Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(116)

Unified Diff: lib/ssl/sslauth.c

Issue 201830043: Bug 1118245 - Apply uniform style across NSS
Patch Set: Created 9 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Please Sign in to add in-line comments.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « lib/ssl/ssl3prot.h ('k') | lib/ssl/sslcon.c » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: lib/ssl/sslauth.c
===================================================================
--- a/lib/ssl/sslauth.c
+++ b/lib/ssl/sslauth.c
@@ -5,290 +5,267 @@
#include "secitem.h"
#include "ssl.h"
#include "sslimpl.h"
#include "sslproto.h"
#include "pk11func.h"
#include "ocsp.h"
/* NEED LOCKS IN HERE. */
-CERTCertificate *
-SSL_PeerCertificate(PRFileDesc *fd)
-{
- sslSocket *ss;
+CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd) {
+ sslSocket *ss;
- ss = ssl_FindSocket(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
- SSL_GETPID(), fd));
- return 0;
- }
- if (ss->opt.useSecurity && ss->sec.peerCert) {
- return CERT_DupCertificate(ss->sec.peerCert);
- }
+ ss = ssl_FindSocket(fd);
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", SSL_GETPID(), fd));
return 0;
+ }
+ if (ss->opt.useSecurity && ss->sec.peerCert) {
+ return CERT_DupCertificate(ss->sec.peerCert);
+ }
+ return 0;
}
/* NEED LOCKS IN HERE. */
-CERTCertList *
-SSL_PeerCertificateChain(PRFileDesc *fd)
-{
- sslSocket *ss;
- CERTCertList *chain = NULL;
- CERTCertificate *cert;
- ssl3CertNode *cur;
+CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd) {
+ sslSocket *ss;
+ CERTCertList *chain = NULL;
+ CERTCertificate *cert;
+ ssl3CertNode *cur;
- ss = ssl_FindSocket(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain",
- SSL_GETPID(), fd));
- return NULL;
+ ss = ssl_FindSocket(fd);
+ if (!ss) {
+ SSL_DBG(
+ ("%d: SSL[%d]: bad socket in PeerCertificateChain", SSL_GETPID(), fd));
+ return NULL;
+ }
+ if (!ss->opt.useSecurity || !ss->sec.peerCert) {
+ PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
+ return NULL;
+ }
+ chain = CERT_NewCertList();
+ if (!chain) {
+ return NULL;
+ }
+ cert = CERT_DupCertificate(ss->sec.peerCert);
+ if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
+ goto loser;
+ }
+ for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) {
+ cert = CERT_DupCertificate(cur->cert);
+ if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
+ goto loser;
}
- if (!ss->opt.useSecurity || !ss->sec.peerCert) {
- PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
- return NULL;
- }
- chain = CERT_NewCertList();
- if (!chain) {
- return NULL;
- }
- cert = CERT_DupCertificate(ss->sec.peerCert);
- if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
- goto loser;
- }
- for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) {
- cert = CERT_DupCertificate(cur->cert);
- if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
- goto loser;
- }
- }
- return chain;
+ }
+ return chain;
loser:
- CERT_DestroyCertList(chain);
- return NULL;
+ CERT_DestroyCertList(chain);
+ return NULL;
}
/* NEED LOCKS IN HERE. */
-CERTCertificate *
-SSL_LocalCertificate(PRFileDesc *fd)
-{
- sslSocket *ss;
+CERTCertificate *SSL_LocalCertificate(PRFileDesc *fd) {
+ sslSocket *ss;
- ss = ssl_FindSocket(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
- SSL_GETPID(), fd));
- return NULL;
+ ss = ssl_FindSocket(fd);
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", SSL_GETPID(), fd));
+ return NULL;
+ }
+ if (ss->opt.useSecurity) {
+ if (ss->sec.localCert) {
+ return CERT_DupCertificate(ss->sec.localCert);
}
- if (ss->opt.useSecurity) {
- if (ss->sec.localCert) {
- return CERT_DupCertificate(ss->sec.localCert);
- }
- if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) {
- return CERT_DupCertificate(ss->sec.ci.sid->localCert);
- }
+ if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) {
+ return CERT_DupCertificate(ss->sec.ci.sid->localCert);
}
- return NULL;
+ }
+ return NULL;
}
+/* NEED LOCKS IN HERE. */
+SECStatus SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0,
+ int *kp1, char **ip, char **sp) {
+ sslSocket *ss;
+ const char *cipherName;
+ PRBool isDes = PR_FALSE;
+ ss = ssl_FindSocket(fd);
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus", SSL_GETPID(), fd));
+ return SECFailure;
+ }
-/* NEED LOCKS IN HERE. */
-SECStatus
-SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
- char **ip, char **sp)
-{
- sslSocket *ss;
- const char *cipherName;
- PRBool isDes = PR_FALSE;
+ if (cp) *cp = 0;
+ if (kp0) *kp0 = 0;
+ if (kp1) *kp1 = 0;
+ if (ip) *ip = 0;
+ if (sp) *sp = 0;
+ if (op) {
+ *op = SSL_SECURITY_STATUS_OFF;
+ }
- ss = ssl_FindSocket(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus",
- SSL_GETPID(), fd));
- return SECFailure;
+ if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
+ if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+ cipherName = ssl_cipherName[ss->sec.cipherType];
+ } else {
+ cipherName = ssl3_cipherName[ss->sec.cipherType];
+ }
+ PORT_Assert(cipherName);
+ if (cipherName) {
+ if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE;
+
+ if (cp) {
+ *cp = PORT_Strdup(cipherName);
+ }
}
- if (cp) *cp = 0;
- if (kp0) *kp0 = 0;
- if (kp1) *kp1 = 0;
- if (ip) *ip = 0;
- if (sp) *sp = 0;
+ if (kp0) {
+ *kp0 = ss->sec.keyBits;
+ if (isDes) *kp0 = (*kp0 * 7) / 8;
+ }
+ if (kp1) {
+ *kp1 = ss->sec.secretKeyBits;
+ if (isDes) *kp1 = (*kp1 * 7) / 8;
+ }
if (op) {
- *op = SSL_SECURITY_STATUS_OFF;
+ if (ss->sec.keyBits == 0) {
+ *op = SSL_SECURITY_STATUS_OFF;
+ } else if (ss->sec.secretKeyBits < 90) {
+ *op = SSL_SECURITY_STATUS_ON_LOW;
+
+ } else {
+ *op = SSL_SECURITY_STATUS_ON_HIGH;
+ }
}
- if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
- if (ss->version < SSL_LIBRARY_VERSION_3_0) {
- cipherName = ssl_cipherName[ss->sec.cipherType];
- } else {
- cipherName = ssl3_cipherName[ss->sec.cipherType];
- }
- PORT_Assert(cipherName);
- if (cipherName) {
- if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE;
+ if (ip || sp) {
+ CERTCertificate *cert;
- if (cp) {
- *cp = PORT_Strdup(cipherName);
- }
+ cert = ss->sec.peerCert;
+ if (cert) {
+ if (ip) {
+ *ip = CERT_NameToAscii(&cert->issuer);
}
+ if (sp) {
+ *sp = CERT_NameToAscii(&cert->subject);
+ }
+ } else {
+ if (ip) {
+ *ip = PORT_Strdup("no certificate");
+ }
+ if (sp) {
+ *sp = PORT_Strdup("no certificate");
+ }
+ }
+ }
+ }
- if (kp0) {
- *kp0 = ss->sec.keyBits;
- if (isDes) *kp0 = (*kp0 * 7) / 8;
- }
- if (kp1) {
- *kp1 = ss->sec.secretKeyBits;
- if (isDes) *kp1 = (*kp1 * 7) / 8;
- }
- if (op) {
- if (ss->sec.keyBits == 0) {
- *op = SSL_SECURITY_STATUS_OFF;
- } else if (ss->sec.secretKeyBits < 90) {
- *op = SSL_SECURITY_STATUS_ON_LOW;
-
- } else {
- *op = SSL_SECURITY_STATUS_ON_HIGH;
- }
- }
-
- if (ip || sp) {
- CERTCertificate *cert;
-
- cert = ss->sec.peerCert;
- if (cert) {
- if (ip) {
- *ip = CERT_NameToAscii(&cert->issuer);
- }
- if (sp) {
- *sp = CERT_NameToAscii(&cert->subject);
- }
- } else {
- if (ip) {
- *ip = PORT_Strdup("no certificate");
- }
- if (sp) {
- *sp = PORT_Strdup("no certificate");
- }
- }
- }
- }
-
- return SECSuccess;
+ return SECSuccess;
}
/************************************************************************/
/* NEED LOCKS IN HERE. */
-SECStatus
-SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg)
-{
- sslSocket *ss;
+SECStatus SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func,
+ void *arg) {
+ sslSocket *ss;
- ss = ssl_FindSocket(s);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook",
- SSL_GETPID(), s));
- return SECFailure;
- }
+ ss = ssl_FindSocket(s);
+ if (!ss) {
+ SSL_DBG(
+ ("%d: SSL[%d]: bad socket in AuthCertificateHook", SSL_GETPID(), s));
+ return SECFailure;
+ }
- ss->authCertificate = func;
- ss->authCertificateArg = arg;
+ ss->authCertificate = func;
+ ss->authCertificateArg = arg;
- return SECSuccess;
+ return SECSuccess;
}
/* NEED LOCKS IN HERE. */
-SECStatus
-SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
- void *arg)
-{
- sslSocket *ss;
+SECStatus SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
+ void *arg) {
+ sslSocket *ss;
- ss = ssl_FindSocket(s);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
- SSL_GETPID(), s));
- return SECFailure;
- }
+ ss = ssl_FindSocket(s);
+ if (!ss) {
+ SSL_DBG(
+ ("%d: SSL[%d]: bad socket in GetClientAuthDataHook", SSL_GETPID(), s));
+ return SECFailure;
+ }
- ss->getClientAuthData = func;
- ss->getClientAuthDataArg = arg;
- return SECSuccess;
+ ss->getClientAuthData = func;
+ ss->getClientAuthDataArg = arg;
+ return SECSuccess;
}
/* NEED LOCKS IN HERE. */
-SECStatus
-SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
-{
- sslSocket *ss;
+SECStatus SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) {
+ sslSocket *ss;
- ss = ssl_FindSocket(s);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
- SSL_GETPID(), s));
- return SECFailure;
- }
+ ss = ssl_FindSocket(s);
+ if (!ss) {
+ SSL_DBG(
+ ("%d: SSL[%d]: bad socket in GetClientAuthDataHook", SSL_GETPID(), s));
+ return SECFailure;
+ }
- ss->pkcs11PinArg = arg;
- return SECSuccess;
+ ss->pkcs11PinArg = arg;
+ return SECSuccess;
}
-
-/* This is the "default" authCert callback function. It is called when a
+/* This is the "default" authCert callback function. It is called when a
* certificate message is received from the peer and the local application
* has not registered an authCert callback function.
*/
-SECStatus
-SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
-{
- SECStatus rv;
- CERTCertDBHandle * handle;
- sslSocket * ss;
- SECCertUsage certUsage;
- const char * hostname = NULL;
- PRTime now = PR_Now();
- SECItemArray * certStatusArray;
-
- ss = ssl_FindSocket(fd);
- PORT_Assert(ss != NULL);
- if (!ss) {
- return SECFailure;
+SECStatus SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
+ PRBool isServer) {
+ SECStatus rv;
+ CERTCertDBHandle *handle;
+ sslSocket *ss;
+ SECCertUsage certUsage;
+ const char *hostname = NULL;
+ PRTime now = PR_Now();
+ SECItemArray *certStatusArray;
+
+ ss = ssl_FindSocket(fd);
+ PORT_Assert(ss != NULL);
+ if (!ss) {
+ return SECFailure;
+ }
+
+ handle = (CERTCertDBHandle *)arg;
+ certStatusArray = &ss->sec.ci.sid->peerCertStatus;
+
+ if (certStatusArray->len) {
+ PORT_SetError(0);
+ if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now,
+ &certStatusArray->items[0],
+ ss->pkcs11PinArg) != SECSuccess) {
+ PRErrorCode error = PR_GetError();
+ PORT_Assert(error != 0);
}
+ }
- handle = (CERTCertDBHandle *)arg;
- certStatusArray = &ss->sec.ci.sid->peerCertStatus;
+ /* this may seem backwards, but isn't. */
+ certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
- if (certStatusArray->len) {
- PORT_SetError(0);
- if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now,
- &certStatusArray->items[0],
- ss->pkcs11PinArg)
- != SECSuccess) {
- PRErrorCode error = PR_GetError();
- PORT_Assert(error != 0);
- }
- }
+ rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage, now,
+ ss->pkcs11PinArg, NULL);
- /* this may seem backwards, but isn't. */
- certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
+ if (rv != SECSuccess || isServer) return rv;
- rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage,
- now, ss->pkcs11PinArg, NULL);
+ /* cert is OK. This is the client side of an SSL connection.
+ * Now check the name field in the cert against the desired hostname.
+ * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
+ */
+ hostname = ss->url;
+ if (hostname && hostname[0])
+ rv = CERT_VerifyCertName(ss->sec.peerCert, hostname);
+ else
+ rv = SECFailure;
+ if (rv != SECSuccess) PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
- if ( rv != SECSuccess || isServer )
- return rv;
-
- /* cert is OK. This is the client side of an SSL connection.
- * Now check the name field in the cert against the desired hostname.
- * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
- */
- hostname = ss->url;
- if (hostname && hostname[0])
- rv = CERT_VerifyCertName(ss->sec.peerCert, hostname);
- else
- rv = SECFailure;
- if (rv != SECSuccess)
- PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
-
- return rv;
+ return rv;
}
« no previous file with comments | « lib/ssl/ssl3prot.h ('k') | lib/ssl/sslcon.c » ('j') | no next file with comments »

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b