| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be | 
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. | 
| 4 | 4 | 
| 5 #include "net/socket/ssl_client_socket_mac.h" | 5 #include "net/socket/ssl_client_socket_mac.h" | 
| 6 | 6 | 
| 7 #include <CoreServices/CoreServices.h> | 7 #include <CoreServices/CoreServices.h> | 
| 8 #include <netdb.h> | 8 #include <netdb.h> | 
| 9 #include <sys/socket.h> | 9 #include <sys/socket.h> | 
| 10 #include <sys/types.h> | 10 #include <sys/types.h> | 
| 509     if (ShouldEnableCipherSuite(supported_ciphers[i])) | 509     if (ShouldEnableCipherSuite(supported_ciphers[i])) | 
| 510       ciphers_.push_back(supported_ciphers[i]); | 510       ciphers_.push_back(supported_ciphers[i]); | 
| 511   } | 511   } | 
| 512 } | 512 } | 
| 513 | 513 | 
| 514 }  // namespace | 514 }  // namespace | 
| 515 | 515 | 
| 516 //----------------------------------------------------------------------------- | 516 //----------------------------------------------------------------------------- | 
| 517 | 517 | 
| 518 SSLClientSocketMac::SSLClientSocketMac(ClientSocketHandle* transport_socket, | 518 SSLClientSocketMac::SSLClientSocketMac(ClientSocketHandle* transport_socket, | 
| 519                                        const std::string& hostname, | 519                                        const HostPortPair& host_and_port, | 
| 520                                        const SSLConfig& ssl_config) | 520                                        const SSLConfig& ssl_config) | 
| 521     : handshake_io_callback_(this, &SSLClientSocketMac::OnHandshakeIOComplete), | 521     : handshake_io_callback_(this, &SSLClientSocketMac::OnHandshakeIOComplete), | 
| 522       transport_read_callback_(this, | 522       transport_read_callback_(this, | 
| 523                                &SSLClientSocketMac::OnTransportReadComplete), | 523                                &SSLClientSocketMac::OnTransportReadComplete), | 
| 524       transport_write_callback_(this, | 524       transport_write_callback_(this, | 
| 525                                 &SSLClientSocketMac::OnTransportWriteComplete), | 525                                 &SSLClientSocketMac::OnTransportWriteComplete), | 
| 526       transport_(transport_socket), | 526       transport_(transport_socket), | 
| 527       hostname_(hostname), | 527       host_and_port_(host_and_port), | 
| 528       ssl_config_(ssl_config), | 528       ssl_config_(ssl_config), | 
| 529       user_connect_callback_(NULL), | 529       user_connect_callback_(NULL), | 
| 530       user_read_callback_(NULL), | 530       user_read_callback_(NULL), | 
| 531       user_write_callback_(NULL), | 531       user_write_callback_(NULL), | 
| 532       user_read_buf_len_(0), | 532       user_read_buf_len_(0), | 
| 533       user_write_buf_len_(0), | 533       user_write_buf_len_(0), | 
| 534       next_handshake_state_(STATE_NONE), | 534       next_handshake_state_(STATE_NONE), | 
| 535       renegotiating_(false), | 535       renegotiating_(false), | 
| 536       client_cert_requested_(false), | 536       client_cert_requested_(false), | 
| 537       ssl_context_(NULL), | 537       ssl_context_(NULL), | 
| 735       CertPrincipal p; | 735       CertPrincipal p; | 
| 736       if (p.ParseDistinguishedName(CFDataGetBytePtr(issuer), | 736       if (p.ParseDistinguishedName(CFDataGetBytePtr(issuer), | 
| 737                                    CFDataGetLength(issuer))) { | 737                                    CFDataGetLength(issuer))) { | 
| 738         valid_issuers.push_back(p); | 738         valid_issuers.push_back(p); | 
| 739       } | 739       } | 
| 740     } | 740     } | 
| 741     CFRelease(valid_issuer_names); | 741     CFRelease(valid_issuer_names); | 
| 742   } | 742   } | 
| 743 | 743 | 
| 744   // Now get the available client certs whose issuers are allowed by the server. | 744   // Now get the available client certs whose issuers are allowed by the server. | 
| 745   cert_request_info->host_and_port = hostname_; | 745   cert_request_info->host_and_port = host_and_port_.ToString(); | 
| 746   cert_request_info->client_certs.clear(); | 746   cert_request_info->client_certs.clear(); | 
| 747   X509Certificate::GetSSLClientCertificates(hostname_, | 747   // TODO(rch):  we should consider passing a host-port pair as the first | 
|  | 748   // argument to X509Certificate::GetSSLClientCertificates. | 
|  | 749   X509Certificate::GetSSLClientCertificates(host_and_port_.host(), | 
| 748                                             valid_issuers, | 750                                             valid_issuers, | 
| 749                                             &cert_request_info->client_certs); | 751                                             &cert_request_info->client_certs); | 
| 750   VLOG(1) << "Asking user to choose between " | 752   VLOG(1) << "Asking user to choose between " | 
| 751           << cert_request_info->client_certs.size() << " client certs..."; | 753           << cert_request_info->client_certs.size() << " client certs..."; | 
| 752 } | 754 } | 
| 753 | 755 | 
| 754 SSLClientSocket::NextProtoStatus | 756 SSLClientSocket::NextProtoStatus | 
| 755 SSLClientSocketMac::GetNextProto(std::string* proto) { | 757 SSLClientSocketMac::GetNextProto(std::string* proto) { | 
| 756   proto->clear(); | 758   proto->clear(); | 
| 757   return kNextProtoUnsupported; | 759   return kNextProtoUnsupported; | 
| 805   status = SSLSetIOFuncs(ssl_context_, SSLReadCallback, SSLWriteCallback); | 807   status = SSLSetIOFuncs(ssl_context_, SSLReadCallback, SSLWriteCallback); | 
| 806   if (status) | 808   if (status) | 
| 807     return NetErrorFromOSStatus(status); | 809     return NetErrorFromOSStatus(status); | 
| 808 | 810 | 
| 809   status = SSLSetConnection(ssl_context_, this); | 811   status = SSLSetConnection(ssl_context_, this); | 
| 810   if (status) | 812   if (status) | 
| 811     return NetErrorFromOSStatus(status); | 813     return NetErrorFromOSStatus(status); | 
| 812 | 814 | 
| 813   // Passing the domain name enables the server_name TLS extension (SNI). | 815   // Passing the domain name enables the server_name TLS extension (SNI). | 
| 814   status = SSLSetPeerDomainName(ssl_context_, | 816   status = SSLSetPeerDomainName(ssl_context_, | 
| 815                                 hostname_.data(), | 817                                 host_and_port_.host().data(), | 
| 816                                 hostname_.length()); | 818                                 host_and_port_.host().length()); | 
| 817   if (status) | 819   if (status) | 
| 818     return NetErrorFromOSStatus(status); | 820     return NetErrorFromOSStatus(status); | 
| 819 | 821 | 
| 820   // Disable certificate verification within Secure Transport; we'll | 822   // Disable certificate verification within Secure Transport; we'll | 
| 821   // be handling that ourselves. | 823   // be handling that ourselves. | 
| 822   status = SSLSetEnableCertVerify(ssl_context_, false); | 824   status = SSLSetEnableCertVerify(ssl_context_, false); | 
| 823   if (status) | 825   if (status) | 
| 824     return NetErrorFromOSStatus(status); | 826     return NetErrorFromOSStatus(status); | 
| 825 | 827 | 
| 826   if (ssl_config_.send_client_cert) { | 828   if (ssl_config_.send_client_cert) { | 
| 827     status = SetClientCert(); | 829     status = SetClientCert(); | 
| 828     if (status) | 830     if (status) | 
| 829       return NetErrorFromOSStatus(status); | 831       return NetErrorFromOSStatus(status); | 
| 830     return OK; | 832     return OK; | 
| 831   } | 833   } | 
| 832 | 834 | 
| 833   // Concatenate the hostname and peer address to use as the peer ID. To | 835   // Concatenate the hostname and peer address to use as the peer ID. To | 
| 834   // resume a session, we must connect to the same server on the same port | 836   // resume a session, we must connect to the same server on the same port | 
| 835   // using the same hostname (i.e., localhost and 127.0.0.1 are considered | 837   // using the same hostname (i.e., localhost and 127.0.0.1 are considered | 
| 836   // different peers, which puts us through certificate validation again | 838   // different peers, which puts us through certificate validation again | 
| 837   // and catches hostname/certificate name mismatches. | 839   // and catches hostname/certificate name mismatches. | 
| 838   AddressList address; | 840   AddressList address; | 
| 839   int rv = transport_->socket()->GetPeerAddress(&address); | 841   int rv = transport_->socket()->GetPeerAddress(&address); | 
| 840   if (rv != OK) | 842   if (rv != OK) | 
| 841     return rv; | 843     return rv; | 
| 842   const struct addrinfo* ai = address.head(); | 844   const struct addrinfo* ai = address.head(); | 
| 843   std::string peer_id(hostname_); | 845   std::string peer_id(host_and_port_.ToString()); | 
| 844   peer_id += std::string(reinterpret_cast<char*>(ai->ai_addr), | 846   peer_id += std::string(reinterpret_cast<char*>(ai->ai_addr), | 
| 845                          ai->ai_addrlen); | 847                          ai->ai_addrlen); | 
| 846 |  | 
| 847   // SSLSetPeerID() treats peer_id as a binary blob, and makes its | 848   // SSLSetPeerID() treats peer_id as a binary blob, and makes its | 
| 848   // own copy. | 849   // own copy. | 
| 849   status = SSLSetPeerID(ssl_context_, peer_id.data(), peer_id.length()); | 850   status = SSLSetPeerID(ssl_context_, peer_id.data(), peer_id.length()); | 
| 850   if (status) | 851   if (status) | 
| 851     return NetErrorFromOSStatus(status); | 852     return NetErrorFromOSStatus(status); | 
| 852 | 853 | 
| 853   return OK; | 854   return OK; | 
| 854 } | 855 } | 
| 855 | 856 | 
| 856 void SSLClientSocketMac::DoConnectCallback(int rv) { | 857 void SSLClientSocketMac::DoConnectCallback(int rv) { | 
| 1056 | 1057 | 
| 1057   DCHECK(server_cert_); | 1058   DCHECK(server_cert_); | 
| 1058 | 1059 | 
| 1059   VLOG(1) << "DoVerifyCert..."; | 1060   VLOG(1) << "DoVerifyCert..."; | 
| 1060   int flags = 0; | 1061   int flags = 0; | 
| 1061   if (ssl_config_.rev_checking_enabled) | 1062   if (ssl_config_.rev_checking_enabled) | 
| 1062     flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED; | 1063     flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED; | 
| 1063   if (ssl_config_.verify_ev_cert) | 1064   if (ssl_config_.verify_ev_cert) | 
| 1064     flags |= X509Certificate::VERIFY_EV_CERT; | 1065     flags |= X509Certificate::VERIFY_EV_CERT; | 
| 1065   verifier_.reset(new CertVerifier); | 1066   verifier_.reset(new CertVerifier); | 
| 1066   return verifier_->Verify(server_cert_, hostname_, flags, | 1067   return verifier_->Verify(server_cert_, host_and_port_.host(), flags, | 
| 1067                            &server_cert_verify_result_, | 1068                            &server_cert_verify_result_, | 
| 1068                            &handshake_io_callback_); | 1069                            &handshake_io_callback_); | 
| 1069 } | 1070 } | 
| 1070 | 1071 | 
| 1071 int SSLClientSocketMac::DoVerifyCertComplete(int result) { | 1072 int SSLClientSocketMac::DoVerifyCertComplete(int result) { | 
| 1072   DCHECK(verifier_.get()); | 1073   DCHECK(verifier_.get()); | 
| 1073   verifier_.reset(); | 1074   verifier_.reset(); | 
| 1074 | 1075 | 
| 1075   VLOG(1) << "...DoVerifyCertComplete (result=" << result << ")"; | 1076   VLOG(1) << "...DoVerifyCertComplete (result=" << result << ")"; | 
| 1076   if (IsCertificateError(result) && ssl_config_.IsAllowedBadCert(server_cert_)) | 1077   if (IsCertificateError(result) && ssl_config_.IsAllowedBadCert(server_cert_)) | 
| 1318   if (rv < 0 && rv != ERR_IO_PENDING) { | 1319   if (rv < 0 && rv != ERR_IO_PENDING) { | 
| 1319     us->write_io_buf_ = NULL; | 1320     us->write_io_buf_ = NULL; | 
| 1320     return OSStatusFromNetError(rv); | 1321     return OSStatusFromNetError(rv); | 
| 1321   } | 1322   } | 
| 1322 | 1323 | 
| 1323   // always lie to our caller | 1324   // always lie to our caller | 
| 1324   return noErr; | 1325   return noErr; | 
| 1325 } | 1326 } | 
| 1326 | 1327 | 
| 1327 }  // namespace net | 1328 }  // namespace net | 
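Review bot: The session-resumption peer ID at new lines 844-847 reads `ai->ai_addr` and `ai->ai_addrlen` from `address.head()` without checking that `ai` is non-null; whether GetPeerAddress() can return OK with an empty AddressList is not visible here, but a one-line guard before the append (`if (!ai) return ERR_UNEXPECTED;`, or whichever net error this file uses for an impossible state) is cheap insurance on a path that feeds an opaque key into SSLSetPeerID. The comment block above it (new lines 835-839) still describes the key as "the hostname and peer address", but the new side now prepends `host_and_port_.ToString()`, so I would reword the first line to `// Concatenate the host:port string and the raw peer sockaddr to use as the peer ID.` so the next reader sees that the port is deliberately part of the resumption key. The resumption key is also set only on the path without a client certificate (the early `return OK` after SetClientCert at new line 832), which is worth a comment there (e.g. `// No peer ID when sending a client cert: do not resume sessions that were authenticated with a client identity.`) if that is the intent, since nothing in the hunk states it. Separately, the TODO at new lines 747-748 has a security dimension: `cert_request_info->host_and_port` records host:port, but `GetSSLClientCertificates` is keyed on `host()` alone, so any per-host client-certificate selection state would be shared by different services on different ports of the same host. The enclosing function begins before this hunk.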