OLD | NEW |
| (Empty) |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
4 #include "cert.h" | |
5 #include "secitem.h" | |
6 #include "ssl.h" | |
7 #include "sslimpl.h" | |
8 #include "sslproto.h" | |
9 #include "pk11func.h" | |
10 #include "ocsp.h" | |
11 | |
12 /* NEED LOCKS IN HERE. */ | |
13 CERTCertificate * | |
14 SSL_PeerCertificate(PRFileDesc *fd) | |
15 { | |
16 sslSocket *ss; | |
17 | |
18 ss = ssl_FindSocket(fd); | |
19 if (!ss) { | |
20 SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", | |
21 SSL_GETPID(), fd)); | |
22 return 0; | |
23 } | |
24 if (ss->opt.useSecurity && ss->sec.peerCert) { | |
25 return CERT_DupCertificate(ss->sec.peerCert); | |
26 } | |
27 return 0; | |
28 } | |
29 | |
30 /* NEED LOCKS IN HERE. */ | |
31 CERTCertList * | |
32 SSL_PeerCertificateChain(PRFileDesc *fd) | |
33 { | |
34 sslSocket *ss; | |
35 CERTCertList *chain = NULL; | |
36 CERTCertificate *cert; | |
37 ssl3CertNode *cur; | |
38 | |
39 ss = ssl_FindSocket(fd); | |
40 if (!ss) { | |
41 SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain", | |
42 SSL_GETPID(), fd)); | |
43 return NULL; | |
44 } | |
45 if (!ss->opt.useSecurity || !ss->sec.peerCert) { | |
46 PORT_SetError(SSL_ERROR_NO_CERTIFICATE); | |
47 return NULL; | |
48 } | |
49 chain = CERT_NewCertList(); | |
50 if (!chain) { | |
51 return NULL; | |
52 } | |
53 cert = CERT_DupCertificate(ss->sec.peerCert); | |
54 if (CERT_AddCertToListTail(chain, cert) != SECSuccess) { | |
55 goto loser; | |
56 } | |
57 for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) { | |
58 cert = CERT_DupCertificate(cur->cert); | |
59 if (CERT_AddCertToListTail(chain, cert) != SECSuccess) { | |
60 goto loser; | |
61 } | |
62 } | |
63 return chain; | |
64 | |
65 loser: | |
66 CERT_DestroyCertList(chain); | |
67 return NULL; | |
68 } | |
69 | |
70 /* NEED LOCKS IN HERE. */ | |
71 CERTCertificate * | |
72 SSL_LocalCertificate(PRFileDesc *fd) | |
73 { | |
74 sslSocket *ss; | |
75 | |
76 ss = ssl_FindSocket(fd); | |
77 if (!ss) { | |
78 SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", | |
79 SSL_GETPID(), fd)); | |
80 return NULL; | |
81 } | |
82 if (ss->opt.useSecurity) { | |
83 if (ss->sec.localCert) { | |
84 return CERT_DupCertificate(ss->sec.localCert); | |
85 } | |
86 if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) { | |
87 return CERT_DupCertificate(ss->sec.ci.sid->localCert); | |
88 } | |
89 } | |
90 return NULL; | |
91 } | |
92 | |
93 /* NEED LOCKS IN HERE. */ | |
94 SECStatus | |
95 SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, | |
96 char **ip, char **sp) | |
97 { | |
98 sslSocket *ss; | |
99 const char *cipherName; | |
100 PRBool isDes = PR_FALSE; | |
101 | |
102 ss = ssl_FindSocket(fd); | |
103 if (!ss) { | |
104 SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus", | |
105 SSL_GETPID(), fd)); | |
106 return SECFailure; | |
107 } | |
108 | |
109 if (cp) | |
110 *cp = 0; | |
111 if (kp0) | |
112 *kp0 = 0; | |
113 if (kp1) | |
114 *kp1 = 0; | |
115 if (ip) | |
116 *ip = 0; | |
117 if (sp) | |
118 *sp = 0; | |
119 if (op) { | |
120 *op = SSL_SECURITY_STATUS_OFF; | |
121 } | |
122 | |
123 if (ss->opt.useSecurity && ss->enoughFirstHsDone) { | |
124 if (ss->version < SSL_LIBRARY_VERSION_3_0) { | |
125 cipherName = ssl_cipherName[ss->sec.cipherType]; | |
126 } else { | |
127 cipherName = ssl3_cipherName[ss->sec.cipherType]; | |
128 } | |
129 PORT_Assert(cipherName); | |
130 if (cipherName) { | |
131 if (PORT_Strstr(cipherName, "DES")) | |
132 isDes = PR_TRUE; | |
133 | |
134 if (cp) { | |
135 *cp = PORT_Strdup(cipherName); | |
136 } | |
137 } | |
138 | |
139 if (kp0) { | |
140 *kp0 = ss->sec.keyBits; | |
141 if (isDes) | |
142 *kp0 = (*kp0 * 7) / 8; | |
143 } | |
144 if (kp1) { | |
145 *kp1 = ss->sec.secretKeyBits; | |
146 if (isDes) | |
147 *kp1 = (*kp1 * 7) / 8; | |
148 } | |
149 if (op) { | |
150 if (ss->sec.keyBits == 0) { | |
151 *op = SSL_SECURITY_STATUS_OFF; | |
152 } else if (ss->sec.secretKeyBits < 90) { | |
153 *op = SSL_SECURITY_STATUS_ON_LOW; | |
154 } else { | |
155 *op = SSL_SECURITY_STATUS_ON_HIGH; | |
156 } | |
157 } | |
158 | |
159 if (ip || sp) { | |
160 CERTCertificate *cert; | |
161 | |
162 cert = ss->sec.peerCert; | |
163 if (cert) { | |
164 if (ip) { | |
165 *ip = CERT_NameToAscii(&cert->issuer); | |
166 } | |
167 if (sp) { | |
168 *sp = CERT_NameToAscii(&cert->subject); | |
169 } | |
170 } else { | |
171 if (ip) { | |
172 *ip = PORT_Strdup("no certificate"); | |
173 } | |
174 if (sp) { | |
175 *sp = PORT_Strdup("no certificate"); | |
176 } | |
177 } | |
178 } | |
179 } | |
180 | |
181 return SECSuccess; | |
182 } | |
183 | |
184 /************************************************************************/ | |
185 | |
186 /* NEED LOCKS IN HERE. */ | |
187 SECStatus | |
188 SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg) | |
189 { | |
190 sslSocket *ss; | |
191 | |
192 ss = ssl_FindSocket(s); | |
193 if (!ss) { | |
194 SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook", | |
195 SSL_GETPID(), s)); | |
196 return SECFailure; | |
197 } | |
198 | |
199 ss->authCertificate = func; | |
200 ss->authCertificateArg = arg; | |
201 | |
202 return SECSuccess; | |
203 } | |
204 | |
205 /* NEED LOCKS IN HERE. */ | |
206 SECStatus | |
207 SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func, | |
208 void *arg) | |
209 { | |
210 sslSocket *ss; | |
211 | |
212 ss = ssl_FindSocket(s); | |
213 if (!ss) { | |
214 SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook", | |
215 SSL_GETPID(), s)); | |
216 return SECFailure; | |
217 } | |
218 | |
219 ss->getClientAuthData = func; | |
220 ss->getClientAuthDataArg = arg; | |
221 return SECSuccess; | |
222 } | |
223 | |
224 SECStatus | |
225 SSL_SetClientChannelIDCallback(PRFileDesc *fd, | |
226 SSLClientChannelIDCallback callback, | |
227 void *arg) | |
228 { | |
229 sslSocket *ss = ssl_FindSocket(fd); | |
230 | |
231 if (!ss) { | |
232 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback", | |
233 SSL_GETPID(), fd)); | |
234 return SECFailure; | |
235 } | |
236 | |
237 ss->getChannelID = callback; | |
238 ss->getChannelIDArg = arg; | |
239 | |
240 return SECSuccess; | |
241 } | |
242 | |
243 /* NEED LOCKS IN HERE. */ | |
244 SECStatus | |
245 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) | |
246 { | |
247 sslSocket *ss; | |
248 | |
249 ss = ssl_FindSocket(s); | |
250 if (!ss) { | |
251 SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook", | |
252 SSL_GETPID(), s)); | |
253 return SECFailure; | |
254 } | |
255 | |
256 ss->pkcs11PinArg = arg; | |
257 return SECSuccess; | |
258 } | |
259 | |
260 /* This is the "default" authCert callback function. It is called when a | |
261 * certificate message is received from the peer and the local application | |
262 * has not registered an authCert callback function. | |
263 */ | |
264 SECStatus | |
265 SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer) | |
266 { | |
267 SECStatus rv; | |
268 CERTCertDBHandle *handle; | |
269 sslSocket *ss; | |
270 SECCertUsage certUsage; | |
271 const char *hostname = NULL; | |
272 PRTime now = PR_Now(); | |
273 SECItemArray *certStatusArray; | |
274 | |
275 ss = ssl_FindSocket(fd); | |
276 PORT_Assert(ss != NULL); | |
277 if (!ss) { | |
278 return SECFailure; | |
279 } | |
280 | |
281 handle = (CERTCertDBHandle *)arg; | |
282 certStatusArray = &ss->sec.ci.sid->peerCertStatus; | |
283 | |
284 if (certStatusArray->len) { | |
285 PORT_SetError(0); | |
286 if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now, | |
287 &certStatusArray->items[0], | |
288 ss->pkcs11PinArg) != | |
289 SECSuccess) { | |
290 PORT_Assert(PR_GetError() != 0); | |
291 } | |
292 } | |
293 | |
294 /* this may seem backwards, but isn't. */ | |
295 certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; | |
296 | |
297 rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage, | |
298 now, ss->pkcs11PinArg, NULL); | |
299 | |
300 if (rv != SECSuccess || isServer) | |
301 return rv; | |
302 | |
303 /* cert is OK. This is the client side of an SSL connection. | |
304 * Now check the name field in the cert against the desired hostname. | |
305 * NB: This is our only defense against Man-In-The-Middle (MITM) attacks! | |
306 */ | |
307 hostname = ss->url; | |
308 if (hostname && hostname[0]) | |
309 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); | |
310 else | |
311 rv = SECFailure; | |
312 if (rv != SECSuccess) | |
313 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); | |
314 | |
315 return rv; | |
316 } | |