2 * Copyright (C) 1999-2001 Tommi Komulainen <Tommi.Komulainen@iki.fi>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
23 #include <openssl/ssl.h>
24 #include <openssl/x509.h>
25 #include <openssl/x509v3.h>
26 #include <openssl/err.h>
27 #include <openssl/rand.h>
34 #include "mutt_socket.h"
35 #include "mutt_menu.h"
36 #include "mutt_curses.h"
38 #include "mutt_idna.h"
/* Compatibility shims for old OpenSSL releases.  This listing omits the
 * #else/#endif lines, so each pair of #defines below is presumably the two
 * arms of one conditional (confirm against the full file).
 *   READ_X509_KEY   PEM_read_X509 with or without the trailing argument.
 *   DEVRANDOM       fallback device path when OpenSSL does not supply one.
 *   HAVE_ENTROPY()  RAND_status() when available; otherwise true when
 *                   DEVRANDOM is readable or at least 16 bytes have been
 *                   counted in entropy_byte_count.
 * NOTE(review): the fallback form counts bytes loaded, not their quality, so
 * it is only as strong as the files handed to add_entropy. */
40 #if OPENSSL_VERSION_NUMBER >= 0x00904000L
41 #define READ_X509_KEY(fp, key) PEM_read_X509(fp, key, NULL, NULL)
43 #define READ_X509_KEY(fp, key) PEM_read_X509(fp, key, NULL)
46 /* Just in case OpenSSL doesn't define DEVRANDOM */
48 #define DEVRANDOM "/dev/urandom"
51 /* This is ugly, but as RAND_status came in on OpenSSL version 0.9.5
52 * and the code has to support older versions too, this is seemed to
53 * be cleaner way compared to having even uglier #ifdefs all around.
55 #ifdef HAVE_RAND_STATUS
56 #define HAVE_ENTROPY() (RAND_status() == 1)
58 static int entropy_byte_count = 0;
59 /* OpenSSL fills the entropy pool from /dev/urandom if it exists */
60 #define HAVE_ENTROPY() (!access(DEVRANDOM, R_OK) || entropy_byte_count >= 16)
/* Session-wide cache of certificates that were accepted or verified.
 * NOTE(review): the stack is file-global and stores bare certificates; the
 * visible code records no host alongside them, so a lookup in this cache
 * says "this certificate was trusted", not "trusted for this server". */
63 /* keep a handle on accepted certificates in case we want to
64 * open up another connection to the same server in this session */
65 static STACK_OF(X509) *SslSessionCerts = NULL;
67 typedef struct _sslsockdata
/* Forward declarations for the file-local helpers defined below.  The
 * ssl_socket_* functions and tls_close are installed as CONNECTION
 * callbacks; the remaining ones implement certificate checking and client
 * certificate / passphrase handling. */
75 /* local prototypes */
76 static int ssl_init (void);
77 static int add_entropy (const char *file);
78 static int ssl_socket_read (CONNECTION* conn, char* buf, size_t len);
79 static int ssl_socket_write (CONNECTION* conn, const char* buf, size_t len);
80 static int ssl_socket_open (CONNECTION * conn);
81 static int ssl_socket_close (CONNECTION * conn);
82 static int tls_close (CONNECTION* conn);
83 static int ssl_cache_trusted_cert (X509 *cert);
84 static int ssl_check_certificate (CONNECTION *conn, sslsockdata * data);
85 static int interactive_check_cert (X509 *cert, int idx, int len);
86 static void ssl_get_client_cert(sslsockdata *ssldata, CONNECTION *conn);
87 static int ssl_passwd_cb(char *buf, int size, int rwflag, void *userdata);
88 static int ssl_negotiate (CONNECTION *conn, sslsockdata*);
90 /* mutt_ssl_starttls: Negotiate TLS over an already opened connection.
91 * TODO: Merge this code better with ssl_socket_open. */
/* Allocates the per-connection sslsockdata, creates the SSL_CTX and SSL
 * objects, binds them to the existing conn->fd, runs ssl_negotiate and then
 * swaps the connection's read/write/close callbacks for the TLS versions.
 * This listing omits some source lines (braces, declarations, returns and
 * cleanup labels), so the exact error paths are not visible here. */
92 int mutt_ssl_starttls (CONNECTION* conn)
100 ssldata = (sslsockdata*) safe_calloc (1, sizeof (sslsockdata));
101 /* the ssl_use_xxx protocol options don't apply. We must use TLS in TLS. */
/* NOTE(review): TLSv1_client_method pins the handshake to TLS 1.0 only, so
 * STARTTLS connections never negotiate a newer protocol version and fail
 * against servers that have disabled TLS 1.0. */
102 if (! (ssldata->ctx = SSL_CTX_new (TLSv1_client_method ())))
104 dprint (1, (debugfile, "mutt_ssl_starttls: Error allocating SSL_CTX\n"));
108 ssl_get_client_cert(ssldata, conn);
110 if (! (ssldata->ssl = SSL_new (ssldata->ctx)))
112 dprint (1, (debugfile, "mutt_ssl_starttls: Error allocating SSL\n"));
116 if (SSL_set_fd (ssldata->ssl, conn->fd) != 1)
118 dprint (1, (debugfile, "mutt_ssl_starttls: Error setting fd\n"));
/* A non-zero result from ssl_negotiate is treated as failure. */
122 if (ssl_negotiate (conn, ssldata))
125 /* hmm. watch out if we're starting TLS over any method other than raw. */
126 conn->sockdata = ssldata;
127 conn->conn_read = ssl_socket_read;
128 conn->conn_write = ssl_socket_write;
129 conn->conn_close = tls_close;
/* Record the negotiated cipher strength in bits on the connection. */
131 conn->ssf = SSL_CIPHER_get_bits (SSL_get_current_cipher (ssldata->ssl),
/* NOTE(review): ssl_socket_close releases these objects with SSL_free and
 * SSL_CTX_free; FREE here looks like a plain memory free, which would skip
 * OpenSSL's own teardown of the objects -- confirm what FREE expands to. */
137 FREE (&ssldata->ssl);
139 FREE (&ssldata->ctx);
147 * OpenSSL library needs to be fed with sufficient entropy. On systems
148 * with /dev/urandom, this is done transparently by the library itself,
149 * on other systems we need to fill the entropy pool ourselves.
151 * Even though only OpenSSL 0.9.5 and later will complain about the
152 * lack of entropy, we do our best and fill the pool with older
153 * versions also. (That's the reason for the ugly #ifdefs and macros,
154 * otherwise I could have simply #ifdef'd the whole ssl_init function)
/* Initialise OpenSSL for this process.  When HAVE_ENTROPY() is false the
 * pool is fed from a series of files, the RAND file is rewritten, and an
 * error is reported if entropy is still missing.  This listing omits some
 * source lines, so the return values and the test of init_complete are not
 * visible here. */
156 static int ssl_init (void)
158 char path[_POSIX_PATH_MAX];
/* presumably guards against running the initialisation twice -- the check
 * itself is not in the visible lines. */
159 static unsigned char init_complete = 0;
164 if (! HAVE_ENTROPY())
166 /* load entropy from files */
/* The results of the add_entropy calls below are not examined; success is
 * judged only by the second HAVE_ENTROPY() test. */
167 add_entropy (SslEntropyFile);
168 add_entropy (RAND_file_name (path, sizeof (path)));
170 /* load entropy from egd sockets */
/* getenv may return NULL; presumably add_entropy tolerates that -- its NULL
 * handling is not in the visible lines. */
172 add_entropy (getenv ("EGDSOCKET"));
173 snprintf (path, sizeof(path), "%s/.entropy", NONULL(Homedir));
/* NOTE(review): a fixed file name in a shared temporary directory.  The
 * owner and mode test inside add_entropy is the only thing that keeps a
 * file created there by another local user out of the pool. */
175 add_entropy ("/tmp/entropy");
178 /* shuffle $RANDFILE (or ~/.rnd if unset) */
179 RAND_write_file (RAND_file_name (path, sizeof (path)));
181 if (! HAVE_ENTROPY())
183 mutt_error (_("Failed to find enough entropy on your system"));
189 /* I don't think you can do this just before reading the error. The call
190 * itself might clobber the last SSL error. */
191 SSL_load_error_strings();
/* Feed one file into OpenSSL's random pool after checking that it exists,
 * belongs to the current user and is not accessible to group or others.
 * This listing omits some source lines (declarations, NULL handling and the
 * final return). */
197 static int add_entropy (const char *file)
/* A missing file is not an error (0); any other stat failure is (-1). */
204 if (stat (file, &st) == -1)
205 return errno == ENOENT ? 0 : -1;
207 mutt_message (_("Filling entropy pool: %s...\n"),
210 /* check that the file permissions are secure */
/* NOTE(review): the test is made with stat() on the path, and RAND_load_file
 * below opens the path again by name, so the object that was checked and the
 * object that is read are not guaranteed to be the same.  stat() also
 * follows symbolic links. */
211 if (st.st_uid != getuid () ||
212 ((st.st_mode & (S_IWGRP | S_IRGRP)) != 0) ||
213 ((st.st_mode & (S_IWOTH | S_IROTH)) != 0))
215 mutt_error (_("%s has insecure permissions!"), file);
/* -1 asks OpenSSL to read the whole file rather than a bounded prefix. */
224 n = RAND_load_file (file, -1);
/* Without RAND_status the byte count is the only measure HAVE_ENTROPY()
 * has, so it is accumulated here. */
226 #ifndef HAVE_RAND_STATUS
227 if (n > 0) entropy_byte_count += n;
/* conn_open replacement installed by mutt_ssl_socket_setup when SSL cannot
 * be used: it only reports the error.  The return statement is not in the
 * visible lines. */
232 static int ssl_socket_open_err (CONNECTION *conn)
234 mutt_error (_("SSL disabled due the lack of entropy"));
/* Install the SSL callbacks on a CONNECTION.  Two assignments to conn_open
 * are visible: the error stub and the real ssl_socket_open; the condition
 * choosing between them (presumably the result of ssl_init) is not in the
 * visible lines. */
240 int mutt_ssl_socket_setup (CONNECTION * conn)
244 conn->conn_open = ssl_socket_open_err;
248 conn->conn_open = ssl_socket_open;
249 conn->conn_read = ssl_socket_read;
250 conn->conn_write = ssl_socket_write;
251 conn->conn_close = ssl_socket_close;
/* Polling is done on the raw socket, below the TLS layer. */
252 conn->conn_poll = raw_socket_poll;
/* conn_read callback: read decrypted bytes through the connection's SSL
 * object and hand SSL_read's result straight back to the caller.
 * NOTE(review): len is a size_t but SSL_read takes an int length, so a very
 * large len is converted implicitly; SSL_get_error is not consulted here. */
257 static int ssl_socket_read (CONNECTION* conn, char* buf, size_t len)
259 sslsockdata *data = conn->sockdata;
260 return SSL_read (data->ssl, buf, len);
/* conn_write callback: write bytes through the connection's SSL object and
 * return SSL_write's result unchanged.
 * NOTE(review): len is a size_t but SSL_write takes an int length, so a very
 * large len is converted implicitly; SSL_get_error is not consulted here. */
263 static int ssl_socket_write (CONNECTION* conn, const char* buf, size_t len)
265 sslsockdata *data = conn->sockdata;
266 return SSL_write (data->ssl, buf, len);
/* conn_open callback for SSL-from-the-start connections: opens the raw
 * socket, builds the SSL_CTX and SSL objects, applies the protocol options,
 * negotiates, and records the cipher strength.  This listing omits some
 * source lines (braces, declarations and returns). */
269 static int ssl_socket_open (CONNECTION * conn)
274 if (raw_socket_open (conn) < 0)
277 data = (sslsockdata *) safe_calloc (1, sizeof (sslsockdata));
278 conn->sockdata = data;
/* NOTE(review): unlike mutt_ssl_starttls, the visible lines use the result
 * of SSL_CTX_new without testing it for NULL. */
280 data->ctx = SSL_CTX_new (SSLv23_client_method ());
282 /* disable SSL protocols as needed */
/* Each protocol is switched off only when its user option is unset.
 * NOTE(review): SSLv2 and SSLv3 are obsolete and should not be negotiable;
 * whether they are enabled by default depends on option defaults that are
 * not in the visible lines. */
283 if (!option(OPTTLSV1))
285 SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1);
287 if (!option(OPTSSLV2))
289 SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv2);
291 if (!option(OPTSSLV3))
293 SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv3);
296 ssl_get_client_cert(data, conn);
/* NOTE(review): the results of SSL_new and SSL_set_fd are not checked here,
 * although mutt_ssl_starttls checks both. */
298 data->ssl = SSL_new (data->ctx);
299 SSL_set_fd (data->ssl, conn->fd);
/* A non-zero result from ssl_negotiate closes the connection again. */
301 if (ssl_negotiate(conn, data))
303 mutt_socket_close (conn);
307 conn->ssf = SSL_CIPHER_get_bits (SSL_get_current_cipher (data->ssl),
313 /* ssl_negotiate: After SSL state has been initialised, attempt to negotiate
314 * SSL over the wire, including certificate checks. */
/* Runs SSL_connect, turns a failure into a user-visible message, fetches the
 * peer certificate and passes it to ssl_check_certificate.  The certificate
 * decision is made by this file's own code after the handshake; no
 * SSL_CTX_set_verify call appears in the visible lines.  This listing omits
 * some source lines (braces, case labels and returns). */
315 static int ssl_negotiate (CONNECTION *conn, sslsockdata* ssldata)
320 #if OPENSSL_VERSION_NUMBER >= 0x00906000L
321 /* This only exists in 0.9.6 and above. Without it we may get interrupted
322 * reads or writes. Bummer. */
323 SSL_set_mode (ssldata->ssl, SSL_MODE_AUTO_RETRY);
326 if ((err = SSL_connect (ssldata->ssl)) != 1)
328 switch (SSL_get_error (ssldata->ssl, err))
330 case SSL_ERROR_SYSCALL:
331 errmsg = _("I/O error");
/* With a NULL buffer ERR_error_string returns a pointer to a static buffer
 * inside OpenSSL. */
334 errmsg = ERR_error_string (ERR_get_error (), NULL);
337 errmsg = _("unknown error");
340 mutt_error (_("SSL failed: %s"), errmsg);
/* A server that presents no certificate is rejected. */
346 ssldata->cert = SSL_get_peer_certificate (ssldata->ssl);
349 mutt_error (_("Unable to get certificate from peer"));
/* A zero result from ssl_check_certificate means the certificate was not
 * accepted. */
354 if (!ssl_check_certificate (conn, ssldata))
357 mutt_message (_("SSL connection using %s (%s)"),
358 SSL_get_cipher_version (ssldata->ssl), SSL_get_cipher_name (ssldata->ssl));
/* conn_close callback: shut the TLS session down, release the OpenSSL
 * objects and the sslsockdata, then close the raw socket.  This listing
 * omits some source lines (braces, conditions and preprocessor lines). */
364 static int ssl_socket_close (CONNECTION * conn)
366 sslsockdata *data = conn->sockdata;
/* The result of SSL_shutdown is not examined. */
369 SSL_shutdown (data->ssl);
371 /* hold onto this for the life of mutt, in case we want to reconnect.
372 * The purist in me wants a mutt_exit hook. */
/* NOTE(review): the comment above says the certificate is kept, yet an
 * X509_free call follows.  The listing has probably dropped a preprocessor
 * guard around it -- confirm against the full file before relying on either
 * reading. */
374 X509_free (data->cert);
376 SSL_free (data->ssl);
377 SSL_CTX_free (data->ctx);
378 FREE (&conn->sockdata);
381 return raw_socket_close (conn);
/* conn_close callback used after STARTTLS: tears the TLS layer down through
 * ssl_socket_close (which also closes the raw socket) and puts the raw
 * read/write/close callbacks back on the connection.  The declaration of rc
 * and the return are not in the visible lines. */
384 static int tls_close (CONNECTION* conn)
388 rc = ssl_socket_close (conn);
389 conn->conn_read = raw_socket_read;
390 conn->conn_write = raw_socket_write;
391 conn->conn_close = raw_socket_close;
/* Extract one "/TAG=value" component from a one-line X.509 name.  The result
 * lives in a static buffer, so each call overwrites the previous answer and
 * the function is not reentrant.  "Unknown" is the default when the tag is
 * absent.  This listing omits some source lines.
 * NOTE(review): strstr finds the first occurrence of the tag text anywhere
 * in the line and the value is cut at the next '/', so a field value that
 * itself contains tag-like text or a slash is shown incorrectly.  This
 * output feeds the certificate prompt, so treat it as display-only. */
396 static char *x509_get_part (char *line, const char *ndx)
398 static char ret[SHORT_STRING];
401 strfcpy (ret, _("Unknown"), sizeof (ret));
403 c = strstr (line, ndx);
407 c2 = strchr (c, '/');
410 strfcpy (ret, c, sizeof (ret));
/* Write a printable fingerprint of cert into s (capacity l): two hex digits
 * per digest byte, with a space after every second byte.  If the digest
 * cannot be computed a placeholder text is written instead.  This listing
 * omits some source lines.
 * NOTE(review): the fingerprint is an MD5 digest.  MD5 is not collision
 * resistant, and this value is what the user compares in the trust prompt;
 * the certificate comparisons elsewhere in this file use SHA-1. */
418 static void x509_fingerprint (char *s, int l, X509 * cert)
420 unsigned char md[EVP_MAX_MD_SIZE];
424 if (!X509_digest (cert, EVP_md5 (), md, &n))
426 snprintf (s, l, _("[unable to calculate]"));
430 for (j = 0; j < (int) n; j++)
433 snprintf (ch, 8, "%02X%s", md[j], (j % 2 ? " " : ""));
434 safe_strcat (s, l, ch);
/* Render an ASN.1 time as text by printing it into a memory BIO and reading
 * the bytes back into buf; "[invalid date]" is the default content.  The
 * declaration of buf, the NULL test on bio and the release of the BIO are
 * not in the visible lines (buf is presumably static, since a pointer to it
 * is returned -- confirm).
 * NOTE(review): the BIO_read result is discarded, so the text is terminated
 * only if the default string's terminator or the buffer's initial contents
 * happen to follow the bytes read. */
439 static char *asn1time_to_string (ASN1_UTCTIME *tm)
444 strfcpy (buf, _("[invalid date]"), sizeof (buf));
446 bio = BIO_new (BIO_s_mem());
449 if (ASN1_TIME_print (bio, tm))
450 (void) BIO_read (bio, buf, sizeof (buf));
/* Verify peercert against a freshly built X509_STORE whose contents come
 * from the system default paths (when OPTSSLSYSTEMCERTS is set), from
 * SslCertFile, and from the certificates already accepted in this session.
 * The result is whether X509_verify_cert succeeded.  This listing omits some
 * source lines (braces, declarations, the counting of "pass" and returns). */
457 static int check_certificate_by_signer (X509 *peercert)
463 ctx = X509_STORE_new ();
464 if (ctx == NULL) return 0;
466 if (option (OPTSSLSYSTEMCERTS))
468 if (X509_STORE_set_default_paths (ctx))
471 dprint (2, (debugfile, "X509_STORE_set_default_paths failed\n"));
474 if (X509_STORE_load_locations (ctx, SslCertFile, NULL))
477 dprint (2, (debugfile, "X509_STORE_load_locations_failed\n"));
/* NOTE(review): every certificate accepted earlier in the session is added
 * to the store as a trusted entry, including ones the user accepted only
 * once by hand. */
479 for (i = 0; i < sk_X509_num (SslSessionCerts); i++)
480 pass += (X509_STORE_add_cert (ctx, sk_X509_value (SslSessionCerts, i)) != 0);
485 X509_STORE_free (ctx);
/* The session certificates are also supplied as the candidate chain.  The
 * result of X509_STORE_CTX_init is not checked in the visible lines. */
489 X509_STORE_CTX_init (&xsc, ctx, peercert, SslSessionCerts);
491 pass = (X509_verify_cert (&xsc) > 0);
495 char buf[SHORT_STRING];
/* Verification failures are only written to the debug log. */
498 err = X509_STORE_CTX_get_error (&xsc);
499 snprintf (buf, sizeof (buf), "%s (%d)",
500 X509_verify_cert_error_string(err), err);
501 dprint (2, (debugfile, "X509_verify_cert: %s\n", buf));
502 dprint (2, (debugfile, " [%s]\n", peercert->name));
505 X509_STORE_CTX_cleanup (&xsc);
506 X509_STORE_free (ctx);
/* Decide whether cert is the same certificate as peercert, whose SHA-1
 * digest the caller supplies in peermd/peermdlen.  Subject and issuer names
 * are compared first, then the SHA-1 digest of cert is computed and compared
 * with memcmp.  The return statements are not in the visible lines; both
 * callers treat a zero result as "equal". */
511 static int compare_certificates (X509 *cert, X509 *peercert,
512 unsigned char *peermd, unsigned int peermdlen)
514 unsigned char md[EVP_MAX_MD_SIZE];
517 /* Avoid CPU-intensive digest calculation if the certificates are
518 * not even remotely equal.
520 if (X509_subject_name_cmp (cert, peercert) != 0 ||
521 X509_issuer_name_cmp (cert, peercert) != 0)
524 if (!X509_digest (cert, EVP_sha1(), md, &mdlen) || peermdlen != mdlen)
527 if (memcmp(peermd, md, mdlen) != 0)
// Look peercert up in the session cache (SslSessionCerts): its SHA-1 digest
// is computed once and the cache is walked from the newest entry to the
// oldest, using compare_certificates (zero means equal).  This listing omits
// some source lines, including the returns.
// NOTE(review): the lookup is by certificate only; the host the certificate
// was accepted for plays no part in the visible code.
533 static int check_certificate_cache (X509 *peercert)
535 unsigned char peermd[EVP_MAX_MD_SIZE];
536 unsigned int peermdlen;
540 if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen)
546 for (i = sk_X509_num (SslSessionCerts); i-- > 0;)
548 cert = sk_X509_value (SslSessionCerts, i);
549 if (!compare_certificates (cert, peercert, peermd, peermdlen))
// Check peercert against the certificates stored in SslCertFile.  The
// validity window is tested first; then the file is read one PEM certificate
// at a time and each is compared with the peer by name and SHA-1 digest.
// This listing omits some source lines (braces, cleanup and returns).
558 static int check_certificate_by_digest (X509 *peercert)
560 unsigned char peermd[EVP_MAX_MD_SIZE];
561 unsigned int peermdlen;
566 /* expiration check */
// A notBefore in the future or a notAfter in the past is reported to the
// user as well as to the debug log.
567 if (X509_cmp_current_time (X509_get_notBefore (peercert)) >= 0)
569 dprint (2, (debugfile, "Server certificate is not yet valid\n"));
570 mutt_error (_("Server certificate is not yet valid"));
574 if (X509_cmp_current_time (X509_get_notAfter (peercert)) <= 0)
576 dprint (2, (debugfile, "Server certificate has expired"));
577 mutt_error (_("Server certificate has expired"));
582 if ((fp = fopen (SslCertFile, "rt")) == NULL)
585 if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen))
// The same cert pointer is passed back in on every iteration, so the reader
// may reuse the object it allocated on the previous pass.
591 while ((cert = READ_X509_KEY (fp, &cert)) != NULL)
// compare_certificates yields zero on a match, hence the inversion.
593 pass = compare_certificates (cert, peercert, peermd, peermdlen) ? 0 : 1;
604 /* port to mutt from msmtp's tls.c */
/* Compare a host name with a name taken from a certificate.  A certificate
 * name starting with "*." is treated as a wildcard and is compared with the
 * host name from its first dot onward; the comparison is case-insensitive
 * and an empty string on either side is rejected.  This listing omits some
 * source lines (the assignments to cmp1/cmp2 and the returns).
 * NOTE(review): no test on the number of labels following the wildcard is
 * visible, so whether a name such as "*.tld" is refused cannot be told from
 * these lines -- confirm against the full file. */
605 static int hostname_match (const char *hostname, const char *certname)
607 const char *cmp1, *cmp2;
609 if (strncmp(certname, "*.", 2) == 0)
612 cmp2 = strchr(hostname, '.');
628 if (*cmp1 == '\0' || *cmp2 == '\0')
633 if (strcasecmp(cmp1, cmp2) != 0)
641 /* port to mutt from msmtp's tls.c */
/* Check that hostname is named by the certificate: the DNS entries of the
 * subjectAltName extension are tried, then the subject's Common Name.  The
 * host name is converted to its ASCII (IDNA) form first when that is
 * available.  On failure a message is written to err (capacity errlen).
 * This listing omits some source lines (braces, preprocessor lines, cleanup
 * and returns), so it is not visible whether the Common Name is still
 * consulted when subjectAltName entries exist. */
642 static int check_host (X509 *x509cert, const char *hostname, char *err, size_t errlen)
645 /* hostname in ASCII format: */
646 char *hostname_ascii = NULL;
647 /* needed to get the common name: */
648 X509_NAME *x509_subject;
651 /* needed to get the DNS subjectAltNames: */
652 STACK *subj_alt_names;
653 int subj_alt_names_count;
654 GENERAL_NAME *subj_alt_name;
655 /* did we find a name matching hostname? */
658 /* Check if 'hostname' matches the one of the subjectAltName extensions of
659 * type DNS or the Common Name (CN). */
/* If the IDNA conversion fails the unconverted host name is used. */
662 if (idna_to_ascii_lz(hostname, &hostname_ascii, 0) != IDNA_SUCCESS)
664 hostname_ascii = safe_strdup(hostname);
667 hostname_ascii = safe_strdup(hostname);
670 /* Try the DNS subjectAltNames. */
672 if ((subj_alt_names = X509_get_ext_d2i(x509cert, NID_subject_alt_name,
675 subj_alt_names_count = sk_GENERAL_NAME_num(subj_alt_names);
676 for (i = 0; i < subj_alt_names_count; i++)
678 subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i);
679 if (subj_alt_name->type == GEN_DNS)
/* NOTE(review): the IA5String bytes are handed to hostname_match as a C
 * string, so the comparison stops at the first NUL byte.  The visible lines
 * do not compare the ASN.1 length with strlen of the data; without that
 * check a name with an embedded NUL is matched only up to that byte.
 * Confirm whether the omitted lines reject such names. */
681 if ((match_found = hostname_match(hostname_ascii,
682 (char *)(subj_alt_name->d.ia5->data))))
692 /* Try the common name */
693 if (!(x509_subject = X509_get_subject_name(x509cert)))
696 strfcpy (err, _("cannot get certificate subject"), errlen);
/* First call obtains the length, second call fills the buffer.  How a
 * negative length (no Common Name) is handled is not in the visible lines. */
700 bufsize = X509_NAME_get_text_by_NID(x509_subject, NID_commonName,
703 buf = safe_malloc((size_t)bufsize);
704 if (X509_NAME_get_text_by_NID(x509_subject, NID_commonName,
708 strfcpy (err, _("cannot get certificate common name"), errlen);
/* NOTE(review): the same embedded-NUL concern applies to the Common Name:
 * buf is compared as a C string, and no length comparison is visible. */
711 match_found = hostname_match(hostname_ascii, buf);
717 snprintf (err, errlen, _("certificate owner does not match hostname %s"),
726 FREE(&hostname_ascii);
/* Add a copy of c to the session cache, creating the stack on first use, and
 * return the result of the push.
 * NOTE(review): neither sk_new_null nor X509_dup is checked for a NULL
 * result before the push. */
731 static int ssl_cache_trusted_cert (X509 *c)
733 dprint (1, (debugfile, "trusted: %s\n", c->name));
734 if (!SslSessionCerts)
735 SslSessionCerts = sk_new_null();
736 return (sk_X509_push (SslSessionCerts, X509_dup(c)));
739 /* check whether cert is preauthorized */
/* Non-interactive acceptance tests, in this order: session cache, host name
 * check, signer verification, and a digest match against SslCertFile.  This
 * listing omits some source lines (braces, returns and any option test that
 * may gate the host check).
 * NOTE(review): the session-cache test comes before the host name check, and
 * the cache is not keyed by host.  If a cache hit returns success straight
 * away, a certificate accepted for one server is accepted for any other
 * server presenting it, with no host check -- confirm against the returns
 * in the full file. */
740 static int ssl_check_preauth (X509 *cert, CONNECTION *conn)
742 char buf[SHORT_STRING];
744 /* check session cache first */
745 if (check_certificate_cache (cert))
747 dprint (2, (debugfile, "ssl_check_preauth: using cached certificate\n"));
752 if (!check_host (cert, conn->account.host, buf, sizeof (buf)))
754 mutt_error (_("Certificate host check failed: %s"), buf);
758 dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n"));
760 if (check_certificate_by_signer (cert))
762 dprint (2, (debugfile, "ssl_check_preauth: signer check passed\n"));
766 /* automatic check from user's database */
767 if (SslCertFile && check_certificate_by_digest (cert))
769 dprint (2, (debugfile, "ssl_check_preauth: digest check passed\n"));
/* Decide whether the peer's certificate is acceptable.  The pre-authorised
 * checks run first; otherwise the peer's chain is walked from the root end
 * towards the peer and each element is tried against the session cache, the
 * signer check and SslCertFile, falling back to asking the user.  Without a
 * chain the peer certificate alone goes to the interactive prompt.  This
 * listing omits some source lines (braces and every return inside the loop).
 * NOTE(review): because the returns are not visible, it cannot be told from
 * here whether trusting one element of the chain ends the loop with success.
 * If it does, the peer is accepted on the strength of a single element that
 * has not been shown to vouch for it -- confirm the control flow in the full
 * file. */
776 static int ssl_check_certificate (CONNECTION *conn, sslsockdata *data)
778 int i, preauthrc, chain_len;
779 STACK_OF(X509) *chain;
782 if ((preauthrc = ssl_check_preauth (data->cert, conn)) > 0)
/* The element count is taken before chain is tested for NULL. */
785 chain = SSL_get_peer_cert_chain (data->ssl);
786 chain_len = sk_X509_num (chain);
787 if (!chain || (chain_len < 1))
788 return interactive_check_cert (data->cert, 0, 0);
790 /* check the chain from root to peer */
791 for (i = chain_len-1; i >= 0; i--)
793 cert = sk_X509_value (chain, i);
794 if (check_certificate_cache (cert))
795 dprint (2, (debugfile, "ssl chain: already cached: %s\n", cert->name));
/* Automatic checks apply to every non-peer element, and to the peer only
 * when the pre-authorisation result was zero. */
796 else if (i /* 0 is the peer */ || !preauthrc)
798 if (check_certificate_by_signer (cert))
800 dprint (2, (debugfile, "ssl chain: checked by signer: %s\n", cert->name));
801 ssl_cache_trusted_cert (cert);
804 else if (SslCertFile && check_certificate_by_digest (cert))
806 dprint (2, (debugfile, "ssl chain: trusted with file: %s\n", cert->name));
807 ssl_cache_trusted_cert (cert);
810 else /* allow users to shoot their foot */
812 dprint (2, (debugfile, "ssl chain: check failed: %s\n", cert->name));
813 if (interactive_check_cert (cert, i, chain_len))
/* A negative pre-authorisation result for the peer leaves only the manual
 * prompt. */
817 else /* highly suspicious because (i==0 && preauthrc < 0) */
818 if (interactive_check_cert (cert, i, chain_len))
/* Show one certificate to the user and ask whether to reject it, accept it
 * once or accept it always.  idx and len appear to locate the certificate in
 * its chain for the dialog title (the arguments to the title format are not
 * in the visible lines).  "Accept always" appends the certificate to
 * SslCertFile; "accept once" adds it to the session cache.  This listing
 * omits some source lines (braces, declarations, several case bodies and the
 * return). */
825 static int interactive_check_cert (X509 *cert, int idx, int len)
/* Seven tags are listed but the loops below display only the first five. */
828 {"/CN=", "/Email=", "/O=", "/OU=", "/L=", "/ST=", "/C="};
829 char helpstr[LONG_STRING];
832 MUTTMENU *menu = mutt_new_menu (-1);
835 char *name = NULL, *c;
837 dprint (2, (debugfile, "interactive_check_cert: %s\n", cert->name));
840 menu->dialog = (char **) safe_calloc (1, menu->max * sizeof (char *));
841 for (i = 0; i < menu->max; i++)
842 menu->dialog[i] = (char *) safe_calloc (1, SHORT_STRING * sizeof (char));
845 strfcpy (menu->dialog[row], _("This certificate belongs to:"), SHORT_STRING);
/* The subject and issuer shown to the user are parsed out of OpenSSL's
 * one-line name rendering by x509_get_part. */
847 name = X509_NAME_oneline (X509_get_subject_name (cert),
849 dprint (2, (debugfile, "oneline: %s\n", name));
851 for (i = 0; i < 5; i++)
853 c = x509_get_part (name, part[i]);
854 snprintf (menu->dialog[row++], SHORT_STRING, " %s", c);
858 strfcpy (menu->dialog[row], _("This certificate was issued by:"), SHORT_STRING);
860 name = X509_NAME_oneline (X509_get_issuer_name (cert),
862 for (i = 0; i < 5; i++)
864 c = x509_get_part (name, part[i]);
865 snprintf (menu->dialog[row++], SHORT_STRING, " %s", c);
869 snprintf (menu->dialog[row++], SHORT_STRING, _("This certificate is valid"));
870 snprintf (menu->dialog[row++], SHORT_STRING, _(" from %s"),
871 asn1time_to_string (X509_get_notBefore (cert)));
872 snprintf (menu->dialog[row++], SHORT_STRING, _(" to %s"),
873 asn1time_to_string (X509_get_notAfter (cert)));
/* NOTE(review): the fingerprint shown here is the MD5 value produced by
 * x509_fingerprint. */
877 x509_fingerprint (buf, sizeof (buf), cert);
878 snprintf (menu->dialog[row++], SHORT_STRING, _("Fingerprint: %s"), buf);
880 snprintf (title, sizeof (title),
881 _("SSL Certificate check (certificate %d of %d in chain)"),
/* "Accept always" is offered only when a certificate file is configured and
 * the certificate is inside its validity window right now. */
884 if (SslCertFile && X509_cmp_current_time (X509_get_notAfter (cert)) >= 0
885 && X509_cmp_current_time (X509_get_notBefore (cert)) < 0)
887 menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always");
888 menu->keys = _("roa");
892 menu->prompt = _("(r)eject, accept (o)nce");
893 menu->keys = _("ro");
897 mutt_make_help (buf, sizeof (buf), _("Exit "), MENU_GENERIC, OP_EXIT);
898 safe_strcat (helpstr, sizeof (helpstr), buf);
899 mutt_make_help (buf, sizeof (buf), _("Help"), MENU_GENERIC, OP_HELP);
900 safe_strcat (helpstr, sizeof (helpstr), buf);
901 menu->help = helpstr;
904 set_option(OPTUNBUFFEREDINPUT);
907 switch (mutt_menuLoop (menu))
910 case OP_MAX + 1: /* reject */
914 case OP_MAX + 3: /* accept always */
/* NOTE(review): SslCertFile is a trust store, and it is opened in append
 * mode with whatever permissions the file already has (or the process umask
 * if it is created here); the visible lines make no ownership or mode check
 * on it. */
916 if ((fp = fopen (SslCertFile, "a")))
918 if (PEM_write_X509 (fp, cert))
924 mutt_error (_("Warning: Couldn't save certificate"));
929 mutt_message (_("Certificate saved"));
933 case OP_MAX + 2: /* accept once */
935 ssl_cache_trusted_cert (cert);
939 unset_option(OPTUNBUFFEREDINPUT);
940 mutt_menuDestroy (&menu);
941 dprint (2, (debugfile, "ssl interactive_check_cert: done=%d\n", done));
/* Configure a client certificate on the SSL_CTX: the passphrase callback and
 * its userdata (the connection's account) are registered, then certificate
 * and private key are both loaded from the SslClientCert PEM file.  The
 * condition that guards this (presumably SslClientCert being set) is not in
 * the visible lines.
 * NOTE(review): the results of SSL_CTX_use_certificate_file and
 * SSL_CTX_use_PrivateKey_file are ignored, so a missing or unreadable file
 * or a wrong passphrase goes unreported here, and no SSL_CTX_check_private_key
 * call is visible. */
945 static void ssl_get_client_cert(sslsockdata *ssldata, CONNECTION *conn)
949 dprint (2, (debugfile, "Using client certificate %s\n", SslClientCert));
950 SSL_CTX_set_default_passwd_cb_userdata(ssldata->ctx, &conn->account);
951 SSL_CTX_set_default_passwd_cb(ssldata->ctx, ssl_passwd_cb);
952 SSL_CTX_use_certificate_file(ssldata->ctx, SslClientCert, SSL_FILETYPE_PEM);
953 SSL_CTX_use_PrivateKey_file(ssldata->ctx, SslClientCert, SSL_FILETYPE_PEM);
955 /* if we are using a client cert, SASL may expect an external auth name */
956 mutt_account_getuser (&conn->account);
/* OpenSSL passphrase callback: obtains the account's user name and password
 * through mutt's account helpers and copies the password into buf (capacity
 * size).  userdata is the ACCOUNT registered by ssl_get_client_cert.  The
 * failure returns are not in the visible lines. */
960 static int ssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
962 ACCOUNT *account = (ACCOUNT*)userdata;
964 if (mutt_account_getuser (account))
/* Only user, host and port are logged; the password is not. */
967 dprint (2, (debugfile, "ssl_passwd_cb: getting password for %s@%s:%u\n",
968 account->user, account->host, account->port));
970 if (mutt_account_getpass (account))
/* NOTE(review): snprintf returns the length the full string would have had,
 * which exceeds size - 1 when the password is truncated, while the callback
 * is expected to return the number of characters actually stored in buf.
 * The value should be clamped (or truncation treated as failure). */
973 return snprintf(buf, size, "%s", account->pass);