src/core/sipe-crypt-nss.c

   1 /**
   2  * @file sipe-crypt-nss.c
   3  *
   4  * pidgin-sipe
   5  *
   6  * Copyright (C) 2011 SIPE Project <http://sipe.sourceforge.net/>
   7  * Copyright (C) 2010 pier11 <pier11@operamail.com>
   8  *
   9  * This program is free software; you can redistribute it and/or modify
  10  * it under the terms of the GNU General Public License as published by
  11  * the Free Software Foundation; either version 2 of the License, or
  12  * (at your option) any later version.
  13  *
  14  * This program is distributed in the hope that it will be useful,
  15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17  * GNU General Public License for more details.
  18  *
  19  * You should have received a copy of the GNU General Public License
  20  * along with this program; if not, write to the Free Software
  21  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  22  */
  23
  24 /**
  25  * Cypher routines implementation based on NSS.
  26  * Includes: RC4, DES
  27  */
  28
  29 #include "glib.h"
  30
  31 #include "nss.h"
  32 /*
  33  * Work around a compiler error in NSS 3.13.x. Let's hope they fix it for
  34  * 3.14.x. See also: https://bugzilla.mozilla.org/show_bug.cgi?id=702090
  35  */
  36 #if (NSS_VMAJOR == 3) && (NSS_VMINOR == 13)
  37 #define __GNUC_MINOR __GNUC_MINOR__
  38 #endif
  39 #include "pk11pub.h"
  40
  41 #include "sipe-common.h"
  42 #include "sipe-backend.h"
  43 #include "sipe-crypt.h"
  44
  45 /* NSS specific initialization/shutdown */
  46 void sipe_crypto_init(SIPE_UNUSED_PARAMETER gboolean production_mode)
  47 {
  48         if (!NSS_IsInitialized()) {
  49                 /*
  50                  * I have a bad feeling about this: according to the NSS
  51                  * documentation, NSS can only be initialized once.
  52                  * Unfortunately there seems to be no way to initialize a
  53                  * "NSS context" that could then be used by the SIPE code
  54                  * to avoid colliding with other NSS users.
  55                  *
  56                  * This seems to work, so it'll have to do for now.
  57                  *
  58                  * It might also be required to move this to the backend
  59                  * so that the backend code can decide when it is OK to
  60                  * initialize NSS.
  61                  */
  62                 NSS_NoDB_Init(".");
  63                 SIPE_DEBUG_INFO_NOFORMAT("NSS initialised");
  64         }
  65 }
  66
  67 void sipe_crypto_shutdown(void)
  68 {
  69         /* do nothing for NSS.
  70          * We don't want accedently switch off NSS possibly used by other plugin -
  71          * ssl-nss in Pidgin for example.
  72          */
  73 }
  74
  75 /* PRIVATE methods */
  76
  77 static PK11Context*
  78 sipe_crypt_ctx_create(CK_MECHANISM_TYPE cipherMech, const guchar *key, gsize key_length)
  79 {
  80         PK11SlotInfo* slot;
  81         SECItem keyItem;
  82         SECItem ivItem;
  83         PK11SymKey* SymKey;
  84         SECItem *SecParam;
  85         PK11Context* EncContext;
  86
  87         /* For key */
  88         slot = PK11_GetBestSlot(cipherMech, NULL);
  89
  90         keyItem.type = siBuffer;
  91         keyItem.data = (unsigned char *)key;
  92         keyItem.len = key_length;
  93
  94         SymKey = PK11_ImportSymKey(slot, cipherMech, PK11_OriginUnwrap, CKA_ENCRYPT, &keyItem, NULL);
  95
  96         /* Parameter for crypto context */
  97         ivItem.type = siBuffer;
  98         ivItem.data = NULL;
  99         ivItem.len = 0;
 100         SecParam = PK11_ParamFromIV(cipherMech, &ivItem);
 101
 102         EncContext = PK11_CreateContextBySymKey(cipherMech, CKA_ENCRYPT, SymKey, SecParam);
 103
 104         PK11_FreeSymKey(SymKey);
 105         SECITEM_FreeItem(SecParam, PR_TRUE);
 106         PK11_FreeSlot(slot);
 107
 108         return EncContext;
 109 }
 110
 111 static void
 112 sipe_crypt_ctx_encrypt(PK11Context* EncContext, const guchar *in, gsize length, guchar *out)
 113 {
 114         int tmp1_outlen;
 115
 116         PK11_CipherOp(EncContext, out, &tmp1_outlen, length, (unsigned char *)in, length);
 117 }
 118
 119 static void
 120 sipe_crypt_ctx_destroy(PK11Context* EncContext)
 121 {
 122         PK11_DestroyContext(EncContext, PR_TRUE);
 123 }
 124
 125 static void
 126 sipe_crypt(CK_MECHANISM_TYPE cipherMech,
 127            const guchar *key, gsize key_length,
 128            const guchar *plaintext, gsize plaintext_length,
 129            guchar *encrypted_text)
 130 {
 131         void *EncContext;
 132
 133         EncContext = sipe_crypt_ctx_create(cipherMech, key, key_length);
 134         sipe_crypt_ctx_encrypt(EncContext, plaintext, plaintext_length, encrypted_text);
 135         sipe_crypt_ctx_destroy(EncContext);
 136 }
 137
 138
 139 /* PUBLIC methods */
 140
 141 void
 142 sipe_crypt_des(const guchar *key,
 143                const guchar *plaintext, gsize plaintext_length,
 144                guchar *encrypted_text)
 145 {
 146         sipe_crypt(CKM_DES_ECB, key, 8, plaintext, plaintext_length, encrypted_text);
 147 }
 148
 149 void
 150 sipe_crypt_rc4(const guchar *key, gsize key_length,
 151                const guchar *plaintext, gsize plaintext_length,
 152                guchar *encrypted_text)
 153 {
 154         sipe_crypt(CKM_RC4, key, key_length, plaintext, plaintext_length, encrypted_text);
 155 }
 156
 157 gboolean
 158 sipe_crypt_rsa_encrypt(gpointer public, gsize modulus_length,
 159                        const guchar *plaintext,
 160                        guchar *encrypted_text)
 161 {
 162   SECStatus result = PK11_PubEncryptRaw(public,
 163                                         encrypted_text, (guchar *) plaintext,
 164                                         modulus_length, NULL);
 165   return(result == SECSuccess);
 166 }
 167
 168 gboolean
 169 sipe_crypt_rsa_decrypt(gpointer private, gsize modulus_length,
 170                        const guchar *encrypted_text,
 171                        guchar *plaintext)
 172 {
 173   unsigned int length;
 174   SECStatus result = PK11_PubDecryptRaw(private,
 175                                         (guchar *) encrypted_text, &length, modulus_length,
 176                                         plaintext, modulus_length);
 177   return((result == SECSuccess) && (length == modulus_length));
 178 }
 179
 180 guchar *sipe_crypt_rsa_sign(gpointer private,
 181                             const guchar *digest, gsize digest_length,
 182                             gsize *signature_length)
 183 {
 184   SECItem digItem;
 185   SECItem sigItem;
 186   SECStatus length;
 187
 188   length = PK11_SignatureLen(private);
 189   if (length < 0) return(NULL);
 190
 191   /* digest to sign (= encrypt) with private key */
 192   digItem.data = (guchar *) digest;
 193   digItem.len  = digest_length;
 194
 195   /* signature */
 196   sigItem.data = g_malloc(length);
 197   sigItem.len  = length;
 198
 199   length = PK11_Sign(private, &sigItem, &digItem);
 200   if (length != SECSuccess) {
 201           g_free(sigItem.data);
 202           return(NULL);
 203   }
 204
 205   *signature_length = sigItem.len;
 206   return(sigItem.data);
 207 }
 208
 209 gboolean sipe_crypt_verify_rsa(gpointer public,
 210                                const guchar *digest, gsize digest_length,
 211                                const guchar *signature, gsize signature_length)
 212 {
 213   SECItem digItem;
 214   SECItem sigItem;
 215
 216   /* digest to verify against */
 217   digItem.data = (guchar *) digest;
 218   digItem.len  = digest_length;
 219
 220   /* signature to decrypt with public key -> digest to compare */
 221   sigItem.data = (guchar *) signature;
 222   sigItem.len  = signature_length;
 223
 224   return(PK11_Verify(public, &sigItem, &digItem, NULL) == SECSuccess);
 225 }
 226
 227
 228 /* Stream RC4 cipher for file transfer */
 229 gpointer
 230 sipe_crypt_ft_start(const guchar *key)
 231 {
 232         return sipe_crypt_ctx_create(CKM_RC4, key, 16);
 233 }
 234
 235 void
 236 sipe_crypt_ft_stream(gpointer context,
 237                      const guchar *in, gsize length,
 238                      guchar *out)
 239 {
 240         sipe_crypt_ctx_encrypt(context, in, length, out);
 241 }
 242
 243 void
 244 sipe_crypt_ft_destroy(gpointer context)
 245 {
 246         sipe_crypt_ctx_destroy(context);
 247 }
 248
 249 /*
 250  * Stream RC4 cipher for TLS
 251  *
 252  * basically the same as for FT, but with variable key length
 253  */
 254 gpointer sipe_crypt_tls_start(const guchar *key, gsize key_length)
 255 {
 256         return sipe_crypt_ctx_create(CKM_RC4, key, key_length);
 257 }
 258
 259 void sipe_crypt_tls_stream(gpointer context,
 260                            const guchar *in, gsize length,
 261                            guchar *out)
 262 {
 263         sipe_crypt_ctx_encrypt(context, in, length, out);
 264 }
 265
 266 void sipe_crypt_tls_destroy(gpointer context)
 267 {
 268         sipe_crypt_ctx_destroy(context);
 269 }
 270
 271 /*
 272   Local Variables:
 273   mode: c
 274   c-file-style: "bsd"
 275   indent-tabs-mode: t
 276   tab-width: 8
 277   End:
 278 */