OLD | NEW |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
4 #include "cert.h" | 4 #include "cert.h" |
5 #include "secitem.h" | 5 #include "secitem.h" |
6 #include "ssl.h" | 6 #include "ssl.h" |
7 #include "sslimpl.h" | 7 #include "sslimpl.h" |
8 #include "sslproto.h" | 8 #include "sslproto.h" |
9 #include "pk11func.h" | 9 #include "pk11func.h" |
10 #include "ocsp.h" | 10 #include "ocsp.h" |
(...skipping 286 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
297 | 297 |
298 handle = (CERTCertDBHandle *)arg; | 298 handle = (CERTCertDBHandle *)arg; |
299 certStatusArray = &ss->sec.ci.sid->peerCertStatus; | 299 certStatusArray = &ss->sec.ci.sid->peerCertStatus; |
300 | 300 |
301 if (certStatusArray->len) { | 301 if (certStatusArray->len) { |
302 PORT_SetError(0); | 302 PORT_SetError(0); |
303 if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now, | 303 if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now, |
304 &certStatusArray->items[0], | 304 &certStatusArray->items[0], |
305 ss->pkcs11PinArg) | 305 ss->pkcs11PinArg) |
306 != SECSuccess) { | 306 != SECSuccess) { |
307 » PRErrorCode error = PR_GetError(); | 307 » PORT_Assert(PR_GetError() != 0); |
308 » PORT_Assert(error != 0); | |
309 } | 308 } |
310 } | 309 } |
311 | 310 |
312 /* this may seem backwards, but isn't. */ | 311 /* this may seem backwards, but isn't. */ |
313 certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; | 312 certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; |
314 | 313 |
315 rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage, | 314 rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage, |
316 now, ss->pkcs11PinArg, NULL); | 315 now, ss->pkcs11PinArg, NULL); |
317 | 316 |
318 if ( rv != SECSuccess || isServer ) | 317 if ( rv != SECSuccess || isServer ) |
319 return rv; | 318 return rv; |
320 | 319 |
321 /* cert is OK. This is the client side of an SSL connection. | 320 /* cert is OK. This is the client side of an SSL connection. |
322 * Now check the name field in the cert against the desired hostname. | 321 * Now check the name field in the cert against the desired hostname. |
323 * NB: This is our only defense against Man-In-The-Middle (MITM) attacks! | 322 * NB: This is our only defense against Man-In-The-Middle (MITM) attacks! |
324 */ | 323 */ |
325 hostname = ss->url; | 324 hostname = ss->url; |
326 if (hostname && hostname[0]) | 325 if (hostname && hostname[0]) |
327 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); | 326 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); |
328 else | 327 else |
329 rv = SECFailure; | 328 rv = SECFailure; |
330 if (rv != SECSuccess) | 329 if (rv != SECSuccess) |
331 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); | 330 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); |
332 | 331 |
333 return rv; | 332 return rv; |
334 } | 333 } |
OLD | NEW |