~ubuntu-branches/ubuntu/karmic/libtinymail/karmic

accept = camel_session_alert_user_with_id (ssl->priv->session, CAMEL_SESSION_ALERT_WARNING, CAMEL_EXCEPTION_SERVICE_CERTIFICATE, prompt, TRUE, priv->service);

1206

g_free(prompt);

1207

if (accept) {

1208

camel_certdb_nss_cert_set(certdb, ccert, cert);

1209

camel_cert_set_trust(certdb, ccert, CAMEL_CERT_TRUST_FULLY);

1210

camel_certdb_touch(certdb);

1211

}

1212

} else {

1213

accept = ccert->trust != CAMEL_CERT_TRUST_NEVER;

1214

}

1215

1216

camel_certdb_cert_unref(certdb, ccert);

1217

camel_object_unref(certdb);

1218

1219

priv->accepted = accept;

1220

1221

return accept ? SECSuccess : SECFailure;

1222

1223

#if 0

1224

int i, error;

1225

CERTCertTrust trust;

1226

SECItem *certs[1];

1227

int go = 1;

1228

char *host, *nick;

1229

1230

error = PR_GetError();

1231

1232

/* This code is basically what mozilla does - however it doesn't seem to work here

1233

very reliably :-/ */

1234

while (go && status != SECSuccess) {

1235

char *prompt = NULL;

1236

1237

printf("looping, error '%d'\n", error);

1238

1239

switch(error) {

1240

case SEC_ERROR_UNKNOWN_ISSUER:

1241

case SEC_ERROR_CA_CERT_INVALID:

1242

case SEC_ERROR_UNTRUSTED_ISSUER:

1243

case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:

1244

/* add certificate */

1245

printf("unknown issuer, adding ... \n");

1246

prompt = g_strdup_printf(_("Certificate problem: %s\nIssuer: %s"), cert->subjectName, cert->issuerName);

1247

1248

CamelService *service = NULL; /* TODO: Is there a CamelService that we can use? */

1249

if (camel_session_alert_user_with_id(ssl->priv->session, CAMEL_SESSION_ALERT_WARNING, CAMEL_EXCEPTION_SERVICE_CERTIFICATE, prompt, TRUE, service)) {

1250

1251

nick = get_nickname(cert);

1252

if (NULL == nick) {

1253

g_free(prompt);

1254

status = SECFailure;

1255

break;

1256

}

1257

1258

printf("adding cert '%s'\n", nick);

1259

1260

if (!cert->trust) {

1261

cert->trust = (CERTCertTrust*)PORT_ArenaZAlloc(cert->arena, sizeof(CERTCertTrust));

1262

CERT_DecodeTrustString(cert->trust, "P");

1263

}

1264

1265

certs[0] = &cert->derCert;

1266

/*CERT_ImportCerts (cert->dbhandle, certUsageSSLServer, 1, certs, NULL, TRUE, FALSE, nick);*/

1267

CERT_ImportCerts(cert->dbhandle, certUsageUserCertImport, 1, certs, NULL, TRUE, FALSE, nick);

1268

g_free(nick);

1269

1270

printf(" cert type %08x\n", cert->nsCertType);

1271

1272

memset((void*)&trust, 0, sizeof(trust));

1273

if (CERT_GetCertTrust(cert, &trust) != SECSuccess) {

1274

CERT_DecodeTrustString(&trust, "P");

1275

}

1276

trust.sslFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;

1277

if (CERT_ChangeCertTrust(cert->dbhandle, cert, &trust) != SECSuccess) {

1278

printf("couldn't change cert trust?\n");

1279

}

1280

1281

/*status = SECSuccess;*/

1282

#if 1

1283

/* re-verify? */

1284

status = CERT_VerifyCertNow(cert->dbhandle, cert, TRUE, certUsageSSLServer, NULL);

1285

error = PR_GetError();

1286

printf("re-verify status %d, error %d\n", status, error);

1287

#endif

1288

1289

printf(" cert type %08x\n", cert->nsCertType);

1290

} else {

1291

printf("failed/cancelled\n");

1292

go = 0;

1293

}

1294

1295

break;

1296

case SSL_ERROR_BAD_CERT_DOMAIN:

1297

printf("bad domain\n");

1298

1299

prompt = g_strdup_printf(_("Bad certificate domain: %s\nIssuer: %s"), cert->subjectName, cert->issuerName);

1300

1301

CamelService *service = NULL; /* TODO: Is there a CamelService that we can use? */

1302

if (camel_session_alert_user_with_id (ssl->priv->session, CAMEL_SESSION_ALERT_WARNING, CAMEL_EXCEPTION_SERVICE_CERTIFICATE, prompt, TRUE, service)) {

1303

host = SSL_RevealURL(sockfd);

1304

status = CERT_AddOKDomainName(cert, host);

1305

printf("add ok domain name : %s\n", status == SECFailure?"fail":"ok");

1306

error = PR_GetError();

1307

if (status == SECFailure)

1308

go = 0;

1309

} else {

1310

go = 0;

1311

}

1312

1313

break;

1314

1315

case SEC_ERROR_EXPIRED_CERTIFICATE:

1316

printf("expired\n");

1317

1318

prompt = g_strdup_printf(_("Certificate expired: %s\nIssuer: %s"), cert->subjectName, cert->issuerName);

1319

1320

CamelService *service = NULL; /* TODO: Is there a CamelService that we can use? */

1321

if (camel_session_alert_user_with_id(ssl->priv->session, CAMEL_SESSION_ALERT_WARNING, CAMEL_EXCEPTION_SERVICE_CERTIFICATE, prompt, TRUE, service)) {

1322

cert->timeOK = PR_TRUE;

1323

status = CERT_VerifyCertNow(cert->dbhandle, cert, TRUE, certUsageSSLClient, NULL);

1324

error = PR_GetError();

1325

if (status == SECFailure)

1326

go = 0;

1327

} else {

1328

go = 0;

1329

}

1330

1331

break;

1332

1333

case SEC_ERROR_CRL_EXPIRED:

1334

printf("crl expired\n");

1335

1336

prompt = g_strdup_printf(_("Certificate revocation list expired: %s\nIssuer: %s"), cert->subjectName, cert->issuerName);

1337

1338

CamelService *service = NULL; /* TODO: Is there a CamelService that we can use? */

1339

if (camel_session_alert_user_with_id(ssl->priv->session, CAMEL_SESSION_ALERT_WARNING, CAMEL_EXCEPTION_SERVICE_CERTIFICATE, prompt, TRUE, service)) {

1340

host = SSL_RevealURL(sockfd);

1341

status = CERT_AddOKDomainName(cert, host);

1342

}

1343

1344

go = 0;

1345

break;

1346

1347

default:

1348

printf("generic error\n");

1349

go = 0;

1350

break;

1351

}

1352

1353

g_free(prompt);

1354

}

1355

1356

CERT_DestroyCertificate(cert);

1357

1358

return status;

1359

#endif

1360

}

1361

1362

static PRFileDesc *

1363

enable_ssl (CamelTcpStreamSSL *ssl, PRFileDesc *fd)

1364

{

1365

PRFileDesc *ssl_fd;

1366

1367

ssl_fd = SSL_ImportFD (NULL, fd ? fd : ssl->priv->sockfd);

1368

if (!ssl_fd)

1369

return NULL;

1370

1371

SSL_OptionSet (ssl_fd, SSL_SECURITY, PR_TRUE);

1372

1373

if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL2)

1374

SSL_OptionSet (ssl_fd, SSL_ENABLE_SSL2, PR_TRUE);

1375

else

1376

SSL_OptionSet (ssl_fd, SSL_ENABLE_SSL2, PR_FALSE);

1377

1378

if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL3)

1379

SSL_OptionSet (ssl_fd, SSL_ENABLE_SSL3, PR_TRUE);

1380

else

1381

SSL_OptionSet (ssl_fd, SSL_ENABLE_SSL3, PR_FALSE);

1382

1383

if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_TLS)

1384

SSL_OptionSet (ssl_fd, SSL_ENABLE_TLS, PR_TRUE);

1385

else

1386

SSL_OptionSet (ssl_fd, SSL_ENABLE_TLS, PR_FALSE);

1387

1388

SSL_SetURL (ssl_fd, ssl->priv->expected_host);

1389

1390

/*SSL_GetClientAuthDataHook (sslSocket, ssl_get_client_auth, (void *) certNickname);*/

1391

/*SSL_AuthCertificateHook (ssl_fd, ssl_auth_cert, (void *) CERT_GetDefaultCertDB ());*/

1392

SSL_BadCertHook (ssl_fd, ssl_bad_cert, ssl);

1393

1394

ssl->priv->ssl_mode = TRUE;

1395

1396

return ssl_fd;

1397

}

1398

1399

static int

1400

sockaddr_to_praddr(struct sockaddr *s, int len, PRNetAddr *addr)

1401

{

1402

/* We assume the ip addresses are the same size - they have to be anyway.

1403

We could probably just use memcpy *shrug* */

1404

1405

memset(addr, 0, sizeof(*addr));

1406

1407

if (s->sa_family == AF_INET) {

1408

struct sockaddr_in *sin = (struct sockaddr_in *)s;

1409

1410

if (len < sizeof(*sin))

1411

return -1;

1412

1413

addr->inet.family = PR_AF_INET;

1414

addr->inet.port = sin->sin_port;

1415

memcpy(&addr->inet.ip, &sin->sin_addr, sizeof(addr->inet.ip));

1416

1417

return 0;

1418

}

1419

#ifdef ENABLE_IPv6

1420

else if (s->sa_family == PR_AF_INET6) {

1421

struct sockaddr_in6 *sin = (struct sockaddr_in6 *)s;

1422

1423

if (len < sizeof(*sin))

1424

return -1;

1425

1426

addr->ipv6.family = PR_AF_INET6;

1427

addr->ipv6.port = sin->sin6_port;

1428

addr->ipv6.flowinfo = sin->sin6_flowinfo;

1429

memcpy(&addr->ipv6.ip, &sin->sin6_addr, sizeof(addr->ipv6.ip));

1430

addr->ipv6.scope_id = sin->sin6_scope_id;

1431

1432

return 0;

1433

}

1434

#endif

1435

1436

return -1;

1437

}

1438

1439

static int

1440

socket_connect(CamelTcpStream *stream, struct addrinfo *host)

1441

{

1442

CamelTcpStreamSSL *ssl = CAMEL_TCP_STREAM_SSL (stream);

1443

PRNetAddr netaddr;

1444

PRFileDesc *fd, *cancel_fd;

1445

1446

if (sockaddr_to_praddr(host->ai_addr, host->ai_addrlen, &netaddr) != 0) {

1447

errno = EINVAL;

1448

return -1;

1449

}

1450

1451

fd = PR_OpenTCPSocket(netaddr.raw.family);

1452

if (fd == NULL) {

1453

set_errno (PR_GetError ());

1454

return -1;

1455

}

1456

1457

if (ssl->priv->ssl_mode) {

1458

PRFileDesc *ssl_fd;

1459

1460

ssl_fd = enable_ssl (ssl, fd);

1461

if (ssl_fd == NULL) {

1462

int errnosave;

1463

1464

set_errno (PR_GetError ());

1465

errnosave = errno;

1466

PR_Close (fd);

1467

errno = errnosave;

1468

1469

return -1;

1470

}

1471

1472

fd = ssl_fd;

1473

}

1474

1475

cancel_fd = camel_operation_cancel_prfd(NULL);

1476

1477

if (PR_Connect (fd, &netaddr, cancel_fd?0:(CONNECT_TIMEOUT*1000)) == PR_FAILURE) {

1478

int errnosave;

1479

1480

set_errno (PR_GetError ());

1481

if (PR_GetError () == PR_IN_PROGRESS_ERROR ||

1482

(cancel_fd && (PR_GetError () == PR_CONNECT_TIMEOUT_ERROR ||

1483

PR_GetError () == PR_IO_TIMEOUT_ERROR))) {

1484

gboolean connected = FALSE;

1485

PRPollDesc poll[2];

1486

1487

poll[0].fd = fd;

1488

poll[0].in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT;

1489

poll[1].fd = cancel_fd;

1490

poll[1].in_flags = PR_POLL_READ;

1491

1492

do {

1493

poll[0].out_flags = 0;

1494

poll[1].out_flags = 0;

1495

1496

if (PR_Poll (poll, cancel_fd?2:1, (CONNECT_TIMEOUT*1000)) == PR_FAILURE) {

1497

set_errno (PR_GetError ());

1498

goto exception;

1499

}

1500

1501

if (poll[1].out_flags == PR_POLL_READ) {

1502

errno = EINTR;

1503

goto exception;

1504

}

1505

1506

if (PR_ConnectContinue(fd, poll[0].out_flags) == PR_FAILURE) {

1507

set_errno (PR_GetError ());

1508

if (PR_GetError () != PR_IN_PROGRESS_ERROR)

1509

goto exception;

1510

} else {

1511

connected = TRUE;

1512

}

1513

} while (!connected);

1514

} else {

1515

exception:

1516

errnosave = errno;

1517

PR_Close (fd);

1518

ssl->priv->sockfd = NULL;

1519

errno = errnosave;

1520

1521

return -1;

1522

}

1523

1524

errno = 0;

1525

}

1526

1527

ssl->priv->sockfd = fd;

1528

1529

return 0;

1530

}

1531

1532

static int

1533

stream_connect(CamelTcpStream *stream, struct addrinfo *host)

1534

{

1535

while (host) {

1536

if (socket_connect(stream, host) == 0)

1537

return 0;

1538

host = host->ai_next;

1539

}

1540

1541

return -1;

1542

}

1543

1544

static int

1545

stream_getsockopt (CamelTcpStream *stream, CamelSockOptData *data)

1546

{

1547

PRSocketOptionData sodata;

1548

1549

memset ((void *) &sodata, 0, sizeof (sodata));

1550

memcpy ((void *) &sodata, (void *) data, sizeof (CamelSockOptData));

1551

1552

if (PR_GetSocketOption (((CamelTcpStreamSSL *)stream)->priv->sockfd, &sodata) == PR_FAILURE)

1553

return -1;

1554

1555

memcpy ((void *) data, (void *) &sodata, sizeof (CamelSockOptData));

1556

1557

return 0;

1558

}

1559

1560

static int

1561

stream_setsockopt (CamelTcpStream *stream, const CamelSockOptData *data)

1562

{

1563

PRSocketOptionData sodata;

1564

1565

memset ((void *) &sodata, 0, sizeof (sodata));

1566

memcpy ((void *) &sodata, (void *) data, sizeof (CamelSockOptData));

1567

1568

if (PR_SetSocketOption (((CamelTcpStreamSSL *)stream)->priv->sockfd, &sodata) == PR_FAILURE)

1569

return -1;

1570

1571

return 0;

1572

}

1573

1574

static struct sockaddr *

1575

sockaddr_from_praddr(PRNetAddr *addr, socklen_t *len)

1576

{

1577

/* We assume the ip addresses are the same size - they have to be anyway */

1578

1579

if (addr->raw.family == PR_AF_INET) {

1580

struct sockaddr_in *sin = g_malloc0(sizeof(*sin));

1581

1582

sin->sin_family = AF_INET;

1583

sin->sin_port = addr->inet.port;

1584

memcpy(&sin->sin_addr, &addr->inet.ip, sizeof(sin->sin_addr));

1585

*len = sizeof(*sin);

1586

1587

return (struct sockaddr *)sin;

1588

}

1589

#ifdef ENABLE_IPv6

1590

else if (addr->raw.family == PR_AF_INET6) {

1591

struct sockaddr_in6 *sin = g_malloc0(sizeof(*sin));

1592

1593

sin->sin6_family = AF_INET6;

1594

sin->sin6_port = addr->ipv6.port;

1595

sin->sin6_flowinfo = addr->ipv6.flowinfo;

1596

memcpy(&sin->sin6_addr, &addr->ipv6.ip, sizeof(sin->sin6_addr));

1597

sin->sin6_scope_id = addr->ipv6.scope_id;

1598

*len = sizeof(*sin);

1599

1600

return (struct sockaddr *)sin;

1601

}

1602

#endif

1603

1604

return NULL;

1605

}

1606

1607

static struct sockaddr *

1608

stream_get_local_address(CamelTcpStream *stream, socklen_t *len)

1609

{

1610

PRFileDesc *sockfd = CAMEL_TCP_STREAM_SSL (stream)->priv->sockfd;

1611

PRNetAddr addr;

1612

1613

if (PR_GetSockName(sockfd, &addr) != PR_SUCCESS)

1614

return NULL;

1615

1616

return sockaddr_from_praddr(&addr, len);

1617

}

1618

1619

static struct sockaddr *

1620

stream_get_remote_address (CamelTcpStream *stream, socklen_t *len)

1621

{

1622

PRFileDesc *sockfd = CAMEL_TCP_STREAM_SSL (stream)->priv->sockfd;

1623

PRNetAddr addr;

1624

1625

if (PR_GetPeerName(sockfd, &addr) != PR_SUCCESS)

1626

return NULL;

1627

1628

return sockaddr_from_praddr(&addr, len);

1629

}

1630

1631

#endif /* HAVE_NSS */

Older »