source: lib/ssl_nss.c @ b52e478

Last change on this file since b52e478 was 8a2221a7, checked in by Wilmer van der Gaast <wilmer@…>, at 2008-03-23T14:29:19Z

Fixed stalling issue with OpenSSL and Jabber (#368).

  • Property mode set to 100644
File size: 4.7 KB
Line 
1  /********************************************************************\
2  * BitlBee -- An IRC to other IM-networks gateway                     *
3  *                                                                    *
4  * Copyright 2002-2005 Wilmer van der Gaast and others                *
5  \********************************************************************/
6
7/* SSL module - NSS version                                             */
8
9/* Copyright 2005 Jelmer Vernooij                                       */
10
11/*
12  This program is free software; you can redistribute it and/or modify
13  it under the terms of the GNU General Public License as published by
14  the Free Software Foundation; either version 2 of the License, or
15  (at your option) any later version.
16
17  This program is distributed in the hope that it will be useful,
18  but WITHOUT ANY WARRANTY; without even the implied warranty of
19  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20  GNU General Public License for more details.
21
22  You should have received a copy of the GNU General Public License with
23  the Debian GNU/Linux distribution in /usr/share/common-licenses/GPL;
24  if not, write to the Free Software Foundation, Inc., 59 Temple Place,
25  Suite 330, Boston, MA  02111-1307  USA
26*/
27
28#include "bitlbee.h"
29#include "proxy.h"
30#include "ssl_client.h"
31#include "sock.h"
32#include <nspr.h>
33#include <prio.h>
34#include <sslproto.h>
35#include <nss.h>
36#include <private/pprio.h>
37#include <ssl.h>
38#include <secerr.h>
39#include <sslerr.h>
40
41int ssl_errno = 0;
42
43static gboolean initialized = FALSE;
44
45struct scd
46{
47        ssl_input_function func;
48        gpointer data;
49        int fd;
50        PRFileDesc *prfd;
51        gboolean established;
52};
53
54static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond );
55
56
57static SECStatus nss_auth_cert (void *arg, PRFileDesc *socket, PRBool checksig, PRBool isserver)
58{
59        return SECSuccess;
60}
61
62static SECStatus nss_bad_cert (void *arg, PRFileDesc *socket) 
63{
64        PRErrorCode err;
65
66        if(!arg) return SECFailure;
67
68        *(PRErrorCode *)arg = err = PORT_GetError();
69
70        switch(err) {
71        case SEC_ERROR_INVALID_AVA:
72        case SEC_ERROR_INVALID_TIME:
73        case SEC_ERROR_BAD_SIGNATURE:
74        case SEC_ERROR_EXPIRED_CERTIFICATE:
75        case SEC_ERROR_UNKNOWN_ISSUER:
76        case SEC_ERROR_UNTRUSTED_CERT:
77        case SEC_ERROR_CERT_VALID:
78        case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
79        case SEC_ERROR_CRL_EXPIRED:
80        case SEC_ERROR_CRL_BAD_SIGNATURE:
81        case SEC_ERROR_EXTENSION_VALUE_INVALID:
82        case SEC_ERROR_CA_CERT_INVALID:
83        case SEC_ERROR_CERT_USAGES_INVALID:
84        case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
85                return SECSuccess;
86
87        default:
88                return SECFailure;
89        }
90}
91
92
93void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
94{
95        struct scd *conn = g_new0( struct scd, 1 );
96       
97        conn->fd = proxy_connect( host, port, ssl_connected, conn );
98        conn->func = func;
99        conn->data = data;
100       
101        if( conn->fd < 0 )
102        {
103                g_free( conn );
104                return( NULL );
105        }
106       
107        if( !initialized )
108        {
109                PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
110                NSS_NoDB_Init(NULL);
111                NSS_SetDomesticPolicy();
112        }
113
114       
115        return( conn );
116}
117
118static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond )
119{
120        struct scd *conn = data;
121       
122        if( source == -1 )
123                goto ssl_connected_failure;
124       
125        /* Until we find out how to handle non-blocking I/O with NSS... */
126        sock_make_blocking( conn->fd );
127       
128        conn->prfd = SSL_ImportFD(NULL, PR_ImportTCPSocket(source));
129        SSL_OptionSet(conn->prfd, SSL_SECURITY, PR_TRUE);
130        SSL_OptionSet(conn->prfd, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
131        SSL_BadCertHook(conn->prfd, (SSLBadCertHandler)nss_bad_cert, NULL);
132        SSL_AuthCertificateHook(conn->prfd, (SSLAuthCertificate)nss_auth_cert, (void *)CERT_GetDefaultCertDB());
133        SSL_ResetHandshake(conn->prfd, PR_FALSE);
134
135        if (SSL_ForceHandshake(conn->prfd)) {
136                goto ssl_connected_failure;
137        }
138       
139       
140        conn->established = TRUE;
141        conn->func( conn->data, conn, cond );
142        return FALSE;
143       
144        ssl_connected_failure:
145       
146        conn->func( conn->data, NULL, cond );
147       
148        PR_Close( conn -> prfd );
149        if( source >= 0 ) closesocket( source );
150        g_free( conn );
151       
152        return FALSE;
153}
154
155int ssl_read( void *conn, char *buf, int len )
156{
157        if( !((struct scd*)conn)->established )
158                return( 0 );
159       
160        return( PR_Read( ((struct scd*)conn)->prfd, buf, len ) );
161}
162
163int ssl_write( void *conn, const char *buf, int len )
164{
165        if( !((struct scd*)conn)->established )
166                return( 0 );
167       
168        return( PR_Write ( ((struct scd*)conn)->prfd, buf, len ) );
169}
170
171/* See ssl_openssl.c for an explanation. */
172int ssl_pending( void *conn )
173{
174        return 0;
175}
176
177void ssl_disconnect( void *conn_ )
178{
179        struct scd *conn = conn_;
180       
181        PR_Close( conn->prfd );
182        closesocket( conn->fd );
183       
184        g_free( conn );
185}
186
187int ssl_getfd( void *conn )
188{
189        return( ((struct scd*)conn)->fd );
190}
191
192b_input_condition ssl_getdirection( void *conn )
193{
194        /* Just in case someone calls us, let's return the most likely case: */
195        return GAIM_INPUT_READ;
196}
Note: See TracBrowser for help on using the repository browser.