|
6738
|
1 /**
|
|
|
2 * @file ssl-nss.c SSL Operations for Mozilla NSS
|
|
|
3 * @ingroup core
|
|
|
4 *
|
|
|
5 * gaim
|
|
|
6 *
|
|
|
7 * Copyright (C) 2003 Christian Hammond <chipx86@gnupdate.org>
|
|
|
8 *
|
|
|
9 * This program is free software; you can redistribute it and/or modify
|
|
|
10 * it under the terms of the GNU General Public License as published by
|
|
|
11 * the Free Software Foundation; either version 2 of the License, or
|
|
|
12 * (at your option) any later version.
|
|
|
13 *
|
|
|
14 * This program is distributed in the hope that it will be useful,
|
|
|
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
17 * GNU General Public License for more details.
|
|
|
18 *
|
|
|
19 * You should have received a copy of the GNU General Public License
|
|
|
20 * along with this program; if not, write to the Free Software
|
|
|
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
22 */
|
|
|
23 #include "debug.h"
|
|
|
24 #include "sslconn.h"
|
|
|
25
|
|
|
26 #include <nspr.h>
|
|
|
27 #include <nss.h>
|
|
|
28 #include <pk11func.h>
|
|
|
29 #include <prio.h>
|
|
|
30 #include <secerr.h>
|
|
|
31 #include <secmod.h>
|
|
|
32 #include <ssl.h>
|
|
|
33 #include <sslerr.h>
|
|
|
34 #include <sslproto.h>
|
|
|
35
|
|
|
36 typedef struct
|
|
|
37 {
|
|
|
38 PRFileDesc *fd;
|
|
|
39 PRFileDesc *in;
|
|
|
40
|
|
|
41 } GaimSslNssData;
|
|
|
42
|
|
|
43 #define GAIM_SSL_NSS_DATA(gsc) ((GaimSslNssData *)gsc->private_data)
|
|
|
44
|
|
|
45 static const PRIOMethods *_nss_methods = NULL;
|
|
|
46 static PRDescIdentity _identity;
|
|
|
47
|
|
|
48 static SECStatus
|
|
|
49 ssl_auth_cert(void *arg, PRFileDesc *socket, PRBool checksig,
|
|
|
50 PRBool is_server)
|
|
|
51 {
|
|
|
52 return SECSuccess;
|
|
|
53
|
|
|
54 #if 0
|
|
|
55 CERTCertificate *cert;
|
|
|
56 void *pinArg;
|
|
|
57 SECStatus status;
|
|
|
58
|
|
|
59 cert = SSL_PeerCertificate(socket);
|
|
|
60 pinArg = SSL_RevealPinArg(socket);
|
|
|
61
|
|
|
62 status = CERT_VerifyCertNow((CERTCertDBHandle *)arg, cert, checksig,
|
|
|
63 certUsageSSLClient, pinArg);
|
|
|
64
|
|
|
65 if (status != SECSuccess) {
|
|
|
66 gaim_debug_error("nss", "CERT_VerifyCertNow failed\n");
|
|
|
67 CERT_DestroyCertificate(cert);
|
|
|
68 return status;
|
|
|
69 }
|
|
|
70
|
|
|
71 CERT_DestroyCertificate(cert);
|
|
|
72 return SECSuccess;
|
|
|
73 #endif
|
|
|
74 }
|
|
|
75
|
|
|
76 SECStatus
|
|
|
77 ssl_bad_cert(void *arg, PRFileDesc *socket)
|
|
|
78 {
|
|
|
79 SECStatus status = SECFailure;
|
|
|
80 PRErrorCode err;
|
|
|
81
|
|
|
82 if (arg == NULL)
|
|
|
83 return status;
|
|
|
84
|
|
|
85 *(PRErrorCode *)arg = err = PORT_GetError();
|
|
|
86
|
|
|
87 switch (err)
|
|
|
88 {
|
|
|
89 case SEC_ERROR_INVALID_AVA:
|
|
|
90 case SEC_ERROR_INVALID_TIME:
|
|
|
91 case SEC_ERROR_BAD_SIGNATURE:
|
|
|
92 case SEC_ERROR_EXPIRED_CERTIFICATE:
|
|
|
93 case SEC_ERROR_UNKNOWN_ISSUER:
|
|
|
94 case SEC_ERROR_UNTRUSTED_CERT:
|
|
|
95 case SEC_ERROR_CERT_VALID:
|
|
|
96 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
|
|
|
97 case SEC_ERROR_CRL_EXPIRED:
|
|
|
98 case SEC_ERROR_CRL_BAD_SIGNATURE:
|
|
|
99 case SEC_ERROR_EXTENSION_VALUE_INVALID:
|
|
|
100 case SEC_ERROR_CA_CERT_INVALID:
|
|
|
101 case SEC_ERROR_CERT_USAGES_INVALID:
|
|
|
102 case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
|
|
|
103 status = SECSuccess;
|
|
|
104 break;
|
|
|
105
|
|
|
106 default:
|
|
|
107 status = SECFailure;
|
|
|
108 break;
|
|
|
109 }
|
|
|
110
|
|
|
111 gaim_debug_error("nss", "Bad certificate: %d\n");
|
|
|
112
|
|
|
113 return status;
|
|
|
114 }
|
|
|
115
|
|
|
116 static void
|
|
|
117 input_func(gpointer data, gint source, GaimInputCondition cond)
|
|
|
118 {
|
|
|
119 GaimSslConnection *gsc = (GaimSslConnection *)data;
|
|
|
120 GaimSslNssData *nss_data = GAIM_SSL_NSS_DATA(gsc);
|
|
|
121 char *cp, *ip, *sp;
|
|
|
122 int op, kp0, kp1;
|
|
|
123 int result;
|
|
|
124
|
|
|
125 result = SSL_SecurityStatus(nss_data->in, &op, &cp, &kp0,
|
|
|
126 &kp1, &ip, &sp);
|
|
|
127
|
|
|
128 gaim_debug_misc("nss",
|
|
|
129 "bulk cipher %s, %d secret key bits, %d key bits, status: %d\n"
|
|
|
130 "subject DN: %s\n"
|
|
|
131 "issuer DN: %s\n",
|
|
|
132 cp, kp1, kp0, op, sp, ip);
|
|
|
133
|
|
|
134 PR_Free(cp);
|
|
|
135 PR_Free(ip);
|
|
|
136 PR_Free(sp);
|
|
|
137
|
|
|
138 gsc->input_func(gsc->user_data, gsc, cond);
|
|
|
139 }
|
|
|
140
|
|
|
141 static gboolean
|
|
|
142 ssl_nss_init(void)
|
|
|
143 {
|
|
|
144 PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
|
|
|
145 NSS_NoDB_Init(NULL);
|
|
|
146
|
|
|
147 /* TODO: Fix this so autoconf does the work trying to find this lib. */
|
|
|
148 SECMOD_AddNewModule("Builtins", LIBDIR "/libnssckbi.so", 0, 0);
|
|
|
149 NSS_SetDomesticPolicy();
|
|
|
150
|
|
|
151 _identity = PR_GetUniqueIdentity("Gaim");
|
|
|
152 _nss_methods = PR_GetDefaultIOMethods();
|
|
|
153
|
|
|
154 return TRUE;
|
|
|
155 }
|
|
|
156
|
|
|
157 static void
|
|
|
158 ssl_nss_uninit(void)
|
|
|
159 {
|
|
|
160 PR_Cleanup();
|
|
|
161
|
|
|
162 _nss_methods = NULL;
|
|
|
163 }
|
|
|
164
|
|
|
165 static void
|
|
|
166 ssl_nss_connect_cb(gpointer data, gint source, GaimInputCondition cond)
|
|
|
167 {
|
|
|
168 GaimSslConnection *gsc = (GaimSslConnection *)data;
|
|
|
169 GaimSslNssData *nss_data = g_new0(GaimSslNssData, 1);
|
|
|
170 PRSocketOptionData socket_opt;
|
|
|
171
|
|
|
172 gsc->private_data = nss_data;
|
|
|
173
|
|
|
174 gsc->fd = source;
|
|
|
175
|
|
|
176 nss_data->fd = PR_ImportTCPSocket(gsc->fd);
|
|
|
177
|
|
|
178 if (nss_data->fd == NULL)
|
|
|
179 {
|
|
|
180 gaim_debug_error("nss", "nss_data->fd == NULL!\n");
|
|
|
181
|
|
|
182 gaim_ssl_close((GaimSslConnection *)gsc);
|
|
|
183
|
|
|
184 return;
|
|
|
185 }
|
|
|
186
|
|
|
187 socket_opt.option = PR_SockOpt_Nonblocking;
|
|
|
188 socket_opt.value.non_blocking = PR_FALSE;
|
|
|
189
|
|
|
190 PR_SetSocketOption(nss_data->fd, &socket_opt);
|
|
|
191
|
|
|
192 nss_data->in = SSL_ImportFD(NULL, nss_data->fd);
|
|
|
193
|
|
|
194 if (nss_data->in == NULL)
|
|
|
195 {
|
|
|
196 gaim_debug_error("nss", "nss_data->in == NUL!\n");
|
|
|
197
|
|
|
198 gaim_ssl_close((GaimSslConnection *)gsc);
|
|
|
199
|
|
|
200 return;
|
|
|
201 }
|
|
|
202
|
|
|
203 SSL_OptionSet(nss_data->in, SSL_SECURITY, PR_TRUE);
|
|
|
204 SSL_OptionSet(nss_data->in, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
|
|
|
205
|
|
|
206 SSL_AuthCertificateHook(nss_data->in,
|
|
|
207 (SSLAuthCertificate)ssl_auth_cert,
|
|
|
208 (void *)CERT_GetDefaultCertDB());
|
|
|
209 SSL_BadCertHook(nss_data->in, (SSLBadCertHandler)ssl_bad_cert, NULL);
|
|
|
210
|
|
|
211 SSL_SetURL(nss_data->in, gsc->host);
|
|
|
212
|
|
|
213 SSL_ResetHandshake(nss_data->in, PR_FALSE);
|
|
|
214
|
|
|
215 if (SSL_ForceHandshake(nss_data->in))
|
|
|
216 {
|
|
|
217 gaim_debug_error("nss", "Handshake failed\n");
|
|
|
218
|
|
|
219 gaim_ssl_close((GaimSslConnection *)gsc);
|
|
|
220
|
|
|
221 return;
|
|
|
222 }
|
|
|
223
|
|
|
224 #if 0
|
|
|
225 gsc->input_func(gsc->user_data, (GaimSslConnection *)gsc,
|
|
|
226 cond);
|
|
|
227 #endif
|
|
|
228
|
|
|
229 input_func(gsc, source, cond);
|
|
|
230 }
|
|
|
231
|
|
|
232 static void
|
|
|
233 ssl_nss_close(GaimSslConnection *gsc)
|
|
|
234 {
|
|
|
235 GaimSslNssData *nss_data = GAIM_SSL_NSS_DATA(gsc);
|
|
|
236
|
|
|
237 if (nss_data->in) PR_Close(nss_data->in);
|
|
|
238 if (nss_data->fd) PR_Close(nss_data->fd);
|
|
|
239
|
|
|
240 g_free(nss_data);
|
|
|
241 }
|
|
|
242
|
|
|
243 static size_t
|
|
|
244 ssl_nss_read(GaimSslConnection *gsc, void *data, size_t len)
|
|
|
245 {
|
|
|
246 GaimSslNssData *nss_data = GAIM_SSL_NSS_DATA(gsc);
|
|
|
247
|
|
|
248 return PR_Read(nss_data->in, data, len);
|
|
|
249 }
|
|
|
250
|
|
|
251 static size_t
|
|
|
252 ssl_nss_write(GaimSslConnection *gsc, const void *data, size_t len)
|
|
|
253 {
|
|
|
254 GaimSslNssData *nss_data = GAIM_SSL_NSS_DATA(gsc);
|
|
|
255
|
|
|
256 return PR_Write(nss_data->in, data, len);
|
|
|
257 }
|
|
|
258
|
|
|
259 static GaimSslOps ssl_ops =
|
|
|
260 {
|
|
|
261 ssl_nss_init,
|
|
|
262 ssl_nss_uninit,
|
|
|
263 ssl_nss_connect_cb,
|
|
|
264 ssl_nss_close,
|
|
|
265 ssl_nss_read,
|
|
|
266 ssl_nss_write
|
|
|
267 };
|
|
|
268
|
|
|
269 GaimSslOps *
|
|
|
270 gaim_ssl_nss_get_ops()
|
|
|
271 {
|
|
|
272 return &ssl_ops;
|
|
|
273 }
|
