view src/sslconn.c @ 6703:36897b9e009f

[gaim-migrate @ 7229] Forgot the SSL wrapper code. committer: Tailor Script <tailor@pidgin.im>
author Christian Hammond <chipx86@chipx86.com>
date Tue, 02 Sep 2003 04:43:28 +0000
parents
children b0913ab92893
line wrap: on
line source

/**
 * @file sslconn.c SSL API
 * @ingroup core
 *
 * gaim
 *
 * Copyright (C) 2003 Christian Hammond <chipx86@gnupdate.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */
#include "internal.h"

#include "debug.h"
#include "sslconn.h"

#ifdef HAVE_NSS
# include <nspr.h>
# include <nss.h>
# include <pk11func.h>
# include <prio.h>
# include <secerr.h>
# include <secmod.h>
# include <ssl.h>
# include <sslerr.h>
# include <sslproto.h>

typedef struct
{
	char *host;
	int port;
	void *user_data;
	GaimSslInputFunction input_func;

	int fd;
	int inpa;

	PRFileDesc *nss_fd;
	PRFileDesc *nss_in;

} GaimSslData;

static gboolean _nss_initialized = FALSE;
static const PRIOMethods *_nss_methods = NULL;
static PRDescIdentity _identity;

static void
destroy_ssl_data(GaimSslData *data)
{
	if (data->inpa)   gaim_input_remove(data->inpa);
	if (data->nss_in) PR_Close(data->nss_in);
	if (data->nss_fd) PR_Close(data->nss_fd);
	if (data->fd)     close(data->fd);

	if (data->host != NULL)
		g_free(data->host);

	g_free(data);
}

static void
init_nss(void)
{
	if (_nss_initialized)
		return;

	PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
	NSS_NoDB_Init(NULL);

	/* TODO: Fix this so autoconf does the work trying to find this lib. */
	SECMOD_AddNewModule("Builtins", LIBDIR "/libnssckbi.so", 0, 0);
	NSS_SetDomesticPolicy();

	_identity = PR_GetUniqueIdentity("Gaim");
	_nss_methods = PR_GetDefaultIOMethods();

	_nss_initialized = TRUE;
}

static SECStatus
ssl_auth_cert(void *arg, PRFileDesc *socket, PRBool checksig, PRBool is_server)
{
	return SECSuccess;

#if 0
	CERTCertificate *cert;
	void *pinArg;
	SECStatus status;

	cert = SSL_PeerCertificate(socket);
	pinArg = SSL_RevealPinArg(socket);

	status = CERT_VerifyCertNow((CERTCertDBHandle *)arg, cert, checksig,
								certUsageSSLClient, pinArg);

	if (status != SECSuccess) {
		gaim_debug(GAIM_DEBUG_ERROR, "msn", "CERT_VerifyCertNow failed\n");
		CERT_DestroyCertificate(cert);
		return status;
	}

	CERT_DestroyCertificate(cert);
	return SECSuccess;
#endif
}

SECStatus
ssl_bad_cert(void *arg, PRFileDesc *socket)
{
	SECStatus status = SECFailure;
	PRErrorCode err;

	if (arg == NULL)
		return status;

	*(PRErrorCode *)arg = err = PORT_GetError();

	switch (err)
	{
		case SEC_ERROR_INVALID_AVA:
		case SEC_ERROR_INVALID_TIME:
		case SEC_ERROR_BAD_SIGNATURE:
		case SEC_ERROR_EXPIRED_CERTIFICATE:
		case SEC_ERROR_UNKNOWN_ISSUER:
		case SEC_ERROR_UNTRUSTED_CERT:
		case SEC_ERROR_CERT_VALID:
		case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
		case SEC_ERROR_CRL_EXPIRED:
		case SEC_ERROR_CRL_BAD_SIGNATURE:
		case SEC_ERROR_EXTENSION_VALUE_INVALID:
		case SEC_ERROR_CA_CERT_INVALID:
		case SEC_ERROR_CERT_USAGES_INVALID:
		case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
			status = SECSuccess;
			break;

		default:
			status = SECFailure;
			break;
	}

	gaim_debug(GAIM_DEBUG_ERROR, "msn",
			   "Bad certificate: %d\n");

	return status;
}

static void
input_func(gpointer data, gint source, GaimInputCondition cond)
{
	GaimSslData *ssl_data = (GaimSslData *)data;
	char *cp, *ip, *sp;
	int op, kp0, kp1;
	int result;

	result = SSL_SecurityStatus(ssl_data->nss_in, &op, &cp, &kp0,
								&kp1, &ip, &sp);

	gaim_debug(GAIM_DEBUG_MISC, "msn",
		"bulk cipher %s, %d secret key bits, %d key bits, status: %d\n"
		"subject DN: %s\n"
		"issuer  DN: %s\n",
		cp, kp1, kp0, op, sp, ip);

	PR_Free(cp);
	PR_Free(ip);
	PR_Free(sp);

	ssl_data->input_func(ssl_data->user_data, (GaimSslConnection *)ssl_data,
						 cond);
}

static void
ssl_connect_cb(gpointer data, gint source, GaimInputCondition cond)
{
	PRSocketOptionData socket_opt;
	GaimSslData *ssl_data = (GaimSslData *)data;

	if (!_nss_initialized)
		init_nss();

	ssl_data->fd = source;

	ssl_data->nss_fd = PR_ImportTCPSocket(ssl_data->fd);

	if (ssl_data->nss_fd == NULL)
	{
		gaim_debug(GAIM_DEBUG_ERROR, "ssl", "nss_fd == NULL!\n");

		destroy_ssl_data(ssl_data);

		return;
	}

	socket_opt.option = PR_SockOpt_Nonblocking;
	socket_opt.value.non_blocking = PR_FALSE;

	PR_SetSocketOption(ssl_data->nss_fd, &socket_opt);

	ssl_data->nss_in = SSL_ImportFD(NULL, ssl_data->nss_fd);

	if (ssl_data->nss_in == NULL)
	{
		gaim_debug(GAIM_DEBUG_ERROR, "ssl", "nss_in == NUL!\n");

		destroy_ssl_data(ssl_data);

		return;
	}

	SSL_OptionSet(ssl_data->nss_in, SSL_SECURITY,            PR_TRUE);
	SSL_OptionSet(ssl_data->nss_in, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);

	SSL_AuthCertificateHook(ssl_data->nss_in,
							(SSLAuthCertificate)ssl_auth_cert,
							(void *)CERT_GetDefaultCertDB());
	SSL_BadCertHook(ssl_data->nss_in, (SSLBadCertHandler)ssl_bad_cert, NULL);

	SSL_SetURL(ssl_data->nss_in, ssl_data->host);

	SSL_ResetHandshake(ssl_data->nss_in, PR_FALSE);

	if (SSL_ForceHandshake(ssl_data->nss_in))
	{
		gaim_debug(GAIM_DEBUG_ERROR, "ssl", "Handshake failed\n");

		destroy_ssl_data(ssl_data);

		return;
	}

#if 0
	ssl_data->input_func(ssl_data->user_data, (GaimSslConnection *)ssl_data,
						 cond);
#endif

	input_func(ssl_data, source, cond);
}
#endif /* HAVE_NSS */

gboolean
gaim_ssl_is_supported(void)
{
#ifdef HAVE_NSS
	return TRUE;
#else
	return FALSE;
#endif
}

GaimSslConnection *
gaim_ssl_connect(GaimAccount *account, const char *host, int port,
				 GaimSslInputFunction func, void *data)
{
#ifdef HAVE_NSS
	int i;
	GaimSslData *ssl_data;

	g_return_val_if_fail(host != NULL,            NULL);
	g_return_val_if_fail(port != 0 && port != -1, NULL);
	g_return_val_if_fail(func != NULL,            NULL);
	g_return_val_if_fail(gaim_ssl_is_supported(), NULL);

	ssl_data = g_new0(GaimSslData, 1);

	ssl_data->host       = g_strdup(host);
	ssl_data->port       = port;
	ssl_data->user_data  = data;
	ssl_data->input_func = func;

	i = gaim_proxy_connect(account, host, port, ssl_connect_cb, ssl_data);

	if (i < 0)
	{
		g_free(ssl_data->host);
		g_free(ssl_data);

		return NULL;
	}

	return (GaimSslConnection)ssl_data;
#else
	g_return_val_if_fail(gaim_ssl_is_supported(), -1);
#endif
}

void
gaim_ssl_close(GaimSslConnection *gsc)
{
	g_return_if_fail(gsc != NULL);

#ifdef HAVE_NSS
	destroy_ssl_data((GaimSslData *)gsc);
#endif
}

size_t
gaim_ssl_read(GaimSslConnection *gsc, void *data, size_t len)
{
#ifdef HAVE_NSS
	GaimSslData *ssl_data = (GaimSslData *)gsc;

	g_return_val_if_fail(gsc  != NULL, 0);
	g_return_val_if_fail(data != NULL, 0);
	g_return_val_if_fail(len  >  0,    0);

	return PR_Read(ssl_data->nss_in, data, len);
#else
	return 0;
#endif
}

size_t
gaim_ssl_write(GaimSslConnection *gsc, const void *data, size_t len)
{
#ifdef HAVE_NSS
	GaimSslData *ssl_data = (GaimSslData *)gsc;

	g_return_val_if_fail(gsc  != NULL, 0);
	g_return_val_if_fail(data != NULL, 0);
	g_return_val_if_fail(len  >  0,    0);

	return PR_Write(ssl_data->nss_in, data, len);
#else
	return 0;
#endif
}

void
gaim_ssl_init(void)
{
}

void
gaim_ssl_uninit(void)
{
	if (!_nss_initialized)
		return;

#ifdef HAVE_NSS
	PR_Cleanup();
#endif

	_nss_initialized = FALSE;
	_nss_methods     = NULL;
}