Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1087)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/third_party/nss/ssl/sslauth.c

Issue 1844813002: Uprev NSS to 3.23 on iOS (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: One more GN fix Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/third_party/nss/ssl/ssl3prot.h ('k') | net/third_party/nss/ssl/sslcon.c » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/third_party/nss/ssl/sslauth.c
diff --git a/net/third_party/nss/ssl/sslauth.c b/net/third_party/nss/ssl/sslauth.c
index 03b23b48d12c11b233ce352051088a58358aea29..e78a513a6ea6eb57d63677d2a1c2e02ae7c8a0b9 100644
--- a/net/third_party/nss/ssl/sslauth.c
+++ b/net/third_party/nss/ssl/sslauth.c
@@ -17,12 +17,12 @@ SSL_PeerCertificate(PRFileDesc *fd)
ss = ssl_FindSocket(fd);
if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
- SSL_GETPID(), fd));
- return 0;
+ SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
+ SSL_GETPID(), fd));
+ return 0;
}
if (ss->opt.useSecurity && ss->sec.peerCert) {
- return CERT_DupCertificate(ss->sec.peerCert);
+ return CERT_DupCertificate(ss->sec.peerCert);
}
return 0;
}
@@ -38,27 +38,27 @@ SSL_PeerCertificateChain(PRFileDesc *fd)
ss = ssl_FindSocket(fd);
if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain",
- SSL_GETPID(), fd));
- return NULL;
+ SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain",
+ SSL_GETPID(), fd));
+ return NULL;
}
if (!ss->opt.useSecurity || !ss->sec.peerCert) {
- PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
- return NULL;
+ PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
+ return NULL;
}
chain = CERT_NewCertList();
if (!chain) {
- return NULL;
+ return NULL;
}
cert = CERT_DupCertificate(ss->sec.peerCert);
if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
- goto loser;
+ goto loser;
}
for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) {
- cert = CERT_DupCertificate(cur->cert);
- if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
- goto loser;
- }
+ cert = CERT_DupCertificate(cur->cert);
+ if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
+ goto loser;
+ }
}
return chain;
@@ -75,27 +75,25 @@ SSL_LocalCertificate(PRFileDesc *fd)
ss = ssl_FindSocket(fd);
if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
- SSL_GETPID(), fd));
- return NULL;
+ SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
+ SSL_GETPID(), fd));
+ return NULL;
}
if (ss->opt.useSecurity) {
- if (ss->sec.localCert) {
- return CERT_DupCertificate(ss->sec.localCert);
- }
- if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) {
- return CERT_DupCertificate(ss->sec.ci.sid->localCert);
- }
+ if (ss->sec.localCert) {
+ return CERT_DupCertificate(ss->sec.localCert);
+ }
+ if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) {
+ return CERT_DupCertificate(ss->sec.ci.sid->localCert);
+ }
}
return NULL;
}
-
-
/* NEED LOCKS IN HERE. */
SECStatus
SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
- char **ip, char **sp)
+ char **ip, char **sp)
{
sslSocket *ss;
const char *cipherName;
@@ -103,74 +101,81 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
ss = ssl_FindSocket(fd);
if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus",
- SSL_GETPID(), fd));
- return SECFailure;
+ SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus",
+ SSL_GETPID(), fd));
+ return SECFailure;
}
- if (cp) *cp = 0;
- if (kp0) *kp0 = 0;
- if (kp1) *kp1 = 0;
- if (ip) *ip = 0;
- if (sp) *sp = 0;
+ if (cp)
+ *cp = 0;
+ if (kp0)
+ *kp0 = 0;
+ if (kp1)
+ *kp1 = 0;
+ if (ip)
+ *ip = 0;
+ if (sp)
+ *sp = 0;
if (op) {
- *op = SSL_SECURITY_STATUS_OFF;
+ *op = SSL_SECURITY_STATUS_OFF;
}
if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
- if (ss->version < SSL_LIBRARY_VERSION_3_0) {
- cipherName = ssl_cipherName[ss->sec.cipherType];
- } else {
- cipherName = ssl3_cipherName[ss->sec.cipherType];
- }
- PORT_Assert(cipherName);
- if (cipherName) {
- if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE;
+ if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+ cipherName = ssl_cipherName[ss->sec.cipherType];
+ } else {
+ cipherName = ssl3_cipherName[ss->sec.cipherType];
+ }
+ PORT_Assert(cipherName);
+ if (cipherName) {
+ if (PORT_Strstr(cipherName, "DES"))
+ isDes = PR_TRUE;
if (cp) {
*cp = PORT_Strdup(cipherName);
}
}
- if (kp0) {
- *kp0 = ss->sec.keyBits;
- if (isDes) *kp0 = (*kp0 * 7) / 8;
- }
- if (kp1) {
- *kp1 = ss->sec.secretKeyBits;
- if (isDes) *kp1 = (*kp1 * 7) / 8;
- }
- if (op) {
- if (ss->sec.keyBits == 0) {
- *op = SSL_SECURITY_STATUS_OFF;
- } else if (ss->sec.secretKeyBits < 90) {
- *op = SSL_SECURITY_STATUS_ON_LOW;
-
- } else {
- *op = SSL_SECURITY_STATUS_ON_HIGH;
- }
- }
-
- if (ip || sp) {
- CERTCertificate *cert;
-
- cert = ss->sec.peerCert;
- if (cert) {
- if (ip) {
- *ip = CERT_NameToAscii(&cert->issuer);
- }
- if (sp) {
- *sp = CERT_NameToAscii(&cert->subject);
- }
- } else {
- if (ip) {
- *ip = PORT_Strdup("no certificate");
- }
- if (sp) {
- *sp = PORT_Strdup("no certificate");
- }
- }
- }
+ if (kp0) {
+ *kp0 = ss->sec.keyBits;
+ if (isDes)
+ *kp0 = (*kp0 * 7) / 8;
+ }
+ if (kp1) {
+ *kp1 = ss->sec.secretKeyBits;
+ if (isDes)
+ *kp1 = (*kp1 * 7) / 8;
+ }
+ if (op) {
+ if (ss->sec.keyBits == 0) {
+ *op = SSL_SECURITY_STATUS_OFF;
+ } else if (ss->sec.secretKeyBits < 90) {
+ *op = SSL_SECURITY_STATUS_ON_LOW;
+ } else {
+ *op = SSL_SECURITY_STATUS_ON_HIGH;
+ }
+ }
+
+ if (ip || sp) {
+ CERTCertificate *cert;
+
+ cert = ss->sec.peerCert;
+ if (cert) {
+ if (ip) {
+ *ip = CERT_NameToAscii(&cert->issuer);
+ }
+ if (sp) {
+ *sp = CERT_NameToAscii(&cert->subject);
+ }
+ } else {
+ if (ip) {
+ *ip = PORT_Strdup("no certificate");
+ }
+ if (sp) {
+ *sp = PORT_Strdup("no certificate");
+ }
+ }
+ }
}
return SECSuccess;
@@ -186,9 +191,9 @@ SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg)
ss = ssl_FindSocket(s);
if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook",
- SSL_GETPID(), s));
- return SECFailure;
+ SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook",
+ SSL_GETPID(), s));
+ return SECFailure;
}
ss->authCertificate = func;
@@ -198,17 +203,17 @@ SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg)
}
/* NEED LOCKS IN HERE. */
-SECStatus
+SECStatus
SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
- void *arg)
+ void *arg)
{
sslSocket *ss;
ss = ssl_FindSocket(s);
if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
- SSL_GETPID(), s));
- return SECFailure;
+ SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
+ SSL_GETPID(), s));
+ return SECFailure;
}
ss->getClientAuthData = func;
@@ -218,14 +223,15 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
SECStatus
SSL_SetClientChannelIDCallback(PRFileDesc *fd,
- SSLClientChannelIDCallback callback,
- void *arg) {
+ SSLClientChannelIDCallback callback,
+ void *arg)
+{
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback",
- SSL_GETPID(), fd));
- return SECFailure;
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback",
+ SSL_GETPID(), fd));
+ return SECFailure;
}
ss->getChannelID = callback;
@@ -234,100 +240,77 @@ SSL_SetClientChannelIDCallback(PRFileDesc *fd,
return SECSuccess;
}
-#ifdef NSS_PLATFORM_CLIENT_AUTH
-/* NEED LOCKS IN HERE. */
-SECStatus
-SSL_GetPlatformClientAuthDataHook(PRFileDesc *s,
- SSLGetPlatformClientAuthData func,
- void *arg)
-{
- sslSocket *ss;
-
- ss = ssl_FindSocket(s);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook",
- SSL_GETPID(), s));
- return SECFailure;
- }
-
- ss->getPlatformClientAuthData = func;
- ss->getPlatformClientAuthDataArg = arg;
- return SECSuccess;
-}
-#endif /* NSS_PLATFORM_CLIENT_AUTH */
-
/* NEED LOCKS IN HERE. */
-SECStatus
+SECStatus
SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
{
sslSocket *ss;
ss = ssl_FindSocket(s);
if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
- SSL_GETPID(), s));
- return SECFailure;
+ SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
+ SSL_GETPID(), s));
+ return SECFailure;
}
ss->pkcs11PinArg = arg;
return SECSuccess;
}
-
-/* This is the "default" authCert callback function. It is called when a
+/* This is the "default" authCert callback function. It is called when a
* certificate message is received from the peer and the local application
* has not registered an authCert callback function.
*/
SECStatus
SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
{
- SECStatus rv;
- CERTCertDBHandle * handle;
- sslSocket * ss;
- SECCertUsage certUsage;
- const char * hostname = NULL;
- PRTime now = PR_Now();
- SECItemArray * certStatusArray;
-
+ SECStatus rv;
+ CERTCertDBHandle *handle;
+ sslSocket *ss;
+ SECCertUsage certUsage;
+ const char *hostname = NULL;
+ PRTime now = PR_Now();
+ SECItemArray *certStatusArray;
+
ss = ssl_FindSocket(fd);
PORT_Assert(ss != NULL);
if (!ss) {
- return SECFailure;
+ return SECFailure;
}
handle = (CERTCertDBHandle *)arg;
certStatusArray = &ss->sec.ci.sid->peerCertStatus;
if (certStatusArray->len) {
- PORT_SetError(0);
- if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now,
- &certStatusArray->items[0],
- ss->pkcs11PinArg)
- != SECSuccess) {
- PORT_Assert(PR_GetError() != 0);
- }
+ PORT_SetError(0);
+ if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now,
+ &certStatusArray->items[0],
+ ss->pkcs11PinArg) !=
+ SECSuccess) {
+ PORT_Assert(PR_GetError() != 0);
+ }
}
/* this may seem backwards, but isn't. */
certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage,
- now, ss->pkcs11PinArg, NULL);
+ now, ss->pkcs11PinArg, NULL);
+
+ if (rv != SECSuccess || isServer)
+ return rv;
- if ( rv != SECSuccess || isServer )
- return rv;
-
/* cert is OK. This is the client side of an SSL connection.
* Now check the name field in the cert against the desired hostname.
* NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
*/
hostname = ss->url;
if (hostname && hostname[0])
- rv = CERT_VerifyCertName(ss->sec.peerCert, hostname);
- else
- rv = SECFailure;
+ rv = CERT_VerifyCertName(ss->sec.peerCert, hostname);
+ else
+ rv = SECFailure;
if (rv != SECSuccess)
- PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
+ PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
return rv;
}
« no previous file with comments | « net/third_party/nss/ssl/ssl3prot.h ('k') | net/third_party/nss/ssl/sslcon.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698