| OLD | NEW |
|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| (...skipping 380 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 391 | 391 |
| 392 } // namespace | 392 } // namespace |
| 393 | 393 |
| 394 #if defined(OS_WIN) | 394 #if defined(OS_WIN) |
| 395 // static | 395 // static |
| 396 HCERTSTORE SSLClientSocketNSS::cert_store_ = NULL; | 396 HCERTSTORE SSLClientSocketNSS::cert_store_ = NULL; |
| 397 #endif | 397 #endif |
| 398 | 398 |
| 399 SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, | 399 SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, |
| 400 const std::string& hostname, | 400 const std::string& hostname, |
| 401 const SSLConfig& ssl_config) | 401 const SSLConfig& ssl_config, |
| 402 SSLHostInfo* ssl_host_info) |
| 402 : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_( | 403 : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_( |
| 403 this, &SSLClientSocketNSS::BufferSendComplete)), | 404 this, &SSLClientSocketNSS::BufferSendComplete)), |
| 404 ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_( | 405 ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_( |
| 405 this, &SSLClientSocketNSS::BufferRecvComplete)), | 406 this, &SSLClientSocketNSS::BufferRecvComplete)), |
| 406 transport_send_busy_(false), | 407 transport_send_busy_(false), |
| 407 transport_recv_busy_(false), | 408 transport_recv_busy_(false), |
| 408 corked_(false), | 409 corked_(false), |
| 409 ALLOW_THIS_IN_INITIALIZER_LIST(handshake_io_callback_( | 410 ALLOW_THIS_IN_INITIALIZER_LIST(handshake_io_callback_( |
| 410 this, &SSLClientSocketNSS::OnHandshakeIOComplete)), | 411 this, &SSLClientSocketNSS::OnHandshakeIOComplete)), |
| 411 transport_(transport_socket), | 412 transport_(transport_socket), |
| (...skipping 10 matching lines...) Expand all Loading... |
| 422 completed_handshake_(false), | 423 completed_handshake_(false), |
| 423 pseudo_connected_(false), | 424 pseudo_connected_(false), |
| 424 eset_mitm_detected_(false), | 425 eset_mitm_detected_(false), |
| 425 netnanny_mitm_detected_(false), | 426 netnanny_mitm_detected_(false), |
| 426 dnssec_provider_(NULL), | 427 dnssec_provider_(NULL), |
| 427 next_handshake_state_(STATE_NONE), | 428 next_handshake_state_(STATE_NONE), |
| 428 nss_fd_(NULL), | 429 nss_fd_(NULL), |
| 429 nss_bufs_(NULL), | 430 nss_bufs_(NULL), |
| 430 net_log_(transport_socket->socket()->NetLog()), | 431 net_log_(transport_socket->socket()->NetLog()), |
| 431 predicted_npn_status_(kNextProtoUnsupported), | 432 predicted_npn_status_(kNextProtoUnsupported), |
| 432 predicted_npn_proto_used_(false) { | 433 predicted_npn_proto_used_(false), |
| 434 ssl_host_info_(ssl_host_info) { |
| 433 EnterFunction(""); | 435 EnterFunction(""); |
| 434 } | 436 } |
| 435 | 437 |
| 436 SSLClientSocketNSS::~SSLClientSocketNSS() { | 438 SSLClientSocketNSS::~SSLClientSocketNSS() { |
| 437 EnterFunction(""); | 439 EnterFunction(""); |
| 438 Disconnect(); | 440 Disconnect(); |
| 439 LeaveFunction(""); | 441 LeaveFunction(""); |
| 440 } | 442 } |
| 441 | 443 |
| 442 int SSLClientSocketNSS::Init() { | 444 int SSLClientSocketNSS::Init() { |
| (...skipping 15 matching lines...) Expand all Loading... |
| 458 } | 460 } |
| 459 | 461 |
| 460 // This is a version number of the Snap Start information saved by | 462 // This is a version number of the Snap Start information saved by |
| 461 // |SaveSnapStartInfo| and loaded by |LoadSnapStartInfo|. Since the information | 463 // |SaveSnapStartInfo| and loaded by |LoadSnapStartInfo|. Since the information |
| 462 // can be saved on disk we might have version skew in the future. Any data with | 464 // can be saved on disk we might have version skew in the future. Any data with |
| 463 // a different version is ignored by |LoadSnapStartInfo|. | 465 // a different version is ignored by |LoadSnapStartInfo|. |
| 464 static const uint8 kSnapStartInfoVersion = 0; | 466 static const uint8 kSnapStartInfoVersion = 0; |
| 465 | 467 |
| 466 // SaveSnapStartInfo serialises the information needed to perform a Snap Start | 468 // SaveSnapStartInfo serialises the information needed to perform a Snap Start |
| 467 // with this server in the future (if any) and tells | 469 // with this server in the future (if any) and tells |
| 468 // |ssl_config_.ssl_host_info| to preserve it. | 470 // |ssl_host_info_| to preserve it. |
| 469 void SSLClientSocketNSS::SaveSnapStartInfo() { | 471 void SSLClientSocketNSS::SaveSnapStartInfo() { |
| 470 if (!ssl_config_.ssl_host_info.get()) | 472 if (!ssl_host_info_.get()) |
| 471 return; | 473 return; |
| 472 | 474 |
| 473 SECStatus rv; | 475 SECStatus rv; |
| 474 SSLSnapStartResult snap_start_type; | 476 SSLSnapStartResult snap_start_type; |
| 475 rv = SSL_GetSnapStartResult(nss_fd_, &snap_start_type); | 477 rv = SSL_GetSnapStartResult(nss_fd_, &snap_start_type); |
| 476 if (rv != SECSuccess) { | 478 if (rv != SECSuccess) { |
| 477 NOTREACHED(); | 479 NOTREACHED(); |
| 478 return; | 480 return; |
| 479 } | 481 } |
| 480 LOG(ERROR) << "Snap Start: " << snap_start_type << " " << hostname_; | 482 LOG(ERROR) << "Snap Start: " << snap_start_type << " " << hostname_; |
| (...skipping 102 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 583 node = CERT_LIST_NEXT(node), i++) { | 585 node = CERT_LIST_NEXT(node), i++) { |
| 584 data[j++] = node->cert->derCert.len >> 8; | 586 data[j++] = node->cert->derCert.len >> 8; |
| 585 data[j++] = node->cert->derCert.len; | 587 data[j++] = node->cert->derCert.len; |
| 586 memcpy(&data[j], node->cert->derCert.data, node->cert->derCert.len); | 588 memcpy(&data[j], node->cert->derCert.data, node->cert->derCert.len); |
| 587 j += node->cert->derCert.len; | 589 j += node->cert->derCert.len; |
| 588 } | 590 } |
| 589 | 591 |
| 590 DCHECK_EQ(j, len); | 592 DCHECK_EQ(j, len); |
| 591 | 593 |
| 592 LOG(ERROR) << "Setting Snap Start info " << hostname_ << " " << len; | 594 LOG(ERROR) << "Setting Snap Start info " << hostname_ << " " << len; |
| 593 ssl_config_.ssl_host_info->Set(std::string( | 595 ssl_host_info_->Set(std::string( |
| 594 reinterpret_cast<const char *>(&data[0]), len)); | 596 reinterpret_cast<const char *>(&data[0]), len)); |
| 595 | 597 |
| 596 CERT_DestroyCertList(cert_list); | 598 CERT_DestroyCertList(cert_list); |
| 597 } | 599 } |
| 598 | 600 |
| 599 static void DestroyCertificates(CERTCertificate** certs, unsigned len) { | 601 static void DestroyCertificates(CERTCertificate** certs, unsigned len) { |
| 600 for (unsigned i = 0; i < len; i++) | 602 for (unsigned i = 0; i < len; i++) |
| 601 CERT_DestroyCertificate(certs[i]); | 603 CERT_DestroyCertificate(certs[i]); |
| 602 } | 604 } |
| 603 | 605 |
| (...skipping 123 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 727 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, NULL); | 729 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, NULL); |
| 728 return rv; | 730 return rv; |
| 729 } | 731 } |
| 730 | 732 |
| 731 rv = InitializeSSLOptions(); | 733 rv = InitializeSSLOptions(); |
| 732 if (rv != OK) { | 734 if (rv != OK) { |
| 733 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, NULL); | 735 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, NULL); |
| 734 return rv; | 736 return rv; |
| 735 } | 737 } |
| 736 | 738 |
| 737 if (ssl_config_.snap_start_enabled && ssl_config_.ssl_host_info.get()) { | 739 if (ssl_config_.snap_start_enabled && ssl_host_info_.get()) { |
| 738 GotoState(STATE_SNAP_START_LOAD_INFO); | 740 GotoState(STATE_SNAP_START_LOAD_INFO); |
| 739 } else { | 741 } else { |
| 740 GotoState(STATE_HANDSHAKE); | 742 GotoState(STATE_HANDSHAKE); |
| 741 } | 743 } |
| 742 | 744 |
| 743 rv = DoHandshakeLoop(OK); | 745 rv = DoHandshakeLoop(OK); |
| 744 if (rv == ERR_IO_PENDING) { | 746 if (rv == ERR_IO_PENDING) { |
| 745 if (pseudo_connected_) { | 747 if (pseudo_connected_) { |
| 746 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, NULL); | 748 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, NULL); |
| 747 rv = OK; | 749 rv = OK; |
| (...skipping 1212 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1960 | 1962 |
| 1961 that->handshake_callback_called_ = true; | 1963 that->handshake_callback_called_ = true; |
| 1962 | 1964 |
| 1963 that->UpdateServerCert(); | 1965 that->UpdateServerCert(); |
| 1964 | 1966 |
| 1965 that->CheckSecureRenegotiation(); | 1967 that->CheckSecureRenegotiation(); |
| 1966 } | 1968 } |
| 1967 | 1969 |
| 1968 int SSLClientSocketNSS::DoSnapStartLoadInfo() { | 1970 int SSLClientSocketNSS::DoSnapStartLoadInfo() { |
| 1969 EnterFunction(""); | 1971 EnterFunction(""); |
| 1970 int rv = ssl_config_.ssl_host_info->WaitForDataReady(&handshake_io_callback_); | 1972 int rv = ssl_host_info_->WaitForDataReady(&handshake_io_callback_); |
| 1971 | 1973 |
| 1972 if (rv == OK) { | 1974 if (rv == OK) { |
| 1973 LOG(ERROR) << "SSL host info size " << hostname_ << " " | 1975 LOG(ERROR) << "SSL host info size " << hostname_ << " " |
| 1974 << ssl_config_.ssl_host_info->data().size(); | 1976 << ssl_host_info_->data().size(); |
| 1975 if (LoadSnapStartInfo(ssl_config_.ssl_host_info->data())) { | 1977 if (LoadSnapStartInfo(ssl_host_info_->data())) { |
| 1976 pseudo_connected_ = true; | 1978 pseudo_connected_ = true; |
| 1977 GotoState(STATE_SNAP_START_WAIT_FOR_WRITE); | 1979 GotoState(STATE_SNAP_START_WAIT_FOR_WRITE); |
| 1978 if (user_connect_callback_) | 1980 if (user_connect_callback_) |
| 1979 DoConnectCallback(OK); | 1981 DoConnectCallback(OK); |
| 1980 } else { | 1982 } else { |
| 1981 GotoState(STATE_HANDSHAKE); | 1983 GotoState(STATE_HANDSHAKE); |
| 1982 } | 1984 } |
| 1983 } else { | 1985 } else { |
| 1984 DCHECK_EQ(ERR_IO_PENDING, rv); | 1986 DCHECK_EQ(ERR_IO_PENDING, rv); |
| 1985 GotoState(STATE_SNAP_START_LOAD_INFO); | 1987 GotoState(STATE_SNAP_START_LOAD_INFO); |
| (...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2045 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); | 2047 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); |
| 2046 } | 2048 } |
| 2047 } else if (rv == SECSuccess) { | 2049 } else if (rv == SECSuccess) { |
| 2048 if (handshake_callback_called_) { | 2050 if (handshake_callback_called_) { |
| 2049 if (eset_mitm_detected_) { | 2051 if (eset_mitm_detected_) { |
| 2050 net_error = ERR_ESET_ANTI_VIRUS_SSL_INTERCEPTION; | 2052 net_error = ERR_ESET_ANTI_VIRUS_SSL_INTERCEPTION; |
| 2051 } else if (netnanny_mitm_detected_) { | 2053 } else if (netnanny_mitm_detected_) { |
| 2052 net_error = ERR_NETNANNY_SSL_INTERCEPTION; | 2054 net_error = ERR_NETNANNY_SSL_INTERCEPTION; |
| 2053 } else { | 2055 } else { |
| 2054 SaveSnapStartInfo(); | 2056 SaveSnapStartInfo(); |
| 2055 // SSL handshake is completed. It's possible that we mispredicted the NP
N | 2057 // SSL handshake is completed. It's possible that we mispredicted the |
| 2056 // agreed protocol. In this case, we've just sent a request in the wrong | 2058 // NPN agreed protocol. In this case, we've just sent a request in the |
| 2057 // protocol! The higher levels of this network stack aren't prepared for | 2059 // wrong protocol! The higher levels of this network stack aren't |
| 2058 // switching the protocol like that so we make up an error and rely on | 2060 // prepared for switching the protocol like that so we make up an error |
| 2059 // the fact that the request will be retried. | 2061 // and rely on the fact that the request will be retried. |
| 2060 if (IsNPNProtocolMispredicted()) { | 2062 if (IsNPNProtocolMispredicted()) { |
| 2061 LOG(WARNING) << "Mispredicted NPN protocol for " << hostname_; | 2063 LOG(WARNING) << "Mispredicted NPN protocol for " << hostname_; |
| 2062 net_error = ERR_SSL_SNAP_START_NPN_MISPREDICTION; | 2064 net_error = ERR_SSL_SNAP_START_NPN_MISPREDICTION; |
| 2063 } else { | 2065 } else { |
| 2064 // Let's verify the certificate. | 2066 // Let's verify the certificate. |
| 2065 GotoState(STATE_VERIFY_DNSSEC); | 2067 GotoState(STATE_VERIFY_DNSSEC); |
| 2066 } | 2068 } |
| 2067 } | 2069 } |
| 2068 // Done! | 2070 // Done! |
| 2069 } else { | 2071 } else { |
| (...skipping 374 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2444 return ERR_IO_PENDING; | 2446 return ERR_IO_PENDING; |
| 2445 } | 2447 } |
| 2446 LeaveFunction(""); | 2448 LeaveFunction(""); |
| 2447 rv = MapNSPRError(prerr); | 2449 rv = MapNSPRError(prerr); |
| 2448 net_log_.AddEvent(NetLog::TYPE_SSL_WRITE_ERROR, | 2450 net_log_.AddEvent(NetLog::TYPE_SSL_WRITE_ERROR, |
| 2449 new SSLErrorParams(rv, prerr)); | 2451 new SSLErrorParams(rv, prerr)); |
| 2450 return rv; | 2452 return rv; |
| 2451 } | 2453 } |
| 2452 | 2454 |
| 2453 } // namespace net | 2455 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 3747003:
net: clean up SSLHostInfo construction. (Closed)
