| OLD | NEW |
|---|
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 4 #include "cert.h" | 4 #include "cert.h" |
| 5 #include "secitem.h" | 5 #include "secitem.h" |
| 6 #include "ssl.h" | 6 #include "ssl.h" |
| 7 #include "sslimpl.h" | 7 #include "sslimpl.h" |
| 8 #include "sslproto.h" | 8 #include "sslproto.h" |
| 9 #include "pk11func.h" | 9 #include "pk11func.h" |
| 10 #include "ocsp.h" | 10 #include "ocsp.h" |
| (...skipping 281 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 292 ss = ssl_FindSocket(fd); | 292 ss = ssl_FindSocket(fd); |
| 293 PORT_Assert(ss != NULL); | 293 PORT_Assert(ss != NULL); |
| 294 if (!ss) { | 294 if (!ss) { |
| 295 return SECFailure; | 295 return SECFailure; |
| 296 } | 296 } |
| 297 | 297 |
| 298 handle = (CERTCertDBHandle *)arg; | 298 handle = (CERTCertDBHandle *)arg; |
| 299 certStatusArray = &ss->sec.ci.sid->peerCertStatus; | 299 certStatusArray = &ss->sec.ci.sid->peerCertStatus; |
| 300 | 300 |
| 301 if (certStatusArray->len) { | 301 if (certStatusArray->len) { |
| 302 CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, | 302 » PORT_SetError(0); |
| 303 » » » » » now, &certStatusArray->items[0], | 303 » if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now, |
| 304 » » » » » ss->pkcs11PinArg); | 304 » » » » » » &certStatusArray->items[0], |
| 305 » » » » » » ss->pkcs11PinArg) |
| 306 » » != SECSuccess) { |
| 307 » PRErrorCode error = PR_GetError(); |
| 308 » PORT_Assert(error != 0); |
| 309 » } |
| 305 } | 310 } |
| 306 | 311 |
| 307 /* this may seem backwards, but isn't. */ | 312 /* this may seem backwards, but isn't. */ |
| 308 certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; | 313 certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; |
| 309 | 314 |
| 310 rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage, | 315 rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage, |
| 311 now, ss->pkcs11PinArg, NULL); | 316 now, ss->pkcs11PinArg, NULL); |
| 312 | 317 |
| 313 if ( rv != SECSuccess || isServer ) | 318 if ( rv != SECSuccess || isServer ) |
| 314 return rv; | 319 return rv; |
| 315 | 320 |
| 316 /* cert is OK. This is the client side of an SSL connection. | 321 /* cert is OK. This is the client side of an SSL connection. |
| 317 * Now check the name field in the cert against the desired hostname. | 322 * Now check the name field in the cert against the desired hostname. |
| 318 * NB: This is our only defense against Man-In-The-Middle (MITM) attacks! | 323 * NB: This is our only defense against Man-In-The-Middle (MITM) attacks! |
| 319 */ | 324 */ |
| 320 hostname = ss->url; | 325 hostname = ss->url; |
| 321 if (hostname && hostname[0]) | 326 if (hostname && hostname[0]) |
| 322 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); | 327 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); |
| 323 else | 328 else |
| 324 rv = SECFailure; | 329 rv = SECFailure; |
| 325 if (rv != SECSuccess) | 330 if (rv != SECSuccess) |
| 326 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); | 331 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); |
| 327 | 332 |
| 328 return rv; | 333 return rv; |
| 329 } | 334 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 111853013:
Update net/third_party/nss to NSS 3.15.4. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/