From: Brendan Cully Date: Tue, 2 Aug 2005 16:10:41 +0000 (+0000) Subject: Put moribund NSS support out to pasture. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2ebe15b1c78dcece7f7dcfc4b4bb9957ef675ac2;p=neomutt Put moribund NSS support out to pasture. --- diff --git a/configure.in b/configure.in index 59714a368..e4a86f15c 100644 --- a/configure.in +++ b/configure.in @@ -586,31 +586,6 @@ AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl[=PFX]], [Compile in SSL support for fi ]) -AM_CONDITIONAL(USE_SSL, test x$need_ssl = xyes) - -dnl SSL support via NSS -AC_ARG_WITH(nss, AC_HELP_STRING([--with-nss[=PFX]], [Compile in SSL support for POP/IMAP via NSS]), -[ if test "$with_nss" != no - then - if test "$need_socket" != "yes"; then - AC_MSG_ERROR([SSL support is only useful with POP or IMAP support]) - fi - - if test "$with_nss" != "yes" - then - LDFLAGS="$LDFLAGS -L$withval/lib" - CPPFLAGS="$CPPFLAGS -I$withval/include -I$withval/public/security" - fi - - AC_DEFINE(USE_NSS,1,[ Define if you want support for SSL via the NSS library. ]) - MUTTLIBS="$MUTTLIBS -lssl -lnss -lcertdb -lcerthi -lcryptohi" - MUTTLIBS="$MUTTLIBS -lpk11wrap -lsoftoken -lsecutil -ldbm -lplds4 -lplc4 -lfreebl" - MUTTLIBS="$MUTTLIBS -lnspr4" - - MUTT_LIB_OBJECTS="$MUTT_LIB_OBJECTS mutt_ssl_nss.o" - need_ssl=yes - fi -]) AC_ARG_WITH([gnutls], AC_HELP_STRING([--with-gnutls[=PFX]], [Enable SSL support using gnutls]), [gnutls_prefix="$withval"], [gnutls_prefix="no"]) @@ -632,6 +607,7 @@ then AC_MSG_ERROR([could not find libgnutls]) ]) fi +AM_CONDITIONAL(USE_SSL, test x$need_ssl = xyes) AC_ARG_WITH(sasl, AC_HELP_STRING([--with-sasl[=PFX]], [Use Cyrus SASL library for POP/IMAP authentication]), [ diff --git a/globals.h b/globals.h index 00cfea5aa..7cdfe8bc9 100644 --- a/globals.h +++ b/globals.h @@ -110,14 +110,14 @@ WHERE char *Signature; WHERE char *SimpleSearch; WHERE char *Spoolfile; WHERE char *SpamSep; -#if defined(USE_SSL) || defined(USE_NSS) || defined(USE_GNUTLS) +#if defined(USE_SSL) || defined(USE_GNUTLS) WHERE char *SslCertFile INITVAL (NULL); #endif #ifdef USE_SSL WHERE char *SslClientCert INITVAL (NULL); WHERE LIST *SslSessionCerts INITVAL (NULL); #endif -#if defined(USE_SSL) || defined(USE_NSS) +#if defined(USE_SSL) WHERE char *SslEntropyFile INITVAL (NULL); #endif #ifdef USE_GNUTLS diff --git a/init.c b/init.c index 3a5e31272..0694c0a85 100644 --- a/init.c +++ b/init.c @@ -31,7 +31,7 @@ #include "mutt_crypt.h" #include "mutt_idna.h" -#if defined(USE_SSL) || defined(USE_NSS) || defined(USE_GNUTLS) +#if defined(USE_SSL) || defined(USE_GNUTLS) #include "mutt_ssl.h" #endif diff --git a/init.h b/init.h index 05d97f609..8bc74fddb 100644 --- a/init.h +++ b/init.h @@ -1878,7 +1878,7 @@ struct option_t MuttVars[] = { ** (S/MIME only) */ -#if defined(USE_SSL)||defined(USE_NSS)||defined(USE_GNUTLS) +#if defined(USE_SSL) || defined(USE_GNUTLS) #ifdef USE_SSL { "ssl_client_cert", DT_PATH, R_NONE, UL &SslClientCert, 0 }, /* diff --git a/mutt.h b/mutt.h index 7df4f644d..0fe838601 100644 --- a/mutt.h +++ b/mutt.h @@ -376,7 +376,7 @@ enum OPTIMAPFORCESSL, # endif #endif -#if defined(USE_SSL) || defined(USE_NSS) || defined(USE_GNUTLS) +#if defined(USE_SSL) || defined(USE_GNUTLS) # ifndef USE_GNUTLS OPTSSLV2, # endif diff --git a/mutt_sasl.c b/mutt_sasl.c index cd5c1aa9e..32aa29028 100644 --- a/mutt_sasl.c +++ b/mutt_sasl.c @@ -243,8 +243,7 @@ dprint(1,(debugfile, "local ip: %s, remote ip:%s\n", iplocalport, ipremoteport)) /*** set sasl IP properties, necessary for use with krb4 ***/ /* Do we need to fail if this fails? I would assume having these unset - * would just disable KRB4. Who wrote this code? I'm not sure how this - * interacts with the NSS code either, since that mucks with the fd. */ + * would just disable KRB4. Who wrote this code? */ #ifndef USE_SASL2 /* with SASLv2 this all happens in sasl_client_new */ { struct sockaddr_in local, remote; @@ -294,10 +293,6 @@ dprint(1,(debugfile, "local ip: %s, remote ip:%s\n", iplocalport, ipremoteport)) return -1; } - /* we currently don't have an SSF finder for NSS (I don't know the API). - * If someone does it'd probably be trivial to write mutt_nss_get_ssf(). - * I have a feeling more SSL code could be shared between those two files, - * but I haven't looked into it yet, since I still don't know the APIs. */ #if defined(USE_SSL) || defined(USE_GNUTLS) if (conn->ssf) { diff --git a/mutt_socket.c b/mutt_socket.c index e88e86e22..8d9f83917 100644 --- a/mutt_socket.c +++ b/mutt_socket.c @@ -26,7 +26,7 @@ #include "globals.h" #include "mutt_socket.h" #include "mutt_tunnel.h" -#if defined(USE_SSL) || defined(USE_GNUTLS) || defined(USE_NSS) +#if defined(USE_SSL) || defined(USE_GNUTLS) # include "mutt_ssl.h" #endif @@ -259,8 +259,6 @@ CONNECTION* mutt_conn_find (const CONNECTION* start, const ACCOUNT* account) { #ifdef USE_SSL ssl_socket_setup (conn); -#elif USE_NSS - mutt_nss_socket_setup (conn); #elif USE_GNUTLS if (mutt_gnutls_socket_setup (conn) < 0) { diff --git a/mutt_ssl.h b/mutt_ssl.h index 985c61e35..c1019f06e 100644 --- a/mutt_ssl.h +++ b/mutt_ssl.h @@ -31,7 +31,4 @@ int mutt_gnutls_starttls (CONNECTION* conn); extern int mutt_gnutls_socket_setup (CONNECTION *conn); #endif -#ifdef USE_NSS -int mutt_nss_socket_setup (CONNECTION* conn); -#endif #endif /* _MUTT_SSL_H_ */ diff --git a/mutt_ssl_nss.c b/mutt_ssl_nss.c deleted file mode 100644 index 420215d89..000000000 --- a/mutt_ssl_nss.c +++ /dev/null @@ -1,382 +0,0 @@ -/* Copyright (C) 2000 Michael R. Elkins - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA. - */ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include -#include -#include -#include -#include "nss.h" -#include "ssl.h" -#include "sechash.h" -#include "cert.h" -#include "cdbhdl.h" -#include "mutt.h" -#include "mutt_socket.h" -#include "mutt_curses.h" - -static int MuttNssInitialized = 0; - -/* internal data struct we use with the CONNECTION. this is where NSS-specific - * data gets stuffed so that the main mutt_socket.h doesn't have to be - * modified. - */ -typedef struct -{ - PRFileDesc *fd; - CERTCertDBHandle *db; -} -mutt_nss_t; - -/* nss callback to grab the user's password. */ -static char * -mutt_nss_password_func (PK11SlotInfo * slot, PRBool retry, void *arg) -{ - return NULL; -} - -static int -mutt_nss_error (const char *call) -{ - mutt_error (_("%s failed (error %d)"), call, PR_GetError ()); - return -1; -} - -/* initialize the NSS library for use. must be called prior to any other - * functions in this module. - */ -static int -mutt_nss_init (void) -{ - if (!MuttNssInitialized) - { - PK11_SetPasswordFunc (mutt_nss_password_func); - if (NSS_Init (SslCertFile) == SECFailure) - return mutt_nss_error ("NSS_Init"); - - /* always use strong crypto. */ - if (NSS_SetDomesticPolicy () == SECFailure) - return mutt_nss_error ("NSS_SetDomesticPolicy"); - - /* intialize the session cache */ - SSL_ClearSessionCache (); - - MuttNssInitialized = 1; - } - return 0; -} - -/* convert from int64 to a readable string and print on the screen */ -static void -mutt_nss_pretty_time (int64 usecs) -{ - struct tm t; - PRExplodedTime ex; - char timebuf[128]; - - PR_ExplodeTime (usecs, PR_LocalTimeParameters, &ex); - - t.tm_sec = ex.tm_sec; - t.tm_min = ex.tm_min; - t.tm_hour = ex.tm_hour; - t.tm_mday = ex.tm_mday; - t.tm_mon = ex.tm_month; - t.tm_year = ex.tm_year - 1900; /* PRExplodedTime uses the absolute year */ - t.tm_wday = ex.tm_wday; - t.tm_yday = ex.tm_yday; - - strfcpy (timebuf, asctime (&t), sizeof (timebuf)); - timebuf[strlen (timebuf) - 1] = 0; - - addstr (timebuf); -} - -/* this function is called by the default hook CERT_AuthCertificate when it - * can't verify a cert based upon the contents of the user's certificate - * database. we are given the option to override the decision and accept - * it anyway. - */ -static SECStatus -mutt_nss_bad_cert (void *arg, PRFileDesc * fd) -{ - PRErrorCode err; - CERTCertificate *cert, *issuer; - unsigned char hash[16]; - int i; - CERTCertTrust trust; - int64 not_before, not_after; - event_t ch; - char status[256]; - - /* first lets see why this certificate failed. we only want to override - * in the case where the cert was not found. - */ - err = PR_GetError (); - mutt_error (_("SSL_AuthCertificate failed (error %d)"), err); - - /* fetch the cert in question */ - cert = SSL_PeerCertificate (fd); - - move (LINES - 8, 0); - clrtoeol (); - move (LINES - 7, 0); - clrtoeol (); - addstr ("Issuer: "); - addstr (CERT_NameToAscii (&cert->issuer)); - move (LINES - 6, 0); - clrtoeol (); - addstr ("Subject: "); - addstr (CERT_NameToAscii (&cert->subject)); - - move (LINES - 5, 0); - clrtoeol (); - addstr ("Valid: "); - CERT_GetCertTimes (cert, ¬_before, ¬_after); - mutt_nss_pretty_time (not_before); - addstr (" to "); - mutt_nss_pretty_time (not_after); - - move (LINES - 4, 0); - clrtoeol (); - addstr ("Fingerprint: "); - - /* calculate the MD5 hash of the raw certificate */ - HASH_HashBuf (HASH_AlgMD5, hash, cert->derCert.data, cert->derCert.len); - for (i = 0; i < 16; i++) - { - printw ("%0x", hash[i]); - if (i != 15) - addch (':'); - } - - mvaddstr (LINES - 3, 0, "Signature: "); - clrtoeol (); - - /* find the cert which signed this cert */ - issuer = CERT_FindCertByName ((CERTCertDBHandle *) arg, &cert->derIssuer); - - /* verify the sig (only) if we have the issuer cert handy */ - if (issuer && - CERT_VerifySignedData (&cert->signatureWrap, issuer, PR_Now (), NULL) - == SECSuccess) - addstr ("GOOD"); - else - addstr ("BAD"); - - move (LINES - 2, 0); - SETCOLOR (MT_COLOR_STATUS); - memset (status, ' ', sizeof (status) - 1); - if (COLS < sizeof (status)) - status[COLS - 1] = 0; - else - status[sizeof (status) - 1] = 0; - memcpy (status, "--- SSL Certificate Check", - sizeof ("--- SSL Certificate Check") - 1); - addstr (status); - clrtoeol (); - SETCOLOR (MT_COLOR_NORMAL); - - for (;;) - { - mvaddstr (LINES - 1, 0, "(r)eject, accept (o)nce, (a)lways accept?"); - clrtoeol (); - ch = mutt_getch (); - if (ch.ch == -1) - { - i = SECFailure; - break; - } - else if (ascii_tolower (ch.ch) == 'r') - { - i = SECFailure; - break; - } - else if (ascii_tolower (ch.ch) == 'o') - { - i = SECSuccess; - break; - } - else if (ascii_tolower (ch.ch) == 'a') - { - /* push this certificate onto the user's certificate store so it - * automatically becomes valid next time we see it - */ - - /* set this certificate as a valid peer for SSL-auth ONLY. */ - CERT_DecodeTrustString (&trust, "P,,"); - - CERT_AddTempCertToPerm (cert, NULL, &trust); - i = SECSuccess; - break; - } - BEEP (); - } - - /* SSL_PeerCertificate() returns a copy with an updated ref count, so - * we have to destroy our copy here. - */ - CERT_DestroyCertificate (cert); - - return i; -} - -static int -mutt_nss_socket_open (CONNECTION * con) -{ - mutt_nss_t *sockdata; - PRNetAddr addr; - struct hostent *he; - - memset (&addr, 0, sizeof (addr)); - addr.inet.family = AF_INET; - addr.inet.port = PR_htons (con->account.port); - he = gethostbyname (con->account.host); - if (!he) - { - mutt_error (_("Unable to find ip for host %s"), con->account.host); - return -1; - } - addr.inet.ip = *((int *) he->h_addr_list[0]); - - sockdata = safe_calloc (1, sizeof (mutt_nss_t)); - - do - { - sockdata->fd = PR_NewTCPSocket (); - if (sockdata->fd == NULL) - { - mutt_error (_("PR_NewTCPSocket failed.")); - break; - } - /* make this a SSL socket */ - sockdata->fd = SSL_ImportFD (NULL, sockdata->fd); - - /* set SSL version options based upon user's preferences */ - if (!option (OPTTLSV1)) - SSL_OptionSet (sockdata->fd, SSL_ENABLE_TLS, PR_FALSE); - - if (!option (OPTSSLV2)) - SSL_OptionSet (sockdata->fd, SSL_ENABLE_SSL2, PR_FALSE); - - if (!option (OPTSSLV3)) - SSL_OptionSet (sockdata->fd, SSL_ENABLE_SSL3, PR_FALSE); - - /* set the host we were attempting to connect to in order to verify - * the name in the certificate we get back. - */ - if (SSL_SetURL (sockdata->fd, con->account.host)) - { - mutt_nss_error ("SSL_SetURL"); - break; - } - - /* we don't need no stinking pin. we don't authenticate ourself - * via SSL. - */ - SSL_SetPKCS11PinArg (sockdata->fd, 0); - - sockdata->db = CERT_GetDefaultCertDB (); - - /* use the default supplied hook. it takes an argument to our - * certificate database. the manual lies, you can't really specify - * NULL for the callback to get the default! - */ - SSL_AuthCertificateHook (sockdata->fd, SSL_AuthCertificate, - sockdata->db); - /* set the callback to be used when SSL_AuthCertificate() fails. this - * allows us to override and insert the cert back into the db - */ - SSL_BadCertHook (sockdata->fd, mutt_nss_bad_cert, sockdata->db); - - if (PR_Connect (sockdata->fd, &addr, PR_INTERVAL_NO_TIMEOUT) == - PR_FAILURE) - { - mutt_error (_("Unable to connect to host %s"), con->account.host); - break; - } - - /* store the extra info in the CONNECTION struct for later use. */ - con->sockdata = sockdata; - - /* HACK. some of the higher level calls in mutt_socket.c depend on this - * being >0 when we are in the connected state. we just set this to - * an arbitrary value to avoid hitting that bug, since we neve have the - * real fd. - */ - con->fd = 42; - - /* success */ - return 0; - } - while (0); - - /* we get here when we had an oops. clean up the mess. */ - - if (sockdata) - { - if (sockdata->fd) - PR_Close (sockdata->fd); - if (sockdata->db) - CERT_ClosePermCertDB (sockdata->db); - FREE (&sockdata); - } - return -1; -} - -static int -mutt_nss_socket_close (CONNECTION * con) -{ - mutt_nss_t *sockdata = (mutt_nss_t *) con->sockdata; - - if (PR_Close (sockdata->fd) == PR_FAILURE) - return -1; - - if (sockdata->db) - CERT_ClosePermCertDB (sockdata->db); - /* free up the memory we used for this connection specific to NSS. */ - FREE (&con->sockdata); - return 0; -} - -static int -mutt_nss_socket_read (CONNECTION* conn, char* buf, size_t len) -{ - return PR_Read (((mutt_nss_t*) conn->sockdata)->fd, buf, len); -} - -static int -mutt_nss_socket_write (CONNECTION * con, const char *buf, size_t count) -{ - return PR_Write (((mutt_nss_t *) con->sockdata)->fd, buf, count); -} - -/* initialize a new connection for use with NSS */ -int -mutt_nss_socket_setup (CONNECTION * con) -{ - if (mutt_nss_init ()) - return -1; - con->conn_open = mutt_nss_socket_open; - con->conn_read = mutt_nss_socket_read; - con->conn_write = mutt_nss_socket_write; - con->conn_close = mutt_nss_socket_close; - return 0; -} diff --git a/pop_lib.c b/pop_lib.c index aa11eaa0a..46d6138ed 100644 --- a/pop_lib.c +++ b/pop_lib.c @@ -274,7 +274,7 @@ int pop_open_connection (POP_DATA *pop_data) return -2; } -#if (defined(USE_SSL) || defined(USE_GNUTLS)) && !defined(USE_NSS) +#if defined(USE_SSL) || defined(USE_GNUTLS) /* Attempt STLS if available and desired. */ if (pop_data->cmd_stls && !pop_data->conn->ssf) {