/*
* Copyright © 2009 Igalia S.L.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2, or (at your option)
* any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*/
/* Portions of this file based on Chromium code.
* License block as follows:
*
* Copyright (c) 2009 The Chromium Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*
* The LICENSE file from Chromium can be found in the LICENSE.chromium
* file.
*/
#include "config.h"
#include "ephy-nss-glue.h"
#include "ephy-file-helpers.h"
#include <nss.h>
#include <pk11pub.h>
#include <pk11sdr.h>
#include <glib/gi18n.h>
static gboolean nss_initialized = FALSE;
static PK11SlotInfo *db_slot = NULL;
static char*
ask_for_nss_password (PK11SlotInfo *slot,
PRBool retry,
void *arg)
{
GtkWidget *dialog;
GtkWidget *entry;
gint result;
char *password = NULL;
if (retry)
return NULL;
dialog = gtk_message_dialog_new (NULL,
0,
GTK_MESSAGE_QUESTION,
GTK_BUTTONS_OK_CANCEL,
_("Master password needed"));
gtk_message_dialog_format_secondary_text (GTK_MESSAGE_DIALOG (dialog),
_("The passwords from the previous version (Gecko) are locked with a master password. If you want Epiphany to import them, please enter your master password below."));
entry = gtk_entry_new ();
gtk_entry_set_visibility (GTK_ENTRY (entry), FALSE);
gtk_container_add (GTK_CONTAINER (GTK_DIALOG (dialog)->vbox), entry);
gtk_widget_show (entry);
result = gtk_dialog_run (GTK_DIALOG (dialog));
switch (result) {
case GTK_RESPONSE_OK:
password = PL_strdup (gtk_entry_get_text (GTK_ENTRY (entry)));
break;
default:
break;
}
gtk_widget_destroy (dialog);
return password;
}
gboolean ephy_nss_glue_init ()
{
char *config_dir, *modspec;
SECStatus rv;
config_dir = g_build_filename (ephy_dot_dir (),
"mozilla", "epiphany",
NULL);
rv = NSS_Init (config_dir);
if (rv < 0) {
g_free (config_dir);
return FALSE;
}
modspec = g_strdup_printf ("configDir='%s' tokenDescription='Firefox NSS database' "
"flags=readOnly", config_dir);
db_slot = SECMOD_OpenUserDB (modspec);
g_free (config_dir);
g_free (modspec);
if (!db_slot)
return FALSE;
/* It's possibly to set a master password for NSS through the
certificate manager extension, so we must support that too */
PK11_SetPasswordFunc (ask_for_nss_password);
nss_initialized = TRUE;
return TRUE;
}
void ephy_nss_glue_close ()
{
if (db_slot) {
PK11_FreeSlot (db_slot);
db_slot = NULL;
}
PK11_SetPasswordFunc (NULL);
NSS_Shutdown ();
nss_initialized = FALSE;
}
typedef struct SDRResult
{
SECItem keyid;
SECAlgorithmID alg;
SECItem data;
} SDRResult;
static SEC_ASN1Template g_template[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof (SDRResult) },
{ SEC_ASN1_OCTET_STRING, offsetof(SDRResult, keyid) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(SDRResult, alg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ SEC_ASN1_OCTET_STRING, offsetof(SDRResult, data) },
{ 0 }
};
static SECStatus
unpadBlock(SECItem *data, int blockSize, SECItem *result)
{
SECStatus rv = SECSuccess;
int padLength;
int i;
result->data = 0;
result->len = 0;
/* Remove the padding from the end if the input data */
if (data->len == 0 || data->len % blockSize != 0) { rv = SECFailure; goto loser; }
padLength = data->data[data->len-1];
if (padLength > blockSize) { rv = SECFailure; goto loser; }
/* verify padding */
for (i=data->len - padLength; (uint32)i < data->len; i++) {
if (data->data[i] != padLength) {
rv = SECFailure;
goto loser;
}
}
result->len = data->len - padLength;
result->data = (unsigned char *)PORT_Alloc(result->len);
if (!result->data) { rv = SECFailure; goto loser; }
PORT_Memcpy(result->data, data->data, result->len);
if (padLength < 2) {
/* Chromium returns an error here, but it seems to be harmless and
if we continue we'll be able to import the password
correctly */
/* return SECWouldBlock; */
}
loser:
return rv;
}
static SECStatus
pk11Decrypt (PK11SlotInfo *slot, PLArenaPool *arena,
CK_MECHANISM_TYPE type, PK11SymKey *key,
SECItem *params, SECItem *in, SECItem *result)
{
PK11Context *ctx = 0;
SECItem paddedResult;
SECStatus rv;
paddedResult.len = 0;
paddedResult.data = 0;
ctx = PK11_CreateContextBySymKey (type, CKA_DECRYPT, key, params);
if (!ctx) {
rv = SECFailure;
goto loser;
}
paddedResult.len = in->len;
paddedResult.data = (unsigned char*)PORT_ArenaAlloc (arena, paddedResult.len);
rv = PK11_CipherOp (ctx, paddedResult.data,
(int*)&paddedResult.len, paddedResult.len,
in->data, in->len);
if (rv != SECSuccess)
goto loser;
PK11_Finalize(ctx);
/* Remove the padding */
rv = unpadBlock (&paddedResult, PK11_GetBlockSize(type, 0), result);
if (rv)
goto loser;
loser:
if (ctx)
PK11_DestroyContext (ctx, PR_TRUE);
return rv;
}
static SECStatus
PK11SDR_DecryptWithSlot (PK11SlotInfo *slot, SECItem *data, SECItem *result, void *cx)
{
SECStatus rv = SECSuccess;
PK11SymKey *key = NULL;
CK_MECHANISM_TYPE type;
SDRResult sdrResult;
SECItem *params = NULL;
SECItem possibleResult = { (SECItemType)0, NULL, 0 };
PLArenaPool *arena = NULL;
arena = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
if (!arena) {
rv = SECFailure;
goto loser;
}
/* Decode the incoming data */
memset (&sdrResult, 0, sizeof sdrResult);
rv = SEC_QuickDERDecodeItem (arena, &sdrResult, g_template, data);
if (rv != SECSuccess)
goto loser; /* Invalid format */
/* Get the parameter values from the data */
params = PK11_ParamFromAlgid (&sdrResult.alg);
if (!params) {
rv = SECFailure;
goto loser;
}
/* Use triple-DES (Should look up the algorithm) */
type = CKM_DES3_CBC;
key = PK11_FindFixedKey (slot, type, &sdrResult.keyid, cx);
if (!key) {
rv = SECFailure;
} else {
rv = pk11Decrypt (slot, arena, type, key, params,
&sdrResult.data, result);
}
loser:
if (arena)
PORT_FreeArena (arena, PR_TRUE);
if (key)
PK11_FreeSymKey(key);
if (params)
SECITEM_ZfreeItem(params, PR_TRUE);
if (possibleResult.data)
SECITEM_ZfreeItem(&possibleResult, PR_FALSE);
return rv;
}
char * ephy_nss_glue_decrypt (const unsigned char *data, gsize length)
{
char *plain = NULL;
SECItem request, reply;
SECStatus result;
result = PK11_Authenticate (db_slot, PR_TRUE, NULL);
if (result != SECSuccess)
return NULL;
request.data = (unsigned char*)data;
request.len = length;
reply.data = NULL;
reply.len = 0;
result = PK11SDR_DecryptWithSlot (db_slot, &request, &reply, NULL);
if (result == SECSuccess)
plain = g_strndup ((const char*)reply.data, reply.len);
SECITEM_FreeItem (&reply, PR_FALSE);
return plain;
}