31#include <gnutls/gnutls.h>
32#include <gnutls/x509.h>
49#define CERTERR_VALID 0
50#define CERTERR_EXPIRED (1 << 0)
51#define CERTERR_NOTYETVALID (1 << 1)
52#define CERTERR_REVOKED (1 << 2)
53#define CERTERR_NOTTRUSTED (1 << 3)
54#define CERTERR_HOSTNAME (1 << 4)
55#define CERTERR_SIGNERNOTCA (1 << 5)
56#define CERTERR_INSECUREALG (1 << 6)
57#define CERTERR_OTHER (1 << 7)
62#define CERT_SEP "-----BEGIN"
64#ifndef HAVE_GNUTLS_PRIORITY_SET_DIRECT
83 gnutls_certificate_credentials_t
xcred;
93 static bool init_complete =
false;
99 err = gnutls_global_init();
102 mutt_error(
"gnutls_global_init: %s", gnutls_strerror(err));
106 init_complete =
true;
121static int tls_verify_peers(gnutls_session_t tlsstate, gnutls_certificate_status_t *certstat)
138 int rc = gnutls_certificate_verify_peers2(tlsstate, certstat);
144 if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND)
145 mutt_error(
_(
"Unable to get certificate from peer"));
147 mutt_error(
_(
"Certificate verification error (%s)"), gnutls_strerror(rc));
160 size_t buflen,
const gnutls_datum_t *data)
162 unsigned char md[64];
167 if (gnutls_fingerprint(algo, data, (
char *) md, &n) < 0)
169 snprintf(buf, buflen,
_(
"[unable to calculate]"));
173 for (
int i = 0; i < (int) n; i++)
176 snprintf(ch, 8,
"%02X%s", md[i], ((i % 2) ?
" " :
""));
179 buf[2 * n + n / 2 - 1] =
'\0';
192 char *linestr = NULL;
193 size_t linestrsize = 0;
201 char buf[80] = { 0 };
237 gnutls_datum_t cert = { 0 };
238 unsigned char *ptr = NULL;
239 gnutls_datum_t b64_data = { 0 };
240 unsigned char *b64_data_data = NULL;
241 struct stat st = { 0 };
244 if (stat(c_certificate_file, &st) == -1)
247 b64_data.size = st.st_size;
249 b64_data.data = b64_data_data;
255 b64_data.size = fread(b64_data.data, 1, b64_data.size, fp);
256 b64_data.data[b64_data.size] =
'\0';
261 const int rc = gnutls_pem_base64_decode_alloc(NULL, &b64_data, &cert);
264 FREE(&b64_data_data);
269 ptr = (
unsigned char *) strstr((
char *) b64_data.data,
CERT_SEP);
272 gnutls_free(cert.data);
273 FREE(&b64_data_data);
277 ptr = (
unsigned char *) strstr((
char *) ptr + 1,
CERT_SEP);
279 b64_data.size = b64_data.size - (ptr - b64_data.data);
282 if (cert.size == peercert->size)
284 if (memcmp(cert.data, peercert->data, cert.size) == 0)
287 gnutls_free(cert.data);
288 FREE(&b64_data_data);
293 gnutls_free(cert.data);
297 FREE(&b64_data_data);
313 gnutls_certificate_status_t certstat,
const char *hostname,
314 int chainidx,
int *certerr,
int *savedcert)
316 gnutls_x509_crt_t cert;
321 if (gnutls_x509_crt_init(&cert) < 0)
323 mutt_error(
_(
"Error initialising gnutls certificate data"));
327 if (gnutls_x509_crt_import(cert, certdata, GNUTLS_X509_FMT_DER) < 0)
329 mutt_error(
_(
"Error processing certificate data"));
330 gnutls_x509_crt_deinit(cert);
339 if (c_ssl_verify_dates !=
MUTT_NO)
348 if ((chainidx == 0) && (c_ssl_verify_host !=
MUTT_NO) &&
349 !gnutls_x509_crt_check_hostname(cert, hostname) &&
355 if (certstat & GNUTLS_CERT_REVOKED)
358 certstat ^= GNUTLS_CERT_REVOKED;
371 gnutls_x509_crt_deinit(cert);
376 if (certstat & GNUTLS_CERT_INVALID)
379 certstat ^= GNUTLS_CERT_INVALID;
382 if (certstat & GNUTLS_CERT_SIGNER_NOT_FOUND)
386 certstat ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
389 if (certstat & GNUTLS_CERT_SIGNER_NOT_CA)
393 certstat ^= GNUTLS_CERT_SIGNER_NOT_CA;
396 if (certstat & GNUTLS_CERT_INSECURE_ALGORITHM)
400 certstat ^= GNUTLS_CERT_INSECURE_ALGORITHM;
409 gnutls_x509_crt_deinit(cert);
424static void add_cert(
const char *title, gnutls_x509_crt_t cert,
bool issuer,
425 struct CertArray *carr)
427 static const char *part[] = {
428 GNUTLS_OID_X520_COMMON_NAME,
429 GNUTLS_OID_PKCS9_EMAIL,
430 GNUTLS_OID_X520_ORGANIZATION_NAME,
431 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
432 GNUTLS_OID_X520_LOCALITY_NAME,
433 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
434 GNUTLS_OID_X520_COUNTRY_NAME,
437 char buf[128] = { 0 };
445 size_t buflen =
sizeof(buf);
447 rc = gnutls_x509_crt_get_issuer_dn_by_oid(cert, part[i], 0, 0, buf, &buflen);
449 rc = gnutls_x509_crt_get_dn_by_oid(cert, part[i], 0, 0, buf, &buflen);
470 gnutls_certificate_status_t certstat,
471 const char *hostname,
int idx,
size_t len)
474 int certerr, savedcert;
475 gnutls_x509_crt_t cert;
476 char fpbuf[128] = { 0 };
478 char datestr[30] = { 0 };
479 char title[256] = { 0 };
480 gnutls_datum_t pemdata = { 0 };
482 if (
tls_check_preauth(certdata, certstat, hostname, idx, &certerr, &savedcert) == 0)
486 if (gnutls_x509_crt_init(&cert) < 0)
488 mutt_error(
_(
"Error initialising gnutls certificate data"));
492 if (gnutls_x509_crt_import(cert, certdata, GNUTLS_X509_FMT_DER) < 0)
494 mutt_error(
_(
"Error processing certificate data"));
495 gnutls_x509_crt_deinit(cert);
499 add_cert(
_(
"This certificate belongs to:"), cert,
false, &carr);
501 add_cert(
_(
"This certificate was issued by:"), cert,
true, &carr);
507 t = gnutls_x509_crt_get_activation_time(cert);
512 t = gnutls_x509_crt_get_expiration_time(cert);
560 snprintf(title,
sizeof(title),
561 _(
"SSL Certificate check (certificate %zu of %zu in chain)"), len - idx, len);
564 const bool allow_always = (c_certificate_file && !savedcert &&
577 fprintf(fp,
"#H %s %s\n", hostname, fpbuf);
582 int rc2 = gnutls_pem_base64_encode_alloc(
"CERTIFICATE", certdata, &pemdata);
585 if (fwrite(pemdata.data, pemdata.size, 1, fp) == 1)
589 gnutls_free(pemdata.data);
597 mutt_error(
_(
"Warning: Couldn't save certificate"));
602 gnutls_x509_crt_deinit(cert);
616 const gnutls_datum_t *cert_list = NULL;
617 unsigned int cert_list_size = 0;
618 gnutls_certificate_status_t certstat;
619 int certerr, savedcert, rc = 0;
620 int max_preauth_pass = -1;
631 cert_list = gnutls_certificate_get_peers(
state, &cert_list_size);
634 mutt_error(
_(
"Unable to get certificate from peer"));
642 for (
int i = 0; i < cert_list_size; i++)
645 &certerr, &savedcert);
648 max_preauth_pass = i;
659 for (
int i = cert_list_size - 1; i >= 0; i--)
671 int rcsettrust = gnutls_certificate_set_x509_trust_mem(data->
xcred, &cert_list[i],
672 GNUTLS_X509_FMT_DER);
681 if (!certstat && (max_preauth_pass >= (i - 1)))
699 gnutls_x509_crt_t clientcrt;
705 const gnutls_datum_t *crtdata = gnutls_certificate_get_ours(data->
state);
709 if (gnutls_x509_crt_init(&clientcrt) < 0)
715 if (gnutls_x509_crt_import(clientcrt, crtdata, GNUTLS_X509_FMT_DER) < 0)
722 rc = gnutls_x509_crt_get_dn_by_oid(clientcrt, GNUTLS_OID_X520_COMMON_NAME, 0,
724 if (((rc >= 0) || (rc == GNUTLS_E_SHORT_MEMORY_BUFFER)) && (cnlen > 0))
727 if (gnutls_x509_crt_get_dn_by_oid(clientcrt, GNUTLS_OID_X520_COMMON_NAME, 0,
741 gnutls_x509_crt_deinit(clientcrt);
744#ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
765 if (!c_ssl_use_tlsv1_3)
771 if (!c_ssl_use_tlsv1_2)
777 if (!c_ssl_use_tlsv1_1)
783 if (!c_ssl_use_tlsv1)
789 if (!c_ssl_use_sslv3)
797 mutt_error(
_(
"All available protocols for TLS/SSL connection disabled"));
804 mutt_error(
"gnutls_priority_set_direct(%s): %s",
828 if (c_ssl_use_tlsv1_2)
831 if (c_ssl_use_tlsv1_1)
843 mutt_error(
_(
"All available protocols for TLS/SSL connection disabled"));
850 mutt_error(
_(
"Explicit ciphersuite selection via $ssl_ciphers not supported"));
855 gnutls_set_default_priority(
data->state);
874 int err = gnutls_certificate_allocate_credentials(&data->
xcred);
878 mutt_error(
"gnutls_certificate_allocate_credentials: %s", gnutls_strerror(err));
883 gnutls_certificate_set_x509_trust_file(data->
xcred, c_certificate_file, GNUTLS_X509_FMT_PEM);
887 if (c_ssl_ca_certificates_file)
889 gnutls_certificate_set_x509_trust_file(data->
xcred, c_ssl_ca_certificates_file,
890 GNUTLS_X509_FMT_PEM);
894 if (c_ssl_client_cert)
897 gnutls_certificate_set_x509_key_file(data->
xcred, c_ssl_client_cert,
898 c_ssl_client_cert, GNUTLS_X509_FMT_PEM);
901#ifdef HAVE_DECL_GNUTLS_VERIFY_DISABLE_TIME_CHECKS
904 gnutls_certificate_set_verify_flags(data->
xcred, GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
907 err = gnutls_init(&data->
state, GNUTLS_CLIENT);
910 mutt_error(
"gnutls_init: %s", gnutls_strerror(err));
915 gnutls_transport_set_ptr(data->
state, (gnutls_transport_ptr_t) (
long) conn->
fd);
917 if (gnutls_server_name_set(data->
state, GNUTLS_NAME_DNS, conn->
account.
host,
920 mutt_error(
_(
"Warning: unable to set TLS SNI host name"));
929 if (c_ssl_min_dh_prime_bits > 0)
931 gnutls_dh_set_prime_bits(data->
state, c_ssl_min_dh_prime_bits);
934 gnutls_credentials_set(data->
state, GNUTLS_CRD_CERTIFICATE, data->
xcred);
938 err = gnutls_handshake(data->
state);
939 }
while ((err == GNUTLS_E_AGAIN) || (err == GNUTLS_E_INTERRUPTED));
943 if (err == GNUTLS_E_FATAL_ALERT_RECEIVED)
945 mutt_error(
"gnutls_handshake: %s(%s)", gnutls_strerror(err),
946 gnutls_alert_get_name(gnutls_alert_get(data->
state)));
950 mutt_error(
"gnutls_handshake: %s", gnutls_strerror(err));
960 conn->
ssf = gnutls_cipher_get_key_size(gnutls_cipher_get(data->
state)) * 8;
967 gnutls_protocol_get_name(gnutls_protocol_get_version(data->
state)),
968 gnutls_kx_get_name(gnutls_kx_get(data->
state)),
969 gnutls_cipher_get_name(gnutls_cipher_get(data->
state)),
970 gnutls_mac_get_name(gnutls_mac_get(data->
state)));
977 gnutls_certificate_free_credentials(data->
xcred);
978 gnutls_deinit(data->
state);
992 if (gnutls_record_check_pending(data->
state))
1013 gnutls_bye(data->
state, GNUTLS_SHUT_WR);
1015 gnutls_certificate_free_credentials(data->
xcred);
1016 gnutls_deinit(data->
state);
1055 rc = gnutls_record_recv(data->
state, buf, count);
1056 }
while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED));
1060 mutt_error(
"tls_socket_read (%s)", gnutls_strerror(rc));
1086 rc = gnutls_record_send(data->
state, buf + sent, count - sent);
1087 }
while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED));
1091 mutt_error(
"tls_socket_write (%s)", gnutls_strerror(rc));
1096 }
while (sent < count);
#define ARRAY_ADD(head, elem)
Add an element at the end of the array.
#define ARRAY_FREE(head)
Release all memory.
#define ARRAY_HEAD_INITIALIZER
Static initializer for arrays.
size_t mutt_buffer_strcpy(struct Buffer *buf, const char *s)
Copy a string into a Buffer.
size_t mutt_buffer_addstr(struct Buffer *buf, const char *s)
Add a string to a Buffer.
static const char * mutt_buffer_string(const struct Buffer *buf)
Convert a buffer to a const char * "string".
const char * cs_subset_string(const struct ConfigSubset *sub, const char *name)
Get a string config item by name.
short cs_subset_number(const struct ConfigSubset *sub, const char *name)
Get a number config item by name.
const char * cs_subset_path(const struct ConfigSubset *sub, const char *name)
Get a path config item by name.
bool cs_subset_bool(const struct ConfigSubset *sub, const char *name)
Get a boolean config item by name.
Convenience wrapper for the config headers.
int mutt_account_getuser(struct ConnAccount *cac)
Retrieve username into ConnAccount, if necessary.
Convenience wrapper for the core headers.
int mutt_date_make_tls(char *buf, size_t buflen, time_t timestamp)
Format date in TLS certificate verification style.
time_t mutt_date_epoch(void)
Return the number of seconds since the Unix epoch.
void cert_array_clear(struct CertArray *carr)
Free all memory of a CertArray.
int dlg_verify_certificate(const char *title, struct CertArray *carr, bool allow_always, bool allow_skip)
Ask the user to validate the certificate.
char * mutt_file_read_line(char *line, size_t *size, FILE *fp, int *line_num, ReadLineFlags flags)
Read a line from a file.
FILE * mutt_file_fopen(const char *path, const char *mode)
Call fopen() safely.
int mutt_file_fclose(FILE **fp)
Close a FILE handle (and NULL the pointer)
#define MUTT_RL_NO_FLAGS
No flags are set.
#define CERTERR_INSECUREALG
static int tls_check_preauth(const gnutls_datum_t *certdata, gnutls_certificate_status_t certstat, const char *hostname, int chainidx, int *certerr, int *savedcert)
Prepare a certificate for authentication.
static int tls_check_certificate(struct Connection *conn)
Check a connection's certificate.
int mutt_ssl_starttls(struct Connection *conn)
Negotiate TLS over an already opened connection.
static bool tls_check_stored_hostname(const gnutls_datum_t *cert, const char *hostname)
Does the hostname match a stored certificate?
#define CERTERR_NOTTRUSTED
static int tls_verify_peers(gnutls_session_t tlsstate, gnutls_certificate_status_t *certstat)
Wrapper for gnutls_certificate_verify_peers()
#define CERTERR_NOTYETVALID
static int tls_compare_certificates(const gnutls_datum_t *peercert)
Compare certificates against $certificate_file
static int protocol_priority[]
static int tls_init(void)
Set up Gnu TLS.
static void tls_fingerprint(gnutls_digest_algorithm_t algo, char *buf, size_t buflen, const gnutls_datum_t *data)
Create a fingerprint of a TLS Certificate.
static void tls_get_client_cert(struct Connection *conn)
Get the client certificate for a TLS connection.
static int tls_check_one_certificate(const gnutls_datum_t *certdata, gnutls_certificate_status_t certstat, const char *hostname, int idx, size_t len)
Check a GnuTLS certificate.
static int tls_negotiate(struct Connection *conn)
Negotiate TLS connection.
int mutt_ssl_socket_setup(struct Connection *conn)
Set up SSL socket mulitplexor.
#define CERTERR_SIGNERNOTCA
static void add_cert(const char *title, gnutls_x509_crt_t cert, bool issuer, struct CertArray *carr)
Look up certificate info and save it to a list.
static int tls_set_priority(struct TlsSockData *data)
Set the priority of various protocols.
static int tls_starttls_close(struct Connection *conn)
Close a TLS connection - Implements Connection::close() -.
static int tls_socket_close(struct Connection *conn)
Close a TLS socket - Implements Connection::close() -.
int raw_socket_close(struct Connection *conn)
Close a socket - Implements Connection::close() -.
static int tls_socket_open(struct Connection *conn)
Open a TLS socket - Implements Connection::open() -.
int raw_socket_open(struct Connection *conn)
Open a socket - Implements Connection::open() -.
static int tls_socket_poll(struct Connection *conn, time_t wait_secs)
Check whether a socket read would block - Implements Connection::poll() -.
int raw_socket_poll(struct Connection *conn, time_t wait_secs)
Checks whether reads would block - Implements Connection::poll() -.
static int tls_socket_read(struct Connection *conn, char *buf, size_t count)
Read data from a TLS socket - Implements Connection::read() -.
int raw_socket_read(struct Connection *conn, char *buf, size_t len)
Read data from a socket - Implements Connection::read() -.
int raw_socket_write(struct Connection *conn, const char *buf, size_t count)
Write data to a socket - Implements Connection::write() -.
static int tls_socket_write(struct Connection *conn, const char *buf, size_t count)
Write data to a TLS socket - Implements Connection::write() -.
#define mutt_message(...)
#define mutt_debug(LEVEL,...)
@ LL_DEBUG2
Log at debug level 2.
@ LL_DEBUG1
Log at debug level 1.
void * mutt_mem_calloc(size_t nmemb, size_t size)
Allocate zeroed memory on the heap.
#define mutt_array_size(x)
Convenience wrapper for the library headers.
char * mutt_str_dup(const char *str)
Copy a string, safely.
int mutt_str_asprintf(char **strp, const char *fmt,...)
size_t mutt_str_len(const char *a)
Calculate the length of a string, safely.
char * mutt_str_cat(char *buf, size_t buflen, const char *s)
Concatenate two strings.
void mutt_sleep(short s)
Sleep for a while.
Some miscellaneous functions.
Handling of global boolean variables.
bool OptNoCurses
(pseudo) when sending in batch mode
void mutt_buffer_pool_release(struct Buffer **pbuf)
Free a Buffer from the pool.
struct Buffer * mutt_buffer_pool_get(void)
Get a Buffer from the pool.
regmatch_t * mutt_prex_capture(enum Prex which, const char *str)
Match a precompiled regex against a string.
@ PREX_GNUTLS_CERT_HOST_HASH
[#H foo.com A76D 954B EB79 1F49 5B3A 0A0E 0681 65B1]
@ PREX_GNUTLS_CERT_HOST_HASH_MATCH_HASH
#H foo.com [A76D ... 65B1]
@ PREX_GNUTLS_CERT_HOST_HASH_MATCH_HOST
#H [foo.com] A76D ... 65B1
@ MUTT_NO
User answered 'No', or assume 'No'.
static regoff_t mutt_regmatch_end(const regmatch_t *match)
Return the end of a match.
static regoff_t mutt_regmatch_start(const regmatch_t *match)
Return the start of a match.
Handling of SSL encryption.
String manipulation buffer.
char * data
Pointer to data.
char host[128]
Server to login to.
void * sockdata
Backend-specific socket data.
int(* poll)(struct Connection *conn, time_t wait_secs)
int(* write)(struct Connection *conn, const char *buf, size_t count)
unsigned int ssf
Security strength factor, in bits (see notes)
int(* close)(struct Connection *conn)
struct ConnAccount account
Account details: username, password, etc.
int(* open)(struct Connection *conn)
int fd
Socket file descriptor.
int(* read)(struct Connection *conn, char *buf, size_t count)
Container for Accounts, Notifications.
struct ConfigSubset * sub
Inherited config items.
gnutls_certificate_credentials_t xcred