From 6a16791dc335fed6706352e1612893f312a80a3f Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Wed, 11 Aug 2010 18:33:08 +0200 Subject: Add EmpathyTLSVerifier This also introduces a dependency on GnuTLS --- libempathy/empathy-tls-verifier.c | 558 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 558 insertions(+) create mode 100644 libempathy/empathy-tls-verifier.c (limited to 'libempathy/empathy-tls-verifier.c') diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c new file mode 100644 index 000000000..55688f99c --- /dev/null +++ b/libempathy/empathy-tls-verifier.c @@ -0,0 +1,558 @@ +/* + * empathy-tls-verifier.c - Source for EmpathyTLSVerifier + * Copyright (C) 2010 Collabora Ltd. + * @author Cosimo Cecchi + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include + +#include +#include + +#include + +#include "empathy-tls-verifier.h" + +#define DEBUG_FLAG EMPATHY_DEBUG_TLS +#include "empathy-debug.h" +#include "empathy-utils.h" + +G_DEFINE_TYPE (EmpathyTLSVerifier, empathy_tls_verifier, + G_TYPE_OBJECT) + +#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSVerifier); + +enum { + PROP_TLS_CERTIFICATE = 1, + PROP_HOSTNAME, + + LAST_PROPERTY, +}; + +static const gchar* system_ca_paths[] = { + "/etc/ssl/certs/ca-certificates.crt", + NULL, +}; + +typedef struct { + GPtrArray *cert_chain; + + GPtrArray *trusted_ca_list; + GPtrArray *trusted_crl_list; + + EmpathyTLSCertificate *certificate; + gchar *hostname; + + GSimpleAsyncResult *verify_result; + + gboolean dispose_run; +} EmpathyTLSVerifierPriv; + +static gnutls_x509_crt_t * +ptr_array_to_x509_crt_list (GPtrArray *chain) +{ + gnutls_x509_crt_t *retval; + gint idx; + + retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * chain->len); + + for (idx = 0; idx < (gint) chain->len; idx++) + retval[idx] = g_ptr_array_index (chain, idx); + + return retval; +} + +static gboolean +verification_output_to_reason (gint res, + guint verify_output, + EmpTLSCertificateRejectReason *reason) +{ + gboolean retval = TRUE; + + if (res != GNUTLS_E_SUCCESS) + { + retval = FALSE; + + /* the certificate is not structurally valid */ + switch (res) + { + case GNUTLS_E_INSUFFICIENT_CREDENTIALS: + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED; + break; + case GNUTLS_E_CONSTRAINT_ERROR: + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED; + break; + default: + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + break; + } + + goto out; + } + + /* the certificate is structurally valid, check for other errors. */ + if (verify_output & GNUTLS_CERT_INVALID) + { + retval = FALSE; + + if (verify_output & GNUTLS_CERT_SIGNER_NOT_FOUND) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED; + else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED; + else if (verify_output & GNUTLS_CERT_INSECURE_ALGORITHM) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE; + else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED; + else if (verify_output & GNUTLS_CERT_EXPIRED) + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED; + else + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + + goto out; + } + + out: + return retval; +} + +static gboolean +verify_last_certificate (EmpathyTLSVerifier *self, + gnutls_x509_crt_t cert, + EmpTLSCertificateRejectReason *reason) +{ + guint verify_output; + gint res; + gnutls_x509_crt_t *trusted_ca_list; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list); + res = gnutls_x509_crt_verify (cert, trusted_ca_list, + priv->trusted_ca_list->len, 0, &verify_output); + + g_free (trusted_ca_list); + + return verification_output_to_reason (res, verify_output, reason); +} + +static gboolean +verify_certificate (EmpathyTLSVerifier *self, + gnutls_x509_crt_t cert, + gnutls_x509_crt_t issuer, + EmpTLSCertificateRejectReason *reason) +{ + guint verify_output; + gint res; + + res = gnutls_x509_crt_verify (cert, &issuer, 1, 0, &verify_output); + + return verification_output_to_reason (res, verify_output, reason); +} + +static void +complete_verification (EmpathyTLSVerifier *self) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + DEBUG ("Verification successful, completing..."); + + g_simple_async_result_complete_in_idle (priv->verify_result); + + tp_clear_object (&priv->verify_result); +} + +static void +abort_verification (EmpathyTLSVerifier *self, + EmpTLSCertificateRejectReason reason) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + DEBUG ("Verification error %u, aborting...", reason); + + g_simple_async_result_set_error (priv->verify_result, + G_IO_ERROR, reason, "TLS verification failed with reason %u", + reason); + g_simple_async_result_complete_in_idle (priv->verify_result); + + tp_clear_object (&priv->verify_result); +} + +static void +real_start_verification (EmpathyTLSVerifier *self) +{ + gnutls_x509_crt_t last_cert; + gint idx; + gboolean res = FALSE; + gint num_certs; + EmpTLSCertificateRejectReason reason = + EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + num_certs = priv->cert_chain->len; + + DEBUG ("Starting verification"); + + if (priv->trusted_ca_list->len > 0) + { + /* if the last certificate is self-signed, ignore it, as we want to check + * the chain against our trusted CA list first. + */ + last_cert = g_ptr_array_index (priv->cert_chain, num_certs - 1); + + if (gnutls_x509_crt_check_issuer (last_cert, last_cert) > 0) + num_certs--; + } + + for (idx = 1; idx < num_certs; idx++) + { + res = verify_certificate (self, + g_ptr_array_index (priv->cert_chain, idx -1), + g_ptr_array_index (priv->cert_chain, idx), + &reason); + + DEBUG ("Certificate verification %d gave result %d with reason %u", idx, + res, reason); + + if (!res) + { + abort_verification (self, reason); + return; + } + } + + if (priv->trusted_ca_list->len > 0) + { + res = verify_last_certificate (self, + g_ptr_array_index (priv->cert_chain, num_certs), + &reason); + } + + if (!res) + { + abort_verification (self, reason); + return; + } + + complete_verification (self); +} + +static gboolean +start_verification (gpointer user_data) +{ + EmpathyTLSVerifier *self = user_data; + + real_start_verification (self); + + return FALSE; +} + +static void +build_gnutls_cert_list (EmpathyTLSVerifier *self) +{ + guint num_certs; + guint idx; + GPtrArray *certificate_data = NULL; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + g_object_get (priv->certificate, + "cert-data", &certificate_data, + NULL); + num_certs = certificate_data->len; + + priv->cert_chain = g_ptr_array_sized_new (num_certs); + + for (idx = 0; idx < num_certs; idx++) + { + gnutls_x509_crt_t cert; + GArray *one_cert; + gnutls_datum_t datum = { NULL, 0 }; + + one_cert = g_ptr_array_index (certificate_data, idx); + datum.data = (guchar *) one_cert->data; + datum.size = one_cert->len; + + gnutls_x509_crt_init (&cert); + gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER); + + g_ptr_array_add (priv->cert_chain, cert); + } +} + +static gint +get_number_and_type_of_certificates (gnutls_datum_t *datum, + gnutls_x509_crt_fmt_t *format) +{ + gnutls_x509_crt_t fake; + gint retval = 1; + gint res; + + res = gnutls_x509_crt_list_import (&fake, (guint *) &retval, datum, + GNUTLS_X509_FMT_PEM, 0); + + if (res == GNUTLS_E_SHORT_MEMORY_BUFFER || res > 0) + { + *format = GNUTLS_X509_FMT_PEM; + return retval; + } + + /* try DER */ + res = gnutls_x509_crt_list_import (&fake, (guint *) &retval, datum, + GNUTLS_X509_FMT_DER, 0); + + if (res > 0) + { + *format = GNUTLS_X509_FMT_DER; + return retval; + } + + return res; +} + +static gboolean +build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job, + GCancellable *cancellable, + gpointer user_data) +{ + gint idx; + EmpathyTLSVerifier *self = user_data; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + priv->trusted_ca_list = g_ptr_array_new (); + + for (idx = 0; idx < (gint) G_N_ELEMENTS (system_ca_paths) - 1; idx++) + { + const gchar *path; + gchar *contents = NULL; + gsize length = 0; + gint res, n_certs; + gnutls_x509_crt_t *cert_list; + gnutls_datum_t datum = { NULL, 0 }; + gnutls_x509_crt_fmt_t format = 0; + GError *error = NULL; + + path = system_ca_paths[idx]; + g_file_get_contents (path, &contents, &length, &error); + + if (error != NULL) + { + DEBUG ("Unable to read system CAs from path %s", path); + g_error_free (error); + continue; + } + + datum.data = (guchar *) contents; + datum.size = length; + n_certs = get_number_and_type_of_certificates (&datum, &format); + + if (n_certs < 0) + { + DEBUG ("Unable to parse the system CAs from path %s: GnuTLS " + "returned error %d", path, n_certs); + + g_free (contents); + continue; + } + + cert_list = g_malloc0 (sizeof (gnutls_x509_crt_t) * n_certs); + res = gnutls_x509_crt_list_import (cert_list, (guint *) &n_certs, &datum, + format, 0); + + if (res < 0) + { + DEBUG ("Unable to import system CAs from path %s; " + "GnuTLS returned error %d", path, res); + + g_free (contents); + continue; + } + + DEBUG ("Successfully imported %d system CA certificates from path %s", + n_certs, path); + + /* append the newly created cert structutes into the global GPtrArray */ + for (idx = 0; idx < n_certs; idx++) + g_ptr_array_add (priv->trusted_ca_list, cert_list[idx]); + + g_free (contents); + } + + /* TODO: do the CRL too */ + + g_io_scheduler_job_send_to_mainloop_async (job, + start_verification, self, NULL); + + return FALSE; +} + +static void +empathy_tls_verifier_get_property (GObject *object, + guint property_id, + GValue *value, + GParamSpec *pspec) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_TLS_CERTIFICATE: + g_value_set_object (value, priv->certificate); + break; + case PROP_HOSTNAME: + g_value_set_string (value, priv->hostname); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_tls_verifier_set_property (GObject *object, + guint property_id, + const GValue *value, + GParamSpec *pspec) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + switch (property_id) + { + case PROP_TLS_CERTIFICATE: + priv->certificate = g_value_dup_object (value); + break; + case PROP_HOSTNAME: + priv->hostname = g_value_dup_string (value); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); + break; + } +} + +static void +empathy_tls_verifier_dispose (GObject *object) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + if (priv->dispose_run) + return; + + priv->dispose_run = TRUE; + + tp_clear_object (&priv->certificate); + + G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->dispose (object); +} + +static void +empathy_tls_verifier_finalize (GObject *object) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (object); + + DEBUG ("%p", object); + + g_free (priv->hostname); + + G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object); +} + +static void +empathy_tls_verifier_constructed (GObject *object) +{ + EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (object); + + build_gnutls_cert_list (self); + + if (G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed != NULL) + G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed (object); +} + +static void +empathy_tls_verifier_init (EmpathyTLSVerifier *self) +{ + self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self, + EMPATHY_TYPE_TLS_VERIFIER, EmpathyTLSVerifierPriv); +} + +static void +empathy_tls_verifier_class_init (EmpathyTLSVerifierClass *klass) +{ + GParamSpec *pspec; + GObjectClass *oclass = G_OBJECT_CLASS (klass); + + g_type_class_add_private (klass, sizeof (EmpathyTLSVerifierPriv)); + + oclass->set_property = empathy_tls_verifier_set_property; + oclass->get_property = empathy_tls_verifier_get_property; + oclass->finalize = empathy_tls_verifier_finalize; + oclass->dispose = empathy_tls_verifier_dispose; + oclass->constructed = empathy_tls_verifier_constructed; + + pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate", + "The EmpathyTLSCertificate to be verified.", + EMPATHY_TYPE_TLS_CERTIFICATE, + G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec); + + pspec = g_param_spec_string ("hostname", "The hostname", + "The hostname which should be certified by the certificate.", + NULL, + G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS); + g_object_class_install_property (oclass, PROP_HOSTNAME, pspec); +} + +EmpathyTLSVerifier * +empathy_tls_verifier_new (EmpathyTLSCertificate *certificate, + const gchar *hostname) +{ + g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate)); + g_assert (hostname != NULL); + + return g_object_new (EMPATHY_TYPE_TLS_VERIFIER, + "certificate", certificate, + "hostname", hostname, + NULL); +} + +void +empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self, + GAsyncReadyCallback callback, + gpointer user_data) +{ + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + priv->verify_result = g_simple_async_result_new (G_OBJECT (self), + callback, user_data, NULL); + + g_io_scheduler_push_job (build_gnutls_ca_and_crl_lists, + self, NULL, G_PRIORITY_DEFAULT, NULL); +} + +gboolean +empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self, + GAsyncResult *res, + EmpTLSCertificateRejectReason *reason, + GError **error) +{ + if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res), + error)) + { + *reason = (*error)->code; + return FALSE; + } + + *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN; + return TRUE; +} -- cgit v1.2.3