/soc/2013/ankitkv/gobjectification: 5902dd574c6e: Merged default...

Ankit Vani a at nevitus.org
Wed Jul 9 02:12:54 EDT 2014


Changeset: 5902dd574c6e3c292e9462bf58baa5af5746f404
Author:	 Ankit Vani <a at nevitus.org>
Date:	 2014-07-09 11:42 +0530
Branch:	 soc.2013.gobjectification.plugins
URL: https://hg.pidgin.im/soc/2013/ankitkv/gobjectification/rev/5902dd574c6e

Description:

Merged default branch

diffstat:

 ChangeLog                          |    3 +
 libpurple/certificate.c            |   72 ++++++++++++++++++++--
 libpurple/certificate.h            |   11 +--
 libpurple/plugins/ssl/ssl-gnutls.c |  117 +++++++++++++++---------------------
 libpurple/plugins/ssl/ssl-nss.c    |   63 -------------------
 libpurple/protocols/jabber/iq.c    |   12 +++-
 6 files changed, 130 insertions(+), 148 deletions(-)

diffs (truncated from 400 to 300 lines):

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -107,6 +107,9 @@ version 2.10.10 (?/?/?):
 	XMPP:
 	* Fix Facebook XMPP roster quirks. (#15041, #15957)
 
+	Yahoo:
+	* Fix login when using the GnuTLS library for TLS connections. (#16172)
+
 version 2.10.9 (2/2/2014):
 	XMPP:
 	* Fix problems logging into some servers including jabber.org and
diff --git a/libpurple/certificate.c b/libpurple/certificate.c
--- a/libpurple/certificate.c
+++ b/libpurple/certificate.c
@@ -491,21 +491,79 @@ purple_certificate_get_der_data(PurpleCe
 gchar *
 purple_certificate_get_display_string(PurpleCertificate *crt)
 {
-	PurpleCertificateScheme *scheme;
-	gchar *str;
+	gchar *sha_asc;
+	GByteArray *sha_bin;
+	gchar *cn, *issuer_id;
+	gint64 activation, expiration;
+	gchar *activ_str, *expir_str;
+	gboolean self_signed;
+	gchar *text;
+#if GLIB_CHECK_VERSION(2,26,0)
+	GDateTime *act_dt, *exp_dt;
+#endif
 
 	g_return_val_if_fail(crt, NULL);
-	g_return_val_if_fail(crt->scheme, NULL);
 
-	scheme = crt->scheme;
+	/* Pull out the SHA1 checksum */
+	sha_bin = purple_certificate_get_fingerprint_sha1(crt);
+	g_return_val_if_fail(sha_bin != NULL, NULL);
+	sha_asc = purple_base16_encode_chunked(sha_bin->data, sha_bin->len);
 
-	g_return_val_if_fail(scheme->get_display_string, NULL);
+	/* Get the cert Common Name */
+	/* TODO: Will break on CA certs */
+	cn = purple_certificate_get_subject_name(crt);
 
-	str = (scheme->get_display_string)(crt);
+	issuer_id = purple_certificate_get_issuer_unique_id(crt);
 
-	return str;
+	/* Get the certificate times */
+	/* TODO: Check the times against localtime */
+	/* TODO: errorcheck? */
+	if (!purple_certificate_get_times(crt, &activation, &expiration)) {
+		purple_debug_error("certificate",
+				   "Failed to get certificate times!\n");
+		activation = expiration = 0;
+	}
+
+#if GLIB_CHECK_VERSION(2,26,0)
+	act_dt = g_date_time_new_from_unix_local(activation);
+	activ_str = g_date_time_format(act_dt, "%c");
+	g_date_time_unref(act_dt);
+
+	exp_dt = g_date_time_new_from_unix_local(expiration);
+	expir_str = g_date_time_format(exp_dt, "%c");
+	g_date_time_unref(exp_dt);
+#else
+	activ_str = g_strdup(ctime(&activation));
+	expir_str = g_strdup(ctime(&expiration));
+#endif
+
+	self_signed = purple_certificate_signed_by(crt, crt);
+
+	/* Make messages */
+	text = g_strdup_printf(
+			_("Common name: %s\n\n"
+			  "Issued by: %s\n\n"
+			  "Fingerprint (SHA1): %s\n\n"
+			  "Activation date: %s\n"
+			  "Expiration date: %s\n"),
+			cn ? cn : "(null)",
+			self_signed ? _("(self-signed)") : (issuer_id ? issuer_id : "(null)"),
+			sha_asc ? sha_asc : "(null)",
+			activ_str ? activ_str : "(null)",
+			expir_str ? expir_str : "(null)");
+
+	/* Cleanup */
+	g_free(cn);
+	g_free(issuer_id);
+	g_free(sha_asc);
+	g_free(activ_str);
+	g_free(expir_str);
+	g_byte_array_free(sha_bin, TRUE);
+
+	return text;
 }
 
+
 GType
 purple_certificate_get_type(void)
 {
diff --git a/libpurple/certificate.h b/libpurple/certificate.h
--- a/libpurple/certificate.h
+++ b/libpurple/certificate.h
@@ -236,12 +236,6 @@ struct _PurpleCertificatePool
  *                <sbr/>@crt:    Certificate instance
  *                <sbr/>Returns: Binary DER representation of certificate - must
  *                               be freed using g_byte_array_free().
- * @get_display_string: Retrieves a string representation of the certificate
- *                      suitable for display
- *                      <sbr/>@crt:   Certificate instance
- *                      <sbr/>Returns: User-displayable string representation of
- *                                     certificate - must be freed using
- *                                     g_free().
  *
  * A certificate type.
  *
@@ -275,8 +269,6 @@ struct _PurpleCertificateScheme
 	GSList * (* import_certificates)(const gchar * filename);
 	GByteArray * (* get_der_data)(PurpleCertificate *crt);
 
-	gchar * (* get_display_string)(PurpleCertificate *crt);
-
 	/*< private >*/
 	void (*_purple_reserved1)(void);
 };
@@ -697,7 +689,8 @@ purple_certificate_pool_contains(PurpleC
  *
  * Retrieve a certificate from a pool.
  *
- * Returns: Retrieved certificate, or NULL if it wasn't there
+ * Returns: Retrieved certificate (to be freed with
+ *         purple_certificate_destroy), or NULL if it wasn't there
  */
 PurpleCertificate *
 purple_certificate_pool_retrieve(PurpleCertificatePool *pool, const gchar *id);
diff --git a/libpurple/plugins/ssl/ssl-gnutls.c b/libpurple/plugins/ssl/ssl-gnutls.c
--- a/libpurple/plugins/ssl/ssl-gnutls.c
+++ b/libpurple/plugins/ssl/ssl-gnutls.c
@@ -473,11 +473,59 @@ ssl_gnutls_read(PurpleSslConnection *gsc
 	if(s == GNUTLS_E_AGAIN || s == GNUTLS_E_INTERRUPTED) {
 		s = -1;
 		errno = EAGAIN;
+
 #ifdef GNUTLS_E_PREMATURE_TERMINATION
 	} else if (s == GNUTLS_E_PREMATURE_TERMINATION) {
-		purple_debug_warning("gnutls", "premature termination\n");
+		purple_debug_warning("gnutls", "Received a FIN on the TCP socket "
+				"for %s. This either means that the remote server closed "
+				"the socket without sending us a Close Notify alert or a "
+				"man-in-the-middle injected a FIN into the TCP stream. "
+				"Assuming it's the former.\n", gsc->host);
+#else
+	} else if (s == GNUTLS_E_UNEXPECTED_PACKET_LENGTH) {
+		purple_debug_warning("gnutls", "Received packet of unexpected "
+				"length on the TCP socket for %s. Among other "
+				"possibilities this might mean that the remote server "
+				"closed the socket without sending us a Close Notify alert. "
+				"Assuming that's the case for compatibility, however, note "
+				"that it's quite possible that we're incorrectly ignoing "
+				"a real error.\n", gsc->host);
+#endif
+		/*
+		 * Summary:
+		 * Always treat a closed TCP connection as if the remote server cleanly
+		 * terminated the SSL session.
+		 *
+		 * Background:
+		 * Most TLS servers send a Close Notify alert before sending TCP FIN
+		 * when closing a session. This informs us at the TLS layer that the
+		 * connection is being cleanly closed. Without this it's more
+		 * difficult for us to determine whether the session was closed
+		 * cleanly (we would need to resort to having the application layer
+		 * perform this check, e.g. by looking at the Content-Length HTTP
+		 * header for HTTP connections).
+		 *
+		 * There ARE servers that don't send Close Notify and we want to be
+		 * compatible with them. And so we don't require Close Notify. This
+		 * seems to match the behavior of libnss. This is a slightly
+		 * unfortunate situation. It means a malicious MITM can inject a FIN
+		 * into our TCP stream and cause our encrypted session to termiate
+		 * and we won't indicate any problem to the user.
+		 *
+		 * GnuTLS < 3.0.0 returned the UNEXPECTED_PACKET_LENGTH error on EOF.
+		 * GnuTLS >= 3.0.0 added the PREMATURE_TERMINATION error to allow us
+		 * to detect the problem more specifically.
+		 *
+		 * For historical discussion see:
+		 * https://developer.pidgin.im/ticket/16172
+		 * http://trac.adiumx.com/intertrac/ticket%3A16678
+		 * https://bugzilla.mozilla.org/show_bug.cgi?id=508698#c4
+		 * http://lists.gnu.org/archive/html/gnutls-devel/2008-03/msg00058.html
+		 * Or search for GNUTLS_E_UNEXPECTED_PACKET_LENGTH or
+		 * GNUTLS_E_PREMATURE_TERMINATION
+		 */
 		s = 0;
-#endif
+
 	} else if(s < 0) {
 		purple_debug_error("gnutls", "receive failed: %s\n",
 				gnutls_strerror(s));
@@ -1179,70 +1227,6 @@ x509_get_der_data(PurpleCertificate *crt
 	return data;
 }
 
-static gchar *
-x509_display_string(PurpleCertificate *crt)
-{
-	gchar *sha_asc;
-	GByteArray *sha_bin;
-	gchar *cn;
-	gint64 activation, expiration;
-	gchar *activ_str, *expir_str;
-	gchar *text;
-#if GLIB_CHECK_VERSION(2,26,0)
-	GDateTime *act_dt, *exp_dt;
-#endif
-
-	/* Pull out the SHA1 checksum */
-	sha_bin = x509_sha1sum(crt);
-	g_return_val_if_fail(sha_bin != NULL, NULL);
-	sha_asc = purple_base16_encode_chunked(sha_bin->data, sha_bin->len);
-
-	/* Get the cert Common Name */
-	/* TODO: Will break on CA certs */
-	cn = x509_common_name(crt);
-
-	/* Get the certificate times */
-	/* TODO: Check the times against localtime */
-	/* TODO: errorcheck? */
-	if (!x509_times(crt, &activation, &expiration)) {
-		purple_debug_error("certificate",
-				   "Failed to get certificate times!\n");
-		activation = expiration = 0;
-	}
-
-#if GLIB_CHECK_VERSION(2,26,0)
-	act_dt = g_date_time_new_from_unix_local(activation);
-	activ_str = g_date_time_format(act_dt, "%c");
-	g_date_time_unref(act_dt);
-
-	exp_dt = g_date_time_new_from_unix_local(expiration);
-	expir_str = g_date_time_format(exp_dt, "%c");
-	g_date_time_unref(exp_dt);
-#else
-	activ_str = g_strdup(ctime(&activation));
-	expir_str = g_strdup(ctime(&expiration));
-#endif
-
-	/* Make messages */
-	text = g_strdup_printf(_("Common name: %s\n\n"
-	                         "Fingerprint (SHA1): %s\n\n"
-	                         "Activation date: %s\n"
-	                         "Expiration date: %s\n"),
-	                       cn ? cn : "(null)",
-	                       sha_asc ? sha_asc : "(null)",
-	                       activ_str ? activ_str : "(null)",
-	                       expir_str ? expir_str : "(null)");
-
-	/* Cleanup */
-	g_free(cn);
-	g_free(sha_asc);
-	g_free(activ_str);
-	g_free(expir_str);
-	g_byte_array_free(sha_bin, TRUE);
-
-	return text;
-}
-
 /* X.509 certificate operations provided by this plugin */
 static PurpleCertificateScheme x509_gnutls = {
 	"x509",                          /* Scheme name */
@@ -1260,7 +1244,6 @@ static PurpleCertificateScheme x509_gnut
 	x509_times,                      /* Activation/Expiration time */
 	x509_importcerts_from_file,      /* Multiple certificates import function */
 	x509_get_der_data,               /* Binary DER data */
-	x509_display_string,             /* Display representation */
 
 	NULL
 
diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -946,68 +946,6 @@ x509_get_der_data(PurpleCertificate *crt
 	return data;
 }
 
-static gchar *
-x509_display_string(PurpleCertificate *crt)
-{
-	gchar *sha_asc;
-	GByteArray *sha_bin;
-	gchar *cn;
-	gint64 activation, expiration;
-	gchar *activ_str, *expir_str;
-	gchar *text;
-#if GLIB_CHECK_VERSION(2,26,0)
-	GDateTime *act_dt, *exp_dt;



More information about the Commits mailing list