Chromium Code Reviews Chromium Code Reviews
Issue 4339001:
Correctly handle SSL Client Authentication requests when connecting... (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket_mac.h" | 5 #include "net/socket/ssl_client_socket_mac.h" |
| 6 | 6 |
| 7 #include <CoreServices/CoreServices.h> | 7 #include <CoreServices/CoreServices.h> |
| 8 #include <netdb.h> | 8 #include <netdb.h> |
| 9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
| 10 #include <sys/types.h> | 10 #include <sys/types.h> |
| 11 | 11 |
| 12 #include <algorithm> | 12 #include <algorithm> |
| 13 | 13 |
| 14 #include "base/mac/scoped_cftyperef.h" | 14 #include "base/mac/scoped_cftyperef.h" |
| 15 #include "base/singleton.h" | 15 #include "base/singleton.h" |
| 16 #include "base/string_util.h" | 16 #include "base/string_util.h" |
| 17 #include "net/base/address_list.h" | 17 #include "net/base/address_list.h" |
| 18 #include "net/base/cert_verifier.h" | 18 #include "net/base/cert_verifier.h" |
| 19 #include "net/base/host_port_pair.h" | |
| 19 #include "net/base/io_buffer.h" | 20 #include "net/base/io_buffer.h" |
| 20 #include "net/base/net_errors.h" | 21 #include "net/base/net_errors.h" |
| 21 #include "net/base/net_log.h" | 22 #include "net/base/net_log.h" |
| 22 #include "net/base/ssl_cert_request_info.h" | 23 #include "net/base/ssl_cert_request_info.h" |
| 23 #include "net/base/ssl_connection_status_flags.h" | 24 #include "net/base/ssl_connection_status_flags.h" |
| 24 #include "net/base/ssl_info.h" | 25 #include "net/base/ssl_info.h" |
| 25 #include "net/socket/client_socket_handle.h" | 26 #include "net/socket/client_socket_handle.h" |
| 26 #include "net/socket/ssl_error_params.h" | 27 #include "net/socket/ssl_error_params.h" |
| 27 | 28 |
| 28 // Welcome to Mac SSL. We've been waiting for you. | 29 // Welcome to Mac SSL. We've been waiting for you. |
| (...skipping 480 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 509 if (ShouldEnableCipherSuite(supported_ciphers[i])) | 510 if (ShouldEnableCipherSuite(supported_ciphers[i])) |
| 510 ciphers_.push_back(supported_ciphers[i]); | 511 ciphers_.push_back(supported_ciphers[i]); |
| 511 } | 512 } |
| 512 } | 513 } |
| 513 | 514 |
| 514 } // namespace | 515 } // namespace |
| 515 | 516 |
| 516 //----------------------------------------------------------------------------- | 517 //----------------------------------------------------------------------------- |
| 517 | 518 |
| 518 SSLClientSocketMac::SSLClientSocketMac(ClientSocketHandle* transport_socket, | 519 SSLClientSocketMac::SSLClientSocketMac(ClientSocketHandle* transport_socket, |
| 519 const std::string& hostname, | 520 const HostPortPair& host_and_port, |
| 520 const SSLConfig& ssl_config) | 521 const SSLConfig& ssl_config) |
| 521 : handshake_io_callback_(this, &SSLClientSocketMac::OnHandshakeIOComplete), | 522 : handshake_io_callback_(this, &SSLClientSocketMac::OnHandshakeIOComplete), |
| 522 transport_read_callback_(this, | 523 transport_read_callback_(this, |
| 523 &SSLClientSocketMac::OnTransportReadComplete), | 524 &SSLClientSocketMac::OnTransportReadComplete), |
| 524 transport_write_callback_(this, | 525 transport_write_callback_(this, |
| 525 &SSLClientSocketMac::OnTransportWriteComplete), | 526 &SSLClientSocketMac::OnTransportWriteComplete), |
| 526 transport_(transport_socket), | 527 transport_(transport_socket), |
| 527 hostname_(hostname), | 528 host_and_port_(host_and_port), |
| 528 ssl_config_(ssl_config), | 529 ssl_config_(ssl_config), |
| 529 user_connect_callback_(NULL), | 530 user_connect_callback_(NULL), |
| 530 user_read_callback_(NULL), | 531 user_read_callback_(NULL), |
| 531 user_write_callback_(NULL), | 532 user_write_callback_(NULL), |
| 532 user_read_buf_len_(0), | 533 user_read_buf_len_(0), |
| 533 user_write_buf_len_(0), | 534 user_write_buf_len_(0), |
| 534 next_handshake_state_(STATE_NONE), | 535 next_handshake_state_(STATE_NONE), |
| 535 renegotiating_(false), | 536 renegotiating_(false), |
| 536 client_cert_requested_(false), | 537 client_cert_requested_(false), |
| 537 ssl_context_(NULL), | 538 ssl_context_(NULL), |
| (...skipping 197 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 735 CertPrincipal p; | 736 CertPrincipal p; |
| 736 if (p.ParseDistinguishedName(CFDataGetBytePtr(issuer), | 737 if (p.ParseDistinguishedName(CFDataGetBytePtr(issuer), |
| 737 CFDataGetLength(issuer))) { | 738 CFDataGetLength(issuer))) { |
| 738 valid_issuers.push_back(p); | 739 valid_issuers.push_back(p); |
| 739 } | 740 } |
| 740 } | 741 } |
| 741 CFRelease(valid_issuer_names); | 742 CFRelease(valid_issuer_names); |
| 742 } | 743 } |
| 743 | 744 |
| 744 // Now get the available client certs whose issuers are allowed by the server. | 745 // Now get the available client certs whose issuers are allowed by the server. |
| 745 cert_request_info->host_and_port = hostname_; | 746 cert_request_info->host_and_port = host_and_port_.ToString(); |
| 746 cert_request_info->client_certs.clear(); | 747 cert_request_info->client_certs.clear(); |
| 747 X509Certificate::GetSSLClientCertificates(hostname_, | 748 // TODO(rch): we should consider passing a host-port pair as the first |
| 749 // argument to X509Certificate::GetSSLClientCertificates. | |
| 750 X509Certificate::GetSSLClientCertificates(host_and_port.host(), | |
| 748 valid_issuers, | 751 valid_issuers, |
| 749 &cert_request_info->client_certs); | 752 &cert_request_info->client_certs); |
| 750 VLOG(1) << "Asking user to choose between " | 753 VLOG(1) << "Asking user to choose between " |
| 751 << cert_request_info->client_certs.size() << " client certs..."; | 754 << cert_request_info->client_certs.size() << " client certs..."; |
| 752 } | 755 } |
| 753 | 756 |
| 754 SSLClientSocket::NextProtoStatus | 757 SSLClientSocket::NextProtoStatus |
| 755 SSLClientSocketMac::GetNextProto(std::string* proto) { | 758 SSLClientSocketMac::GetNextProto(std::string* proto) { |
| 756 proto->clear(); | 759 proto->clear(); |
| 757 return kNextProtoUnsupported; | 760 return kNextProtoUnsupported; |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 805 status = SSLSetIOFuncs(ssl_context_, SSLReadCallback, SSLWriteCallback); | 808 status = SSLSetIOFuncs(ssl_context_, SSLReadCallback, SSLWriteCallback); |
| 806 if (status) | 809 if (status) |
| 807 return NetErrorFromOSStatus(status); | 810 return NetErrorFromOSStatus(status); |
| 808 | 811 |
| 809 status = SSLSetConnection(ssl_context_, this); | 812 status = SSLSetConnection(ssl_context_, this); |
| 810 if (status) | 813 if (status) |
| 811 return NetErrorFromOSStatus(status); | 814 return NetErrorFromOSStatus(status); |
| 812 | 815 |
| 813 // Passing the domain name enables the server_name TLS extension (SNI). | 816 // Passing the domain name enables the server_name TLS extension (SNI). |
| 814 status = SSLSetPeerDomainName(ssl_context_, | 817 status = SSLSetPeerDomainName(ssl_context_, |
| 815 hostname_.data(), | 818 host_and_port_.host()_.data(), |
|
wtc
2010/11/12 00:12:55
Typo: extra '_'
Ryan Hamilton
2010/11/12 00:47:30
Done.
| |
| 816 hostname_.length()); | 819 host_and_port_.host().length()); |
| 817 if (status) | 820 if (status) |
| 818 return NetErrorFromOSStatus(status); | 821 return NetErrorFromOSStatus(status); |
| 819 | 822 |
| 820 // Disable certificate verification within Secure Transport; we'll | 823 // Disable certificate verification within Secure Transport; we'll |
| 821 // be handling that ourselves. | 824 // be handling that ourselves. |
| 822 status = SSLSetEnableCertVerify(ssl_context_, false); | 825 status = SSLSetEnableCertVerify(ssl_context_, false); |
| 823 if (status) | 826 if (status) |
| 824 return NetErrorFromOSStatus(status); | 827 return NetErrorFromOSStatus(status); |
| 825 | 828 |
| 826 if (ssl_config_.send_client_cert) { | 829 if (ssl_config_.send_client_cert) { |
| 827 status = SetClientCert(); | 830 status = SetClientCert(); |
| 828 if (status) | 831 if (status) |
| 829 return NetErrorFromOSStatus(status); | 832 return NetErrorFromOSStatus(status); |
| 830 return OK; | 833 return OK; |
| 831 } | 834 } |
| 832 | 835 |
| 833 // Concatenate the hostname and peer address to use as the peer ID. To | 836 // Concatenate the hostname and peer address to use as the peer ID. To |
| 834 // resume a session, we must connect to the same server on the same port | 837 // resume a session, we must connect to the same server on the same port |
| 835 // using the same hostname (i.e., localhost and 127.0.0.1 are considered | 838 // using the same hostname (i.e., localhost and 127.0.0.1 are considered |
| 836 // different peers, which puts us through certificate validation again | 839 // different peers, which puts us through certificate validation again |
| 837 // and catches hostname/certificate name mismatches. | 840 // and catches hostname/certificate name mismatches. |
| 838 AddressList address; | 841 AddressList address; |
| 839 int rv = transport_->socket()->GetPeerAddress(&address); | 842 int rv = transport_->socket()->GetPeerAddress(&address); |
| 840 if (rv != OK) | 843 if (rv != OK) |
| 841 return rv; | 844 return rv; |
| 842 const struct addrinfo* ai = address.head(); | 845 const struct addrinfo* ai = address.head(); |
| 843 std::string peer_id(hostname_); | 846 std::string peer_id(host_and_port_.host()); |
|
wtc
2010/11/12 00:12:55
BUG: this should say
std::string peer_id(host_an
Ryan Hamilton
2010/11/12 00:47:30
Done.
| |
| 844 peer_id += std::string(reinterpret_cast<char*>(ai->ai_addr), | 847 peer_id += std::string(reinterpret_cast<char*>(ai->ai_addr), |
| 845 ai->ai_addrlen); | 848 ai->ai_addrlen); |
| 846 | 849 peer_id += host_and_port_.port(); |
| 847 // SSLSetPeerID() treats peer_id as a binary blob, and makes its | 850 // SSLSetPeerID() treats peer_id as a binary blob, and makes its |
| 848 // own copy. | 851 // own copy. |
| 849 status = SSLSetPeerID(ssl_context_, peer_id.data(), peer_id.length()); | 852 status = SSLSetPeerID(ssl_context_, peer_id.data(), peer_id.length()); |
| 850 if (status) | 853 if (status) |
| 851 return NetErrorFromOSStatus(status); | 854 return NetErrorFromOSStatus(status); |
| 852 | 855 |
| 853 return OK; | 856 return OK; |
| 854 } | 857 } |
| 855 | 858 |
| 856 void SSLClientSocketMac::DoConnectCallback(int rv) { | 859 void SSLClientSocketMac::DoConnectCallback(int rv) { |
| (...skipping 199 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1056 | 1059 |
| 1057 DCHECK(server_cert_); | 1060 DCHECK(server_cert_); |
| 1058 | 1061 |
| 1059 VLOG(1) << "DoVerifyCert..."; | 1062 VLOG(1) << "DoVerifyCert..."; |
| 1060 int flags = 0; | 1063 int flags = 0; |
| 1061 if (ssl_config_.rev_checking_enabled) | 1064 if (ssl_config_.rev_checking_enabled) |
| 1062 flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED; | 1065 flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED; |
| 1063 if (ssl_config_.verify_ev_cert) | 1066 if (ssl_config_.verify_ev_cert) |
| 1064 flags |= X509Certificate::VERIFY_EV_CERT; | 1067 flags |= X509Certificate::VERIFY_EV_CERT; |
| 1065 verifier_.reset(new CertVerifier); | 1068 verifier_.reset(new CertVerifier); |
| 1066 return verifier_->Verify(server_cert_, hostname_, flags, | 1069 return verifier_->Verify(server_cert_, host_and_port_.host(), flags, |
| 1067 &server_cert_verify_result_, | 1070 &server_cert_verify_result_, |
| 1068 &handshake_io_callback_); | 1071 &handshake_io_callback_); |
| 1069 } | 1072 } |
| 1070 | 1073 |
| 1071 int SSLClientSocketMac::DoVerifyCertComplete(int result) { | 1074 int SSLClientSocketMac::DoVerifyCertComplete(int result) { |
| 1072 DCHECK(verifier_.get()); | 1075 DCHECK(verifier_.get()); |
| 1073 verifier_.reset(); | 1076 verifier_.reset(); |
| 1074 | 1077 |
| 1075 VLOG(1) << "...DoVerifyCertComplete (result=" << result << ")"; | 1078 VLOG(1) << "...DoVerifyCertComplete (result=" << result << ")"; |
| 1076 if (IsCertificateError(result) && ssl_config_.IsAllowedBadCert(server_cert_)) | 1079 if (IsCertificateError(result) && ssl_config_.IsAllowedBadCert(server_cert_)) |
| (...skipping 241 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1318 if (rv < 0 && rv != ERR_IO_PENDING) { | 1321 if (rv < 0 && rv != ERR_IO_PENDING) { |
| 1319 us->write_io_buf_ = NULL; | 1322 us->write_io_buf_ = NULL; |
| 1320 return OSStatusFromNetError(rv); | 1323 return OSStatusFromNetError(rv); |
| 1321 } | 1324 } |
| 1322 | 1325 |
| 1323 // always lie to our caller | 1326 // always lie to our caller |
| 1324 return noErr; | 1327 return noErr; |
| 1325 } | 1328 } |
| 1326 | 1329 |
| 1327 } // namespace net | 1330 } // namespace net |
| OLD | NEW |
