Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(570)

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 10399083: Make NetLog take in callbacks that return Values (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Fix merge error Created 8 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/net.gyp ('k') | net/spdy/spdy_proxy_client_socket.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in 6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8 8
9 /* ***** BEGIN LICENSE BLOCK ***** 9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
(...skipping 364 matching lines...) Expand 10 before | Expand all | Expand 10 after
375 // TODO(wtc,mattm): this is temporary while DBC support is changed into 375 // TODO(wtc,mattm): this is temporary while DBC support is changed into
376 // Channel ID. 376 // Channel ID.
377 return false; 377 return false;
378 } 378 }
379 379
380 void DestroyCertificates(CERTCertificate** certs, size_t len) { 380 void DestroyCertificates(CERTCertificate** certs, size_t len) {
381 for (size_t i = 0; i < len; i++) 381 for (size_t i = 0; i < len; i++)
382 CERT_DestroyCertificate(certs[i]); 382 CERT_DestroyCertificate(certs[i]);
383 } 383 }
384 384
385 // Helper function to make it possible to log events from within the
386 // SSLClientSocketNSS::Core. Can't use Bind with BoundNetLog::AddEntry directly
387 // on Windows because it is overloaded.
388 void AddLogEvent(BoundNetLog* net_log,
389 NetLog::EventType event_type,
390 const scoped_refptr<NetLog::EventParameters>& event_params) {
391 if (!net_log)
392 return;
393 net_log->AddEvent(event_type, event_params);
394 }
395
385 // Helper function to make it easier to call BoundNetLog::AddByteTransferEvent 396 // Helper function to make it easier to call BoundNetLog::AddByteTransferEvent
386 // from within the SSLClientSocketNSS::Core. 397 // from within the SSLClientSocketNSS::Core.
387 // AddByteTransferEvent expects to receive a const char*, which within the 398 // AddByteTransferEvent expects to receive a const char*, which within the
388 // Core is backed by an IOBuffer. If the "const char*" is bound via 399 // Core is backed by an IOBuffer. If the "const char*" is bound via
389 // base::Bind and posted to another thread, and the IOBuffer that backs that 400 // base::Bind and posted to another thread, and the IOBuffer that backs that
390 // pointer then goes out of scope on the origin thread, this would result in 401 // pointer then goes out of scope on the origin thread, this would result in
391 // an invalid read of a stale pointer. 402 // an invalid read of a stale pointer.
392 // Instead, provide a signature that accepts an IOBuffer*, so that a reference 403 // Instead, provide a signature that accepts an IOBuffer*, so that a reference
393 // to the owning IOBuffer can be bound to the Callback. This ensures that the 404 // to the owning IOBuffer can be bound to the Callback. This ensures that the
394 // IOBuffer will stay alive long enough to cross threads if needed. 405 // IOBuffer will stay alive long enough to cross threads if needed.
(...skipping 890 matching lines...) Expand 10 before | Expand all | Expand 10 after
1285 CERTDistNames* ca_names, 1296 CERTDistNames* ca_names,
1286 CERTCertList** result_certs, 1297 CERTCertList** result_certs,
1287 void** result_private_key, 1298 void** result_private_key,
1288 CERTCertificate** result_nss_certificate, 1299 CERTCertificate** result_nss_certificate,
1289 SECKEYPrivateKey** result_nss_private_key) { 1300 SECKEYPrivateKey** result_nss_private_key) {
1290 Core* core = reinterpret_cast<Core*>(arg); 1301 Core* core = reinterpret_cast<Core*>(arg);
1291 DCHECK(core->OnNSSTaskRunner()); 1302 DCHECK(core->OnNSSTaskRunner());
1292 1303
1293 core->PostOrRunCallback( 1304 core->PostOrRunCallback(
1294 FROM_HERE, 1305 FROM_HERE,
1295 base::Bind(&BoundNetLog::AddEvent, core->weak_net_log_, 1306 base::Bind(&AddLogEvent, core->weak_net_log_,
1296 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, 1307 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED,
1297 scoped_refptr<NetLog::EventParameters>())); 1308 scoped_refptr<NetLog::EventParameters>()));
1298 1309
1299 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); 1310 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket);
1300 1311
1301 // Check if a domain-bound certificate is requested. 1312 // Check if a domain-bound certificate is requested.
1302 if (DomainBoundCertNegotiated(socket)) { 1313 if (DomainBoundCertNegotiated(socket)) {
1303 return core->DomainBoundClientAuthHandler(cert_types, 1314 return core->DomainBoundClientAuthHandler(cert_types,
1304 result_nss_certificate, 1315 result_nss_certificate,
1305 result_nss_private_key); 1316 result_nss_private_key);
(...skipping 26 matching lines...) Expand all
1332 1343
1333 // TODO(rsleevi): Error checking for NSS allocation errors. 1344 // TODO(rsleevi): Error checking for NSS allocation errors.
1334 CERTCertDBHandle* db_handle = CERT_GetDefaultCertDB(); 1345 CERTCertDBHandle* db_handle = CERT_GetDefaultCertDB();
1335 CERTCertificate* user_cert = CERT_NewTempCertificate( 1346 CERTCertificate* user_cert = CERT_NewTempCertificate(
1336 db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE); 1347 db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE);
1337 if (!user_cert) { 1348 if (!user_cert) {
1338 // Importing the certificate can fail for reasons including a serial 1349 // Importing the certificate can fail for reasons including a serial
1339 // number collision. See crbug.com/97355. 1350 // number collision. See crbug.com/97355.
1340 core->PostOrRunCallback( 1351 core->PostOrRunCallback(
1341 FROM_HERE, 1352 FROM_HERE,
1342 base::Bind(&BoundNetLog::AddEvent, core->weak_net_log_, 1353 base::Bind(&AddLogEvent, core->weak_net_log_,
1343 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, 1354 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
1344 make_scoped_refptr( 1355 make_scoped_refptr(
1345 new NetLogIntegerParameter("cert_count", 0)))); 1356 new NetLogIntegerParameter("cert_count", 0))));
1346 return SECFailure; 1357 return SECFailure;
1347 } 1358 }
1348 CERTCertList* cert_chain = CERT_NewCertList(); 1359 CERTCertList* cert_chain = CERT_NewCertList();
1349 CERT_AddCertToListTail(cert_chain, user_cert); 1360 CERT_AddCertToListTail(cert_chain, user_cert);
1350 1361
1351 // Add the intermediates. 1362 // Add the intermediates.
1352 X509Certificate::OSCertHandles intermediates = 1363 X509Certificate::OSCertHandles intermediates =
1353 core->ssl_config_.client_cert->GetIntermediateCertificates(); 1364 core->ssl_config_.client_cert->GetIntermediateCertificates();
1354 for (X509Certificate::OSCertHandles::const_iterator it = 1365 for (X509Certificate::OSCertHandles::const_iterator it =
1355 intermediates.begin(); it != intermediates.end(); ++it) { 1366 intermediates.begin(); it != intermediates.end(); ++it) {
1356 der_cert.data = (*it)->pbCertEncoded; 1367 der_cert.data = (*it)->pbCertEncoded;
1357 der_cert.len = (*it)->cbCertEncoded; 1368 der_cert.len = (*it)->cbCertEncoded;
1358 1369
1359 CERTCertificate* intermediate = CERT_NewTempCertificate( 1370 CERTCertificate* intermediate = CERT_NewTempCertificate(
1360 db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE); 1371 db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE);
1361 if (!intermediate) { 1372 if (!intermediate) {
1362 CERT_DestroyCertList(cert_chain); 1373 CERT_DestroyCertList(cert_chain);
1363 core->PostOrRunCallback( 1374 core->PostOrRunCallback(
1364 FROM_HERE, 1375 FROM_HERE,
1365 base::Bind(&BoundNetLog::AddEvent, core->weak_net_log_, 1376 base::Bind(&AddLogEvent, core->weak_net_log_,
1366 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, 1377 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
1367 make_scoped_refptr( 1378 make_scoped_refptr(
1368 new NetLogIntegerParameter("cert_count", 0)))); 1379 new NetLogIntegerParameter("cert_count", 0))));
1369 return SECFailure; 1380 return SECFailure;
1370 } 1381 }
1371 CERT_AddCertToListTail(cert_chain, intermediate); 1382 CERT_AddCertToListTail(cert_chain, intermediate);
1372 } 1383 }
1373 PCERT_KEY_CONTEXT key_context = reinterpret_cast<PCERT_KEY_CONTEXT>( 1384 PCERT_KEY_CONTEXT key_context = reinterpret_cast<PCERT_KEY_CONTEXT>(
1374 PORT_ZAlloc(sizeof(CERT_KEY_CONTEXT))); 1385 PORT_ZAlloc(sizeof(CERT_KEY_CONTEXT)));
1375 key_context->cbSize = sizeof(*key_context); 1386 key_context->cbSize = sizeof(*key_context);
1376 // NSS will free this context when no longer in use, but the 1387 // NSS will free this context when no longer in use, but the
1377 // |must_free| result from CryptAcquireCertificatePrivateKey was false 1388 // |must_free| result from CryptAcquireCertificatePrivateKey was false
1378 // so we increment the refcount to negate NSS's future decrement. 1389 // so we increment the refcount to negate NSS's future decrement.
1379 CryptContextAddRef(crypt_prov, NULL, 0); 1390 CryptContextAddRef(crypt_prov, NULL, 0);
1380 key_context->hCryptProv = crypt_prov; 1391 key_context->hCryptProv = crypt_prov;
1381 key_context->dwKeySpec = key_spec; 1392 key_context->dwKeySpec = key_spec;
1382 *result_private_key = key_context; 1393 *result_private_key = key_context;
1383 *result_certs = cert_chain; 1394 *result_certs = cert_chain;
1384 1395
1385 int cert_count = 1 + intermediates.size(); 1396 int cert_count = 1 + intermediates.size();
1386 core->PostOrRunCallback( 1397 core->PostOrRunCallback(
1387 FROM_HERE, 1398 FROM_HERE,
1388 base::Bind(&BoundNetLog::AddEvent, core->weak_net_log_, 1399 base::Bind(&AddLogEvent, core->weak_net_log_,
1389 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, 1400 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
1390 make_scoped_refptr( 1401 make_scoped_refptr(
1391 new NetLogIntegerParameter("cert_count", 1402 new NetLogIntegerParameter("cert_count",
1392 cert_count)))); 1403 cert_count))));
1393 return SECSuccess; 1404 return SECSuccess;
1394 } 1405 }
1395 LOG(WARNING) << "Client cert found without private key"; 1406 LOG(WARNING) << "Client cert found without private key";
1396 } 1407 }
1397 1408
1398 // Send no client certificate. 1409 // Send no client certificate.
1399 core->PostOrRunCallback( 1410 core->PostOrRunCallback(
1400 FROM_HERE, 1411 FROM_HERE,
1401 base::Bind(&BoundNetLog::AddEvent, core->weak_net_log_, 1412 base::Bind(&AddLogEvent, core->weak_net_log_,
1402 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, 1413 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
1403 make_scoped_refptr( 1414 make_scoped_refptr(
1404 new NetLogIntegerParameter("cert_count", 0)))); 1415 new NetLogIntegerParameter("cert_count", 0))));
1405 return SECFailure; 1416 return SECFailure;
1406 } 1417 }
1407 1418
1408 core->nss_handshake_state_.client_certs.clear(); 1419 core->nss_handshake_state_.client_certs.clear();
1409 1420
1410 std::vector<CERT_NAME_BLOB> issuer_list(ca_names->nnames); 1421 std::vector<CERT_NAME_BLOB> issuer_list(ca_names->nnames);
1411 for (int i = 0; i < ca_names->nnames; ++i) { 1422 for (int i = 0; i < ca_names->nnames; ++i) {
1412 issuer_list[i].cbData = ca_names->names[i].len; 1423 issuer_list[i].cbData = ca_names->names[i].len;
1413 issuer_list[i].pbData = ca_names->names[i].data; 1424 issuer_list[i].pbData = ca_names->names[i].data;
1414 } 1425 }
1415 1426
1416 // Client certificates of the user are in the "MY" system certificate store. 1427 // Client certificates of the user are in the "MY" system certificate store.
1417 HCERTSTORE my_cert_store = CertOpenSystemStore(NULL, L"MY"); 1428 HCERTSTORE my_cert_store = CertOpenSystemStore(NULL, L"MY");
1418 if (!my_cert_store) { 1429 if (!my_cert_store) {
1419 PLOG(ERROR) << "Could not open the \"MY\" system certificate store"; 1430 PLOG(ERROR) << "Could not open the \"MY\" system certificate store";
1420 1431
1421 core->PostOrRunCallback( 1432 core->PostOrRunCallback(
1422 FROM_HERE, 1433 FROM_HERE,
1423 base::Bind(&BoundNetLog::AddEvent, core->weak_net_log_, 1434 base::Bind(&AddLogEvent, core->weak_net_log_,
1424 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, 1435 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
1425 make_scoped_refptr( 1436 make_scoped_refptr(
1426 new NetLogIntegerParameter("cert_count", 0)))); 1437 new NetLogIntegerParameter("cert_count", 0))));
1427 return SECFailure; 1438 return SECFailure;
1428 } 1439 }
1429 1440
1430 // Enumerate the client certificates. 1441 // Enumerate the client certificates.
1431 CERT_CHAIN_FIND_BY_ISSUER_PARA find_by_issuer_para; 1442 CERT_CHAIN_FIND_BY_ISSUER_PARA find_by_issuer_para;
1432 memset(&find_by_issuer_para, 0, sizeof(find_by_issuer_para)); 1443 memset(&find_by_issuer_para, 0, sizeof(find_by_issuer_para));
1433 find_by_issuer_para.cbSize = sizeof(find_by_issuer_para); 1444 find_by_issuer_para.cbSize = sizeof(find_by_issuer_para);
(...skipping 124 matching lines...) Expand 10 before | Expand all | Expand 10 after
1558 } 1569 }
1559 } 1570 }
1560 if (os_error == noErr) { 1571 if (os_error == noErr) {
1561 int cert_count = 0; 1572 int cert_count = 0;
1562 if (chain) { 1573 if (chain) {
1563 cert_count = CFArrayGetCount(chain); 1574 cert_count = CFArrayGetCount(chain);
1564 CFRelease(chain); 1575 CFRelease(chain);
1565 } 1576 }
1566 core->PostOrRunCallback( 1577 core->PostOrRunCallback(
1567 FROM_HERE, 1578 FROM_HERE,
1568 base::Bind(&BoundNetLog::AddEvent, core->weak_net_log_, 1579 base::Bind(&AddLogEvent, core->weak_net_log_,
1569 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, 1580 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
1570 make_scoped_refptr( 1581 make_scoped_refptr(
1571 new NetLogIntegerParameter("cert_count", 1582 new NetLogIntegerParameter("cert_count",
1572 cert_count)))); 1583 cert_count))));
1573 return SECSuccess; 1584 return SECSuccess;
1574 } 1585 }
1575 OSSTATUS_LOG(WARNING, os_error) 1586 OSSTATUS_LOG(WARNING, os_error)
1576 << "Client cert found, but could not be used"; 1587 << "Client cert found, but could not be used";
1577 if (*result_certs) { 1588 if (*result_certs) {
1578 CERT_DestroyCertList(*result_certs); 1589 CERT_DestroyCertList(*result_certs);
1579 *result_certs = NULL; 1590 *result_certs = NULL;
1580 } 1591 }
1581 if (*result_private_key) 1592 if (*result_private_key)
1582 *result_private_key = NULL; 1593 *result_private_key = NULL;
1583 if (private_key) 1594 if (private_key)
1584 CFRelease(private_key); 1595 CFRelease(private_key);
1585 if (chain) 1596 if (chain)
1586 CFRelease(chain); 1597 CFRelease(chain);
1587 } 1598 }
1588 1599
1589 // Send no client certificate. 1600 // Send no client certificate.
1590 core->PostOrRunCallback( 1601 core->PostOrRunCallback(
1591 FROM_HERE, 1602 FROM_HERE,
1592 base::Bind(&BoundNetLog::AddEvent, core->weak_net_log_, 1603 base::Bind(&AddLogEvent, core->weak_net_log_,
1593 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, 1604 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
1594 make_scoped_refptr( 1605 make_scoped_refptr(
1595 new NetLogIntegerParameter("cert_count", 0)))); 1606 new NetLogIntegerParameter("cert_count", 0))));
1596 return SECFailure; 1607 return SECFailure;
1597 } 1608 }
1598 1609
1599 core->nss_handshake_state_.client_certs.clear(); 1610 core->nss_handshake_state_.client_certs.clear();
1600 1611
1601 // First, get the cert issuer names allowed by the server. 1612 // First, get the cert issuer names allowed by the server.
1602 std::vector<CertPrincipal> valid_issuers; 1613 std::vector<CertPrincipal> valid_issuers;
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after
1637 void* arg, 1648 void* arg,
1638 PRFileDesc* socket, 1649 PRFileDesc* socket,
1639 CERTDistNames* ca_names, 1650 CERTDistNames* ca_names,
1640 CERTCertificate** result_certificate, 1651 CERTCertificate** result_certificate,
1641 SECKEYPrivateKey** result_private_key) { 1652 SECKEYPrivateKey** result_private_key) {
1642 Core* core = reinterpret_cast<Core*>(arg); 1653 Core* core = reinterpret_cast<Core*>(arg);
1643 DCHECK(core->OnNSSTaskRunner()); 1654 DCHECK(core->OnNSSTaskRunner());
1644 1655
1645 core->PostOrRunCallback( 1656 core->PostOrRunCallback(
1646 FROM_HERE, 1657 FROM_HERE,
1647 base::Bind(&BoundNetLog::AddEvent, core->weak_net_log_, 1658 base::Bind(&AddLogEvent, core->weak_net_log_,
1648 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, 1659 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED,
1649 scoped_refptr<NetLog::EventParameters>())); 1660 scoped_refptr<NetLog::EventParameters>()));
1650 1661
1651 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); 1662 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket);
1652 1663
1653 // Check if a domain-bound certificate is requested. 1664 // Check if a domain-bound certificate is requested.
1654 if (DomainBoundCertNegotiated(socket)) { 1665 if (DomainBoundCertNegotiated(socket)) {
1655 return core->DomainBoundClientAuthHandler( 1666 return core->DomainBoundClientAuthHandler(
1656 cert_types, result_certificate, result_private_key); 1667 cert_types, result_certificate, result_private_key);
1657 } 1668 }
(...skipping 11 matching lines...) Expand all
1669 if (privkey) { 1680 if (privkey) {
1670 // TODO(jsorianopastor): We should wait for server certificate 1681 // TODO(jsorianopastor): We should wait for server certificate
1671 // verification before sending our credentials. See 1682 // verification before sending our credentials. See
1672 // http://crbug.com/13934. 1683 // http://crbug.com/13934.
1673 *result_certificate = cert; 1684 *result_certificate = cert;
1674 *result_private_key = privkey; 1685 *result_private_key = privkey;
1675 // A cert_count of -1 means the number of certificates is unknown. 1686 // A cert_count of -1 means the number of certificates is unknown.
1676 // NSS will construct the certificate chain. 1687 // NSS will construct the certificate chain.
1677 core->PostOrRunCallback( 1688 core->PostOrRunCallback(
1678 FROM_HERE, 1689 FROM_HERE,
1679 base::Bind(&BoundNetLog::AddEvent, core->weak_net_log_, 1690 base::Bind(&AddLogEvent, core->weak_net_log_,
1680 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, 1691 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
1681 make_scoped_refptr( 1692 make_scoped_refptr(
1682 new NetLogIntegerParameter("cert_count", -1)))); 1693 new NetLogIntegerParameter("cert_count", -1))));
1683 1694
1684 return SECSuccess; 1695 return SECSuccess;
1685 } 1696 }
1686 LOG(WARNING) << "Client cert found without private key"; 1697 LOG(WARNING) << "Client cert found without private key";
1687 } 1698 }
1688 // Send no client certificate. 1699 // Send no client certificate.
1689 core->PostOrRunCallback( 1700 core->PostOrRunCallback(
1690 FROM_HERE, 1701 FROM_HERE,
1691 base::Bind(&BoundNetLog::AddEvent, core->weak_net_log_, 1702 base::Bind(&AddLogEvent, core->weak_net_log_,
1692 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, 1703 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
1693 make_scoped_refptr( 1704 make_scoped_refptr(
1694 new NetLogIntegerParameter("cert_count", 0)))); 1705 new NetLogIntegerParameter("cert_count", 0))));
1695 return SECFailure; 1706 return SECFailure;
1696 } 1707 }
1697 1708
1698 core->nss_handshake_state_.client_certs.clear(); 1709 core->nss_handshake_state_.client_certs.clear();
1699 1710
1700 // Iterate over all client certificates. 1711 // Iterate over all client certificates.
1701 CERTCertList* client_certs = CERT_FindUserCertsByUsage( 1712 CERTCertList* client_certs = CERT_FindUserCertsByUsage(
(...skipping 230 matching lines...) Expand 10 before | Expand all | Expand 10 after
1932 DCHECK_EQ(STATE_NONE, next_handshake_state_); 1943 DCHECK_EQ(STATE_NONE, next_handshake_state_);
1933 1944
1934 if (result < 0) 1945 if (result < 0)
1935 return result; 1946 return result;
1936 1947
1937 if (!nss_bufs_) { 1948 if (!nss_bufs_) {
1938 LOG(DFATAL) << "!nss_bufs_"; 1949 LOG(DFATAL) << "!nss_bufs_";
1939 int rv = ERR_UNEXPECTED; 1950 int rv = ERR_UNEXPECTED;
1940 PostOrRunCallback( 1951 PostOrRunCallback(
1941 FROM_HERE, 1952 FROM_HERE,
1942 base::Bind(&BoundNetLog::AddEvent, weak_net_log_, 1953 base::Bind(&AddLogEvent, weak_net_log_,
1943 NetLog::TYPE_SSL_READ_ERROR, 1954 NetLog::TYPE_SSL_READ_ERROR,
1944 make_scoped_refptr(new SSLErrorParams(rv, 0)))); 1955 make_scoped_refptr(new SSLErrorParams(rv, 0))));
1945 return rv; 1956 return rv;
1946 } 1957 }
1947 1958
1948 bool network_moved; 1959 bool network_moved;
1949 int rv; 1960 int rv;
1950 do { 1961 do {
1951 rv = DoPayloadRead(); 1962 rv = DoPayloadRead();
1952 network_moved = DoTransportIO(); 1963 network_moved = DoTransportIO();
1953 } while (rv == ERR_IO_PENDING && network_moved); 1964 } while (rv == ERR_IO_PENDING && network_moved);
1954 1965
1955 return rv; 1966 return rv;
1956 } 1967 }
1957 1968
1958 int SSLClientSocketNSS::Core::DoWriteLoop(int result) { 1969 int SSLClientSocketNSS::Core::DoWriteLoop(int result) {
1959 DCHECK(OnNSSTaskRunner()); 1970 DCHECK(OnNSSTaskRunner());
1960 DCHECK(handshake_callback_called_); 1971 DCHECK(handshake_callback_called_);
1961 DCHECK_EQ(STATE_NONE, next_handshake_state_); 1972 DCHECK_EQ(STATE_NONE, next_handshake_state_);
1962 1973
1963 if (result < 0) 1974 if (result < 0)
1964 return result; 1975 return result;
1965 1976
1966 if (!nss_bufs_) { 1977 if (!nss_bufs_) {
1967 LOG(DFATAL) << "!nss_bufs_"; 1978 LOG(DFATAL) << "!nss_bufs_";
1968 int rv = ERR_UNEXPECTED; 1979 int rv = ERR_UNEXPECTED;
1969 PostOrRunCallback( 1980 PostOrRunCallback(
1970 FROM_HERE, 1981 FROM_HERE,
1971 base::Bind(&BoundNetLog::AddEvent, weak_net_log_, 1982 base::Bind(&AddLogEvent, weak_net_log_,
1972 NetLog::TYPE_SSL_READ_ERROR, 1983 NetLog::TYPE_SSL_READ_ERROR,
1973 make_scoped_refptr(new SSLErrorParams(rv, 0)))); 1984 make_scoped_refptr(new SSLErrorParams(rv, 0))));
1974 return rv; 1985 return rv;
1975 } 1986 }
1976 1987
1977 bool network_moved; 1988 bool network_moved;
1978 int rv; 1989 int rv;
1979 do { 1990 do {
1980 rv = DoPayloadWrite(); 1991 rv = DoPayloadWrite();
1981 network_moved = DoTransportIO(); 1992 network_moved = DoTransportIO();
(...skipping 14 matching lines...) Expand all
1996 // code so that the higher level code will attempt to delete the socket and 2007 // code so that the higher level code will attempt to delete the socket and
1997 // redo the handshake. 2008 // redo the handshake.
1998 if (client_auth_cert_needed_) { 2009 if (client_auth_cert_needed_) {
1999 if (domain_bound_cert_xtn_negotiated_) { 2010 if (domain_bound_cert_xtn_negotiated_) {
2000 GotoState(STATE_GET_DOMAIN_BOUND_CERT_COMPLETE); 2011 GotoState(STATE_GET_DOMAIN_BOUND_CERT_COMPLETE);
2001 net_error = ERR_IO_PENDING; 2012 net_error = ERR_IO_PENDING;
2002 } else { 2013 } else {
2003 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; 2014 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
2004 PostOrRunCallback( 2015 PostOrRunCallback(
2005 FROM_HERE, 2016 FROM_HERE,
2006 base::Bind(&BoundNetLog::AddEvent, weak_net_log_, 2017 base::Bind(&AddLogEvent, weak_net_log_,
2007 NetLog::TYPE_SSL_HANDSHAKE_ERROR, 2018 NetLog::TYPE_SSL_HANDSHAKE_ERROR,
2008 make_scoped_refptr(new SSLErrorParams(net_error, 0)))); 2019 make_scoped_refptr(new SSLErrorParams(net_error, 0))));
2009 2020
2010 // If the handshake already succeeded (because the server requests but 2021 // If the handshake already succeeded (because the server requests but
2011 // doesn't require a client cert), we need to invalidate the SSL session 2022 // doesn't require a client cert), we need to invalidate the SSL session
2012 // so that we won't try to resume the non-client-authenticated session in 2023 // so that we won't try to resume the non-client-authenticated session in
2013 // the next handshake. This will cause the server to ask for a client 2024 // the next handshake. This will cause the server to ask for a client
2014 // cert again. 2025 // cert again.
2015 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) 2026 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess)
2016 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); 2027 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError();
2017 } 2028 }
2018 } else if (rv == SECSuccess) { 2029 } else if (rv == SECSuccess) {
2019 if (!handshake_callback_called_) { 2030 if (!handshake_callback_called_) {
2020 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=562434 - 2031 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=562434 -
2021 // SSL_ForceHandshake returned SECSuccess prematurely. 2032 // SSL_ForceHandshake returned SECSuccess prematurely.
2022 rv = SECFailure; 2033 rv = SECFailure;
2023 net_error = ERR_SSL_PROTOCOL_ERROR; 2034 net_error = ERR_SSL_PROTOCOL_ERROR;
2024 PostOrRunCallback( 2035 PostOrRunCallback(
2025 FROM_HERE, 2036 FROM_HERE,
2026 base::Bind(&BoundNetLog::AddEvent, weak_net_log_, 2037 base::Bind(&AddLogEvent, weak_net_log_,
2027 NetLog::TYPE_SSL_HANDSHAKE_ERROR, 2038 NetLog::TYPE_SSL_HANDSHAKE_ERROR,
2028 make_scoped_refptr( 2039 make_scoped_refptr(
2029 new SSLErrorParams(net_error, 0)))); 2040 new SSLErrorParams(net_error, 0))));
2030 } else { 2041 } else {
2031 #if defined(SSL_ENABLE_OCSP_STAPLING) 2042 #if defined(SSL_ENABLE_OCSP_STAPLING)
2032 // TODO(agl): figure out how to plumb an OCSP response into the Mac 2043 // TODO(agl): figure out how to plumb an OCSP response into the Mac
2033 // system library and update IsOCSPStaplingSupported for Mac. 2044 // system library and update IsOCSPStaplingSupported for Mac.
2034 if (!nss_handshake_state_.predicted_cert_chain_correct && 2045 if (!nss_handshake_state_.predicted_cert_chain_correct &&
2035 IsOCSPStaplingSupported()) { 2046 IsOCSPStaplingSupported()) {
2036 unsigned int len = 0; 2047 unsigned int len = 0;
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after
2077 } else { 2088 } else {
2078 PRErrorCode prerr = PR_GetError(); 2089 PRErrorCode prerr = PR_GetError();
2079 net_error = HandleNSSError(prerr, true); 2090 net_error = HandleNSSError(prerr, true);
2080 2091
2081 // If not done, stay in this state 2092 // If not done, stay in this state
2082 if (net_error == ERR_IO_PENDING) { 2093 if (net_error == ERR_IO_PENDING) {
2083 GotoState(STATE_HANDSHAKE); 2094 GotoState(STATE_HANDSHAKE);
2084 } else { 2095 } else {
2085 PostOrRunCallback( 2096 PostOrRunCallback(
2086 FROM_HERE, 2097 FROM_HERE,
2087 base::Bind(&BoundNetLog::AddEvent, weak_net_log_, 2098 base::Bind(&AddLogEvent, weak_net_log_,
2088 NetLog::TYPE_SSL_HANDSHAKE_ERROR, 2099 NetLog::TYPE_SSL_HANDSHAKE_ERROR,
2089 make_scoped_refptr( 2100 make_scoped_refptr(
2090 new SSLErrorParams(net_error, prerr)))); 2101 new SSLErrorParams(net_error, prerr))));
2091 } 2102 }
2092 } 2103 }
2093 2104
2094 return net_error; 2105 return net_error;
2095 } 2106 }
2096 2107
2097 int SSLClientSocketNSS::Core::DoGetDBCertComplete(int result) { 2108 int SSLClientSocketNSS::Core::DoGetDBCertComplete(int result) {
(...skipping 20 matching lines...) Expand all
2118 SECKEYPrivateKey* key; 2129 SECKEYPrivateKey* key;
2119 int error = ImportDBCertAndKey(&cert, &key); 2130 int error = ImportDBCertAndKey(&cert, &key);
2120 if (error != OK) 2131 if (error != OK)
2121 return error; 2132 return error;
2122 2133
2123 CERTCertificateList* cert_chain = 2134 CERTCertificateList* cert_chain =
2124 CERT_CertChainFromCert(cert, certUsageSSLClient, PR_FALSE); 2135 CERT_CertChainFromCert(cert, certUsageSSLClient, PR_FALSE);
2125 2136
2126 PostOrRunCallback( 2137 PostOrRunCallback(
2127 FROM_HERE, 2138 FROM_HERE,
2128 base::Bind(&BoundNetLog::AddEvent, weak_net_log_, 2139 base::Bind(&AddLogEvent, weak_net_log_,
2129 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, 2140 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
2130 make_scoped_refptr( 2141 make_scoped_refptr(
2131 new NetLogIntegerParameter("cert_count", 2142 new NetLogIntegerParameter("cert_count",
2132 cert_chain->len)))); 2143 cert_chain->len))));
2133 2144
2134 rv = SSL_RestartHandshakeAfterCertReq(nss_fd_, cert, key, cert_chain); 2145 rv = SSL_RestartHandshakeAfterCertReq(nss_fd_, cert, key, cert_chain);
2135 if (rv != SECSuccess) 2146 if (rv != SECSuccess)
2136 return MapNSSError(PORT_GetError()); 2147 return MapNSSError(PORT_GetError());
2137 2148
2138 GotoState(STATE_HANDSHAKE); 2149 GotoState(STATE_HANDSHAKE);
2139 return OK; 2150 return OK;
2140 } 2151 }
2141 2152
2142 int SSLClientSocketNSS::Core::DoPayloadRead() { 2153 int SSLClientSocketNSS::Core::DoPayloadRead() {
2143 DCHECK(OnNSSTaskRunner()); 2154 DCHECK(OnNSSTaskRunner());
2144 DCHECK(user_read_buf_); 2155 DCHECK(user_read_buf_);
2145 DCHECK_GT(user_read_buf_len_, 0); 2156 DCHECK_GT(user_read_buf_len_, 0);
2146 2157
2147 int rv = PR_Read(nss_fd_, user_read_buf_->data(), user_read_buf_len_); 2158 int rv = PR_Read(nss_fd_, user_read_buf_->data(), user_read_buf_len_);
2148 if (client_auth_cert_needed_) { 2159 if (client_auth_cert_needed_) {
2149 // We don't need to invalidate the non-client-authenticated SSL session 2160 // We don't need to invalidate the non-client-authenticated SSL session
2150 // because the server will renegotiate anyway. 2161 // because the server will renegotiate anyway.
2151 rv = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; 2162 rv = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
2152 PostOrRunCallback( 2163 PostOrRunCallback(
2153 FROM_HERE, 2164 FROM_HERE,
2154 base::Bind(&BoundNetLog::AddEvent, weak_net_log_, 2165 base::Bind(&AddLogEvent, weak_net_log_,
2155 NetLog::TYPE_SSL_READ_ERROR, 2166 NetLog::TYPE_SSL_READ_ERROR,
2156 make_scoped_refptr(new SSLErrorParams(rv, 0)))); 2167 make_scoped_refptr(new SSLErrorParams(rv, 0))));
2157 return rv; 2168 return rv;
2158 } 2169 }
2159 if (rv >= 0) { 2170 if (rv >= 0) {
2160 PostOrRunCallback( 2171 PostOrRunCallback(
2161 FROM_HERE, 2172 FROM_HERE,
2162 base::Bind(&LogByteTransferEvent, weak_net_log_, 2173 base::Bind(&LogByteTransferEvent, weak_net_log_,
2163 NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv, 2174 NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv,
2164 scoped_refptr<IOBuffer>(user_read_buf_))); 2175 scoped_refptr<IOBuffer>(user_read_buf_)));
2165 return rv; 2176 return rv;
2166 } 2177 }
2167 PRErrorCode prerr = PR_GetError(); 2178 PRErrorCode prerr = PR_GetError();
2168 if (prerr == PR_WOULD_BLOCK_ERROR) 2179 if (prerr == PR_WOULD_BLOCK_ERROR)
2169 return ERR_IO_PENDING; 2180 return ERR_IO_PENDING;
2170 2181
2171 rv = HandleNSSError(prerr, false); 2182 rv = HandleNSSError(prerr, false);
2172 PostOrRunCallback( 2183 PostOrRunCallback(
2173 FROM_HERE, 2184 FROM_HERE,
2174 base::Bind(&BoundNetLog::AddEvent, weak_net_log_, 2185 base::Bind(&AddLogEvent, weak_net_log_,
2175 NetLog::TYPE_SSL_READ_ERROR, 2186 NetLog::TYPE_SSL_READ_ERROR,
2176 make_scoped_refptr(new SSLErrorParams(rv, prerr)))); 2187 make_scoped_refptr(new SSLErrorParams(rv, prerr))));
2177 return rv; 2188 return rv;
2178 } 2189 }
2179 2190
2180 int SSLClientSocketNSS::Core::DoPayloadWrite() { 2191 int SSLClientSocketNSS::Core::DoPayloadWrite() {
2181 DCHECK(OnNSSTaskRunner()); 2192 DCHECK(OnNSSTaskRunner());
2182 2193
2183 DCHECK(user_write_buf_); 2194 DCHECK(user_write_buf_);
2184 2195
2185 int rv = PR_Write(nss_fd_, user_write_buf_->data(), user_write_buf_len_); 2196 int rv = PR_Write(nss_fd_, user_write_buf_->data(), user_write_buf_len_);
2186 if (rv >= 0) { 2197 if (rv >= 0) {
2187 PostOrRunCallback( 2198 PostOrRunCallback(
2188 FROM_HERE, 2199 FROM_HERE,
2189 base::Bind(&LogByteTransferEvent, weak_net_log_, 2200 base::Bind(&LogByteTransferEvent, weak_net_log_,
2190 NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, 2201 NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv,
2191 scoped_refptr<IOBuffer>(user_write_buf_))); 2202 scoped_refptr<IOBuffer>(user_write_buf_)));
2192 return rv; 2203 return rv;
2193 } 2204 }
2194 PRErrorCode prerr = PR_GetError(); 2205 PRErrorCode prerr = PR_GetError();
2195 if (prerr == PR_WOULD_BLOCK_ERROR) 2206 if (prerr == PR_WOULD_BLOCK_ERROR)
2196 return ERR_IO_PENDING; 2207 return ERR_IO_PENDING;
2197 2208
2198 rv = HandleNSSError(prerr, false); 2209 rv = HandleNSSError(prerr, false);
2199 PostOrRunCallback( 2210 PostOrRunCallback(
2200 FROM_HERE, 2211 FROM_HERE,
2201 base::Bind(&BoundNetLog::AddEvent, weak_net_log_, 2212 base::Bind(&AddLogEvent, weak_net_log_,
2202 NetLog::TYPE_SSL_WRITE_ERROR, 2213 NetLog::TYPE_SSL_WRITE_ERROR,
2203 make_scoped_refptr(new SSLErrorParams(rv, prerr)))); 2214 make_scoped_refptr(new SSLErrorParams(rv, prerr))));
2204 return rv; 2215 return rv;
2205 } 2216 }
2206 2217
2207 // Do as much network I/O as possible between the buffer and the 2218 // Do as much network I/O as possible between the buffer and the
2208 // transport socket. Return true if some I/O performed, false 2219 // transport socket. Return true if some I/O performed, false
2209 // otherwise (error or ERR_IO_PENDING). 2220 // otherwise (error or ERR_IO_PENDING).
2210 bool SSLClientSocketNSS::Core::DoTransportIO() { 2221 bool SSLClientSocketNSS::Core::DoTransportIO() {
2211 DCHECK(OnNSSTaskRunner()); 2222 DCHECK(OnNSSTaskRunner());
(...skipping 227 matching lines...) Expand 10 before | Expand all | Expand 10 after
2439 domain_bound_cert_type_ = CLIENT_CERT_INVALID_TYPE; 2450 domain_bound_cert_type_ = CLIENT_CERT_INVALID_TYPE;
2440 rv = SECFailure; 2451 rv = SECFailure;
2441 } 2452 }
2442 } else { 2453 } else {
2443 rv = SECFailure; 2454 rv = SECFailure;
2444 } 2455 }
2445 2456
2446 int cert_count = (rv == SECSuccess) ? 1 : 0; 2457 int cert_count = (rv == SECSuccess) ? 1 : 0;
2447 PostOrRunCallback( 2458 PostOrRunCallback(
2448 FROM_HERE, 2459 FROM_HERE,
2449 base::Bind(&BoundNetLog::AddEvent, weak_net_log_, 2460 base::Bind(&AddLogEvent, weak_net_log_,
2450 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, 2461 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
2451 make_scoped_refptr( 2462 make_scoped_refptr(
2452 new NetLogIntegerParameter("cert_count", 2463 new NetLogIntegerParameter("cert_count",
2453 cert_count)))); 2464 cert_count))));
2454 return rv; 2465 return rv;
2455 } 2466 }
2456 2467
2457 int SSLClientSocketNSS::Core::ImportDBCertAndKey(CERTCertificate** cert, 2468 int SSLClientSocketNSS::Core::ImportDBCertAndKey(CERTCertificate** cert,
2458 SECKEYPrivateKey** key) { 2469 SECKEYPrivateKey** key) {
2459 // Set the certificate. 2470 // Set the certificate.
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after
2499 return OK; 2510 return OK;
2500 } 2511 }
2501 2512
2502 void SSLClientSocketNSS::Core::UpdateServerCert() { 2513 void SSLClientSocketNSS::Core::UpdateServerCert() {
2503 nss_handshake_state_.server_cert_chain.Reset(nss_fd_); 2514 nss_handshake_state_.server_cert_chain.Reset(nss_fd_);
2504 nss_handshake_state_.server_cert = X509Certificate::CreateFromDERCertChain( 2515 nss_handshake_state_.server_cert = X509Certificate::CreateFromDERCertChain(
2505 nss_handshake_state_.server_cert_chain.AsStringPieceVector()); 2516 nss_handshake_state_.server_cert_chain.AsStringPieceVector());
2506 if (nss_handshake_state_.server_cert) { 2517 if (nss_handshake_state_.server_cert) {
2507 PostOrRunCallback( 2518 PostOrRunCallback(
2508 FROM_HERE, 2519 FROM_HERE,
2509 base::Bind(&BoundNetLog::AddEvent, weak_net_log_, 2520 base::Bind(&AddLogEvent, weak_net_log_,
2510 NetLog::TYPE_SSL_CERTIFICATES_RECEIVED, 2521 NetLog::TYPE_SSL_CERTIFICATES_RECEIVED,
2511 make_scoped_refptr( 2522 make_scoped_refptr(
2512 new X509CertificateNetLogParam( 2523 new X509CertificateNetLogParam(
2513 nss_handshake_state_.server_cert)))); 2524 nss_handshake_state_.server_cert))));
2514 } 2525 }
2515 } 2526 }
2516 2527
2517 void SSLClientSocketNSS::Core::UpdateConnectionStatus() { 2528 void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
2518 SSLChannelInfo channel_info; 2529 SSLChannelInfo channel_info;
2519 SECStatus ok = SSL_GetChannelInfo(nss_fd_, 2530 SECStatus ok = SSL_GetChannelInfo(nss_fd_,
(...skipping 1150 matching lines...) Expand 10 before | Expand all | Expand 10 after
3670 EnsureThreadIdAssigned(); 3681 EnsureThreadIdAssigned();
3671 base::AutoLock auto_lock(lock_); 3682 base::AutoLock auto_lock(lock_);
3672 return valid_thread_id_ == base::PlatformThread::CurrentId(); 3683 return valid_thread_id_ == base::PlatformThread::CurrentId();
3673 } 3684 }
3674 3685
3675 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { 3686 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
3676 return server_bound_cert_service_; 3687 return server_bound_cert_service_;
3677 } 3688 }
3678 3689
3679 } // namespace net 3690 } // namespace net
OLDNEW
« no previous file with comments | « net/net.gyp ('k') | net/spdy/spdy_proxy_client_socket.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698