1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
87 #include "net/base/io_buffer.h" | 87 #include "net/base/io_buffer.h" |
88 #include "net/base/net_errors.h" | 88 #include "net/base/net_errors.h" |
89 #include "net/base/net_log.h" | 89 #include "net/base/net_log.h" |
90 #include "net/base/ssl_cert_request_info.h" | 90 #include "net/base/ssl_cert_request_info.h" |
91 #include "net/base/ssl_connection_status_flags.h" | 91 #include "net/base/ssl_connection_status_flags.h" |
92 #include "net/base/ssl_info.h" | 92 #include "net/base/ssl_info.h" |
93 #include "net/base/sys_addrinfo.h" | 93 #include "net/base/sys_addrinfo.h" |
94 #include "net/ocsp/nss_ocsp.h" | 94 #include "net/ocsp/nss_ocsp.h" |
95 #include "net/socket/client_socket_handle.h" | 95 #include "net/socket/client_socket_handle.h" |
96 #include "net/socket/dns_cert_provenance_check.h" | 96 #include "net/socket/dns_cert_provenance_check.h" |
| 97 #include "net/socket/ssl_error_params.h" |
97 #include "net/socket/ssl_host_info.h" | 98 #include "net/socket/ssl_host_info.h" |
98 | 99 |
99 static const int kRecvBufferSize = 4096; | 100 static const int kRecvBufferSize = 4096; |
100 | 101 |
101 // kCorkTimeoutMs is the number of milliseconds for which we'll wait for a | 102 // kCorkTimeoutMs is the number of milliseconds for which we'll wait for a |
102 // Write to an SSL socket which we're False Starting. Since corking stops the | 103 // Write to an SSL socket which we're False Starting. Since corking stops the |
103 // Finished message from being sent, the server sees an incomplete handshake | 104 // Finished message from being sent, the server sees an incomplete handshake |
104 // and some will time out such sockets quite aggressively. | 105 // and some will time out such sockets quite aggressively. |
105 static const int kCorkTimeoutMs = 200; | 106 static const int kCorkTimeoutMs = 200; |
106 | 107 |
265 // The handshake may fail because some signature (for example, the | 266 // The handshake may fail because some signature (for example, the |
266 // signature in the ServerKeyExchange message for an ephemeral | 267 // signature in the ServerKeyExchange message for an ephemeral |
267 // Diffie-Hellman cipher suite) is invalid. | 268 // Diffie-Hellman cipher suite) is invalid. |
268 case SEC_ERROR_BAD_SIGNATURE: | 269 case SEC_ERROR_BAD_SIGNATURE: |
269 return ERR_SSL_PROTOCOL_ERROR; | 270 return ERR_SSL_PROTOCOL_ERROR; |
270 default: | 271 default: |
271 return MapNSPRError(err); | 272 return MapNSPRError(err); |
272 } | 273 } |
273 } | 274 } |
274 | 275 |
275 // Extra parameters to attach to the NetLog when we receive an SSL error. | |
276 class SSLErrorParams : public NetLog::EventParameters { | |
277 public: | |
278 // If |ssl_lib_error| is 0, it will be ignored. | |
279 SSLErrorParams(int net_error, PRErrorCode ssl_lib_error) | |
280 : net_error_(net_error), | |
281 ssl_lib_error_(ssl_lib_error) { | |
282 } | |
283 | |
284 virtual Value* ToValue() const { | |
285 DictionaryValue* dict = new DictionaryValue(); | |
286 dict->SetInteger("net_error", net_error_); | |
287 if (ssl_lib_error_) | |
288 dict->SetInteger("ssl_lib_error", ssl_lib_error_); | |
289 return dict; | |
290 } | |
291 | |
292 private: | |
293 const int net_error_; | |
294 const PRErrorCode ssl_lib_error_; | |
295 }; | |
296 | |
297 // Extra parameters to attach to the NetLog when we receive an error in response | 276 // Extra parameters to attach to the NetLog when we receive an error in response |
298 // to a call to an NSS function. Used instead of SSLErrorParams with | 277 // to a call to an NSS function. Used instead of SSLErrorParams with |
299 // events of type TYPE_SSL_NSS_ERROR. Automatically looks up last PR error. | 278 // events of type TYPE_SSL_NSS_ERROR. Automatically looks up last PR error. |
300 class SSLFailedNSSFunctionParams : public NetLog::EventParameters { | 279 class SSLFailedNSSFunctionParams : public NetLog::EventParameters { |
301 public: | 280 public: |
302 // |param| is ignored if it has a length of 0. | 281 // |param| is ignored if it has a length of 0. |
303 SSLFailedNSSFunctionParams(const std::string& function, | 282 SSLFailedNSSFunctionParams(const std::string& function, |
304 const std::string& param) | 283 const std::string& param) |
305 : function_(function), param_(param), ssl_lib_error_(PR_GetError()) { | 284 : function_(function), param_(param), ssl_lib_error_(PR_GetError()) { |
306 } | 285 } |
722 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_SSL3"); | 701 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_SSL3"); |
723 return ERR_UNEXPECTED; | 702 return ERR_UNEXPECTED; |
724 } | 703 } |
725 | 704 |
726 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_TLS, ssl_config_.tls1_enabled); | 705 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_TLS, ssl_config_.tls1_enabled); |
727 if (rv != SECSuccess) { | 706 if (rv != SECSuccess) { |
728 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_TLS"); | 707 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_TLS"); |
729 return ERR_UNEXPECTED; | 708 return ERR_UNEXPECTED; |
730 } | 709 } |
731 | 710 |
| 711 for (std::vector<uint16>::const_iterator it = |
| 712 ssl_config_.disabled_cipher_suites.begin(); |
| 713 it != ssl_config_.disabled_cipher_suites.end(); ++it) { |
| 714 // This will fail if the specified cipher is not implemented by NSS, but |
| 715 // the failure is harmless. |
| 716 SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE); |
| 717 } |
| 718 |
732 #ifdef SSL_ENABLE_SESSION_TICKETS | 719 #ifdef SSL_ENABLE_SESSION_TICKETS |
733 // Support RFC 5077 | 720 // Support RFC 5077 |
734 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE); | 721 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE); |
735 if (rv != SECSuccess) { | 722 if (rv != SECSuccess) { |
736 LogFailedNSSFunction( | 723 LogFailedNSSFunction( |
737 net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS"); | 724 net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS"); |
738 } | 725 } |
739 #else | 726 #else |
740 #error "You need to install NSS-3.12 or later to build chromium" | 727 #error "You need to install NSS-3.12 or later to build chromium" |
741 #endif | 728 #endif |
2576 case SSL_CONNECTION_VERSION_TLS1_1: | 2563 case SSL_CONNECTION_VERSION_TLS1_1: |
2577 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); | 2564 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); |
2578 break; | 2565 break; |
2579 case SSL_CONNECTION_VERSION_TLS1_2: | 2566 case SSL_CONNECTION_VERSION_TLS1_2: |
2580 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); | 2567 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); |
2581 break; | 2568 break; |
2582 }; | 2569 }; |
2583 } | 2570 } |
2584 | 2571 |
2585 } // namespace net | 2572 } // namespace net |
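Review bot: The new cipher-suite loop (L88–L94) discards the return value of SSL_CipherPrefSet, so a suite that NSS fails to disable for any reason other than "not implemented by NSS" is neither logged nor surfaced, and the socket stays willing to negotiate a suite the SSLConfig asked to forbid. The comment only argues the unimplemented case is harmless, while every other NSS call in this function reports failure through LogFailedNSSFunction, so the loop body should at least do the same: `if (SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE) != SECSuccess)` / `LogFailedNSSFunction(net_log_, "SSL_CipherPrefSet", "");` (an empty param is ignored, per the SSLFailedNSSFunctionParams comment at L72). Whether to go further and return ERR_UNEXPECTED, as the SSL_OptionSet calls above do, depends on whether a caller's disabled list may legitimately name suites this NSS build lacks, which the hunk does not show. The enclosing function starts and ends outside the hunk.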