processmsg.c
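/* Tail of the preceding request handler; its opening lines are not part of this excerpt. */
    if (cert) {
        rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE, cert, ctrl, &certID,
                                (SSMResource**)&certRes);
        if (rv != PR_SUCCESS) {
            goto loser;
        }
        rv = SSM_ClientGetResourceReference(&certRes->super, &certID);
        SSM_FreeResource(&certRes->super);
        if (rv != PR_SUCCESS) {
            goto loser;
        }
    } else {
        /* Not found. Return res id 0 */
        certID = 0;
    }
    SSM_DEBUG("Returning cert resource %d\n", certID);
    /* Pack the reply */
    msg->data = NULL;
    msg->len = 0;
    msg->type = (SECItemType) (SSM_CERT_ACTION | SSM_FIND_BY_KEY | SSM_REPLY_OK_MESSAGE);
    reply.value = certID;
    if (CMT_EncodeMessage(SingleNumMessageTemplate, (CMTItem*)msg, &reply) != CMTSuccess) {
        goto loser;
    }
    PR_Free(request.item.data);
    return PR_SUCCESS;
    /* something went wrong */
loser:
    if (request.item.data) {
        PR_Free(request.item.data);
    }
    return PR_FAILURE;
}

/*
 * Declared here, defined elsewhere; nothing in this part of the file calls it.
 * NOTE(review): auth_password is a plain C string parameter -- confirm how the
 * implementation handles and clears it.
 */
int LDAPCertSearch (const char * rcpt_address, const char * server_name,
                    const char * baseDN, int port, int connect_type,
                    const char * certdb_path, const char * auth_dn,
                    const char * auth_password, const char * mail_attribs,
                    const char * cert_attribs, void ** cert, int * cert_len);

/*
 * Handle a "find certificate by e-mail address" request.
 *
 * Decodes a single-string request, looks the address up in ctrl->m_certdb and,
 * if nothing is found or the hit is outside its validity period, asks the
 * default LDAP server ("ldap_2.default" preference) and looks again.  The reply
 * encoded into msg carries the resource id of the certificate, or 0 when no
 * time-valid certificate was found.
 *
 * Only the validity period is checked here (CERT_CheckCertValidTimes); no chain
 * or revocation check is performed in this function, so a non-zero id is not a
 * trust decision.
 *
 * Returns PR_SUCCESS when a reply was encoded, PR_FAILURE otherwise.
 */
SSMStatus
SSMControlConnection_ProcessFindCertByEmailAddr(SSMControlConnection *ctrl, SECItem *msg)
{
    SSMStatus rv;
    CERTCertificate *cert = NULL;
    SSMResourceID certID = 0;
    SSMResourceCert * certRes = NULL;
    SingleStringMessage request;
    SingleNumMessage reply;

    /* The loser path tests request.string, so it must not be read
     * uninitialised when decoding fails. */
    request.string = NULL;

    SSM_DEBUG("Got a Find Cert By Email Addr request\n");
    /* Decode the request */
    if (CMT_DecodeMessage(SingleStringMessageTemplate, &request, (CMTItem*)msg) != CMTSuccess) {
        goto loser;
    }
    /* Look for the cert in our db */
    cert = CERT_FindCertByEmailAddr(ctrl->m_certdb, request.string);
    /* Fall back to LDAP if nothing was found or the cert is not time-valid.
     * NOTE(review): a cert that was found but fails the validity check is
     * overwritten or set to NULL below without an explicit release; confirm
     * whether CERT_FindCertByEmailAddr returns a counted reference. */
    if (!cert || (CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE) != secCertTimeValid)) {
        char* default_server = NULL;
        /* get the default server name */
        rv = PREF_GetStringPref(ctrl->m_prefs, "ldap_2.default", &default_server);
        if (rv != SSM_SUCCESS) {
            /* if there is no default server, bail */
            goto loser;
        }
        /* NOTE(review): request.string is client-supplied and is forwarded to
         * the LDAP lookup; confirm the callee escapes it before it is placed in
         * a search filter.  default_server is never released in this function;
         * its ownership is not visible here -- confirm. */
        rv = SSM_CompleteLDAPLookup(ctrl, default_server, request.string);
        if (rv != SSM_SUCCESS) {
            cert = NULL;
            goto done;
        }
        cert = CERT_FindCertByEmailAddr(ctrl->m_certdb, request.string);
        if (cert && (CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE) != secCertTimeValid)) {
            cert = NULL;
        }
    }
done:
    /* Create a resource for this cert and get an id */
    if (cert) {
        rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE, cert, ctrl, &certID,
                                (SSMResource**)&certRes);
        if (rv != PR_SUCCESS) {
            goto loser;
        }
        rv = SSM_ClientGetResourceReference(&certRes->super, &certID);
        SSM_FreeResource(&certRes->super);
        if (rv != PR_SUCCESS) {
            goto loser;
        }
    } else {
        /* Not found. Return res id 0 */
        certID = 0;
    }
    SSM_DEBUG("Returning cert resource %d\n", certID);
    /* Pack the reply */
    msg->data = NULL;
    msg->len = 0;
    msg->type = (SECItemType) (SSM_CERT_ACTION | SSM_FIND_BY_EMAILADDR | SSM_REPLY_OK_MESSAGE);
    reply.value = certID;
    if (CMT_EncodeMessage(SingleNumMessageTemplate, (CMTItem*)msg, &reply) != CMTSuccess) {
        goto loser;
    }
    if (msg->data == NULL || msg->len == 0) {
        goto loser;
    }
    PR_Free(request.string);
    return PR_SUCCESS;
    /* something went wrong */
loser:
    if (request.string)
        PR_Free(request.string);
    return PR_FAILURE;
}

/*
 * Handle an "add temporary certificate to the permanent database" request.
 *
 * Decodes the request, resolves request.resID to a resource on this control
 * connection and stores that resource's certificate permanently under
 * request.nickname with the trust flags carried in the request.
 *
 * NOTE(review): the SSL, e-mail and object-signing trust flags are copied
 * verbatim from the client request and no confirmation step is visible in this
 * function; confirm that whoever can reach this handler is allowed to grant
 * trust.  Nothing here verifies that the resource behind resID really is a
 * certificate resource before it is used as SSMResourceCert -- confirm that
 * SSMControlConnection_GetResource or the caller enforces the type.
 *
 * Returns PR_SUCCESS with an OK reply header in msg, PR_FAILURE otherwise.
 */
SSMStatus
SSMControlConnection_ProcessAddCertToDB(SSMControlConnection *ctrl, SECItem *msg)
{
    SSMStatus rv;
    SSMResourceCert *certRes = NULL;
    CERTCertificate *cert;
    CERTCertTrust trust;
    AddTempCertToDBRequest request;

    /* The loser path tests request.nickname, so it must not be read
     * uninitialised when decoding fails. */
    request.nickname = NULL;

    SSM_DEBUG("Add Cert to DB");
    /* Decode the request */
    if (CMT_DecodeMessage(AddTempCertToDBRequestTemplate, &request, (CMTItem*)msg) != CMTSuccess) {
        goto loser;
    }
    trust.sslFlags = request.sslFlags;
    trust.emailFlags = request.emailFlags;
    trust.objectSigningFlags = request.objSignFlags;
    /* Get the resource for this id */
    rv = SSMControlConnection_GetResource(ctrl, request.resID, (SSMResource**)&certRes);
    if (rv != PR_SUCCESS) {
        goto loser;
    }
    /* Refuse to dereference a missing resource or an empty certificate slot. */
    if (certRes == NULL || certRes->cert == NULL) {
        goto loser;
    }
    /* Get the CERTCertificate pointer for this resource */
    cert = certRes->cert;
    /* Add the certificate to the database */
    if (CERT_AddTempCertToPerm(cert, request.nickname, &trust) != SECSuccess) {
        goto loser;
    }
    /* Pack the reply */
    msg->data = NULL;
    msg->len = 0;
    msg->type = (SECItemType) (SSM_CERT_ACTION | SSM_ADD_TO_DB | SSM_REPLY_OK_MESSAGE);
    PR_Free(request.nickname);
    return PR_SUCCESS;
loser:
    if (request.nickname) {
        PR_Free(request.nickname);
    }
    return PR_FAILURE;
}

/*
 * Handle a "destroy certificate" request.
 *
 * Decodes the resource id from msg, frees the request payload and destroys the
 * resource with SSMResourceCert_Destroy.  On success msg carries an empty OK
 * reply header.
 *
 * NOTE(review): the id comes from the client and the resource is handed to
 * SSMResourceCert_Destroy without a visible check that it is a certificate
 * resource -- confirm that the lookup or the destroy routine enforces the type.
 *
 * Returns the status of the last failing step, or PR_SUCCESS.
 */
SSMStatus SSMControlConnection_ProcessDestroyCert(SSMControlConnection * ctrl,
                                                  SECItem * msg)
{
    SSMStatus rv = PR_FAILURE;
    SSMResource * resource = NULL;
    SingleNumMessage request;

    if (!msg || !msg->data)
        goto done;
    if (CMT_DecodeMessage(SingleNumMessageTemplate, &request, (CMTItem*)msg) != CMTSuccess) {
        goto done;
    }
    /* The payload is gone from here on; keep data and len consistent on every
     * path, including the failure ones. */
    PR_Free(msg->data);
    msg->data = NULL;
    msg->len = 0;
    rv = SSMControlConnection_GetResource(ctrl, request.value, &resource);
    if (rv != PR_SUCCESS)
        goto done;
    rv = SSMResourceCert_Destroy(resource, PR_TRUE);
    if (rv == PR_SUCCESS) {
        msg->type = (SECItemType) (SSM_REPLY_OK_MESSAGE | SSM_CERT_ACTION | SSM_DESTROY_CERT);
    }
done:
    return rv;
}

/* Argument bundle handed to ssm_match_user_cert, which frees it with PR_Free. */
typedef struct MatchUserCertArgStr {
    PRBool isOwnThread;          /* PR_TRUE when the worker runs on its own thread */
    SSMControlConnection *ctrl;  /* connection; the dispatcher took a reference */
    SECItem *msg;                /* private copy of the request, freed by the worker */
} MatchUserCertArg;

/*
 * Worker for the "match user cert" request.
 *
 * Decodes the request, asks CERT_MatchUserCert for matching certificates,
 * creates one certificate resource per match and queues a reply listing the
 * resource ids on ctrl->m_controlOutQ.  On failure a single-number reply
 * carrying the status is queued instead.  In every case the worker releases
 * the control-connection reference, the copied message and arg itself.
 *
 * NOTE(review): the CERTCertList returned by CERT_MatchUserCert is never
 * released here; whether the created resources keep their own certificate
 * references is not visible, so confirm before adding a release.  The
 * request's decoded fields (for example caNames) and the copied request
 * payload that msg->data pointed to are likewise not freed in this function.
 * On the failure path msg->type is left at its incoming value when the error
 * reply is encoded -- confirm that this is what the peer expects.
 */
static void
ssm_match_user_cert(void *arg)
{
    MatchUserCertArg *matchArgs = (MatchUserCertArg*)arg;
    SSMControlConnection *ctrl = matchArgs->ctrl;
    SECItem *msg = matchArgs->msg;
    CERTCertList *certs = NULL;
    CERTCertListNode *node = NULL;
    SSMResourceCert *certRes;
    SSMResourceID certResID;
    /* Start from failure so the loser path never reads an unset status. */
    SSMStatus rv = SSM_FAILURE;
    int i;
    MatchUserCertRequest request;
    MatchUserCertReply reply;
    SingleNumMessage badReply;

    /* An empty reply is the default; it also makes the final free() safe. */
    reply.numCerts = 0;
    reply.certs = NULL;

#if DEBUG
    if (matchArgs->isOwnThread) {
        SSM_RegisterThread("match user cert", NULL);
    }
#endif
    /* Decode the request */
    if (CMT_DecodeMessage(MatchUserCertRequestTemplate, &request, (CMTItem*)msg) != CMTSuccess) {
        goto loser;
    }
    /* Find the certs */
    certs = CERT_MatchUserCert(ctrl->m_certdb, (SECCertUsage) request.certType,
                               request.numCANames, request.caNames, ctrl);
    if (!certs) {
        goto done;
    }
    reply.numCerts = SSM_CertListCount(certs);
    if (reply.numCerts <= 0) {
        /* Nothing to list: send the same empty reply as for "no match". */
        reply.numCerts = 0;
        goto done;
    }
    reply.certs = (CMInt32*)malloc(sizeof(CMInt32) * (size_t)reply.numCerts);
    if (!reply.certs) {
        goto loser;
    }
    node = (CERTCertListNode*)PR_LIST_HEAD(&certs->list);
    for (i = 0; i < reply.numCerts; i++) {
        /* Create the cert resource.
         * NOTE(review): if this fails part-way, resources created in earlier
         * iterations are not released here. */
        rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE, node->cert, ctrl,
                                &certResID, (SSMResource**)&certRes);
        if (rv != PR_SUCCESS) {
            goto loser;
        }
        reply.certs[i] = certResID;
        node = (struct CERTCertListNodeStr *) node->links.next;
    }
done:
    /* Generate the reply message */
    /* Pack the reply */
    msg->data = NULL;
    msg->len = 0;
    msg->type = (SECItemType) (SSM_CERT_ACTION | SSM_MATCH_USER_CERT | SSM_REPLY_OK_MESSAGE);
    if (CMT_EncodeMessage(MatchUserCertReplyTemplate, (CMTItem*)msg, &reply) != CMTSuccess) {
        goto loser;
    }
    if (msg->data == NULL || msg->len == 0) {
        goto loser;
    }
    SSM_DEBUG("queueing reply: type %lx, len %ld.\n", msg->type, msg->len);
    SSM_SendQMessage(ctrl->m_controlOutQ, SSM_PRIORITY_NORMAL, msg->type,
                     msg->len, (char *)msg->data, PR_TRUE);
    goto cleanup;
loser:
    if (rv == SSM_SUCCESS)
        rv = SSM_FAILURE;
    badReply.value = rv;
    if (CMT_EncodeMessage(SingleNumMessageTemplate, (CMTItem*)msg, &badReply) == CMTSuccess) {
        SSM_DEBUG("queueing reply: type %lx, len %ld.\n", msg->type, msg->len);
        SSM_SendQMessage(ctrl->m_controlOutQ, SSM_PRIORITY_NORMAL, msg->type,
                         msg->len, (char *)msg->data, PR_TRUE);
    } else {
        /* We need to send something back here. */
        PR_ASSERT(0);
    }
cleanup:
    /* Clean up: the id array is local to this call, the connection reference
     * was taken by the dispatcher, and msg/arg belong to this worker. */
    free(reply.certs);
    SSM_FreeResource(&ctrl->super.super);
    SECITEM_FreeItem(msg, PR_TRUE);
    PR_Free(arg);
    return;
}

/*
 * Dispatch a "match user cert" request to ssm_match_user_cert.
 *
 * The worker gets its own copy of msg and a reference on ctrl.  It runs on a
 * separate thread when at least one non-internal token is installed, and
 * inline otherwise.  The worker queues the reply itself, so this function
 * returns SSM_ERR_DEFER_RESPONSE; it returns SSM_FAILURE only when the
 * argument bundle or the message copy cannot be allocated.
 *
 * NOTE(review): the result of SSM_CreateAndRegisterThread is not checked; if
 * thread creation can fail, arg, the message copy and the connection reference
 * would be left behind and no reply would be sent -- confirm.
 */
SSMStatus
SSMControlConnection_ProcessMatchUserCert(SSMControlConnection *ctrl, SECItem *msg)
{
    MatchUserCertArg *arg;
    PK11SlotList *slotList;
    PK11SlotListElement *currSlot;
    PRBool externalTokenExists = PR_FALSE;

    /* This could potentially require authentication to an
     * external token which would cause Cartman to dead-lock
     * waiting for the password reply.  So we spin off a separate
     * thread iff external tokens are installed.
     */
    arg = SSM_ZNEW(MatchUserCertArg);
    if (arg == NULL) {
        return SSM_FAILURE;
    }
    /* Copy the message before taking the reference so that a failed copy
     * needs nothing undone except the bundle itself. */
    arg->msg = SECITEM_DupItem(msg);
    if (arg->msg == NULL) {
        PR_Free(arg);
        return SSM_FAILURE;
    }
    SSM_GetResourceReference(&ctrl->super.super);
    arg->ctrl = ctrl;
    /* Now let's figure out if there are external tokens installed.*/
    slotList = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, ctrl);
    PR_ASSERT(slotList);
    /* The assertion is compiled out of release builds, so a missing or empty
     * list is also handled explicitly and treated as "no external token". */
    if (slotList != NULL) {
        currSlot = slotList->head;
        while (currSlot != NULL) {
            if (!PK11_IsInternal(currSlot->slot)) {
                externalTokenExists = PR_TRUE;
                break;
            }
            currSlot = currSlot->next;
            if (currSlot == slotList->head) {
                break;
            }
        }
    }
    arg->isOwnThread = externalTokenExists;
    if (arg->isOwnThread) {
        SSM_CreateAndRegisterThread(PR_USER_THREAD, ssm_match_user_cert, (void*)arg,
                                    PR_PRIORITY_NORMAL, PR_LOCAL_THREAD,
                                    PR_UNJOINABLE_THREAD, 0);
    } else {
        ssm_match_user_cert(arg);
    }
    if (slotList != NULL) {
        PK11_FreeSlotList(slotList);
    }
    return SSM_ERR_DEFER_RESPONSE;
}

/*
 * Route a "conserve" request to the pickle, unpickle or pickle-security-status
 * handler selected by (msg->type & SSM_SPECIFIC_MASK).
 *
 * An unknown sub-type yields SSM_ERR_ATTRIBUTE_TYPE_MISMATCH and the request
 * payload is freed here.  A status returned by one of the sub-handlers is
 * passed through unchanged and msg is left as that handler left it.
 */
SSMStatus
SSMControlConnection_ProcessConserveRequest(SSMControlConnection * ctrl,
                                            SECItem * msg)
{
    SSMStatus rv = PR_SUCCESS;

    switch (msg->type & SSM_SPECIFIC_MASK) {
    case SSM_PICKLE_RESOURCE:
        rv = SSMControlConnection_ProcessPickleRequest(ctrl, msg);
        break;
    case SSM_UNPICKLE_RESOURCE:
        rv = SSMControlConnection_ProcessUnpickleRequest(ctrl, msg);
        break;
    case SSM_PICKLE_SECURITY_STATUS:
        rv = SSMControlConnection_ProcessPickleSecurityStatusRequest(ctrl, msg);
        break;
    default:
        rv = SSM_ERR_ATTRIBUTE_TYPE_MISMATCH;
        goto loser;
    }
    goto done;
loser:
    SSM_DEBUG("ProcessConserveResourceRequest: loser hit, rv = %ld.\n", rv);
    if (msg->data) {
        PR_Free(msg->data);
        msg->data = NULL;
        msg->len = 0;
    }
    if (rv == PR_SUCCESS)
        rv = PR_FAILURE;
done:
    return rv;
}

SSMStatus SSMControlConnection_ProcessPickleRequest(SSMControlConnection * ctrl,
                                                    SECItem * msg)
{
    SSMResource *obj;
    SSMStatus rv;
    PRIntn len;
    void * dataBlob = NULL;
    SingleNumMessage request;
    PickleResourceReply reply;

    SSM_DEBUG("Got a PickleResource request.\n");
    /* Decode the request */
    if (CMT_DecodeMessage(SingleNumMessageTemplate, &request, (CMTItem*)msg) != CMTSuccess) {
        goto loser;
    }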