| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| 87 #include "net/base/io_buffer.h" | 87 #include "net/base/io_buffer.h" |
| 88 #include "net/base/net_errors.h" | 88 #include "net/base/net_errors.h" |
| 89 #include "net/base/net_log.h" | 89 #include "net/base/net_log.h" |
| 90 #include "net/base/ssl_cert_request_info.h" | 90 #include "net/base/ssl_cert_request_info.h" |
| 91 #include "net/base/ssl_connection_status_flags.h" | 91 #include "net/base/ssl_connection_status_flags.h" |
| 92 #include "net/base/ssl_info.h" | 92 #include "net/base/ssl_info.h" |
| 93 #include "net/base/sys_addrinfo.h" | 93 #include "net/base/sys_addrinfo.h" |
| 94 #include "net/ocsp/nss_ocsp.h" | 94 #include "net/ocsp/nss_ocsp.h" |
| 95 #include "net/socket/client_socket_handle.h" | 95 #include "net/socket/client_socket_handle.h" |
| 96 #include "net/socket/dns_cert_provenance_check.h" | 96 #include "net/socket/dns_cert_provenance_check.h" |
| 97 #include "net/socket/ssl_error_params.h" |
| 97 #include "net/socket/ssl_host_info.h" | 98 #include "net/socket/ssl_host_info.h" |
| 98 | 99 |
| 99 static const int kRecvBufferSize = 4096; | 100 static const int kRecvBufferSize = 4096; |
| 100 | 101 |
| 101 // kCorkTimeoutMs is the number of milliseconds for which we'll wait for a | 102 // kCorkTimeoutMs is the number of milliseconds for which we'll wait for a |
| 102 // Write to an SSL socket which we're False Starting. Since corking stops the | 103 // Write to an SSL socket which we're False Starting. Since corking stops the |
| 103 // Finished message from being sent, the server sees an incomplete handshake | 104 // Finished message from being sent, the server sees an incomplete handshake |
| 104 // and some will time out such sockets quite aggressively. | 105 // and some will time out such sockets quite aggressively. |
| 105 static const int kCorkTimeoutMs = 200; | 106 static const int kCorkTimeoutMs = 200; |
| 106 | 107 |
| 265 // The handshake may fail because some signature (for example, the | 266 // The handshake may fail because some signature (for example, the |
| 266 // signature in the ServerKeyExchange message for an ephemeral | 267 // signature in the ServerKeyExchange message for an ephemeral |
| 267 // Diffie-Hellman cipher suite) is invalid. | 268 // Diffie-Hellman cipher suite) is invalid. |
| 268 case SEC_ERROR_BAD_SIGNATURE: | 269 case SEC_ERROR_BAD_SIGNATURE: |
| 269 return ERR_SSL_PROTOCOL_ERROR; | 270 return ERR_SSL_PROTOCOL_ERROR; |
| 270 default: | 271 default: |
| 271 return MapNSPRError(err); | 272 return MapNSPRError(err); |
| 272 } | 273 } |
| 273 } | 274 } |
| 274 | 275 |
| 275 // Extra parameters to attach to the NetLog when we receive an SSL error. | |
| 276 class SSLErrorParams : public NetLog::EventParameters { | |
| 277 public: | |
| 278 // If |ssl_lib_error| is 0, it will be ignored. | |
| 279 SSLErrorParams(int net_error, PRErrorCode ssl_lib_error) | |
| 280 : net_error_(net_error), | |
| 281 ssl_lib_error_(ssl_lib_error) { | |
| 282 } | |
| 283 | |
| 284 virtual Value* ToValue() const { | |
| 285 DictionaryValue* dict = new DictionaryValue(); | |
| 286 dict->SetInteger("net_error", net_error_); | |
| 287 if (ssl_lib_error_) | |
| 288 dict->SetInteger("ssl_lib_error", ssl_lib_error_); | |
| 289 return dict; | |
| 290 } | |
| 291 | |
| 292 private: | |
| 293 const int net_error_; | |
| 294 const PRErrorCode ssl_lib_error_; | |
| 295 }; | |
| 296 | |
| 297 // Extra parameters to attach to the NetLog when we receive an error in response | 276 // Extra parameters to attach to the NetLog when we receive an error in response |
| 298 // to a call to an NSS function. Used instead of SSLErrorParams with | 277 // to a call to an NSS function. Used instead of SSLErrorParams with |
| 299 // events of type TYPE_SSL_NSS_ERROR. Automatically looks up last PR error. | 278 // events of type TYPE_SSL_NSS_ERROR. Automatically looks up last PR error. |
| 300 class SSLFailedNSSFunctionParams : public NetLog::EventParameters { | 279 class SSLFailedNSSFunctionParams : public NetLog::EventParameters { |
| 301 public: | 280 public: |
| 302 // |param| is ignored if it has a length of 0. | 281 // |param| is ignored if it has a length of 0. |
| 303 SSLFailedNSSFunctionParams(const std::string& function, | 282 SSLFailedNSSFunctionParams(const std::string& function, |
| 304 const std::string& param) | 283 const std::string& param) |
| 305 : function_(function), param_(param), ssl_lib_error_(PR_GetError()) { | 284 : function_(function), param_(param), ssl_lib_error_(PR_GetError()) { |
| 306 } | 285 } |
| 722 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_SSL3"); | 701 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_SSL3"); |
| 723 return ERR_UNEXPECTED; | 702 return ERR_UNEXPECTED; |
| 724 } | 703 } |
| 725 | 704 |
| 726 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_TLS, ssl_config_.tls1_enabled); | 705 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_TLS, ssl_config_.tls1_enabled); |
| 727 if (rv != SECSuccess) { | 706 if (rv != SECSuccess) { |
| 728 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_TLS"); | 707 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_TLS"); |
| 729 return ERR_UNEXPECTED; | 708 return ERR_UNEXPECTED; |
| 730 } | 709 } |
| 731 | 710 |
| 711 for (std::vector<uint16>::const_iterator it = |
| 712 ssl_config_.disabled_cipher_suites.begin(); |
| 713 it != ssl_config_.disabled_cipher_suites.end(); ++it) { |
| 714 // This will fail if the specified cipher is not implemented by NSS, but |
| 715 // the failure is harmless. |
| 716 SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE); |
| 717 } |
| 718 |
| 732 #ifdef SSL_ENABLE_SESSION_TICKETS | 719 #ifdef SSL_ENABLE_SESSION_TICKETS |
| 733 // Support RFC 5077 | 720 // Support RFC 5077 |
| 734 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE); | 721 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE); |
| 735 if (rv != SECSuccess) { | 722 if (rv != SECSuccess) { |
| 736 LogFailedNSSFunction( | 723 LogFailedNSSFunction( |
| 737 net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS"); | 724 net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS"); |
| 738 } | 725 } |
| 739 #else | 726 #else |
| 740 #error "You need to install NSS-3.12 or later to build chromium" | 727 #error "You need to install NSS-3.12 or later to build chromium" |
| 741 #endif | 728 #endif |
| 2576 case SSL_CONNECTION_VERSION_TLS1_1: | 2563 case SSL_CONNECTION_VERSION_TLS1_1: |
| 2577 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); | 2564 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); |
| 2578 break; | 2565 break; |
| 2579 case SSL_CONNECTION_VERSION_TLS1_2: | 2566 case SSL_CONNECTION_VERSION_TLS1_2: |
| 2580 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); | 2567 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); |
| 2581 break; | 2568 break; |
| 2582 }; | 2569 }; |
| 2583 } | 2570 } |
| 2584 | 2571 |
| 2585 } // namespace net | 2572 } // namespace net |
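Review bot: The return value of `SSL_CipherPrefSet` in the new `ssl_config_.disabled_cipher_suites` loop (new lines 711-717) is discarded, so a suite that the config asked to disable but that NSS left enabled would go unnoticed. The comment's "harmless" claim only covers the unimplemented-suite case; if the call can fail for any other reason, a failed disable silently weakens the negotiated cipher policy with nothing in the NetLog to show it. The surrounding `SSL_OptionSet` calls already record failures through `LogFailedNSSFunction`, and the loop body could do the same without changing control flow: `if (SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE) != SECSuccess)` / `LogFailedNSSFunction(net_log_, "SSL_CipherPrefSet", "");` (an empty param is ignored per SSLFailedNSSFunctionParams). The enclosing function starts and ends outside this hunk.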