From 486ddb53b93b6677dc3feeb4afaad2ea93a71a81 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 15:50:58 +0100 Subject: Initial merge of tls_verify patch from AopicieR. --- lib/ssl_nss.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) (limited to 'lib/ssl_nss.c') diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c index ec524ca6..4dfa063d 100644 --- a/lib/ssl_nss.c +++ b/lib/ssl_nss.c @@ -51,6 +51,7 @@ struct scd int fd; PRFileDesc *prfd; gboolean established; + gboolean verify; }; static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond ); @@ -131,13 +132,14 @@ static gboolean ssl_starttls_real( gpointer data, gint source, b_input_condition return ssl_connected( conn, conn->fd, B_EV_IO_WRITE ); } -void *ssl_starttls( int fd, ssl_input_function func, gpointer data ) +void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ) { struct scd *conn = g_new0( struct scd, 1 ); conn->fd = fd; conn->func = func; conn->data = data; + conn->verify = verify; /* This function should be called via a (short) timeout instead of directly from here, because these SSL calls are *supposed* to be @@ -157,6 +159,18 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con { struct scd *conn = data; + /* Right now we don't have any verification functionality for nss so we + fail in case verification has been requested by the user. */ + + if( conn->verify ) + { + conn->func( conn->data, NSS_VERIFY_ERROR, NULL, cond ); + if( source >= 0 ) closesocket( source ); + g_free( conn ); + + return FALSE; + } + if( source == -1 ) goto ssl_connected_failure; @@ -176,12 +190,12 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con conn->established = TRUE; - conn->func( conn->data, conn, cond ); + conn->func( conn->data, 0, conn, cond ); return FALSE; ssl_connected_failure: - conn->func( conn->data, NULL, cond ); + conn->func( conn->data, 0, NULL, cond ); PR_Close( conn -> prfd ); if( source >= 0 ) closesocket( source ); -- cgit v1.2.3 From 78b840187cc1e2d370dd758e6a73c21e510107b5 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 18:22:37 +0100 Subject: Move conversion of status codes to status messages into SSL libs. --- lib/ssl_nss.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lib/ssl_nss.c') diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c index 4dfa063d..3f26960c 100644 --- a/lib/ssl_nss.c +++ b/lib/ssl_nss.c @@ -251,3 +251,8 @@ b_input_condition ssl_getdirection( void *conn ) /* Just in case someone calls us, let's return the most likely case: */ return B_EV_IO_READ; } + +char *ssl_verify_strerror( int code ) +{ + return g_strdup( "SSL certificate verification not supported by BitlBee NSS code." ); +} -- cgit v1.2.3 From a72dc2bb447e754295f8efc6f44fc6572f0f8511 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 18:57:20 +0100 Subject: Add verify argument to ssl_connect() so HTTPS-based stuff is also secure. (Think of Twitter, but also MSN/Yahoo! authentication.) --- lib/ssl_nss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/ssl_nss.c') diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c index 3f26960c..5b573f9b 100644 --- a/lib/ssl_nss.c +++ b/lib/ssl_nss.c @@ -102,7 +102,7 @@ void ssl_init( void ) initialized = TRUE; } -void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ) +void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ) { struct scd *conn = g_new0( struct scd, 1 ); -- cgit v1.2.3