Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 4211006: A follow-up of r64178.... (Closed) Base URL: svn://chrome-svn/chrome/trunk/src/
Patch Set: Upload before checkin Created 10 years, 1 month ago
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in 6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8 8
9 /* ***** BEGIN LICENSE BLOCK ***** 9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
(...skipping 348 matching lines...) Expand 10 before | Expand all | Expand 10 after
359 } 359 }
360 360
361 #endif 361 #endif
362 362
363 // PeerCertificateChain is a helper object which extracts the certificate 363 // PeerCertificateChain is a helper object which extracts the certificate
364 // chain, as given by the server, from an NSS socket and performs the needed 364 // chain, as given by the server, from an NSS socket and performs the needed
365 // resource management. The first element of the chain is the leaf certificate 365 // resource management. The first element of the chain is the leaf certificate
366 // and the other elements are in the order given by the server. 366 // and the other elements are in the order given by the server.
367 class PeerCertificateChain { 367 class PeerCertificateChain {
368 public: 368 public:
369 PeerCertificateChain(PRFileDesc* nss_fd) 369 explicit PeerCertificateChain(PRFileDesc* nss_fd)
370 : num_certs_(0), 370 : num_certs_(0),
371 certs_(NULL) { 371 certs_(NULL) {
372 SECStatus rv = SSL_PeerCertificateChain(nss_fd, NULL, &num_certs_); 372 SECStatus rv = SSL_PeerCertificateChain(nss_fd, NULL, &num_certs_);
373 DCHECK_EQ(rv, SECSuccess); 373 DCHECK_EQ(rv, SECSuccess);
374 374
375 certs_ = new CERTCertificate*[num_certs_]; 375 certs_ = new CERTCertificate*[num_certs_];
376 const unsigned expected_num_certs = num_certs_; 376 const unsigned expected_num_certs = num_certs_;
377 rv = SSL_PeerCertificateChain(nss_fd, certs_, &num_certs_); 377 rv = SSL_PeerCertificateChain(nss_fd, certs_, &num_certs_);
378 DCHECK_EQ(rv, SECSuccess); 378 DCHECK_EQ(rv, SECSuccess);
379 DCHECK_EQ(num_certs_, expected_num_certs); 379 DCHECK_EQ(num_certs_, expected_num_certs);
(...skipping 718 matching lines...) Expand 10 before | Expand all | Expand 10 after
1098 ssl_connection_status_ |= 1098 ssl_connection_status_ |=
1099 (static_cast<int>(channel_info.cipherSuite) & 1099 (static_cast<int>(channel_info.cipherSuite) &
1100 SSL_CONNECTION_CIPHERSUITE_MASK) << 1100 SSL_CONNECTION_CIPHERSUITE_MASK) <<
1101 SSL_CONNECTION_CIPHERSUITE_SHIFT; 1101 SSL_CONNECTION_CIPHERSUITE_SHIFT;
1102 1102
1103 ssl_connection_status_ |= 1103 ssl_connection_status_ |=
1104 (static_cast<int>(channel_info.compressionMethod) & 1104 (static_cast<int>(channel_info.compressionMethod) &
1105 SSL_CONNECTION_COMPRESSION_MASK) << 1105 SSL_CONNECTION_COMPRESSION_MASK) <<
1106 SSL_CONNECTION_COMPRESSION_SHIFT; 1106 SSL_CONNECTION_COMPRESSION_SHIFT;
1107 1107
1108 // NSS 3.12.x doesn't have version macros for TLS 1.1 and 1.2 (because NSS
1109 // doesn't support them yet), so we use 0x0302 and 0x0303 directly.
1108 int version = SSL_CONNECTION_VERSION_UNKNOWN; 1110 int version = SSL_CONNECTION_VERSION_UNKNOWN;
1109 if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) { 1111 if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) {
1110 // All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL 1112 // All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL
1111 // version 2. 1113 // version 2.
1112 version = SSL_CONNECTION_VERSION_SSL2; 1114 version = SSL_CONNECTION_VERSION_SSL2;
1113 } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_0) { 1115 } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_0) {
1114 version = SSL_CONNECTION_VERSION_SSL3; 1116 version = SSL_CONNECTION_VERSION_SSL3;
1115 } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) { 1117 } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) {
1116 version = SSL_CONNECTION_VERSION_TLS1; 1118 version = SSL_CONNECTION_VERSION_TLS1;
1119 } else if (channel_info.protocolVersion == 0x0302) {
1120 version = SSL_CONNECTION_VERSION_TLS1_1;
1121 } else if (channel_info.protocolVersion == 0x0303) {
1122 version = SSL_CONNECTION_VERSION_TLS1_2;
1117 } 1123 }
1118 ssl_connection_status_ |= 1124 ssl_connection_status_ |=
1119 (version & SSL_CONNECTION_VERSION_MASK) << 1125 (version & SSL_CONNECTION_VERSION_MASK) <<
1120 SSL_CONNECTION_VERSION_SHIFT; 1126 SSL_CONNECTION_VERSION_SHIFT;
1121 } 1127 }
1122 1128
1123 // SSL_HandshakeNegotiatedExtension was added in NSS 3.12.6. 1129 // SSL_HandshakeNegotiatedExtension was added in NSS 3.12.6.
1124 // Since SSL_MAX_EXTENSIONS was added at the same time, we can test 1130 // Since SSL_MAX_EXTENSIONS was added at the same time, we can test
1125 // SSL_MAX_EXTENSIONS for the presence of SSL_HandshakeNegotiatedExtension. 1131 // SSL_MAX_EXTENSIONS for the presence of SSL_HandshakeNegotiatedExtension.
1126 #if defined(SSL_MAX_EXTENSIONS) 1132 #if defined(SSL_MAX_EXTENSIONS)
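Review bot: The TLS 1.1 and 1.2 branches on new lines 1119 and 1121 compare `channel_info.protocolVersion` against the bare literals `0x0302` and `0x0303`, while the SSL2/SSL3/TLS1 branches beside them use NSS's `SSL_LIBRARY_VERSION_*` macros. The comment on 1108–1109 explains the reason, but the literals will silently remain once NSS ships `SSL_LIBRARY_VERSION_TLS_1_1` and `SSL_LIBRARY_VERSION_TLS_1_2`; a guarded fallback definition, in the style of the `#if defined(SSL_MAX_EXTENSIONS)` feature test at the end of this hunk, keeps the chain uniform and picks up the real macros automatically. The guarded defines belong with the other NSS feature tests near the includes, not inside the function body. The enclosing function starts and ends outside this hunk.
```cpp
// NSS 3.12.x doesn't have version macros for TLS 1.1 and 1.2 (because NSS
// doesn't support them yet); fall back to the values NSS uses for them.
#if !defined(SSL_LIBRARY_VERSION_TLS_1_1)
#define SSL_LIBRARY_VERSION_TLS_1_1 0x0302
#endif
#if !defined(SSL_LIBRARY_VERSION_TLS_1_2)
#define SSL_LIBRARY_VERSION_TLS_1_2 0x0303
#endif
// … unchanged: SSL2 / SSL3 / TLS1 branches …
    } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_1) {
      version = SSL_CONNECTION_VERSION_TLS1_1;
    } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_2) {
      version = SSL_CONNECTION_VERSION_TLS1_2;
    }
```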
(...skipping 517 matching lines...) Expand 10 before | Expand all | Expand 10 after
1644 1650
1645 // static 1651 // static
1646 // NSS calls this if a client certificate is needed. 1652 // NSS calls this if a client certificate is needed.
1647 // Based on Mozilla's NSS_GetClientAuthData. 1653 // Based on Mozilla's NSS_GetClientAuthData.
1648 SECStatus SSLClientSocketNSS::ClientAuthHandler( 1654 SECStatus SSLClientSocketNSS::ClientAuthHandler(
1649 void* arg, 1655 void* arg,
1650 PRFileDesc* socket, 1656 PRFileDesc* socket,
1651 CERTDistNames* ca_names, 1657 CERTDistNames* ca_names,
1652 CERTCertificate** result_certificate, 1658 CERTCertificate** result_certificate,
1653 SECKEYPrivateKey** result_private_key) { 1659 SECKEYPrivateKey** result_private_key) {
1660 // NSS passes a null ca_names if SSL 2.0 is used. Just fail rather than
1661 // trying to make this work, as we plan to remove SSL 2.0 support soon.
1662 if (!ca_names)
1663 return SECFailure;
1664
1654 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); 1665 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
1655 1666
1656 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; 1667 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
1657 1668
1658 #if defined(OS_WIN) 1669 #if defined(OS_WIN)
1659 if (that->ssl_config_.send_client_cert) { 1670 if (that->ssl_config_.send_client_cert) {
1660 // TODO(wtc): SSLClientSocketNSS can't do SSL client authentication using 1671 // TODO(wtc): SSLClientSocketNSS can't do SSL client authentication using
1661 // CryptoAPI yet (http://crbug.com/37560), so client_cert must be NULL. 1672 // CryptoAPI yet (http://crbug.com/37560), so client_cert must be NULL.
1662 DCHECK(!that->ssl_config_.client_cert); 1673 DCHECK(!that->ssl_config_.client_cert);
1663 // Send no client certificate. 1674 // Send no client certificate.
(...skipping 695 matching lines...) Expand 10 before | Expand all | Expand 10 after
2359 case SSL_CONNECTION_VERSION_TLS1_1: 2370 case SSL_CONNECTION_VERSION_TLS1_1:
2360 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); 2371 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1);
2361 break; 2372 break;
2362 case SSL_CONNECTION_VERSION_TLS1_2: 2373 case SSL_CONNECTION_VERSION_TLS1_2:
2363 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); 2374 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2);
2364 break; 2375 break;
2365 }; 2376 };
2366 } 2377 }
2367 2378
2368 } // namespace net 2379 } // namespace net