diff options
Diffstat (limited to 'nss/lib/ssl/sslauth.c')
-rw-r--r-- | nss/lib/ssl/sslauth.c | 251 |
1 files changed, 125 insertions, 126 deletions
diff --git a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c index b144336..5b5f672 100644 --- a/nss/lib/ssl/sslauth.c +++ b/nss/lib/ssl/sslauth.c @@ -1,3 +1,4 @@ +/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ @@ -17,12 +18,12 @@ SSL_PeerCertificate(PRFileDesc *fd) ss = ssl_FindSocket(fd); if (!ss) { - SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", - SSL_GETPID(), fd)); - return 0; + SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", + SSL_GETPID(), fd)); + return 0; } if (ss->opt.useSecurity && ss->sec.peerCert) { - return CERT_DupCertificate(ss->sec.peerCert); + return CERT_DupCertificate(ss->sec.peerCert); } return 0; } @@ -38,27 +39,27 @@ SSL_PeerCertificateChain(PRFileDesc *fd) ss = ssl_FindSocket(fd); if (!ss) { - SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain", - SSL_GETPID(), fd)); - return NULL; + SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain", + SSL_GETPID(), fd)); + return NULL; } if (!ss->opt.useSecurity || !ss->sec.peerCert) { - PORT_SetError(SSL_ERROR_NO_CERTIFICATE); - return NULL; + PORT_SetError(SSL_ERROR_NO_CERTIFICATE); + return NULL; } chain = CERT_NewCertList(); if (!chain) { - return NULL; + return NULL; } cert = CERT_DupCertificate(ss->sec.peerCert); if (CERT_AddCertToListTail(chain, cert) != SECSuccess) { - goto loser; + goto loser; } for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) { - cert = CERT_DupCertificate(cur->cert); - if (CERT_AddCertToListTail(chain, cert) != SECSuccess) { - goto loser; - } + cert = CERT_DupCertificate(cur->cert); + if (CERT_AddCertToListTail(chain, cert) != SECSuccess) { + goto loser; + } } return chain; @@ -75,102 +76,101 @@ SSL_LocalCertificate(PRFileDesc *fd) ss = ssl_FindSocket(fd); if (!ss) { - SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", - SSL_GETPID(), fd)); - return NULL; + SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", + SSL_GETPID(), fd)); + return NULL; } if (ss->opt.useSecurity) { - if (ss->sec.localCert) { - return CERT_DupCertificate(ss->sec.localCert); - } - if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) { - return CERT_DupCertificate(ss->sec.ci.sid->localCert); - } + if (ss->sec.localCert) { + return CERT_DupCertificate(ss->sec.localCert); + } + if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) { + return CERT_DupCertificate(ss->sec.ci.sid->localCert); + } } return NULL; } - - /* NEED LOCKS IN HERE. */ SECStatus SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, - char **ip, char **sp) + char **ip, char **sp) { sslSocket *ss; - const char *cipherName; - PRBool isDes = PR_FALSE; ss = ssl_FindSocket(fd); if (!ss) { - SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus", - SSL_GETPID(), fd)); - return SECFailure; + SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus", + SSL_GETPID(), fd)); + return SECFailure; } - if (cp) *cp = 0; - if (kp0) *kp0 = 0; - if (kp1) *kp1 = 0; - if (ip) *ip = 0; - if (sp) *sp = 0; + if (cp) + *cp = 0; + if (kp0) + *kp0 = 0; + if (kp1) + *kp1 = 0; + if (ip) + *ip = 0; + if (sp) + *sp = 0; if (op) { - *op = SSL_SECURITY_STATUS_OFF; + *op = SSL_SECURITY_STATUS_OFF; } if (ss->opt.useSecurity && ss->enoughFirstHsDone) { - if (ss->version < SSL_LIBRARY_VERSION_3_0) { - cipherName = ssl_cipherName[ss->sec.cipherType]; - } else { - cipherName = ssl3_cipherName[ss->sec.cipherType]; - } - PORT_Assert(cipherName); - if (cipherName) { - if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE; - - if (cp) { - *cp = PORT_Strdup(cipherName); + const ssl3BulkCipherDef *bulkCipherDef; + PRBool isDes = PR_FALSE; + + bulkCipherDef = ssl_GetBulkCipherDef(ss->ssl3.hs.suite_def); + if (cp) { + *cp = PORT_Strdup(bulkCipherDef->short_name); + } + if (PORT_Strstr(bulkCipherDef->short_name, "DES")) { + isDes = PR_TRUE; + } + + if (kp0) { + *kp0 = bulkCipherDef->key_size * 8; + if (isDes) + *kp0 = (*kp0 * 7) / 8; + } + if (kp1) { + *kp1 = bulkCipherDef->secret_key_size * 8; + if (isDes) + *kp1 = (*kp1 * 7) / 8; + } + if (op) { + if (bulkCipherDef->key_size == 0) { + *op = SSL_SECURITY_STATUS_OFF; + } else if (bulkCipherDef->secret_key_size * 8 < 90) { + *op = SSL_SECURITY_STATUS_ON_LOW; + } else { + *op = SSL_SECURITY_STATUS_ON_HIGH; } } - if (kp0) { - *kp0 = ss->sec.keyBits; - if (isDes) *kp0 = (*kp0 * 7) / 8; - } - if (kp1) { - *kp1 = ss->sec.secretKeyBits; - if (isDes) *kp1 = (*kp1 * 7) / 8; - } - if (op) { - if (ss->sec.keyBits == 0) { - *op = SSL_SECURITY_STATUS_OFF; - } else if (ss->sec.secretKeyBits < 90) { - *op = SSL_SECURITY_STATUS_ON_LOW; - - } else { - *op = SSL_SECURITY_STATUS_ON_HIGH; - } - } - - if (ip || sp) { - CERTCertificate *cert; - - cert = ss->sec.peerCert; - if (cert) { - if (ip) { - *ip = CERT_NameToAscii(&cert->issuer); - } - if (sp) { - *sp = CERT_NameToAscii(&cert->subject); - } - } else { - if (ip) { - *ip = PORT_Strdup("no certificate"); - } - if (sp) { - *sp = PORT_Strdup("no certificate"); - } - } - } + if (ip || sp) { + CERTCertificate *cert; + + cert = ss->sec.peerCert; + if (cert) { + if (ip) { + *ip = CERT_NameToAscii(&cert->issuer); + } + if (sp) { + *sp = CERT_NameToAscii(&cert->subject); + } + } else { + if (ip) { + *ip = PORT_Strdup("no certificate"); + } + if (sp) { + *sp = PORT_Strdup("no certificate"); + } + } + } } return SECSuccess; @@ -186,9 +186,9 @@ SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg) ss = ssl_FindSocket(s); if (!ss) { - SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook", - SSL_GETPID(), s)); - return SECFailure; + SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook", + SSL_GETPID(), s)); + return SECFailure; } ss->authCertificate = func; @@ -198,17 +198,17 @@ SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg) } /* NEED LOCKS IN HERE. */ -SECStatus +SECStatus SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func, - void *arg) + void *arg) { sslSocket *ss; ss = ssl_FindSocket(s); if (!ss) { - SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook", - SSL_GETPID(), s)); - return SECFailure; + SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook", + SSL_GETPID(), s)); + return SECFailure; } ss->getClientAuthData = func; @@ -217,77 +217,76 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func, } /* NEED LOCKS IN HERE. */ -SECStatus +SECStatus SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) { sslSocket *ss; ss = ssl_FindSocket(s); if (!ss) { - SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook", - SSL_GETPID(), s)); - return SECFailure; + SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook", + SSL_GETPID(), s)); + return SECFailure; } ss->pkcs11PinArg = arg; return SECSuccess; } - -/* This is the "default" authCert callback function. It is called when a +/* This is the "default" authCert callback function. It is called when a * certificate message is received from the peer and the local application * has not registered an authCert callback function. */ SECStatus SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer) { - SECStatus rv; - CERTCertDBHandle * handle; - sslSocket * ss; - SECCertUsage certUsage; - const char * hostname = NULL; - PRTime now = PR_Now(); - SECItemArray * certStatusArray; - + SECStatus rv; + CERTCertDBHandle *handle; + sslSocket *ss; + SECCertUsage certUsage; + const char *hostname = NULL; + PRTime now = PR_Now(); + SECItemArray *certStatusArray; + ss = ssl_FindSocket(fd); PORT_Assert(ss != NULL); if (!ss) { - return SECFailure; + return SECFailure; } handle = (CERTCertDBHandle *)arg; certStatusArray = &ss->sec.ci.sid->peerCertStatus; if (certStatusArray->len) { - PORT_SetError(0); - if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now, - &certStatusArray->items[0], - ss->pkcs11PinArg) - != SECSuccess) { - PORT_Assert(PR_GetError() != 0); - } + PORT_SetError(0); + if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now, + &certStatusArray->items[0], + ss->pkcs11PinArg) != + SECSuccess) { + PORT_Assert(PR_GetError() != 0); + } } /* this may seem backwards, but isn't. */ certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage, - now, ss->pkcs11PinArg, NULL); + now, ss->pkcs11PinArg, NULL); + + if (rv != SECSuccess || isServer) + return rv; - if ( rv != SECSuccess || isServer ) - return rv; - /* cert is OK. This is the client side of an SSL connection. * Now check the name field in the cert against the desired hostname. * NB: This is our only defense against Man-In-The-Middle (MITM) attacks! */ hostname = ss->url; if (hostname && hostname[0]) - rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); - else - rv = SECFailure; + rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); + else + rv = SECFailure; if (rv != SECSuccess) - PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); + PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); return rv; } |