Context Navigation

source: lib/ssl_nss.c @ 5155570

Last change on this file since 5155570 was 31c28a4, checked in by Wilmer van der Gaast <wilmer@…>, at 2010-12-19T11:16:20Z
Implement ssl_pending() for NSS. This fixes bug #368 which so far only affected OpenSSL. Submitted by Ricky Zhou.
Property mode set to `100644`
File size: 5.9 KB

Rev	Line
[b7d3cc34]	1	/********************************************************************\
	2	* BitlBee -- An IRC to other IM-networks gateway *
	3	* *
[c92e6801]	4	* Copyright 2002-2005 Wilmer van der Gaast and others *
[b7d3cc34]	5	\********************************************************************/
	6
	7	/* SSL module - NSS version */
	8
[c92e6801]	9	/* Copyright 2005 Jelmer Vernooij */
[b7d3cc34]	10
	11	/*
	12	This program is free software; you can redistribute it and/or modify
	13	it under the terms of the GNU General Public License as published by
	14	the Free Software Foundation; either version 2 of the License, or
	15	(at your option) any later version.
	16
	17	This program is distributed in the hope that it will be useful,
	18	but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	GNU General Public License for more details.
	21
	22	You should have received a copy of the GNU General Public License with
	23	the Debian GNU/Linux distribution in /usr/share/common-licenses/GPL;
	24	if not, write to the Free Software Foundation, Inc., 59 Temple Place,
	25	Suite 330, Boston, MA 02111-1307 USA
	26	*/
	27
	28	#include "bitlbee.h"
	29	#include "proxy.h"
	30	#include "ssl_client.h"
	31	#include "sock.h"
	32	#include <nspr.h>
	33	#include <prio.h>
	34	#include <sslproto.h>
	35	#include <nss.h>
[ef043d3]	36	#include <pk11pub.h>
[b7d3cc34]	37	#include <private/pprio.h>
	38	#include <ssl.h>
[ef043d3]	39	#include <seccomon.h>
[b7d3cc34]	40	#include <secerr.h>
	41	#include <sslerr.h>
	42
[701acdd4]	43	int ssl_errno = 0;
	44
[b7d3cc34]	45	static gboolean initialized = FALSE;
	46
	47	struct scd
	48	{
[3d64e5b]	49	ssl_input_function func;
[b7d3cc34]	50	gpointer data;
	51	int fd;
	52	PRFileDesc *prfd;
	53	gboolean established;
	54	};
	55
[ba9edaa]	56	static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond );
[ef043d3]	57	static gboolean ssl_starttls_real( gpointer data, gint source, b_input_condition cond );
[b7d3cc34]	58
	59
	60	static SECStatus nss_auth_cert (void arg, PRFileDesc socket, PRBool checksig, PRBool isserver)
	61	{
	62	return SECSuccess;
	63	}
	64
	65	static SECStatus nss_bad_cert (void arg, PRFileDesc socket)
	66	{
	67	PRErrorCode err;
	68
	69	if(!arg) return SECFailure;
	70
	71	(PRErrorCode )arg = err = PORT_GetError();
	72
	73	switch(err) {
	74	case SEC_ERROR_INVALID_AVA:
	75	case SEC_ERROR_INVALID_TIME:
	76	case SEC_ERROR_BAD_SIGNATURE:
	77	case SEC_ERROR_EXPIRED_CERTIFICATE:
	78	case SEC_ERROR_UNKNOWN_ISSUER:
	79	case SEC_ERROR_UNTRUSTED_CERT:
	80	case SEC_ERROR_CERT_VALID:
	81	case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
	82	case SEC_ERROR_CRL_EXPIRED:
	83	case SEC_ERROR_CRL_BAD_SIGNATURE:
	84	case SEC_ERROR_EXTENSION_VALUE_INVALID:
	85	case SEC_ERROR_CA_CERT_INVALID:
	86	case SEC_ERROR_CERT_USAGES_INVALID:
	87	case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
	88	return SECSuccess;
	89
	90	default:
	91	return SECFailure;
	92	}
	93	}
	94
	95
[ba5add7]	96	void ssl_init( void )
	97	{
	98	PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
	99	NSS_NoDB_Init(NULL);
	100	NSS_SetDomesticPolicy();
	101	initialized = TRUE;
	102	}
	103
[3d64e5b]	104	void ssl_connect( char host, int port, ssl_input_function func, gpointer data )
[b7d3cc34]	105	{
	106	struct scd *conn = g_new0( struct scd, 1 );
	107
	108	conn->fd = proxy_connect( host, port, ssl_connected, conn );
	109	conn->func = func;
	110	conn->data = data;
	111
	112	if( conn->fd < 0 )
	113	{
	114	g_free( conn );
	115	return( NULL );
	116	}
	117
	118	if( !initialized )
	119	{
[ba5add7]	120	ssl_init();
[b7d3cc34]	121	}
	122
	123
	124	return( conn );
	125	}
	126
[ef043d3]	127	static gboolean ssl_starttls_real( gpointer data, gint source, b_input_condition cond )
	128	{
	129	struct scd *conn = data;
	130
	131	return ssl_connected( conn, conn->fd, B_EV_IO_WRITE );
	132	}
	133
	134	void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
	135	{
	136	struct scd *conn = g_new0( struct scd, 1 );
	137
	138	conn->fd = fd;
	139	conn->func = func;
	140	conn->data = data;
	141
	142	/* This function should be called via a (short) timeout instead of
	143	directly from here, because these SSL calls are supposed to be
	144	completely asynchronous and not ready yet when this function
	145	(or *_connect, for examle) returns. Also, errors are reported via
	146	the callback function, not via this function's return value.
	147
	148	In short, doing things like this makes the rest of the code a lot
	149	simpler. */
	150
	151	b_timeout_add( 1, ssl_starttls_real, conn );
	152
	153	return conn;
	154	}
	155
[ba9edaa]	156	static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond )
[b7d3cc34]	157	{
	158	struct scd *conn = data;
	159
	160	if( source == -1 )
	161	goto ssl_connected_failure;
	162
[6e62132]	163	/* Until we find out how to handle non-blocking I/O with NSS... */
	164	sock_make_blocking( conn->fd );
	165
[b7d3cc34]	166	conn->prfd = SSL_ImportFD(NULL, PR_ImportTCPSocket(source));
	167	SSL_OptionSet(conn->prfd, SSL_SECURITY, PR_TRUE);
	168	SSL_OptionSet(conn->prfd, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
	169	SSL_BadCertHook(conn->prfd, (SSLBadCertHandler)nss_bad_cert, NULL);
	170	SSL_AuthCertificateHook(conn->prfd, (SSLAuthCertificate)nss_auth_cert, (void *)CERT_GetDefaultCertDB());
	171	SSL_ResetHandshake(conn->prfd, PR_FALSE);
	172
	173	if (SSL_ForceHandshake(conn->prfd)) {
	174	goto ssl_connected_failure;
	175	}
	176
	177
	178	conn->established = TRUE;
	179	conn->func( conn->data, conn, cond );
[ba9edaa]	180	return FALSE;
[b7d3cc34]	181
	182	ssl_connected_failure:
	183
	184	conn->func( conn->data, NULL, cond );
	185
	186	PR_Close( conn -> prfd );
	187	if( source >= 0 ) closesocket( source );
	188	g_free( conn );
[ba9edaa]	189
	190	return FALSE;
[b7d3cc34]	191	}
	192
	193	int ssl_read( void conn, char buf, int len )
	194	{
	195	if( !((struct scd*)conn)->established )
	196	return( 0 );
	197
	198	return( PR_Read( ((struct scd*)conn)->prfd, buf, len ) );
	199	}
	200
	201	int ssl_write( void conn, const char buf, int len )
	202	{
	203	if( !((struct scd*)conn)->established )
	204	return( 0 );
	205
	206	return( PR_Write ( ((struct scd*)conn)->prfd, buf, len ) );
	207	}
	208
[8a2221a7]	209	/* See ssl_openssl.c for an explanation. */
	210	int ssl_pending( void *conn )
	211	{
[31c28a4]	212	struct scd c = (struct scd ) conn;
	213
	214	if( c == NULL ) {
	215	return 0;
	216	}
	217
	218	return ( c->established && SSL_DataPending( c->prfd ) > 0 );
[8a2221a7]	219	}
	220
[b7d3cc34]	221	void ssl_disconnect( void *conn_ )
	222	{
	223	struct scd *conn = conn_;
	224
	225	PR_Close( conn->prfd );
	226	closesocket( conn->fd );
	227
	228	g_free( conn );
	229	}
	230
	231	int ssl_getfd( void *conn )
	232	{
	233	return( ((struct scd*)conn)->fd );
	234	}
[6e62132]	235
[ba9edaa]	236	b_input_condition ssl_getdirection( void *conn )
[6e62132]	237	{
	238	/* Just in case someone calls us, let's return the most likely case: */
[e046390]	239	return B_EV_IO_READ;
[6e62132]	240	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: