#include "empathy-server-tls-handler.h"
+#include <telepathy-glib/interfaces.h>
#include <telepathy-glib/util.h>
#define DEBUG_FLAG EMPATHY_DEBUG_TLS
PROP_CHANNEL = 1,
PROP_TLS_CERTIFICATE,
PROP_HOSTNAME,
+ PROP_REFERENCE_IDENTITIES,
LAST_PROPERTY,
};
EmpathyTLSCertificate *certificate;
gchar *hostname;
+ gchar **reference_identities;
GSimpleAsyncResult *async_init_res;
} EmpathyServerTLSHandlerPriv;
GHashTable *properties;
const gchar *cert_object_path;
const gchar *hostname;
+ const gchar * const *identities;
const gchar *bus_name;
TpDBusDaemon *dbus;
GError *error = NULL;
+ /*
+ * Used when channel doesn't implement ReferenceIdentities. A GStrv
+ * with [0] the hostname, and [1] a NULL terminator.
+ */
+ gchar *default_identities[2];
EmpathyServerTLSHandler *self = EMPATHY_SERVER_TLS_HANDLER (initable);
EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self);
properties = tp_channel_borrow_immutable_properties (priv->channel);
hostname = tp_asv_get_string (properties,
- EMP_IFACE_CHANNEL_TYPE_SERVER_TLS_CONNECTION ".Hostname");
+ TP_PROP_CHANNEL_TYPE_SERVER_TLS_CONNECTION_HOSTNAME);
priv->hostname = g_strdup (hostname);
DEBUG ("Received hostname: %s", hostname);
+ identities = tp_asv_get_strv (properties,
+ TP_PROP_CHANNEL_TYPE_SERVER_TLS_CONNECTION_REFERENCE_IDENTITIES);
+
+ /*
+ * If the channel doesn't implement the ReferenceIdentities parameter
+ * then fallback to the hostname.
+ */
+ if (identities == NULL)
+ {
+ default_identities[0] = (gchar *) hostname;
+ default_identities[1] = NULL;
+ identities = (const gchar **) default_identities;
+ }
+ else
+ {
+#ifdef ENABLE_DEBUG
+ gchar *output = g_strjoinv (", ", (gchar **) identities);
+ DEBUG ("Received reference identities: %s", output);
+ g_free (output);
+#endif /* ENABLE_DEBUG */
+ }
+
+ priv->reference_identities = g_strdupv ((gchar **) identities);
+
cert_object_path = tp_asv_get_object_path (properties,
EMP_IFACE_CHANNEL_TYPE_SERVER_TLS_CONNECTION ".ServerCertificate");
bus_name = tp_proxy_get_bus_name (TP_PROXY (priv->channel));
tp_clear_object (&priv->channel);
tp_clear_object (&priv->certificate);
+ g_strfreev (priv->reference_identities);
g_free (priv->hostname);
G_OBJECT_CLASS (empathy_server_tls_handler_parent_class)->finalize (object);
case PROP_HOSTNAME:
g_value_set_string (value, priv->hostname);
break;
+ case PROP_REFERENCE_IDENTITIES:
+ g_value_set_boxed (value, priv->reference_identities);
+ break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
break;
g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec);
pspec = g_param_spec_string ("hostname", "The hostname",
- "The hostname which should be certified by the server certificate.",
+ "The hostname the user is expecting to connect to.",
NULL,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
g_object_class_install_property (oclass, PROP_HOSTNAME, pspec);
+
+ pspec = g_param_spec_boxed ("reference-identities", "Reference Identities",
+ "The server certificate should certify one of these identities",
+ G_TYPE_STRV, G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+ g_object_class_install_property (oclass, PROP_REFERENCE_IDENTITIES, pspec);
+
}
static void
enum {
PROP_TLS_CERTIFICATE = 1,
PROP_HOSTNAME,
+ PROP_REFERENCE_IDENTITIES,
LAST_PROPERTY,
};
typedef struct {
EmpathyTLSCertificate *certificate;
gchar *hostname;
+ gchar **reference_identities;
GSimpleAsyncResult *verify_result;
GHashTable *details;
guint n_list, n_anchors;
guint verify_output;
gint res;
+ gint i;
+ gboolean matched;
EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
DEBUG ("Performing verification");
goto out;
}
- /* now check if the certificate matches the hostname. */
- if (gnutls_x509_crt_check_hostname (list[0], priv->hostname) == 0)
+ /* now check if the certificate matches one of the reference identities. */
+ if (priv->reference_identities != NULL)
+ {
+ for (i = 0, matched = FALSE; priv->reference_identities[i] != NULL; ++i)
+ {
+ if (gnutls_x509_crt_check_hostname (list[0],
+ priv->reference_identities[i]) == 1)
+ {
+ matched = TRUE;
+ break;
+ }
+ }
+ }
+
+ if (!matched)
{
gchar *certified_hostname;
case PROP_HOSTNAME:
g_value_set_string (value, priv->hostname);
break;
+ case PROP_REFERENCE_IDENTITIES:
+ g_value_set_boxed (value, priv->reference_identities);
+ break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
break;
case PROP_HOSTNAME:
priv->hostname = g_value_dup_string (value);
break;
+ case PROP_REFERENCE_IDENTITIES:
+ priv->reference_identities = g_value_dup_boxed (value);
+ break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
break;
tp_clear_boxed (G_TYPE_HASH_TABLE, &priv->details);
g_free (priv->hostname);
+ g_strfreev (priv->reference_identities);
G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object);
}
g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec);
pspec = g_param_spec_string ("hostname", "The hostname",
- "The hostname which should be certified by the certificate.",
+ "The hostname which is certified by the certificate.",
NULL,
G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
g_object_class_install_property (oclass, PROP_HOSTNAME, pspec);
+
+ pspec = g_param_spec_boxed ("reference-identities",
+ "The reference identities",
+ "The certificate should certify one of these identities.",
+ G_TYPE_STRV,
+ G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
+ g_object_class_install_property (oclass, PROP_REFERENCE_IDENTITIES, pspec);
}
EmpathyTLSVerifier *
empathy_tls_verifier_new (EmpathyTLSCertificate *certificate,
- const gchar *hostname)
+ const gchar *hostname, const gchar **reference_identities)
{
g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate));
g_assert (hostname != NULL);
+ g_assert (reference_identities != NULL);
return g_object_new (EMPATHY_TYPE_TLS_VERIFIER,
"certificate", certificate,
"hostname", hostname,
+ "reference-identities", reference_identities,
NULL);
}
EmpathyTLSVerifier * empathy_tls_verifier_new (
EmpathyTLSCertificate *certificate,
- const gchar *hostname);
+ const gchar *hostname,
+ const gchar **reference_identities);
void empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self,
GAsyncReadyCallback callback,
{
EmpathyTLSCertificate *certificate = NULL;
gchar *hostname = NULL;
+ gchar **reference_identities = NULL;
EmpathyTLSVerifier *verifier;
DEBUG ("New TLS server handler received from the factory");
g_object_get (handler,
"certificate", &certificate,
"hostname", &hostname,
+ "reference-identities", &reference_identities,
NULL);
- verifier = empathy_tls_verifier_new (certificate, hostname);
+ verifier = empathy_tls_verifier_new (certificate, hostname,
+ (const gchar **) reference_identities);
empathy_tls_verifier_verify_async (verifier,
verifier_verify_cb, NULL);
g_object_unref (verifier);
g_object_unref (certificate);
g_free (hostname);
+ g_strfreev (reference_identities);
}
static void
projects / empathy.git / commitdiff