Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 4 #include "cert.h" | 4 #include "cert.h" |
| 5 #include "secitem.h" | 5 #include "secitem.h" |
| 6 #include "ssl.h" | 6 #include "ssl.h" |
| 7 #include "sslimpl.h" | 7 #include "sslimpl.h" |
| 8 #include "sslproto.h" | 8 #include "sslproto.h" |
| 9 #include "pk11func.h" | 9 #include "pk11func.h" |
| 10 #include "ocsp.h" | 10 #include "ocsp.h" |
| (...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 88 | 88 |
| 89 | 89 |
| 90 /* NEED LOCKS IN HERE. */ | 90 /* NEED LOCKS IN HERE. */ |
| 91 SECStatus | 91 SECStatus |
| 92 SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, | 92 SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, |
| 93 char **ip, char **sp) | 93 char **ip, char **sp) |
| 94 { | 94 { |
| 95 sslSocket *ss; | 95 sslSocket *ss; |
| 96 const char *cipherName; | 96 const char *cipherName; |
| 97 PRBool isDes = PR_FALSE; | 97 PRBool isDes = PR_FALSE; |
| 98 PRBool enoughFirstHsDone = PR_FALSE; | |
| 99 | 98 |
| 100 ss = ssl_FindSocket(fd); | 99 ss = ssl_FindSocket(fd); |
| 101 if (!ss) { | 100 if (!ss) { |
| 102 SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus", | 101 SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus", |
| 103 SSL_GETPID(), fd)); | 102 SSL_GETPID(), fd)); |
| 104 return SECFailure; | 103 return SECFailure; |
| 105 } | 104 } |
| 106 | 105 |
| 107 if (cp) *cp = 0; | 106 if (cp) *cp = 0; |
| 108 if (kp0) *kp0 = 0; | 107 if (kp0) *kp0 = 0; |
| 109 if (kp1) *kp1 = 0; | 108 if (kp1) *kp1 = 0; |
| 110 if (ip) *ip = 0; | 109 if (ip) *ip = 0; |
| 111 if (sp) *sp = 0; | 110 if (sp) *sp = 0; |
| 112 if (op) { | 111 if (op) { |
| 113 *op = SSL_SECURITY_STATUS_OFF; | 112 *op = SSL_SECURITY_STATUS_OFF; |
| 114 } | 113 } |
| 115 | 114 |
| 116 if (ss->firstHsDone) { | 115 if (ss->opt.useSecurity && ss->enoughFirstHsDone) { |
| 117 » enoughFirstHsDone = PR_TRUE; | |
| 118 } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 && | |
| 119 » ssl3_CanFalseStart(ss)) { | |
| 120 » enoughFirstHsDone = PR_TRUE; | |
| 121 } | |
| 122 | |
| 123 if (ss->opt.useSecurity && enoughFirstHsDone) { | |
| 124 if (ss->version < SSL_LIBRARY_VERSION_3_0) { | 116 if (ss->version < SSL_LIBRARY_VERSION_3_0) { |
| 125 cipherName = ssl_cipherName[ss->sec.cipherType]; | 117 cipherName = ssl_cipherName[ss->sec.cipherType]; |
| 126 } else { | 118 } else { |
| 127 cipherName = ssl3_cipherName[ss->sec.cipherType]; | 119 cipherName = ssl3_cipherName[ss->sec.cipherType]; |
| 128 } | 120 } |
| 129 PORT_Assert(cipherName); | 121 PORT_Assert(cipherName); |
| 130 if (cipherName) { | 122 if (cipherName) { |
| 131 if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE; | 123 if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE; |
| 132 | 124 |
| 133 if (cp) { | 125 if (cp) { |
| 134 *cp = PORT_Strdup(cipherName); | 126 *cp = PORT_Strdup(cipherName); |
| 135 } | 127 } |
| 136 } | 128 } |
| 137 | 129 |
| 138 if (kp0) { | 130 if (kp0) { |
| 139 *kp0 = ss->sec.keyBits; | 131 *kp0 = ss->sec.keyBits; |
| 140 if (isDes) *kp0 = (*kp0 * 7) / 8; | 132 if (isDes) *kp0 = (*kp0 * 7) / 8; |
| 141 } | 133 } |
| 142 if (kp1) { | 134 if (kp1) { |
| 143 *kp1 = ss->sec.secretKeyBits; | 135 *kp1 = ss->sec.secretKeyBits; |
| 144 if (isDes) *kp1 = (*kp1 * 7) / 8; | 136 if (isDes) *kp1 = (*kp1 * 7) / 8; |
| 145 } | 137 } |
| 146 if (op) { | 138 if (op) { |
| 147 if (ss->sec.keyBits == 0) { | 139 if (ss->sec.keyBits == 0) { |
| 148 *op = SSL_SECURITY_STATUS_OFF; | 140 *op = SSL_SECURITY_STATUS_OFF; |
| 149 } else if (ss->sec.secretKeyBits < 90) { | 141 } else if (ss->sec.secretKeyBits < 90) { |
|
wtc
2013/09/18 22:57:23
This doesn't really matter because we don't have a
agl
2013/09/19 16:59:32
That seems reasonable, although then I think it sh
| |
| 150 *op = SSL_SECURITY_STATUS_ON_LOW; | 142 *op = SSL_SECURITY_STATUS_ON_LOW; |
| 151 | 143 |
| 152 } else { | 144 } else { |
| 153 *op = SSL_SECURITY_STATUS_ON_HIGH; | 145 *op = SSL_SECURITY_STATUS_ON_HIGH; |
| 154 } | 146 } |
| 155 } | 147 } |
| 156 | 148 |
| 157 if (ip || sp) { | 149 if (ip || sp) { |
| 158 CERTCertificate *cert; | 150 CERTCertificate *cert; |
| 159 | 151 |
| (...skipping 163 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 323 hostname = ss->url; | 315 hostname = ss->url; |
| 324 if (hostname && hostname[0]) | 316 if (hostname && hostname[0]) |
| 325 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); | 317 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); |
| 326 else | 318 else |
| 327 rv = SECFailure; | 319 rv = SECFailure; |
| 328 if (rv != SECSuccess) | 320 if (rv != SECSuccess) |
| 329 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); | 321 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); |
| 330 | 322 |
| 331 return rv; | 323 return rv; |
| 332 } | 324 } |
| OLD | NEW |