net/socket/ssl_client_socket_mac.cc - Issue 1514004: Mac SSL fix: Go back to not enabling break-on-auth when we have a client cert to send.

Side by Side Diff: net/socket/ssl_client_socket_mac.cc

Issue 1514004: Mac SSL fix: Go back to not enabling break-on-auth when we have a client cert to send. (Closed)

Patch Set: Set cert up-front as well as on demand. Created 10 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright (c) 2008-2009 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2008-2009 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/socket/ssl_client_socket_mac.h"	5 #include "net/socket/ssl_client_socket_mac.h"

6	6

7 #include <CoreServices/CoreServices.h>	7 #include <CoreServices/CoreServices.h>

8 #include <netdb.h>	8 #include <netdb.h>

9 #include <sys/socket.h>	9 #include <sys/socket.h>

10 #include <sys/types.h>	10 #include <sys/types.h>

(...skipping 756 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
767 hostname_.length());	767 hostname_.length());

768 if (status)	768 if (status)

769 return NetErrorFromOSStatus(status);	769 return NetErrorFromOSStatus(status);

770	770

771 // Disable certificate verification within Secure Transport; we'll	771 // Disable certificate verification within Secure Transport; we'll

772 // be handling that ourselves.	772 // be handling that ourselves.

773 status = SSLSetEnableCertVerify(ssl_context_, false);	773 status = SSLSetEnableCertVerify(ssl_context_, false);

774 if (status)	774 if (status)

775 return NetErrorFromOSStatus(status);	775 return NetErrorFromOSStatus(status);

776	776

777 // If break-on-auth is not available, we do not enable session	777 if (ssl_config_.send_client_cert) {

778 // resumption, because in that case we are verifying the server's certificate	778 // Provide the client cert up-front if we have one, even though we'll get

779 // after the handshake completes (but before any application data is	779 // notified later when the server requests it, and set it again; this is

780 // exchanged). If we were to enable session resumption in this situation,	780 // seemingly redundant but works around a problem with SecureTransport

781 // the session would be cached before we verified the certificate, leaving	781 // and provides correct behavior on both 10.5 and 10.6:

782 // the potential for a session in which the certificate failed to validate	782 // http://lists.apple.com/archives/apple-cdsa/2010/Feb/msg00058.html

783 // to still be able to be resumed.	783 // http://code.google.com/p/chromium/issues/detail?id=38905

	784 SSL_LOG << "Setting client cert in advance because send_client_cert is set";

	785 status = SetClientCert();
	wtc 2010/03/30 19:17:52 The other two SetClientCert() calls are now redund The other two SetClientCert() calls are now redundant and should be removed.
	786 if (status)

	787 return NetErrorFromOSStatus(status);

	788 }

	789

784 status = EnableBreakOnAuth(true);	790 status = EnableBreakOnAuth(true);

785 if (status == noErr) {	791 if (status == noErr) {

	792 // Only enable session resumption if break-on-auth is available,
	wtc 2010/03/30 19:17:52 You changed the sense of this sentence (from "is n You changed the sense of this sentence (from "is not available" to "is available", so the following words in subsequent sentences need to be changed as well: with break-on-auth => without break-on-auth in this situation => when break-on-auth is not available Alternatively, change back to the original comment.
	793 // because with break-on-auth we are verifying the server's certificate

	794 // after the handshake completes (but before any application data is

	795 // exchanged). If we were to enable session resumption in this situation,

	796 // the session would be cached before we verified the certificate, leaving

	797 // the potential for a session in which the certificate failed to validate

	798 // to still be able to be resumed.

	799

786 // Concatenate the hostname and peer address to use as the peer ID. To	800 // Concatenate the hostname and peer address to use as the peer ID. To

787 // resume a session, we must connect to the same server on the same port	801 // resume a session, we must connect to the same server on the same port

788 // using the same hostname (i.e., localhost and 127.0.0.1 are considered	802 // using the same hostname (i.e., localhost and 127.0.0.1 are considered

789 // different peers, which puts us through certificate validation again	803 // different peers, which puts us through certificate validation again

790 // and catches hostname/certificate name mismatches.	804 // and catches hostname/certificate name mismatches.

791 AddressList address;	805 AddressList address;

792 int rv = transport_->GetPeerAddress(&address);	806 int rv = transport_->GetPeerAddress(&address);

793 if (rv != OK)	807 if (rv != OK)

794 return rv;	808 return rv;

795 const struct addrinfo* ai = address.head();	809 const struct addrinfo* ai = address.head();

(...skipping 463 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1259 if (rv < 0 && rv != ERR_IO_PENDING) {	1273 if (rv < 0 && rv != ERR_IO_PENDING) {

1260 us->write_io_buf_ = NULL;	1274 us->write_io_buf_ = NULL;

1261 return OSStatusFromNetError(rv);	1275 return OSStatusFromNetError(rv);

1262 }	1276 }

1263	1277

1264 // always lie to our caller	1278 // always lie to our caller

1265 return noErr;	1279 return noErr;

1266 }	1280 }

1267	1281

1268 } // namespace net	1282 } // namespace net

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »