diff options
Diffstat (limited to 'security/nss/lib/ssl/sslauth.c')
-rw-r--r-- | security/nss/lib/ssl/sslauth.c | 272 |
1 files changed, 0 insertions, 272 deletions
diff --git a/security/nss/lib/ssl/sslauth.c b/security/nss/lib/ssl/sslauth.c deleted file mode 100644 index 6be86ec9b..000000000 --- a/security/nss/lib/ssl/sslauth.c +++ /dev/null @@ -1,272 +0,0 @@ -/* - * The contents of this file are subject to the Mozilla Public - * License Version 1.1 (the "License"); you may not use this file - * except in compliance with the License. You may obtain a copy of - * the License at http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS - * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or - * implied. See the License for the specific language governing - * rights and limitations under the License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is Netscape - * Communications Corporation. Portions created by Netscape are - * Copyright (C) 1994-2000 Netscape Communications Corporation. All - * Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the - * terms of the GNU General Public License Version 2 or later (the - * "GPL"), in which case the provisions of the GPL are applicable - * instead of those above. If you wish to allow use of your - * version of this file only under the terms of the GPL and not to - * allow others to use your version of this file under the MPL, - * indicate your decision by deleting the provisions above and - * replace them with the notice and other provisions required by - * the GPL. If you do not delete the provisions above, a recipient - * may use your version of this file under either the MPL or the - * GPL. - * - * $Id$ - */ -#include "cert.h" -#include "secitem.h" -#include "ssl.h" -#include "sslimpl.h" -#include "sslproto.h" -#include "pk11func.h" - -/* NEED LOCKS IN HERE. */ -CERTCertificate * -SSL_PeerCertificate(PRFileDesc *fd) -{ - sslSocket *ss; - - ss = ssl_FindSocket(fd); - if (!ss) { - SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", - SSL_GETPID(), fd)); - return 0; - } - if (ss->useSecurity && ss->sec.peerCert) { - return CERT_DupCertificate(ss->sec.peerCert); - } - return 0; -} - -/* NEED LOCKS IN HERE. */ -CERTCertificate * -SSL_LocalCertificate(PRFileDesc *fd) -{ - sslSocket *ss; - - ss = ssl_FindSocket(fd); - if (!ss) { - SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate", - SSL_GETPID(), fd)); - return NULL; - } - if (ss->useSecurity) { - if (ss->sec.localCert) { - return CERT_DupCertificate(ss->sec.localCert); - } - if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) { - return CERT_DupCertificate(ss->sec.ci.sid->localCert); - } - } - return NULL; -} - - - -/* NEED LOCKS IN HERE. */ -SECStatus -SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, - char **ip, char **sp) -{ - sslSocket *ss; - const char *cipherName; - PRBool isDes = PR_FALSE; - - ss = ssl_FindSocket(fd); - if (!ss) { - SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus", - SSL_GETPID(), fd)); - return SECFailure; - } - - if (cp) *cp = 0; - if (kp0) *kp0 = 0; - if (kp1) *kp1 = 0; - if (ip) *ip = 0; - if (sp) *sp = 0; - if (op) { - *op = SSL_SECURITY_STATUS_OFF; - } - - if (ss->useSecurity && ss->firstHsDone) { - - if (ss->version < SSL_LIBRARY_VERSION_3_0) { - cipherName = ssl_cipherName[ss->sec.cipherType]; - } else { - cipherName = ssl3_cipherName[ss->sec.cipherType]; - } - if (cipherName && PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE; - /* do same key stuff for fortezza */ - - if (cp) { - *cp = PORT_Strdup(cipherName); - } - - if (kp0) { - *kp0 = ss->sec.keyBits; - if (isDes) *kp0 = (*kp0 * 7) / 8; - } - if (kp1) { - *kp1 = ss->sec.secretKeyBits; - if (isDes) *kp1 = (*kp1 * 7) / 8; - } - if (op) { - if (ss->sec.keyBits == 0) { - *op = SSL_SECURITY_STATUS_OFF; - } else if (ss->sec.secretKeyBits < 90) { - *op = SSL_SECURITY_STATUS_ON_LOW; - - } else { - *op = SSL_SECURITY_STATUS_ON_HIGH; - } - } - - if (ip || sp) { - CERTCertificate *cert; - - cert = ss->sec.peerCert; - if (cert) { - if (ip) { - *ip = CERT_NameToAscii(&cert->issuer); - } - if (sp) { - *sp = CERT_NameToAscii(&cert->subject); - } - } else { - if (ip) { - *ip = PORT_Strdup("no certificate"); - } - if (sp) { - *sp = PORT_Strdup("no certificate"); - } - } - } - } - - return SECSuccess; -} - -/************************************************************************/ - -/* NEED LOCKS IN HERE. */ -SECStatus -SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg) -{ - sslSocket *ss; - SECStatus rv; - - ss = ssl_FindSocket(s); - if (!ss) { - SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook", - SSL_GETPID(), s)); - return SECFailure; - } - - ss->authCertificate = func; - ss->authCertificateArg = arg; - - return SECSuccess; -} - -/* NEED LOCKS IN HERE. */ -SECStatus -SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func, - void *arg) -{ - sslSocket *ss; - SECStatus rv; - - ss = ssl_FindSocket(s); - if (!ss) { - SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook", - SSL_GETPID(), s)); - return SECFailure; - } - - ss->getClientAuthData = func; - ss->getClientAuthDataArg = arg; - return SECSuccess; -} - -/* NEED LOCKS IN HERE. */ -SECStatus -SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg) -{ - sslSocket *ss; - SECStatus rv; - - ss = ssl_FindSocket(s); - if (!ss) { - SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook", - SSL_GETPID(), s)); - return SECFailure; - } - - ss->pkcs11PinArg = arg; - return SECSuccess; -} - - -/* This is the "default" authCert callback function. It is called when a - * certificate message is received from the peer and the local application - * has not registered an authCert callback function. - */ -SECStatus -SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer) -{ - SECStatus rv; - CERTCertDBHandle * handle; - sslSocket * ss; - SECCertUsage certUsage; - const char * hostname = NULL; - - ss = ssl_FindSocket(fd); - PORT_Assert(ss != NULL); - if (!ss) { - return SECFailure; - } - - handle = (CERTCertDBHandle *)arg; - - /* this may seem backwards, but isn't. */ - certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; - - rv = CERT_VerifyCertNow(handle, ss->sec.peerCert, checkSig, certUsage, - ss->pkcs11PinArg); - - if ( rv != SECSuccess || isServer ) - return rv; - - /* cert is OK. This is the client side of an SSL connection. - * Now check the name field in the cert against the desired hostname. - * NB: This is our only defense against Man-In-The-Middle (MITM) attacks! - */ - hostname = ss->url; - if (hostname && hostname[0]) - rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); - else - rv = SECFailure; - if (rv != SECSuccess) - PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); - - return rv; -} |