/pidgin/main: fa725d4d41ab: Merge release-2.x.y into default.

Mark Doliner mark at kingant.net
Sun Nov 2 14:05:26 EST 2014


Changeset: fa725d4d41ab26156134562b2108acf72e8952b9
Author:	 Mark Doliner <mark at kingant.net>
Date:	 2014-11-02 11:06 -0800
Branch:	 default
URL: https://hg.pidgin.im/pidgin/main/rev/fa725d4d41ab

Description:

Merge release-2.x.y into default.

Fairly easy manual merges in ChangeLog and gtkplugin.c (just one line).

diffstat:

 ChangeLog                                     |   7 ++-
 libpurple/plugins/ssl/ssl-nss.c               |  70 +++++++++++++++++++++++---
 pidgin/gtkplugin.c                            |   8 ++-
 pidgin/plugins/spellchk.c                     |   2 +-
 pidgin/win32/nsis/create_nsis_translations.pl |  24 ++++++--
 5 files changed, 90 insertions(+), 21 deletions(-)

diffs (232 lines):

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -75,6 +75,11 @@ version 3.0.0 (??/??/????):
 	* The Offline Message Emulation plugin now adds a note that the message
 	  was an offline message. (Flavius Anton) (#2497)
 
+version 2.10.11 (?/?/?):
+	General:
+	* Fix handling of Self-Signed SSL/TLS Certificates when using the NSS
+          plugin (#16412)
+
 version 2.10.10 (10/22/14):
 	General:
 	* Check the basic constraints extension when validating SSL/TLS
@@ -1550,7 +1555,7 @@ version 2.6.4 (11/29/2009):
 	Finch:
 	* The TinyURL plugin now creates shorter URLs for long non-conversation
 	  URLs, e.g. URLs to open Inbox in Yahoo/MSN protocols, or the Yahoo
-	  CAPTCHA when joining chat rooms.
+	  Captcha when joining chat rooms.
 	* Fix displaying umlauts etc. in non-utf8 locale (fix in libgnt).
 
 	Pidgin:
diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -139,6 +139,37 @@ static gchar *get_error_text(void)
 	return ret;
 }
 
+static void ssl_nss_log_ciphers(void) {
+	const PRUint16 *cipher;
+	for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) {
+		const PRUint16 suite = *cipher;
+		SECStatus rv;
+		PRBool enabled;
+		PRErrorCode err;
+		SSLCipherSuiteInfo info;
+
+		rv = SSL_CipherPrefGetDefault(suite, &enabled);
+		if (rv != SECSuccess) {
+			err = PR_GetError();
+			purple_debug_warning("nss",
+					"SSL_CipherPrefGetDefault didn't like value 0x%04x: %s\n",
+					suite, PORT_ErrorToString(err));
+			continue;
+		}
+		rv = SSL_GetCipherSuiteInfo(suite, &info, (int)(sizeof info));
+		if (rv != SECSuccess) {
+			err = PR_GetError();
+			purple_debug_warning("nss",
+					"SSL_GetCipherSuiteInfo didn't like value 0x%04x: %s\n",
+					suite, PORT_ErrorToString(err));
+			continue;
+		}
+		purple_debug_info("nss", "Cipher - %s: %s\n",
+				info.cipherSuiteName,
+				enabled ? "Enabled" : "Disabled");
+	}
+}
+
 static void
 ssl_nss_init_nss(void)
 {
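Review bot: The loop in `ssl_nss_log_ciphers` stops at the first zero entry of the array returned by `SSL_GetImplementedCiphers()`, so it depends on that array being zero-terminated, and 0x0000 is itself a cipher-suite code point. NSS also exports `SSL_GetNumImplementedCiphers()`; bounding the loop by that count, e.g. `const PRUint16 *ciphers = SSL_GetImplementedCiphers();` with `for (i = 0; i < SSL_GetNumImplementedCiphers(); i++)`, avoids relying on the terminator. The function would also benefit from a short header comment saying it logs the process-wide defaults read with `SSL_CipherPrefGetDefault`, not what any single connection negotiates. Its `static void ssl_nss_log_ciphers(void) {` one-line layout differs from the `static void` / name / `{` style of `ssl_nss_init_nss` directly below.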
@@ -148,7 +179,9 @@ ssl_nss_init_nss(void)
 
 	PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
 	NSS_NoDB_Init(".");
+#if (NSS_VMAJOR == 3 && (NSS_VMINOR < 15 || (NSS_VMINOR == 15 && NSS_VMICRO < 2)))
 	NSS_SetDomesticPolicy();
+#endif /* NSS < 3.15.2 */
 
 	SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1);
 	SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 1);
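Review bot: The `#if` around `NSS_SetDomesticPolicy()` carries no explanation of why the call is skipped from NSS 3.15.2 on; the `#endif` comment only restates the condition. A comment such as `/* NSS >= 3.15.2: do not override the library's default cipher policy; see ticket <TICKET-ID> */` would record the intent for whoever audits the cipher configuration later. The guard also tests the headers Pidgin was built against rather than the library loaded at run time, so a binary built on an older NSS and run against a newer one would still make the call; if that matters, a run-time test with `NSS_VersionCheck("3.15.2")` is an alternative worth considering. `ssl_nss_init_nss` begins above this hunk and continues below it.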
@@ -195,6 +228,8 @@ ssl_nss_init_nss(void)
 
 	_identity = PR_GetUniqueIdentity("Purple");
 	_nss_methods = PR_GetDefaultIOMethods();
+
+	ssl_nss_log_ciphers();
 }
 
 static SECStatus
@@ -1034,9 +1069,10 @@ static void x509_verify_cert(PurpleCerti
 	CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
 	CERTCertificate *crt_dat;
 	PRTime now = PR_Now();
-	SECStatus          rv;
+	SECStatus rv;
 	PurpleCertificate *first_cert = vrq->cert_chain->data;
 	CERTVerifyLog log;
+	gboolean self_signed = FALSE;
 
 	crt_dat = X509_NSS_DATA(first_cert);
 
@@ -1049,6 +1085,14 @@ static void x509_verify_cert(PurpleCerti
 		CERTVerifyLogNode *node   = NULL;
 		unsigned int depth = (unsigned int)-1;
 
+		if (crt_dat->isRoot) {
+			self_signed = TRUE;
+			*flags |= PURPLE_CERTIFICATE_SELF_SIGNED;
+		}
+
+		/* Handling of untrusted, etc. modeled after
+		 * source/security/manager/ssl/src/TransportSecurityInfo.cpp in Firefox
+		 */
 		for (node = log.head; node; node = node->next) {
 			if (depth != node->depth) {
 				depth = node->depth;
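Review bot: `self_signed` is taken from `crt_dat->isRoot` at the top of the failure branch, and a later hunk uses it to withhold `PURPLE_CERTIFICATE_CA_UNKNOWN` and `PURPLE_CERTIFICATE_INVALID_CHAIN`, so the code should document what `isRoot` actually guarantees. As far as I know NSS derives that field from a subject/issuer (and key-identifier) match rather than from a verified self-signature; please confirm and state it in a comment, e.g. `/* isRoot: NSS considers subject == issuer; this is not a signature check */`. The flag is now also set on every failed verification of such a certificate, not only under `SEC_ERROR_UNTRUSTED_ISSUER` as before, so an expired but otherwise trusted self-signed certificate would presumably be reported as self-signed as well. The `for` loop and the enclosing function continue outside this hunk.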
@@ -1065,14 +1109,20 @@ static void x509_verify_cert(PurpleCerti
 				case SEC_ERROR_REVOKED_CERTIFICATE:
 					*flags |= PURPLE_CERTIFICATE_REVOKED;
 					break;
+				case SEC_ERROR_UNKNOWN_ISSUER:
 				case SEC_ERROR_UNTRUSTED_ISSUER:
-					if (crt_dat->isRoot) {
-						*flags |= PURPLE_CERTIFICATE_SELF_SIGNED;
-					} else {
+					if (!self_signed) {
 						*flags |= PURPLE_CERTIFICATE_CA_UNKNOWN;
 					}
 					break;
+				case SEC_ERROR_CA_CERT_INVALID:
+				case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+				case SEC_ERROR_UNTRUSTED_CERT:
 				case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
+					if (!self_signed) {
+						*flags |= PURPLE_CERTIFICATE_INVALID_CHAIN;
+					}
+					break;
 				case SEC_ERROR_BAD_SIGNATURE:
 				default:
 					*flags |= PURPLE_CERTIFICATE_INVALID_CHAIN;
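Review bot: The `if (!self_signed)` guard on the second case group drops `SEC_ERROR_UNTRUSTED_CERT` and `SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED` for a self-signed leaf. Going by the NSS error names, a certificate that is explicitly distrusted or signed with a disabled algorithm would then reach the caller with only `PURPLE_CERTIFICATE_SELF_SIGNED`. Unless the caller's handling of that flag is known to be at least as strict (not visible here), I would let those two labels fall through to `default:` so `PURPLE_CERTIFICATE_INVALID_CHAIN` is still set, and keep the guard only for `SEC_ERROR_CA_CERT_INVALID` and `SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE`. A `purple_debug_info("nss", ...)` line recording which NSS error was folded into the self-signed case would also help when triaging certificate reports. The `switch` statement starts above this hunk.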
@@ -1080,12 +1130,12 @@ static void x509_verify_cert(PurpleCerti
 			if (node->cert)
 				CERT_DestroyCertificate(node->cert);
 		}
-	} else {
-		rv = CERT_VerifyCertName(crt_dat, vrq->subject_name);
-		if (rv != SECSuccess) {
-			purple_debug_error("nss", "Cert chain valid, but name not verified\n");
-			*flags |= PURPLE_CERTIFICATE_NAME_MISMATCH;
-		}
+	}
+
+	rv = CERT_VerifyCertName(crt_dat, vrq->subject_name);
+	if (rv != SECSuccess) {
+		purple_debug_error("nss", "subject name not verified\n");
+		*flags |= PURPLE_CERTIFICATE_NAME_MISMATCH;
 	}
 
 	PORT_FreeArena(log.arena, PR_FALSE);
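Review bot: The hostname check now runs whether or not chain verification succeeded, which is the security-relevant part of this hunk, yet nothing in the code says the move out of the `else` branch is deliberate. A comment above the call, e.g. `/* Always check the name, even if the chain failed, so NAME_MISMATCH is reported together with SELF_SIGNED or CA_UNKNOWN */`, would keep a later cleanup from folding it back into a success-only branch. The shortened message `"subject name not verified\n"` no longer says whether the chain was valid; including `vrq->subject_name` in the debug output would make the log line usable on its own. `x509_verify_cert` begins above and continues below this hunk.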
diff --git a/pidgin/gtkplugin.c b/pidgin/gtkplugin.c
--- a/pidgin/gtkplugin.c
+++ b/pidgin/gtkplugin.c
@@ -248,8 +248,12 @@ pidgin_plugin_open_config(PurplePlugin *
 
 		g_signal_connect(G_OBJECT(dialog), "response",
 			G_CALLBACK(pref_dialog_response_cb), plugin);
+
 		gtk_container_add(GTK_CONTAINER(
-			gtk_dialog_get_content_area(GTK_DIALOG(dialog))), box);
+			gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
+			pidgin_make_scrollable(box, GTK_POLICY_AUTOMATIC,
+				GTK_POLICY_AUTOMATIC, GTK_SHADOW_IN, 400, 400));
+
 		gtk_window_set_role(GTK_WINDOW(dialog), "plugin_config");
 		gtk_window_set_title(GTK_WINDOW(dialog),
 			_(purple_plugin_get_name(plugin)));
@@ -880,7 +884,7 @@ void pidgin_plugin_dialog_show()
 	gtk_tree_view_column_set_sort_column_id(col, 1);
 	g_object_unref(G_OBJECT(ls));
 	gtk_box_pack_start(GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(plugin_dialog))),
-		pidgin_make_scrollable(event_view, GTK_POLICY_AUTOMATIC, GTK_POLICY_AUTOMATIC, GTK_SHADOW_IN, -1, -1), 
+		pidgin_make_scrollable(event_view, GTK_POLICY_AUTOMATIC, GTK_POLICY_AUTOMATIC, GTK_SHADOW_IN, -1, -1),
 		TRUE, TRUE, 0);
 	gtk_tree_view_set_search_column(GTK_TREE_VIEW(event_view), 1);
 	gtk_tree_view_set_search_equal_func(GTK_TREE_VIEW(event_view),
diff --git a/pidgin/plugins/spellchk.c b/pidgin/plugins/spellchk.c
--- a/pidgin/plugins/spellchk.c
+++ b/pidgin/plugins/spellchk.c
@@ -1786,7 +1786,7 @@ static void load_conf(void)
 	gboolean case_sensitive = FALSE;
 
 	buf = g_build_filename(purple_user_dir(), "dict", NULL);
-	if (g_file_get_contents(buf, &ibuf, &size, NULL) && ibuf) {
+	if (!(g_file_get_contents(buf, &ibuf, &size, NULL) && ibuf)) {
 		ibuf = g_strdup(defaultconf);
 		size = strlen(defaultconf);
 	}
diff --git a/pidgin/win32/nsis/create_nsis_translations.pl b/pidgin/win32/nsis/create_nsis_translations.pl
--- a/pidgin/win32/nsis/create_nsis_translations.pl
+++ b/pidgin/win32/nsis/create_nsis_translations.pl
@@ -175,19 +175,29 @@ my %result;
 open (MYFILE, $translations);
 while (<MYFILE>) {
     chomp $_;
-    if ($_ =~ /Encoding=UTF-8/)
+    if ($_ =~ /^Encoding=UTF-8/ || $_ =~ /^\s*$/ || $_ =~ /^\[Desktop Entry\]/ || $_ =~ /^#/)
     {
-	next;
+        next;
     }
     elsif ($_ =~ /^(\w+)=(.*)/)
     {
-	my $line = "!define $1 \"$2\"\n";
-	$result{"en"}{"$1"} = $line;
+        my $key = $1;
+        my $lang = "en";
+        my $value = $2;
+        $value =~ s/["]/\$\\"/g;
+        $result{"$lang"}{"$key"} = "!define $key \"$value\"\n";
     }
-    elsif ($_ =~ /^(\w+)\[(\w+)\]=(.*)/)
+    elsif ($_ =~ /^(\w+)\[([\w@]+)\]=(.*)/)
     {
-	my $line = "!define $1 \"$3\"\n";
-	$result{"$2"}{"$1"} = $line;
+        my $key = $1;
+        my $lang = $2;
+        my $value = $3;
+        $value =~ s/["]/\$\\"/g;
+        $result{"$lang"}{"$key"} = "!define $key \"$value\"\n";
+    }
+    else
+    {
+        print "Found unrecognized line: '$_'\n";
     }
 }
 close (MYFILE);
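Review bot: The new escaping in both `elsif` branches handles only `"` (`$value =~ s/["]/\$\\"/g;`), while the value is still written into an NSIS `!define` where `$` introduces variables and escapes. If translation strings are not meant to carry NSIS syntax, which is not visible from this hunk, a `$` in a contributed translation would be interpreted by the installer script; adding `$value =~ s/\$/\$\$/g;` before the quote substitution would neutralise it. Please confirm first that no existing string relies on sequences such as `$\r$\n`. The two branches are now identical apart from where `$lang` and `$value` come from, so a small `sub` taking `($lang, $key, $value)` would keep the escaping in one place. The "Found unrecognized line" message would be better sent to `STDERR`, so it is not lost in build output.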


