net/third_party/nss/ssl/sslauth.c - Issue 14522022: Update NSS libSSL to NSS_3_15_BETA2.

Side by Side Diff: net/third_party/nss/ssl/sslauth.c

Issue 14522022: Update NSS libSSL to NSS_3_15_BETA2. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/

Patch Set: Sync README.chromium Created 7 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 /* This Source Code Form is subject to the terms of the Mozilla Public	1 /* This Source Code Form is subject to the terms of the Mozilla Public

2 * License, v. 2.0. If a copy of the MPL was not distributed with this	2 * License, v. 2.0. If a copy of the MPL was not distributed with this

3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */	3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

4 /* $Id: sslauth.c,v 1.18 2012/04/25 14:50:12 gerv%gerv.net Exp $ */	4 /* $Id$ */

5 #include "cert.h"	5 #include "cert.h"

6 #include "secitem.h"	6 #include "secitem.h"

7 #include "ssl.h"	7 #include "ssl.h"

8 #include "sslimpl.h"	8 #include "sslimpl.h"

9 #include "sslproto.h"	9 #include "sslproto.h"

10 #include "pk11func.h"	10 #include "pk11func.h"

	11 #include "ocsp.h"

11	12

12 /* NEED LOCKS IN HERE. */	13 /* NEED LOCKS IN HERE. */

13 CERTCertificate *	14 CERTCertificate *

14 SSL_PeerCertificate(PRFileDesc *fd)	15 SSL_PeerCertificate(PRFileDesc *fd)

15 {	16 {

16 sslSocket *ss;	17 sslSocket *ss;

17	18

18 ss = ssl_FindSocket(fd);	19 ss = ssl_FindSocket(fd);

19 if (!ss) {	20 if (!ss) {

20 SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",	21 SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",

(...skipping 261 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
282 * has not registered an authCert callback function.	283 * has not registered an authCert callback function.

283 */	284 */

284 SECStatus	285 SECStatus

285 SSL_AuthCertificate(void arg, PRFileDesc fd, PRBool checkSig, PRBool isServer)	286 SSL_AuthCertificate(void arg, PRFileDesc fd, PRBool checkSig, PRBool isServer)

286 {	287 {

287 SECStatus rv;	288 SECStatus rv;

288 CERTCertDBHandle * handle;	289 CERTCertDBHandle * handle;

289 sslSocket * ss;	290 sslSocket * ss;

290 SECCertUsage certUsage;	291 SECCertUsage certUsage;

291 const char * hostname = NULL;	292 const char * hostname = NULL;

	293 PRTime now = PR_Now();

	294 SECItemArray *certStatusArray;
	Ryan Sleevi 2013/05/01 19:06:08 rant: inconsistent style = sad. rant: inconsistent style = sad. wtc 2013/05/01 21:52:16 I can fix this upstream. Show quoted text On 2013/05/01 19:06:08, Ryan Sleevi wrote: > rant: inconsistent style = sad. I can fix this upstream.
	295 unsigned int i;

292	296

293 ss = ssl_FindSocket(fd);	297 ss = ssl_FindSocket(fd);

294 PORT_Assert(ss != NULL);	298 PORT_Assert(ss != NULL);

295 if (!ss) {	299 if (!ss) {

296 return SECFailure;	300 return SECFailure;

297 }	301 }

298	302

299 handle = (CERTCertDBHandle *)arg;	303 handle = (CERTCertDBHandle *)arg;

	304 certStatusArray = &ss->sec.ci.sid->peerCertStatus;

	305

	306 for (i = 0; i < certStatusArray->len; ++i) {

	307 CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert,

	308 now, &certStatusArray->items[i], arg);

	309 }

300	310

301 /* this may seem backwards, but isn't. */	311 /* this may seem backwards, but isn't. */

302 certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;	312 certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;

303	313

304 rv = CERT_VerifyCertNow(handle, ss->sec.peerCert, checkSig, certUsage,	314 rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage,

305 » » » ss->pkcs11PinArg);	315 » » » now, ss->pkcs11PinArg, NULL);

306	316

307 if ( rv != SECSuccess \|\| isServer )	317 if ( rv != SECSuccess \|\| isServer )

308 return rv;	318 return rv;

309	319

310 /* cert is OK. This is the client side of an SSL connection.	320 /* cert is OK. This is the client side of an SSL connection.

311 * Now check the name field in the cert against the desired hostname.	321 * Now check the name field in the cert against the desired hostname.

312 * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!	322 * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!

313 */	323 */

314 hostname = ss->url;	324 hostname = ss->url;

315 if (hostname && hostname[0])	325 if (hostname && hostname[0])

316 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname);	326 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname);

317 else	327 else

318 rv = SECFailure;	328 rv = SECFailure;

319 if (rv != SECSuccess)	329 if (rv != SECSuccess)

320 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);	330 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);

321	331

322 return rv;	332 return rv;

323 }	333 }

OLD	NEW

« net/third_party/nss/ssl/ssl3con.c ('K') | « net/third_party/nss/ssl/ssl3prot.h ('k') | net/third_party/nss/ssl/sslcon.c » ('j') | no next file with comments »