Attachment #2427 for bug #14373

View | Details | Raw Unified | Return to bug 14373
Collapse All | Expand All

Lines 427-435 Link Here

(-)gnubiff-2.2.9.orig/src/gnubiff_options.cc (-2 / +2 lines)
427	"address_entry"));	427	"address_entry"));
428	// AUTHENTICATION	428	// AUTHENTICATION
429	const static guint i4[] = {AUTH_AUTODETECT, AUTH_USER_PASS, AUTH_APOP,	429	const static guint i4[] = {AUTH_AUTODETECT, AUTH_USER_PASS, AUTH_APOP,
430	AUTH_SSL, AUTH_CERTIFICATE, AUTH_NONE, 0};	430	AUTH_SSL, AUTH_CERTIFICATE, AUTH_TLS, AUTH_NONE, 0};
431	const static gchar *s4[] = {"autodetect", "user_pass", "apop", "ssl",	431	const static gchar *s4[] = {"autodetect", "user_pass", "apop", "ssl",
432	"certificate", "-", NULL};	432	"certificate", "tls", "-", NULL};
433	add_option (new Option_UInt ("authentication", OPTGRP_MAILBOX,	433	add_option (new Option_UInt ("authentication", OPTGRP_MAILBOX,
434	"Authentication to be used when connecting to the server via the "	434	"Authentication to be used when connecting to the server via the "
435	"internet.\n"	435	"internet.\n"

Lines 63-68 Link Here

(-)gnubiff-2.2.9.orig/src/gnubiff_options.h (+1 lines)
63	const guint AUTH_APOP = 2;	63	const guint AUTH_APOP = 2;
64	const guint AUTH_SSL = 3;	64	const guint AUTH_SSL = 3;
65	const guint AUTH_CERTIFICATE = 4;	65	const guint AUTH_CERTIFICATE = 4;
		66	const guint AUTH_TLS = 5;
66	const guint AUTH_NONE = (guint)-1;	67	const guint AUTH_NONE = (guint)-1;
67		68
68	const guint MAILBOX_ERROR = 0;	69	const guint MAILBOX_ERROR = 0;





	// CAPABILITY
	command_capability (true);
	
#ifdef HAVE_LIBSSL
	// Negotiate TLS encryption
	if (authentication() == AUTH_TLS) {
		if (can_starttls_) {
			sendline ("STARTTLS");
			readline (line);
			if (!socket_->starttls (certificate())) {
				throw imap_command_err();
			}
		} else {
			command_logout();
			throw imap_nologin_err();
		}
	}
#endif

	// LOGIN
	command_login();

 * The command "CAPABILITY" is sent to the server to get the supported
 * capabilities. Currently gnubiff recognizes the following capabilities:
 * \begin{itemize}
 *    \item STARTTLS: Server supports TLS encryption.
 *    \item IDLE: If the server has the IDLE capability, gnubiff uses the
 *          IDLE command instead of polling.
 *    \item LOGINDISABLED: The server wants us not to login.

	// Looking for supported capabilities
	idleable_ = use_idle () && (line.find (" IDLE ") != std::string::npos);

	// Some sites advertise LOGINDISABLED until STARTTLS is used
	if (line.find (" LOGINDISABLED ") != std::string::npos && line.find (" STARTTLS ") == std::string::npos) {
		command_logout();
		throw imap_nologin_err();
	}

	// CAPABILITY command, maybe the server sends additional capabilities
	if (((idleable_ == false) && use_idle()) && check_rc && !command_sent)
		command_capability (false);

	// Check for STARTTLS support
	can_starttls_ = (line.find (" STARTTLS ") != std::string::npos);
}

/**

Lines 47-52 Link Here

(-)gnubiff-2.2.9.orig/src/imap4.h (+3 lines)
47	/// Does the server support the IDLE capability?	47	/// Does the server support the IDLE capability?
48	gboolean idleable_;	48	gboolean idleable_;
49		49
		50	/// Does the server support STARTTLS?
		51	gboolean can_starttls_;
		52
50	/// Is the server currently idled?	53	/// Is the server currently idled?
51	gboolean idled_;	54	gboolean idled_;
52		55

Lines 231-236 Link Here

(-)gnubiff-2.2.9.orig/src/mailbox.cc (+1 lines)
231	return 993;	231	return 993;
232	return ((protocol == PROTOCOL_POP3) ? 995 : 0);	232	return ((protocol == PROTOCOL_POP3) ? 995 : 0);
233	case AUTH_USER_PASS:	233	case AUTH_USER_PASS:
		234	case AUTH_TLS:
234	if (protocol == PROTOCOL_IMAP4)	235	if (protocol == PROTOCOL_IMAP4)
235	return 143;	236	return 143;
236	return ((protocol == PROTOCOL_POP3) ? 110 : 0);	237	return ((protocol == PROTOCOL_POP3) ? 110 : 0);




	return 1;
}

gint
Socket::starttls (std::string certificate)
{
#ifdef HAVE_LIBSSL
	char *err_buf;
	
	err_buf = (char*) malloc (120);
	
	context_ = SSL_CTX_new (TLSv1_client_method());

		if (certificate_.size() > 0) {
			const gchar *capath = mailbox_->biff()->value_gchar ("dir_certificates");
			if (*capath == '\0')
				capath = NULL;
			if (!SSL_CTX_load_verify_locations (context_, certificate_.c_str(),
												capath)) {
				g_warning(_("[%d] Failed to load certificate (%s) for %s"),
						  uin_, certificate_.c_str(), hostname_.c_str());
				::close (sd_);
				sd_ = SD_CLOSE;
				return 0;
			}
			SSL_CTX_set_verify (context_, SSL_VERIFY_PEER, NULL);
		}
		else
			SSL_CTX_set_verify (context_, SSL_VERIFY_NONE, NULL);

		ssl_ = SSL_new (context_);
		if ((!ssl_) || (SSL_set_fd (ssl_, sd_) == 0)) {
			::close (sd_);
			sd_ = SD_CLOSE;
			g_warning (_("[%d] Unable to set file descriptor: %s"), uin_,
					   hostname_.c_str());
			return 0;
		}

		if (SSL_connect (ssl_) != 1) {
			ERR_error_string(ERR_get_error(), err_buf);
			SSL_free (ssl_);
			ssl_ = NULL;
			::close (sd_);
			sd_ = SD_CLOSE;
			g_warning (_("[%d] Unable to negotiate TLS connection: %s"), uin_, err_buf);
			return 0;
		}

		if ((certificate_.size() > 0) && (SSL_get_verify_result(ssl_) != X509_V_OK)) {
			g_static_mutex_lock (&ui_cert_mutex_);
			ui_cert_->select (this);
			g_static_mutex_unlock (&ui_cert_mutex_);
			if (!bypass_certificate_) {
				SSL_free (ssl_);
				ssl_ = NULL;
				::close (sd_);
				sd_ = SD_CLOSE;
				g_warning (_("[%d] Cannot identify remote host (%s on port %d)"), uin_, hostname_.c_str(), port_);
			}
		}

	use_ssl_ = true;
	
#endif
	status_ = SOCKET_STATUS_OK;
	return 1;
}

/**
 *  Close the socket.
 */

Lines 91-96 Link Here

(-)gnubiff-2.2.9.orig/src/socket.h (+1 lines)
91	guint authentication = AUTH_SSL,	91	guint authentication = AUTH_SSL,
92	std::string certificate = "",	92	std::string certificate = "",
93	guint timeout = 5);	93	guint timeout = 5);
		94	gint starttls (std::string certificate = "");
94	void close (void);	95	void close (void);
95	gint write (std::string line, gboolean print = true);	96	gint write (std::string line, gboolean print = true);
96	gint read (std::string &line,	97	gint read (std::string &line,

Lines 156-161 Link Here

(-)gnubiff-2.2.9.orig/src/ui-properties.cc (+7 lines)
156	{ "SSL", GTK_STOCK_DIALOG_AUTHENTICATION, "SSL",	156	{ "SSL", GTK_STOCK_DIALOG_AUTHENTICATION, "SSL",
157	0, 0, G_CALLBACK(PROPERTIES_on_auth_changed)},	157	0, 0, G_CALLBACK(PROPERTIES_on_auth_changed)},
158	{ "Certificate", GTK_STOCK_DIALOG_AUTHENTICATION, _("SSL with certificate"),	158	{ "Certificate", GTK_STOCK_DIALOG_AUTHENTICATION, _("SSL with certificate"),
		159	0, 0, G_CALLBACK(PROPERTIES_on_auth_changed)},
		160	{ "TLS", GTK_STOCK_DIALOG_AUTHENTICATION, "TLS",
159	0, 0, G_CALLBACK(PROPERTIES_on_auth_changed)}	161	0, 0, G_CALLBACK(PROPERTIES_on_auth_changed)}
160	};	162	};
161	static const char *auth_ui_description =	163	static const char *auth_ui_description =
Lines 166-171 Link Here
166	" <menuitem action='Apop'/>"	168	" <menuitem action='Apop'/>"
167	" <menuitem action='SSL'/>"	169	" <menuitem action='SSL'/>"
168	" <menuitem action='Certificate'/>"	170	" <menuitem action='Certificate'/>"
		171	" <menuitem action='TLS'/>"
169	" </popup>"	172	" </popup>"
170	"</ui>";	173	"</ui>";
171	action_group = gtk_action_group_new ("actions");	174	action_group = gtk_action_group_new ("actions");
Lines 302-307 Link Here
302	selected_auth_ = AUTH_CERTIFICATE;	305	selected_auth_ = AUTH_CERTIFICATE;
303	certificate_view (true);	306	certificate_view (true);
304	}	307	}
		308	else if (auth == "TLS") {
		309	selected_auth_ = AUTH_TLS;
		310	certificate_view (false);
		311	}
305	else {	312	else {
306	selected_auth_ = AUTH_AUTODETECT;	313	selected_auth_ = AUTH_AUTODETECT;
307	certificate_view (false);	314	certificate_view (false);

Return to bug 14373

Lines 263-268 Link Here

(-)gnubiff-2.2.9.orig/src/imap4.cc (-1 / +22 lines)
263		263
264	// CAPABILITY	264	// CAPABILITY
265	command_capability (true);	265	command_capability (true);
		266
		267	#ifdef HAVE_LIBSSL
		268	// Negotiate TLS encryption
		269	if (authentication() == AUTH_TLS) {
		270	if (can_starttls_) {
		271	sendline ("STARTTLS");
		272	readline (line);
		273	if (!socket_->starttls (certificate())) {
		274	throw imap_command_err();
		275	}
		276	} else {
		277	command_logout();
		278	throw imap_nologin_err();
		279	}
		280	}
		281	#endif
266		282
267	// LOGIN	283	// LOGIN
268	command_login();	284	command_login();
Lines 369-374 Link Here
369	* The command "CAPABILITY" is sent to the server to get the supported	385	* The command "CAPABILITY" is sent to the server to get the supported
370	* capabilities. Currently gnubiff recognizes the following capabilities:	386	* capabilities. Currently gnubiff recognizes the following capabilities:
371	* \begin{itemize}	387	* \begin{itemize}
		388	* \item STARTTLS: Server supports TLS encryption.
372	* \item IDLE: If the server has the IDLE capability, gnubiff uses the	389	* \item IDLE: If the server has the IDLE capability, gnubiff uses the
373	* IDLE command instead of polling.	390	* IDLE command instead of polling.
374	* \item LOGINDISABLED: The server wants us not to login.	391	* \item LOGINDISABLED: The server wants us not to login.
Lines 418-424 Link Here
418	// Looking for supported capabilities	435	// Looking for supported capabilities
419	idleable_ = use_idle () && (line.find (" IDLE ") != std::string::npos);	436	idleable_ = use_idle () && (line.find (" IDLE ") != std::string::npos);
420		437
421	if (line.find (" LOGINDISABLED ") != std::string::npos) {	438	// Some sites advertise LOGINDISABLED until STARTTLS is used
		439	if (line.find (" LOGINDISABLED ") != std::string::npos && line.find (" STARTTLS ") == std::string::npos) {
422	command_logout();	440	command_logout();
423	throw imap_nologin_err();	441	throw imap_nologin_err();
424	}	442	}
Lines 428-433 Link Here
428	// CAPABILITY command, maybe the server sends additional capabilities	446	// CAPABILITY command, maybe the server sends additional capabilities
429	if (((idleable_ == false) && use_idle()) && check_rc && !command_sent)	447	if (((idleable_ == false) && use_idle()) && check_rc && !command_sent)
430	command_capability (false);	448	command_capability (false);
		449
		450	// Check for STARTTLS support
		451	can_starttls_ = (line.find (" STARTTLS ") != std::string::npos);
431	}	452	}
432		453
433	/**	454	/**

Lines 267-272 Link Here

(-)gnubiff-2.2.9.orig/src/socket.cc (+66 lines)
267	return 1;	267	return 1;
268	}	268	}
269		269
		270	gint
		271	Socket::starttls (std::string certificate)
		272	{
		273	#ifdef HAVE_LIBSSL
		274	char *err_buf;
		275
		276	err_buf = (char*) malloc (120);
		277
		278	context_ = SSL_CTX_new (TLSv1_client_method());
		279
		280	if (certificate_.size() > 0) {
		281	const gchar *capath = mailbox_->biff()->value_gchar ("dir_certificates");
		282	if (*capath == '\0')
		283	capath = NULL;
		284	if (!SSL_CTX_load_verify_locations (context_, certificate_.c_str(),
		285	capath)) {
		286	g_warning(_("[%d] Failed to load certificate (%s) for %s"),
		287	uin_, certificate_.c_str(), hostname_.c_str());
		288	::close (sd_);
		289	sd_ = SD_CLOSE;
		290	return 0;
		291	}
		292	SSL_CTX_set_verify (context_, SSL_VERIFY_PEER, NULL);
		293	}
		294	else
		295	SSL_CTX_set_verify (context_, SSL_VERIFY_NONE, NULL);
		296
		297	ssl_ = SSL_new (context_);
		298	if ((!ssl_) \|\| (SSL_set_fd (ssl_, sd_) == 0)) {
		299	::close (sd_);
		300	sd_ = SD_CLOSE;
		301	g_warning (_("[%d] Unable to set file descriptor: %s"), uin_,
		302	hostname_.c_str());
		303	return 0;
		304	}
		305
		306	if (SSL_connect (ssl_) != 1) {
		307	ERR_error_string(ERR_get_error(), err_buf);
		308	SSL_free (ssl_);
		309	ssl_ = NULL;
		310	::close (sd_);
		311	sd_ = SD_CLOSE;
		312	g_warning (_("[%d] Unable to negotiate TLS connection: %s"), uin_, err_buf);
		313	return 0;
		314	}
		315
		316	if ((certificate_.size() > 0) && (SSL_get_verify_result(ssl_) != X509_V_OK)) {
		317	g_static_mutex_lock (&ui_cert_mutex_);
		318	ui_cert_->select (this);
		319	g_static_mutex_unlock (&ui_cert_mutex_);
		320	if (!bypass_certificate_) {
		321	SSL_free (ssl_);
		322	ssl_ = NULL;
		323	::close (sd_);
		324	sd_ = SD_CLOSE;
		325	g_warning (_("[%d] Cannot identify remote host (%s on port %d)"), uin_, hostname_.c_str(), port_);
		326	}
		327	}
		328
		329	use_ssl_ = true;
		330
		331	#endif
		332	status_ = SOCKET_STATUS_OK;
		333	return 1;
334	}
335
270	/**	336	/**
271	* Close the socket.	337	* Close the socket.
272	*/	338	*/