net/third_party/nss/ssl/sslauth.c - Issue 1882433002: Removing NSS files and USE_OPENSSL flag

Unified Diff: net/third_party/nss/ssl/sslauth.c

Issue 1882433002: Removing NSS files and USE_OPENSSL flag (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Rebase. Created 4 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/third_party/nss/ssl/sslauth.c

diff --git a/net/third_party/nss/ssl/sslauth.c b/net/third_party/nss/ssl/sslauth.c

deleted file mode 100644

index e78a513a6ea6eb57d63677d2a1c2e02ae7c8a0b9..0000000000000000000000000000000000000000

--- a/net/third_party/nss/ssl/sslauth.c

+++ /dev/null

@@ -1,316 +0,0 @@

-/* This Source Code Form is subject to the terms of the Mozilla Public

- * License, v. 2.0. If a copy of the MPL was not distributed with this

- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

-#include "cert.h"

-#include "secitem.h"

-#include "ssl.h"

-#include "sslimpl.h"

-#include "sslproto.h"

-#include "pk11func.h"

-#include "ocsp.h"

-/* NEED LOCKS IN HERE. */

-CERTCertificate *

-SSL_PeerCertificate(PRFileDesc *fd)

- sslSocket *ss;

- ss = ssl_FindSocket(fd);

- if (!ss) {

- SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",

- SSL_GETPID(), fd));

- return 0;

- }

- if (ss->opt.useSecurity && ss->sec.peerCert) {

- return CERT_DupCertificate(ss->sec.peerCert);

- }

- return 0;

-/* NEED LOCKS IN HERE. */

-CERTCertList *

-SSL_PeerCertificateChain(PRFileDesc *fd)

- sslSocket *ss;

- CERTCertList *chain = NULL;

- CERTCertificate *cert;

- ssl3CertNode *cur;

- ss = ssl_FindSocket(fd);

- if (!ss) {

- SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain",

- SSL_GETPID(), fd));

- return NULL;

- }

- if (!ss->opt.useSecurity || !ss->sec.peerCert) {

- PORT_SetError(SSL_ERROR_NO_CERTIFICATE);

- return NULL;

- }

- chain = CERT_NewCertList();

- if (!chain) {

- return NULL;

- }

- cert = CERT_DupCertificate(ss->sec.peerCert);

- if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {

- goto loser;

- }

- for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) {

- cert = CERT_DupCertificate(cur->cert);

- if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {

- goto loser;

- }

- return chain;

-loser:

- CERT_DestroyCertList(chain);

- return NULL;

-/* NEED LOCKS IN HERE. */

-CERTCertificate *

-SSL_LocalCertificate(PRFileDesc *fd)

- sslSocket *ss;

- ss = ssl_FindSocket(fd);

- if (!ss) {

- SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",

- SSL_GETPID(), fd));

- return NULL;

- }

- if (ss->opt.useSecurity) {

- if (ss->sec.localCert) {

- return CERT_DupCertificate(ss->sec.localCert);

- }

- if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) {

- return CERT_DupCertificate(ss->sec.ci.sid->localCert);

- }

- return NULL;

-/* NEED LOCKS IN HERE. */

-SECStatus

-SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,

- char **ip, char **sp)

- sslSocket *ss;

- const char *cipherName;

- PRBool isDes = PR_FALSE;

- ss = ssl_FindSocket(fd);

- if (!ss) {

- SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus",

- SSL_GETPID(), fd));

- return SECFailure;

- }

- if (cp)

- *cp = 0;

- if (kp0)

- *kp0 = 0;

- if (kp1)

- *kp1 = 0;

- if (ip)

- *ip = 0;

- if (sp)

- *sp = 0;

- if (op) {

- *op = SSL_SECURITY_STATUS_OFF;

- }

- if (ss->opt.useSecurity && ss->enoughFirstHsDone) {

- if (ss->version < SSL_LIBRARY_VERSION_3_0) {

- cipherName = ssl_cipherName[ss->sec.cipherType];

- } else {

- cipherName = ssl3_cipherName[ss->sec.cipherType];

- }

- PORT_Assert(cipherName);

- if (cipherName) {

- if (PORT_Strstr(cipherName, "DES"))

- isDes = PR_TRUE;

- if (cp) {

- *cp = PORT_Strdup(cipherName);

- }

- if (kp0) {

- *kp0 = ss->sec.keyBits;

- if (isDes)

- *kp0 = (*kp0 * 7) / 8;

- }

- if (kp1) {

- *kp1 = ss->sec.secretKeyBits;

- if (isDes)

- *kp1 = (*kp1 * 7) / 8;

- }

- if (op) {

- if (ss->sec.keyBits == 0) {

- *op = SSL_SECURITY_STATUS_OFF;

- } else if (ss->sec.secretKeyBits < 90) {

- *op = SSL_SECURITY_STATUS_ON_LOW;

- } else {

- *op = SSL_SECURITY_STATUS_ON_HIGH;

- }

- if (ip || sp) {

- CERTCertificate *cert;

- cert = ss->sec.peerCert;

- if (cert) {

- if (ip) {

- *ip = CERT_NameToAscii(&cert->issuer);

- }

- if (sp) {

- *sp = CERT_NameToAscii(&cert->subject);

- }

- } else {

- if (ip) {

- *ip = PORT_Strdup("no certificate");

- }

- if (sp) {

- *sp = PORT_Strdup("no certificate");

- }

- return SECSuccess;

-/************************************************************************/

-/* NEED LOCKS IN HERE. */

-SECStatus

-SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg)

- sslSocket *ss;

- ss = ssl_FindSocket(s);

- if (!ss) {

- SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook",

- SSL_GETPID(), s));

- return SECFailure;

- }

- ss->authCertificate = func;

- ss->authCertificateArg = arg;

- return SECSuccess;

-/* NEED LOCKS IN HERE. */

-SECStatus

-SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,

- void *arg)

- sslSocket *ss;

- ss = ssl_FindSocket(s);

- if (!ss) {

- SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",

- SSL_GETPID(), s));

- return SECFailure;

- }

- ss->getClientAuthData = func;

- ss->getClientAuthDataArg = arg;

- return SECSuccess;

-SECStatus

-SSL_SetClientChannelIDCallback(PRFileDesc *fd,

- SSLClientChannelIDCallback callback,

- void *arg)

- sslSocket *ss = ssl_FindSocket(fd);

- if (!ss) {

- SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback",

- SSL_GETPID(), fd));

- return SECFailure;

- }

- ss->getChannelID = callback;

- ss->getChannelIDArg = arg;

- return SECSuccess;

-/* NEED LOCKS IN HERE. */

-SECStatus

-SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)

- sslSocket *ss;

- ss = ssl_FindSocket(s);

- if (!ss) {

- SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",

- SSL_GETPID(), s));

- return SECFailure;

- }

- ss->pkcs11PinArg = arg;

- return SECSuccess;

-/* This is the "default" authCert callback function. It is called when a

- * certificate message is received from the peer and the local application

- * has not registered an authCert callback function.

- */

-SECStatus

-SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)

- SECStatus rv;

- CERTCertDBHandle *handle;

- sslSocket *ss;

- SECCertUsage certUsage;

- const char *hostname = NULL;

- PRTime now = PR_Now();

- SECItemArray *certStatusArray;

- ss = ssl_FindSocket(fd);

- PORT_Assert(ss != NULL);

- if (!ss) {

- return SECFailure;

- }

- handle = (CERTCertDBHandle *)arg;

- certStatusArray = &ss->sec.ci.sid->peerCertStatus;

- if (certStatusArray->len) {

- PORT_SetError(0);

- if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now,

- &certStatusArray->items[0],

- ss->pkcs11PinArg) !=

- SECSuccess) {

- PORT_Assert(PR_GetError() != 0);

- }

- /* this may seem backwards, but isn't. */

- certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;

- rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage,

- now, ss->pkcs11PinArg, NULL);

- if (rv != SECSuccess || isServer)

- return rv;

- /* cert is OK. This is the client side of an SSL connection.

- * Now check the name field in the cert against the desired hostname.

- * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!

- */

- hostname = ss->url;

- if (hostname && hostname[0])

- rv = CERT_VerifyCertName(ss->sec.peerCert, hostname);

- else

- rv = SECFailure;

- if (rv != SECSuccess)

- PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);

- return rv;

« no previous file with comments | « net/third_party/nss/ssl/ssl3prot.h ('k') | net/third_party/nss/ssl/sslcon.c » ('j') | no next file with comments »