1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
4 #include "cert.h" | 4 #include "cert.h" |
5 #include "secitem.h" | 5 #include "secitem.h" |
6 #include "ssl.h" | 6 #include "ssl.h" |
7 #include "sslimpl.h" | 7 #include "sslimpl.h" |
8 #include "sslproto.h" | 8 #include "sslproto.h" |
9 #include "pk11func.h" | 9 #include "pk11func.h" |
10 #include "ocsp.h" | 10 #include "ocsp.h" |
88 | 88 |
89 | 89 |
90 /* NEED LOCKS IN HERE. */ | 90 /* NEED LOCKS IN HERE. */ |
91 SECStatus | 91 SECStatus |
92 SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, | 92 SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, |
93 char **ip, char **sp) | 93 char **ip, char **sp) |
94 { | 94 { |
95 sslSocket *ss; | 95 sslSocket *ss; |
96 const char *cipherName; | 96 const char *cipherName; |
97 PRBool isDes = PR_FALSE; | 97 PRBool isDes = PR_FALSE; |
98 PRBool enoughFirstHsDone = PR_FALSE; | |
99 | 98 |
100 ss = ssl_FindSocket(fd); | 99 ss = ssl_FindSocket(fd); |
101 if (!ss) { | 100 if (!ss) { |
102 SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus", | 101 SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus", |
103 SSL_GETPID(), fd)); | 102 SSL_GETPID(), fd)); |
104 return SECFailure; | 103 return SECFailure; |
105 } | 104 } |
106 | 105 |
107 if (cp) *cp = 0; | 106 if (cp) *cp = 0; |
108 if (kp0) *kp0 = 0; | 107 if (kp0) *kp0 = 0; |
109 if (kp1) *kp1 = 0; | 108 if (kp1) *kp1 = 0; |
110 if (ip) *ip = 0; | 109 if (ip) *ip = 0; |
111 if (sp) *sp = 0; | 110 if (sp) *sp = 0; |
112 if (op) { | 111 if (op) { |
113 *op = SSL_SECURITY_STATUS_OFF; | 112 *op = SSL_SECURITY_STATUS_OFF; |
114 } | 113 } |
115 | 114 |
116 if (ss->firstHsDone) { | 115 if (ss->opt.useSecurity && ss->enoughFirstHsDone) { |
117 » enoughFirstHsDone = PR_TRUE; | |
118 } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 && | |
119 » ssl3_CanFalseStart(ss)) { | |
120 » enoughFirstHsDone = PR_TRUE; | |
121 } | |
122 | |
123 if (ss->opt.useSecurity && enoughFirstHsDone) { | |
124 if (ss->version < SSL_LIBRARY_VERSION_3_0) { | 116 if (ss->version < SSL_LIBRARY_VERSION_3_0) { |
125 cipherName = ssl_cipherName[ss->sec.cipherType]; | 117 cipherName = ssl_cipherName[ss->sec.cipherType]; |
126 } else { | 118 } else { |
127 cipherName = ssl3_cipherName[ss->sec.cipherType]; | 119 cipherName = ssl3_cipherName[ss->sec.cipherType]; |
128 } | 120 } |
129 PORT_Assert(cipherName); | 121 PORT_Assert(cipherName); |
130 if (cipherName) { | 122 if (cipherName) { |
131 if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE; | 123 if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE; |
132 | 124 |
133 if (cp) { | 125 if (cp) { |
134 *cp = PORT_Strdup(cipherName); | 126 *cp = PORT_Strdup(cipherName); |
135 } | 127 } |
136 } | 128 } |
137 | 129 |
138 if (kp0) { | 130 if (kp0) { |
139 *kp0 = ss->sec.keyBits; | 131 *kp0 = ss->sec.keyBits; |
140 if (isDes) *kp0 = (*kp0 * 7) / 8; | 132 if (isDes) *kp0 = (*kp0 * 7) / 8; |
141 } | 133 } |
142 if (kp1) { | 134 if (kp1) { |
143 *kp1 = ss->sec.secretKeyBits; | 135 *kp1 = ss->sec.secretKeyBits; |
144 if (isDes) *kp1 = (*kp1 * 7) / 8; | 136 if (isDes) *kp1 = (*kp1 * 7) / 8; |
145 } | 137 } |
146 if (op) { | 138 if (op) { |
147 if (ss->sec.keyBits == 0) { | 139 if (ss->sec.keyBits == 0) { |
148 *op = SSL_SECURITY_STATUS_OFF; | 140 *op = SSL_SECURITY_STATUS_OFF; |
149 } else if (ss->sec.secretKeyBits < 90) { | 141 } else if (ss->sec.secretKeyBits < 90) { |
wtc
2013/09/18 22:57:23
This doesn't really matter because we don't have a
agl
2013/09/19 16:59:32
That seems reasonable, although then I think it sh
| |
150 *op = SSL_SECURITY_STATUS_ON_LOW; | 142 *op = SSL_SECURITY_STATUS_ON_LOW; |
151 | 143 |
152 } else { | 144 } else { |
153 *op = SSL_SECURITY_STATUS_ON_HIGH; | 145 *op = SSL_SECURITY_STATUS_ON_HIGH; |
154 } | 146 } |
155 } | 147 } |
156 | 148 |
157 if (ip || sp) { | 149 if (ip || sp) { |
158 CERTCertificate *cert; | 150 CERTCertificate *cert; |
159 | 151 |
323 hostname = ss->url; | 315 hostname = ss->url; |
324 if (hostname && hostname[0]) | 316 if (hostname && hostname[0]) |
325 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); | 317 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); |
326 else | 318 else |
327 rv = SECFailure; | 319 rv = SECFailure; |
328 if (rv != SECSuccess) | 320 if (rv != SECSuccess) |
329 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); | 321 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); |
330 | 322 |
331 return rv; | 323 return rv; |
332 } | 324 } |
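Review bot: The guard at new line 115 now reads `ss->enoughFirstHsDone` in place of the removed local, which was true either when `ss->firstHsDone` was set or when `ssl3_CanFalseStart(ss)` permitted false start; the hunk does not show where the new field is assigned, so confirm it is set on every path that sets `firstHsDone` — including the pre-3.0 case — otherwise the `ss->version < SSL_LIBRARY_VERSION_3_0` branch at new line 116 becomes unreachable. If the field keeps the removed local's meaning, the cipher name, key bits and an ON_HIGH/ON_LOW status are reported before the server's Finished has been verified whenever false start is in effect; a comment on the guard such as `/* enoughFirstHsDone may be set before the server's Finished is verified (false start), so the status below reflects negotiated parameters that are not yet confirmed. */` would make that visible to callers. The unlocked read of the new field falls under the existing `/* NEED LOCKS IN HERE. */` note at line 90, which the change leaves as-is. SSL_SecurityStatus continues past the end of this hunk.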