OLD | NEW |
---|---|
1 // Copyright (c) 2008-2009 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2008-2009 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket_mac.h" | 5 #include "net/socket/ssl_client_socket_mac.h" |
6 | 6 |
7 #include <CoreServices/CoreServices.h> | 7 #include <CoreServices/CoreServices.h> |
8 #include <netdb.h> | 8 #include <netdb.h> |
9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
10 #include <sys/types.h> | 10 #include <sys/types.h> |
(...skipping 80 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
91 // value indicates an error, a zero return value indicates end-of-stream (for | 91 // value indicates an error, a zero return value indicates end-of-stream (for |
92 // reads), and a positive return value indicates the number of bytes read or | 92 // reads), and a positive return value indicates the number of bytes read or |
93 // written. Thus, many functions start off with |if (result < 0) return | 93 // written. Thus, many functions start off with |if (result < 0) return |
94 // result;|. That gets the error condition out of the way, and from that point | 94 // result;|. That gets the error condition out of the way, and from that point |
95 // forward the result can be treated as a length. | 95 // forward the result can be treated as a length. |
96 | 96 |
97 namespace net { | 97 namespace net { |
98 | 98 |
99 namespace { | 99 namespace { |
100 | 100 |
101 // You can change this to LOG(WARNING) during development. | |
102 #define SSL_LOG LOG(INFO) << "SSL: " | |
103 | |
101 #if MAC_OS_X_VERSION_MAX_ALLOWED <= MAC_OS_X_VERSION_10_5 | 104 #if MAC_OS_X_VERSION_MAX_ALLOWED <= MAC_OS_X_VERSION_10_5 |
102 // Declarations needed to call the 10.5.7 and later SSLSetSessionOption() | 105 // Declarations needed to call the 10.5.7 and later SSLSetSessionOption() |
103 // function when building with the 10.5.0 SDK. | 106 // function when building with the 10.5.0 SDK. |
104 typedef enum { | 107 typedef enum { |
105 kSSLSessionOptionBreakOnServerAuth, | 108 kSSLSessionOptionBreakOnServerAuth, |
106 kSSLSessionOptionBreakOnCertRequested, | 109 kSSLSessionOptionBreakOnCertRequested, |
107 } SSLSessionOption; | 110 } SSLSessionOption; |
108 | 111 |
109 enum { | 112 enum { |
110 errSSLServerAuthCompleted = -9841, | 113 errSSLServerAuthCompleted = -9841, |
(...skipping 431 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
542 return rv; | 545 return rv; |
543 } | 546 } |
544 | 547 |
545 void SSLClientSocketMac::Disconnect() { | 548 void SSLClientSocketMac::Disconnect() { |
546 completed_handshake_ = false; | 549 completed_handshake_ = false; |
547 | 550 |
548 if (ssl_context_) { | 551 if (ssl_context_) { |
549 SSLClose(ssl_context_); | 552 SSLClose(ssl_context_); |
550 SSLDisposeContext(ssl_context_); | 553 SSLDisposeContext(ssl_context_); |
551 ssl_context_ = NULL; | 554 ssl_context_ = NULL; |
555 SSL_LOG << "----- Disposed SSLContext"; | |
552 } | 556 } |
553 | 557 |
554 // Shut down anything that may call us back. | 558 // Shut down anything that may call us back. |
555 verifier_.reset(); | 559 verifier_.reset(); |
556 transport_->Disconnect(); | 560 transport_->Disconnect(); |
557 } | 561 } |
558 | 562 |
559 bool SSLClientSocketMac::IsConnected() const { | 563 bool SSLClientSocketMac::IsConnected() const { |
560 // Ideally, we should also check if we have received the close_notify alert | 564 // Ideally, we should also check if we have received the close_notify alert |
561 // message from the server, and return false in that case. We're not doing | 565 // message from the server, and return false in that case. We're not doing |
(...skipping 81 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
643 // security info | 647 // security info |
644 SSLCipherSuite suite; | 648 SSLCipherSuite suite; |
645 OSStatus status = SSLGetNegotiatedCipher(ssl_context_, &suite); | 649 OSStatus status = SSLGetNegotiatedCipher(ssl_context_, &suite); |
646 if (!status) | 650 if (!status) |
647 ssl_info->security_bits = KeySizeOfCipherSuite(suite); | 651 ssl_info->security_bits = KeySizeOfCipherSuite(suite); |
648 } | 652 } |
649 | 653 |
650 void SSLClientSocketMac::GetSSLCertRequestInfo( | 654 void SSLClientSocketMac::GetSSLCertRequestInfo( |
651 SSLCertRequestInfo* cert_request_info) { | 655 SSLCertRequestInfo* cert_request_info) { |
652 // I'm being asked for available client certs (identities). | 656 // I'm being asked for available client certs (identities). |
657 | |
658 CFArrayRef allowed_issuer_names = NULL; | |
659 if (SSLCopyDistinguishedNames(ssl_context_, &allowed_issuer_names) == noErr && | |
660 allowed_issuer_names != NULL) { | |
661 SSL_LOG << "Server has " << CFArrayGetCount(allowed_issuer_names) | |
662 << " allowed issuer names"; | |
wtc
2010/03/16 00:42:48
Nit: please align "<<" with the first "<<" on the
| |
663 CFRelease(allowed_issuer_names); | |
664 // TODO(snej): Filter GetSSLClientCertificates using this array. | |
665 } | |
666 | |
653 cert_request_info->host_and_port = hostname_; | 667 cert_request_info->host_and_port = hostname_; |
654 cert_request_info->client_certs.clear(); | 668 cert_request_info->client_certs.clear(); |
655 X509Certificate::GetSSLClientCertificates(hostname_, | 669 X509Certificate::GetSSLClientCertificates(hostname_, |
656 &cert_request_info->client_certs); | 670 &cert_request_info->client_certs); |
671 SSL_LOG << "Asking user to choose between " | |
672 << cert_request_info->client_certs.size() << " client certs..."; | |
657 } | 673 } |
658 | 674 |
659 SSLClientSocket::NextProtoStatus | 675 SSLClientSocket::NextProtoStatus |
660 SSLClientSocketMac::GetNextProto(std::string* proto) { | 676 SSLClientSocketMac::GetNextProto(std::string* proto) { |
661 proto->clear(); | 677 proto->clear(); |
662 return kNextProtoUnsupported; | 678 return kNextProtoUnsupported; |
663 } | 679 } |
664 | 680 |
665 int SSLClientSocketMac::InitializeSSLContext() { | 681 int SSLClientSocketMac::InitializeSSLContext() { |
682 SSL_LOG << "----- InitializeSSLContext"; | |
666 OSStatus status = noErr; | 683 OSStatus status = noErr; |
667 | 684 |
668 status = SSLNewContext(false, &ssl_context_); | 685 status = SSLNewContext(false, &ssl_context_); |
669 if (status) | 686 if (status) |
670 return NetErrorFromOSStatus(status); | 687 return NetErrorFromOSStatus(status); |
671 | 688 |
672 status = SSLSetProtocolVersionEnabled(ssl_context_, | 689 status = SSLSetProtocolVersionEnabled(ssl_context_, |
673 kSSLProtocol2, | 690 kSSLProtocol2, |
674 ssl_config_.ssl2_enabled); | 691 ssl_config_.ssl2_enabled); |
675 if (status) | 692 if (status) |
(...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
732 // the session would be cached before we verified the certificate, leaving | 749 // the session would be cached before we verified the certificate, leaving |
733 // the potential for a session in which the certificate failed to validate | 750 // the potential for a session in which the certificate failed to validate |
734 // to still be able to be resumed. | 751 // to still be able to be resumed. |
735 static SSLSetSessionOptionFuncPtr ssl_set_session_options = | 752 static SSLSetSessionOptionFuncPtr ssl_set_session_options = |
736 LookupFunction<SSLSetSessionOptionFuncPtr>(CFSTR("com.apple.security"), | 753 LookupFunction<SSLSetSessionOptionFuncPtr>(CFSTR("com.apple.security"), |
737 CFSTR("SSLSetSessionOption")); | 754 CFSTR("SSLSetSessionOption")); |
738 if (ssl_set_session_options && !ssl_config_.send_client_cert) { | 755 if (ssl_set_session_options && !ssl_config_.send_client_cert) { |
739 status = ssl_set_session_options(ssl_context_, | 756 status = ssl_set_session_options(ssl_context_, |
740 kSSLSessionOptionBreakOnServerAuth, | 757 kSSLSessionOptionBreakOnServerAuth, |
741 true); | 758 true); |
742 if (!status) | 759 if (!status) { |
760 SSL_LOG << "Setting kSSLSessionOptionBreakOnCertRequested"; | |
743 status = ssl_set_session_options(ssl_context_, | 761 status = ssl_set_session_options(ssl_context_, |
744 kSSLSessionOptionBreakOnCertRequested, | 762 kSSLSessionOptionBreakOnCertRequested, |
745 true); | 763 true); |
764 } | |
746 if (status) | 765 if (status) |
747 return NetErrorFromOSStatus(status); | 766 return NetErrorFromOSStatus(status); |
748 | 767 |
749 // Concatenate the hostname and peer address to use as the peer ID. To | 768 // Concatenate the hostname and peer address to use as the peer ID. To |
750 // resume a session, we must connect to the same server on the same port | 769 // resume a session, we must connect to the same server on the same port |
751 // using the same hostname (i.e., localhost and 127.0.0.1 are considered | 770 // using the same hostname (i.e., localhost and 127.0.0.1 are considered |
752 // different peers, which puts us through certificate validation again | 771 // different peers, which puts us through certificate validation again |
753 // and catches hostname/certificate name mismatches. | 772 // and catches hostname/certificate name mismatches. |
754 AddressList address; | 773 AddressList address; |
755 int rv = transport_->GetPeerAddress(&address); | 774 int rv = transport_->GetPeerAddress(&address); |
756 if (rv != OK) | 775 if (rv != OK) |
757 return rv; | 776 return rv; |
758 const struct addrinfo* ai = address.head(); | 777 const struct addrinfo* ai = address.head(); |
759 std::string peer_id(hostname_); | 778 std::string peer_id(hostname_); |
760 peer_id += std::string(reinterpret_cast<char*>(ai->ai_addr), | 779 peer_id += std::string(reinterpret_cast<char*>(ai->ai_addr), |
761 ai->ai_addrlen); | 780 ai->ai_addrlen); |
762 | 781 |
763 // SSLSetPeerID() treats peer_id as a binary blob, and makes its | 782 // SSLSetPeerID() treats peer_id as a binary blob, and makes its |
764 // own copy. | 783 // own copy. |
765 status = SSLSetPeerID(ssl_context_, peer_id.data(), peer_id.length()); | 784 status = SSLSetPeerID(ssl_context_, peer_id.data(), peer_id.length()); |
766 if (status) | 785 if (status) |
767 return NetErrorFromOSStatus(status); | 786 return NetErrorFromOSStatus(status); |
768 } else { | 787 } else if (ssl_config_.send_client_cert) { |
769 // If I have a cert, set it up-front, otherwise the server may try to get | 788 // If I have a cert, set it up-front, otherwise the server may try to get |
770 // it later by renegotiating, which SecureTransport doesn't support well. | 789 // it later by renegotiating, which SecureTransport doesn't support well. |
790 SSL_LOG << "Setting client cert in advance because send_client_cert is set"; | |
771 status = SetClientCert(); | 791 status = SetClientCert(); |
772 if (status) | 792 if (status) |
773 return NetErrorFromOSStatus(status); | 793 return NetErrorFromOSStatus(status); |
774 } | 794 } |
775 | 795 |
776 return OK; | 796 return OK; |
777 } | 797 } |
778 | 798 |
779 void SSLClientSocketMac::DoConnectCallback(int rv) { | 799 void SSLClientSocketMac::DoConnectCallback(int rv) { |
780 DCHECK(rv != ERR_IO_PENDING); | 800 DCHECK(rv != ERR_IO_PENDING); |
(...skipping 115 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
896 rv = ERR_UNEXPECTED; | 916 rv = ERR_UNEXPECTED; |
897 NOTREACHED() << "unexpected state"; | 917 NOTREACHED() << "unexpected state"; |
898 break; | 918 break; |
899 } | 919 } |
900 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE); | 920 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE); |
901 return rv; | 921 return rv; |
902 } | 922 } |
903 | 923 |
904 int SSLClientSocketMac::DoHandshakeStart() { | 924 int SSLClientSocketMac::DoHandshakeStart() { |
905 OSStatus status = SSLHandshake(ssl_context_); | 925 OSStatus status = SSLHandshake(ssl_context_); |
906 if (status == errSSLWouldBlock) | |
907 next_handshake_state_ = STATE_HANDSHAKE_START; | |
908 | 926 |
909 if (status == noErr || status == errSSLServerAuthCompleted) { | 927 switch (status) { |
910 // TODO(hawk): we verify the certificate chain even on resumed sessions | 928 case errSSLWouldBlock: |
911 // so that we have the certificate status (valid, expired but overridden | 929 next_handshake_state_ = STATE_HANDSHAKE_START; |
912 // by the user, EV, etc.) available. Eliminate this step once we have | 930 break; |
913 // a certificate validation result cache. | 931 |
914 next_handshake_state_ = STATE_VERIFY_CERT; | 932 case noErr: |
915 if (status == errSSLServerAuthCompleted) { | 933 // TODO(hawk): we verify the certificate chain even on resumed sessions |
934 // so that we have the certificate status (valid, expired but overridden | |
935 // by the user, EV, etc.) available. Eliminate this step once we have | |
936 // a certificate validation result cache. (Also applies to the | |
937 // errSSLServerAuthCompleted case below.) | |
938 next_handshake_state_ = STATE_VERIFY_CERT; | |
939 break; | |
940 | |
941 case errSSLServerAuthCompleted: | |
916 // Override errSSLServerAuthCompleted as it's not actually an error, | 942 // Override errSSLServerAuthCompleted as it's not actually an error, |
917 // but rather an indication that we're only half way through the | 943 // but rather an indication that we're only half way through the |
918 // handshake. | 944 // handshake. |
945 SSL_LOG << "Server auth completed (DoHandshakeStart)"; | |
946 next_handshake_state_ = STATE_VERIFY_CERT; | |
919 handshake_interrupted_ = true; | 947 handshake_interrupted_ = true; |
920 status = noErr; | 948 status = noErr; |
921 } | 949 break; |
922 } | |
923 | 950 |
924 if (status == errSSLClosedGraceful) { | 951 case errSSLClientCertRequested: |
wtc
2010/03/16 00:42:48
IMPORTANT:
1. Please document that if we get errS
Jens Alfke
2010/03/16 18:50:10
No, because we always abort the connection in this
| |
925 // The server unexpectedly closed on us. | 952 SSL_LOG << "Received client cert request in DoHandshakeStart"; |
926 return ERR_SSL_PROTOCOL_ERROR; | 953 // If we knew the client cert, we would have set it already in |
954 // InitializeSSLContext, instead of asking for this callback. | |
955 // So tell the caller that we need a client cert. | |
956 DCHECK(!ssl_config_.send_client_cert); | |
957 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | |
958 | |
959 case errSSLClosedGraceful: | |
960 // The server unexpectedly closed on us. | |
961 return ERR_SSL_PROTOCOL_ERROR; | |
927 } | 962 } |
928 | 963 |
929 int net_error = NetErrorFromOSStatus(status); | 964 int net_error = NetErrorFromOSStatus(status); |
930 if (status == noErr || IsCertificateError(net_error)) { | 965 if (status == noErr || IsCertificateError(net_error)) { |
931 server_cert_ = GetServerCert(ssl_context_); | 966 server_cert_ = GetServerCert(ssl_context_); |
932 if (!server_cert_) | 967 if (!server_cert_) |
933 return ERR_UNEXPECTED; | 968 return ERR_UNEXPECTED; |
934 } | 969 } |
935 return net_error; | 970 return net_error; |
936 } | 971 } |
937 | 972 |
938 int SSLClientSocketMac::DoVerifyCert() { | 973 int SSLClientSocketMac::DoVerifyCert() { |
939 next_handshake_state_ = STATE_VERIFY_CERT_COMPLETE; | 974 next_handshake_state_ = STATE_VERIFY_CERT_COMPLETE; |
940 | 975 |
941 if (!server_cert_) | 976 if (!server_cert_) |
942 return ERR_UNEXPECTED; | 977 return ERR_UNEXPECTED; |
943 | 978 |
979 SSL_LOG << "DoVerifyCert..."; | |
944 int flags = 0; | 980 int flags = 0; |
945 if (ssl_config_.rev_checking_enabled) | 981 if (ssl_config_.rev_checking_enabled) |
946 flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED; | 982 flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED; |
947 if (ssl_config_.verify_ev_cert) | 983 if (ssl_config_.verify_ev_cert) |
948 flags |= X509Certificate::VERIFY_EV_CERT; | 984 flags |= X509Certificate::VERIFY_EV_CERT; |
949 verifier_.reset(new CertVerifier); | 985 verifier_.reset(new CertVerifier); |
950 return verifier_->Verify(server_cert_, hostname_, flags, | 986 return verifier_->Verify(server_cert_, hostname_, flags, |
951 &server_cert_verify_result_, | 987 &server_cert_verify_result_, |
952 &handshake_io_callback_); | 988 &handshake_io_callback_); |
953 } | 989 } |
954 | 990 |
955 int SSLClientSocketMac::DoVerifyCertComplete(int result) { | 991 int SSLClientSocketMac::DoVerifyCertComplete(int result) { |
956 DCHECK(verifier_.get()); | 992 DCHECK(verifier_.get()); |
957 verifier_.reset(); | 993 verifier_.reset(); |
958 | 994 |
995 SSL_LOG << "...DoVerifyCertComplete (result=" << result << ")"; | |
959 if (IsCertificateError(result) && ssl_config_.IsAllowedBadCert(server_cert_)) | 996 if (IsCertificateError(result) && ssl_config_.IsAllowedBadCert(server_cert_)) |
960 result = OK; | 997 result = OK; |
961 | 998 |
962 if (handshake_interrupted_) { | 999 if (handshake_interrupted_) { |
963 // With session resumption enabled the full handshake (i.e., the handshake | 1000 // With session resumption enabled the full handshake (i.e., the handshake |
964 // in a non-resumed session) occurs in two steps. Continue on to the second | 1001 // in a non-resumed session) occurs in two steps. Continue on to the second |
965 // step if the certificate is OK. | 1002 // step if the certificate is OK. |
966 if (result == OK) | 1003 if (result == OK) |
967 next_handshake_state_ = STATE_HANDSHAKE_FINISH; | 1004 next_handshake_state_ = STATE_HANDSHAKE_FINISH; |
968 } else { | 1005 } else { |
969 // If the session was resumed or session resumption was disabled, we're | 1006 // If the session was resumed or session resumption was disabled, we're |
970 // done with the handshake. | 1007 // done with the handshake. |
1008 SSL_LOG << "Handshake finished! (DoVerifyCertComplete)"; | |
971 completed_handshake_ = true; | 1009 completed_handshake_ = true; |
972 DCHECK(next_handshake_state_ == STATE_NONE); | 1010 DCHECK(next_handshake_state_ == STATE_NONE); |
973 } | 1011 } |
974 | 1012 |
975 return result; | 1013 return result; |
976 } | 1014 } |
977 | 1015 |
978 int SSLClientSocketMac::SetClientCert() { | 1016 int SSLClientSocketMac::SetClientCert() { |
979 if (!ssl_config_.send_client_cert || !ssl_config_.client_cert) | 1017 if (!ssl_config_.send_client_cert || !ssl_config_.client_cert) |
980 return noErr; | 1018 return noErr; |
981 | 1019 |
982 scoped_cftyperef<CFArrayRef> cert_refs( | 1020 scoped_cftyperef<CFArrayRef> cert_refs( |
983 ssl_config_.client_cert->CreateClientCertificateChain()); | 1021 ssl_config_.client_cert->CreateClientCertificateChain()); |
1022 SSL_LOG << "SSLSetCertificate(" << CFArrayGetCount(cert_refs) << " certs)"; | |
984 OSStatus result = SSLSetCertificate(ssl_context_, cert_refs); | 1023 OSStatus result = SSLSetCertificate(ssl_context_, cert_refs); |
985 if (result) | 1024 if (result) |
986 LOG(ERROR) << "SSLSetCertificate returned OSStatus " << result; | 1025 LOG(ERROR) << "SSLSetCertificate returned OSStatus " << result; |
987 return result; | 1026 return result; |
988 } | 1027 } |
989 | 1028 |
990 int SSLClientSocketMac::DoHandshakeFinish() { | 1029 int SSLClientSocketMac::DoHandshakeFinish() { |
991 OSStatus status = SSLHandshake(ssl_context_); | 1030 OSStatus status = SSLHandshake(ssl_context_); |
992 | 1031 |
993 switch (status) { | 1032 switch (status) { |
994 case errSSLWouldBlock: | 1033 case errSSLWouldBlock: |
995 next_handshake_state_ = STATE_HANDSHAKE_FINISH; | 1034 next_handshake_state_ = STATE_HANDSHAKE_FINISH; |
996 break; | 1035 break; |
997 case errSSLClientCertRequested: | 1036 case errSSLClientCertRequested: |
998 status = SetClientCert(); | 1037 SSL_LOG << "Server requested client cert (DoHandshakeFinish)"; |
999 next_handshake_state_ = STATE_HANDSHAKE_FINISH; | 1038 // If we knew the client cert, we would have set it already in |
1000 break; | 1039 // InitializeSSLContext, instead of asking for this callback. |
1040 // So tell the caller that we need a client cert. | |
1041 DCHECK(!ssl_config_.send_client_cert); | |
1042 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | |
1001 case errSSLClosedGraceful: | 1043 case errSSLClosedGraceful: |
1002 return ERR_SSL_PROTOCOL_ERROR; | 1044 return ERR_SSL_PROTOCOL_ERROR; |
1003 case errSSLClosedAbort: | 1045 case errSSLClosedAbort: |
1004 case errSSLPeerHandshakeFail: { | 1046 case errSSLPeerHandshakeFail: { |
1005 // See if the server aborted due to client cert checking. | 1047 // See if the server aborted due to client cert checking. |
1006 SSLClientCertificateState client_state; | 1048 SSLClientCertificateState client_state; |
1007 if (SSLGetClientCertificateState(ssl_context_, &client_state) == noErr && | 1049 if (SSLGetClientCertificateState(ssl_context_, &client_state) == noErr && |
1008 client_state > kSSLClientCertNone) { | 1050 client_state > kSSLClientCertNone) { |
1009 if (client_state == kSSLClientCertRequested && | 1051 if (client_state == kSSLClientCertRequested && |
1010 !ssl_config_.send_client_cert) | 1052 !ssl_config_.send_client_cert) { |
1053 SSL_LOG << "Server requested SSL cert during handshake"; | |
1011 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 1054 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
1012 LOG(WARNING) << "Server aborted SSL handshake; client_state=" << | 1055 } |
1013 client_state; | 1056 LOG(WARNING) << "Server aborted SSL handshake; client_state=" |
1057 << client_state; | |
1014 return ERR_BAD_SSL_CLIENT_AUTH_CERT; | 1058 return ERR_BAD_SSL_CLIENT_AUTH_CERT; |
1015 } | 1059 } |
1016 break; | 1060 break; |
1017 } | 1061 } |
1018 case noErr: | 1062 case noErr: |
1063 SSL_LOG << "Handshake finished! (DoHandshakeFinish)"; | |
1019 completed_handshake_ = true; | 1064 completed_handshake_ = true; |
1020 DCHECK(next_handshake_state_ == STATE_NONE); | 1065 DCHECK(next_handshake_state_ == STATE_NONE); |
1021 break; | 1066 break; |
1022 default: | 1067 default: |
1023 break; | 1068 break; |
1024 } | 1069 } |
1025 | 1070 |
1026 return NetErrorFromOSStatus(status); | 1071 return NetErrorFromOSStatus(status); |
1027 } | 1072 } |
1028 | 1073 |
(...skipping 18 matching lines...) Expand all Loading... | |
1047 // TODO(wtc): Unless we have received the close_notify alert, we need to | 1092 // TODO(wtc): Unless we have received the close_notify alert, we need to |
1048 // return an error code indicating that the SSL connection ended | 1093 // return an error code indicating that the SSL connection ended |
1049 // uncleanly, a potential truncation attack. See http://crbug.com/18586. | 1094 // uncleanly, a potential truncation attack. See http://crbug.com/18586. |
1050 return OK; | 1095 return OK; |
1051 | 1096 |
1052 case errSSLServerAuthCompleted: | 1097 case errSSLServerAuthCompleted: |
1053 case errSSLClientCertRequested: | 1098 case errSSLClientCertRequested: |
1054 // Server wants to renegotiate, probably to ask for a client cert, | 1099 // Server wants to renegotiate, probably to ask for a client cert, |
1055 // but SecureTransport doesn't support renegotiation so we have to close. | 1100 // but SecureTransport doesn't support renegotiation so we have to close. |
1056 // Tell my caller the server wants a client cert so it can reconnect. | 1101 // Tell my caller the server wants a client cert so it can reconnect. |
1057 LOG(INFO) << "Server renegotiating for client cert; restarting..."; | 1102 SSL_LOG << "Server renegotiating; assuming it wants a client cert..."; |
1058 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 1103 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
1059 | 1104 |
1060 default: | 1105 default: |
1061 return NetErrorFromOSStatus(status); | 1106 return NetErrorFromOSStatus(status); |
1062 } | 1107 } |
1063 } | 1108 } |
1064 | 1109 |
1065 int SSLClientSocketMac::DoPayloadWrite() { | 1110 int SSLClientSocketMac::DoPayloadWrite() { |
1066 size_t processed = 0; | 1111 size_t processed = 0; |
1067 OSStatus status = SSLWrite(ssl_context_, | 1112 OSStatus status = SSLWrite(ssl_context_, |
(...skipping 104 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1172 if (rv < 0 && rv != ERR_IO_PENDING) { | 1217 if (rv < 0 && rv != ERR_IO_PENDING) { |
1173 us->write_io_buf_ = NULL; | 1218 us->write_io_buf_ = NULL; |
1174 return OSStatusFromNetError(rv); | 1219 return OSStatusFromNetError(rv); |
1175 } | 1220 } |
1176 | 1221 |
1177 // always lie to our caller | 1222 // always lie to our caller |
1178 return noErr; | 1223 return noErr; |
1179 } | 1224 } |
1180 | 1225 |
1181 } // namespace net | 1226 } // namespace net |
OLD | NEW |