* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
-#include <config.h>
-
-#include <gnutls/gnutls.h>
-#include <gnutls/x509.h>
-
-#include <telepathy-glib/util.h>
-
+#include "config.h"
#include "empathy-tls-verifier.h"
#include <gcr/gcr.h>
+#include "empathy-utils.h"
+
#define DEBUG_FLAG EMPATHY_DEBUG_TLS
#include "empathy-debug.h"
-#include "empathy-utils.h"
G_DEFINE_TYPE (EmpathyTLSVerifier, empathy_tls_verifier,
G_TYPE_OBJECT)
enum {
PROP_TLS_CERTIFICATE = 1,
PROP_HOSTNAME,
+ PROP_REFERENCE_IDENTITIES,
LAST_PROPERTY,
};
typedef struct {
- EmpathyTLSCertificate *certificate;
+ TpTLSCertificate *certificate;
gchar *hostname;
+ gchar **reference_identities;
GSimpleAsyncResult *verify_result;
GHashTable *details;
static gboolean
verification_output_to_reason (gint res,
guint verify_output,
- EmpTLSCertificateRejectReason *reason)
+ TpTLSCertificateRejectReason *reason)
{
gboolean retval = TRUE;
switch (res)
{
case GNUTLS_E_INSUFFICIENT_CREDENTIALS:
- *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
+ *reason = TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
break;
case GNUTLS_E_CONSTRAINT_ERROR:
- *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED;
+ *reason = TP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED;
break;
default:
- *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+ *reason = TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
break;
}
retval = FALSE;
if (verify_output & GNUTLS_CERT_SIGNER_NOT_FOUND)
- *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
+ *reason = TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA)
- *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
+ *reason = TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
else if (verify_output & GNUTLS_CERT_INSECURE_ALGORITHM)
- *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE;
+ *reason = TP_TLS_CERTIFICATE_REJECT_REASON_INSECURE;
else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED)
- *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;
+ *reason = TP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;
else if (verify_output & GNUTLS_CERT_EXPIRED)
- *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;
+ *reason = TP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;
else
- *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+ *reason = TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
goto out;
}
static void
abort_verification (EmpathyTLSVerifier *self,
- EmpTLSCertificateRejectReason reason)
+ TpTLSCertificateRejectReason reason)
{
EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
tp_clear_object (&priv->verify_result);
}
+static void
+debug_certificate (GcrCertificate *cert)
+{
+ gchar *subject = gcr_certificate_get_subject_dn (cert);
+ DEBUG ("Certificate: %s", subject);
+ g_free (subject);
+}
+
static void
debug_certificate_chain (GcrCertificateChain *chain)
{
GEnumValue *enum_value;
gint idx, length;
GcrCertificate *cert;
- gchar *subject;
enum_class = G_ENUM_CLASS
(g_type_class_peek (GCR_TYPE_CERTIFICATE_CHAIN_STATUS));
for (idx = 0; idx < length; ++idx)
{
cert = gcr_certificate_chain_get_certificate (chain, idx);
- subject = gcr_certificate_get_subject_dn (cert);
- DEBUG (" Certificate: %s", subject);
- g_free (subject);
+ debug_certificate (cert);
}
}
GcrCertificateChain *chain)
{
gboolean ret = FALSE;
- EmpTLSCertificateRejectReason reason =
- EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+ TpTLSCertificateRejectReason reason =
+ TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
gnutls_x509_crt_t *list, *anchors;
guint n_list, n_anchors;
guint verify_output;
gint res;
+ gint i;
+ gboolean matched = FALSE;
EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
DEBUG ("Performing verification");
debug_certificate_chain (chain);
+ list = anchors = NULL;
+ n_list = n_anchors = 0;
+
/*
* If the first certificate is an pinned certificate then we completely
* ignore the rest of the verification process.
&anchors, &n_anchors);
if (list == NULL || n_list == 0) {
g_warn_if_reached ();
- abort_verification (self, EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN);
+ abort_verification (self, TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN);
goto out;
}
goto out;
}
- /* now check if the certificate matches the hostname. */
- if (gnutls_x509_crt_check_hostname (list[0], priv->hostname) == 0)
+ /* now check if the certificate matches one of the reference identities. */
+ if (priv->reference_identities != NULL)
+ {
+ for (i = 0, matched = FALSE; priv->reference_identities[i] != NULL; ++i)
+ {
+ if (gnutls_x509_crt_check_hostname (list[0],
+ priv->reference_identities[i]) == 1)
+ {
+ matched = TRUE;
+ break;
+ }
+ }
+ }
+
+ if (!matched)
{
gchar *certified_hostname;
g_free (certified_hostname);
abort_verification (self,
- EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH);
+ TP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH);
goto out;
}
case PROP_HOSTNAME:
g_value_set_string (value, priv->hostname);
break;
+ case PROP_REFERENCE_IDENTITIES:
+ g_value_set_boxed (value, priv->reference_identities);
+ break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
break;
case PROP_HOSTNAME:
priv->hostname = g_value_dup_string (value);
break;
+ case PROP_REFERENCE_IDENTITIES:
+ priv->reference_identities = g_value_dup_boxed (value);
+ break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
break;
tp_clear_boxed (G_TYPE_HASH_TABLE, &priv->details);
g_free (priv->hostname);
+ g_strfreev (priv->reference_identities);
G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object);
}
oclass->finalize = empathy_tls_verifier_finalize;
oclass->dispose = empathy_tls_verifier_dispose;
- pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate",
- "The EmpathyTLSCertificate to be verified.",
- EMPATHY_TYPE_TLS_CERTIFICATE,
+ pspec = g_param_spec_object ("certificate", "The TpTLSCertificate",
+ "The TpTLSCertificate to be verified.",
+ TP_TYPE_TLS_CERTIFICATE,
G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec);
pspec = g_param_spec_string ("hostname", "The hostname",
- "The hostname which should be certified by the certificate.",
+ "The hostname which is certified by the certificate.",
NULL,
G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
g_object_class_install_property (oclass, PROP_HOSTNAME, pspec);
+
+ pspec = g_param_spec_boxed ("reference-identities",
+ "The reference identities",
+ "The certificate should certify one of these identities.",
+ G_TYPE_STRV,
+ G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
+ g_object_class_install_property (oclass, PROP_REFERENCE_IDENTITIES, pspec);
}
EmpathyTLSVerifier *
-empathy_tls_verifier_new (EmpathyTLSCertificate *certificate,
- const gchar *hostname)
+empathy_tls_verifier_new (TpTLSCertificate *certificate,
+ const gchar *hostname,
+ const gchar **reference_identities)
{
- g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate));
+ g_assert (TP_IS_TLS_CERTIFICATE (certificate));
g_assert (hostname != NULL);
+ g_assert (reference_identities != NULL);
return g_object_new (EMPATHY_TYPE_TLS_VERIFIER,
"certificate", certificate,
"hostname", hostname,
+ "reference-identities", reference_identities,
NULL);
}
{
GcrCertificateChain *chain;
GcrCertificate *cert;
- GPtrArray *certs = NULL;
- GArray *cert_data;
+ GPtrArray *cert_data;
+ GArray *data;
guint idx;
EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
g_return_if_fail (priv->verify_result == NULL);
- g_object_get (priv->certificate, "cert-data", &certs, NULL);
- g_return_if_fail (certs);
+ cert_data = tp_tls_certificate_get_cert_data (priv->certificate);
+ g_return_if_fail (cert_data);
priv->verify_result = g_simple_async_result_new (G_OBJECT (self),
callback, user_data, NULL);
/* Create a certificate chain */
chain = gcr_certificate_chain_new ();
- for (idx = 0; idx < certs->len; ++idx) {
- cert_data = g_ptr_array_index (certs, idx);
- cert = gcr_simple_certificate_new_static (cert_data->data, cert_data->len);
+ for (idx = 0; idx < cert_data->len; ++idx) {
+ data = g_ptr_array_index (cert_data, idx);
+ cert = gcr_simple_certificate_new ((guchar *) data->data, data->len);
gcr_certificate_chain_add (chain, cert);
g_object_unref (cert);
}
- gcr_certificate_chain_build_async (chain, GCR_PURPOSE_CLIENT_AUTH, priv->hostname, 0,
+ gcr_certificate_chain_build_async (chain, GCR_PURPOSE_SERVER_AUTH, priv->hostname, 0,
NULL, perform_verification_cb, g_object_ref (self));
g_object_unref (chain);
- g_ptr_array_unref (certs);
}
gboolean
empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self,
GAsyncResult *res,
- EmpTLSCertificateRejectReason *reason,
+ TpTLSCertificateRejectReason *reason,
GHashTable **details,
GError **error)
{
}
if (reason != NULL)
- *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+ *reason = TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
return TRUE;
}
void
empathy_tls_verifier_store_exception (EmpathyTLSVerifier *self)
{
- GArray *last_cert;
+ GArray *data;
GcrCertificate *cert;
- GPtrArray *certs;
+ GPtrArray *cert_data;
GError *error = NULL;
EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
- g_object_get (priv->certificate, "cert-data", &certs, NULL);
- last_cert = g_ptr_array_index (certs, certs->len - 1);
- cert = gcr_simple_certificate_new_static ((gpointer)last_cert->data,
- last_cert->len);
+ cert_data = tp_tls_certificate_get_cert_data (priv->certificate);
+ g_return_if_fail (cert_data);
+
+ if (!cert_data->len)
+ {
+ DEBUG ("No certificate to pin.");
+ return;
+ }
+
+ /* The first certificate in the chain is for the host */
+ data = g_ptr_array_index (cert_data, 0);
+ cert = gcr_simple_certificate_new ((gpointer)data->data, data->len);
+
+ DEBUG ("Storing pinned certificate:");
+ debug_certificate (cert);
- if (!gcr_trust_add_pinned_certificate (cert, GCR_PURPOSE_CLIENT_AUTH,
+ if (!gcr_trust_add_pinned_certificate (cert, GCR_PURPOSE_SERVER_AUTH,
priv->hostname, NULL, &error))
- DEBUG ("Can't store the certificate exeption: %s", error->message);
+ DEBUG ("Can't store the pinned certificate: %s", error->message);
g_object_unref (cert);
- g_ptr_array_unref (certs);
}