static size_t
ssl_gnutls_write(PurpleSslConnection *gsc, const void *data, size_t len)
{
PurpleSslGnutlsData *gnutls_data = PURPLE_SSL_GNUTLS_DATA(gsc);
ssize_t s = 0;
/* XXX: when will gnutls_data be NULL? */
if(gnutls_data)
s = gnutls_record_send(gnutls_data->session, data, len);
if(s == GNUTLS_E_AGAIN || s == GNUTLS_E_INTERRUPTED) {
s = -1;
errno = EAGAIN;
} else if(s < 0) {
purple_debug_error("gnutls", "send failed: %s\n",
gnutls_strerror(s));
s = -1;
/*
* TODO: Set errno to something more appropriate. Or even
* better: allow ssl plugins to keep track of their
* own error message, then add a new ssl_ops function
* that returns the error message.
*/
errno = EIO;
}
return s;
}
static gboolean
start_handshake_cb(gpointer data)
{
PurpleSslConnection *gsc = data;
PurpleSslGnutlsData *gnutls_data = PURPLE_SSL_GNUTLS_DATA(gsc);
purple_debug_info("gnutls", "Starting handshake with %s\n", gsc->host);
gnutls_data->handshake_timer = 0;
ssl_gnutls_handshake_cb(gsc, gsc->fd, PURPLE_INPUT_READ);
return FALSE;
}
static GList *
ssl_gnutls_get_peer_certificates(PurpleSslConnection * gsc)
{
PurpleSslGnutlsData *gnutls_data = PURPLE_SSL_GNUTLS_DATA(gsc);
PurpleCertificate *prvcrt = NULL;
/* List of Certificate instances to return */
GList * peer_certs = NULL;
/* List of raw certificates as given by GnuTLS */
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
unsigned int i;
/* This should never, ever happen. */
g_return_val_if_fail( gnutls_certificate_type_get (gnutls_data->session) == GNUTLS_CRT_X509, NULL);
/* Get the certificate list from GnuTLS */
/* TODO: I am _pretty sure_ this doesn't block or do other exciting things */
cert_list = gnutls_certificate_get_peers(gnutls_data->session,
&cert_list_size);
/* Convert each certificate to a Certificate and append it to the list */
for (i = 0; i < cert_list_size; i++) {
PurpleCertificate * newcrt = x509_import_from_datum(cert_list[i],
GNUTLS_X509_FMT_DER);
/* Append is somewhat inefficient on linked lists, but is easy
to read. If someone complains, I'll change it.
TODO: Is anyone complaining? (Maybe elb?) */
/* only append if previous cert was actually signed by this one.
* Thanks Microsoft. */
if ((prvcrt == NULL) || x509_certificate_signed_by(prvcrt, newcrt)) {
peer_certs = g_list_append(peer_certs, newcrt);
prvcrt = newcrt;
} else {
x509_destroy_certificate(newcrt);
purple_debug_error("gnutls", "Dropping further peer certificates "
"because the chain is broken!\n");
break;
}
}
/* cert_list doesn't need free()-ing */
return peer_certs;
}
static void
ssl_gnutls_close(PurpleSslConnection *gsc)
{
PurpleSslGnutlsData *gnutls_data = PURPLE_SSL_GNUTLS_DATA(gsc);
if(!gnutls_data)
return;
if(gnutls_data->handshake_handler)
purple_input_remove(gnutls_data->handshake_handler);
gnutls_bye(gnutls_data->session, GNUTLS_SHUT_RDWR);
gnutls_deinit(gnutls_data->session);
g_free(gnutls_data);
gsc->private_data = NULL;
}
static GList *
ssl_gnutls_get_peer_certificates(PurpleSslConnection * gsc)
{
PurpleSslGnutlsData *gnutls_data = PURPLE_SSL_GNUTLS_DATA(gsc);
/* List of Certificate instances to return */
GList * peer_certs = NULL;
/* List of raw certificates as given by GnuTLS */
const gnutls_datum *cert_list;
unsigned int cert_list_size = 0;
unsigned int i;
/* This should never, ever happen. */
g_return_val_if_fail( gnutls_certificate_type_get (gnutls_data->session) == GNUTLS_CRT_X509, NULL);
/* Get the certificate list from GnuTLS */
/* TODO: I am _pretty sure_ this doesn't block or do other exciting things */
cert_list = gnutls_certificate_get_peers(gnutls_data->session,
&cert_list_size);
/* Convert each certificate to a Certificate and append it to the list */
for (i = 0; i < cert_list_size; i++) {
PurpleCertificate * newcrt = x509_import_from_datum(cert_list[i],
GNUTLS_X509_FMT_DER);
/* Append is somewhat inefficient on linked lists, but is easy
to read. If someone complains, I'll change it.
TODO: Is anyone complaining? (Maybe elb?) */
peer_certs = g_list_append(peer_certs, newcrt);
}
/* cert_list doesn't need free()-ing */
return peer_certs;
}
static size_t
ssl_gnutls_read(PurpleSslConnection *gsc, void *data, size_t len)
{
PurpleSslGnutlsData *gnutls_data = PURPLE_SSL_GNUTLS_DATA(gsc);
ssize_t s;
s = gnutls_record_recv(gnutls_data->session, data, len);
if(s == GNUTLS_E_AGAIN || s == GNUTLS_E_INTERRUPTED) {
s = -1;
errno = EAGAIN;
#ifdef GNUTLS_E_PREMATURE_TERMINATION
} else if (s == GNUTLS_E_PREMATURE_TERMINATION) {
purple_debug_warning("gnutls", "Received a FIN on the TCP socket "
"for %s. This either means that the remote server closed "
"the socket without sending us a Close Notify alert or a "
"man-in-the-middle injected a FIN into the TCP stream. "
"Assuming it's the former.\n", gsc->host);
#else
} else if (s == GNUTLS_E_UNEXPECTED_PACKET_LENGTH) {
purple_debug_warning("gnutls", "Received packet of unexpected "
"length on the TCP socket for %s. Among other "
"possibilities this might mean that the remote server "
"closed the socket without sending us a Close Notify alert. "
"Assuming that's the case for compatibility, however, note "
"that it's quite possible that we're incorrectly ignoing "
"a real error.\n", gsc->host);
#endif
/*
* Summary:
* Always treat a closed TCP connection as if the remote server cleanly
* terminated the SSL session.
*
* Background:
* Most TLS servers send a Close Notify alert before sending TCP FIN
* when closing a session. This informs us at the TLS layer that the
* connection is being cleanly closed. Without this it's more
* difficult for us to determine whether the session was closed
* cleanly (we would need to resort to having the application layer
* perform this check, e.g. by looking at the Content-Length HTTP
* header for HTTP connections).
*
* There ARE servers that don't send Close Notify and we want to be
* compatible with them. And so we don't require Close Notify. This
* seems to match the behavior of libnss. This is a slightly
* unfortunate situation. It means a malicious MITM can inject a FIN
* into our TCP stream and cause our encrypted session to termiate
* and we won't indicate any problem to the user.
*
* GnuTLS < 3.0.0 returned the UNEXPECTED_PACKET_LENGTH error on EOF.
* GnuTLS >= 3.0.0 added the PREMATURE_TERMINATION error to allow us
* to detect the problem more specifically.
*
* For historical discussion see:
* https://developer.pidgin.im/ticket/16172
* http://trac.adiumx.com/intertrac/ticket%3A16678
* https://bugzilla.mozilla.org/show_bug.cgi?id=508698#c4
* http://lists.gnu.org/archive/html/gnutls-devel/2008-03/msg00058.html
* Or search for GNUTLS_E_UNEXPECTED_PACKET_LENGTH or
* GNUTLS_E_PREMATURE_TERMINATION
*/
s = 0;
} else if(s < 0) {
purple_debug_error("gnutls", "receive failed: %s\n",
gnutls_strerror(s));
s = -1;
/*
* TODO: Set errno to something more appropriate. Or even
* better: allow ssl plugins to keep track of their
* own error message, then add a new ssl_ops function
* that returns the error message.
*/
errno = EIO;
}
return s;
}
static void ssl_gnutls_handshake_cb(gpointer data, gint source,
PurpleInputCondition cond)
{
PurpleSslConnection *gsc = data;
PurpleSslGnutlsData *gnutls_data = PURPLE_SSL_GNUTLS_DATA(gsc);
ssize_t ret;
/*purple_debug_info("gnutls", "Handshaking with %s\n", gsc->host);*/
ret = gnutls_handshake(gnutls_data->session);
if(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
return;
purple_input_remove(gnutls_data->handshake_handler);
gnutls_data->handshake_handler = 0;
if(ret != 0) {
purple_debug_error("gnutls", "Handshake failed. Error %s\n",
gnutls_strerror(ret));
if(gsc->error_cb != NULL)
gsc->error_cb(gsc, PURPLE_SSL_HANDSHAKE_FAILED,
gsc->connect_cb_data);
purple_ssl_close(gsc);
} else {
/* Now we are cooking with gas! */
PurpleSslOps *ops = purple_ssl_get_ops();
GList * peers = ops->get_peer_certificates(gsc);
PurpleCertificateScheme *x509 =
purple_certificate_find_scheme("x509");
GList * l;
/* TODO: Remove all this debugging babble */
purple_debug_info("gnutls", "Handshake complete\n");
for (l=peers; l; l = l->next) {
PurpleCertificate *crt = l->data;
GByteArray *z =
x509->get_fingerprint_sha1(crt);
gchar * fpr =
purple_base16_encode_chunked(z->data,
z->len);
purple_debug_info("gnutls/x509",
"Key print: %s\n",
fpr);
/* Kill the cert! */
x509->destroy_certificate(crt);
g_free(fpr);
g_byte_array_free(z, TRUE);
}
g_list_free(peers);
{
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
gnutls_session_t session=gnutls_data->session;
guint i;
cert_list =
gnutls_certificate_get_peers(session, &cert_list_size);
purple_debug_info("gnutls",
"Peer provided %d certs\n",
cert_list_size);
for (i=0; i<cert_list_size; i++)
{
gchar fpr_bin[256];
gsize fpr_bin_sz = sizeof(fpr_bin);
gchar * fpr_asc = NULL;
gchar tbuf[256];
gsize tsz=sizeof(tbuf);
gchar * tasc = NULL;
gnutls_x509_crt_t cert;
gnutls_x509_crt_init(&cert);
gnutls_x509_crt_import (cert, &cert_list[i],
GNUTLS_X509_FMT_DER);
gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA,
fpr_bin, &fpr_bin_sz);
fpr_asc =
purple_base16_encode_chunked((const guchar *)fpr_bin, fpr_bin_sz);
purple_debug_info("gnutls",
"Lvl %d SHA1 fingerprint: %s\n",
i, fpr_asc);
tsz=sizeof(tbuf);
gnutls_x509_crt_get_serial(cert,tbuf,&tsz);
tasc=purple_base16_encode_chunked((const guchar *)tbuf, tsz);
purple_debug_info("gnutls",
"Serial: %s\n",
tasc);
g_free(tasc);
tsz=sizeof(tbuf);
gnutls_x509_crt_get_dn (cert, tbuf, &tsz);
purple_debug_info("gnutls",
"Cert DN: %s\n",
tbuf);
tsz=sizeof(tbuf);
gnutls_x509_crt_get_issuer_dn (cert, tbuf, &tsz);
purple_debug_info("gnutls",
"Cert Issuer DN: %s\n",
tbuf);
g_free(fpr_asc);
fpr_asc = NULL;
gnutls_x509_crt_deinit(cert);
}
}
/* TODO: The following logic should really be in libpurple */
/* If a Verifier was given, hand control over to it */
if (gsc->verifier) {
GList *peers;
/* First, get the peer cert chain */
peers = purple_ssl_get_peer_certificates(gsc);
/* Now kick off the verification process */
purple_certificate_verify(gsc->verifier,
gsc->host,
peers,
ssl_gnutls_verified_cb,
gsc);
purple_certificate_destroy_list(peers);
} else {
/* Otherwise, just call the "connection complete"
callback */
gsc->connect_cb(gsc->connect_cb_data, gsc, cond);
}
}
}
