Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(128)

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 10910240: Enable TLS channeld id by default. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: split out the extraneous fixes to http://codereview.chromium.org/10909245/ Created 8 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/socket/ssl_client_socket_nss.h ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in 6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8 8
9 /* ***** BEGIN LICENSE BLOCK ***** 9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
(...skipping 912 matching lines...) Expand 10 before | Expand all | Expand 10 after
923 // task runner. 923 // task runner.
924 bool detached_; 924 bool detached_;
925 925
926 // The underlying transport to use for network IO. 926 // The underlying transport to use for network IO.
927 ClientSocketHandle* transport_; 927 ClientSocketHandle* transport_;
928 base::WeakPtrFactory<BoundNetLog> weak_net_log_factory_; 928 base::WeakPtrFactory<BoundNetLog> weak_net_log_factory_;
929 929
930 // The current handshake state. Mirrors |nss_handshake_state_|. 930 // The current handshake state. Mirrors |nss_handshake_state_|.
931 HandshakeState network_handshake_state_; 931 HandshakeState network_handshake_state_;
932 932
933 // The service for retrieving Channel ID keys. May be NULL.
933 ServerBoundCertService* server_bound_cert_service_; 934 ServerBoundCertService* server_bound_cert_service_;
934 ServerBoundCertService::RequestHandle domain_bound_cert_request_handle_; 935 ServerBoundCertService::RequestHandle domain_bound_cert_request_handle_;
935 936
936 //////////////////////////////////////////////////////////////////////////// 937 ////////////////////////////////////////////////////////////////////////////
937 // Members that are ONLY accessed on the NSS task runner: 938 // Members that are ONLY accessed on the NSS task runner:
938 //////////////////////////////////////////////////////////////////////////// 939 ////////////////////////////////////////////////////////////////////////////
939 HostPortPair host_and_port_; 940 HostPortPair host_and_port_;
940 SSLConfig ssl_config_; 941 SSLConfig ssl_config_;
941 942
942 // NSS SSL socket. 943 // NSS SSL socket.
(...skipping 130 matching lines...) Expand 10 before | Expand all | Expand 10 after
1073 #else 1074 #else
1074 rv = SSL_GetClientAuthDataHook( 1075 rv = SSL_GetClientAuthDataHook(
1075 nss_fd_, SSLClientSocketNSS::Core::ClientAuthHandler, this); 1076 nss_fd_, SSLClientSocketNSS::Core::ClientAuthHandler, this);
1076 #endif 1077 #endif
1077 if (rv != SECSuccess) { 1078 if (rv != SECSuccess) {
1078 LogFailedNSSFunction(*weak_net_log_, "SSL_GetClientAuthDataHook", ""); 1079 LogFailedNSSFunction(*weak_net_log_, "SSL_GetClientAuthDataHook", "");
1079 return false; 1080 return false;
1080 } 1081 }
1081 1082
1082 if (ssl_config_.channel_id_enabled) { 1083 if (ssl_config_.channel_id_enabled) {
1083 if (!crypto::ECPrivateKey::IsSupported()) { 1084 if (!server_bound_cert_service_) {
1085 DVLOG(1) << "NULL server_bound_cert_service_, not enabling channel ID.";
1086 } else if (!crypto::ECPrivateKey::IsSupported()) {
1084 DVLOG(1) << "Elliptic Curve not supported, not enabling channel ID."; 1087 DVLOG(1) << "Elliptic Curve not supported, not enabling channel ID.";
1085 } else if (!server_bound_cert_service_->IsSystemTimeValid()) { 1088 } else if (!server_bound_cert_service_->IsSystemTimeValid()) {
1086 DVLOG(1) << "System time is weird, not enabling channel ID."; 1089 DVLOG(1) << "System time is weird, not enabling channel ID.";
1087 } else { 1090 } else {
1088 rv = SSL_SetClientChannelIDCallback( 1091 rv = SSL_SetClientChannelIDCallback(
1089 nss_fd_, SSLClientSocketNSS::Core::ClientChannelIDHandler, this); 1092 nss_fd_, SSLClientSocketNSS::Core::ClientChannelIDHandler, this);
1090 if (rv != SECSuccess) 1093 if (rv != SECSuccess)
1091 LogFailedNSSFunction(*weak_net_log_, "SSL_SetClientChannelIDCallback", 1094 LogFailedNSSFunction(*weak_net_log_, "SSL_SetClientChannelIDCallback",
1092 ""); 1095 "");
1093 } 1096 }
(...skipping 1422 matching lines...) Expand 10 before | Expand all | Expand 10 after
2516 if (nss_handshake_state_.resumed_handshake) 2519 if (nss_handshake_state_.resumed_handshake)
2517 return; 2520 return;
2518 2521
2519 // Since this enum is used for a histogram, do not change or re-use values. 2522 // Since this enum is used for a histogram, do not change or re-use values.
2520 enum { 2523 enum {
2521 DISABLED = 0, 2524 DISABLED = 0,
2522 CLIENT_ONLY = 1, 2525 CLIENT_ONLY = 1,
2523 CLIENT_AND_SERVER = 2, 2526 CLIENT_AND_SERVER = 2,
2524 CLIENT_NO_ECC = 3, 2527 CLIENT_NO_ECC = 3,
2525 CLIENT_BAD_SYSTEM_TIME = 4, 2528 CLIENT_BAD_SYSTEM_TIME = 4,
2529 CLIENT_NO_SERVER_BOUND_CERT_SERVICE = 5,
2526 DOMAIN_BOUND_CERT_USAGE_MAX 2530 DOMAIN_BOUND_CERT_USAGE_MAX
2527 } supported = DISABLED; 2531 } supported = DISABLED;
2528 if (channel_id_xtn_negotiated_) { 2532 if (channel_id_xtn_negotiated_) {
2529 supported = CLIENT_AND_SERVER; 2533 supported = CLIENT_AND_SERVER;
2530 } else if (ssl_config_.channel_id_enabled) { 2534 } else if (ssl_config_.channel_id_enabled) {
2531 if (!crypto::ECPrivateKey::IsSupported()) 2535 if (!server_bound_cert_service_)
2536 supported = CLIENT_NO_SERVER_BOUND_CERT_SERVICE;
2537 else if (!crypto::ECPrivateKey::IsSupported())
2532 supported = CLIENT_NO_ECC; 2538 supported = CLIENT_NO_ECC;
2533 else if (!server_bound_cert_service_->IsSystemTimeValid()) 2539 else if (!server_bound_cert_service_->IsSystemTimeValid())
2534 supported = CLIENT_BAD_SYSTEM_TIME; 2540 supported = CLIENT_BAD_SYSTEM_TIME;
2535 else 2541 else
2536 supported = CLIENT_ONLY; 2542 supported = CLIENT_ONLY;
2537 } 2543 }
2538 UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.Support", supported, 2544 UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.Support", supported,
2539 DOMAIN_BOUND_CERT_USAGE_MAX); 2545 DOMAIN_BOUND_CERT_USAGE_MAX);
2540 } 2546 }
2541 2547
(...skipping 979 matching lines...) Expand 10 before | Expand all | Expand 10 after
3521 EnsureThreadIdAssigned(); 3527 EnsureThreadIdAssigned();
3522 base::AutoLock auto_lock(lock_); 3528 base::AutoLock auto_lock(lock_);
3523 return valid_thread_id_ == base::PlatformThread::CurrentId(); 3529 return valid_thread_id_ == base::PlatformThread::CurrentId();
3524 } 3530 }
3525 3531
3526 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { 3532 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
3527 return server_bound_cert_service_; 3533 return server_bound_cert_service_;
3528 } 3534 }
3529 3535
3530 } // namespace net 3536 } // namespace net
OLDNEW
« no previous file with comments | « net/socket/ssl_client_socket_nss.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698