| OLD | NEW |
|---|
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 4 #include "cert.h" | 4 #include "cert.h" |
| 5 #include "secitem.h" | 5 #include "secitem.h" |
| 6 #include "ssl.h" | 6 #include "ssl.h" |
| 7 #include "sslimpl.h" | 7 #include "sslimpl.h" |
| 8 #include "sslproto.h" | 8 #include "sslproto.h" |
| 9 #include "pk11func.h" | 9 #include "pk11func.h" |
| 10 #include "ocsp.h" | 10 #include "ocsp.h" |
| (...skipping 286 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 297 | 297 |
| 298 handle = (CERTCertDBHandle *)arg; | 298 handle = (CERTCertDBHandle *)arg; |
| 299 certStatusArray = &ss->sec.ci.sid->peerCertStatus; | 299 certStatusArray = &ss->sec.ci.sid->peerCertStatus; |
| 300 | 300 |
| 301 if (certStatusArray->len) { | 301 if (certStatusArray->len) { |
| 302 PORT_SetError(0); | 302 PORT_SetError(0); |
| 303 if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now, | 303 if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now, |
| 304 &certStatusArray->items[0], | 304 &certStatusArray->items[0], |
| 305 ss->pkcs11PinArg) | 305 ss->pkcs11PinArg) |
| 306 != SECSuccess) { | 306 != SECSuccess) { |
| 307 » PRErrorCode error = PR_GetError(); | 307 » PORT_Assert(PR_GetError() != 0); |
| 308 » PORT_Assert(error != 0); | |
| 309 } | 308 } |
| 310 } | 309 } |
| 311 | 310 |
| 312 /* this may seem backwards, but isn't. */ | 311 /* this may seem backwards, but isn't. */ |
| 313 certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; | 312 certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; |
| 314 | 313 |
| 315 rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage, | 314 rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage, |
| 316 now, ss->pkcs11PinArg, NULL); | 315 now, ss->pkcs11PinArg, NULL); |
| 317 | 316 |
| 318 if ( rv != SECSuccess || isServer ) | 317 if ( rv != SECSuccess || isServer ) |
| 319 return rv; | 318 return rv; |
| 320 | 319 |
| 321 /* cert is OK. This is the client side of an SSL connection. | 320 /* cert is OK. This is the client side of an SSL connection. |
| 322 * Now check the name field in the cert against the desired hostname. | 321 * Now check the name field in the cert against the desired hostname. |
| 323 * NB: This is our only defense against Man-In-The-Middle (MITM) attacks! | 322 * NB: This is our only defense against Man-In-The-Middle (MITM) attacks! |
| 324 */ | 323 */ |
| 325 hostname = ss->url; | 324 hostname = ss->url; |
| 326 if (hostname && hostname[0]) | 325 if (hostname && hostname[0]) |
| 327 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); | 326 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); |
| 328 else | 327 else |
| 329 rv = SECFailure; | 328 rv = SECFailure; |
| 330 if (rv != SECSuccess) | 329 if (rv != SECSuccess) |
| 331 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); | 330 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); |
| 332 | 331 |
| 333 return rv; | 332 return rv; |
| 334 } | 333 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1511123006:
Uprev NSS (in libssl) to NSS 3.21 (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master