📄 processmsg.c
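{
    SSMStatus rv = PR_FAILURE;
    SSMResource * resource;
    SingleNumMessage request;

    if (!msg || !msg->data)
        goto done;

    if (CMT_DecodeMessage(SingleNumMessageTemplate, &request, (CMTItem*)msg) != CMTSuccess) {
        goto done;
    }
    PR_Free(msg->data);
    msg->data = NULL;

    rv = SSMControlConnection_GetResource(ctrl, request.value, &resource);
    if (rv != PR_SUCCESS)
        goto done;
    rv = SSMResourceCert_Destroy(resource, PR_TRUE);
    if (rv == PR_SUCCESS) {
        msg->type = (SECItemType) (SSM_REPLY_OK_MESSAGE | SSM_CERT_ACTION | SSM_DESTROY_CERT);
        msg->len = 0;
    }
done:
    return rv;
}

/*
 * Argument bundle handed to ssm_match_user_cert(), either by a direct call
 * or as the start argument of a new thread.
 */
typedef struct MatchUserCertArgStr {
    PRBool isOwnThread;          /* PR_TRUE when the worker runs on its own thread */
    SSMControlConnection *ctrl;  /* control connection; a reference is held for the worker */
    SECItem *msg;                /* private copy of the request message */
} MatchUserCertArg;

/*
 * Worker for a "match user cert" request.
 *
 * Decodes the request held in the argument's msg, asks the cert database
 * for user certs matching the requested usage and CA names, creates one
 * certificate resource per hit and queues a reply carrying the resource IDs
 * on the control connection's outgoing queue.  On failure a
 * SingleNumMessage holding the status code is queued instead.
 *
 * The function consumes its argument: on every path it drops the control
 * connection reference, frees the message copy and frees arg itself.
 */
static void
ssm_match_user_cert(void *arg)
{
    MatchUserCertArg *matchArgs = (MatchUserCertArg*)arg;
    SSMControlConnection *ctrl = matchArgs->ctrl;
    SECItem *msg = matchArgs->msg;
    CERTCertList *certs = NULL;
    CERTCertListNode *node = NULL;
    SSMResourceCert *certRes;
    SSMResourceID certResID;
    /* Initialised so the loser path never reads an indeterminate status
     * when it is reached before any call has assigned rv. */
    SSMStatus rv = SSM_FAILURE;
    int i;
    MatchUserCertRequest request;
    MatchUserCertReply reply;
    SingleNumMessage badReply;

#if DEBUG
    if (matchArgs->isOwnThread) {
        SSM_RegisterThread("match user cert", NULL);
    }
#endif

    /* Start from an empty reply so both exit paths can free reply.certs. */
    reply.numCerts = 0;
    reply.certs = NULL;

    /* Decode the request */
    if (CMT_DecodeMessage(MatchUserCertRequestTemplate, &request, (CMTItem*)msg) != CMTSuccess) {
        goto loser;
    }

    /* Find the certs */
    certs = CERT_MatchUserCert(ctrl->m_certdb, (SECCertUsage) request.certType,
                               request.numCANames, request.caNames, ctrl);
    if (!certs) {
        /* No match is not an error: send the empty reply. */
        goto done;
    }

    reply.numCerts = SSM_CertListCount(certs);
    if (reply.numCerts > 0) {
        reply.certs = (CMInt32*)malloc(sizeof(CMInt32)*reply.numCerts);
        if (reply.certs == NULL) {
            /* Without this check the loop below would write through NULL. */
            goto loser;
        }
    }

    node = (CERTCertListNode*)PR_LIST_HEAD(&certs->list);
    for (i = 0; i < reply.numCerts; i++) {
        /* Create the cert resource */
        rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE, node->cert, ctrl,
                                &certResID, (SSMResource**)&certRes);
        if (rv != PR_SUCCESS) {
            /* NOTE(review): resources created for earlier list entries are
             * not released on this path - confirm who owns them. */
            goto loser;
        }
        reply.certs[i] = certResID;
        node = (struct CERTCertListNodeStr *) node->links.next;
    }

done:
    /* Generate the reply message */
    /* Pack the reply */
    /* NOTE(review): the request bytes in msg->data are dropped here without
     * being freed - confirm whether the decoder still references them. */
    msg->data = NULL;
    msg->len = 0;
    msg->type = (SECItemType) (SSM_CERT_ACTION | SSM_MATCH_USER_CERT | SSM_REPLY_OK_MESSAGE);
    if (CMT_EncodeMessage(MatchUserCertReplyTemplate, (CMTItem*)msg, &reply) != CMTSuccess) {
        goto loser;
    }
    if (msg->data == NULL || msg->len == 0) {
        goto loser;
    }
    SSM_DEBUG("queueing reply: type %lx, len %ld.\n", msg->type, msg->len);
    SSM_SendQMessage(ctrl->m_controlOutQ, SSM_PRIORITY_NORMAL, msg->type,
                     msg->len, (char *)msg->data, PR_TRUE);

    /* Clean up */
    /* NOTE(review): `certs` is never released in this function.  Whether it
     * can be destroyed here depends on whether SSM_CreateResource takes its
     * own reference to node->cert - confirm before adding a destroy call. */
    free(reply.certs);
    SSM_FreeResource(&ctrl->super.super);
    SECITEM_FreeItem(msg, PR_TRUE);
    PR_Free(arg);
    return;

loser:
    if (rv == SSM_SUCCESS)
        rv = SSM_FAILURE;
    badReply.value = rv;
    /* NOTE(review): msg->type is not set to an error type on this path, so
     * the reply goes out with whatever type msg carried when the failure
     * happened - confirm that the client copes with that. */
    if (CMT_EncodeMessage(SingleNumMessageTemplate, (CMTItem*)msg, &badReply) == CMTSuccess) {
        SSM_DEBUG("queueing reply: type %lx, len %ld.\n", msg->type, msg->len);
        SSM_SendQMessage(ctrl->m_controlOutQ, SSM_PRIORITY_NORMAL, msg->type,
                         msg->len, (char *)msg->data, PR_TRUE);
    } else {
        /* We need to send something back here. */
        PR_ASSERT(0);
    }

    /* Clean up */
    free(reply.certs);
    SSM_FreeResource(&ctrl->super.super);
    SECITEM_FreeItem(msg, PR_TRUE);
    PR_Free(arg);
    return;
}

/*
 * Start processing of a "match user cert" request.
 *
 * Copies the request, takes a reference on the control connection and runs
 * ssm_match_user_cert() either inline or on a new thread.
 *
 * Returns SSM_ERR_DEFER_RESPONSE once the worker has been run or started
 * (the worker queues the reply itself), or SSM_FAILURE when setup fails, in
 * which case nothing has been handed to the worker.
 */
SSMStatus
SSMControlConnection_ProcessMatchUserCert(SSMControlConnection *ctrl, SECItem *msg)
{
    MatchUserCertArg *arg;
    PK11SlotList *slotList = NULL;
    PK11SlotListElement *currSlot;
    PRBool externalTokenExists = PR_FALSE;

    /* This could potentially require authentication to an
     * external token which would cause PSM to dead-lock
     * waiting for the password reply.  So we spin off a separate
     * thread iff external tokens are installed.
     */
    arg = SSM_ZNEW(MatchUserCertArg);
    if (arg == NULL) {
        return SSM_FAILURE;
    }
    /* Copy the request before taking the reference, so a failed copy needs
     * no reference to be undone and the worker never sees a NULL message. */
    arg->msg = SECITEM_DupItem(msg);
    if (arg->msg == NULL) {
        PR_Free(arg);
        return SSM_FAILURE;
    }
    SSM_GetResourceReference(&ctrl->super.super);
    arg->ctrl = ctrl;

    /* Now let's figure out if there are external tokens installed.*/
    slotList = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, ctrl);
    PR_ASSERT(slotList);
    if (slotList == NULL) {
        /* The assertion compiles away in optimised builds; fail cleanly
         * instead of dereferencing NULL. */
        goto loser;
    }

    /* Walk the slot list once.  The walk stops on a NULL link or on coming
     * back round to the head, and an empty list is simply skipped. */
    currSlot = slotList->head;
    while (currSlot != NULL) {
        if (!PK11_IsInternal(currSlot->slot)) {
            externalTokenExists = PR_TRUE;
            break;
        }
        currSlot = currSlot->next;
        if (currSlot == slotList->head) {
            break;
        }
    }

    arg->isOwnThread = externalTokenExists;
    if (arg->isOwnThread) {
        /* On success the new thread owns arg, the message copy and the
         * reference.  On failure nobody would ever free them or answer the
         * request, so undo the setup and report the failure. */
        if (PR_CreateThread(PR_USER_THREAD, ssm_match_user_cert, (void*)arg,
                            PR_PRIORITY_NORMAL, PR_LOCAL_THREAD,
                            PR_UNJOINABLE_THREAD, 0) == NULL) {
            goto loser;
        }
    } else {
        ssm_match_user_cert(arg);
    }
    PK11_FreeSlotList(slotList);
    return SSM_ERR_DEFER_RESPONSE;

loser:
    if (slotList != NULL) {
        PK11_FreeSlotList(slotList);
    }
    SSM_FreeResource(&ctrl->super.super);
    SECITEM_FreeItem(arg->msg, PR_TRUE);
    PR_Free(arg);
    return SSM_FAILURE;
}

/*
 * Dispatch a "conserve resource" request to the handler selected by the
 * message-specific bits of msg->type.
 *
 * Returns the handler's status.  An unrecognised sub-type yields
 * SSM_ERR_ATTRIBUTE_TYPE_MISMATCH, and any data still attached to msg is
 * freed in that case.
 */
SSMStatus
SSMControlConnection_ProcessConserveRequest(SSMControlConnection * ctrl,
                                            SECItem * msg)
{
    SSMStatus rv = PR_SUCCESS;

    switch (msg->type & SSM_SPECIFIC_MASK) {
    case SSM_PICKLE_RESOURCE:
        rv = SSMControlConnection_ProcessPickleRequest(ctrl, msg);
        break;
    case SSM_UNPICKLE_RESOURCE:
        rv = SSMControlConnection_ProcessUnpickleRequest(ctrl, msg);
        break;
    case SSM_PICKLE_SECURITY_STATUS:
        rv = SSMControlConnection_ProcessPickleSecurityStatusRequest(ctrl, msg);
        break;
    default:
        rv = SSM_ERR_ATTRIBUTE_TYPE_MISMATCH;
        goto loser;
    }

    goto done;
loser:
    SSM_DEBUG("ProcessConserveResourceRequest: loser hit, rv = %ld.\n", rv);
    if (msg->data) {
        PR_Free(msg->data);
        msg->data = NULL;
        msg->len = 0;
    }
    if (rv == PR_SUCCESS)
        rv = PR_FAILURE;
done:
    return rv;
}

/*
 * Handle a "pickle resource" request: look up the resource named in the
 * request, serialise it and encode the blob into msg as the reply.
 *
 * Returns PR_SUCCESS with the encoded reply in msg, or PR_FAILURE.
 */
SSMStatus
SSMControlConnection_ProcessPickleRequest(SSMControlConnection * ctrl,
                                          SECItem * msg)
{
    SSMResource *obj;
    SSMStatus rv;
    PRIntn len;
    void * dataBlob = NULL;
    SingleNumMessage request;
    PickleResourceReply reply;

    SSM_DEBUG("Got a PickleResource request.\n");

    /* Decode the request */
    if (CMT_DecodeMessage(SingleNumMessageTemplate, &request, (CMTItem*)msg) != CMTSuccess) {
        goto loser;
    }
    /* The request buffer is no longer needed once the number has been
     * decoded; free it rather than only dropping the pointer. */
    PR_Free(msg->data);
    msg->data = NULL;

    SSM_DEBUG("Rsrc ID %ld.\n", request.value);

    rv = SSMControlConnection_GetResource(ctrl, request.value, &obj);
    if (rv != PR_SUCCESS)
        goto loser;
    PR_ASSERT(obj != NULL);

    rv = SSM_PickleResource(obj, &len, &dataBlob);
    if (rv != PR_SUCCESS)
        goto loser;

    msg->data = NULL;
    msg->len = 0;
    msg->type = (SECItemType) (SSM_RESOURCE_ACTION | SSM_PICKLE_RESOURCE |
                               SSM_CONSERVE_RESOURCE | SSM_REPLY_OK_MESSAGE);
    reply.result = rv;
    reply.blob.len = len;
    reply.blob.data = (unsigned char *) dataBlob;
    if (CMT_EncodeMessage(PickleResourceReplyTemplate, (CMTItem*)msg, &reply) != CMTSuccess) {
        goto loser;
    }
    if (msg->data == NULL || msg->len == 0)
        goto loser;

    /* The reply has been encoded into msg; the local blob can go. */
    PR_Free(dataBlob);
    return PR_SUCCESS;

    /* something went wrong, could not pickle resource */
loser:
    if (dataBlob)
        PR_Free(dataBlob);
    return PR_FAILURE;
}

/*
 * Handle an "unpickle resource" request: rebuild a resource from the blob
 * carried in the request and reply with the new resource's ID.
 *
 * Returns PR_SUCCESS with the encoded reply in msg, or PR_FAILURE.
 */
SSMStatus
SSMControlConnection_ProcessUnpickleRequest(SSMControlConnection * ctrl,
                                            SECItem * msg)
{
    SSMResource *obj;
    SSMStatus rv;
    void * dataBlob = NULL;
    /* Zeroed so the loser path sees a NULL blob pointer when decoding fails
     * before filling the struct in, instead of freeing an indeterminate one. */
    UnpickleResourceRequest request = {0};
    UnpickleResourceReply reply;

    SSM_DEBUG("Got an UnpickleResource request.\n");

    /* Decode the message */
    if (CMT_DecodeMessage(UnpickleResourceRequestTemplate, &request, (CMTItem*)msg) != CMTSuccess) {
        goto loser;
    }
    /* NOTE(review): the request buffer is dropped here without being freed -
     * confirm whether the decoded fields still point into it. */
    msg->data = NULL;

    /* The resource type, blob length and blob bytes all come from the
     * decoded request.  NOTE(review): any validation of them is assumed to
     * happen inside SSM_UnpickleResource - confirm. */
    rv = SSM_UnpickleResource(&obj, (SSMResourceType) request.resourceType, ctrl,
                              (unsigned int) request.resourceData.len,
                              request.resourceData.data);
    if (rv != PR_SUCCESS)
        goto loser;

    SSM_DEBUG("Unpickled rsrc ID %ld.\n", obj->m_id);

    /* getting this far means success, send the resource ID */
    msg->data = NULL;
    msg->len = 0;
    msg->type = (SECItemType) (SSM_RESOURCE_ACTION | SSM_UNPICKLE_RESOURCE |
                               SSM_CONSERVE_RESOURCE | SSM_REPLY_OK_MESSAGE);
    reply.result = rv;
    reply.resID = obj->m_id;
    /* NOTE(review): when encoding fails below, the resource that was just
     * created is not released - confirm who owns it. */
    if (CMT_EncodeMessage(UnpickleResourceReplyTemplate, (CMTItem*)msg, &reply) != CMTSuccess) {
        goto loser;
    }
    if (msg->data == NULL || msg->len == 0)
        goto loser;

    PR_Free(request.resourceData.data);
    return PR_SUCCESS;

    /* something went wrong, could not unpickle cert */
loser:
    if (request.resourceData.data)
        PR_Free(request.resourceData.data);
    return PR_FAILURE;
}

/*
 * Handle a "pickle security status" request: look up the resource named in
 * the request, require it to be an SSL data connection, and reply with its
 * serialised security status and security level.
 *
 * Returns PR_SUCCESS with the encoded reply in msg, or PR_FAILURE.
 */
SSMStatus
SSMControlConnection_ProcessPickleSecurityStatusRequest(SSMControlConnection* ctrl,
                                                        SECItem* msg)
{
    SSMStatus rv;
    SSMResource* obj;
    PRIntn len;
    void* blob = NULL;
    PRIntn securityLevel;
    SingleNumMessage request;
    PickleSecurityStatusReply reply;

    SSM_DEBUG("Got an PickleSecurityStatus request.\n");

    /* decode the message */
    if (CMT_DecodeMessage(SingleNumMessageTemplate, &request, (CMTItem*)msg) != CMTSuccess) {
        goto loser;
    }

    SSM_DEBUG("Rsrc ID %ld.\n", request.value);
    rv = SSMControlConnection_GetResource(ctrl, request.value, &obj);
    if (rv != PR_SUCCESS) {
        goto loser;
    }
    PR_ASSERT(obj != NULL);

    /* the resource'd better be an SSMSSLDataConnection; the type is checked
     * before the cast below because the ID comes from the request */
    if (SSM_IsA(obj, SSM_RESTYPE_SSL_DATA_CONNECTION) != PR_TRUE) {
        goto loser;
    }

    /* now have the SSL connection handle the action */
    rv = SSMSSLDataConnection_PickleSecurityStatus((SSMSSLDataConnection*)obj,
                                                   &len, &blob, &securityLevel);
    if (rv != PR_SUCCESS) {
        goto loser;
    }

    /* Free the request buffer before reusing msg for the reply instead of
     * only dropping the pointer. */
    PR_Free(msg->data);
    msg->data = NULL;
    msg->len = 0;
    msg->type = (SECItemType) (SSM_REPLY_OK_MESSAGE | SSM_RESOURCE_ACTION |
                               SSM_CONSERVE_RESOURCE | SSM_PICKLE_SECURITY_STATUS);
    reply.result = rv;
    reply.securityLevel = securityLevel;
    reply.blob.len = len;
    reply.blob.data = (unsigned char *) blob;
    if (CMT_EncodeMessage(PickleSecurityStatusReplyTemplate, (CMTItem*)msg, &reply) != CMTSuccess) {
        goto loser;
    }
    if (msg->data == NULL || msg->len == 0) {
        goto loser;
    }

    PR_Free(blob);
    return PR_SUCCESS;

    /* something went wrong, could not pickle security status */
loser:
    if (blob != NULL) {
        PR_Free(blob);
    }
    return PR_FAILURE;
}

/*
 * Handle an "add new security module" request: decode the module name,
 * library path and mechanism/cipher flags and register the module.
 *
 * Returns the status of SECMOD_AddNewModule, or SECFailure when the request
 * cannot be decoded.
 */
SECStatus
SSMControlConnection_AddNewSecurityModule(SSMControlConnection *ctrl, SECItem *msg)
{
    SECStatus srv=SECFailure;
    /* Zeroed so the cleanup below sees NULL strings when decoding fails
     * before filling the struct in, instead of freeing indeterminate ones. */
    AddNewSecurityModuleRequest request = {0};

    if (CMT_DecodeMessage(AddNewSecurityModuleRequestTemplate, &request, (CMTItem*)msg) != CMTSuccess) {
        goto loser;
    }
    /* libraryPath is taken from the decoded control message and passed on
     * unchanged as the library of the new module.
     * NOTE(review): no check on the path or on the sender is visible in this
     * function - confirm the caller restricts who may issue this request. */
    srv = SECMOD_AddNewModule(request.moduleName, request.libraryPath,
                  SECMOD_PubMechFlagstoInternal(request.pubMechFlags),
                  SECMOD_PubCipherFlagstoInternal(request.pubCipherFlags));
loser:
    if (request.moduleName != NULL) {
        PR_Free(request.moduleName);
    }
    if (request.libraryPath != NULL) {
        PR_Free(request.libraryPath);
    }
    return srv;
}

SSMStatus
SSMControlConnection_DeleteSecurityModule(SSMControlConnection *ctrl, SECItem *msg, PRInt32 *moduleType)
{
    char *moduleName=NULL;
    SECStatus srv;
    SingleStringMessage request;

    if (moduleType == NULL) {
        goto loser;
    }
    if (CMT_DecodeMessage(SingleStringMessageTemplate, &request, (CMTItem*)msg) != CMTSuccess) {
        goto loser;
    }
    /* To avoid any possible addition of data due to differing data types.*/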