diff options
author | nelsonb%netscape.com <devnull@localhost> | 2002-10-08 03:39:50 +0000 |
---|---|---|
committer | nelsonb%netscape.com <devnull@localhost> | 2002-10-08 03:39:50 +0000 |
commit | 19a0918dca2b9255aa49c68bab744ca3869bd8f0 (patch) | |
tree | e9353c9dc1e7745a1ad50498f8471baaacc9373b /security/nss/cmd/vfyserv | |
parent | 2eb5834d393d50e6edd527fac0a740d7cc56e9d8 (diff) | |
download | nss-hg-19a0918dca2b9255aa49c68bab744ca3869bd8f0.tar.gz |
Make indentation style self-consistent: 4 spaces per indent.
Save error code at the beginning of printCertProblems, and restore it at
the end, since CERT_VerifyCert nearly always sets the error code to
-8157 Certificate extension not found when building an error log.
Bug 172036.
Diffstat (limited to 'security/nss/cmd/vfyserv')
-rw-r--r-- | security/nss/cmd/vfyserv/vfyutil.c | 492 |
1 files changed, 246 insertions, 246 deletions
diff --git a/security/nss/cmd/vfyserv/vfyutil.c b/security/nss/cmd/vfyserv/vfyutil.c index db60ec13e..0e2c26f90 100644 --- a/security/nss/cmd/vfyserv/vfyutil.c +++ b/security/nss/cmd/vfyserv/vfyutil.c @@ -40,30 +40,30 @@ /* Declare SSL cipher suites. */ int ssl2CipherSuites[] = { - SSL_EN_RC4_128_WITH_MD5, /* A */ - SSL_EN_RC4_128_EXPORT40_WITH_MD5, /* B */ - SSL_EN_RC2_128_CBC_WITH_MD5, /* C */ - SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, /* D */ - SSL_EN_DES_64_CBC_WITH_MD5, /* E */ - SSL_EN_DES_192_EDE3_CBC_WITH_MD5, /* F */ - 0 + SSL_EN_RC4_128_WITH_MD5, /* A */ + SSL_EN_RC4_128_EXPORT40_WITH_MD5, /* B */ + SSL_EN_RC2_128_CBC_WITH_MD5, /* C */ + SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, /* D */ + SSL_EN_DES_64_CBC_WITH_MD5, /* E */ + SSL_EN_DES_192_EDE3_CBC_WITH_MD5, /* F */ + 0 }; int ssl3CipherSuites[] = { - SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* a */ - SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, /* b */ - SSL_RSA_WITH_RC4_128_MD5, /* c */ - SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ - SSL_RSA_WITH_DES_CBC_SHA, /* e */ - SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ - SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ - SSL_FORTEZZA_DMS_WITH_NULL_SHA, /* h */ - SSL_RSA_WITH_NULL_MD5, /* i */ - SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ - SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ - TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */ - TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */ - 0 + SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* a */ + SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, /* b */ + SSL_RSA_WITH_RC4_128_MD5, /* c */ + SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ + SSL_RSA_WITH_DES_CBC_SHA, /* e */ + SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ + SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ + SSL_FORTEZZA_DMS_WITH_NULL_SHA, /* h */ + SSL_RSA_WITH_NULL_MD5, /* i */ + SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ + SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ + TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */ + TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */ + 0 }; /************************************************************************** @@ -82,13 +82,12 @@ int ssl3CipherSuites[] = { char * myPasswd(PK11SlotInfo *info, PRBool retry, void *arg) { - char * passwd = NULL; + char * passwd = NULL; - if ( (!retry) && arg ) { - passwd = PORT_Strdup((char *)arg); - } - - return passwd; + if ( (!retry) && arg ) { + passwd = PORT_Strdup((char *)arg); + } + return passwd; } /* Function: SECStatus myAuthCertificate() @@ -103,60 +102,60 @@ myAuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer) { - SECCertUsage certUsage; - CERTCertificate * cert; - void * pinArg; - char * hostName; - SECStatus secStatus; + SECCertUsage certUsage; + CERTCertificate * cert; + void * pinArg; + char * hostName; + SECStatus secStatus; - if (!arg || !socket) { - errWarn("myAuthCertificate"); - return SECFailure; - } + if (!arg || !socket) { + errWarn("myAuthCertificate"); + return SECFailure; + } - /* Define how the cert is being used based upon the isServer flag. */ + /* Define how the cert is being used based upon the isServer flag. */ - certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; + certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; - cert = SSL_PeerCertificate(socket); + cert = SSL_PeerCertificate(socket); - pinArg = SSL_RevealPinArg(socket); - - secStatus = CERT_VerifyCertNow((CERTCertDBHandle *)arg, - cert, - checksig, - certUsage, - pinArg); - - /* If this is a server, we're finished. */ - if (isServer || secStatus != SECSuccess) { - printCertProblems(stderr, (CERTCertDBHandle *)arg, cert, - checksig, certUsage, pinArg); - CERT_DestroyCertificate(cert); - return secStatus; - } + pinArg = SSL_RevealPinArg(socket); + + secStatus = CERT_VerifyCertNow((CERTCertDBHandle *)arg, + cert, + checksig, + certUsage, + pinArg); + + /* If this is a server, we're finished. */ + if (isServer || secStatus != SECSuccess) { + printCertProblems(stderr, (CERTCertDBHandle *)arg, cert, + checksig, certUsage, pinArg); + CERT_DestroyCertificate(cert); + return secStatus; + } - /* Certificate is OK. Since this is the client side of an SSL - * connection, we need to verify that the name field in the cert - * matches the desired hostname. This is our defense against - * man-in-the-middle attacks. - */ + /* Certificate is OK. Since this is the client side of an SSL + * connection, we need to verify that the name field in the cert + * matches the desired hostname. This is our defense against + * man-in-the-middle attacks. + */ - /* SSL_RevealURL returns a hostName, not an URL. */ - hostName = SSL_RevealURL(socket); + /* SSL_RevealURL returns a hostName, not an URL. */ + hostName = SSL_RevealURL(socket); - if (hostName && hostName[0]) { - secStatus = CERT_VerifyCertName(cert, hostName); - } else { - PR_SetError(SSL_ERROR_BAD_CERT_DOMAIN, 0); - secStatus = SECFailure; - } + if (hostName && hostName[0]) { + secStatus = CERT_VerifyCertName(cert, hostName); + } else { + PR_SetError(SSL_ERROR_BAD_CERT_DOMAIN, 0); + secStatus = SECFailure; + } - if (hostName) - PR_Free(hostName); + if (hostName) + PR_Free(hostName); - CERT_DestroyCertificate(cert); - return secStatus; + CERT_DestroyCertificate(cert); + return secStatus; } /* Function: SECStatus myBadCertHandler() @@ -178,7 +177,7 @@ myBadCertHandler(void *arg, PRFileDesc *socket) /* log invalid cert here */ if (!arg) { - return secStatus; + return secStatus; } *(PRErrorCode *)arg = err = PORT_GetError(); @@ -202,10 +201,10 @@ myBadCertHandler(void *arg, PRFileDesc *socket) case SEC_ERROR_CA_CERT_INVALID: case SEC_ERROR_CERT_USAGES_INVALID: case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION: - secStatus = SECSuccess; + secStatus = SECSuccess; break; default: - secStatus = SECFailure; + secStatus = SECFailure; break; } @@ -236,15 +235,15 @@ myGetClientAuthData(void *arg, proto_win = SSL_RevealPinArg(socket); if (chosenNickName) { - cert = PK11_FindCertFromNickname(chosenNickName, proto_win); - if (cert) { - privKey = PK11_FindKeyByAnyCert(cert, proto_win); - if (privKey) { - secStatus = SECSuccess; - } else { - CERT_DestroyCertificate(cert); - } - } + cert = PK11_FindCertFromNickname(chosenNickName, proto_win); + if (cert) { + privKey = PK11_FindKeyByAnyCert(cert, proto_win); + if (privKey) { + secStatus = SECSuccess; + } else { + CERT_DestroyCertificate(cert); + } + } } else { /* no nickname given, automatically find the right cert */ CERTCertNicknames *names; int i; @@ -283,8 +282,8 @@ myGetClientAuthData(void *arg, } if (secStatus == SECSuccess) { - *pRetCert = cert; - *pRetKey = privKey; + *pRetCert = cert; + *pRetKey = privKey; } return secStatus; @@ -357,54 +356,54 @@ disableAllSSLCiphers(void) void errWarn(char *function) { - PRErrorCode errorNumber = PR_GetError(); - const char * errorString = SECU_Strerror(errorNumber); + PRErrorCode errorNumber = PR_GetError(); + const char * errorString = SECU_Strerror(errorNumber); - fprintf(stderr, "Error in function %s: %d\n - %s\n", - function, errorNumber, errorString); + fprintf(stderr, "Error in function %s: %d\n - %s\n", + function, errorNumber, errorString); } void exitErr(char *function) { - errWarn(function); - /* Exit gracefully. */ - NSS_Shutdown(); - PR_Cleanup(); - exit(1); + errWarn(function); + /* Exit gracefully. */ + NSS_Shutdown(); + PR_Cleanup(); + exit(1); } void printSecurityInfo(FILE *outfile, PRFileDesc *fd) { - char * cp; /* bulk cipher name */ - char * ip; /* cert issuer DN */ - char * sp; /* cert subject DN */ - int op; /* High, Low, Off */ - int kp0; /* total key bits */ - int kp1; /* secret key bits */ - int result; - SSL3Statistics * ssl3stats = SSL_GetStatistics(); - - if (!outfile) { - outfile = stdout; - } + char * cp; /* bulk cipher name */ + char * ip; /* cert issuer DN */ + char * sp; /* cert subject DN */ + int op; /* High, Low, Off */ + int kp0; /* total key bits */ + int kp1; /* secret key bits */ + int result; + SSL3Statistics * ssl3stats = SSL_GetStatistics(); + + if (!outfile) { + outfile = stdout; + } - result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp); - if (result != SECSuccess) - return; - fprintf(outfile, - " bulk cipher %s, %d secret key bits, %d key bits, status: %d\n" - " subject DN:\n %s\n" - " issuer DN:\n %s\n", cp, kp1, kp0, op, sp, ip); - PR_Free(cp); - PR_Free(ip); - PR_Free(sp); - - fprintf(outfile, - " %ld cache hits; %ld cache misses, %ld cache not reusable\n", - ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses, - ssl3stats->hch_sid_cache_not_ok); + result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp); + if (result != SECSuccess) + return; + fprintf(outfile, + " bulk cipher %s, %d secret key bits, %d key bits, status: %d\n" + " subject DN:\n %s\n" + " issuer DN:\n %s\n", cp, kp1, kp0, op, sp, ip); + PR_Free(cp); + PR_Free(ip); + PR_Free(sp); + + fprintf(outfile, + " %ld cache hits; %ld cache misses, %ld cache not reusable\n", + ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses, + ssl3stats->hch_sid_cache_not_ok); } @@ -416,22 +415,22 @@ printSecurityInfo(FILE *outfile, PRFileDesc *fd) void thread_wrapper(void * arg) { - GlobalThreadMgr *threadMGR = (GlobalThreadMgr *)arg; - perThread *slot = &threadMGR->threads[threadMGR->index]; + GlobalThreadMgr *threadMGR = (GlobalThreadMgr *)arg; + perThread *slot = &threadMGR->threads[threadMGR->index]; - /* wait for parent to finish launching us before proceeding. */ - PR_Lock(threadMGR->threadLock); - PR_Unlock(threadMGR->threadLock); + /* wait for parent to finish launching us before proceeding. */ + PR_Lock(threadMGR->threadLock); + PR_Unlock(threadMGR->threadLock); - slot->rv = (* slot->startFunc)(slot->a, slot->b); + slot->rv = (* slot->startFunc)(slot->a, slot->b); - PR_Lock(threadMGR->threadLock); - slot->running = rs_zombie; + PR_Lock(threadMGR->threadLock); + slot->running = rs_zombie; - /* notify the thread exit handler. */ - PR_NotifyCondVar(threadMGR->threadEndQ); + /* notify the thread exit handler. */ + PR_NotifyCondVar(threadMGR->threadEndQ); - PR_Unlock(threadMGR->threadLock); + PR_Unlock(threadMGR->threadLock); } SECStatus @@ -440,116 +439,116 @@ launch_thread(GlobalThreadMgr *threadMGR, void *a, int b) { - perThread *slot; - int i; + perThread *slot; + int i; - if (!threadMGR->threadStartQ) { - threadMGR->threadLock = PR_NewLock(); - threadMGR->threadStartQ = PR_NewCondVar(threadMGR->threadLock); - threadMGR->threadEndQ = PR_NewCondVar(threadMGR->threadLock); - } - PR_Lock(threadMGR->threadLock); - while (threadMGR->numRunning >= MAX_THREADS) { - PR_WaitCondVar(threadMGR->threadStartQ, PR_INTERVAL_NO_TIMEOUT); - } - for (i = 0; i < threadMGR->numUsed; ++i) { - slot = &threadMGR->threads[i]; - if (slot->running == rs_idle) - break; - } - if (i >= threadMGR->numUsed) { - if (i >= MAX_THREADS) { - /* something's really wrong here. */ - PORT_Assert(i < MAX_THREADS); - PR_Unlock(threadMGR->threadLock); - return SECFailure; - } - ++(threadMGR->numUsed); - PORT_Assert(threadMGR->numUsed == i + 1); - slot = &threadMGR->threads[i]; + if (!threadMGR->threadStartQ) { + threadMGR->threadLock = PR_NewLock(); + threadMGR->threadStartQ = PR_NewCondVar(threadMGR->threadLock); + threadMGR->threadEndQ = PR_NewCondVar(threadMGR->threadLock); + } + PR_Lock(threadMGR->threadLock); + while (threadMGR->numRunning >= MAX_THREADS) { + PR_WaitCondVar(threadMGR->threadStartQ, PR_INTERVAL_NO_TIMEOUT); + } + for (i = 0; i < threadMGR->numUsed; ++i) { + slot = &threadMGR->threads[i]; + if (slot->running == rs_idle) + break; + } + if (i >= threadMGR->numUsed) { + if (i >= MAX_THREADS) { + /* something's really wrong here. */ + PORT_Assert(i < MAX_THREADS); + PR_Unlock(threadMGR->threadLock); + return SECFailure; } + ++(threadMGR->numUsed); + PORT_Assert(threadMGR->numUsed == i + 1); + slot = &threadMGR->threads[i]; + } - slot->a = a; - slot->b = b; - slot->startFunc = startFunc; - - threadMGR->index = i; + slot->a = a; + slot->b = b; + slot->startFunc = startFunc; - slot->prThread = PR_CreateThread(PR_USER_THREAD, - thread_wrapper, threadMGR, - PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, - PR_JOINABLE_THREAD, 0); + threadMGR->index = i; - if (slot->prThread == NULL) { - PR_Unlock(threadMGR->threadLock); - printf("Failed to launch thread!\n"); - return SECFailure; - } + slot->prThread = PR_CreateThread(PR_USER_THREAD, + thread_wrapper, threadMGR, + PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, + PR_JOINABLE_THREAD, 0); - slot->inUse = 1; - slot->running = 1; - ++(threadMGR->numRunning); + if (slot->prThread == NULL) { PR_Unlock(threadMGR->threadLock); + printf("Failed to launch thread!\n"); + return SECFailure; + } - return SECSuccess; + slot->inUse = 1; + slot->running = 1; + ++(threadMGR->numRunning); + PR_Unlock(threadMGR->threadLock); + + return SECSuccess; } SECStatus reap_threads(GlobalThreadMgr *threadMGR) { - perThread * slot; - int i; - - if (!threadMGR->threadLock) - return 0; - PR_Lock(threadMGR->threadLock); - while (threadMGR->numRunning > 0) { - PR_WaitCondVar(threadMGR->threadEndQ, PR_INTERVAL_NO_TIMEOUT); - for (i = 0; i < threadMGR->numUsed; ++i) { - slot = &threadMGR->threads[i]; - if (slot->running == rs_zombie) { - /* Handle cleanup of thread here. */ - - /* Now make sure the thread has ended OK. */ - PR_JoinThread(slot->prThread); - slot->running = rs_idle; - --threadMGR->numRunning; - - /* notify the thread launcher. */ - PR_NotifyCondVar(threadMGR->threadStartQ); - } + perThread * slot; + int i; + + if (!threadMGR->threadLock) + return SECSuccess; + PR_Lock(threadMGR->threadLock); + while (threadMGR->numRunning > 0) { + PR_WaitCondVar(threadMGR->threadEndQ, PR_INTERVAL_NO_TIMEOUT); + for (i = 0; i < threadMGR->numUsed; ++i) { + slot = &threadMGR->threads[i]; + if (slot->running == rs_zombie) { + /* Handle cleanup of thread here. */ + + /* Now make sure the thread has ended OK. */ + PR_JoinThread(slot->prThread); + slot->running = rs_idle; + --threadMGR->numRunning; + + /* notify the thread launcher. */ + PR_NotifyCondVar(threadMGR->threadStartQ); } } + } - /* Safety Sam sez: make sure count is right. */ - for (i = 0; i < threadMGR->numUsed; ++i) { - slot = &threadMGR->threads[i]; - if (slot->running != rs_idle) { - fprintf(stderr, "Thread in slot %d is in state %d!\n", - i, slot->running); - } + /* Safety Sam sez: make sure count is right. */ + for (i = 0; i < threadMGR->numUsed; ++i) { + slot = &threadMGR->threads[i]; + if (slot->running != rs_idle) { + fprintf(stderr, "Thread in slot %d is in state %d!\n", + i, slot->running); } - PR_Unlock(threadMGR->threadLock); - return 0; + } + PR_Unlock(threadMGR->threadLock); + return SECSuccess; } void destroy_thread_data(GlobalThreadMgr *threadMGR) { - PORT_Memset(threadMGR->threads, 0, sizeof(threadMGR->threads)); + PORT_Memset(threadMGR->threads, 0, sizeof(threadMGR->threads)); - if (threadMGR->threadEndQ) { - PR_DestroyCondVar(threadMGR->threadEndQ); - threadMGR->threadEndQ = NULL; - } - if (threadMGR->threadStartQ) { - PR_DestroyCondVar(threadMGR->threadStartQ); - threadMGR->threadStartQ = NULL; - } - if (threadMGR->threadLock) { - PR_DestroyLock(threadMGR->threadLock); - threadMGR->threadLock = NULL; - } + if (threadMGR->threadEndQ) { + PR_DestroyCondVar(threadMGR->threadEndQ); + threadMGR->threadEndQ = NULL; + } + if (threadMGR->threadStartQ) { + PR_DestroyCondVar(threadMGR->threadStartQ); + threadMGR->threadStartQ = NULL; + } + if (threadMGR->threadLock) { + PR_DestroyLock(threadMGR->threadLock); + threadMGR->threadLock = NULL; + } } /************************************************************************** @@ -559,44 +558,44 @@ destroy_thread_data(GlobalThreadMgr *threadMGR) void lockedVars_Init( lockedVars * lv) { - lv->count = 0; - lv->waiters = 0; - lv->lock = PR_NewLock(); - lv->condVar = PR_NewCondVar(lv->lock); + lv->count = 0; + lv->waiters = 0; + lv->lock = PR_NewLock(); + lv->condVar = PR_NewCondVar(lv->lock); } void lockedVars_Destroy( lockedVars * lv) { - PR_DestroyCondVar(lv->condVar); - lv->condVar = NULL; + PR_DestroyCondVar(lv->condVar); + lv->condVar = NULL; - PR_DestroyLock(lv->lock); - lv->lock = NULL; + PR_DestroyLock(lv->lock); + lv->lock = NULL; } void lockedVars_WaitForDone(lockedVars * lv) { - PR_Lock(lv->lock); - while (lv->count > 0) { - PR_WaitCondVar(lv->condVar, PR_INTERVAL_NO_TIMEOUT); - } - PR_Unlock(lv->lock); + PR_Lock(lv->lock); + while (lv->count > 0) { + PR_WaitCondVar(lv->condVar, PR_INTERVAL_NO_TIMEOUT); + } + PR_Unlock(lv->lock); } int /* returns count */ lockedVars_AddToCount(lockedVars * lv, int addend) { - int rv; + int rv; - PR_Lock(lv->lock); - rv = lv->count += addend; - if (rv <= 0) { + PR_Lock(lv->lock); + rv = lv->count += addend; + if (rv <= 0) { PR_NotifyCondVar(lv->condVar); - } - PR_Unlock(lv->lock); - return rv; + } + PR_Unlock(lv->lock); + return rv; } static char * @@ -615,17 +614,18 @@ printCertProblems(FILE *outfile, CERTCertDBHandle *handle, CERTCertificate *cert, PRBool checksig, SECCertUsage certUsage, void *pinArg) { - CERTVerifyLog log; - CERTVerifyLogNode *node = NULL; - unsigned int depth = (unsigned int)-1; - unsigned int flags = 0; - char *errstr = NULL; + CERTVerifyLog log; + CERTVerifyLogNode *node = NULL; + unsigned int depth = (unsigned int)-1; + unsigned int flags = 0; + char * errstr = NULL; + PRErrorCode err = PORT_GetError(); log.arena = PORT_NewArena(512); log.head = log.tail = NULL; log.count = 0; CERT_VerifyCert(handle, cert, checksig, certUsage, - PR_Now(), pinArg, &log); + PR_Now(), pinArg, &log); if (log.count > 0) { fprintf(outfile,"PROBLEM WITH THE CERT CHAIN:\n"); @@ -696,5 +696,5 @@ printCertProblems(FILE *outfile, CERTCertDBHandle *handle, CERT_DestroyCertificate(node->cert); } } - return ; + PR_SetError(err, 0); /* restore original error code */ } |