Index: net/third_party/nss/ssl/sslauth.c |
diff --git a/net/third_party/nss/ssl/sslauth.c b/net/third_party/nss/ssl/sslauth.c |
index 03b23b48d12c11b233ce352051088a58358aea29..e78a513a6ea6eb57d63677d2a1c2e02ae7c8a0b9 100644 |
--- a/net/third_party/nss/ssl/sslauth.c |
+++ b/net/third_party/nss/ssl/sslauth.c |
@@ -17,12 +17,12 @@ SSL_PeerCertificate(PRFileDesc *fd) |
ss = ssl_FindSocket(fd); |
if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", |
- SSL_GETPID(), fd)); |
- return 0; |
+ SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", |
+ SSL_GETPID(), fd)); |
+ return 0; |
} |
if (ss->opt.useSecurity && ss->sec.peerCert) { |
- return CERT_DupCertificate(ss->sec.peerCert); |
+ return CERT_DupCertificate(ss->sec.peerCert); |
} |
return 0; |
} |
@@ -38,27 +38,27 @@ SSL_PeerCertificateChain(PRFileDesc *fd) |
ss = ssl_FindSocket(fd); |
if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain", |
- SSL_GETPID(), fd)); |
- return NULL; |
+ SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain", |
+ SSL_GETPID(), fd)); |
+ return NULL; |
} |
if (!ss->opt.useSecurity || !ss->sec.peerCert) { |
- PORT_SetError(SSL_ERROR_NO_CERTIFICATE); |
- return NULL; |
+ PORT_SetError(SSL_ERROR_NO_CERTIFICATE); |
+ return NULL; |
} |
chain = CERT_NewCertList(); |
if (!chain) { |
- return NULL; |
+ return NULL; |
} |
cert = CERT_DupCertificate(ss->sec.peerCert); |
if (CERT_AddCertToListTail(chain, cert) != SECSuccess) { |
- goto loser; |
+ goto loser; |
} |
for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) { |
- cert = CERT_DupCertificate(cur->cert); |
- if (CERT_AddCertToListTail(chain, cert) != SECSuccess) { |
- goto loser; |
- } |
+ cert = CERT_DupCertificate(cur->cert); |
+ if (CERT_AddCertToListTail(chain, cert) != SECSuccess) { |
+ goto loser; |
+ } |
} |
return chain; |
@@ -75,27 +75,25 @@ SSL_LocalCertificate(PRFileDesc *fd) |
ss = ssl_FindSocket(fd); |
if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", |
- SSL_GETPID(), fd)); |
- return NULL; |
+ SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", |
+ SSL_GETPID(), fd)); |
+ return NULL; |
} |
if (ss->opt.useSecurity) { |
- if (ss->sec.localCert) { |
- return CERT_DupCertificate(ss->sec.localCert); |
- } |
- if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) { |
- return CERT_DupCertificate(ss->sec.ci.sid->localCert); |
- } |
+ if (ss->sec.localCert) { |
+ return CERT_DupCertificate(ss->sec.localCert); |
+ } |
+ if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) { |
+ return CERT_DupCertificate(ss->sec.ci.sid->localCert); |
+ } |
} |
return NULL; |
} |
- |
- |
/* NEED LOCKS IN HERE. */ |
SECStatus |
SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, |
- char **ip, char **sp) |
+ char **ip, char **sp) |
{ |
sslSocket *ss; |
const char *cipherName; |
@@ -103,74 +101,81 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, |
ss = ssl_FindSocket(fd); |
if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus", |
- SSL_GETPID(), fd)); |
- return SECFailure; |
+ SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus", |
+ SSL_GETPID(), fd)); |
+ return SECFailure; |
} |
- if (cp) *cp = 0; |
- if (kp0) *kp0 = 0; |
- if (kp1) *kp1 = 0; |
- if (ip) *ip = 0; |
- if (sp) *sp = 0; |
+ if (cp) |
+ *cp = 0; |
+ if (kp0) |
+ *kp0 = 0; |
+ if (kp1) |
+ *kp1 = 0; |
+ if (ip) |
+ *ip = 0; |
+ if (sp) |
+ *sp = 0; |
if (op) { |
- *op = SSL_SECURITY_STATUS_OFF; |
+ *op = SSL_SECURITY_STATUS_OFF; |
} |
if (ss->opt.useSecurity && ss->enoughFirstHsDone) { |
- if (ss->version < SSL_LIBRARY_VERSION_3_0) { |
- cipherName = ssl_cipherName[ss->sec.cipherType]; |
- } else { |
- cipherName = ssl3_cipherName[ss->sec.cipherType]; |
- } |
- PORT_Assert(cipherName); |
- if (cipherName) { |
- if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE; |
+ if (ss->version < SSL_LIBRARY_VERSION_3_0) { |
+ cipherName = ssl_cipherName[ss->sec.cipherType]; |
+ } else { |
+ cipherName = ssl3_cipherName[ss->sec.cipherType]; |
+ } |
+ PORT_Assert(cipherName); |
+ if (cipherName) { |
+ if (PORT_Strstr(cipherName, "DES")) |
+ isDes = PR_TRUE; |
if (cp) { |
*cp = PORT_Strdup(cipherName); |
} |
} |
- if (kp0) { |
- *kp0 = ss->sec.keyBits; |
- if (isDes) *kp0 = (*kp0 * 7) / 8; |
- } |
- if (kp1) { |
- *kp1 = ss->sec.secretKeyBits; |
- if (isDes) *kp1 = (*kp1 * 7) / 8; |
- } |
- if (op) { |
- if (ss->sec.keyBits == 0) { |
- *op = SSL_SECURITY_STATUS_OFF; |
- } else if (ss->sec.secretKeyBits < 90) { |
- *op = SSL_SECURITY_STATUS_ON_LOW; |
- |
- } else { |
- *op = SSL_SECURITY_STATUS_ON_HIGH; |
- } |
- } |
- |
- if (ip || sp) { |
- CERTCertificate *cert; |
- |
- cert = ss->sec.peerCert; |
- if (cert) { |
- if (ip) { |
- *ip = CERT_NameToAscii(&cert->issuer); |
- } |
- if (sp) { |
- *sp = CERT_NameToAscii(&cert->subject); |
- } |
- } else { |
- if (ip) { |
- *ip = PORT_Strdup("no certificate"); |
- } |
- if (sp) { |
- *sp = PORT_Strdup("no certificate"); |
- } |
- } |
- } |
+ if (kp0) { |
+ *kp0 = ss->sec.keyBits; |
+ if (isDes) |
+ *kp0 = (*kp0 * 7) / 8; |
+ } |
+ if (kp1) { |
+ *kp1 = ss->sec.secretKeyBits; |
+ if (isDes) |
+ *kp1 = (*kp1 * 7) / 8; |
+ } |
+ if (op) { |
+ if (ss->sec.keyBits == 0) { |
+ *op = SSL_SECURITY_STATUS_OFF; |
+ } else if (ss->sec.secretKeyBits < 90) { |
+ *op = SSL_SECURITY_STATUS_ON_LOW; |
+ } else { |
+ *op = SSL_SECURITY_STATUS_ON_HIGH; |
+ } |
+ } |
+ |
+ if (ip || sp) { |
+ CERTCertificate *cert; |
+ |
+ cert = ss->sec.peerCert; |
+ if (cert) { |
+ if (ip) { |
+ *ip = CERT_NameToAscii(&cert->issuer); |
+ } |
+ if (sp) { |
+ *sp = CERT_NameToAscii(&cert->subject); |
+ } |
+ } else { |
+ if (ip) { |
+ *ip = PORT_Strdup("no certificate"); |
+ } |
+ if (sp) { |
+ *sp = PORT_Strdup("no certificate"); |
+ } |
+ } |
+ } |
} |
return SECSuccess; |
@@ -186,9 +191,9 @@ SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg) |
ss = ssl_FindSocket(s); |
if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook", |
- SSL_GETPID(), s)); |
- return SECFailure; |
+ SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook", |
+ SSL_GETPID(), s)); |
+ return SECFailure; |
} |
ss->authCertificate = func; |
@@ -198,17 +203,17 @@ SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg) |
} |
/* NEED LOCKS IN HERE. */ |
-SECStatus |
+SECStatus |
SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func, |
- void *arg) |
+ void *arg) |
{ |
sslSocket *ss; |
ss = ssl_FindSocket(s); |
if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook", |
- SSL_GETPID(), s)); |
- return SECFailure; |
+ SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook", |
+ SSL_GETPID(), s)); |
+ return SECFailure; |
} |
ss->getClientAuthData = func; |
@@ -218,14 +223,15 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func, |
SECStatus |
SSL_SetClientChannelIDCallback(PRFileDesc *fd, |
- SSLClientChannelIDCallback callback, |
- void *arg) { |
+ SSLClientChannelIDCallback callback, |
+ void *arg) |
+{ |
sslSocket *ss = ssl_FindSocket(fd); |
if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback", |
- SSL_GETPID(), fd)); |
- return SECFailure; |
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback", |
+ SSL_GETPID(), fd)); |
+ return SECFailure; |
} |
ss->getChannelID = callback; |
@@ -234,100 +240,77 @@ SSL_SetClientChannelIDCallback(PRFileDesc *fd, |
return SECSuccess; |
} |
-#ifdef NSS_PLATFORM_CLIENT_AUTH |
-/* NEED LOCKS IN HERE. */ |
-SECStatus |
-SSL_GetPlatformClientAuthDataHook(PRFileDesc *s, |
- SSLGetPlatformClientAuthData func, |
- void *arg) |
-{ |
- sslSocket *ss; |
- |
- ss = ssl_FindSocket(s); |
- if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook", |
- SSL_GETPID(), s)); |
- return SECFailure; |
- } |
- |
- ss->getPlatformClientAuthData = func; |
- ss->getPlatformClientAuthDataArg = arg; |
- return SECSuccess; |
-} |
-#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
- |
/* NEED LOCKS IN HERE. */ |
-SECStatus |
+SECStatus |
SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) |
{ |
sslSocket *ss; |
ss = ssl_FindSocket(s); |
if (!ss) { |
- SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook", |
- SSL_GETPID(), s)); |
- return SECFailure; |
+ SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook", |
+ SSL_GETPID(), s)); |
+ return SECFailure; |
} |
ss->pkcs11PinArg = arg; |
return SECSuccess; |
} |
- |
-/* This is the "default" authCert callback function. It is called when a |
+/* This is the "default" authCert callback function. It is called when a |
* certificate message is received from the peer and the local application |
* has not registered an authCert callback function. |
*/ |
SECStatus |
SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer) |
{ |
- SECStatus rv; |
- CERTCertDBHandle * handle; |
- sslSocket * ss; |
- SECCertUsage certUsage; |
- const char * hostname = NULL; |
- PRTime now = PR_Now(); |
- SECItemArray * certStatusArray; |
- |
+ SECStatus rv; |
+ CERTCertDBHandle *handle; |
+ sslSocket *ss; |
+ SECCertUsage certUsage; |
+ const char *hostname = NULL; |
+ PRTime now = PR_Now(); |
+ SECItemArray *certStatusArray; |
+ |
ss = ssl_FindSocket(fd); |
PORT_Assert(ss != NULL); |
if (!ss) { |
- return SECFailure; |
+ return SECFailure; |
} |
handle = (CERTCertDBHandle *)arg; |
certStatusArray = &ss->sec.ci.sid->peerCertStatus; |
if (certStatusArray->len) { |
- PORT_SetError(0); |
- if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now, |
- &certStatusArray->items[0], |
- ss->pkcs11PinArg) |
- != SECSuccess) { |
- PORT_Assert(PR_GetError() != 0); |
- } |
+ PORT_SetError(0); |
+ if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now, |
+ &certStatusArray->items[0], |
+ ss->pkcs11PinArg) != |
+ SECSuccess) { |
+ PORT_Assert(PR_GetError() != 0); |
+ } |
} |
/* this may seem backwards, but isn't. */ |
certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; |
rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage, |
- now, ss->pkcs11PinArg, NULL); |
+ now, ss->pkcs11PinArg, NULL); |
+ |
+ if (rv != SECSuccess || isServer) |
+ return rv; |
- if ( rv != SECSuccess || isServer ) |
- return rv; |
- |
/* cert is OK. This is the client side of an SSL connection. |
* Now check the name field in the cert against the desired hostname. |
* NB: This is our only defense against Man-In-The-Middle (MITM) attacks! |
*/ |
hostname = ss->url; |
if (hostname && hostname[0]) |
- rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); |
- else |
- rv = SECFailure; |
+ rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); |
+ else |
+ rv = SECFailure; |
if (rv != SECSuccess) |
- PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); |
+ PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); |
return rv; |
} |