Implement SSL certificate error handling on the Mac. If the user gives...

net/socket/ssl_client_socket_mac.cc

 // Copyright (c) 2008-2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_mac.h"
 
 #include "base/singleton.h"
 #include "base/string_util.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
@@ skipping 223 matching lines @@
     case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
     case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
     case TLS_DH_anon_WITH_AES_256_CBC_SHA:
       return 256;
 
     default:
       return -1;
   }
 }
 
+// Returns the server's certificate.  The caller must release a reference
+// to the return value when done.  Returns NULL on failure.
+X509Certificate* GetServerCert(SSLContextRef ssl_context) {
+  CFArrayRef certs;
+  OSStatus status = SSLCopyPeerCertificates(ssl_context, &certs);
+  if (status != noErr)
+    return NULL;
+
+  DCHECK_GT(CFArrayGetCount(certs), 0);
+
+  SecCertificateRef server_cert = static_cast<SecCertificateRef>(
+      const_cast<void*>(CFArrayGetValueAtIndex(certs, 0)));
+  CFRetain(server_cert);
+  CFRelease(certs);
+  return X509Certificate::CreateFromHandle(
+      server_cert, X509Certificate::SOURCE_FROM_NETWORK);
+}
+
 }  // namespace
 
 //-----------------------------------------------------------------------------
 
 SSLClientSocketMac::SSLClientSocketMac(ClientSocket* transport_socket,
                                        const std::string& hostname,
                                        const SSLConfig& ssl_config)
     : io_callback_(this, &SSLClientSocketMac::OnIOComplete),
       write_callback_(this, &SSLClientSocketMac::OnWriteComplete),
       transport_(transport_socket),
@@ skipping 44 matching lines @@
     return NetErrorFromOSStatus(status);
 
   status = SSLSetIOFuncs(ssl_context_, SSLReadCallback, SSLWriteCallback);
   if (status)
     return NetErrorFromOSStatus(status);
 
   status = SSLSetConnection(ssl_context_, this);
   if (status)
     return NetErrorFromOSStatus(status);
 
-  status = SSLSetPeerDomainName(ssl_context_, hostname_.c_str(),
-                                hostname_.length());
-  if (status)
-    return NetErrorFromOSStatus(status);
+  if (ssl_config_.allowed_bad_certs.empty()) {
+    // We're going to use the default certificate verification that the system
+    // does, and accept its answer for the cert status.
+    status = SSLSetPeerDomainName(ssl_context_, hostname_.data(),
+                                  hostname_.length());
+    if (status)
+      return NetErrorFromOSStatus(status);
+
+    // TODO(wtc): for now, always check revocation.
+    server_cert_status_ = CERT_STATUS_REV_CHECKING_ENABLED;
+  } else {
+    // Disable certificate chain validation.  We will only allow the certs in
+    // ssl_config_.allowed_bad_certs.
+    status = SSLSetEnableCertVerify(ssl_context_, false);
+    if (status)
+      return NetErrorFromOSStatus(status);
+  }
 
   next_state_ = STATE_HANDSHAKE;
   int rv = DoLoop(OK);
   if (rv == ERR_IO_PENDING)
     user_callback_ = callback;
   return rv;
 }
 
 void SSLClientSocketMac::Disconnect() {
   completed_handshake_ = false;
@@ skipping 65 matching lines @@
   } else {
     user_buf_ = NULL;
   }
   return rv;
 }
 
 void SSLClientSocketMac::GetSSLInfo(SSLInfo* ssl_info) {
   ssl_info->Reset();
 
   // set cert
-  CFArrayRef certs;
-  OSStatus status = SSLCopyPeerCertificates(ssl_context_, &certs);
-  if (!status) {
-    DCHECK(CFArrayGetCount(certs) > 0);
-
-    SecCertificateRef client_cert =
-        static_cast<SecCertificateRef>(
-          const_cast<void*>(CFArrayGetValueAtIndex(certs, 0)));
-    CFRetain(client_cert);
-    ssl_info->cert = X509Certificate::CreateFromHandle(
-        client_cert, X509Certificate::SOURCE_FROM_NETWORK);
-    CFRelease(certs);
-  }
+  ssl_info->cert = server_cert_;
 
   // update status
   ssl_info->cert_status = server_cert_status_;
 
   // security info
   SSLCipherSuite suite;
-  status = SSLGetNegotiatedCipher(ssl_context_, &suite);
+  OSStatus status = SSLGetNegotiatedCipher(ssl_context_, &suite);
   if (!status)
     ssl_info->security_bits = KeySizeOfCipherSuite(suite);
 }
 
 void SSLClientSocketMac::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
   // TODO(wtc): implement this.
 }
 
 void SSLClientSocketMac::DoCallback(int rv) {
@@ skipping 51 matching lines @@
         rv = ERR_UNEXPECTED;
         NOTREACHED() << "unexpected state";
         break;
     }
   } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE);
   return rv;
 }
 
 int SSLClientSocketMac::DoHandshake() {
   OSStatus status = SSLHandshake(ssl_context_);
-
-  if (status == errSSLWouldBlock)
-    next_state_ = STATE_HANDSHAKE;
-
-  if (status == noErr)
-    completed_handshake_ = true;
-
   int net_error = NetErrorFromOSStatus(status);
 
-  // At this point we have a connection. For now, we're going to use the default
-  // certificate verification that the system does, and accept its answer for
-  // the cert status. In the future, we'll need to call SSLSetEnableCertVerify
-  // to disable cert verification and do the verification ourselves. This allows
-  // very fine-grained control over what we'll accept for certification.
-  // TODO(avi): ditto
+  if (status == errSSLWouldBlock) {
+    next_state_ = STATE_HANDSHAKE;
+  } else if (status == noErr) {
+    completed_handshake_ = true;  // We have a connection.
 
-  // TODO(wtc): for now, always check revocation.
-  server_cert_status_ = CERT_STATUS_REV_CHECKING_ENABLED;
-  if (net_error)
+    server_cert_ = GetServerCert(ssl_context_);
+    DCHECK(server_cert_);
+    if (!ssl_config_.allowed_bad_certs.empty()) {
+      // Check server_cert_ because SecureTransport didn't verify it.
+      // TODO(wtc): If server_cert_ is not one of the allowed bad certificates,
+      // we should verify server_cert_ ourselves.  Since we don't know how to
+      // do that yet, treat it as an invalid certificate.
+      net_error = ERR_CERT_INVALID;
+      server_cert_status_ |= CERT_STATUS_INVALID;
+
+      for (size_t i = 0; i < ssl_config_.allowed_bad_certs.size(); ++i) {
+        if (server_cert_ == ssl_config_.allowed_bad_certs[i].cert) {
+          net_error = OK;
+          server_cert_status_ = ssl_config_.allowed_bad_certs[i].cert_status;
+          break;
+        }
+      }
+    }
+  } else if (IsCertStatusError(net_error)) {
+    server_cert_ = GetServerCert(ssl_context_);
+    DCHECK(server_cert_);
     server_cert_status_ |= MapNetErrorToCertStatus(net_error);
+  }
 
   return net_error;
 }
 
 int SSLClientSocketMac::DoReadComplete(int result) {
   if (result < 0) {
     read_io_buf_ = NULL;
     return result;
   }
 
@@ skipping 252 matching lines @@
 
   if (rv < 0 && rv != ERR_IO_PENDING) {
     return OSStatusFromNetError(rv);
   }
 
   // always lie to our caller
   return noErr;
 }
 
 }  // namespace net