OLD | NEW |
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
68 | 68 |
69 #include "base/compiler_specific.h" | 69 #include "base/compiler_specific.h" |
70 #include "base/logging.h" | 70 #include "base/logging.h" |
71 #include "base/metrics/histogram.h" | 71 #include "base/metrics/histogram.h" |
72 #include "base/nss_util.h" | 72 #include "base/nss_util.h" |
73 #include "base/singleton.h" | 73 #include "base/singleton.h" |
74 #include "base/string_number_conversions.h" | 74 #include "base/string_number_conversions.h" |
75 #include "base/string_util.h" | 75 #include "base/string_util.h" |
76 #include "base/stringprintf.h" | 76 #include "base/stringprintf.h" |
77 #include "base/threading/thread_restrictions.h" | 77 #include "base/threading/thread_restrictions.h" |
| 78 #include "base/utf_string_conversions.h" |
78 #include "base/values.h" | 79 #include "base/values.h" |
79 #include "net/base/address_list.h" | 80 #include "net/base/address_list.h" |
80 #include "net/base/cert_status_flags.h" | 81 #include "net/base/cert_status_flags.h" |
81 #include "net/base/cert_verifier.h" | 82 #include "net/base/cert_verifier.h" |
82 #include "net/base/connection_type_histograms.h" | 83 #include "net/base/connection_type_histograms.h" |
83 #include "net/base/dns_util.h" | 84 #include "net/base/dns_util.h" |
84 #include "net/base/dnsrr_resolver.h" | 85 #include "net/base/dnsrr_resolver.h" |
85 #include "net/base/dnssec_chain_verifier.h" | 86 #include "net/base/dnssec_chain_verifier.h" |
86 #include "net/base/io_buffer.h" | 87 #include "net/base/io_buffer.h" |
87 #include "net/base/net_errors.h" | 88 #include "net/base/net_errors.h" |
(...skipping 374 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
462 user_write_buf_len_(0), | 463 user_write_buf_len_(0), |
463 server_cert_nss_(NULL), | 464 server_cert_nss_(NULL), |
464 server_cert_verify_result_(NULL), | 465 server_cert_verify_result_(NULL), |
465 ssl_connection_status_(0), | 466 ssl_connection_status_(0), |
466 client_auth_cert_needed_(false), | 467 client_auth_cert_needed_(false), |
467 cert_verifier_(cert_verifier), | 468 cert_verifier_(cert_verifier), |
468 handshake_callback_called_(false), | 469 handshake_callback_called_(false), |
469 completed_handshake_(false), | 470 completed_handshake_(false), |
470 pseudo_connected_(false), | 471 pseudo_connected_(false), |
471 eset_mitm_detected_(false), | 472 eset_mitm_detected_(false), |
| 473 server_cert_needed_(true), |
472 predicted_cert_chain_correct_(false), | 474 predicted_cert_chain_correct_(false), |
473 peername_initialized_(false), | 475 peername_initialized_(false), |
474 dnssec_provider_(NULL), | 476 dnssec_provider_(NULL), |
475 next_handshake_state_(STATE_NONE), | 477 next_handshake_state_(STATE_NONE), |
476 nss_fd_(NULL), | 478 nss_fd_(NULL), |
477 nss_bufs_(NULL), | 479 nss_bufs_(NULL), |
478 net_log_(transport_socket->socket()->NetLog()), | 480 net_log_(transport_socket->socket()->NetLog()), |
479 predicted_npn_status_(kNextProtoUnsupported), | 481 predicted_npn_status_(kNextProtoUnsupported), |
480 predicted_npn_proto_used_(false), | 482 predicted_npn_proto_used_(false), |
481 ssl_host_info_(ssl_host_info), | 483 ssl_host_info_(ssl_host_info), |
482 dns_cert_checker_(dns_ctx) { | 484 dns_cert_checker_(dns_ctx) { |
483 EnterFunction(""); | 485 EnterFunction(""); |
484 } | 486 } |
485 | 487 |
486 SSLClientSocketNSS::~SSLClientSocketNSS() { | 488 SSLClientSocketNSS::~SSLClientSocketNSS() { |
487 EnterFunction(""); | 489 EnterFunction(""); |
488 Disconnect(); | 490 Disconnect(); |
489 LeaveFunction(""); | 491 LeaveFunction(""); |
490 } | 492 } |
491 | 493 |
492 // static | 494 // static |
493 void SSLClientSocketNSS::ClearSessionCache() { | 495 void SSLClientSocketNSS::ClearSessionCache() { |
494 SSL_ClearSessionCache(); | 496 SSL_ClearSessionCache(); |
495 } | 497 } |
496 | 498 |
497 void SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) { | 499 void SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) { |
498 EnterFunction(""); | 500 EnterFunction(""); |
499 ssl_info->Reset(); | 501 ssl_info->Reset(); |
500 | 502 |
501 if (!server_cert_) { | 503 if (!server_cert_ && server_cert_needed_) { |
502 LOG(DFATAL) << "!server_cert_"; | 504 LOG(DFATAL) << "!server_cert_ && server_cert_needed_"; |
503 return; | 505 return; |
504 } | 506 } |
505 | 507 |
506 ssl_info->cert_status = server_cert_verify_result_->cert_status; | |
507 DCHECK(server_cert_ != NULL); | |
508 ssl_info->cert = server_cert_; | |
509 ssl_info->connection_status = ssl_connection_status_; | 508 ssl_info->connection_status = ssl_connection_status_; |
| 509 if (server_cert_verify_result_) { |
| 510 ssl_info->cert_status = server_cert_verify_result_->cert_status; |
| 511 } |
| 512 if (server_cert_ != NULL) { |
| 513 ssl_info->cert = server_cert_; |
| 514 } |
| 515 if (ssl_config_.use_tls_auth && !authenticated_tls_username_.empty()) { |
| 516 ssl_info->tls_username = UTF8ToUTF16(authenticated_tls_username_); |
| 517 } |
510 | 518 |
511 PRUint16 cipher_suite = | 519 PRUint16 cipher_suite = |
512 SSLConnectionStatusToCipherSuite(ssl_connection_status_); | 520 SSLConnectionStatusToCipherSuite(ssl_connection_status_); |
513 SSLCipherSuiteInfo cipher_info; | 521 SSLCipherSuiteInfo cipher_info; |
514 SECStatus ok = SSL_GetCipherSuiteInfo(cipher_suite, | 522 SECStatus ok = SSL_GetCipherSuiteInfo(cipher_suite, |
515 &cipher_info, sizeof(cipher_info)); | 523 &cipher_info, sizeof(cipher_info)); |
516 if (ok == SECSuccess) { | 524 if (ok == SECSuccess) { |
517 ssl_info->security_bits = cipher_info.effectiveKeyBits; | 525 ssl_info->security_bits = cipher_info.effectiveKeyBits; |
518 } else { | 526 } else { |
519 ssl_info->security_bits = -1; | 527 ssl_info->security_bits = -1; |
(...skipping 384 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
904 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_SSL3"); | 912 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_SSL3"); |
905 return ERR_UNEXPECTED; | 913 return ERR_UNEXPECTED; |
906 } | 914 } |
907 | 915 |
908 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_TLS, ssl_config_.tls1_enabled); | 916 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_TLS, ssl_config_.tls1_enabled); |
909 if (rv != SECSuccess) { | 917 if (rv != SECSuccess) { |
910 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_TLS"); | 918 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_TLS"); |
911 return ERR_UNEXPECTED; | 919 return ERR_UNEXPECTED; |
912 } | 920 } |
913 | 921 |
914 for (std::vector<uint16>::const_iterator it = | |
915 ssl_config_.disabled_cipher_suites.begin(); | |
916 it != ssl_config_.disabled_cipher_suites.end(); ++it) { | |
917 // This will fail if the specified cipher is not implemented by NSS, but | |
918 // the failure is harmless. | |
919 SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE); | |
920 } | |
921 | |
922 #ifdef SSL_ENABLE_SESSION_TICKETS | 922 #ifdef SSL_ENABLE_SESSION_TICKETS |
923 // Support RFC 5077 | 923 // Support RFC 5077 |
924 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE); | 924 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE); |
925 if (rv != SECSuccess) { | 925 if (rv != SECSuccess) { |
926 LogFailedNSSFunction( | 926 LogFailedNSSFunction( |
927 net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS"); | 927 net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS"); |
928 } | 928 } |
929 #else | 929 #else |
930 #error "You need to install NSS-3.12 or later to build chromium" | 930 #error "You need to install NSS-3.12 or later to build chromium" |
931 #endif | 931 #endif |
(...skipping 90 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1022 rv = SSL_GetPlatformClientAuthDataHook(nss_fd_, PlatformClientAuthHandler, | 1022 rv = SSL_GetPlatformClientAuthDataHook(nss_fd_, PlatformClientAuthHandler, |
1023 this); | 1023 this); |
1024 #else | 1024 #else |
1025 rv = SSL_GetClientAuthDataHook(nss_fd_, ClientAuthHandler, this); | 1025 rv = SSL_GetClientAuthDataHook(nss_fd_, ClientAuthHandler, this); |
1026 #endif | 1026 #endif |
1027 if (rv != SECSuccess) { | 1027 if (rv != SECSuccess) { |
1028 LogFailedNSSFunction(net_log_, "SSL_GetClientAuthDataHook", ""); | 1028 LogFailedNSSFunction(net_log_, "SSL_GetClientAuthDataHook", ""); |
1029 return ERR_UNEXPECTED; | 1029 return ERR_UNEXPECTED; |
1030 } | 1030 } |
1031 | 1031 |
| 1032 if (ssl_config_.use_tls_auth) { |
| 1033 // Enable SRP ciphers, and disable non-SRP ciphers if we *require* TLS auth. |
| 1034 rv = SetCiphersForTLSAuth(true, ssl_config_.require_tls_auth); |
| 1035 if (rv != OK) |
| 1036 return rv; |
| 1037 |
| 1038 if (!ssl_config_.tls_username.empty() && |
| 1039 !ssl_config_.tls_password.empty()) { |
| 1040 LOG(WARNING) << "Using TLS-SRP as " << |
| 1041 ssl_config_.tls_username << " / " << ssl_config_.tls_password; |
| 1042 |
| 1043 rv = SSL_SetUserLogin(nss_fd_, |
| 1044 ssl_config_.tls_username.c_str(), |
| 1045 ssl_config_.tls_password.c_str()); |
| 1046 if (rv != SECSuccess) { |
| 1047 LogFailedNSSFunction(net_log_, "SSL_SetUserLogin", ""); |
| 1048 return ERR_UNEXPECTED; |
| 1049 } |
| 1050 } else |
| 1051 LOG(INFO) << "Using TLS-SRP with no username/password"; |
| 1052 } else { |
| 1053 // Disable SRP ciphers. |
| 1054 // TODO(sqs): this disable step should only be called if the SRP cipher |
| 1055 // suites are on by default. |
| 1056 rv = SetCiphersForTLSAuth(false, false); |
| 1057 if (rv != OK) |
| 1058 return rv; |
| 1059 } |
| 1060 |
| 1061 for (std::vector<uint16>::const_iterator it = |
| 1062 ssl_config_.disabled_cipher_suites.begin(); |
| 1063 it != ssl_config_.disabled_cipher_suites.end(); ++it) { |
| 1064 // This will fail if the specified cipher is not implemented by NSS, but |
| 1065 // the failure is harmless. |
| 1066 SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE); |
| 1067 } |
| 1068 |
1032 rv = SSL_HandshakeCallback(nss_fd_, HandshakeCallback, this); | 1069 rv = SSL_HandshakeCallback(nss_fd_, HandshakeCallback, this); |
1033 if (rv != SECSuccess) { | 1070 if (rv != SECSuccess) { |
1034 LogFailedNSSFunction(net_log_, "SSL_HandshakeCallback", ""); | 1071 LogFailedNSSFunction(net_log_, "SSL_HandshakeCallback", ""); |
1035 return ERR_UNEXPECTED; | 1072 return ERR_UNEXPECTED; |
1036 } | 1073 } |
1037 | 1074 |
1038 // Tell SSL the hostname we're trying to connect to. | 1075 // Tell SSL the hostname we're trying to connect to. |
1039 SSL_SetURL(nss_fd_, host_and_port_.host().c_str()); | 1076 SSL_SetURL(nss_fd_, host_and_port_.host().c_str()); |
1040 | 1077 |
1041 // Tell SSL we're a client; needed if not letting NSPR do socket I/O | 1078 // Tell SSL we're a client; needed if not letting NSPR do socket I/O |
1042 SSL_ResetHandshake(nss_fd_, 0); | 1079 SSL_ResetHandshake(nss_fd_, 0); |
1043 | 1080 |
1044 return OK; | 1081 return OK; |
1045 } | 1082 } |
1046 | 1083 |
| 1084 // Enables SRP ciphers if |set_srp_ciphers| is true; otherwise, disables SRP |
| 1085 // ciphers. If |disable_non_srp_ciphers| is true, then disable non-SRP ciphers; |
| 1086 // otherwise, leave them alone. |
| 1087 int SSLClientSocketNSS::SetCiphersForTLSAuth(bool set_srp_ciphers, |
| 1088 bool disable_non_srp_ciphers) { |
| 1089 int rv; |
| 1090 const PRUint16 *cipherSuites = SSL_GetImplementedCiphers(); |
| 1091 int numCiphers = SSL_GetNumImplementedCiphers(); |
| 1092 SSLCipherSuiteInfo info; |
| 1093 for (int i = 0; i < numCiphers; i++) { |
| 1094 PRUint16 suite = cipherSuites[i]; |
| 1095 rv = SSL_GetCipherSuiteInfo(suite, &info, sizeof(info)); |
| 1096 if (rv != SECSuccess) { |
| 1097 LogFailedNSSFunction(net_log_, "SSL_GetCipherSuiteInfo", ""); |
| 1098 return ERR_UNEXPECTED; |
| 1099 } |
| 1100 if (IsNSSCipherKEATypeSRP(info.keaType)) { |
| 1101 rv = SSL_CipherPrefSet(nss_fd_, suite, set_srp_ciphers); |
| 1102 } else if (disable_non_srp_ciphers) { |
| 1103 rv = SSL_CipherPrefSet(nss_fd_, suite, PR_FALSE); |
| 1104 } |
| 1105 if (rv != SECSuccess) { |
| 1106 LogFailedNSSFunction(net_log_, "SSL_CipherPrefSet", ""); |
| 1107 return ERR_UNEXPECTED; |
| 1108 } |
| 1109 } |
| 1110 return OK; |
| 1111 } |
| 1112 |
1047 int SSLClientSocketNSS::InitializeSSLPeerName() { | 1113 int SSLClientSocketNSS::InitializeSSLPeerName() { |
1048 // Tell NSS who we're connected to | 1114 // Tell NSS who we're connected to |
1049 AddressList peer_address; | 1115 AddressList peer_address; |
1050 int err = transport_->socket()->GetPeerAddress(&peer_address); | 1116 int err = transport_->socket()->GetPeerAddress(&peer_address); |
1051 if (err != OK) | 1117 if (err != OK) |
1052 return err; | 1118 return err; |
1053 | 1119 |
1054 const struct addrinfo* ai = peer_address.head(); | 1120 const struct addrinfo* ai = peer_address.head(); |
1055 | 1121 |
1056 PRNetAddr peername; | 1122 PRNetAddr peername; |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1089 server_cert_nss_ = SSL_PeerCertificate(nss_fd_); | 1155 server_cert_nss_ = SSL_PeerCertificate(nss_fd_); |
1090 if (server_cert_nss_) { | 1156 if (server_cert_nss_) { |
1091 PeerCertificateChain certs(nss_fd_); | 1157 PeerCertificateChain certs(nss_fd_); |
1092 server_cert_ = X509Certificate::CreateFromDERCertChain( | 1158 server_cert_ = X509Certificate::CreateFromDERCertChain( |
1093 certs.AsStringPieceVector()); | 1159 certs.AsStringPieceVector()); |
1094 } | 1160 } |
1095 } | 1161 } |
1096 return server_cert_; | 1162 return server_cert_; |
1097 } | 1163 } |
1098 | 1164 |
| 1165 // Sets tls_username_ and server_cert_needed_. |
| 1166 void SSLClientSocketNSS::UpdateAuth() { |
| 1167 if (ssl_config_.use_tls_auth) { |
| 1168 // Get the username that we actually authenticated with. |
| 1169 SECItem user; |
| 1170 SECStatus rv = SSL_GetChannelUsername(nss_fd_, &user); |
| 1171 if (rv != SECSuccess) { |
| 1172 LogFailedNSSFunction(net_log_, "SSL_GetChannelUsername", ""); |
| 1173 } else { |
| 1174 authenticated_tls_username_.assign(const_cast<char *>((char *)user.data), |
| 1175 (size_t)user.len); |
| 1176 SECITEM_FreeItem(&user, PR_FALSE); |
| 1177 } |
| 1178 DCHECK(authenticated_tls_username_ == ssl_config_.tls_username); |
| 1179 |
| 1180 // See whether this SRP cipher suite uses certs. |
| 1181 SSLChannelInfo channel_info; |
| 1182 SSLCipherSuiteInfo info; |
| 1183 rv = SSL_GetChannelInfo(nss_fd_, &channel_info, sizeof(channel_info)); |
| 1184 if (rv != SECSuccess) { |
| 1185 LogFailedNSSFunction(net_log_, "SSL_GetChannelInfo", ""); |
| 1186 return; |
| 1187 } |
| 1188 if (!channel_info.cipherSuite) { |
| 1189 LOG(WARNING) << "Couldn't get SSL channel cipher suite"; |
| 1190 return; |
| 1191 } |
| 1192 rv = SSL_GetCipherSuiteInfo(channel_info.cipherSuite, &info, sizeof(info)); |
| 1193 if (rv != SECSuccess) { |
| 1194 LogFailedNSSFunction(net_log_, "SSL_GetCipherSuiteInfo", ""); |
| 1195 return; |
| 1196 } |
| 1197 bool cipher_is_srp_no_certs = (info.keaType == ssl_kea_srp); |
| 1198 server_cert_needed_ = !cipher_is_srp_no_certs; |
| 1199 } |
| 1200 } |
| 1201 |
1099 // Sets ssl_connection_status_. | 1202 // Sets ssl_connection_status_. |
1100 void SSLClientSocketNSS::UpdateConnectionStatus() { | 1203 void SSLClientSocketNSS::UpdateConnectionStatus() { |
1101 SSLChannelInfo channel_info; | 1204 SSLChannelInfo channel_info; |
1102 SECStatus ok = SSL_GetChannelInfo(nss_fd_, | 1205 SECStatus ok = SSL_GetChannelInfo(nss_fd_, |
1103 &channel_info, sizeof(channel_info)); | 1206 &channel_info, sizeof(channel_info)); |
1104 if (ok == SECSuccess && | 1207 if (ok == SECSuccess && |
1105 channel_info.length == sizeof(channel_info) && | 1208 channel_info.length == sizeof(channel_info) && |
1106 channel_info.cipherSuite) { | 1209 channel_info.cipherSuite) { |
1107 ssl_connection_status_ |= | 1210 ssl_connection_status_ |= |
1108 (static_cast<int>(channel_info.cipherSuite) & | 1211 (static_cast<int>(channel_info.cipherSuite) & |
(...skipping 333 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1442 SECStatus rv = SSL_SetSnapStartApplicationData( | 1545 SECStatus rv = SSL_SetSnapStartApplicationData( |
1443 nss_fd_, reinterpret_cast<const unsigned char*>(user_write_buf_->data()), | 1546 nss_fd_, reinterpret_cast<const unsigned char*>(user_write_buf_->data()), |
1444 user_write_buf_len_); | 1547 user_write_buf_len_); |
1445 DCHECK_EQ(SECSuccess, rv); | 1548 DCHECK_EQ(SECSuccess, rv); |
1446 | 1549 |
1447 GotoState(STATE_HANDSHAKE); | 1550 GotoState(STATE_HANDSHAKE); |
1448 LeaveFunction(""); | 1551 LeaveFunction(""); |
1449 return OK; | 1552 return OK; |
1450 } | 1553 } |
1451 | 1554 |
| 1555 // TODO(sqs): this hangs if the server returns an unknown_psk_identity alert |
| 1556 // that is not fatal (that is a warning) |
1452 int SSLClientSocketNSS::DoHandshake() { | 1557 int SSLClientSocketNSS::DoHandshake() { |
1453 EnterFunction(""); | 1558 EnterFunction(""); |
1454 int net_error = net::OK; | 1559 int net_error = net::OK; |
1455 SECStatus rv = SSL_ForceHandshake(nss_fd_); | 1560 SECStatus rv = SSL_ForceHandshake(nss_fd_); |
1456 | 1561 |
1457 if (client_auth_cert_needed_) { | 1562 if (client_auth_cert_needed_) { |
1458 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 1563 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
1459 net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR, | 1564 net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
1460 make_scoped_refptr(new SSLErrorParams(net_error, 0))); | 1565 make_scoped_refptr(new SSLErrorParams(net_error, 0))); |
1461 // If the handshake already succeeded (because the server requests but | 1566 // If the handshake already succeeded (because the server requests but |
(...skipping 171 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1633 break; | 1738 break; |
1634 default: | 1739 default: |
1635 NOTREACHED(); | 1740 NOTREACHED(); |
1636 GotoState(STATE_VERIFY_CERT); | 1741 GotoState(STATE_VERIFY_CERT); |
1637 } | 1742 } |
1638 | 1743 |
1639 return OK; | 1744 return OK; |
1640 } | 1745 } |
1641 | 1746 |
1642 int SSLClientSocketNSS::DoVerifyCert(int result) { | 1747 int SSLClientSocketNSS::DoVerifyCert(int result) { |
| 1748 if (!server_cert_needed_) { |
| 1749 DCHECK(ssl_config_.use_tls_auth); |
| 1750 DCHECK(!ssl_config_.tls_username.empty()); |
| 1751 GotoState(STATE_VERIFY_CERT_COMPLETE); |
| 1752 return OK; |
| 1753 } |
| 1754 |
1643 DCHECK(server_cert_); | 1755 DCHECK(server_cert_); |
1644 | 1756 |
1645 GotoState(STATE_VERIFY_CERT_COMPLETE); | 1757 GotoState(STATE_VERIFY_CERT_COMPLETE); |
1646 start_cert_verification_time_ = base::TimeTicks::Now(); | 1758 start_cert_verification_time_ = base::TimeTicks::Now(); |
1647 | 1759 |
1648 if (ssl_host_info_.get() && !ssl_host_info_->state().certs.empty() && | 1760 if (ssl_host_info_.get() && !ssl_host_info_->state().certs.empty() && |
1649 predicted_cert_chain_correct_) { | 1761 predicted_cert_chain_correct_) { |
1650 // If the SSLHostInfo had a prediction for the certificate chain of this | 1762 // If the SSLHostInfo had a prediction for the certificate chain of this |
1651 // server then it will have optimistically started a verification of that | 1763 // server then it will have optimistically started a verification of that |
1652 // chain. So, if the prediction was correct, we should wait for that | 1764 // chain. So, if the prediction was correct, we should wait for that |
(...skipping 149 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1802 } | 1914 } |
1803 LeaveFunction(""); | 1915 LeaveFunction(""); |
1804 rv = HandleNSSError(prerr, false); | 1916 rv = HandleNSSError(prerr, false); |
1805 net_log_.AddEvent(NetLog::TYPE_SSL_WRITE_ERROR, | 1917 net_log_.AddEvent(NetLog::TYPE_SSL_WRITE_ERROR, |
1806 make_scoped_refptr(new SSLErrorParams(rv, prerr))); | 1918 make_scoped_refptr(new SSLErrorParams(rv, prerr))); |
1807 return rv; | 1919 return rv; |
1808 } | 1920 } |
1809 | 1921 |
1810 void SSLClientSocketNSS::LogConnectionTypeMetrics() const { | 1922 void SSLClientSocketNSS::LogConnectionTypeMetrics() const { |
1811 UpdateConnectionTypeHistograms(CONNECTION_SSL); | 1923 UpdateConnectionTypeHistograms(CONNECTION_SSL); |
1812 if (server_cert_verify_result_->has_md5) | 1924 |
1813 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5); | 1925 if (server_cert_verify_result_) { |
1814 if (server_cert_verify_result_->has_md2) | 1926 if (server_cert_verify_result_->has_md5) |
1815 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2); | 1927 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5); |
1816 if (server_cert_verify_result_->has_md4) | 1928 if (server_cert_verify_result_->has_md2) |
1817 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD4); | 1929 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2); |
1818 if (server_cert_verify_result_->has_md5_ca) | 1930 if (server_cert_verify_result_->has_md4) |
1819 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5_CA); | 1931 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD4); |
1820 if (server_cert_verify_result_->has_md2_ca) | 1932 if (server_cert_verify_result_->has_md5_ca) |
1821 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2_CA); | 1933 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5_CA); |
| 1934 if (server_cert_verify_result_->has_md2_ca) |
| 1935 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2_CA); |
| 1936 } |
| 1937 |
1822 int ssl_version = SSLConnectionStatusToVersion(ssl_connection_status_); | 1938 int ssl_version = SSLConnectionStatusToVersion(ssl_connection_status_); |
1823 switch (ssl_version) { | 1939 switch (ssl_version) { |
1824 case SSL_CONNECTION_VERSION_SSL2: | 1940 case SSL_CONNECTION_VERSION_SSL2: |
1825 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2); | 1941 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2); |
1826 break; | 1942 break; |
1827 case SSL_CONNECTION_VERSION_SSL3: | 1943 case SSL_CONNECTION_VERSION_SSL3: |
1828 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL3); | 1944 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL3); |
1829 break; | 1945 break; |
1830 case SSL_CONNECTION_VERSION_TLS1: | 1946 case SSL_CONNECTION_VERSION_TLS1: |
1831 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1); | 1947 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1); |
1832 break; | 1948 break; |
1833 case SSL_CONNECTION_VERSION_TLS1_1: | 1949 case SSL_CONNECTION_VERSION_TLS1_1: |
1834 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); | 1950 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); |
1835 break; | 1951 break; |
1836 case SSL_CONNECTION_VERSION_TLS1_2: | 1952 case SSL_CONNECTION_VERSION_TLS1_2: |
1837 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); | 1953 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); |
1838 break; | 1954 break; |
1839 }; | 1955 }; |
| 1956 |
| 1957 if (!authenticated_tls_username_.empty()) |
| 1958 UpdateConnectionTypeHistograms(CONNECTION_TLS_PASSWORD_AUTH); |
1840 } | 1959 } |
1841 | 1960 |
1842 // SaveSnapStartInfo extracts the information needed to perform a Snap Start | 1961 // SaveSnapStartInfo extracts the information needed to perform a Snap Start |
1843 // with this server in the future (if any) and tells |ssl_host_info_| to | 1962 // with this server in the future (if any) and tells |ssl_host_info_| to |
1844 // preserve it. | 1963 // preserve it. |
1845 void SSLClientSocketNSS::SaveSnapStartInfo() { | 1964 void SSLClientSocketNSS::SaveSnapStartInfo() { |
1846 if (!ssl_host_info_.get()) | 1965 if (!ssl_host_info_.get()) |
1847 return; | 1966 return; |
1848 | 1967 |
1849 // If the SSLHostInfo hasn't managed to load from disk yet then we can't save | 1968 // If the SSLHostInfo hasn't managed to load from disk yet then we can't save |
(...skipping 638 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2488 // NSS calls this when handshake is completed. | 2607 // NSS calls this when handshake is completed. |
2489 // After the SSL handshake is finished, use CertVerifier to verify | 2608 // After the SSL handshake is finished, use CertVerifier to verify |
2490 // the saved server certificate. | 2609 // the saved server certificate. |
2491 void SSLClientSocketNSS::HandshakeCallback(PRFileDesc* socket, | 2610 void SSLClientSocketNSS::HandshakeCallback(PRFileDesc* socket, |
2492 void* arg) { | 2611 void* arg) { |
2493 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); | 2612 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); |
2494 | 2613 |
2495 that->handshake_callback_called_ = true; | 2614 that->handshake_callback_called_ = true; |
2496 | 2615 |
2497 that->UpdateServerCert(); | 2616 that->UpdateServerCert(); |
| 2617 that->UpdateAuth(); |
2498 that->UpdateConnectionStatus(); | 2618 that->UpdateConnectionStatus(); |
2499 } | 2619 } |
2500 | 2620 |
2501 } // namespace net | 2621 } // namespace net |
OLD | NEW |