Bug 542538: Add the pwArg argument to CERT_CacheOCSPResponseFromSideChannel.
authorwtc%google.com
Mon, 01 Feb 2010 19:46:49 +0000
changeset 9528 9a1e1c2f5a8d48b998f415cd21ec7528458c02f7
parent 9527 493636cdceea13f88a8b7f48a3db1dee1eca4c2b
child 9529 1ca04759b6cebd1d1f97959d33808d1d038b25cd
push idunknown
push userunknown
push dateunknown
bugs542538
Bug 542538: Add the pwArg argument to CERT_CacheOCSPResponseFromSideChannel. r=rrelyea. Modified Files: ocsp.c ocsp.h
security/nss/lib/certhigh/ocsp.c
security/nss/lib/certhigh/ocsp.h
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -4825,25 +4825,28 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *h
  *   CERTCertDBHandle *handle
  *     certificate DB of the cert that is being checked
  *   CERTCertificate *cert
  *     the certificate being checked
  *   int64 time
  *     time for which status is to be determined
  *   SECItem *encodedResponse
  *     the DER encoded bytes of the OCSP response
+ *   void *pwArg
+ *     argument for password prompting, if needed
  * RETURN:
  *   SECSuccess if the cert was found in the cache, or if the OCSP response was
  *   found to be valid and inserted into the cache. SECFailure otherwise.
  */
 SECStatus
 CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
 				      CERTCertificate *cert,
 				      int64 time,
-				      SECItem *encodedResponse)
+				      SECItem *encodedResponse,
+				      void *pwArg)
 {
     CERTOCSPCertID *certID;
     PRBool certIDWasConsumed = PR_FALSE;
     SECStatus rv = SECFailure;
     SECStatus rvOcsp;
     SECErrorCodes dummy_error_code; /* we ignore this */
 
     certID = CERT_CreateOCSPCertID(cert, time);
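Review bot: The new `pwArg` entry in the header comment does not say whether NULL is still acceptable, nor that the caller's prompt context is now used while checking a response the function itself describes as attacker controlled. Before this change the call to ocsp_CacheEncodedOCSPResponse in the next hunk passed `NULL /* no pwArg */`, so NULL is evidently a valid value and callers should be told so. I would word the comment as `argument for password prompting, if needed; may be NULL (the value used before this parameter existed)`, and add one sentence noting that the response is untrusted input, so any prompt raised with pwArg can presumably be triggered by whoever supplied the response. The same two comment lines are added in the ocsp.h hunk and should get the same wording. The function body continues outside this hunk.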
@@ -4861,19 +4864,18 @@ CERT_CacheOCSPResponseFromSideChannel(CE
 
     /* Since the OCSP response came from a side channel it is attacker
      * controlled. The attacker can have chosen any valid OCSP response,
      * including responses from the past. In this case,
      * ocsp_GetVerifiedSingleResponseForCertID will fail. If we recorded a
      * negative cache entry in this case, then the attacker would have
      * 'poisoned' our cache (denial of service), so we don't record negative
      * results. */
-    rv = ocsp_CacheEncodedOCSPResponse(handle, certID, cert, time,
-                                       NULL /* no pwArg */, encodedResponse,
-                                       &certIDWasConsumed,
+    rv = ocsp_CacheEncodedOCSPResponse(handle, certID, cert, time, pwArg,
+                                       encodedResponse, &certIDWasConsumed,
                                        PR_FALSE /* don't cache failures */,
                                        &rvOcsp);
     if (!certIDWasConsumed) {
         CERT_DestroyOCSPCertID(certID);
     }
     return rv == SECSuccess ? rvOcsp : rv;
 }
 
--- a/security/nss/lib/certhigh/ocsp.h
+++ b/security/nss/lib/certhigh/ocsp.h
@@ -566,27 +566,30 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *h
  *
  * INPUTS:
  *   CERTCertDBHandle *handle
  *     certificate DB of the cert that is being checked
  *   CERTCertificate *cert
  *     the certificate being checked
  *   PRTime time
  *     time for which status is to be determined
- *   SECItem encodedResponse
+ *   SECItem *encodedResponse
  *     the DER encoded bytes of the OCSP response
+ *   void *pwArg
+ *     argument for password prompting, if needed
  * RETURN:
  *   SECSuccess if the cert was found in the cache, or if the OCSP response was
  *   found to be valid and inserted into the cache. SECFailure otherwise.
  */
 extern SECStatus
 CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
 				      CERTCertificate *cert,
 				      PRTime time,
-				      SECItem *encodedResponse);
+				      SECItem *encodedResponse,
+				      void *pwArg);
 
 /*
  * FUNCTION: CERT_GetOCSPStatusForCertID
  *  Returns the OCSP status contained in the passed in paramter response
  *  that corresponds to the certID passed in.
  * INPUTS:
  *  CERTCertDBHandle *handle
  *    certificate DB of the cert that is being checked
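Review bot: Adding `void *pwArg` to this `extern` prototype changes the signature for every existing caller, and the commit does not say whether the function has already shipped in a release. If it has, callers built against the four-argument prototype would leave `pwArg` indeterminate at the call into ocsp_CacheEncodedOCSPResponse. In that case the old entry point should be kept and the five-argument form added under a new name. If it has not shipped, a line in the description saying so would settle the question for later readers. Separately, the prototype here declares `PRTime time` while the definition in the ocsp.c hunk still uses `int64 time` in both its comment and parameter list. These are presumably the same underlying type, but since the signature is being edited anyway the definition could be changed to `PRTime time` to match.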