/pidgin/main: fa725d4d41ab: Merge release-2.x.y into default.
Mark Doliner
mark at kingant.net
Sun Nov 2 14:05:26 EST 2014
Changeset: fa725d4d41ab26156134562b2108acf72e8952b9
Author: Mark Doliner <mark at kingant.net>
Date: 2014-11-02 11:06 -0800
Branch: default
URL: https://hg.pidgin.im/pidgin/main/rev/fa725d4d41ab
Description:
Merge release-2.x.y into default.
Fairly easy manual merges in ChangeLog and gtkplugin.c (just one line).
diffstat:
ChangeLog | 7 ++-
libpurple/plugins/ssl/ssl-nss.c | 70 +++++++++++++++++++++++---
pidgin/gtkplugin.c | 8 ++-
pidgin/plugins/spellchk.c | 2 +-
pidgin/win32/nsis/create_nsis_translations.pl | 24 ++++++--
5 files changed, 90 insertions(+), 21 deletions(-)
diffs (232 lines):
diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -75,6 +75,11 @@ version 3.0.0 (??/??/????):
* The Offline Message Emulation plugin now adds a note that the message
was an offline message. (Flavius Anton) (#2497)
+version 2.10.11 (?/?/?):
+ General:
+ * Fix handling of Self-Signed SSL/TLS Certificates when using the NSS
+ plugin (#16412)
+
version 2.10.10 (10/22/14):
General:
* Check the basic constraints extension when validating SSL/TLS
@@ -1550,7 +1555,7 @@ version 2.6.4 (11/29/2009):
Finch:
* The TinyURL plugin now creates shorter URLs for long non-conversation
URLs, e.g. URLs to open Inbox in Yahoo/MSN protocols, or the Yahoo
- CAPTCHA when joining chat rooms.
+ Captcha when joining chat rooms.
* Fix displaying umlauts etc. in non-utf8 locale (fix in libgnt).
Pidgin:
diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -139,6 +139,37 @@ static gchar *get_error_text(void)
return ret;
}
+static void ssl_nss_log_ciphers(void) {
+ const PRUint16 *cipher;
+ for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) {
+ const PRUint16 suite = *cipher;
+ SECStatus rv;
+ PRBool enabled;
+ PRErrorCode err;
+ SSLCipherSuiteInfo info;
+
+ rv = SSL_CipherPrefGetDefault(suite, &enabled);
+ if (rv != SECSuccess) {
+ err = PR_GetError();
+ purple_debug_warning("nss",
+ "SSL_CipherPrefGetDefault didn't like value 0x%04x: %s\n",
+ suite, PORT_ErrorToString(err));
+ continue;
+ }
+ rv = SSL_GetCipherSuiteInfo(suite, &info, (int)(sizeof info));
+ if (rv != SECSuccess) {
+ err = PR_GetError();
+ purple_debug_warning("nss",
+ "SSL_GetCipherSuiteInfo didn't like value 0x%04x: %s\n",
+ suite, PORT_ErrorToString(err));
+ continue;
+ }
+ purple_debug_info("nss", "Cipher - %s: %s\n",
+ info.cipherSuiteName,
+ enabled ? "Enabled" : "Disabled");
+ }
+}
+
static void
ssl_nss_init_nss(void)
{
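Review bot: `ssl_nss_log_ciphers` has no comment saying what its output means. It reports the process-wide default from `SSL_CipherPrefGetDefault`, not what a given connection negotiates, so a reader auditing the debug log could take "Enabled" as proof that the suite is in use. I would add `/* Log each implemented cipher suite and whether it is enabled by default; per-socket overrides are not reflected. */` above the function. The definition also puts the return type and the opening brace on the signature line, unlike `ssl_nss_init_nss` just below it, which uses `static void` on its own line and the brace on the next.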
@@ -148,7 +179,9 @@ ssl_nss_init_nss(void)
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
NSS_NoDB_Init(".");
+#if (NSS_VMAJOR == 3 && (NSS_VMINOR < 15 || (NSS_VMINOR == 15 && NSS_VMICRO < 2)))
NSS_SetDomesticPolicy();
+#endif /* NSS < 3.15.2 */
SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1);
SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 1);
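Review bot: The guard around `NSS_SetDomesticPolicy()` is decided at compile time from the header macros, and neither the hunk nor the commit description says why the call is unwanted from 3.15.2 on. A binary built against newer headers but loaded with an older NSS library would skip the call, which may or may not be acceptable. A comment above the `#if` giving the reason, with the ticket number if there is one, would let a reader judge that. If the behaviour should follow the library actually loaded, a runtime test such as `if (!NSS_VersionCheck("3.15.2")) NSS_SetDomesticPolicy();` may be closer to the intent. `ssl_nss_init_nss` continues outside this hunk.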
@@ -195,6 +228,8 @@ ssl_nss_init_nss(void)
_identity = PR_GetUniqueIdentity("Purple");
_nss_methods = PR_GetDefaultIOMethods();
+
+ ssl_nss_log_ciphers();
}
static SECStatus
@@ -1034,9 +1069,10 @@ static void x509_verify_cert(PurpleCerti
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
CERTCertificate *crt_dat;
PRTime now = PR_Now();
- SECStatus rv;
+ SECStatus rv;
PurpleCertificate *first_cert = vrq->cert_chain->data;
CERTVerifyLog log;
+ gboolean self_signed = FALSE;
crt_dat = X509_NSS_DATA(first_cert);
@@ -1049,6 +1085,14 @@ static void x509_verify_cert(PurpleCerti
CERTVerifyLogNode *node = NULL;
unsigned int depth = (unsigned int)-1;
+ if (crt_dat->isRoot) {
+ self_signed = TRUE;
+ *flags |= PURPLE_CERTIFICATE_SELF_SIGNED;
+ }
+
+ /* Handling of untrusted, etc. modeled after
+ * source/security/manager/ssl/src/TransportSecurityInfo.cpp in Firefox
+ */
for (node = log.head; node; node = node->next) {
if (depth != node->depth) {
depth = node->depth;
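Review bot: `self_signed` is taken from `crt_dat->isRoot` with no comment on what that field guarantees. As far as I know NSS sets it when the certificate looks self-issued, which is not the same as a verified self-signature. The switch in the later hunk (@@ -1065) then skips CA_UNKNOWN and some INVALID_CHAIN cases for such a certificate, so the result is only safe if callers treat PURPLE_CERTIFICATE_SELF_SIGNED as a failure that needs explicit user trust. I would add above the `if`: `/* isRoot: leaf appears self-issued; SELF_SIGNED alone must still block automatic acceptance */`. `x509_verify_cert` starts and ends outside this hunk.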
@@ -1065,14 +1109,20 @@ static void x509_verify_cert(PurpleCerti
case SEC_ERROR_REVOKED_CERTIFICATE:
*flags |= PURPLE_CERTIFICATE_REVOKED;
break;
+ case SEC_ERROR_UNKNOWN_ISSUER:
case SEC_ERROR_UNTRUSTED_ISSUER:
- if (crt_dat->isRoot) {
- *flags |= PURPLE_CERTIFICATE_SELF_SIGNED;
- } else {
+ if (!self_signed) {
*flags |= PURPLE_CERTIFICATE_CA_UNKNOWN;
}
break;
+ case SEC_ERROR_CA_CERT_INVALID:
+ case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+ case SEC_ERROR_UNTRUSTED_CERT:
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
+ if (!self_signed) {
+ *flags |= PURPLE_CERTIFICATE_INVALID_CHAIN;
+ }
+ break;
case SEC_ERROR_BAD_SIGNATURE:
default:
*flags |= PURPLE_CERTIFICATE_INVALID_CHAIN;
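Review bot: The new `if (!self_signed)` guards apply to every node in the verify log, not only the node for the leaf, and for a self-signed leaf the four grouped codes (including `SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED`) now set no flag at all. That is probably intended, since SELF_SIGNED is set before the loop, but the code does not say so. A comment such as `/* self-signed leaf is already reported as SELF_SIGNED; do not also report a chain error */` on each guarded group would make it explicit. If a disabled signature algorithm should still be reported for a self-signed certificate, keep that case label in the `SEC_ERROR_BAD_SIGNATURE` group instead. The enclosing switch begins outside this hunk.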
@@ -1080,12 +1130,12 @@ static void x509_verify_cert(PurpleCerti
if (node->cert)
CERT_DestroyCertificate(node->cert);
}
- } else {
- rv = CERT_VerifyCertName(crt_dat, vrq->subject_name);
- if (rv != SECSuccess) {
- purple_debug_error("nss", "Cert chain valid, but name not verified\n");
- *flags |= PURPLE_CERTIFICATE_NAME_MISMATCH;
- }
+ }
+
+ rv = CERT_VerifyCertName(crt_dat, vrq->subject_name);
+ if (rv != SECSuccess) {
+ purple_debug_error("nss", "subject name not verified\n");
+ *flags |= PURPLE_CERTIFICATE_NAME_MISMATCH;
}
PORT_FreeArena(log.arena, PR_FALSE);
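Review bot: Running `CERT_VerifyCertName` on every path is the behaviour change in this hunk, but nothing marks it as deliberate, so a later cleanup could move it back under the success branch. I would add above the call: `/* Always check the name, even if chain validation failed, so a mismatch is reported together with SELF_SIGNED or CA_UNKNOWN */`. The reworded debug message also no longer says whether the chain was valid and does not name the host that failed; including `vrq->subject_name` would help when reading logs, provided it cannot be NULL here, which the hunk does not show.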
diff --git a/pidgin/gtkplugin.c b/pidgin/gtkplugin.c
--- a/pidgin/gtkplugin.c
+++ b/pidgin/gtkplugin.c
@@ -248,8 +248,12 @@ pidgin_plugin_open_config(PurplePlugin *
g_signal_connect(G_OBJECT(dialog), "response",
G_CALLBACK(pref_dialog_response_cb), plugin);
+
gtk_container_add(GTK_CONTAINER(
- gtk_dialog_get_content_area(GTK_DIALOG(dialog))), box);
+ gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
+ pidgin_make_scrollable(box, GTK_POLICY_AUTOMATIC,
+ GTK_POLICY_AUTOMATIC, GTK_SHADOW_IN, 400, 400));
+
gtk_window_set_role(GTK_WINDOW(dialog), "plugin_config");
gtk_window_set_title(GTK_WINDOW(dialog),
_(purple_plugin_get_name(plugin)));
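Review bot: The `400, 400` passed to `pidgin_make_scrollable` are unexplained literals, while the other call in this file (in `pidgin_plugin_dialog_show`) passes `-1, -1`. If these are a size request, every plugin configuration dialog presumably becomes at least that large, however small its contents. A named constant, or a short comment such as `/* cap tall plugin pref pages; scroll instead of growing past the screen */`, would record the intent. `pidgin_plugin_open_config` starts and ends outside this hunk.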
@@ -880,7 +884,7 @@ void pidgin_plugin_dialog_show()
gtk_tree_view_column_set_sort_column_id(col, 1);
g_object_unref(G_OBJECT(ls));
gtk_box_pack_start(GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(plugin_dialog))),
- pidgin_make_scrollable(event_view, GTK_POLICY_AUTOMATIC, GTK_POLICY_AUTOMATIC, GTK_SHADOW_IN, -1, -1),
+ pidgin_make_scrollable(event_view, GTK_POLICY_AUTOMATIC, GTK_POLICY_AUTOMATIC, GTK_SHADOW_IN, -1, -1),
TRUE, TRUE, 0);
gtk_tree_view_set_search_column(GTK_TREE_VIEW(event_view), 1);
gtk_tree_view_set_search_equal_func(GTK_TREE_VIEW(event_view),
diff --git a/pidgin/plugins/spellchk.c b/pidgin/plugins/spellchk.c
--- a/pidgin/plugins/spellchk.c
+++ b/pidgin/plugins/spellchk.c
@@ -1786,7 +1786,7 @@ static void load_conf(void)
gboolean case_sensitive = FALSE;
buf = g_build_filename(purple_user_dir(), "dict", NULL);
- if (g_file_get_contents(buf, &ibuf, &size, NULL) && ibuf) {
+ if (!(g_file_get_contents(buf, &ibuf, &size, NULL) && ibuf)) {
ibuf = g_strdup(defaultconf);
size = strlen(defaultconf);
}
diff --git a/pidgin/win32/nsis/create_nsis_translations.pl b/pidgin/win32/nsis/create_nsis_translations.pl
--- a/pidgin/win32/nsis/create_nsis_translations.pl
+++ b/pidgin/win32/nsis/create_nsis_translations.pl
@@ -175,19 +175,29 @@ my %result;
open (MYFILE, $translations);
while (<MYFILE>) {
chomp $_;
- if ($_ =~ /Encoding=UTF-8/)
+ if ($_ =~ /^Encoding=UTF-8/ || $_ =~ /^\s*$/ || $_ =~ /^\[Desktop Entry\]/ || $_ =~ /^#/)
{
- next;
+ next;
}
elsif ($_ =~ /^(\w+)=(.*)/)
{
- my $line = "!define $1 \"$2\"\n";
- $result{"en"}{"$1"} = $line;
+ my $key = $1;
+ my $lang = "en";
+ my $value = $2;
+ $value =~ s/["]/\$\\"/g;
+ $result{"$lang"}{"$key"} = "!define $key \"$value\"\n";
}
- elsif ($_ =~ /^(\w+)\[(\w+)\]=(.*)/)
+ elsif ($_ =~ /^(\w+)\[([\w@]+)\]=(.*)/)
{
- my $line = "!define $1 \"$3\"\n";
- $result{"$2"}{"$1"} = $line;
+ my $key = $1;
+ my $lang = $2;
+ my $value = $3;
+ $value =~ s/["]/\$\\"/g;
+ $result{"$lang"}{"$key"} = "!define $key \"$value\"\n";
+ }
+ else
+ {
+ print "Found unrecognized line: '$_'\n";
}
}
close (MYFILE);
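Review bot: The new escaping covers only the double quote, so a `$` in a translated value still reaches the generated `!define` line unescaped and NSIS will treat it as the start of a variable or escape sequence. If translations are not meant to carry NSIS variables, escape it first with `$value =~ s/\$/\$\$/g;` placed before the quote substitution in both branches, since the quote substitution itself inserts `$\"`. The two branches now repeat the same four lines and could share one small sub taking `($lang, $key, $value)`. Separately, the context line `open (MYFILE, $translations);` is a two-argument open whose result is never checked, so a missing file yields empty output with no error.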