = FALSE; - return retval; + return retval; } static GType @@ -273,7 +273,7 @@ empathy_tls_certificate_class_init (EmpathyTLSCertificateClass *klass) oclass->get_property = empathy_tls_certificate_get_property; oclass->set_property = empathy_tls_certificate_set_property; oclass->finalize = empathy_tls_certificate_finalize; - + g_type_class_add_private (klass, sizeof (EmpathyTLSCertificatePriv)); pspec = g_param_spec_string ("object-path", "The object path", @@ -576,7 +576,7 @@ empathy_tls_certificate_store_ca (EmpathyTLSCertificate *self) goto out; } - + do { g_free (path); diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c index 01548b325..000c9a35b 100644 --- a/libempathy/empathy-tls-verifier.c +++ b/libempathy/empathy-tls-verifier.c @@ -203,7 +203,7 @@ complete_verification (EmpathyTLSVerifier *self) g_simple_async_result_complete_in_idle (priv->verify_result); - tp_clear_object (&priv->verify_result); + tp_clear_object (&priv->verify_result); } static void @@ -633,7 +633,7 @@ empathy_tls_verifier_constructed (GObject *object) EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (object); build_gnutls_cert_list (self); - + if (G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed != NULL) G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed (object); } -- cgit v1.2.3 From 6c3c7278e4d1716342d1d222891c33e98d829691 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 18:01:15 +0200 Subject: Use the hash table directly as a parameter to reject () Clients will have to fill it anyway --- libempathy/empathy-tls-certificate.c | 7 +------ libempathy/empathy-tls-certificate.h | 2 +- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index acdbcec93..bed01327c 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -457,11 +457,10 @@ empathy_tls_certificate_accept_finish (EmpathyTLSCertificate *self, void empathy_tls_certificate_reject_async (EmpathyTLSCertificate *self, EmpTLSCertificateRejectReason reason, - gboolean user_requested, + GHashTable *details, GAsyncReadyCallback callback, gpointer user_data) { - GHashTable *details; const gchar *dbus_error; GSimpleAsyncResult *reject_result; EmpathyTLSCertificatePriv *priv = GET_PRIV (self); @@ -471,16 +470,12 @@ empathy_tls_certificate_reject_async (EmpathyTLSCertificate *self, DEBUG ("Rejecting TLS certificate with reason %u", reason); dbus_error = reject_reason_get_dbus_error (reason); - details = tp_asv_new ("user-requested", G_TYPE_BOOLEAN, user_requested, - NULL); reject_result = g_simple_async_result_new (G_OBJECT (self), callback, user_data, empathy_tls_certificate_reject_async); emp_cli_authentication_tls_certificate_call_reject (priv->proxy, -1, reason, dbus_error, details, cert_proxy_reject_cb, reject_result, g_object_unref, G_OBJECT (self)); - - g_hash_table_unref (details); } gboolean diff --git a/libempathy/empathy-tls-certificate.h b/libempathy/empathy-tls-certificate.h index 3a606c602..7066e5119 100644 --- a/libempathy/empathy-tls-certificate.h +++ b/libempathy/empathy-tls-certificate.h @@ -75,7 +75,7 @@ gboolean empathy_tls_certificate_accept_finish (EmpathyTLSCertificate *self, void empathy_tls_certificate_reject_async (EmpathyTLSCertificate *self, EmpTLSCertificateRejectReason reason, - gboolean user_requested, + GHashTable *details, GAsyncReadyCallback callback, gpointer user_data); gboolean empathy_tls_certificate_reject_finish (EmpathyTLSCertificate *self, -- cgit v1.2.3 From d7d8916076c8dcca1b1d95f090444cc6e7a05cd6 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 18:01:45 +0200 Subject: Fill 'user-requested' when we reject the certificate --- src/empathy-auth-client.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/empathy-auth-client.c b/src/empathy-auth-client.c index 7546164d3..17b66a57d 100644 --- a/src/empathy-auth-client.c +++ b/src/empathy-auth-client.c @@ -87,6 +87,7 @@ tls_dialog_response_cb (GtkDialog *dialog, { EmpathyTLSCertificate *certificate = NULL; EmpTLSCertificateRejectReason reason = 0; + GHashTable *details = NULL; EmpathyTLSDialog *tls_dialog = EMPATHY_TLS_DIALOG (dialog); gboolean remember = FALSE; @@ -96,20 +97,27 @@ tls_dialog_response_cb (GtkDialog *dialog, "certificate", &certificate, "reason", &reason, "remember", &remember, + "details", &details, NULL); gtk_widget_destroy (GTK_WIDGET (dialog)); if (response_id == GTK_RESPONSE_YES) - empathy_tls_certificate_accept_async (certificate, NULL, NULL); + { + empathy_tls_certificate_accept_async (certificate, NULL, NULL); + } else - empathy_tls_certificate_reject_async (certificate, reason, TRUE, - NULL, NULL); + { + tp_asv_set_boolean (details, "user-requested", TRUE); + empathy_tls_certificate_reject_async (certificate, reason, details, + NULL, NULL); + } if (remember) empathy_tls_certificate_store_ca (certificate); g_object_unref (certificate); + g_hash_table_unref (details); /* restart the timeout */ num_windows--; -- cgit v1.2.3 From 61e8bd3c9fec6cef2aa65cdaef98a383f346dcf1 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 18:11:42 +0200 Subject: Use the hostname properties in the dialog --- libempathy-gtk/empathy-tls-dialog.c | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/libempathy-gtk/empathy-tls-dialog.c b/libempathy-gtk/empathy-tls-dialog.c index 9a2dfd6fc..bcfe92e65 100644 --- a/libempathy-gtk/empathy-tls-dialog.c +++ b/libempathy-gtk/empathy-tls-dialog.c @@ -135,12 +135,17 @@ empathy_tls_dialog_finalize (GObject *object) } static gchar * -reason_to_string (EmpTLSCertificateRejectReason reason) +reason_to_string (EmpathyTLSDialog *self) { GString *str; const gchar *reason_str; + EmpTLSCertificateRejectReason reason; + GHashTable *details; + EmpathyTLSDialogPriv *priv = GET_PRIV (self); str = g_string_new (NULL); + reason = priv->reason; + details = priv->details; g_string_append (str, _("The identity provided by the chat server cannot be " "verified.\n")); @@ -183,7 +188,27 @@ reason_to_string (EmpTLSCertificateRejectReason reason) break; } - g_string_append (str, reason_str); + g_string_append_printf (str, "%s.", reason_str); + + /* add more information in case of HOSTNAME_MISMATCH */ + if (reason == EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH) + { + const gchar *expected_hostname, *certificate_hostname; + + expected_hostname = tp_asv_get_string (details, "expected-hostname"); + certificate_hostname = tp_asv_get_string (details, + "certificate-hostname"); + + if (expected_hostname != NULL && certificate_hostname != NULL) + { + g_string_append (str, "\n"); + g_string_append_printf (str, _("Expected hostname: %s"), + expected_hostname); + g_string_append (str, "\n"); + g_string_append_printf (str, _("Certificate hostname: %s"), + certificate_hostname); + } + } return g_string_free (str, FALSE); } @@ -238,7 +263,7 @@ empathy_tls_dialog_constructed (GObject *object) _("Continue"), GTK_RESPONSE_YES, NULL); - text = reason_to_string (priv->reason); + text = reason_to_string (self); g_object_set (message_dialog, "text", _("This connection is untrusted, would you like to " -- cgit v1.2.3 From 5b7271c8f3c349637516c6b5bdb442aa9a480925 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 19:06:27 +0200 Subject: Add an usre_requested param to _account_get_error() --- libempathy/empathy-utils.c | 15 +++++++++++++-- libempathy/empathy-utils.h | 3 ++- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/libempathy/empathy-utils.c b/libempathy/empathy-utils.c index 4ab367b42..579870f80 100644 --- a/libempathy/empathy-utils.c +++ b/libempathy/empathy-utils.c @@ -396,13 +396,24 @@ empathy_dbus_error_name_get_default_message (const gchar *error) } const gchar * -empathy_account_get_error_message (TpAccount *account) +empathy_account_get_error_message (TpAccount *account, + gboolean *user_requested) { const gchar *dbus_error; const gchar *message; + const GHashTable *details = NULL; TpConnectionStatusReason reason; - dbus_error = tp_account_get_detailed_error (account, NULL); + dbus_error = tp_account_get_detailed_error (account, &details); + + if (user_requested != NULL) + { + if (tp_asv_get_boolean (details, "user-requested", NULL)) + *user_requested = TRUE; + else + *user_requested = FALSE; + } + message = empathy_dbus_error_name_get_default_message (dbus_error); if (message != NULL) return message; diff --git a/libempathy/empathy-utils.h b/libempathy/empathy-utils.h index 47b9b84ad..f588479b4 100644 --- a/libempathy/empathy-utils.h +++ b/libempathy/empathy-utils.h @@ -76,7 +76,8 @@ gboolean empathy_check_available_state (void); gint empathy_uint_compare (gconstpointer a, gconstpointer b); -const gchar * empathy_account_get_error_message (TpAccount *account); +const gchar * empathy_account_get_error_message (TpAccount *account, + gboolean *user_requested); gchar *empathy_protocol_icon_name (const gchar *protocol); const gchar *empathy_protocol_name_to_display_name (const gchar *proto_name); -- cgit v1.2.3 From 92aee43c95f51aa828c34c828c18c38a3e1fdcb6 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 19:06:59 +0200 Subject: Use new API in EmpathyAccountsDialog --- src/empathy-accounts-dialog.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/empathy-accounts-dialog.c b/src/empathy-accounts-dialog.c index c41763d90..c753a9f20 100644 --- a/src/empathy-accounts-dialog.c +++ b/src/empathy-accounts-dialog.c @@ -310,7 +310,7 @@ accounts_dialog_update_status_infobar (EmpathyAccountsDialog *dialog, gchar *message; message = g_strdup_printf (_("Offline — %s"), - empathy_account_get_error_message (account)); + empathy_account_get_error_message (account, NULL)); gtk_info_bar_set_message_type (GTK_INFO_BAR (priv->infobar), GTK_MESSAGE_WARNING); @@ -322,7 +322,7 @@ accounts_dialog_update_status_infobar (EmpathyAccountsDialog *dialog, gchar *message; message = g_strdup_printf (_("Disconnected — %s"), - empathy_account_get_error_message (account)); + empathy_account_get_error_message (account, NULL)); gtk_info_bar_set_message_type (GTK_INFO_BAR (priv->infobar), GTK_MESSAGE_ERROR); -- cgit v1.2.3 From ea19d00b74b36acc40115a3b48218ccc6af54d04 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 19:07:17 +0200 Subject: Don't show the error if user-requested is set --- src/empathy-main-window.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/empathy-main-window.c b/src/empathy-main-window.c index ff8bb5e98..0efa4a97d 100644 --- a/src/empathy-main-window.c +++ b/src/empathy-main-window.c @@ -475,10 +475,19 @@ main_window_error_display (EmpathyMainWindow *window, GtkWidget *action_table; gchar *str; const gchar *icon_name; + const gchar *error_message; + gboolean user_requested; + + error_message = + empathy_account_get_error_message (account, &user_requested); + + if (user_requested) { + return; + } str = g_markup_printf_escaped ("%s\n%s", tp_account_get_display_name (account), - empathy_account_get_error_message (account)); + error_message); info_bar = g_hash_table_lookup (priv->errors, account); if (info_bar) { -- cgit v1.2.3 From 4472cbd53db695b41146ec4c9345ee4ab3197b04 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 18 Aug 2010 19:28:25 +0200 Subject: Use _complete instead of _complete_in_idle() --- libempathy/empathy-tls-certificate.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index bed01327c..a03fa809f 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -114,7 +114,7 @@ tls_certificate_got_all_cb (TpProxy *proxy, if (error != NULL) { g_simple_async_result_set_from_error (priv->async_init_res, error); - g_simple_async_result_complete_in_idle (priv->async_init_res); + g_simple_async_result_complete (priv->async_init_res); g_object_unref (priv->async_init_res); @@ -133,7 +133,7 @@ tls_certificate_got_all_cb (TpProxy *proxy, DEBUG ("Got a certificate chain long %u, of type %s", priv->cert_data->len, priv->cert_type); - g_simple_async_result_complete_in_idle (priv->async_init_res); + g_simple_async_result_complete (priv->async_init_res); g_object_unref (priv->async_init_res); } -- cgit v1.2.3 From 1426cd161d371c161e1e6e66ed7b66a163d5bdaa Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Tue, 24 Aug 2010 11:53:11 +0200 Subject: Make EmpathyTLSCertificate a TpProxy subclass --- libempathy/empathy-tls-certificate.c | 201 ++++++++++------------------------- libempathy/empathy-tls-certificate.h | 16 ++- 2 files changed, 65 insertions(+), 152 deletions(-) diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index a03fa809f..9b8e5ae15 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -29,7 +29,7 @@ #include #include -#include +#include #define DEBUG_FLAG EMPATHY_DEBUG_TLS #include "empathy-debug.h" @@ -37,26 +37,16 @@ #include "extensions/extensions.h" -static void async_initable_iface_init (GAsyncInitableIface *iface); - enum { - PROP_OBJECT_PATH = 1, - PROP_BUS_NAME, - /* proxy properties */ - PROP_CERT_TYPE, + PROP_CERT_TYPE = 1, PROP_CERT_DATA, PROP_STATE, LAST_PROPERTY, }; typedef struct { - gchar *object_path; - gchar *bus_name; - - TpProxy *proxy; - - GSimpleAsyncResult *async_init_res; + GSimpleAsyncResult *async_prepare_res; /* TLSCertificate properties */ gchar *cert_type; @@ -64,27 +54,11 @@ typedef struct { EmpTLSCertificateState state; } EmpathyTLSCertificatePriv; -G_DEFINE_TYPE_WITH_CODE (EmpathyTLSCertificate, empathy_tls_certificate, - G_TYPE_OBJECT, - G_IMPLEMENT_INTERFACE (G_TYPE_ASYNC_INITABLE, async_initable_iface_init)); +G_DEFINE_TYPE (EmpathyTLSCertificate, empathy_tls_certificate, + TP_TYPE_PROXY); #define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSCertificate); -static gboolean -tls_certificate_init_finish (GAsyncInitable *initable, - GAsyncResult *res, - GError **error) -{ - gboolean retval = TRUE; - EmpathyTLSCertificate *self = EMPATHY_TLS_CERTIFICATE (initable); - EmpathyTLSCertificatePriv *priv = GET_PRIV (self); - - if (g_simple_async_result_propagate_error (priv->async_init_res, error)) - retval = FALSE; - - return retval; -} - static GType array_of_ay_get_type (void) { @@ -113,10 +87,9 @@ tls_certificate_got_all_cb (TpProxy *proxy, if (error != NULL) { - g_simple_async_result_set_from_error (priv->async_init_res, error); - g_simple_async_result_complete (priv->async_init_res); - - g_object_unref (priv->async_init_res); + g_simple_async_result_set_from_error (priv->async_prepare_res, error); + g_simple_async_result_complete (priv->async_prepare_res); + tp_clear_object (&priv->async_prepare_res); return; } @@ -133,63 +106,39 @@ tls_certificate_got_all_cb (TpProxy *proxy, DEBUG ("Got a certificate chain long %u, of type %s", priv->cert_data->len, priv->cert_type); - g_simple_async_result_complete (priv->async_init_res); - g_object_unref (priv->async_init_res); + g_simple_async_result_complete (priv->async_prepare_res); + tp_clear_object (&priv->async_prepare_res); } -static void -tls_certificate_init_async (GAsyncInitable *initable, - gint io_priority, - GCancellable *cancellable, +void +empathy_tls_certificate_prepare_async (EmpathyTLSCertificate *self, GAsyncReadyCallback callback, gpointer user_data) { - TpDBusDaemon *dbus; - GError *error = NULL; - EmpathyTLSCertificate *self = EMPATHY_TLS_CERTIFICATE (initable); EmpathyTLSCertificatePriv *priv = GET_PRIV (self); - g_assert (priv->object_path != NULL); - g_assert (priv->bus_name != NULL); - - priv->async_init_res = g_simple_async_result_new (G_OBJECT (self), - callback, user_data, empathy_tls_certificate_new_async); - dbus = tp_dbus_daemon_dup (&error); - - if (error != NULL) - { - g_simple_async_result_set_from_error (priv->async_init_res, error); - g_simple_async_result_complete_in_idle (priv->async_init_res); - - g_error_free (error); - g_object_unref (priv->async_init_res); - return; - } - - DEBUG ("Creating a proxy for object at path %s, owned by %s", - priv->object_path, priv->bus_name); - - priv->proxy = g_object_new (TP_TYPE_PROXY, - "object-path", priv->object_path, - "bus-name", priv->bus_name, - "dbus-daemon", dbus, NULL); - - tp_proxy_add_interface_by_id (priv->proxy, - EMP_IFACE_QUARK_AUTHENTICATION_TLS_CERTIFICATE); + priv->async_prepare_res = g_simple_async_result_new (G_OBJECT (self), + callback, user_data, empathy_tls_certificate_prepare_async); /* call GetAll() on the certificate */ - tp_cli_dbus_properties_call_get_all (priv->proxy, + tp_cli_dbus_properties_call_get_all (self, -1, EMP_IFACE_AUTHENTICATION_TLS_CERTIFICATE, - tls_certificate_got_all_cb, NULL, NULL, G_OBJECT (self)); - - g_object_unref (dbus); + tls_certificate_got_all_cb, NULL, NULL, + G_OBJECT (self)); } -static void -async_initable_iface_init (GAsyncInitableIface *iface) +gboolean +empathy_tls_certificate_prepare_finish (EmpathyTLSCertificate *self, + GAsyncResult *result, + GError **error) { - iface->init_async = tls_certificate_init_async; - iface->init_finish = tls_certificate_init_finish; + gboolean retval = TRUE; + + if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), + error)) + retval = FALSE; + + return retval; } static void @@ -214,12 +163,6 @@ empathy_tls_certificate_get_property (GObject *object, switch (property_id) { - case PROP_OBJECT_PATH: - g_value_set_string (value, priv->object_path); - break; - case PROP_BUS_NAME: - g_value_set_string (value, priv->bus_name); - break; case PROP_CERT_TYPE: g_value_set_string (value, priv->cert_type); break; @@ -235,28 +178,6 @@ empathy_tls_certificate_get_property (GObject *object, } } -static void -empathy_tls_certificate_set_property (GObject *object, - guint property_id, - const GValue *value, - GParamSpec *pspec) -{ - EmpathyTLSCertificatePriv *priv = GET_PRIV (object); - - switch (property_id) - { - case PROP_OBJECT_PATH: - priv->object_path = g_value_dup_string (value); - break; - case PROP_BUS_NAME: - priv->bus_name = g_value_dup_string (value); - break; - default: - G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); - break; - } -} - static void empathy_tls_certificate_init (EmpathyTLSCertificate *self) { @@ -269,24 +190,15 @@ empathy_tls_certificate_class_init (EmpathyTLSCertificateClass *klass) { GParamSpec *pspec; GObjectClass *oclass = G_OBJECT_CLASS (klass); + TpProxyClass *pclass = TP_PROXY_CLASS (klass); oclass->get_property = empathy_tls_certificate_get_property; - oclass->set_property = empathy_tls_certificate_set_property; oclass->finalize = empathy_tls_certificate_finalize; - g_type_class_add_private (klass, sizeof (EmpathyTLSCertificatePriv)); - - pspec = g_param_spec_string ("object-path", "The object path", - "The path on the bus where the object we proxy is living.", - NULL, - G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS); - g_object_class_install_property (oclass, PROP_OBJECT_PATH, pspec); + pclass->interface = EMP_IFACE_QUARK_AUTHENTICATION_TLS_CERTIFICATE; + pclass->must_have_unique_name = TRUE; - pspec = g_param_spec_string ("bus-name", "The bus name", - "The bus name owning this certificate.", - NULL, - G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS); - g_object_class_install_property (oclass, PROP_BUS_NAME, pspec); + g_type_class_add_private (klass, sizeof (EmpathyTLSCertificatePriv)); pspec = g_param_spec_string ("cert-type", "Certificate type", "The type of this certificate.", @@ -389,36 +301,33 @@ reject_reason_get_dbus_error (EmpTLSCertificateRejectReason reason) return retval; } -void -empathy_tls_certificate_new_async (const gchar *bus_name, +EmpathyTLSCertificate * +empathy_tls_certificate_new (TpDBusDaemon *dbus, + const gchar *bus_name, const gchar *object_path, - GAsyncReadyCallback callback, - gpointer user_data) + GError **error) { - g_assert (object_path != NULL); + EmpathyTLSCertificate *retval = NULL; - g_async_initable_new_async (EMPATHY_TYPE_TLS_CERTIFICATE, - G_PRIORITY_DEFAULT, NULL, callback, user_data, - "bus-name", bus_name, - "object-path", object_path, NULL); -} + if (!tp_dbus_check_valid_bus_name (bus_name, + TP_DBUS_NAME_TYPE_UNIQUE, error)) + goto finally; -EmpathyTLSCertificate * -empathy_tls_certificate_new_finish (GAsyncResult *res, - GError **error) -{ - GObject *object, *source_object; + if (!tp_dbus_check_valid_object_path (object_path, error)) + goto finally; - source_object = g_async_result_get_source_object (res); + retval = g_object_new (EMPATHY_TYPE_TLS_CERTIFICATE, + "dbus-daemon", dbus, + "bus-name", bus_name, + "object-path", object_path, + NULL); - object = g_async_initable_new_finish (G_ASYNC_INITABLE (source_object), - res, error); - g_object_unref (source_object); +finally: + if (*error != NULL) + DEBUG ("Error while creating the TLS certificate: %s", + (*error)->message); - if (object != NULL) - return EMPATHY_TLS_CERTIFICATE (object); - else - return NULL; + return retval; } void @@ -427,7 +336,6 @@ empathy_tls_certificate_accept_async (EmpathyTLSCertificate *self, gpointer user_data) { GSimpleAsyncResult *accept_result; - EmpathyTLSCertificatePriv *priv = GET_PRIV (self); g_assert (EMPATHY_IS_TLS_CERTIFICATE (self)); @@ -436,7 +344,7 @@ empathy_tls_certificate_accept_async (EmpathyTLSCertificate *self, accept_result = g_simple_async_result_new (G_OBJECT (self), callback, user_data, empathy_tls_certificate_accept_async); - emp_cli_authentication_tls_certificate_call_accept (priv->proxy, + emp_cli_authentication_tls_certificate_call_accept (TP_PROXY (self), -1, cert_proxy_accept_cb, accept_result, g_object_unref, G_OBJECT (self)); @@ -463,7 +371,6 @@ empathy_tls_certificate_reject_async (EmpathyTLSCertificate *self, { const gchar *dbus_error; GSimpleAsyncResult *reject_result; - EmpathyTLSCertificatePriv *priv = GET_PRIV (self); g_assert (EMPATHY_IS_TLS_CERTIFICATE (self)); @@ -473,7 +380,7 @@ empathy_tls_certificate_reject_async (EmpathyTLSCertificate *self, reject_result = g_simple_async_result_new (G_OBJECT (self), callback, user_data, empathy_tls_certificate_reject_async); - emp_cli_authentication_tls_certificate_call_reject (priv->proxy, + emp_cli_authentication_tls_certificate_call_reject (TP_PROXY (self), -1, reason, dbus_error, details, cert_proxy_reject_cb, reject_result, g_object_unref, G_OBJECT (self)); } diff --git a/libempathy/empathy-tls-certificate.h b/libempathy/empathy-tls-certificate.h index 7066e5119..d9dd07d44 100644 --- a/libempathy/empathy-tls-certificate.h +++ b/libempathy/empathy-tls-certificate.h @@ -24,6 +24,8 @@ #include #include +#include + #include G_BEGIN_DECLS @@ -32,11 +34,11 @@ typedef struct _EmpathyTLSCertificate EmpathyTLSCertificate; typedef struct _EmpathyTLSCertificateClass EmpathyTLSCertificateClass; struct _EmpathyTLSCertificateClass { - GObjectClass parent_class; + TpProxyClass parent_class; }; struct _EmpathyTLSCertificate { - GObject parent; + TpProxy parent; gpointer priv; }; @@ -58,12 +60,16 @@ GType empathy_tls_certificate_get_type (void); (G_TYPE_INSTANCE_GET_CLASS ((obj), EMPATHY_TYPE_TLS_CERTIFICATE, \ EmpathyTLSCertificateClass)) -void empathy_tls_certificate_new_async (const gchar *bus_name, +EmpathyTLSCertificate * empathy_tls_certificate_new (TpDBusDaemon *dbus, + const gchar *bus_name, const gchar *object_path, + GError **error); + +void empathy_tls_certificate_prepare_async (EmpathyTLSCertificate *self, GAsyncReadyCallback callback, gpointer user_data); - -EmpathyTLSCertificate * empathy_tls_certificate_new_finish (GAsyncResult * res, +gboolean empathy_tls_certificate_prepare_finish (EmpathyTLSCertificate *self, + GAsyncResult *result, GError **error); void empathy_tls_certificate_accept_async (EmpathyTLSCertificate *self, -- cgit v1.2.3 From b76f9bf45aca489bfe40c333a048be513410f36c Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Tue, 24 Aug 2010 11:53:59 +0200 Subject: Use new certificate API in EmpathyServerTLSHandler --- libempathy/empathy-server-tls-handler.c | 43 ++++++++++++++++++++++----------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/libempathy/empathy-server-tls-handler.c b/libempathy/empathy-server-tls-handler.c index 885a8ea25..6180fefea 100644 --- a/libempathy/empathy-server-tls-handler.c +++ b/libempathy/empathy-server-tls-handler.c @@ -54,29 +54,25 @@ G_DEFINE_TYPE_WITH_CODE (EmpathyServerTLSHandler, empathy_server_tls_handler, #define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyServerTLSHandler); static void -tls_certificate_constructed_cb (GObject *source, +tls_certificate_prepared_cb (GObject *source, GAsyncResult *result, gpointer user_data) { - EmpathyTLSCertificate *certificate; + EmpathyTLSCertificate *certificate = EMPATHY_TLS_CERTIFICATE (source); EmpathyServerTLSHandler *self = user_data; GError *error = NULL; EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self); - certificate = empathy_tls_certificate_new_finish (result, &error); + empathy_tls_certificate_prepare_finish (certificate, result, &error); if (error != NULL) { g_simple_async_result_set_from_error (priv->async_init_res, error); g_error_free (error); } - else - { - priv->certificate = certificate; - } g_simple_async_result_complete_in_idle (priv->async_init_res); - g_object_unref (priv->async_init_res); + tp_clear_object (&priv->async_init_res); } static gboolean @@ -85,10 +81,9 @@ tls_handler_init_finish (GAsyncInitable *initable, GError **error) { gboolean retval = TRUE; - EmpathyServerTLSHandler *self = EMPATHY_SERVER_TLS_HANDLER (initable); - EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self); - if (g_simple_async_result_propagate_error (priv->async_init_res, error)) + if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res), + error)) retval = FALSE; return retval; @@ -105,13 +100,15 @@ tls_handler_init_async (GAsyncInitable *initable, const gchar *cert_object_path; const gchar *hostname; const gchar *bus_name; + TpDBusDaemon *dbus; + GError *error = NULL; EmpathyServerTLSHandler *self = EMPATHY_SERVER_TLS_HANDLER (initable); EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self); g_assert (priv->channel != NULL); priv->async_init_res = g_simple_async_result_new (G_OBJECT (self), - callback, user_data, empathy_tls_certificate_new_async); + callback, user_data, empathy_server_tls_handler_new_async); properties = tp_channel_borrow_immutable_properties (priv->channel); hostname = tp_asv_get_string (properties, @@ -123,12 +120,30 @@ tls_handler_init_async (GAsyncInitable *initable, cert_object_path = tp_asv_get_object_path (properties, EMP_IFACE_CHANNEL_TYPE_SERVER_TLS_CONNECTION ".ServerCertificate"); bus_name = tp_proxy_get_bus_name (TP_PROXY (priv->channel)); + dbus = tp_proxy_get_dbus_daemon (TP_PROXY (priv->channel)); DEBUG ("Creating an EmpathyTLSCertificate for path %s, bus name %s", cert_object_path, bus_name); - empathy_tls_certificate_new_async (bus_name, cert_object_path, - tls_certificate_constructed_cb, self); + priv->certificate = empathy_tls_certificate_new (dbus, bus_name, + cert_object_path, &error); + + if (error != NULL) + { + DEBUG ("Unable to create the EmpathyTLSCertificate: error %s", + error->message); + + g_simple_async_result_set_from_error (priv->async_init_res, error); + g_simple_async_result_complete_in_idle (priv->async_init_res); + + g_error_free (error); + tp_clear_object (&priv->async_init_res); + + return; + } + + empathy_tls_certificate_prepare_async (priv->certificate, + tls_certificate_prepared_cb, self); } static void -- cgit v1.2.3 From 76d38803e7992e50333c1054c48bb789ff63c699 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Tue, 24 Aug 2010 11:54:17 +0200 Subject: Don't leak certificate data --- libempathy/empathy-tls-certificate.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index 9b8e5ae15..00ff4d547 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -148,7 +148,8 @@ empathy_tls_certificate_finalize (GObject *object) DEBUG ("%p", object); - g_free (priv->object_path); + g_free (priv->cert_type); + tp_clear_boxed (array_of_ay_get_type (), &priv->cert_data); G_OBJECT_CLASS (empathy_tls_certificate_parent_class)->finalize (object); } -- cgit v1.2.3 From dc73f3d3e51958edaf3b0508c4205c387e735547 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Tue, 24 Aug 2010 15:20:06 +0200 Subject: Properly handle corner cases of _prepare_async() called twice - If it's called twice before the first call returned, emit an error. - If it's called twice on an already-prepared object, just successfully return. --- libempathy/empathy-tls-certificate.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index 00ff4d547..acb94c79d 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -52,6 +52,8 @@ typedef struct { gchar *cert_type; GPtrArray *cert_data; EmpTLSCertificateState state; + + gboolean is_prepared; } EmpathyTLSCertificatePriv; G_DEFINE_TYPE (EmpathyTLSCertificate, empathy_tls_certificate, @@ -106,6 +108,8 @@ tls_certificate_got_all_cb (TpProxy *proxy, DEBUG ("Got a certificate chain long %u, of type %s", priv->cert_data->len, priv->cert_type); + priv->is_prepared = TRUE; + g_simple_async_result_complete (priv->async_prepare_res); tp_clear_object (&priv->async_prepare_res); } @@ -117,6 +121,28 @@ empathy_tls_certificate_prepare_async (EmpathyTLSCertificate *self, { EmpathyTLSCertificatePriv *priv = GET_PRIV (self); + /* emit an error if we're already preparing the object */ + if (priv->async_prepare_res != NULL) + { + g_simple_async_report_error_in_idle (G_OBJECT (self), + callback, user_data, + G_IO_ERROR, G_IO_ERROR_PENDING, + "%s", + "Prepare operation already in progress on the TLS certificate."); + + return; + } + + + /* if the object is already prepared, just complete in idle */ + if (priv->is_prepared) + { + tp_simple_async_report_success_in_idle (G_OBJECT (self), + callback, user_data, empathy_tls_certificate_prepare_async); + + return; + } + priv->async_prepare_res = g_simple_async_result_new (G_OBJECT (self), callback, user_data, empathy_tls_certificate_prepare_async); -- cgit v1.2.3