net/socket/ssl_client_socket_nss.cc - Issue 4339001: Correctly handle SSL Client Authentication requests when connecting...

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 4339001: Correctly handle SSL Client Authentication requests when connecting... (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/

Patch Set: '' Created 10 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived	5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived

6 // from AuthCertificateCallback() in	6 // from AuthCertificateCallback() in

7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.	7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.

8	8

9 /* *** BEGIN LICENSE BLOCK ***	9 /* *** BEGIN LICENSE BLOCK ***

10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1	10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1

(...skipping 378 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
389 }	389 }

390	390

391 private:	391 private:

392 unsigned num_certs_;	392 unsigned num_certs_;

393 CERTCertificate** certs_;	393 CERTCertificate** certs_;

394 };	394 };

395	395

396 } // namespace	396 } // namespace

397	397

398 SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket,	398 SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket,

399 const std::string& hostname,	399 const HostPortPair& host_and_port,

400 const SSLConfig& ssl_config,	400 const SSLConfig& ssl_config,

401 SSLHostInfo* ssl_host_info,	401 SSLHostInfo* ssl_host_info,

402 DnsRRResolver* dnsrr_resolver)	402 DnsRRResolver* dnsrr_resolver)

403 : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_(	403 : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_(

404 this, &SSLClientSocketNSS::BufferSendComplete)),	404 this, &SSLClientSocketNSS::BufferSendComplete)),

405 ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_(	405 ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_(

406 this, &SSLClientSocketNSS::BufferRecvComplete)),	406 this, &SSLClientSocketNSS::BufferRecvComplete)),

407 transport_send_busy_(false),	407 transport_send_busy_(false),

408 transport_recv_busy_(false),	408 transport_recv_busy_(false),

409 corked_(false),	409 corked_(false),

410 ALLOW_THIS_IN_INITIALIZER_LIST(handshake_io_callback_(	410 ALLOW_THIS_IN_INITIALIZER_LIST(handshake_io_callback_(

411 this, &SSLClientSocketNSS::OnHandshakeIOComplete)),	411 this, &SSLClientSocketNSS::OnHandshakeIOComplete)),

412 transport_(transport_socket),	412 transport_(transport_socket),

413 hostname_(hostname),	413 host_and_port_(host_and_port),

414 ssl_config_(ssl_config),	414 ssl_config_(ssl_config),

415 user_connect_callback_(NULL),	415 user_connect_callback_(NULL),

416 user_read_callback_(NULL),	416 user_read_callback_(NULL),

417 user_write_callback_(NULL),	417 user_write_callback_(NULL),

418 user_read_buf_len_(0),	418 user_read_buf_len_(0),

419 user_write_buf_len_(0),	419 user_write_buf_len_(0),

420 server_cert_nss_(NULL),	420 server_cert_nss_(NULL),

421 server_cert_verify_result_(NULL),	421 server_cert_verify_result_(NULL),

422 ssl_connection_status_(0),	422 ssl_connection_status_(0),

423 client_auth_cert_needed_(false),	423 client_auth_cert_needed_(false),

(...skipping 48 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
472	472

473 SECStatus rv;	473 SECStatus rv;

474 SSLSnapStartResult snap_start_type;	474 SSLSnapStartResult snap_start_type;

475 rv = SSL_GetSnapStartResult(nss_fd_, &snap_start_type);	475 rv = SSL_GetSnapStartResult(nss_fd_, &snap_start_type);

476 if (rv != SECSuccess) {	476 if (rv != SECSuccess) {

477 NOTREACHED();	477 NOTREACHED();

478 return;	478 return;

479 }	479 }

480 net_log_.AddEvent(NetLog::TYPE_SSL_SNAP_START,	480 net_log_.AddEvent(NetLog::TYPE_SSL_SNAP_START,

481 new NetLogIntegerParameter("type", snap_start_type));	481 new NetLogIntegerParameter("type", snap_start_type));

482 LOG(ERROR) << "Snap Start: " << snap_start_type << " " << hostname_;	482 LOG(ERROR) << "Snap Start: " << snap_start_type << " "

	483 << host_and_port_.host();

483 if (snap_start_type == SSL_SNAP_START_FULL \|\|	484 if (snap_start_type == SSL_SNAP_START_FULL \|\|

484 snap_start_type == SSL_SNAP_START_RESUME) {	485 snap_start_type == SSL_SNAP_START_RESUME) {

485 // If we did a successful Snap Start then our information was correct and	486 // If we did a successful Snap Start then our information was correct and

486 // there's no point saving it again.	487 // there's no point saving it again.

487 return;	488 return;

488 }	489 }

489	490

490 const unsigned char* hello_data;	491 const unsigned char* hello_data;

491 unsigned hello_data_len;	492 unsigned hello_data_len;

492 rv = SSL_GetPredictedServerHelloData(nss_fd_, &hello_data, &hello_data_len);	493 rv = SSL_GetPredictedServerHelloData(nss_fd_, &hello_data, &hello_data_len);

(...skipping 18 matching lines...) Expand all Loading...
511 PeerCertificateChain certs(nss_fd_);	512 PeerCertificateChain certs(nss_fd_);

512 for (unsigned i = 0; i < certs.size(); i++) {	513 for (unsigned i = 0; i < certs.size(); i++) {

513 if (certs[i]->derCert.len > std::numeric_limits<uint16>::max())	514 if (certs[i]->derCert.len > std::numeric_limits<uint16>::max())

514 return;	515 return;

515	516

516 state->certs.push_back(std::string(	517 state->certs.push_back(std::string(

517 reinterpret_cast<char*>(certs[i]->derCert.data),	518 reinterpret_cast<char*>(certs[i]->derCert.data),

518 certs[i]->derCert.len));	519 certs[i]->derCert.len));

519 }	520 }

520	521

521 LOG(ERROR) << "Setting Snap Start info " << hostname_;	522 LOG(ERROR) << "Setting Snap Start info " << host_and_port_.host();
	eroman 2010/11/12 01:12:56 nit: would it make sense to use the ToString() ins nit: would it make sense to use the ToString() instead and show the port? (ditto to other instance in this file). Ryan Hamilton 2010/11/12 16:47:26 Done. (Just the logging, not the various method c Show quoted text On 2010/11/12 01:12:56, eroman wrote: > nit: would it make sense to use the ToString() instead and show the port? (ditto > to other instance in this file). Done. (Just the logging, not the various method calls)
522 ssl_host_info_->Persist();	523 ssl_host_info_->Persist();

523 }	524 }

524	525

525 static void DestroyCertificates(CERTCertificate** certs, unsigned len) {	526 static void DestroyCertificates(CERTCertificate** certs, unsigned len) {

526 for (unsigned i = 0; i < len; i++)	527 for (unsigned i = 0; i < len; i++)

527 CERT_DestroyCertificate(certs[i]);	528 CERT_DestroyCertificate(certs[i]);

528 }	529 }

529	530

530 // LoadSnapStartInfo parses \|info\|, which contains data previously serialised	531 // LoadSnapStartInfo parses \|info\|, which contains data previously serialised

531 // by \|SaveSnapStartInfo\|, and sets the predicted certificates and ServerHello	532 // by \|SaveSnapStartInfo\|, and sets the predicted certificates and ServerHello

(...skipping 202 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
734 // See http://crbug.com/31628	735 // See http://crbug.com/31628

735 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_DEFLATE, ssl_config_.tls1_enabled);	736 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_DEFLATE, ssl_config_.tls1_enabled);

736 if (rv != SECSuccess)	737 if (rv != SECSuccess)

737 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_DEFLATE");	738 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_DEFLATE");

738 #endif	739 #endif

739	740

740 #ifdef SSL_ENABLE_FALSE_START	741 #ifdef SSL_ENABLE_FALSE_START

741 rv = SSL_OptionSet(	742 rv = SSL_OptionSet(

742 nss_fd_, SSL_ENABLE_FALSE_START,	743 nss_fd_, SSL_ENABLE_FALSE_START,

743 ssl_config_.false_start_enabled &&	744 ssl_config_.false_start_enabled &&

744 !SSLConfigService::IsKnownFalseStartIncompatibleServer(hostname_));	745 !SSLConfigService::IsKnownFalseStartIncompatibleServer(

	746 host_and_port_.host()));

745 if (rv != SECSuccess)	747 if (rv != SECSuccess)

746 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");	748 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");

747 #endif	749 #endif

748	750

749 #ifdef SSL_ENABLE_SNAP_START	751 #ifdef SSL_ENABLE_SNAP_START

750 // TODO(agl): check that SSL_ENABLE_SNAP_START actually does something in the	752 // TODO(agl): check that SSL_ENABLE_SNAP_START actually does something in the

751 // current NSS code.	753 // current NSS code.

752 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SNAP_START,	754 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SNAP_START,

753 ssl_config_.snap_start_enabled);	755 ssl_config_.snap_start_enabled);

754 if (rv != SECSuccess)	756 if (rv != SECSuccess)

755 VLOG(1) << "SSL_ENABLE_SNAP_START failed. Old system nss?";	757 VLOG(1) << "SSL_ENABLE_SNAP_START failed. Old system nss?";

756 #endif	758 #endif

757	759

758 #ifdef SSL_ENABLE_RENEGOTIATION	760 #ifdef SSL_ENABLE_RENEGOTIATION

759 // Deliberately disable this check for now: http://crbug.com/55410	761 // Deliberately disable this check for now: http://crbug.com/55410

760 if (false &&	762 if (false &&

761 SSLConfigService::IsKnownStrictTLSServer(hostname_) &&	763 SSLConfigService::IsKnownStrictTLSServer(host_and_port_.host()) &&

762 !ssl_config_.mitm_proxies_allowed) {	764 !ssl_config_.mitm_proxies_allowed) {

763 rv = SSL_OptionSet(nss_fd_, SSL_REQUIRE_SAFE_NEGOTIATION, PR_TRUE);	765 rv = SSL_OptionSet(nss_fd_, SSL_REQUIRE_SAFE_NEGOTIATION, PR_TRUE);

764 if (rv != SECSuccess) {	766 if (rv != SECSuccess) {

765 LogFailedNSSFunction(	767 LogFailedNSSFunction(

766 net_log_, "SSL_OptionSet", "SSL_REQUIRE_SAFE_NEGOTIATION");	768 net_log_, "SSL_OptionSet", "SSL_REQUIRE_SAFE_NEGOTIATION");

767 }	769 }

768 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,	770 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,

769 SSL_RENEGOTIATE_REQUIRES_XTN);	771 SSL_RENEGOTIATE_REQUIRES_XTN);

770 } else {	772 } else {

771 // We allow servers to request renegotiation. Since we're a client,	773 // We allow servers to request renegotiation. Since we're a client,

(...skipping 44 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
816 return ERR_UNEXPECTED;	818 return ERR_UNEXPECTED;

817 }	819 }

818	820

819 rv = SSL_HandshakeCallback(nss_fd_, HandshakeCallback, this);	821 rv = SSL_HandshakeCallback(nss_fd_, HandshakeCallback, this);

820 if (rv != SECSuccess) {	822 if (rv != SECSuccess) {

821 LogFailedNSSFunction(net_log_, "SSL_HandshakeCallback", "");	823 LogFailedNSSFunction(net_log_, "SSL_HandshakeCallback", "");

822 return ERR_UNEXPECTED;	824 return ERR_UNEXPECTED;

823 }	825 }

824	826

825 // Tell SSL the hostname we're trying to connect to.	827 // Tell SSL the hostname we're trying to connect to.

826 SSL_SetURL(nss_fd_, hostname_.c_str());	828 SSL_SetURL(nss_fd_, host_and_port_.host().c_str());

827	829

828 // Tell SSL we're a client; needed if not letting NSPR do socket I/O	830 // Tell SSL we're a client; needed if not letting NSPR do socket I/O

829 SSL_ResetHandshake(nss_fd_, 0);	831 SSL_ResetHandshake(nss_fd_, 0);

830	832

831 return OK;	833 return OK;

832 }	834 }

833	835

834 int SSLClientSocketNSS::InitializeSSLPeerName() {	836 int SSLClientSocketNSS::InitializeSSLPeerName() {

835 // Tell NSS who we're connected to	837 // Tell NSS who we're connected to

836 AddressList peer_address;	838 AddressList peer_address;

(...skipping 14 matching lines...) Expand all Loading...
851 // structure has a one-byte length and one-byte address family	853 // structure has a one-byte length and one-byte address family

852 // field at the beginning. PRNetAddr has a two-byte address	854 // field at the beginning. PRNetAddr has a two-byte address

853 // family field at the beginning.	855 // family field at the beginning.

854 peername.raw.family = ai->ai_addr->sa_family;	856 peername.raw.family = ai->ai_addr->sa_family;

855	857

856 memio_SetPeerName(nss_fd_, &peername);	858 memio_SetPeerName(nss_fd_, &peername);

857	859

858 // Set the peer ID for session reuse. This is necessary when we create an	860 // Set the peer ID for session reuse. This is necessary when we create an

859 // SSL tunnel through a proxy -- GetPeerName returns the proxy's address	861 // SSL tunnel through a proxy -- GetPeerName returns the proxy's address

860 // rather than the destination server's address in that case.	862 // rather than the destination server's address in that case.

861 // TODO(wtc): port in \|peer_address\| is not the server's port when a proxy is	863 std::string peer_id = host_and_port_.ToString();

862 // used.

863 std::string peer_id = base::StringPrintf("%s:%d", hostname_.c_str(),

864 peer_address.GetPort());

865 SECStatus rv = SSL_SetSockPeerID(nss_fd_, const_cast<char*>(peer_id.c_str()));	864 SECStatus rv = SSL_SetSockPeerID(nss_fd_, const_cast<char*>(peer_id.c_str()));

866 if (rv != SECSuccess)	865 if (rv != SECSuccess)

867 LogFailedNSSFunction(net_log_, "SSL_SetSockPeerID", peer_id.c_str());	866 LogFailedNSSFunction(net_log_, "SSL_SetSockPeerID", peer_id.c_str());

868	867

869 peername_initialized_ = true;	868 peername_initialized_ = true;

870 return OK;	869 return OK;

871 }	870 }

872	871

873 void SSLClientSocketNSS::Disconnect() {	872 void SSLClientSocketNSS::Disconnect() {

874 EnterFunction("");	873 EnterFunction("");

(...skipping 258 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1133 // SSL_MAX_EXTENSIONS for the presence of SSL_HandshakeNegotiatedExtension.	1132 // SSL_MAX_EXTENSIONS for the presence of SSL_HandshakeNegotiatedExtension.

1134 #if defined(SSL_MAX_EXTENSIONS)	1133 #if defined(SSL_MAX_EXTENSIONS)

1135 PRBool peer_supports_renego_ext;	1134 PRBool peer_supports_renego_ext;

1136 ok = SSL_HandshakeNegotiatedExtension(nss_fd_, ssl_renegotiation_info_xtn,	1135 ok = SSL_HandshakeNegotiatedExtension(nss_fd_, ssl_renegotiation_info_xtn,

1137 &peer_supports_renego_ext);	1136 &peer_supports_renego_ext);

1138 if (ok == SECSuccess) {	1137 if (ok == SECSuccess) {

1139 if (!peer_supports_renego_ext) {	1138 if (!peer_supports_renego_ext) {

1140 ssl_connection_status_ \|= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;	1139 ssl_connection_status_ \|= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;

1141 // Log an informational message if the server does not support secure	1140 // Log an informational message if the server does not support secure

1142 // renegotiation (RFC 5746).	1141 // renegotiation (RFC 5746).

1143 VLOG(1) << "The server " << hostname_	1142 VLOG(1) << "The server " << host_and_port_.host()
	eroman 2010/11/12 01:12:56 ditto on port. ditto on port. Ryan Hamilton 2010/11/12 16:47:26 Done. Show quoted text On 2010/11/12 01:12:56, eroman wrote: > ditto on port. Done.
1144 << " does not support the TLS renegotiation_info extension.";	1143 << " does not support the TLS renegotiation_info extension.";

1145 }	1144 }

1146 UMA_HISTOGRAM_ENUMERATION("Net.RenegotiationExtensionSupported",	1145 UMA_HISTOGRAM_ENUMERATION("Net.RenegotiationExtensionSupported",

1147 peer_supports_renego_ext, 2);	1146 peer_supports_renego_ext, 2);

1148 }	1147 }

1149 #endif	1148 #endif

1150	1149

1151 if (ssl_config_.ssl3_fallback)	1150 if (ssl_config_.ssl3_fallback)

1152 ssl_connection_status_ \|= SSL_CONNECTION_SSL3_FALLBACK;	1151 ssl_connection_status_ \|= SSL_CONNECTION_SSL3_FALLBACK;

1153 }	1152 }

(...skipping 23 matching lines...) Expand all Loading...
1177 ssl_info->security_bits = -1;	1176 ssl_info->security_bits = -1;

1178 LOG(DFATAL) << "SSL_GetCipherSuiteInfo returned " << PR_GetError()	1177 LOG(DFATAL) << "SSL_GetCipherSuiteInfo returned " << PR_GetError()

1179 << " for cipherSuite " << cipher_suite;	1178 << " for cipherSuite " << cipher_suite;

1180 }	1179 }

1181 LeaveFunction("");	1180 LeaveFunction("");

1182 }	1181 }

1183	1182

1184 void SSLClientSocketNSS::GetSSLCertRequestInfo(	1183 void SSLClientSocketNSS::GetSSLCertRequestInfo(

1185 SSLCertRequestInfo* cert_request_info) {	1184 SSLCertRequestInfo* cert_request_info) {

1186 EnterFunction("");	1185 EnterFunction("");

1187 cert_request_info->host_and_port = hostname_; // TODO(wtc): no port!	1186 cert_request_info->host_and_port = host_and_port_.ToString();
	eroman 2010/11/12 01:12:56 It may make sense in the future for cert_request_i It may make sense in the future for cert_request_info to simply be a HostPortPair. Ryan Hamilton 2010/11/12 16:47:26 agreed. added a todo. Show quoted text On 2010/11/12 01:12:56, eroman wrote: > It may make sense in the future for cert_request_info to simply be a > HostPortPair. agreed. added a todo.
1188 cert_request_info->client_certs = client_certs_;	1187 cert_request_info->client_certs = client_certs_;

1189 LeaveFunction(cert_request_info->client_certs.size());	1188 LeaveFunction(cert_request_info->client_certs.size());

1190 }	1189 }

1191	1190

1192 SSLClientSocket::NextProtoStatus	1191 SSLClientSocket::NextProtoStatus

1193 SSLClientSocketNSS::GetNextProto(std::string* proto) {	1192 SSLClientSocketNSS::GetNextProto(std::string* proto) {

1194 #if defined(SSL_NEXT_PROTO_NEGOTIATED)	1193 #if defined(SSL_NEXT_PROTO_NEGOTIATED)

1195 if (!handshake_callback_called_) {	1194 if (!handshake_callback_called_) {

1196 DCHECK(pseudo_connected_);	1195 DCHECK(pseudo_connected_);

1197 predicted_npn_proto_used_ = true;	1196 predicted_npn_proto_used_ = true;

(...skipping 953 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
2151 }	2150 }

2152 }	2151 }

2153	2152

2154 SaveSnapStartInfo();	2153 SaveSnapStartInfo();

2155 // SSL handshake is completed. It's possible that we mispredicted the	2154 // SSL handshake is completed. It's possible that we mispredicted the

2156 // NPN agreed protocol. In this case, we've just sent a request in the	2155 // NPN agreed protocol. In this case, we've just sent a request in the

2157 // wrong protocol! The higher levels of this network stack aren't	2156 // wrong protocol! The higher levels of this network stack aren't

2158 // prepared for switching the protocol like that so we make up an error	2157 // prepared for switching the protocol like that so we make up an error

2159 // and rely on the fact that the request will be retried.	2158 // and rely on the fact that the request will be retried.

2160 if (IsNPNProtocolMispredicted()) {	2159 if (IsNPNProtocolMispredicted()) {

2161 LOG(WARNING) << "Mispredicted NPN protocol for " << hostname_;	2160 LOG(WARNING) << "Mispredicted NPN protocol for "

	2161 << host_and_port_.host();

2162 net_error = ERR_SSL_SNAP_START_NPN_MISPREDICTION;	2162 net_error = ERR_SSL_SNAP_START_NPN_MISPREDICTION;

2163 } else {	2163 } else {

2164 // Let's verify the certificate.	2164 // Let's verify the certificate.

2165 GotoState(STATE_VERIFY_DNSSEC);	2165 GotoState(STATE_VERIFY_DNSSEC);

2166 }	2166 }

2167 }	2167 }

2168 // Done!	2168 // Done!

2169 } else {	2169 } else {

2170 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=562434 -	2170 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=562434 -

2171 // SSL_ForceHandshake returned SECSuccess prematurely.	2171 // SSL_ForceHandshake returned SECSuccess prematurely.

(...skipping 168 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
2340 if (verifier.rrtype() != kDNS_TXT)	2340 if (verifier.rrtype() != kDNS_TXT)

2341 return DNSVR_CONTINUE;	2341 return DNSVR_CONTINUE;

2342	2342

2343 DNSValidationResult r = VerifyTXTRecords(	2343 DNSValidationResult r = VerifyTXTRecords(

2344 true /* DNSSEC verified */, server_cert_nss, verifier.rrdatas());	2344 true /* DNSSEC verified */, server_cert_nss, verifier.rrdatas());

2345 SECITEM_FreeItem(&dnssec_embedded_chain, PR_FALSE);	2345 SECITEM_FreeItem(&dnssec_embedded_chain, PR_FALSE);

2346 return r;	2346 return r;

2347 }	2347 }

2348	2348

2349 int SSLClientSocketNSS::DoVerifyDNSSEC(int result) {	2349 int SSLClientSocketNSS::DoVerifyDNSSEC(int result) {

2350 #if !defined(USE_OPENSSL)

2351 if (ssl_config_.dns_cert_provenance_checking_enabled && dnsrr_resolver_) {

2352 PeerCertificateChain certs(nss_fd_);

2353 DoAsyncDNSCertProvenanceVerification(

2354 hostname_, dnsrr_resolver_, certs.AsStringPieceVector());

2355 }

2356 #endif

2357

2358 if (ssl_config_.dnssec_enabled) {	2350 if (ssl_config_.dnssec_enabled) {

2359 DNSValidationResult r = CheckDNSSECChain(hostname_, server_cert_nss_);	2351 DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(),

	2352 server_cert_nss_);

2360 if (r == DNSVR_SUCCESS) {	2353 if (r == DNSVR_SUCCESS) {

2361 local_server_cert_verify_result_.cert_status \|= CERT_STATUS_IS_DNSSEC;	2354 local_server_cert_verify_result_.cert_status \|= CERT_STATUS_IS_DNSSEC;

2362 server_cert_verify_result_ = &local_server_cert_verify_result_;	2355 server_cert_verify_result_ = &local_server_cert_verify_result_;

2363 GotoState(STATE_VERIFY_CERT_COMPLETE);	2356 GotoState(STATE_VERIFY_CERT_COMPLETE);

2364 return OK;	2357 return OK;

2365 }	2358 }

2366 }	2359 }

2367	2360

2368 if (dnssec_provider_ == NULL) {	2361 if (dnssec_provider_ == NULL) {

2369 GotoState(STATE_VERIFY_CERT);	2362 GotoState(STATE_VERIFY_CERT);

(...skipping 75 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
2445 UMA_HISTOGRAM_ENUMERATION("Net.SSLVerificationMerged", 0 /* false */, 2);	2438 UMA_HISTOGRAM_ENUMERATION("Net.SSLVerificationMerged", 0 /* false */, 2);

2446 }	2439 }

2447	2440

2448 int flags = 0;	2441 int flags = 0;

2449 if (ssl_config_.rev_checking_enabled)	2442 if (ssl_config_.rev_checking_enabled)

2450 flags \|= X509Certificate::VERIFY_REV_CHECKING_ENABLED;	2443 flags \|= X509Certificate::VERIFY_REV_CHECKING_ENABLED;

2451 if (ssl_config_.verify_ev_cert)	2444 if (ssl_config_.verify_ev_cert)

2452 flags \|= X509Certificate::VERIFY_EV_CERT;	2445 flags \|= X509Certificate::VERIFY_EV_CERT;

2453 verifier_.reset(new CertVerifier);	2446 verifier_.reset(new CertVerifier);

2454 server_cert_verify_result_ = &local_server_cert_verify_result_;	2447 server_cert_verify_result_ = &local_server_cert_verify_result_;

2455 return verifier_->Verify(server_cert_, hostname_, flags,	2448 return verifier_->Verify(server_cert_, host_and_port_.host(), flags,

2456 &local_server_cert_verify_result_,	2449 &local_server_cert_verify_result_,

2457 &handshake_io_callback_);	2450 &handshake_io_callback_);

2458 }	2451 }

2459	2452

2460 // Derived from AuthCertificateCallback() in	2453 // Derived from AuthCertificateCallback() in

2461 // mozilla/source/security/manager/ssl/src/nsNSSCallbacks.cpp.	2454 // mozilla/source/security/manager/ssl/src/nsNSSCallbacks.cpp.

2462 int SSLClientSocketNSS::DoVerifyCertComplete(int result) {	2455 int SSLClientSocketNSS::DoVerifyCertComplete(int result) {

2463 verifier_.reset();	2456 verifier_.reset();

2464	2457

2465 // We used to remember the intermediate CA certs in the NSS database	2458 // We used to remember the intermediate CA certs in the NSS database

(...skipping 139 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
2605 case SSL_CONNECTION_VERSION_TLS1_1:	2598 case SSL_CONNECTION_VERSION_TLS1_1:

2606 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1);	2599 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1);

2607 break;	2600 break;

2608 case SSL_CONNECTION_VERSION_TLS1_2:	2601 case SSL_CONNECTION_VERSION_TLS1_2:

2609 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2);	2602 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2);

2610 break;	2603 break;

2611 };	2604 };

2612 }	2605 }

2613	2606

2614 } // namespace net	2607 } // namespace net

OLD	NEW

« net/socket/ssl_client_socket_nss.h ('K') | « net/socket/ssl_client_socket_nss.h ('k') | net/socket/ssl_client_socket_nss_factory.cc » ('j') | net/socket/ssl_client_socket_win.h » ('J')