Context Navigation

source: lib/ssl_nss.c @ 7de784c

Last change on this file since 7de784c was 200e151, checked in by Wilmer van der Gaast <wilmer@…>, at 2011-12-23T22:40:17Z
tls_verify correction: Don't fail cert verification in non-GnuTLS modules unless "cafile" setting is enabled.
Property mode set to `100644`
File size: 6.3 KB

Rev	Line
[b7d3cc34]	1	/********************************************************************\
	2	* BitlBee -- An IRC to other IM-networks gateway *
	3	* *
[c92e6801]	4	* Copyright 2002-2005 Wilmer van der Gaast and others *
[b7d3cc34]	5	\********************************************************************/
	6
	7	/* SSL module - NSS version */
	8
[c92e6801]	9	/* Copyright 2005 Jelmer Vernooij */
[b7d3cc34]	10
	11	/*
	12	This program is free software; you can redistribute it and/or modify
	13	it under the terms of the GNU General Public License as published by
	14	the Free Software Foundation; either version 2 of the License, or
	15	(at your option) any later version.
	16
	17	This program is distributed in the hope that it will be useful,
	18	but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	GNU General Public License for more details.
	21
	22	You should have received a copy of the GNU General Public License with
	23	the Debian GNU/Linux distribution in /usr/share/common-licenses/GPL;
	24	if not, write to the Free Software Foundation, Inc., 59 Temple Place,
	25	Suite 330, Boston, MA 02111-1307 USA
	26	*/
	27
	28	#include "bitlbee.h"
	29	#include "proxy.h"
	30	#include "ssl_client.h"
	31	#include "sock.h"
	32	#include <nspr.h>
	33	#include <prio.h>
	34	#include <sslproto.h>
	35	#include <nss.h>
[ef043d3]	36	#include <pk11pub.h>
[b7d3cc34]	37	#include <private/pprio.h>
	38	#include <ssl.h>
[ef043d3]	39	#include <seccomon.h>
[b7d3cc34]	40	#include <secerr.h>
	41	#include <sslerr.h>
	42
[701acdd4]	43	int ssl_errno = 0;
	44
[b7d3cc34]	45	static gboolean initialized = FALSE;
	46
	47	struct scd
	48	{
[3d64e5b]	49	ssl_input_function func;
[b7d3cc34]	50	gpointer data;
	51	int fd;
	52	PRFileDesc *prfd;
	53	gboolean established;
[486ddb5]	54	gboolean verify;
[b7d3cc34]	55	};
	56
[ba9edaa]	57	static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond );
[ef043d3]	58	static gboolean ssl_starttls_real( gpointer data, gint source, b_input_condition cond );
[b7d3cc34]	59
	60
	61	static SECStatus nss_auth_cert (void arg, PRFileDesc socket, PRBool checksig, PRBool isserver)
	62	{
	63	return SECSuccess;
	64	}
	65
	66	static SECStatus nss_bad_cert (void arg, PRFileDesc socket)
	67	{
	68	PRErrorCode err;
	69
	70	if(!arg) return SECFailure;
	71
	72	(PRErrorCode )arg = err = PORT_GetError();
	73
	74	switch(err) {
	75	case SEC_ERROR_INVALID_AVA:
	76	case SEC_ERROR_INVALID_TIME:
	77	case SEC_ERROR_BAD_SIGNATURE:
	78	case SEC_ERROR_EXPIRED_CERTIFICATE:
	79	case SEC_ERROR_UNKNOWN_ISSUER:
	80	case SEC_ERROR_UNTRUSTED_CERT:
	81	case SEC_ERROR_CERT_VALID:
	82	case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
	83	case SEC_ERROR_CRL_EXPIRED:
	84	case SEC_ERROR_CRL_BAD_SIGNATURE:
	85	case SEC_ERROR_EXTENSION_VALUE_INVALID:
	86	case SEC_ERROR_CA_CERT_INVALID:
	87	case SEC_ERROR_CERT_USAGES_INVALID:
	88	case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
	89	return SECSuccess;
	90
	91	default:
	92	return SECFailure;
	93	}
	94	}
	95
	96
[ba5add7]	97	void ssl_init( void )
	98	{
	99	PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
	100	NSS_NoDB_Init(NULL);
	101	NSS_SetDomesticPolicy();
	102	initialized = TRUE;
	103	}
	104
[a72dc2b]	105	void ssl_connect( char host, int port, gboolean verify, ssl_input_function func, gpointer data )
[b7d3cc34]	106	{
	107	struct scd *conn = g_new0( struct scd, 1 );
	108
	109	conn->fd = proxy_connect( host, port, ssl_connected, conn );
	110	conn->func = func;
	111	conn->data = data;
	112
	113	if( conn->fd < 0 )
	114	{
	115	g_free( conn );
	116	return( NULL );
	117	}
	118
	119	if( !initialized )
	120	{
[ba5add7]	121	ssl_init();
[b7d3cc34]	122	}
	123
	124
	125	return( conn );
	126	}
	127
[ef043d3]	128	static gboolean ssl_starttls_real( gpointer data, gint source, b_input_condition cond )
	129	{
	130	struct scd *conn = data;
	131
	132	return ssl_connected( conn, conn->fd, B_EV_IO_WRITE );
	133	}
	134
[486ddb5]	135	void ssl_starttls( int fd, char hostname, gboolean verify, ssl_input_function func, gpointer data )
[ef043d3]	136	{
	137	struct scd *conn = g_new0( struct scd, 1 );
	138
	139	conn->fd = fd;
	140	conn->func = func;
	141	conn->data = data;
[200e151]	142	conn->verify = verify && global.conf->cafile;
[ef043d3]	143
	144	/* This function should be called via a (short) timeout instead of
	145	directly from here, because these SSL calls are supposed to be
	146	completely asynchronous and not ready yet when this function
	147	(or *_connect, for examle) returns. Also, errors are reported via
	148	the callback function, not via this function's return value.
	149
	150	In short, doing things like this makes the rest of the code a lot
	151	simpler. */
	152
	153	b_timeout_add( 1, ssl_starttls_real, conn );
	154
	155	return conn;
	156	}
	157
[ba9edaa]	158	static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond )
[b7d3cc34]	159	{
	160	struct scd *conn = data;
	161
[200e151]	162	/* Right now we don't have any verification functionality for NSS. */
[486ddb5]	163
	164	if( conn->verify )
	165	{
[200e151]	166	conn->func( conn->data, 1, NULL, cond );
[486ddb5]	167	if( source >= 0 ) closesocket( source );
	168	g_free( conn );
	169
	170	return FALSE;
	171	}
	172
[b7d3cc34]	173	if( source == -1 )
	174	goto ssl_connected_failure;
	175
[6e62132]	176	/* Until we find out how to handle non-blocking I/O with NSS... */
	177	sock_make_blocking( conn->fd );
	178
[b7d3cc34]	179	conn->prfd = SSL_ImportFD(NULL, PR_ImportTCPSocket(source));
	180	SSL_OptionSet(conn->prfd, SSL_SECURITY, PR_TRUE);
	181	SSL_OptionSet(conn->prfd, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
	182	SSL_BadCertHook(conn->prfd, (SSLBadCertHandler)nss_bad_cert, NULL);
	183	SSL_AuthCertificateHook(conn->prfd, (SSLAuthCertificate)nss_auth_cert, (void *)CERT_GetDefaultCertDB());
	184	SSL_ResetHandshake(conn->prfd, PR_FALSE);
	185
	186	if (SSL_ForceHandshake(conn->prfd)) {
	187	goto ssl_connected_failure;
	188	}
	189
	190
	191	conn->established = TRUE;
[486ddb5]	192	conn->func( conn->data, 0, conn, cond );
[ba9edaa]	193	return FALSE;
[b7d3cc34]	194
	195	ssl_connected_failure:
	196
[486ddb5]	197	conn->func( conn->data, 0, NULL, cond );
[b7d3cc34]	198
	199	PR_Close( conn -> prfd );
	200	if( source >= 0 ) closesocket( source );
	201	g_free( conn );
[ba9edaa]	202
	203	return FALSE;
[b7d3cc34]	204	}
	205
	206	int ssl_read( void conn, char buf, int len )
	207	{
	208	if( !((struct scd*)conn)->established )
	209	return( 0 );
	210
	211	return( PR_Read( ((struct scd*)conn)->prfd, buf, len ) );
	212	}
	213
	214	int ssl_write( void conn, const char buf, int len )
	215	{
	216	if( !((struct scd*)conn)->established )
	217	return( 0 );
	218
	219	return( PR_Write ( ((struct scd*)conn)->prfd, buf, len ) );
	220	}
	221
[8a2221a7]	222	int ssl_pending( void *conn )
	223	{
[31c28a4]	224	struct scd c = (struct scd ) conn;
	225
	226	if( c == NULL ) {
	227	return 0;
	228	}
	229
	230	return ( c->established && SSL_DataPending( c->prfd ) > 0 );
[8a2221a7]	231	}
	232
[b7d3cc34]	233	void ssl_disconnect( void *conn_ )
	234	{
	235	struct scd *conn = conn_;
	236
	237	PR_Close( conn->prfd );
	238	closesocket( conn->fd );
	239
	240	g_free( conn );
	241	}
	242
	243	int ssl_getfd( void *conn )
	244	{
	245	return( ((struct scd*)conn)->fd );
	246	}
[6e62132]	247
[ba9edaa]	248	b_input_condition ssl_getdirection( void *conn )
[6e62132]	249	{
	250	/* Just in case someone calls us, let's return the most likely case: */
[e046390]	251	return B_EV_IO_READ;
[6e62132]	252	}
[78b8401]	253
	254	char *ssl_verify_strerror( int code )
	255	{
	256	return g_strdup( "SSL certificate verification not supported by BitlBee NSS code." );
	257	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: