Context Navigation

source: lib/ssl_nss.c @ e7434db

Last change on this file since e7434db was 0db6618, checked in by dequis <dx@…>, at 2015-10-26T08:28:10Z

Use proxy_disconnect() in http, ssl, jabber, oscar

Twitter and MSN are all HTTP/SSL, so they don't need it either.

The out of tree facebook and steam plugins are also covered by the
HTTP/SSL changes.

Yahoo is written in a weird way and doesn't seem to need it (it seems it
doesn't immediately stop connections when you tell it to logout)

Property mode set to 100644

File size: 10.4 KB

Rev	Line
[5ebff60]	1	/********************************************************************\
[b7d3cc34]	2	* BitlBee -- An IRC to other IM-networks gateway *
	3	* *
[0e788f5]	4	* Copyright 2002-2012 Wilmer van der Gaast and others *
[b7d3cc34]	5	\********************************************************************/
	6
	7	/* SSL module - NSS version */
	8
[c92e6801]	9	/* Copyright 2005 Jelmer Vernooij */
[b7d3cc34]	10
	11	/*
	12	This program is free software; you can redistribute it and/or modify
	13	it under the terms of the GNU General Public License as published by
	14	the Free Software Foundation; either version 2 of the License, or
	15	(at your option) any later version.
	16
	17	This program is distributed in the hope that it will be useful,
	18	but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	GNU General Public License for more details.
	21
	22	You should have received a copy of the GNU General Public License with
	23	the Debian GNU/Linux distribution in /usr/share/common-licenses/GPL;
[6f10697]	24	if not, write to the Free Software Foundation, Inc., 51 Franklin St.,
	25	Fifth Floor, Boston, MA 02110-1301 USA
[b7d3cc34]	26	*/
	27
	28	#include "bitlbee.h"
	29	#include "proxy.h"
	30	#include "ssl_client.h"
	31	#include "sock.h"
	32	#include <nspr.h>
	33	#include <prio.h>
	34	#include <sslproto.h>
	35	#include <nss.h>
[ef043d3]	36	#include <pk11pub.h>
[b7d3cc34]	37	#include <private/pprio.h>
	38	#include <ssl.h>
[ef043d3]	39	#include <seccomon.h>
[b7d3cc34]	40	#include <secerr.h>
	41	#include <sslerr.h>
[68709f5]	42	#include <assert.h>
	43	#include <unistd.h>
[b7d3cc34]	44
[701acdd4]	45	int ssl_errno = 0;
	46
[b7d3cc34]	47	static gboolean initialized = FALSE;
	48
[68709f5]	49	#define SSLDEBUG 0
	50
	51	struct scd {
[3d64e5b]	52	ssl_input_function func;
[b7d3cc34]	53	gpointer data;
	54	int fd;
[68709f5]	55	char *hostname;
[b7d3cc34]	56	PRFileDesc *prfd;
	57	gboolean established;
[486ddb5]	58	gboolean verify;
[b7d3cc34]	59	};
	60
[68709f5]	61	static gboolean ssl_connected(gpointer data, gint source,
[5ebff60]	62	b_input_condition cond);
[68709f5]	63	static gboolean ssl_starttls_real(gpointer data, gint source,
[5ebff60]	64	b_input_condition cond);
[b7d3cc34]	65
[68709f5]	66	static SECStatus nss_auth_cert(void arg, PRFileDesc socket, PRBool checksig,
[5ebff60]	67	PRBool isserver)
[b7d3cc34]	68	{
	69	return SECSuccess;
	70	}
	71
[68709f5]	72	static SECStatus nss_bad_cert(void arg, PRFileDesc socket)
[b7d3cc34]	73	{
	74	PRErrorCode err;
	75
[5ebff60]	76	if (!arg) {
[68709f5]	77	return SECFailure;
[5ebff60]	78	}
[b7d3cc34]	79
[68709f5]	80	(PRErrorCode ) arg = err = PORT_GetError();
[b7d3cc34]	81
[68709f5]	82	switch (err) {
[b7d3cc34]	83	case SEC_ERROR_INVALID_AVA:
	84	case SEC_ERROR_INVALID_TIME:
	85	case SEC_ERROR_BAD_SIGNATURE:
	86	case SEC_ERROR_EXPIRED_CERTIFICATE:
	87	case SEC_ERROR_UNKNOWN_ISSUER:
	88	case SEC_ERROR_UNTRUSTED_CERT:
	89	case SEC_ERROR_CERT_VALID:
	90	case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
	91	case SEC_ERROR_CRL_EXPIRED:
	92	case SEC_ERROR_CRL_BAD_SIGNATURE:
	93	case SEC_ERROR_EXTENSION_VALUE_INVALID:
	94	case SEC_ERROR_CA_CERT_INVALID:
	95	case SEC_ERROR_CERT_USAGES_INVALID:
	96	case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
	97	return SECSuccess;
	98
	99	default:
	100	return SECFailure;
	101	}
	102	}
	103
[68709f5]	104	void ssl_init(void)
[ba5add7]	105	{
[68709f5]	106	PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
	107	// https://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1234224
	108	// This NSS function is not intended for use with SSL, which
	109	// requires that the certificate and key database files be
	110	// opened. Relates to whole non-verification of servers for now.
[ba5add7]	111	NSS_NoDB_Init(NULL);
	112	NSS_SetDomesticPolicy();
	113	initialized = TRUE;
	114	}
	115
[68709f5]	116	void ssl_connect(char host, int port, gboolean verify,
[5ebff60]	117	ssl_input_function func, gpointer data)
[b7d3cc34]	118	{
[68709f5]	119	struct scd *conn = g_new0(struct scd, 1);
	120
	121	conn->fd = proxy_connect(host, port, ssl_connected, conn);
[b7d3cc34]	122	conn->func = func;
	123	conn->data = data;
[68709f5]	124	conn->hostname = g_strdup(host);
	125
	126	if (conn->fd < 0) {
	127	g_free(conn->hostname);
	128	g_free(conn);
	129	return (NULL);
[b7d3cc34]	130	}
[68709f5]	131
	132	if (!initialized) {
[ba5add7]	133	ssl_init();
[b7d3cc34]	134	}
	135
[68709f5]	136	return (conn);
[b7d3cc34]	137	}
	138
[68709f5]	139	static gboolean ssl_starttls_real(gpointer data, gint source,
[5ebff60]	140	b_input_condition cond)
[ef043d3]	141	{
	142	struct scd *conn = data;
	143
[68709f5]	144	return ssl_connected(conn, conn->fd, B_EV_IO_WRITE);
[ef043d3]	145	}
	146
[68709f5]	147	void ssl_starttls(int fd, char hostname, gboolean verify,
[5ebff60]	148	ssl_input_function func, gpointer data)
[ef043d3]	149	{
[68709f5]	150	struct scd *conn = g_new0(struct scd, 1);
[ef043d3]	151
	152	conn->fd = fd;
	153	conn->func = func;
	154	conn->data = data;
[420ddc00]	155	conn->hostname = g_strdup(hostname);
[68709f5]	156
	157	/* For now, SSL verification is globally enabled by setting the cafile
	158	setting in bitlbee.conf. Commented out by default because probably
	159	not everyone has this file in the same place and plenty of folks
	160	may not have the cert of their private Jabber server in it. */
[200e151]	161	conn->verify = verify && global.conf->cafile;
[ef043d3]	162
	163	/* This function should be called via a (short) timeout instead of
	164	directly from here, because these SSL calls are supposed to be
	165	completely asynchronous and not ready yet when this function
	166	(or *_connect, for examle) returns. Also, errors are reported via
	167	the callback function, not via this function's return value.
	168
	169	In short, doing things like this makes the rest of the code a lot
	170	simpler. */
	171
[68709f5]	172	b_timeout_add(1, ssl_starttls_real, conn);
[ef043d3]	173
	174	return conn;
	175	}
	176
[68709f5]	177	static gboolean ssl_connected(gpointer data, gint source,
[5ebff60]	178	b_input_condition cond)
[b7d3cc34]	179	{
	180	struct scd *conn = data;
[68709f5]	181
[200e151]	182	/* Right now we don't have any verification functionality for NSS. */
[486ddb5]	183
[68709f5]	184	if (conn->verify) {
	185	conn->func(conn->data, 1, NULL, cond);
[5ebff60]	186	if (source >= 0) {
[68709f5]	187	closesocket(source);
[5ebff60]	188	}
[68709f5]	189	g_free(conn->hostname);
	190	g_free(conn);
[486ddb5]	191
	192	return FALSE;
	193	}
[68709f5]	194
[5ebff60]	195	if (source == -1) {
[b7d3cc34]	196	goto ssl_connected_failure;
[5ebff60]	197	}
[68709f5]	198
[6e62132]	199	/* Until we find out how to handle non-blocking I/O with NSS... */
[68709f5]	200	sock_make_blocking(conn->fd);
	201
[b7d3cc34]	202	conn->prfd = SSL_ImportFD(NULL, PR_ImportTCPSocket(source));
[5ebff60]	203	if (!conn->prfd) {
[68709f5]	204	goto ssl_connected_failure;
[5ebff60]	205	}
[b7d3cc34]	206	SSL_OptionSet(conn->prfd, SSL_SECURITY, PR_TRUE);
	207	SSL_OptionSet(conn->prfd, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
[68709f5]	208	SSL_BadCertHook(conn->prfd, (SSLBadCertHandler) nss_bad_cert, NULL);
	209	SSL_AuthCertificateHook(conn->prfd, (SSLAuthCertificate) nss_auth_cert,
[5ebff60]	210	(void *) CERT_GetDefaultCertDB());
[68709f5]	211	SSL_SetURL(conn->prfd, conn->hostname);
[b7d3cc34]	212	SSL_ResetHandshake(conn->prfd, PR_FALSE);
	213
	214	if (SSL_ForceHandshake(conn->prfd)) {
	215	goto ssl_connected_failure;
	216	}
[68709f5]	217
[b7d3cc34]	218	conn->established = TRUE;
[68709f5]	219	conn->func(conn->data, 0, conn, cond);
[ba9edaa]	220	return FALSE;
[68709f5]	221
[5ebff60]	222	ssl_connected_failure:
[68709f5]	223
	224	conn->func(conn->data, 0, NULL, cond);
	225
[5ebff60]	226	if (conn->prfd) {
[68709f5]	227	PR_Close(conn->prfd);
[0db6618]	228	} else if (source >= 0) {
	229	/* proxy_disconnect() would be redundant here */
[68709f5]	230	closesocket(source);
[5ebff60]	231	}
[68709f5]	232	g_free(conn->hostname);
	233	g_free(conn);
	234
[ba9edaa]	235	return FALSE;
[b7d3cc34]	236	}
	237
[68709f5]	238	int ssl_read(void conn, char buf, int len)
[b7d3cc34]	239	{
[68709f5]	240	int st;
	241	PRErrorCode PR_err;
	242
[5ebff60]	243	if (!((struct scd *) conn)->established) {
[68709f5]	244	ssl_errno = SSL_NOHANDSHAKE;
	245	return -1;
	246	}
	247
[5ebff60]	248	st = PR_Read(((struct scd *) conn)->prfd, buf, len);
[68709f5]	249	PR_err = PR_GetError();
	250
	251	ssl_errno = SSL_OK;
[5ebff60]	252	if (PR_err == PR_WOULD_BLOCK_ERROR) {
[68709f5]	253	ssl_errno = SSL_AGAIN;
[5ebff60]	254	}
[68709f5]	255
[5ebff60]	256	if (SSLDEBUG && getenv("BITLBEE_DEBUG") && st > 0) {
[68709f5]	257	len = write(STDERR_FILENO, buf, st);
[5ebff60]	258	}
[68709f5]	259
	260	return st;
[b7d3cc34]	261	}
	262
[68709f5]	263	int ssl_write(void conn, const char buf, int len)
[b7d3cc34]	264	{
[68709f5]	265	int st;
	266	PRErrorCode PR_err;
	267
[5ebff60]	268	if (!((struct scd *) conn)->established) {
[68709f5]	269	ssl_errno = SSL_NOHANDSHAKE;
	270	return -1;
	271	}
[5ebff60]	272	st = PR_Write(((struct scd *) conn)->prfd, buf, len);
[68709f5]	273	PR_err = PR_GetError();
	274
	275	ssl_errno = SSL_OK;
[5ebff60]	276	if (PR_err == PR_WOULD_BLOCK_ERROR) {
[68709f5]	277	ssl_errno = SSL_AGAIN;
[5ebff60]	278	}
[68709f5]	279
[5ebff60]	280	if (SSLDEBUG && getenv("BITLBEE_DEBUG") && st > 0) {
[68709f5]	281	len = write(2, buf, st);
[5ebff60]	282	}
[68709f5]	283
	284	return st;
[b7d3cc34]	285	}
	286
[68709f5]	287	int ssl_pending(void *conn)
[8a2221a7]	288	{
[5ebff60]	289	struct scd c = (struct scd ) conn;
[31c28a4]	290
[68709f5]	291	if (c == NULL) {
[31c28a4]	292	return 0;
	293	}
	294
[68709f5]	295	return (c->established && SSL_DataPending(c->prfd) > 0);
[8a2221a7]	296	}
	297
[68709f5]	298	void ssl_disconnect(void *conn_)
[b7d3cc34]	299	{
	300	struct scd *conn = conn_;
[68709f5]	301
	302	// When we swich to NSS_Init, we should have here
	303	// NSS_Shutdown();
	304
[5ebff60]	305	if (conn->prfd) {
[68709f5]	306	PR_Close(conn->prfd);
[0db6618]	307	} else if (conn->fd) {
	308	proxy_disconnect(conn->fd);
[5ebff60]	309	}
[68709f5]	310
[420ddc00]	311	g_free(conn->hostname);
[68709f5]	312	g_free(conn);
[b7d3cc34]	313	}
	314
[68709f5]	315	int ssl_getfd(void *conn)
[b7d3cc34]	316	{
[5ebff60]	317	return (((struct scd *) conn)->fd);
[b7d3cc34]	318	}
[6e62132]	319
[68709f5]	320	b_input_condition ssl_getdirection(void *conn)
[6e62132]	321	{
	322	/* Just in case someone calls us, let's return the most likely case: */
[e046390]	323	return B_EV_IO_READ;
[6e62132]	324	}
[78b8401]	325
[68709f5]	326	char *ssl_verify_strerror(int code)
	327	{
	328	return
[5ebff60]	329	g_strdup
	330	("SSL certificate verification not supported by BitlBee NSS code.");
[68709f5]	331	}
	332
	333	size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len,
[5ebff60]	334	const unsigned char *input, size_t input_len,
	335	const unsigned char iv, unsigned char *res)
[78b8401]	336	{
[68709f5]	337	#define CIPHER_MECH CKM_DES3_CBC
	338	#define MAX_OUTPUT_LEN 72
	339
	340	int len1;
	341	unsigned int len2;
	342
	343	PK11Context *ctx = NULL;
	344	PK11SlotInfo *slot = NULL;
	345	SECItem keyItem;
	346	SECItem ivItem;
	347	SECItem *secParam = NULL;
	348	PK11SymKey *symKey = NULL;
	349
	350	size_t rc;
	351	SECStatus rv;
	352
	353	if (!initialized) {
	354	ssl_init();
	355	}
	356
[5ebff60]	357	keyItem.data = (unsigned char *) key;
[68709f5]	358	keyItem.len = key_len;
	359
	360	slot = PK11_GetBestSlot(CIPHER_MECH, NULL);
	361	if (slot == NULL) {
	362	fprintf(stderr, "PK11_GetBestSlot failed (err %d)\n",
[5ebff60]	363	PR_GetError());
[68709f5]	364	rc = 0;
	365	goto out;
	366	}
	367
	368	symKey =
[5ebff60]	369	PK11_ImportSymKey(slot, CIPHER_MECH, PK11_OriginUnwrap, CKA_ENCRYPT,
	370	&keyItem, NULL);
[68709f5]	371	if (symKey == NULL) {
	372	fprintf(stderr, "PK11_ImportSymKey failed (err %d)\n",
[5ebff60]	373	PR_GetError());
[68709f5]	374	rc = 0;
	375	goto out;
	376	}
	377
[5ebff60]	378	ivItem.data = (unsigned char *) iv;
[68709f5]	379	/* See msn_soap_passport_sso_handle_response in protocols/msn/soap.c */
	380	ivItem.len = 8;
	381
	382	secParam = PK11_ParamFromIV(CIPHER_MECH, &ivItem);
	383	if (secParam == NULL) {
	384	fprintf(stderr, "PK11_ParamFromIV failed (err %d)\n",
[5ebff60]	385	PR_GetError());
[68709f5]	386	rc = 0;
	387	goto out;
	388	}
	389
	390	ctx =
[5ebff60]	391	PK11_CreateContextBySymKey(CIPHER_MECH, CKA_ENCRYPT, symKey,
	392	secParam);
[68709f5]	393	if (ctx == NULL) {
	394	fprintf(stderr, "PK11_CreateContextBySymKey failed (err %d)\n",
[5ebff60]	395	PR_GetError());
[68709f5]	396	rc = 0;
	397	goto out;
	398	}
	399
	400	*res = g_new0(unsigned char, MAX_OUTPUT_LEN);
	401
	402	rv = PK11_CipherOp(ctx, *res, &len1, MAX_OUTPUT_LEN,
[5ebff60]	403	(unsigned char *) input, input_len);
[68709f5]	404	if (rv != SECSuccess) {
	405	fprintf(stderr, "PK11_CipherOp failed (err %d)\n",
[5ebff60]	406	PR_GetError());
[68709f5]	407	rc = 0;
	408	goto out;
	409	}
	410
	411	assert(len1 <= MAX_OUTPUT_LEN);
	412
	413	rv = PK11_DigestFinal(ctx, *res + len1, &len2,
[5ebff60]	414	(unsigned int) MAX_OUTPUT_LEN - len1);
[68709f5]	415	if (rv != SECSuccess) {
	416	fprintf(stderr, "PK11_DigestFinal failed (err %d)\n",
[5ebff60]	417	PR_GetError());
[68709f5]	418	rc = 0;
	419	goto out;
	420	}
	421
	422	rc = len1 + len2;
	423
[5ebff60]	424	out:
	425	if (ctx) {
[68709f5]	426	PK11_DestroyContext(ctx, PR_TRUE);
[5ebff60]	427	}
	428	if (symKey) {
[68709f5]	429	PK11_FreeSymKey(symKey);
[5ebff60]	430	}
	431	if (secParam) {
[68709f5]	432	SECITEM_FreeItem(secParam, PR_TRUE);
[5ebff60]	433	}
	434	if (slot) {
[68709f5]	435	PK11_FreeSlot(slot);
[5ebff60]	436	}
[68709f5]	437
	438	return rc;
[78b8401]	439	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: lib/ssl_nss.c @ e7434db

Download in other formats: