| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| 390 | 390 |
| 391 private: | 391 private: |
| 392 unsigned num_certs_; | 392 unsigned num_certs_; |
| 393 CERTCertificate** certs_; | 393 CERTCertificate** certs_; |
| 394 }; | 394 }; |
| 395 | 395 |
| 396 } // namespace | 396 } // namespace |
| 397 | 397 |
| 398 SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, | 398 SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, |
| 399 const std::string& hostname, | 399 const std::string& hostname, |
| 400 uint16 port, |
| 400 const SSLConfig& ssl_config, | 401 const SSLConfig& ssl_config, |
| 401 SSLHostInfo* ssl_host_info, | 402 SSLHostInfo* ssl_host_info, |
| 402 DnsRRResolver* dnsrr_resolver) | 403 DnsRRResolver* dnsrr_resolver) |
| 403 : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_( | 404 : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_( |
| 404 this, &SSLClientSocketNSS::BufferSendComplete)), | 405 this, &SSLClientSocketNSS::BufferSendComplete)), |
| 405 ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_( | 406 ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_( |
| 406 this, &SSLClientSocketNSS::BufferRecvComplete)), | 407 this, &SSLClientSocketNSS::BufferRecvComplete)), |
| 407 transport_send_busy_(false), | 408 transport_send_busy_(false), |
| 408 transport_recv_busy_(false), | 409 transport_recv_busy_(false), |
| 409 corked_(false), | 410 corked_(false), |
| 410 ALLOW_THIS_IN_INITIALIZER_LIST(handshake_io_callback_( | 411 ALLOW_THIS_IN_INITIALIZER_LIST(handshake_io_callback_( |
| 411 this, &SSLClientSocketNSS::OnHandshakeIOComplete)), | 412 this, &SSLClientSocketNSS::OnHandshakeIOComplete)), |
| 412 transport_(transport_socket), | 413 transport_(transport_socket), |
| 413 hostname_(hostname), | 414 hostname_(hostname), |
| 415 port_(port), |
| 414 ssl_config_(ssl_config), | 416 ssl_config_(ssl_config), |
| 415 user_connect_callback_(NULL), | 417 user_connect_callback_(NULL), |
| 416 user_read_callback_(NULL), | 418 user_read_callback_(NULL), |
| 417 user_write_callback_(NULL), | 419 user_write_callback_(NULL), |
| 418 user_read_buf_len_(0), | 420 user_read_buf_len_(0), |
| 419 user_write_buf_len_(0), | 421 user_write_buf_len_(0), |
| 420 server_cert_nss_(NULL), | 422 server_cert_nss_(NULL), |
| 421 server_cert_verify_result_(NULL), | 423 server_cert_verify_result_(NULL), |
| 422 ssl_connection_status_(0), | 424 ssl_connection_status_(0), |
| 423 client_auth_cert_needed_(false), | 425 client_auth_cert_needed_(false), |
| 851 // structure has a one-byte length and one-byte address family | 853 // structure has a one-byte length and one-byte address family |
| 852 // field at the beginning. PRNetAddr has a two-byte address | 854 // field at the beginning. PRNetAddr has a two-byte address |
| 853 // family field at the beginning. | 855 // family field at the beginning. |
| 854 peername.raw.family = ai->ai_addr->sa_family; | 856 peername.raw.family = ai->ai_addr->sa_family; |
| 855 | 857 |
| 856 memio_SetPeerName(nss_fd_, &peername); | 858 memio_SetPeerName(nss_fd_, &peername); |
| 857 | 859 |
| 858 // Set the peer ID for session reuse. This is necessary when we create an | 860 // Set the peer ID for session reuse. This is necessary when we create an |
| 859 // SSL tunnel through a proxy -- GetPeerName returns the proxy's address | 861 // SSL tunnel through a proxy -- GetPeerName returns the proxy's address |
| 860 // rather than the destination server's address in that case. | 862 // rather than the destination server's address in that case. |
| 861 // TODO(wtc): port in |peer_address| is not the server's port when a proxy is | 863 std::string peer_id = HostPortPair(hostname_, port_).ToString(); |
| 862 // used. | |
| 863 std::string peer_id = base::StringPrintf("%s:%d", hostname_.c_str(), | |
| 864 peer_address.GetPort()); | |
| 865 SECStatus rv = SSL_SetSockPeerID(nss_fd_, const_cast<char*>(peer_id.c_str())); | 864 SECStatus rv = SSL_SetSockPeerID(nss_fd_, const_cast<char*>(peer_id.c_str())); |
| 866 if (rv != SECSuccess) | 865 if (rv != SECSuccess) |
| 867 LogFailedNSSFunction(net_log_, "SSL_SetSockPeerID", peer_id.c_str()); | 866 LogFailedNSSFunction(net_log_, "SSL_SetSockPeerID", peer_id.c_str()); |
| 868 | 867 |
| 869 peername_initialized_ = true; | 868 peername_initialized_ = true; |
| 870 return OK; | 869 return OK; |
| 871 } | 870 } |
| 872 | 871 |
| 873 void SSLClientSocketNSS::Disconnect() { | 872 void SSLClientSocketNSS::Disconnect() { |
| 874 EnterFunction(""); | 873 EnterFunction(""); |
| 1177 ssl_info->security_bits = -1; | 1176 ssl_info->security_bits = -1; |
| 1178 LOG(DFATAL) << "SSL_GetCipherSuiteInfo returned " << PR_GetError() | 1177 LOG(DFATAL) << "SSL_GetCipherSuiteInfo returned " << PR_GetError() |
| 1179 << " for cipherSuite " << cipher_suite; | 1178 << " for cipherSuite " << cipher_suite; |
| 1180 } | 1179 } |
| 1181 LeaveFunction(""); | 1180 LeaveFunction(""); |
| 1182 } | 1181 } |
| 1183 | 1182 |
| 1184 void SSLClientSocketNSS::GetSSLCertRequestInfo( | 1183 void SSLClientSocketNSS::GetSSLCertRequestInfo( |
| 1185 SSLCertRequestInfo* cert_request_info) { | 1184 SSLCertRequestInfo* cert_request_info) { |
| 1186 EnterFunction(""); | 1185 EnterFunction(""); |
| 1187 cert_request_info->host_and_port = hostname_; // TODO(wtc): no port! | 1186 cert_request_info->host_and_port = HostPortPair(hostname_, port_).ToString(); |
| 1188 cert_request_info->client_certs = client_certs_; | 1187 cert_request_info->client_certs = client_certs_; |
| 1189 LeaveFunction(cert_request_info->client_certs.size()); | 1188 LeaveFunction(cert_request_info->client_certs.size()); |
| 1190 } | 1189 } |
| 1191 | 1190 |
| 1192 SSLClientSocket::NextProtoStatus | 1191 SSLClientSocket::NextProtoStatus |
| 1193 SSLClientSocketNSS::GetNextProto(std::string* proto) { | 1192 SSLClientSocketNSS::GetNextProto(std::string* proto) { |
| 1194 #if defined(SSL_NEXT_PROTO_NEGOTIATED) | 1193 #if defined(SSL_NEXT_PROTO_NEGOTIATED) |
| 1195 if (!handshake_callback_called_) { | 1194 if (!handshake_callback_called_) { |
| 1196 DCHECK(pseudo_connected_); | 1195 DCHECK(pseudo_connected_); |
| 1197 predicted_npn_proto_used_ = true; | 1196 predicted_npn_proto_used_ = true; |
| 2340 if (verifier.rrtype() != kDNS_TXT) | 2339 if (verifier.rrtype() != kDNS_TXT) |
| 2341 return DNSVR_CONTINUE; | 2340 return DNSVR_CONTINUE; |
| 2342 | 2341 |
| 2343 DNSValidationResult r = VerifyTXTRecords( | 2342 DNSValidationResult r = VerifyTXTRecords( |
| 2344 true /* DNSSEC verified */, server_cert_nss, verifier.rrdatas()); | 2343 true /* DNSSEC verified */, server_cert_nss, verifier.rrdatas()); |
| 2345 SECITEM_FreeItem(&dnssec_embedded_chain, PR_FALSE); | 2344 SECITEM_FreeItem(&dnssec_embedded_chain, PR_FALSE); |
| 2346 return r; | 2345 return r; |
| 2347 } | 2346 } |
| 2348 | 2347 |
| 2349 int SSLClientSocketNSS::DoVerifyDNSSEC(int result) { | 2348 int SSLClientSocketNSS::DoVerifyDNSSEC(int result) { |
| 2350 #if !defined(USE_OPENSSL) | |
| 2351 if (ssl_config_.dns_cert_provenance_checking_enabled && dnsrr_resolver_) { | |
| 2352 PeerCertificateChain certs(nss_fd_); | |
| 2353 DoAsyncDNSCertProvenanceVerification( | |
| 2354 hostname_, dnsrr_resolver_, certs.AsStringPieceVector()); | |
| 2355 } | |
| 2356 #endif | |
| 2357 | |
| 2358 if (ssl_config_.dnssec_enabled) { | 2349 if (ssl_config_.dnssec_enabled) { |
| 2359 DNSValidationResult r = CheckDNSSECChain(hostname_, server_cert_nss_); | 2350 DNSValidationResult r = CheckDNSSECChain(hostname_, server_cert_nss_); |
| 2360 if (r == DNSVR_SUCCESS) { | 2351 if (r == DNSVR_SUCCESS) { |
| 2361 local_server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC; | 2352 local_server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC; |
| 2362 server_cert_verify_result_ = &local_server_cert_verify_result_; | 2353 server_cert_verify_result_ = &local_server_cert_verify_result_; |
| 2363 GotoState(STATE_VERIFY_CERT_COMPLETE); | 2354 GotoState(STATE_VERIFY_CERT_COMPLETE); |
| 2364 return OK; | 2355 return OK; |
| 2365 } | 2356 } |
| 2366 } | 2357 } |
| 2367 | 2358 |
| 2605 case SSL_CONNECTION_VERSION_TLS1_1: | 2596 case SSL_CONNECTION_VERSION_TLS1_1: |
| 2606 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); | 2597 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); |
| 2607 break; | 2598 break; |
| 2608 case SSL_CONNECTION_VERSION_TLS1_2: | 2599 case SSL_CONNECTION_VERSION_TLS1_2: |
| 2609 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); | 2600 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); |
| 2610 break; | 2601 break; |
| 2611 }; | 2602 }; |
| 2612 } | 2603 } |
| 2613 | 2604 |
| 2614 } // namespace net | 2605 } // namespace net |
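Review bot: The new peer ID at new line 863 is only a correct session-reuse key if `port_` is the destination server's port rather than the proxy's, and nothing in the hunk records that invariant; the comment above it still only explains why `peer_address` is unsuitable. I would add, directly above the `HostPortPair(hostname_, port_)` line, `// |port_| is the destination port even when tunnelling through a proxy, so the peer ID used for session reuse is unique per origin.` — whether every constructor caller actually passes the destination port is not visible in this diff, so that claim should be confirmed before it is written down. The same `HostPortPair(hostname_, port_).ToString()` expression is repeated at new line 1186 in GetSSLCertRequestInfo; a small private accessor such as `std::string HostAndPort() const;` would keep the two in sync. In the constructor hunk, `port_(port)` is initialised between `hostname_` and `ssl_config_`; that order must match the member declaration order in the header, which is outside this diff.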