| OLD | NEW |
|---|
| (Empty) |
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
| 4 #include "cert.h" | |
| 5 #include "secitem.h" | |
| 6 #include "ssl.h" | |
| 7 #include "sslimpl.h" | |
| 8 #include "sslproto.h" | |
| 9 #include "pk11func.h" | |
| 10 #include "ocsp.h" | |
| 11 | |
| 12 /* NEED LOCKS IN HERE. */ | |
| 13 CERTCertificate * | |
| 14 SSL_PeerCertificate(PRFileDesc *fd) | |
| 15 { | |
| 16 sslSocket *ss; | |
| 17 | |
| 18 ss = ssl_FindSocket(fd); | |
| 19 if (!ss) { | |
| 20 SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", | |
| 21 SSL_GETPID(), fd)); | |
| 22 return 0; | |
| 23 } | |
| 24 if (ss->opt.useSecurity && ss->sec.peerCert) { | |
| 25 return CERT_DupCertificate(ss->sec.peerCert); | |
| 26 } | |
| 27 return 0; | |
| 28 } | |
| 29 | |
| 30 /* NEED LOCKS IN HERE. */ | |
| 31 CERTCertList * | |
| 32 SSL_PeerCertificateChain(PRFileDesc *fd) | |
| 33 { | |
| 34 sslSocket *ss; | |
| 35 CERTCertList *chain = NULL; | |
| 36 CERTCertificate *cert; | |
| 37 ssl3CertNode *cur; | |
| 38 | |
| 39 ss = ssl_FindSocket(fd); | |
| 40 if (!ss) { | |
| 41 SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain", | |
| 42 SSL_GETPID(), fd)); | |
| 43 return NULL; | |
| 44 } | |
| 45 if (!ss->opt.useSecurity || !ss->sec.peerCert) { | |
| 46 PORT_SetError(SSL_ERROR_NO_CERTIFICATE); | |
| 47 return NULL; | |
| 48 } | |
| 49 chain = CERT_NewCertList(); | |
| 50 if (!chain) { | |
| 51 return NULL; | |
| 52 } | |
| 53 cert = CERT_DupCertificate(ss->sec.peerCert); | |
| 54 if (CERT_AddCertToListTail(chain, cert) != SECSuccess) { | |
| 55 goto loser; | |
| 56 } | |
| 57 for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) { | |
| 58 cert = CERT_DupCertificate(cur->cert); | |
| 59 if (CERT_AddCertToListTail(chain, cert) != SECSuccess) { | |
| 60 goto loser; | |
| 61 } | |
| 62 } | |
| 63 return chain; | |
| 64 | |
| 65 loser: | |
| 66 CERT_DestroyCertList(chain); | |
| 67 return NULL; | |
| 68 } | |
| 69 | |
| 70 /* NEED LOCKS IN HERE. */ | |
| 71 CERTCertificate * | |
| 72 SSL_LocalCertificate(PRFileDesc *fd) | |
| 73 { | |
| 74 sslSocket *ss; | |
| 75 | |
| 76 ss = ssl_FindSocket(fd); | |
| 77 if (!ss) { | |
| 78 SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", | |
| 79 SSL_GETPID(), fd)); | |
| 80 return NULL; | |
| 81 } | |
| 82 if (ss->opt.useSecurity) { | |
| 83 if (ss->sec.localCert) { | |
| 84 return CERT_DupCertificate(ss->sec.localCert); | |
| 85 } | |
| 86 if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) { | |
| 87 return CERT_DupCertificate(ss->sec.ci.sid->localCert); | |
| 88 } | |
| 89 } | |
| 90 return NULL; | |
| 91 } | |
| 92 | |
| 93 /* NEED LOCKS IN HERE. */ | |
| 94 SECStatus | |
| 95 SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, | |
| 96 char **ip, char **sp) | |
| 97 { | |
| 98 sslSocket *ss; | |
| 99 const char *cipherName; | |
| 100 PRBool isDes = PR_FALSE; | |
| 101 | |
| 102 ss = ssl_FindSocket(fd); | |
| 103 if (!ss) { | |
| 104 SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus", | |
| 105 SSL_GETPID(), fd)); | |
| 106 return SECFailure; | |
| 107 } | |
| 108 | |
| 109 if (cp) | |
| 110 *cp = 0; | |
| 111 if (kp0) | |
| 112 *kp0 = 0; | |
| 113 if (kp1) | |
| 114 *kp1 = 0; | |
| 115 if (ip) | |
| 116 *ip = 0; | |
| 117 if (sp) | |
| 118 *sp = 0; | |
| 119 if (op) { | |
| 120 *op = SSL_SECURITY_STATUS_OFF; | |
| 121 } | |
| 122 | |
| 123 if (ss->opt.useSecurity && ss->enoughFirstHsDone) { | |
| 124 if (ss->version < SSL_LIBRARY_VERSION_3_0) { | |
| 125 cipherName = ssl_cipherName[ss->sec.cipherType]; | |
| 126 } else { | |
| 127 cipherName = ssl3_cipherName[ss->sec.cipherType]; | |
| 128 } | |
| 129 PORT_Assert(cipherName); | |
| 130 if (cipherName) { | |
| 131 if (PORT_Strstr(cipherName, "DES")) | |
| 132 isDes = PR_TRUE; | |
| 133 | |
| 134 if (cp) { | |
| 135 *cp = PORT_Strdup(cipherName); | |
| 136 } | |
| 137 } | |
| 138 | |
| 139 if (kp0) { | |
| 140 *kp0 = ss->sec.keyBits; | |
| 141 if (isDes) | |
| 142 *kp0 = (*kp0 * 7) / 8; | |
| 143 } | |
| 144 if (kp1) { | |
| 145 *kp1 = ss->sec.secretKeyBits; | |
| 146 if (isDes) | |
| 147 *kp1 = (*kp1 * 7) / 8; | |
| 148 } | |
| 149 if (op) { | |
| 150 if (ss->sec.keyBits == 0) { | |
| 151 *op = SSL_SECURITY_STATUS_OFF; | |
| 152 } else if (ss->sec.secretKeyBits < 90) { | |
| 153 *op = SSL_SECURITY_STATUS_ON_LOW; | |
| 154 } else { | |
| 155 *op = SSL_SECURITY_STATUS_ON_HIGH; | |
| 156 } | |
| 157 } | |
| 158 | |
| 159 if (ip || sp) { | |
| 160 CERTCertificate *cert; | |
| 161 | |
| 162 cert = ss->sec.peerCert; | |
| 163 if (cert) { | |
| 164 if (ip) { | |
| 165 *ip = CERT_NameToAscii(&cert->issuer); | |
| 166 } | |
| 167 if (sp) { | |
| 168 *sp = CERT_NameToAscii(&cert->subject); | |
| 169 } | |
| 170 } else { | |
| 171 if (ip) { | |
| 172 *ip = PORT_Strdup("no certificate"); | |
| 173 } | |
| 174 if (sp) { | |
| 175 *sp = PORT_Strdup("no certificate"); | |
| 176 } | |
| 177 } | |
| 178 } | |
| 179 } | |
| 180 | |
| 181 return SECSuccess; | |
| 182 } | |
| 183 | |
| 184 /************************************************************************/ | |
| 185 | |
| 186 /* NEED LOCKS IN HERE. */ | |
| 187 SECStatus | |
| 188 SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg) | |
| 189 { | |
| 190 sslSocket *ss; | |
| 191 | |
| 192 ss = ssl_FindSocket(s); | |
| 193 if (!ss) { | |
| 194 SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook", | |
| 195 SSL_GETPID(), s)); | |
| 196 return SECFailure; | |
| 197 } | |
| 198 | |
| 199 ss->authCertificate = func; | |
| 200 ss->authCertificateArg = arg; | |
| 201 | |
| 202 return SECSuccess; | |
| 203 } | |
| 204 | |
| 205 /* NEED LOCKS IN HERE. */ | |
| 206 SECStatus | |
| 207 SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func, | |
| 208 void *arg) | |
| 209 { | |
| 210 sslSocket *ss; | |
| 211 | |
| 212 ss = ssl_FindSocket(s); | |
| 213 if (!ss) { | |
| 214 SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook", | |
| 215 SSL_GETPID(), s)); | |
| 216 return SECFailure; | |
| 217 } | |
| 218 | |
| 219 ss->getClientAuthData = func; | |
| 220 ss->getClientAuthDataArg = arg; | |
| 221 return SECSuccess; | |
| 222 } | |
| 223 | |
| 224 SECStatus | |
| 225 SSL_SetClientChannelIDCallback(PRFileDesc *fd, | |
| 226 SSLClientChannelIDCallback callback, | |
| 227 void *arg) | |
| 228 { | |
| 229 sslSocket *ss = ssl_FindSocket(fd); | |
| 230 | |
| 231 if (!ss) { | |
| 232 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback", | |
| 233 SSL_GETPID(), fd)); | |
| 234 return SECFailure; | |
| 235 } | |
| 236 | |
| 237 ss->getChannelID = callback; | |
| 238 ss->getChannelIDArg = arg; | |
| 239 | |
| 240 return SECSuccess; | |
| 241 } | |
| 242 | |
| 243 /* NEED LOCKS IN HERE. */ | |
| 244 SECStatus | |
| 245 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) | |
| 246 { | |
| 247 sslSocket *ss; | |
| 248 | |
| 249 ss = ssl_FindSocket(s); | |
| 250 if (!ss) { | |
| 251 SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook", | |
| 252 SSL_GETPID(), s)); | |
| 253 return SECFailure; | |
| 254 } | |
| 255 | |
| 256 ss->pkcs11PinArg = arg; | |
| 257 return SECSuccess; | |
| 258 } | |
| 259 | |
| 260 /* This is the "default" authCert callback function. It is called when a | |
| 261 * certificate message is received from the peer and the local application | |
| 262 * has not registered an authCert callback function. | |
| 263 */ | |
| 264 SECStatus | |
| 265 SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer) | |
| 266 { | |
| 267 SECStatus rv; | |
| 268 CERTCertDBHandle *handle; | |
| 269 sslSocket *ss; | |
| 270 SECCertUsage certUsage; | |
| 271 const char *hostname = NULL; | |
| 272 PRTime now = PR_Now(); | |
| 273 SECItemArray *certStatusArray; | |
| 274 | |
| 275 ss = ssl_FindSocket(fd); | |
| 276 PORT_Assert(ss != NULL); | |
| 277 if (!ss) { | |
| 278 return SECFailure; | |
| 279 } | |
| 280 | |
| 281 handle = (CERTCertDBHandle *)arg; | |
| 282 certStatusArray = &ss->sec.ci.sid->peerCertStatus; | |
| 283 | |
| 284 if (certStatusArray->len) { | |
| 285 PORT_SetError(0); | |
| 286 if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now, | |
| 287 &certStatusArray->items[0], | |
| 288 ss->pkcs11PinArg) != | |
| 289 SECSuccess) { | |
| 290 PORT_Assert(PR_GetError() != 0); | |
| 291 } | |
| 292 } | |
| 293 | |
| 294 /* this may seem backwards, but isn't. */ | |
| 295 certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; | |
| 296 | |
| 297 rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage, | |
| 298 now, ss->pkcs11PinArg, NULL); | |
| 299 | |
| 300 if (rv != SECSuccess || isServer) | |
| 301 return rv; | |
| 302 | |
| 303 /* cert is OK. This is the client side of an SSL connection. | |
| 304 * Now check the name field in the cert against the desired hostname. | |
| 305 * NB: This is our only defense against Man-In-The-Middle (MITM) attacks! | |
| 306 */ | |
| 307 hostname = ss->url; | |
| 308 if (hostname && hostname[0]) | |
| 309 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); | |
| 310 else | |
| 311 rv = SECFailure; | |
| 312 if (rv != SECSuccess) | |
| 313 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); | |
| 314 | |
| 315 return rv; | |
| 316 } | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1882433002:
Removing NSS files and USE_OPENSSL flag (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master