
Side by Side Diff: net/third_party/nss/ssl/sslauth.c

Issue 23621040: Make SSL False Start work with asynchronous certificate validation (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Define our own CanFalseStartCallback Created 7 years, 3 months ago
1 /* This Source Code Form is subject to the terms of the Mozilla Public 1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 #include "cert.h" 4 #include "cert.h"
5 #include "secitem.h" 5 #include "secitem.h"
6 #include "ssl.h" 6 #include "ssl.h"
7 #include "sslimpl.h" 7 #include "sslimpl.h"
8 #include "sslproto.h" 8 #include "sslproto.h"
9 #include "pk11func.h" 9 #include "pk11func.h"
10 #include "ocsp.h" 10 #include "ocsp.h"
88 88
89 89
90 /* NEED LOCKS IN HERE. */ 90 /* NEED LOCKS IN HERE. */
91 SECStatus 91 SECStatus
92 SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, 92 SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
93 char **ip, char **sp) 93 char **ip, char **sp)
94 { 94 {
95 sslSocket *ss; 95 sslSocket *ss;
96 const char *cipherName; 96 const char *cipherName;
97 PRBool isDes = PR_FALSE; 97 PRBool isDes = PR_FALSE;
98 PRBool enoughFirstHsDone = PR_FALSE;
99 98
100 ss = ssl_FindSocket(fd); 99 ss = ssl_FindSocket(fd);
101 if (!ss) { 100 if (!ss) {
102 SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus", 101 SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus",
103 SSL_GETPID(), fd)); 102 SSL_GETPID(), fd));
104 return SECFailure; 103 return SECFailure;
105 } 104 }
106 105
107 if (cp) *cp = 0; 106 if (cp) *cp = 0;
108 if (kp0) *kp0 = 0; 107 if (kp0) *kp0 = 0;
109 if (kp1) *kp1 = 0; 108 if (kp1) *kp1 = 0;
110 if (ip) *ip = 0; 109 if (ip) *ip = 0;
111 if (sp) *sp = 0; 110 if (sp) *sp = 0;
112 if (op) { 111 if (op) {
113 *op = SSL_SECURITY_STATUS_OFF; 112 *op = SSL_SECURITY_STATUS_OFF;
114 } 113 }
115 114
116 if (ss->firstHsDone) { 115 if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
117 » enoughFirstHsDone = PR_TRUE;
118 } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
119 » ssl3_CanFalseStart(ss)) {
120 » enoughFirstHsDone = PR_TRUE;
121 }
122
123 if (ss->opt.useSecurity && enoughFirstHsDone) {
124 if (ss->version < SSL_LIBRARY_VERSION_3_0) { 116 if (ss->version < SSL_LIBRARY_VERSION_3_0) {
125 cipherName = ssl_cipherName[ss->sec.cipherType]; 117 cipherName = ssl_cipherName[ss->sec.cipherType];
126 } else { 118 } else {
127 cipherName = ssl3_cipherName[ss->sec.cipherType]; 119 cipherName = ssl3_cipherName[ss->sec.cipherType];
128 } 120 }
129 PORT_Assert(cipherName); 121 PORT_Assert(cipherName);
130 if (cipherName) { 122 if (cipherName) {
131 if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE; 123 if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE;
132 124
133 if (cp) { 125 if (cp) {
134 *cp = PORT_Strdup(cipherName); 126 *cp = PORT_Strdup(cipherName);
135 } 127 }
136 } 128 }
137 129
138 if (kp0) { 130 if (kp0) {
139 *kp0 = ss->sec.keyBits; 131 *kp0 = ss->sec.keyBits;
140 if (isDes) *kp0 = (*kp0 * 7) / 8; 132 if (isDes) *kp0 = (*kp0 * 7) / 8;
141 } 133 }
142 if (kp1) { 134 if (kp1) {
143 *kp1 = ss->sec.secretKeyBits; 135 *kp1 = ss->sec.secretKeyBits;
144 if (isDes) *kp1 = (*kp1 * 7) / 8; 136 if (isDes) *kp1 = (*kp1 * 7) / 8;
145 } 137 }
146 if (op) { 138 if (op) {
147 if (ss->sec.keyBits == 0) { 139 if (ss->sec.keyBits == 0) {
148 *op = SSL_SECURITY_STATUS_OFF; 140 *op = SSL_SECURITY_STATUS_OFF;
149 } else if (ss->sec.secretKeyBits < 90) { 141 } else if (ss->sec.secretKeyBits < 90) {
wtc 2013/09/18 22:57:23 This doesn't really matter because we don't have a
agl 2013/09/19 16:59:32 That seems reasonable, although then I think it sh
150 *op = SSL_SECURITY_STATUS_ON_LOW; 142 *op = SSL_SECURITY_STATUS_ON_LOW;
151 143
152 } else { 144 } else {
153 *op = SSL_SECURITY_STATUS_ON_HIGH; 145 *op = SSL_SECURITY_STATUS_ON_HIGH;
154 } 146 }
155 } 147 }
156 148
157 if (ip || sp) { 149 if (ip || sp) {
158 CERTCertificate *cert; 150 CERTCertificate *cert;
159 151
323 hostname = ss->url; 315 hostname = ss->url;
324 if (hostname && hostname[0]) 316 if (hostname && hostname[0])
325 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); 317 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname);
326 else 318 else
327 rv = SECFailure; 319 rv = SECFailure;
328 if (rv != SECSuccess) 320 if (rv != SECSuccess)
329 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); 321 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
330 322
331 return rv; 323 return rv;
332 } 324 }
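Review bot: The rewritten condition at new line 115 reads `ss->enoughFirstHsDone` without saying what the flag means, whereas the deleted old lines 116-121 spelled out that it covers both a finished first handshake and the case where `ssl3_CanFalseStart(ss)` permits False Start. A one-line comment on the new line would keep that visible, e.g. `/* enoughFirstHsDone: first handshake done, or False Start permitted (set by the handshake code, not here) */`; whether the False-Start case now also implies certificate validation has completed is an inference from the issue title and should be confirmed where the flag is set, which is outside this hunk. The `NEED LOCKS IN HERE` comment above the function still applies, and the new code reads the socket field directly where the old code went through `ssl3_CanFalseStart`, so if the handshake path writes that flag under a lock this unlocked read deserves a note as well. SSL_SecurityStatus continues past the end of the hunk.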
