1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
12 /* NEED LOCKS IN HERE. */
14 SSL_PeerCertificate(PRFileDesc *fd)
18 ss = ssl_FindSocket(fd);
20 SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
24 if (ss->opt.useSecurity && ss->sec.peerCert) {
25 return CERT_DupCertificate(ss->sec.peerCert);
30 /* NEED LOCKS IN HERE. */
32 SSL_PeerCertificateChain(PRFileDesc *fd)
35 CERTCertList *chain = NULL;
36 CERTCertificate *cert;
39 ss = ssl_FindSocket(fd);
41 SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain",
45 if (!ss->opt.useSecurity || !ss->sec.peerCert) {
46 PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
49 chain = CERT_NewCertList();
53 cert = CERT_DupCertificate(ss->sec.peerCert);
54 if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
57 for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) {
58 cert = CERT_DupCertificate(cur->cert);
59 if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
66 CERT_DestroyCertList(chain);
70 /* NEED LOCKS IN HERE. */
72 SSL_LocalCertificate(PRFileDesc *fd)
76 ss = ssl_FindSocket(fd);
78 SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
82 if (ss->opt.useSecurity) {
83 if (ss->sec.localCert) {
84 return CERT_DupCertificate(ss->sec.localCert);
86 if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) {
87 return CERT_DupCertificate(ss->sec.ci.sid->localCert);
95 /* NEED LOCKS IN HERE. */
97 SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
101 const char *cipherName;
102 PRBool isDes = PR_FALSE;
104 ss = ssl_FindSocket(fd);
106 SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus",
117 *op = SSL_SECURITY_STATUS_OFF;
120 if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
121 if (ss->version < SSL_LIBRARY_VERSION_3_0) {
122 cipherName = ssl_cipherName[ss->sec.cipherType];
124 cipherName = ssl3_cipherName[ss->sec.cipherType];
126 PORT_Assert(cipherName);
128 if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE;
131 *cp = PORT_Strdup(cipherName);
136 *kp0 = ss->sec.keyBits;
137 if (isDes) *kp0 = (*kp0 * 7) / 8;
140 *kp1 = ss->sec.secretKeyBits;
141 if (isDes) *kp1 = (*kp1 * 7) / 8;
144 if (ss->sec.keyBits == 0) {
145 *op = SSL_SECURITY_STATUS_OFF;
146 } else if (ss->sec.secretKeyBits < 90) {
147 *op = SSL_SECURITY_STATUS_ON_LOW;
150 *op = SSL_SECURITY_STATUS_ON_HIGH;
155 CERTCertificate *cert;
157 cert = ss->sec.peerCert;
160 *ip = CERT_NameToAscii(&cert->issuer);
163 *sp = CERT_NameToAscii(&cert->subject);
167 *ip = PORT_Strdup("no certificate");
170 *sp = PORT_Strdup("no certificate");
179 /************************************************************************/
181 /* NEED LOCKS IN HERE. */
183 SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg)
187 ss = ssl_FindSocket(s);
189 SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook",
194 ss->authCertificate = func;
195 ss->authCertificateArg = arg;
200 /* NEED LOCKS IN HERE. */
202 SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
207 ss = ssl_FindSocket(s);
209 SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
214 ss->getClientAuthData = func;
215 ss->getClientAuthDataArg = arg;
220 SSL_SetClientChannelIDCallback(PRFileDesc *fd,
221 SSLClientChannelIDCallback callback,
223 sslSocket *ss = ssl_FindSocket(fd);
226 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback",
231 ss->getChannelID = callback;
232 ss->getChannelIDArg = arg;
237 #ifdef NSS_PLATFORM_CLIENT_AUTH
238 /* NEED LOCKS IN HERE. */
240 SSL_GetPlatformClientAuthDataHook(PRFileDesc *s,
241 SSLGetPlatformClientAuthData func,
246 ss = ssl_FindSocket(s);
248 SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook",
253 ss->getPlatformClientAuthData = func;
254 ss->getPlatformClientAuthDataArg = arg;
257 #endif /* NSS_PLATFORM_CLIENT_AUTH */
259 /* NEED LOCKS IN HERE. */
261 SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
265 ss = ssl_FindSocket(s);
267 SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
272 ss->pkcs11PinArg = arg;
277 /* This is the "default" authCert callback function. It is called when a
278 * certificate message is received from the peer and the local application
279 * has not registered an authCert callback function.
282 SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
285 CERTCertDBHandle * handle;
287 SECCertUsage certUsage;
288 const char * hostname = NULL;
289 PRTime now = PR_Now();
290 SECItemArray * certStatusArray;
292 ss = ssl_FindSocket(fd);
293 PORT_Assert(ss != NULL);
298 handle = (CERTCertDBHandle *)arg;
299 certStatusArray = &ss->sec.ci.sid->peerCertStatus;
301 if (certStatusArray->len) {
302 CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert,
303 now, &certStatusArray->items[0],
307 /* this may seem backwards, but isn't. */
308 certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
310 rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage,
311 now, ss->pkcs11PinArg, NULL);
313 if ( rv != SECSuccess || isServer )
316 /* cert is OK. This is the client side of an SSL connection.
317 * Now check the name field in the cert against the desired hostname.
318 * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
321 if (hostname && hostname[0])
322 rv = CERT_VerifyCertName(ss->sec.peerCert, hostname);
325 if (rv != SECSuccess)
326 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);