ssl/sslauth.c - chromium/src/net/third_party/nss - Git at Google

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "cert.h"
 #include "secitem.h"
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "pk11func.h"
 #include "ocsp.h"

 /* NEED LOCKS IN HERE.  */
 CERTCertificate *
 SSL_PeerCertificate(PRFileDesc *fd)
 {
     sslSocket *ss;

     ss = ssl_FindSocket(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
 		 SSL_GETPID(), fd));
 	return 0;
     }
     if (ss->opt.useSecurity && ss->sec.peerCert) {
 	return CERT_DupCertificate(ss->sec.peerCert);
     }
     return 0;
 }

 /* NEED LOCKS IN HERE.  */
 CERTCertList *
 SSL_PeerCertificateChain(PRFileDesc *fd)
 {
     sslSocket *ss;
     CERTCertList *chain = NULL;
     CERTCertificate *cert;
     ssl3CertNode *cur;

     ss = ssl_FindSocket(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain",
 		 SSL_GETPID(), fd));
 	return NULL;
     }
     if (!ss->opt.useSecurity || !ss->sec.peerCert) {
 	PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
 	return NULL;
     }
     chain = CERT_NewCertList();
     if (!chain) {
 	return NULL;
     }
     cert = CERT_DupCertificate(ss->sec.peerCert);
     if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
 	goto loser;
     }
     for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) {
 	cert = CERT_DupCertificate(cur->cert);
 	if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
 	    goto loser;
 	}
     }
     return chain;

 loser:
     CERT_DestroyCertList(chain);
     return NULL;
 }

 /* NEED LOCKS IN HERE.  */
 CERTCertificate *
 SSL_LocalCertificate(PRFileDesc *fd)
 {
     sslSocket *ss;

     ss = ssl_FindSocket(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
 		 SSL_GETPID(), fd));
 	return NULL;
     }
     if (ss->opt.useSecurity) {
     	if (ss->sec.localCert) {
 	    return CERT_DupCertificate(ss->sec.localCert);
 	}
 	if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) {
 	    return CERT_DupCertificate(ss->sec.ci.sid->localCert);
 	}
     }
     return NULL;
 }


 /* NEED LOCKS IN HERE.  */
 SECStatus
 SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
 		   char **ip, char **sp)
 {
     sslSocket *ss;
     const char *cipherName;
     PRBool isDes = PR_FALSE;

     ss = ssl_FindSocket(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus",
 		 SSL_GETPID(), fd));
 	return SECFailure;
     }

     if (cp) *cp = 0;
     if (kp0) *kp0 = 0;
     if (kp1) *kp1 = 0;
     if (ip) *ip = 0;
     if (sp) *sp = 0;
     if (op) {
 	*op = SSL_SECURITY_STATUS_OFF;
     }

     if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
 	if (ss->version < SSL_LIBRARY_VERSION_3_0) {
 	    cipherName = ssl_cipherName[ss->sec.cipherType];
 	} else {
 	    cipherName = ssl3_cipherName[ss->sec.cipherType];
 	}
 	PORT_Assert(cipherName);
 	if (cipherName) {
             if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE;

             if (cp) {
                 *cp = PORT_Strdup(cipherName);
             }
         }

 	if (kp0) {
 	    *kp0 = ss->sec.keyBits;
 	    if (isDes) *kp0 = (*kp0 * 7) / 8;
 	}
 	if (kp1) {
 	    *kp1 = ss->sec.secretKeyBits;
 	    if (isDes) *kp1 = (*kp1 * 7) / 8;
 	}
 	if (op) {
 	    if (ss->sec.keyBits == 0) {
 		*op = SSL_SECURITY_STATUS_OFF;
 	    } else if (ss->sec.secretKeyBits < 90) {
 		*op = SSL_SECURITY_STATUS_ON_LOW;

 	    } else {
 		*op = SSL_SECURITY_STATUS_ON_HIGH;
 	    }
 	}

 	if (ip || sp) {
 	    CERTCertificate *cert;

 	    cert = ss->sec.peerCert;
 	    if (cert) {
 		if (ip) {
 		    *ip = CERT_NameToAscii(&cert->issuer);
 		}
 		if (sp) {
 		    *sp = CERT_NameToAscii(&cert->subject);
 		}
 	    } else {
 		if (ip) {
 		    *ip = PORT_Strdup("no certificate");
 		}
 		if (sp) {
 		    *sp = PORT_Strdup("no certificate");
 		}
 	    }
 	}
     }

     return SECSuccess;
 }

 /************************************************************************/

 /* NEED LOCKS IN HERE.  */
 SECStatus
 SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg)
 {
     sslSocket *ss;

     ss = ssl_FindSocket(s);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook",
 		 SSL_GETPID(), s));
 	return SECFailure;
     }

     ss->authCertificate = func;
     ss->authCertificateArg = arg;

     return SECSuccess;
 }

 /* NEED LOCKS IN HERE.  */
 SECStatus
 SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
 			      void *arg)
 {
     sslSocket *ss;

     ss = ssl_FindSocket(s);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
 		 SSL_GETPID(), s));
 	return SECFailure;
     }

     ss->getClientAuthData = func;
     ss->getClientAuthDataArg = arg;
     return SECSuccess;
 }

 SECStatus
 SSL_SetClientChannelIDCallback(PRFileDesc *fd,
 			       SSLClientChannelIDCallback callback,
 			       void *arg) {
     sslSocket *ss = ssl_FindSocket(fd);

     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback",
 		 SSL_GETPID(), fd));
 	return SECFailure;
     }

     ss->getChannelID = callback;
     ss->getChannelIDArg = arg;

     return SECSuccess;
 }

 #ifdef NSS_PLATFORM_CLIENT_AUTH
 /* NEED LOCKS IN HERE.  */
 SECStatus
 SSL_GetPlatformClientAuthDataHook(PRFileDesc *s,
                                   SSLGetPlatformClientAuthData func,
                                   void *arg)
 {
     sslSocket *ss;

     ss = ssl_FindSocket(s);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook",
 		 SSL_GETPID(), s));
 	return SECFailure;
     }

     ss->getPlatformClientAuthData = func;
     ss->getPlatformClientAuthDataArg = arg;
     return SECSuccess;
 }
 #endif   /* NSS_PLATFORM_CLIENT_AUTH */

 /* NEED LOCKS IN HERE.  */
 SECStatus
 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
 {
     sslSocket *ss;

     ss = ssl_FindSocket(s);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
 		 SSL_GETPID(), s));
 	return SECFailure;
     }

     ss->pkcs11PinArg = arg;
     return SECSuccess;
 }


 /* This is the "default" authCert callback function.  It is called when a
  * certificate message is received from the peer and the local application
  * has not registered an authCert callback function.
  */
 SECStatus
 SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
 {
     SECStatus          rv;
     CERTCertDBHandle * handle;
     sslSocket *        ss;
     SECCertUsage       certUsage;
     const char *       hostname    = NULL;
     PRTime             now = PR_Now();
     SECItemArray *     certStatusArray;

     ss = ssl_FindSocket(fd);
     PORT_Assert(ss != NULL);
     if (!ss) {
 	return SECFailure;
     }

     handle = (CERTCertDBHandle *)arg;
     certStatusArray = &ss->sec.ci.sid->peerCertStatus;

     if (certStatusArray->len) {
 	PORT_SetError(0);
 	if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now,
 						  &certStatusArray->items[0],
 						  ss->pkcs11PinArg)
 		!= SECSuccess) {
 	    PORT_Assert(PR_GetError() != 0);
 	}
     }

     /* this may seem backwards, but isn't. */
     certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;

     rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage,
 			 now, ss->pkcs11PinArg, NULL);

     if ( rv != SECSuccess || isServer )
 	return rv;

     /* cert is OK.  This is the client side of an SSL connection.
      * Now check the name field in the cert against the desired hostname.
      * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
      */
     hostname = ss->url;
     if (hostname && hostname[0])
 	rv = CERT_VerifyCertName(ss->sec.peerCert, hostname);
     else
 	rv = SECFailure;
     if (rv != SECSuccess)
 	PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);

     return rv;
 }
	/* This Source Code Form is subject to the terms of the Mozilla Public
	* License, v. 2.0. If a copy of the MPL was not distributed with this
	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
	#include "cert.h"
	#include "secitem.h"
	#include "ssl.h"
	#include "sslimpl.h"
	#include "sslproto.h"
	#include "pk11func.h"
	#include "ocsp.h"

	/* NEED LOCKS IN HERE. */
	CERTCertificate *
	SSL_PeerCertificate(PRFileDesc *fd)
	{
	sslSocket *ss;

	ss = ssl_FindSocket(fd);
	if (!ss) {
	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
	SSL_GETPID(), fd));
	return 0;
	}
	if (ss->opt.useSecurity && ss->sec.peerCert) {
	return CERT_DupCertificate(ss->sec.peerCert);
	}
	return 0;
	}

	/* NEED LOCKS IN HERE. */
	CERTCertList *
	SSL_PeerCertificateChain(PRFileDesc *fd)
	{
	sslSocket *ss;
	CERTCertList *chain = NULL;
	CERTCertificate *cert;
	ssl3CertNode *cur;

	ss = ssl_FindSocket(fd);
	if (!ss) {
	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain",
	SSL_GETPID(), fd));
	return NULL;
	}
	if (!ss->opt.useSecurity \|\| !ss->sec.peerCert) {
	PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
	return NULL;
	}
	chain = CERT_NewCertList();
	if (!chain) {
	return NULL;
	}
	cert = CERT_DupCertificate(ss->sec.peerCert);
	if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
	goto loser;
	}
	for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) {
	cert = CERT_DupCertificate(cur->cert);
	if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
	goto loser;
	}
	}
	return chain;

	loser:
	CERT_DestroyCertList(chain);
	return NULL;
	}

	/* NEED LOCKS IN HERE. */
	CERTCertificate *
	SSL_LocalCertificate(PRFileDesc *fd)
	{
	sslSocket *ss;

	ss = ssl_FindSocket(fd);
	if (!ss) {
	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
	SSL_GETPID(), fd));
	return NULL;
	}
	if (ss->opt.useSecurity) {
	if (ss->sec.localCert) {
	return CERT_DupCertificate(ss->sec.localCert);
	}
	if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) {
	return CERT_DupCertificate(ss->sec.ci.sid->localCert);
	}
	}
	return NULL;
	}



	/* NEED LOCKS IN HERE. */
	SECStatus
	SSL_SecurityStatus(PRFileDesc fd, int op, char *cp, int kp0, int *kp1,
	char ip, char sp)
	{
	sslSocket *ss;
	const char *cipherName;
	PRBool isDes = PR_FALSE;

	ss = ssl_FindSocket(fd);
	if (!ss) {
	SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus",
	SSL_GETPID(), fd));
	return SECFailure;
	}

	if (cp) *cp = 0;
	if (kp0) *kp0 = 0;
	if (kp1) *kp1 = 0;
	if (ip) *ip = 0;
	if (sp) *sp = 0;
	if (op) {
	*op = SSL_SECURITY_STATUS_OFF;
	}

	if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
	if (ss->version < SSL_LIBRARY_VERSION_3_0) {
	cipherName = ssl_cipherName[ss->sec.cipherType];
	} else {
	cipherName = ssl3_cipherName[ss->sec.cipherType];
	}
	PORT_Assert(cipherName);
	if (cipherName) {
	if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE;

	if (cp) {
	*cp = PORT_Strdup(cipherName);
	}
	}

	if (kp0) {
	*kp0 = ss->sec.keyBits;
	if (isDes) kp0 = (kp0 * 7) / 8;
	}
	if (kp1) {
	*kp1 = ss->sec.secretKeyBits;
	if (isDes) kp1 = (kp1 * 7) / 8;
	}
	if (op) {
	if (ss->sec.keyBits == 0) {
	*op = SSL_SECURITY_STATUS_OFF;
	} else if (ss->sec.secretKeyBits < 90) {
	*op = SSL_SECURITY_STATUS_ON_LOW;

	} else {
	*op = SSL_SECURITY_STATUS_ON_HIGH;
	}
	}

	if (ip \|\| sp) {
	CERTCertificate *cert;

	cert = ss->sec.peerCert;
	if (cert) {
	if (ip) {
	*ip = CERT_NameToAscii(&cert->issuer);
	}
	if (sp) {
	*sp = CERT_NameToAscii(&cert->subject);
	}
	} else {
	if (ip) {
	*ip = PORT_Strdup("no certificate");
	}
	if (sp) {
	*sp = PORT_Strdup("no certificate");
	}
	}
	}
	}

	return SECSuccess;
	}

	/************************************************************************/

	/* NEED LOCKS IN HERE. */
	SECStatus
	SSL_AuthCertificateHook(PRFileDesc s, SSLAuthCertificate func, void arg)
	{
	sslSocket *ss;

	ss = ssl_FindSocket(s);
	if (!ss) {
	SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook",
	SSL_GETPID(), s));
	return SECFailure;
	}

	ss->authCertificate = func;
	ss->authCertificateArg = arg;

	return SECSuccess;
	}

	/* NEED LOCKS IN HERE. */
	SECStatus
	SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
	void *arg)
	{
	sslSocket *ss;

	ss = ssl_FindSocket(s);
	if (!ss) {
	SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
	SSL_GETPID(), s));
	return SECFailure;
	}

	ss->getClientAuthData = func;
	ss->getClientAuthDataArg = arg;
	return SECSuccess;
	}

	SECStatus
	SSL_SetClientChannelIDCallback(PRFileDesc *fd,
	SSLClientChannelIDCallback callback,
	void *arg) {
	sslSocket *ss = ssl_FindSocket(fd);

	if (!ss) {
	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback",
	SSL_GETPID(), fd));
	return SECFailure;
	}

	ss->getChannelID = callback;
	ss->getChannelIDArg = arg;

	return SECSuccess;
	}

	#ifdef NSS_PLATFORM_CLIENT_AUTH
	/* NEED LOCKS IN HERE. */
	SECStatus
	SSL_GetPlatformClientAuthDataHook(PRFileDesc *s,
	SSLGetPlatformClientAuthData func,
	void *arg)
	{
	sslSocket *ss;

	ss = ssl_FindSocket(s);
	if (!ss) {
	SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook",
	SSL_GETPID(), s));
	return SECFailure;
	}

	ss->getPlatformClientAuthData = func;
	ss->getPlatformClientAuthDataArg = arg;
	return SECSuccess;
	}
	#endif /* NSS_PLATFORM_CLIENT_AUTH */

	/* NEED LOCKS IN HERE. */
	SECStatus
	SSL_SetPKCS11PinArg(PRFileDesc s, void arg)
	{
	sslSocket *ss;

	ss = ssl_FindSocket(s);
	if (!ss) {
	SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
	SSL_GETPID(), s));
	return SECFailure;
	}

	ss->pkcs11PinArg = arg;
	return SECSuccess;
	}


	/* This is the "default" authCert callback function. It is called when a
	* certificate message is received from the peer and the local application
	* has not registered an authCert callback function.
	*/
	SECStatus
	SSL_AuthCertificate(void arg, PRFileDesc fd, PRBool checkSig, PRBool isServer)
	{
	SECStatus rv;
	CERTCertDBHandle * handle;
	sslSocket * ss;
	SECCertUsage certUsage;
	const char * hostname = NULL;
	PRTime now = PR_Now();
	SECItemArray * certStatusArray;

	ss = ssl_FindSocket(fd);
	PORT_Assert(ss != NULL);
	if (!ss) {
	return SECFailure;
	}

	handle = (CERTCertDBHandle *)arg;
	certStatusArray = &ss->sec.ci.sid->peerCertStatus;

	if (certStatusArray->len) {
	PORT_SetError(0);
	if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now,
	&certStatusArray->items[0],
	ss->pkcs11PinArg)
	!= SECSuccess) {
	PORT_Assert(PR_GetError() != 0);
	}
	}

	/* this may seem backwards, but isn't. */
	certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;

	rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage,
	now, ss->pkcs11PinArg, NULL);

	if ( rv != SECSuccess \|\| isServer )
	return rv;

	/* cert is OK. This is the client side of an SSL connection.
	* Now check the name field in the cert against the desired hostname.
	* NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
	*/
	hostname = ss->url;
	if (hostname && hostname[0])
	rv = CERT_VerifyCertName(ss->sec.peerCert, hostname);
	else
	rv = SECFailure;
	if (rv != SECSuccess)
	PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);

	return rv;
	}