| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| (...skipping 364 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 375 // TODO(wtc,mattm): this is temporary while DBC support is changed into | 375 // TODO(wtc,mattm): this is temporary while DBC support is changed into |
| 376 // Channel ID. | 376 // Channel ID. |
| 377 return false; | 377 return false; |
| 378 } | 378 } |
| 379 | 379 |
| 380 void DestroyCertificates(CERTCertificate** certs, size_t len) { | 380 void DestroyCertificates(CERTCertificate** certs, size_t len) { |
| 381 for (size_t i = 0; i < len; i++) | 381 for (size_t i = 0; i < len; i++) |
| 382 CERT_DestroyCertificate(certs[i]); | 382 CERT_DestroyCertificate(certs[i]); |
| 383 } | 383 } |
| 384 | 384 |
| 385 // Helper functions to make it possible to log events from within the |
| 386 // SSLClientSocketNSS::Core. |
| 387 void AddLogEvent(BoundNetLog* net_log, NetLog::EventType event_type) { |
| 388 if (!net_log) |
| 389 return; |
| 390 net_log->AddEvent(event_type); |
| 391 } |
| 392 |
| 385 // Helper function to make it possible to log events from within the | 393 // Helper function to make it possible to log events from within the |
| 386 // SSLClientSocketNSS::Core. Can't use Bind with BoundNetLog::AddEntry directly | 394 // SSLClientSocketNSS::Core. |
| 387 // on Windows because it is overloaded. | |
| 388 // TODO(mmenke): Other than shutdown, NetLog is threadsafe. Figure out if this | |
| 389 // is needed. | |
| 390 void AddLogEventWithCallback(BoundNetLog* net_log, | 395 void AddLogEventWithCallback(BoundNetLog* net_log, |
| 391 NetLog::EventType event_type, | 396 NetLog::EventType event_type, |
| 392 const NetLog::ParametersCallback& callback) { | 397 const NetLog::ParametersCallback& callback) { |
| 393 if (!net_log) | 398 if (!net_log) |
| 394 return; | 399 return; |
| 395 net_log->AddEvent(event_type, callback); | 400 net_log->AddEvent(event_type, callback); |
| 396 } | 401 } |
| 397 | 402 |
| 398 // Helper functions to make it possible to log events from within the | |
| 399 // SSLClientSocketNSS::Core. Can't use Bind with BoundNetLog::AddEntry directly | |
| 400 // on Windows because it is overloaded. | |
| 401 // TODO(mmenke): This function is deprecated, delete it. | |
| 402 void AddLogEvent(BoundNetLog* net_log, | |
| 403 NetLog::EventType event_type, | |
| 404 const scoped_refptr<NetLog::EventParameters>& event_params) { | |
| 405 if (!net_log) | |
| 406 return; | |
| 407 net_log->AddEvent(event_type, event_params); | |
| 408 } | |
| 409 | |
| 410 // Helper function to make it easier to call BoundNetLog::AddByteTransferEvent | 403 // Helper function to make it easier to call BoundNetLog::AddByteTransferEvent |
| 411 // from within the SSLClientSocketNSS::Core. | 404 // from within the SSLClientSocketNSS::Core. |
| 412 // AddByteTransferEvent expects to receive a const char*, which within the | 405 // AddByteTransferEvent expects to receive a const char*, which within the |
| 413 // Core is backed by an IOBuffer. If the "const char*" is bound via | 406 // Core is backed by an IOBuffer. If the "const char*" is bound via |
| 414 // base::Bind and posted to another thread, and the IOBuffer that backs that | 407 // base::Bind and posted to another thread, and the IOBuffer that backs that |
| 415 // pointer then goes out of scope on the origin thread, this would result in | 408 // pointer then goes out of scope on the origin thread, this would result in |
| 416 // an invalid read of a stale pointer. | 409 // an invalid read of a stale pointer. |
| 417 // Instead, provide a signature that accepts an IOBuffer*, so that a reference | 410 // Instead, provide a signature that accepts an IOBuffer*, so that a reference |
| 418 // to the owning IOBuffer can be bound to the Callback. This ensures that the | 411 // to the owning IOBuffer can be bound to the Callback. This ensures that the |
| 419 // IOBuffer will stay alive long enough to cross threads if needed. | 412 // IOBuffer will stay alive long enough to cross threads if needed. |
| (...skipping 484 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 904 void OnHandshakeIOComplete(int result); | 897 void OnHandshakeIOComplete(int result); |
| 905 void BufferRecvComplete(IOBuffer* buffer, int result); | 898 void BufferRecvComplete(IOBuffer* buffer, int result); |
| 906 void BufferSendComplete(int result); | 899 void BufferSendComplete(int result); |
| 907 | 900 |
| 908 // PostOrRunCallback is a helper function to ensure that |callback| is | 901 // PostOrRunCallback is a helper function to ensure that |callback| is |
| 909 // invoked on the network task runner, but only if Detach() has not yet | 902 // invoked on the network task runner, but only if Detach() has not yet |
| 910 // been called. | 903 // been called. |
| 911 void PostOrRunCallback(const tracked_objects::Location& location, | 904 void PostOrRunCallback(const tracked_objects::Location& location, |
| 912 const base::Closure& callback); | 905 const base::Closure& callback); |
| 913 | 906 |
| 907 // Uses PostOrRunCallback and |weak_net_log_| to try and log a |
| 908 // SSL_CLIENT_CERT_PROVIDED event, with the indicated count. |
| 909 void AddCertProvidedEvent(int cert_count); |
| 910 |
| 914 //////////////////////////////////////////////////////////////////////////// | 911 //////////////////////////////////////////////////////////////////////////// |
| 915 // Members that are ONLY accessed on the network task runner: | 912 // Members that are ONLY accessed on the network task runner: |
| 916 //////////////////////////////////////////////////////////////////////////// | 913 //////////////////////////////////////////////////////////////////////////// |
| 917 | 914 |
| 918 // True if the owning SSLClientSocketNSS has called Detach(). No further | 915 // True if the owning SSLClientSocketNSS has called Detach(). No further |
| 919 // callbacks will be invoked nor access to members owned by the network | 916 // callbacks will be invoked nor access to members owned by the network |
| 920 // task runner. | 917 // task runner. |
| 921 bool detached_; | 918 bool detached_; |
| 922 | 919 |
| 923 // The underlying transport to use for network IO. | 920 // The underlying transport to use for network IO. |
| (...skipping 387 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1311 CERTCertList** result_certs, | 1308 CERTCertList** result_certs, |
| 1312 void** result_private_key, | 1309 void** result_private_key, |
| 1313 CERTCertificate** result_nss_certificate, | 1310 CERTCertificate** result_nss_certificate, |
| 1314 SECKEYPrivateKey** result_nss_private_key) { | 1311 SECKEYPrivateKey** result_nss_private_key) { |
| 1315 Core* core = reinterpret_cast<Core*>(arg); | 1312 Core* core = reinterpret_cast<Core*>(arg); |
| 1316 DCHECK(core->OnNSSTaskRunner()); | 1313 DCHECK(core->OnNSSTaskRunner()); |
| 1317 | 1314 |
| 1318 core->PostOrRunCallback( | 1315 core->PostOrRunCallback( |
| 1319 FROM_HERE, | 1316 FROM_HERE, |
| 1320 base::Bind(&AddLogEvent, core->weak_net_log_, | 1317 base::Bind(&AddLogEvent, core->weak_net_log_, |
| 1321 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, | 1318 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED)); |
| 1322 scoped_refptr<NetLog::EventParameters>())); | |
| 1323 | 1319 |
| 1324 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); | 1320 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); |
| 1325 | 1321 |
| 1326 // Check if a domain-bound certificate is requested. | 1322 // Check if a domain-bound certificate is requested. |
| 1327 if (DomainBoundCertNegotiated(socket)) { | 1323 if (DomainBoundCertNegotiated(socket)) { |
| 1328 return core->DomainBoundClientAuthHandler(cert_types, | 1324 return core->DomainBoundClientAuthHandler(cert_types, |
| 1329 result_nss_certificate, | 1325 result_nss_certificate, |
| 1330 result_nss_private_key); | 1326 result_nss_private_key); |
| 1331 } | 1327 } |
| 1332 | 1328 |
| (...skipping 22 matching lines...) Expand all Loading... |
| 1355 der_cert.data = cert_context->pbCertEncoded; | 1351 der_cert.data = cert_context->pbCertEncoded; |
| 1356 der_cert.len = cert_context->cbCertEncoded; | 1352 der_cert.len = cert_context->cbCertEncoded; |
| 1357 | 1353 |
| 1358 // TODO(rsleevi): Error checking for NSS allocation errors. | 1354 // TODO(rsleevi): Error checking for NSS allocation errors. |
| 1359 CERTCertDBHandle* db_handle = CERT_GetDefaultCertDB(); | 1355 CERTCertDBHandle* db_handle = CERT_GetDefaultCertDB(); |
| 1360 CERTCertificate* user_cert = CERT_NewTempCertificate( | 1356 CERTCertificate* user_cert = CERT_NewTempCertificate( |
| 1361 db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE); | 1357 db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE); |
| 1362 if (!user_cert) { | 1358 if (!user_cert) { |
| 1363 // Importing the certificate can fail for reasons including a serial | 1359 // Importing the certificate can fail for reasons including a serial |
| 1364 // number collision. See crbug.com/97355. | 1360 // number collision. See crbug.com/97355. |
| 1365 core->PostOrRunCallback( | 1361 core->AddCertProvidedEvent(0); |
| 1366 FROM_HERE, | |
| 1367 base::Bind(&AddLogEvent, core->weak_net_log_, | |
| 1368 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | |
| 1369 make_scoped_refptr( | |
| 1370 new NetLogIntegerParameter("cert_count", 0)))); | |
| 1371 return SECFailure; | 1362 return SECFailure; |
| 1372 } | 1363 } |
| 1373 CERTCertList* cert_chain = CERT_NewCertList(); | 1364 CERTCertList* cert_chain = CERT_NewCertList(); |
| 1374 CERT_AddCertToListTail(cert_chain, user_cert); | 1365 CERT_AddCertToListTail(cert_chain, user_cert); |
| 1375 | 1366 |
| 1376 // Add the intermediates. | 1367 // Add the intermediates. |
| 1377 X509Certificate::OSCertHandles intermediates = | 1368 X509Certificate::OSCertHandles intermediates = |
| 1378 core->ssl_config_.client_cert->GetIntermediateCertificates(); | 1369 core->ssl_config_.client_cert->GetIntermediateCertificates(); |
| 1379 for (X509Certificate::OSCertHandles::const_iterator it = | 1370 for (X509Certificate::OSCertHandles::const_iterator it = |
| 1380 intermediates.begin(); it != intermediates.end(); ++it) { | 1371 intermediates.begin(); it != intermediates.end(); ++it) { |
| 1381 der_cert.data = (*it)->pbCertEncoded; | 1372 der_cert.data = (*it)->pbCertEncoded; |
| 1382 der_cert.len = (*it)->cbCertEncoded; | 1373 der_cert.len = (*it)->cbCertEncoded; |
| 1383 | 1374 |
| 1384 CERTCertificate* intermediate = CERT_NewTempCertificate( | 1375 CERTCertificate* intermediate = CERT_NewTempCertificate( |
| 1385 db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE); | 1376 db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE); |
| 1386 if (!intermediate) { | 1377 if (!intermediate) { |
| 1387 CERT_DestroyCertList(cert_chain); | 1378 CERT_DestroyCertList(cert_chain); |
| 1388 core->PostOrRunCallback( | 1379 core->AddCertProvidedEvent(0); |
| 1389 FROM_HERE, | |
| 1390 base::Bind(&AddLogEvent, core->weak_net_log_, | |
| 1391 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | |
| 1392 make_scoped_refptr( | |
| 1393 new NetLogIntegerParameter("cert_count", 0)))); | |
| 1394 return SECFailure; | 1380 return SECFailure; |
| 1395 } | 1381 } |
| 1396 CERT_AddCertToListTail(cert_chain, intermediate); | 1382 CERT_AddCertToListTail(cert_chain, intermediate); |
| 1397 } | 1383 } |
| 1398 PCERT_KEY_CONTEXT key_context = reinterpret_cast<PCERT_KEY_CONTEXT>( | 1384 PCERT_KEY_CONTEXT key_context = reinterpret_cast<PCERT_KEY_CONTEXT>( |
| 1399 PORT_ZAlloc(sizeof(CERT_KEY_CONTEXT))); | 1385 PORT_ZAlloc(sizeof(CERT_KEY_CONTEXT))); |
| 1400 key_context->cbSize = sizeof(*key_context); | 1386 key_context->cbSize = sizeof(*key_context); |
| 1401 // NSS will free this context when no longer in use, but the | 1387 // NSS will free this context when no longer in use, but the |
| 1402 // |must_free| result from CryptAcquireCertificatePrivateKey was false | 1388 // |must_free| result from CryptAcquireCertificatePrivateKey was false |
| 1403 // so we increment the refcount to negate NSS's future decrement. | 1389 // so we increment the refcount to negate NSS's future decrement. |
| 1404 CryptContextAddRef(crypt_prov, NULL, 0); | 1390 CryptContextAddRef(crypt_prov, NULL, 0); |
| 1405 key_context->hCryptProv = crypt_prov; | 1391 key_context->hCryptProv = crypt_prov; |
| 1406 key_context->dwKeySpec = key_spec; | 1392 key_context->dwKeySpec = key_spec; |
| 1407 *result_private_key = key_context; | 1393 *result_private_key = key_context; |
| 1408 *result_certs = cert_chain; | 1394 *result_certs = cert_chain; |
| 1409 | 1395 |
| 1410 int cert_count = 1 + intermediates.size(); | 1396 int cert_count = 1 + intermediates.size(); |
| 1411 core->PostOrRunCallback( | 1397 core->AddCertProvidedEvent(cert_count); |
| 1412 FROM_HERE, | |
| 1413 base::Bind(&AddLogEvent, core->weak_net_log_, | |
| 1414 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | |
| 1415 make_scoped_refptr( | |
| 1416 new NetLogIntegerParameter("cert_count", | |
| 1417 cert_count)))); | |
| 1418 return SECSuccess; | 1398 return SECSuccess; |
| 1419 } | 1399 } |
| 1420 LOG(WARNING) << "Client cert found without private key"; | 1400 LOG(WARNING) << "Client cert found without private key"; |
| 1421 } | 1401 } |
| 1422 | 1402 |
| 1423 // Send no client certificate. | 1403 // Send no client certificate. |
| 1424 core->PostOrRunCallback( | 1404 core->AddCertProvidedEvent(0); |
| 1425 FROM_HERE, | |
| 1426 base::Bind(&AddLogEvent, core->weak_net_log_, | |
| 1427 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | |
| 1428 make_scoped_refptr( | |
| 1429 new NetLogIntegerParameter("cert_count", 0)))); | |
| 1430 return SECFailure; | 1405 return SECFailure; |
| 1431 } | 1406 } |
| 1432 | 1407 |
| 1433 core->nss_handshake_state_.client_certs.clear(); | 1408 core->nss_handshake_state_.client_certs.clear(); |
| 1434 | 1409 |
| 1435 std::vector<CERT_NAME_BLOB> issuer_list(ca_names->nnames); | 1410 std::vector<CERT_NAME_BLOB> issuer_list(ca_names->nnames); |
| 1436 for (int i = 0; i < ca_names->nnames; ++i) { | 1411 for (int i = 0; i < ca_names->nnames; ++i) { |
| 1437 issuer_list[i].cbData = ca_names->names[i].len; | 1412 issuer_list[i].cbData = ca_names->names[i].len; |
| 1438 issuer_list[i].pbData = ca_names->names[i].data; | 1413 issuer_list[i].pbData = ca_names->names[i].data; |
| 1439 } | 1414 } |
| 1440 | 1415 |
| 1441 // Client certificates of the user are in the "MY" system certificate store. | 1416 // Client certificates of the user are in the "MY" system certificate store. |
| 1442 HCERTSTORE my_cert_store = CertOpenSystemStore(NULL, L"MY"); | 1417 HCERTSTORE my_cert_store = CertOpenSystemStore(NULL, L"MY"); |
| 1443 if (!my_cert_store) { | 1418 if (!my_cert_store) { |
| 1444 PLOG(ERROR) << "Could not open the \"MY\" system certificate store"; | 1419 PLOG(ERROR) << "Could not open the \"MY\" system certificate store"; |
| 1445 | 1420 |
| 1446 core->PostOrRunCallback( | 1421 core->AddCertProvidedEvent(0); |
| 1447 FROM_HERE, | |
| 1448 base::Bind(&AddLogEvent, core->weak_net_log_, | |
| 1449 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | |
| 1450 make_scoped_refptr( | |
| 1451 new NetLogIntegerParameter("cert_count", 0)))); | |
| 1452 return SECFailure; | 1422 return SECFailure; |
| 1453 } | 1423 } |
| 1454 | 1424 |
| 1455 // Enumerate the client certificates. | 1425 // Enumerate the client certificates. |
| 1456 CERT_CHAIN_FIND_BY_ISSUER_PARA find_by_issuer_para; | 1426 CERT_CHAIN_FIND_BY_ISSUER_PARA find_by_issuer_para; |
| 1457 memset(&find_by_issuer_para, 0, sizeof(find_by_issuer_para)); | 1427 memset(&find_by_issuer_para, 0, sizeof(find_by_issuer_para)); |
| 1458 find_by_issuer_para.cbSize = sizeof(find_by_issuer_para); | 1428 find_by_issuer_para.cbSize = sizeof(find_by_issuer_para); |
| 1459 find_by_issuer_para.pszUsageIdentifier = szOID_PKIX_KP_CLIENT_AUTH; | 1429 find_by_issuer_para.pszUsageIdentifier = szOID_PKIX_KP_CLIENT_AUTH; |
| 1460 find_by_issuer_para.cIssuer = ca_names->nnames; | 1430 find_by_issuer_para.cIssuer = ca_names->nnames; |
| 1461 find_by_issuer_para.rgIssuer = ca_names->nnames ? &issuer_list[0] : NULL; | 1431 find_by_issuer_para.rgIssuer = ca_names->nnames ? &issuer_list[0] : NULL; |
| (...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1581 } | 1551 } |
| 1582 CERT_AddCertToListTail(*result_certs, nss_cert); | 1552 CERT_AddCertToListTail(*result_certs, nss_cert); |
| 1583 } | 1553 } |
| 1584 } | 1554 } |
| 1585 if (os_error == noErr) { | 1555 if (os_error == noErr) { |
| 1586 int cert_count = 0; | 1556 int cert_count = 0; |
| 1587 if (chain) { | 1557 if (chain) { |
| 1588 cert_count = CFArrayGetCount(chain); | 1558 cert_count = CFArrayGetCount(chain); |
| 1589 CFRelease(chain); | 1559 CFRelease(chain); |
| 1590 } | 1560 } |
| 1591 core->PostOrRunCallback( | 1561 core->AddCertProvidedEvent(cert_count); |
| 1592 FROM_HERE, | |
| 1593 base::Bind(&AddLogEvent, core->weak_net_log_, | |
| 1594 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | |
| 1595 make_scoped_refptr( | |
| 1596 new NetLogIntegerParameter("cert_count", | |
| 1597 cert_count)))); | |
| 1598 return SECSuccess; | 1562 return SECSuccess; |
| 1599 } | 1563 } |
| 1600 OSSTATUS_LOG(WARNING, os_error) | 1564 OSSTATUS_LOG(WARNING, os_error) |
| 1601 << "Client cert found, but could not be used"; | 1565 << "Client cert found, but could not be used"; |
| 1602 if (*result_certs) { | 1566 if (*result_certs) { |
| 1603 CERT_DestroyCertList(*result_certs); | 1567 CERT_DestroyCertList(*result_certs); |
| 1604 *result_certs = NULL; | 1568 *result_certs = NULL; |
| 1605 } | 1569 } |
| 1606 if (*result_private_key) | 1570 if (*result_private_key) |
| 1607 *result_private_key = NULL; | 1571 *result_private_key = NULL; |
| 1608 if (private_key) | 1572 if (private_key) |
| 1609 CFRelease(private_key); | 1573 CFRelease(private_key); |
| 1610 if (chain) | 1574 if (chain) |
| 1611 CFRelease(chain); | 1575 CFRelease(chain); |
| 1612 } | 1576 } |
| 1613 | 1577 |
| 1614 // Send no client certificate. | 1578 // Send no client certificate. |
| 1615 core->PostOrRunCallback( | 1579 core->AddCertProvidedEvent(0); |
| 1616 FROM_HERE, | |
| 1617 base::Bind(&AddLogEvent, core->weak_net_log_, | |
| 1618 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | |
| 1619 make_scoped_refptr( | |
| 1620 new NetLogIntegerParameter("cert_count", 0)))); | |
| 1621 return SECFailure; | 1580 return SECFailure; |
| 1622 } | 1581 } |
| 1623 | 1582 |
| 1624 core->nss_handshake_state_.client_certs.clear(); | 1583 core->nss_handshake_state_.client_certs.clear(); |
| 1625 | 1584 |
| 1626 // First, get the cert issuer names allowed by the server. | 1585 // First, get the cert issuer names allowed by the server. |
| 1627 std::vector<CertPrincipal> valid_issuers; | 1586 std::vector<CertPrincipal> valid_issuers; |
| 1628 int n = ca_names->nnames; | 1587 int n = ca_names->nnames; |
| 1629 for (int i = 0; i < n; i++) { | 1588 for (int i = 0; i < n; i++) { |
| 1630 // Parse each name into a CertPrincipal object. | 1589 // Parse each name into a CertPrincipal object. |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1663 PRFileDesc* socket, | 1622 PRFileDesc* socket, |
| 1664 CERTDistNames* ca_names, | 1623 CERTDistNames* ca_names, |
| 1665 CERTCertificate** result_certificate, | 1624 CERTCertificate** result_certificate, |
| 1666 SECKEYPrivateKey** result_private_key) { | 1625 SECKEYPrivateKey** result_private_key) { |
| 1667 Core* core = reinterpret_cast<Core*>(arg); | 1626 Core* core = reinterpret_cast<Core*>(arg); |
| 1668 DCHECK(core->OnNSSTaskRunner()); | 1627 DCHECK(core->OnNSSTaskRunner()); |
| 1669 | 1628 |
| 1670 core->PostOrRunCallback( | 1629 core->PostOrRunCallback( |
| 1671 FROM_HERE, | 1630 FROM_HERE, |
| 1672 base::Bind(&AddLogEvent, core->weak_net_log_, | 1631 base::Bind(&AddLogEvent, core->weak_net_log_, |
| 1673 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, | 1632 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED)); |
| 1674 scoped_refptr<NetLog::EventParameters>())); | |
| 1675 | 1633 |
| 1676 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); | 1634 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); |
| 1677 | 1635 |
| 1678 // Check if a domain-bound certificate is requested. | 1636 // Check if a domain-bound certificate is requested. |
| 1679 if (DomainBoundCertNegotiated(socket)) { | 1637 if (DomainBoundCertNegotiated(socket)) { |
| 1680 return core->DomainBoundClientAuthHandler( | 1638 return core->DomainBoundClientAuthHandler( |
| 1681 cert_types, result_certificate, result_private_key); | 1639 cert_types, result_certificate, result_private_key); |
| 1682 } | 1640 } |
| 1683 | 1641 |
| 1684 // Regular client certificate requested. | 1642 // Regular client certificate requested. |
| 1685 core->client_auth_cert_needed_ = !core->ssl_config_.send_client_cert; | 1643 core->client_auth_cert_needed_ = !core->ssl_config_.send_client_cert; |
| 1686 void* wincx = SSL_RevealPinArg(socket); | 1644 void* wincx = SSL_RevealPinArg(socket); |
| 1687 | 1645 |
| 1688 // Second pass: a client certificate should have been selected. | 1646 // Second pass: a client certificate should have been selected. |
| 1689 if (core->ssl_config_.send_client_cert) { | 1647 if (core->ssl_config_.send_client_cert) { |
| 1690 if (core->ssl_config_.client_cert) { | 1648 if (core->ssl_config_.client_cert) { |
| 1691 CERTCertificate* cert = CERT_DupCertificate( | 1649 CERTCertificate* cert = CERT_DupCertificate( |
| 1692 core->ssl_config_.client_cert->os_cert_handle()); | 1650 core->ssl_config_.client_cert->os_cert_handle()); |
| 1693 SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx); | 1651 SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx); |
| 1694 if (privkey) { | 1652 if (privkey) { |
| 1695 // TODO(jsorianopastor): We should wait for server certificate | 1653 // TODO(jsorianopastor): We should wait for server certificate |
| 1696 // verification before sending our credentials. See | 1654 // verification before sending our credentials. See |
| 1697 // http://crbug.com/13934. | 1655 // http://crbug.com/13934. |
| 1698 *result_certificate = cert; | 1656 *result_certificate = cert; |
| 1699 *result_private_key = privkey; | 1657 *result_private_key = privkey; |
| 1700 // A cert_count of -1 means the number of certificates is unknown. | 1658 // A cert_count of -1 means the number of certificates is unknown. |
| 1701 // NSS will construct the certificate chain. | 1659 // NSS will construct the certificate chain. |
| 1702 core->PostOrRunCallback( | 1660 core->AddCertProvidedEvent(-1); |
| 1703 FROM_HERE, | |
| 1704 base::Bind(&AddLogEvent, core->weak_net_log_, | |
| 1705 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | |
| 1706 make_scoped_refptr( | |
| 1707 new NetLogIntegerParameter("cert_count", -1)))); | |
| 1708 | 1661 |
| 1709 return SECSuccess; | 1662 return SECSuccess; |
| 1710 } | 1663 } |
| 1711 LOG(WARNING) << "Client cert found without private key"; | 1664 LOG(WARNING) << "Client cert found without private key"; |
| 1712 } | 1665 } |
| 1713 // Send no client certificate. | 1666 // Send no client certificate. |
| 1714 core->PostOrRunCallback( | 1667 core->AddCertProvidedEvent(0); |
| 1715 FROM_HERE, | |
| 1716 base::Bind(&AddLogEvent, core->weak_net_log_, | |
| 1717 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | |
| 1718 make_scoped_refptr( | |
| 1719 new NetLogIntegerParameter("cert_count", 0)))); | |
| 1720 return SECFailure; | 1668 return SECFailure; |
| 1721 } | 1669 } |
| 1722 | 1670 |
| 1723 core->nss_handshake_state_.client_certs.clear(); | 1671 core->nss_handshake_state_.client_certs.clear(); |
| 1724 | 1672 |
| 1725 // Iterate over all client certificates. | 1673 // Iterate over all client certificates. |
| 1726 CERTCertList* client_certs = CERT_FindUserCertsByUsage( | 1674 CERTCertList* client_certs = CERT_FindUserCertsByUsage( |
| 1727 CERT_GetDefaultCertDB(), certUsageSSLClient, | 1675 CERT_GetDefaultCertDB(), certUsageSSLClient, |
| 1728 PR_FALSE, PR_FALSE, wincx); | 1676 PR_FALSE, PR_FALSE, wincx); |
| 1729 if (client_certs) { | 1677 if (client_certs) { |
| (...skipping 227 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1957 DCHECK_EQ(STATE_NONE, next_handshake_state_); | 1905 DCHECK_EQ(STATE_NONE, next_handshake_state_); |
| 1958 | 1906 |
| 1959 if (result < 0) | 1907 if (result < 0) |
| 1960 return result; | 1908 return result; |
| 1961 | 1909 |
| 1962 if (!nss_bufs_) { | 1910 if (!nss_bufs_) { |
| 1963 LOG(DFATAL) << "!nss_bufs_"; | 1911 LOG(DFATAL) << "!nss_bufs_"; |
| 1964 int rv = ERR_UNEXPECTED; | 1912 int rv = ERR_UNEXPECTED; |
| 1965 PostOrRunCallback( | 1913 PostOrRunCallback( |
| 1966 FROM_HERE, | 1914 FROM_HERE, |
| 1967 base::Bind(&AddLogEvent, weak_net_log_, | 1915 base::Bind(&AddLogEventWithCallback, weak_net_log_, |
| 1968 NetLog::TYPE_SSL_READ_ERROR, | 1916 NetLog::TYPE_SSL_READ_ERROR, |
| 1969 make_scoped_refptr(new SSLErrorParams(rv, 0)))); | 1917 CreateNetLogSSLErrorCallback(rv, 0))); |
| 1970 return rv; | 1918 return rv; |
| 1971 } | 1919 } |
| 1972 | 1920 |
| 1973 bool network_moved; | 1921 bool network_moved; |
| 1974 int rv; | 1922 int rv; |
| 1975 do { | 1923 do { |
| 1976 rv = DoPayloadRead(); | 1924 rv = DoPayloadRead(); |
| 1977 network_moved = DoTransportIO(); | 1925 network_moved = DoTransportIO(); |
| 1978 } while (rv == ERR_IO_PENDING && network_moved); | 1926 } while (rv == ERR_IO_PENDING && network_moved); |
| 1979 | 1927 |
| 1980 return rv; | 1928 return rv; |
| 1981 } | 1929 } |
| 1982 | 1930 |
| 1983 int SSLClientSocketNSS::Core::DoWriteLoop(int result) { | 1931 int SSLClientSocketNSS::Core::DoWriteLoop(int result) { |
| 1984 DCHECK(OnNSSTaskRunner()); | 1932 DCHECK(OnNSSTaskRunner()); |
| 1985 DCHECK(handshake_callback_called_); | 1933 DCHECK(handshake_callback_called_); |
| 1986 DCHECK_EQ(STATE_NONE, next_handshake_state_); | 1934 DCHECK_EQ(STATE_NONE, next_handshake_state_); |
| 1987 | 1935 |
| 1988 if (result < 0) | 1936 if (result < 0) |
| 1989 return result; | 1937 return result; |
| 1990 | 1938 |
| 1991 if (!nss_bufs_) { | 1939 if (!nss_bufs_) { |
| 1992 LOG(DFATAL) << "!nss_bufs_"; | 1940 LOG(DFATAL) << "!nss_bufs_"; |
| 1993 int rv = ERR_UNEXPECTED; | 1941 int rv = ERR_UNEXPECTED; |
| 1994 PostOrRunCallback( | 1942 PostOrRunCallback( |
| 1995 FROM_HERE, | 1943 FROM_HERE, |
| 1996 base::Bind(&AddLogEvent, weak_net_log_, | 1944 base::Bind(&AddLogEventWithCallback, weak_net_log_, |
| 1997 NetLog::TYPE_SSL_READ_ERROR, | 1945 NetLog::TYPE_SSL_READ_ERROR, |
| 1998 make_scoped_refptr(new SSLErrorParams(rv, 0)))); | 1946 CreateNetLogSSLErrorCallback(rv, 0))); |
| 1999 return rv; | 1947 return rv; |
| 2000 } | 1948 } |
| 2001 | 1949 |
| 2002 bool network_moved; | 1950 bool network_moved; |
| 2003 int rv; | 1951 int rv; |
| 2004 do { | 1952 do { |
| 2005 rv = DoPayloadWrite(); | 1953 rv = DoPayloadWrite(); |
| 2006 network_moved = DoTransportIO(); | 1954 network_moved = DoTransportIO(); |
| 2007 } while (rv == ERR_IO_PENDING && network_moved); | 1955 } while (rv == ERR_IO_PENDING && network_moved); |
| 2008 | 1956 |
| (...skipping 12 matching lines...) Expand all Loading... |
| 2021 // code so that the higher level code will attempt to delete the socket and | 1969 // code so that the higher level code will attempt to delete the socket and |
| 2022 // redo the handshake. | 1970 // redo the handshake. |
| 2023 if (client_auth_cert_needed_) { | 1971 if (client_auth_cert_needed_) { |
| 2024 if (domain_bound_cert_xtn_negotiated_) { | 1972 if (domain_bound_cert_xtn_negotiated_) { |
| 2025 GotoState(STATE_GET_DOMAIN_BOUND_CERT_COMPLETE); | 1973 GotoState(STATE_GET_DOMAIN_BOUND_CERT_COMPLETE); |
| 2026 net_error = ERR_IO_PENDING; | 1974 net_error = ERR_IO_PENDING; |
| 2027 } else { | 1975 } else { |
| 2028 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 1976 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
| 2029 PostOrRunCallback( | 1977 PostOrRunCallback( |
| 2030 FROM_HERE, | 1978 FROM_HERE, |
| 2031 base::Bind(&AddLogEvent, weak_net_log_, | 1979 base::Bind(&AddLogEventWithCallback, weak_net_log_, |
| 2032 NetLog::TYPE_SSL_HANDSHAKE_ERROR, | 1980 NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
| 2033 make_scoped_refptr(new SSLErrorParams(net_error, 0)))); | 1981 CreateNetLogSSLErrorCallback(net_error, 0))); |
| 2034 | 1982 |
| 2035 // If the handshake already succeeded (because the server requests but | 1983 // If the handshake already succeeded (because the server requests but |
| 2036 // doesn't require a client cert), we need to invalidate the SSL session | 1984 // doesn't require a client cert), we need to invalidate the SSL session |
| 2037 // so that we won't try to resume the non-client-authenticated session in | 1985 // so that we won't try to resume the non-client-authenticated session in |
| 2038 // the next handshake. This will cause the server to ask for a client | 1986 // the next handshake. This will cause the server to ask for a client |
| 2039 // cert again. | 1987 // cert again. |
| 2040 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) | 1988 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) |
| 2041 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); | 1989 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); |
| 2042 } | 1990 } |
| 2043 } else if (rv == SECSuccess) { | 1991 } else if (rv == SECSuccess) { |
| 2044 if (!handshake_callback_called_) { | 1992 if (!handshake_callback_called_) { |
| 2045 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=562434 - | 1993 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=562434 - |
| 2046 // SSL_ForceHandshake returned SECSuccess prematurely. | 1994 // SSL_ForceHandshake returned SECSuccess prematurely. |
| 2047 rv = SECFailure; | 1995 rv = SECFailure; |
| 2048 net_error = ERR_SSL_PROTOCOL_ERROR; | 1996 net_error = ERR_SSL_PROTOCOL_ERROR; |
| 2049 PostOrRunCallback( | 1997 PostOrRunCallback( |
| 2050 FROM_HERE, | 1998 FROM_HERE, |
| 2051 base::Bind(&AddLogEvent, weak_net_log_, | 1999 base::Bind(&AddLogEventWithCallback, weak_net_log_, |
| 2052 NetLog::TYPE_SSL_HANDSHAKE_ERROR, | 2000 NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
| 2053 make_scoped_refptr( | 2001 CreateNetLogSSLErrorCallback(net_error, 0))); |
| 2054 new SSLErrorParams(net_error, 0)))); | |
| 2055 } else { | 2002 } else { |
| 2056 #if defined(SSL_ENABLE_OCSP_STAPLING) | 2003 #if defined(SSL_ENABLE_OCSP_STAPLING) |
| 2057 // TODO(agl): figure out how to plumb an OCSP response into the Mac | 2004 // TODO(agl): figure out how to plumb an OCSP response into the Mac |
| 2058 // system library and update IsOCSPStaplingSupported for Mac. | 2005 // system library and update IsOCSPStaplingSupported for Mac. |
| 2059 if (!nss_handshake_state_.predicted_cert_chain_correct && | 2006 if (!nss_handshake_state_.predicted_cert_chain_correct && |
| 2060 IsOCSPStaplingSupported()) { | 2007 IsOCSPStaplingSupported()) { |
| 2061 unsigned int len = 0; | 2008 unsigned int len = 0; |
| 2062 SSL_GetStapledOCSPResponse(nss_fd_, NULL, &len); | 2009 SSL_GetStapledOCSPResponse(nss_fd_, NULL, &len); |
| 2063 if (len) { | 2010 if (len) { |
| 2064 const unsigned int orig_len = len; | 2011 const unsigned int orig_len = len; |
| (...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2119 ssl_config_.version_max == SSL_PROTOCOL_VERSION_TLS1_1) { | 2066 ssl_config_.version_max == SSL_PROTOCOL_VERSION_TLS1_1) { |
| 2120 net_error = ERR_SSL_PROTOCOL_ERROR; | 2067 net_error = ERR_SSL_PROTOCOL_ERROR; |
| 2121 } | 2068 } |
| 2122 | 2069 |
| 2123 // If not done, stay in this state | 2070 // If not done, stay in this state |
| 2124 if (net_error == ERR_IO_PENDING) { | 2071 if (net_error == ERR_IO_PENDING) { |
| 2125 GotoState(STATE_HANDSHAKE); | 2072 GotoState(STATE_HANDSHAKE); |
| 2126 } else { | 2073 } else { |
| 2127 PostOrRunCallback( | 2074 PostOrRunCallback( |
| 2128 FROM_HERE, | 2075 FROM_HERE, |
| 2129 base::Bind(&AddLogEvent, weak_net_log_, | 2076 base::Bind(&AddLogEventWithCallback, weak_net_log_, |
| 2130 NetLog::TYPE_SSL_HANDSHAKE_ERROR, | 2077 NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
| 2131 make_scoped_refptr( | 2078 CreateNetLogSSLErrorCallback(net_error, prerr))); |
| 2132 new SSLErrorParams(net_error, prerr)))); | |
| 2133 } | 2079 } |
| 2134 } | 2080 } |
| 2135 | 2081 |
| 2136 return net_error; | 2082 return net_error; |
| 2137 } | 2083 } |
| 2138 | 2084 |
| 2139 int SSLClientSocketNSS::Core::DoGetDBCertComplete(int result) { | 2085 int SSLClientSocketNSS::Core::DoGetDBCertComplete(int result) { |
| 2140 SECStatus rv; | 2086 SECStatus rv; |
| 2141 PostOrRunCallback( | 2087 PostOrRunCallback( |
| 2142 FROM_HERE, | 2088 FROM_HERE, |
| (...skipping 15 matching lines...) Expand all Loading... |
| 2158 | 2104 |
| 2159 CERTCertificate* cert; | 2105 CERTCertificate* cert; |
| 2160 SECKEYPrivateKey* key; | 2106 SECKEYPrivateKey* key; |
| 2161 int error = ImportDBCertAndKey(&cert, &key); | 2107 int error = ImportDBCertAndKey(&cert, &key); |
| 2162 if (error != OK) | 2108 if (error != OK) |
| 2163 return error; | 2109 return error; |
| 2164 | 2110 |
| 2165 CERTCertificateList* cert_chain = | 2111 CERTCertificateList* cert_chain = |
| 2166 CERT_CertChainFromCert(cert, certUsageSSLClient, PR_FALSE); | 2112 CERT_CertChainFromCert(cert, certUsageSSLClient, PR_FALSE); |
| 2167 | 2113 |
| 2168 PostOrRunCallback( | 2114 AddCertProvidedEvent(cert_chain->len); |
| 2169 FROM_HERE, | |
| 2170 base::Bind(&AddLogEvent, weak_net_log_, | |
| 2171 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | |
| 2172 make_scoped_refptr( | |
| 2173 new NetLogIntegerParameter("cert_count", | |
| 2174 cert_chain->len)))); | |
| 2175 | 2115 |
| 2176 rv = SSL_RestartHandshakeAfterCertReq(nss_fd_, cert, key, cert_chain); | 2116 rv = SSL_RestartHandshakeAfterCertReq(nss_fd_, cert, key, cert_chain); |
| 2177 if (rv != SECSuccess) | 2117 if (rv != SECSuccess) |
| 2178 return MapNSSError(PORT_GetError()); | 2118 return MapNSSError(PORT_GetError()); |
| 2179 | 2119 |
| 2180 GotoState(STATE_HANDSHAKE); | 2120 GotoState(STATE_HANDSHAKE); |
| 2181 return OK; | 2121 return OK; |
| 2182 } | 2122 } |
| 2183 | 2123 |
| 2184 int SSLClientSocketNSS::Core::DoPayloadRead() { | 2124 int SSLClientSocketNSS::Core::DoPayloadRead() { |
| 2185 DCHECK(OnNSSTaskRunner()); | 2125 DCHECK(OnNSSTaskRunner()); |
| 2186 DCHECK(user_read_buf_); | 2126 DCHECK(user_read_buf_); |
| 2187 DCHECK_GT(user_read_buf_len_, 0); | 2127 DCHECK_GT(user_read_buf_len_, 0); |
| 2188 | 2128 |
| 2189 int rv = PR_Read(nss_fd_, user_read_buf_->data(), user_read_buf_len_); | 2129 int rv = PR_Read(nss_fd_, user_read_buf_->data(), user_read_buf_len_); |
| 2190 if (client_auth_cert_needed_) { | 2130 if (client_auth_cert_needed_) { |
| 2191 // We don't need to invalidate the non-client-authenticated SSL session | 2131 // We don't need to invalidate the non-client-authenticated SSL session |
| 2192 // because the server will renegotiate anyway. | 2132 // because the server will renegotiate anyway. |
| 2193 rv = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 2133 rv = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
| 2194 PostOrRunCallback( | 2134 PostOrRunCallback( |
| 2195 FROM_HERE, | 2135 FROM_HERE, |
| 2196 base::Bind(&AddLogEvent, weak_net_log_, | 2136 base::Bind(&AddLogEventWithCallback, weak_net_log_, |
| 2197 NetLog::TYPE_SSL_READ_ERROR, | 2137 NetLog::TYPE_SSL_READ_ERROR, |
| 2198 make_scoped_refptr(new SSLErrorParams(rv, 0)))); | 2138 CreateNetLogSSLErrorCallback(rv, 0))); |
| 2199 return rv; | 2139 return rv; |
| 2200 } | 2140 } |
| 2201 if (rv >= 0) { | 2141 if (rv >= 0) { |
| 2202 PostOrRunCallback( | 2142 PostOrRunCallback( |
| 2203 FROM_HERE, | 2143 FROM_HERE, |
| 2204 base::Bind(&LogByteTransferEvent, weak_net_log_, | 2144 base::Bind(&LogByteTransferEvent, weak_net_log_, |
| 2205 NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv, | 2145 NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv, |
| 2206 scoped_refptr<IOBuffer>(user_read_buf_))); | 2146 scoped_refptr<IOBuffer>(user_read_buf_))); |
| 2207 return rv; | 2147 return rv; |
| 2208 } | 2148 } |
| 2209 PRErrorCode prerr = PR_GetError(); | 2149 PRErrorCode prerr = PR_GetError(); |
| 2210 if (prerr == PR_WOULD_BLOCK_ERROR) | 2150 if (prerr == PR_WOULD_BLOCK_ERROR) |
| 2211 return ERR_IO_PENDING; | 2151 return ERR_IO_PENDING; |
| 2212 | 2152 |
| 2213 rv = HandleNSSError(prerr, false); | 2153 rv = HandleNSSError(prerr, false); |
| 2214 PostOrRunCallback( | 2154 PostOrRunCallback( |
| 2215 FROM_HERE, | 2155 FROM_HERE, |
| 2216 base::Bind(&AddLogEvent, weak_net_log_, | 2156 base::Bind(&AddLogEventWithCallback, weak_net_log_, |
| 2217 NetLog::TYPE_SSL_READ_ERROR, | 2157 NetLog::TYPE_SSL_READ_ERROR, |
| 2218 make_scoped_refptr(new SSLErrorParams(rv, prerr)))); | 2158 CreateNetLogSSLErrorCallback(rv, prerr))); |
| 2219 return rv; | 2159 return rv; |
| 2220 } | 2160 } |
| 2221 | 2161 |
| 2222 int SSLClientSocketNSS::Core::DoPayloadWrite() { | 2162 int SSLClientSocketNSS::Core::DoPayloadWrite() { |
| 2223 DCHECK(OnNSSTaskRunner()); | 2163 DCHECK(OnNSSTaskRunner()); |
| 2224 | 2164 |
| 2225 DCHECK(user_write_buf_); | 2165 DCHECK(user_write_buf_); |
| 2226 | 2166 |
| 2227 int rv = PR_Write(nss_fd_, user_write_buf_->data(), user_write_buf_len_); | 2167 int rv = PR_Write(nss_fd_, user_write_buf_->data(), user_write_buf_len_); |
| 2228 if (rv >= 0) { | 2168 if (rv >= 0) { |
| 2229 PostOrRunCallback( | 2169 PostOrRunCallback( |
| 2230 FROM_HERE, | 2170 FROM_HERE, |
| 2231 base::Bind(&LogByteTransferEvent, weak_net_log_, | 2171 base::Bind(&LogByteTransferEvent, weak_net_log_, |
| 2232 NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, | 2172 NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, |
| 2233 scoped_refptr<IOBuffer>(user_write_buf_))); | 2173 scoped_refptr<IOBuffer>(user_write_buf_))); |
| 2234 return rv; | 2174 return rv; |
| 2235 } | 2175 } |
| 2236 PRErrorCode prerr = PR_GetError(); | 2176 PRErrorCode prerr = PR_GetError(); |
| 2237 if (prerr == PR_WOULD_BLOCK_ERROR) | 2177 if (prerr == PR_WOULD_BLOCK_ERROR) |
| 2238 return ERR_IO_PENDING; | 2178 return ERR_IO_PENDING; |
| 2239 | 2179 |
| 2240 rv = HandleNSSError(prerr, false); | 2180 rv = HandleNSSError(prerr, false); |
| 2241 PostOrRunCallback( | 2181 PostOrRunCallback( |
| 2242 FROM_HERE, | 2182 FROM_HERE, |
| 2243 base::Bind(&AddLogEvent, weak_net_log_, | 2183 base::Bind(&AddLogEventWithCallback, weak_net_log_, |
| 2244 NetLog::TYPE_SSL_WRITE_ERROR, | 2184 NetLog::TYPE_SSL_WRITE_ERROR, |
| 2245 make_scoped_refptr(new SSLErrorParams(rv, prerr)))); | 2185 CreateNetLogSSLErrorCallback(rv, prerr))); |
| 2246 return rv; | 2186 return rv; |
| 2247 } | 2187 } |
| 2248 | 2188 |
| 2249 // Do as much network I/O as possible between the buffer and the | 2189 // Do as much network I/O as possible between the buffer and the |
| 2250 // transport socket. Return true if some I/O performed, false | 2190 // transport socket. Return true if some I/O performed, false |
| 2251 // otherwise (error or ERR_IO_PENDING). | 2191 // otherwise (error or ERR_IO_PENDING). |
| 2252 bool SSLClientSocketNSS::Core::DoTransportIO() { | 2192 bool SSLClientSocketNSS::Core::DoTransportIO() { |
| 2253 DCHECK(OnNSSTaskRunner()); | 2193 DCHECK(OnNSSTaskRunner()); |
| 2254 | 2194 |
| 2255 bool network_moved = false; | 2195 bool network_moved = false; |
| (...skipping 223 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2479 int result = ImportDBCertAndKey(result_certificate, result_private_key); | 2419 int result = ImportDBCertAndKey(result_certificate, result_private_key); |
| 2480 if (result != OK) { | 2420 if (result != OK) { |
| 2481 domain_bound_cert_type_ = CLIENT_CERT_INVALID_TYPE; | 2421 domain_bound_cert_type_ = CLIENT_CERT_INVALID_TYPE; |
| 2482 rv = SECFailure; | 2422 rv = SECFailure; |
| 2483 } | 2423 } |
| 2484 } else { | 2424 } else { |
| 2485 rv = SECFailure; | 2425 rv = SECFailure; |
| 2486 } | 2426 } |
| 2487 | 2427 |
| 2488 int cert_count = (rv == SECSuccess) ? 1 : 0; | 2428 int cert_count = (rv == SECSuccess) ? 1 : 0; |
| 2489 PostOrRunCallback( | 2429 AddCertProvidedEvent(cert_count); |
| 2490 FROM_HERE, | |
| 2491 base::Bind(&AddLogEvent, weak_net_log_, | |
| 2492 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | |
| 2493 make_scoped_refptr( | |
| 2494 new NetLogIntegerParameter("cert_count", | |
| 2495 cert_count)))); | |
| 2496 return rv; | 2430 return rv; |
| 2497 } | 2431 } |
| 2498 | 2432 |
| 2499 int SSLClientSocketNSS::Core::ImportDBCertAndKey(CERTCertificate** cert, | 2433 int SSLClientSocketNSS::Core::ImportDBCertAndKey(CERTCertificate** cert, |
| 2500 SECKEYPrivateKey** key) { | 2434 SECKEYPrivateKey** key) { |
| 2501 // Set the certificate. | 2435 // Set the certificate. |
| 2502 SECItem cert_item; | 2436 SECItem cert_item; |
| 2503 cert_item.data = (unsigned char*) domain_bound_cert_.data(); | 2437 cert_item.data = (unsigned char*) domain_bound_cert_.data(); |
| 2504 cert_item.len = domain_bound_cert_.size(); | 2438 cert_item.len = domain_bound_cert_.size(); |
| 2505 *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), | 2439 *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), |
| (...skipping 184 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2690 } | 2624 } |
| 2691 | 2625 |
| 2692 int SSLClientSocketNSS::Core::DoGetDomainBoundCert( | 2626 int SSLClientSocketNSS::Core::DoGetDomainBoundCert( |
| 2693 const std::string& origin, | 2627 const std::string& origin, |
| 2694 const std::vector<uint8>& requested_cert_types) { | 2628 const std::vector<uint8>& requested_cert_types) { |
| 2695 DCHECK(OnNetworkTaskRunner()); | 2629 DCHECK(OnNetworkTaskRunner()); |
| 2696 | 2630 |
| 2697 if (detached_) | 2631 if (detached_) |
| 2698 return ERR_FAILED; | 2632 return ERR_FAILED; |
| 2699 | 2633 |
| 2700 weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, NULL); | 2634 weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT); |
| 2701 | 2635 |
| 2702 int rv = server_bound_cert_service_->GetDomainBoundCert( | 2636 int rv = server_bound_cert_service_->GetDomainBoundCert( |
| 2703 origin, | 2637 origin, |
| 2704 requested_cert_types, | 2638 requested_cert_types, |
| 2705 &domain_bound_cert_type_, | 2639 &domain_bound_cert_type_, |
| 2706 &domain_bound_private_key_, | 2640 &domain_bound_private_key_, |
| 2707 &domain_bound_cert_, | 2641 &domain_bound_cert_, |
| 2708 base::Bind(&Core::OnGetDomainBoundCertComplete, base::Unretained(this)), | 2642 base::Bind(&Core::OnGetDomainBoundCertComplete, base::Unretained(this)), |
| 2709 &domain_bound_cert_request_handle_); | 2643 &domain_bound_cert_request_handle_); |
| 2710 | 2644 |
| (...skipping 92 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2803 FROM_HERE, | 2737 FROM_HERE, |
| 2804 base::Bind(&Core::PostOrRunCallback, this, location, task)); | 2738 base::Bind(&Core::PostOrRunCallback, this, location, task)); |
| 2805 return; | 2739 return; |
| 2806 } | 2740 } |
| 2807 | 2741 |
| 2808 if (detached_ || task.is_null()) | 2742 if (detached_ || task.is_null()) |
| 2809 return; | 2743 return; |
| 2810 task.Run(); | 2744 task.Run(); |
| 2811 } | 2745 } |
| 2812 | 2746 |
| 2747 void SSLClientSocketNSS::Core::AddCertProvidedEvent(int cert_count) { |
| 2748 PostOrRunCallback( |
| 2749 FROM_HERE, |
| 2750 base::Bind(&AddLogEventWithCallback, weak_net_log_, |
| 2751 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, |
| 2752 NetLog::IntegerCallback("cert_count", cert_count))); |
| 2753 } |
| 2754 |
| 2813 SSLClientSocketNSS::SSLClientSocketNSS( | 2755 SSLClientSocketNSS::SSLClientSocketNSS( |
| 2814 base::SingleThreadTaskRunner* nss_task_runner, | 2756 base::SingleThreadTaskRunner* nss_task_runner, |
| 2815 ClientSocketHandle* transport_socket, | 2757 ClientSocketHandle* transport_socket, |
| 2816 const HostPortPair& host_and_port, | 2758 const HostPortPair& host_and_port, |
| 2817 const SSLConfig& ssl_config, | 2759 const SSLConfig& ssl_config, |
| 2818 SSLHostInfo* ssl_host_info, | 2760 SSLHostInfo* ssl_host_info, |
| 2819 const SSLClientSocketContext& context) | 2761 const SSLClientSocketContext& context) |
| 2820 : nss_task_runner_(nss_task_runner), | 2762 : nss_task_runner_(nss_task_runner), |
| 2821 transport_(transport_socket), | 2763 transport_(transport_socket), |
| 2822 host_and_port_(host_and_port), | 2764 host_and_port_(host_and_port), |
| (...skipping 112 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2935 | 2877 |
| 2936 int SSLClientSocketNSS::Connect(const CompletionCallback& callback) { | 2878 int SSLClientSocketNSS::Connect(const CompletionCallback& callback) { |
| 2937 EnterFunction(""); | 2879 EnterFunction(""); |
| 2938 DCHECK(transport_.get()); | 2880 DCHECK(transport_.get()); |
| 2939 DCHECK_EQ(STATE_NONE, next_handshake_state_); | 2881 DCHECK_EQ(STATE_NONE, next_handshake_state_); |
| 2940 DCHECK(user_connect_callback_.is_null()); | 2882 DCHECK(user_connect_callback_.is_null()); |
| 2941 DCHECK(!callback.is_null()); | 2883 DCHECK(!callback.is_null()); |
| 2942 | 2884 |
| 2943 EnsureThreadIdAssigned(); | 2885 EnsureThreadIdAssigned(); |
| 2944 | 2886 |
| 2945 net_log_.BeginEvent(NetLog::TYPE_SSL_CONNECT, NULL); | 2887 net_log_.BeginEvent(NetLog::TYPE_SSL_CONNECT); |
| 2946 | 2888 |
| 2947 int rv = Init(); | 2889 int rv = Init(); |
| 2948 if (rv != OK) { | 2890 if (rv != OK) { |
| 2949 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 2891 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
| 2950 return rv; | 2892 return rv; |
| 2951 } | 2893 } |
| 2952 | 2894 |
| 2953 rv = InitializeSSLOptions(); | 2895 rv = InitializeSSLOptions(); |
| 2954 if (rv != OK) { | 2896 if (rv != OK) { |
| 2955 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 2897 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
| (...skipping 566 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3522 } | 3464 } |
| 3523 | 3465 |
| 3524 start_cert_verification_time_ = base::TimeTicks::Now(); | 3466 start_cert_verification_time_ = base::TimeTicks::Now(); |
| 3525 | 3467 |
| 3526 if (ssl_host_info_.get() && !ssl_host_info_->state().certs.empty() && | 3468 if (ssl_host_info_.get() && !ssl_host_info_->state().certs.empty() && |
| 3527 core_->state().predicted_cert_chain_correct) { | 3469 core_->state().predicted_cert_chain_correct) { |
| 3528 // If the SSLHostInfo had a prediction for the certificate chain of this | 3470 // If the SSLHostInfo had a prediction for the certificate chain of this |
| 3529 // server then it will have optimistically started a verification of that | 3471 // server then it will have optimistically started a verification of that |
| 3530 // chain. So, if the prediction was correct, we should wait for that | 3472 // chain. So, if the prediction was correct, we should wait for that |
| 3531 // verification to finish rather than start our own. | 3473 // verification to finish rather than start our own. |
| 3532 net_log_.AddEvent(NetLog::TYPE_SSL_VERIFICATION_MERGED, NULL); | 3474 net_log_.AddEvent(NetLog::TYPE_SSL_VERIFICATION_MERGED); |
| 3533 UMA_HISTOGRAM_ENUMERATION("Net.SSLVerificationMerged", 1 /* true */, 2); | 3475 UMA_HISTOGRAM_ENUMERATION("Net.SSLVerificationMerged", 1 /* true */, 2); |
| 3534 base::TimeTicks end_time = ssl_host_info_->verification_end_time(); | 3476 base::TimeTicks end_time = ssl_host_info_->verification_end_time(); |
| 3535 if (end_time.is_null()) | 3477 if (end_time.is_null()) |
| 3536 end_time = base::TimeTicks::Now(); | 3478 end_time = base::TimeTicks::Now(); |
| 3537 UMA_HISTOGRAM_TIMES("Net.SSLVerificationMergedMsSaved", | 3479 UMA_HISTOGRAM_TIMES("Net.SSLVerificationMergedMsSaved", |
| 3538 end_time - ssl_host_info_->verification_start_time()); | 3480 end_time - ssl_host_info_->verification_start_time()); |
| 3539 server_cert_verify_result_ = &ssl_host_info_->cert_verify_result(); | 3481 server_cert_verify_result_ = &ssl_host_info_->cert_verify_result(); |
| 3540 return ssl_host_info_->WaitForCertVerification( | 3482 return ssl_host_info_->WaitForCertVerification( |
| 3541 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, | 3483 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, |
| 3542 base::Unretained(this))); | 3484 base::Unretained(this))); |
| (...skipping 172 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3715 EnsureThreadIdAssigned(); | 3657 EnsureThreadIdAssigned(); |
| 3716 base::AutoLock auto_lock(lock_); | 3658 base::AutoLock auto_lock(lock_); |
| 3717 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 3659 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
| 3718 } | 3660 } |
| 3719 | 3661 |
| 3720 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { | 3662 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { |
| 3721 return server_bound_cert_service_; | 3663 return server_bound_cert_service_; |
| 3722 } | 3664 } |
| 3723 | 3665 |
| 3724 } // namespace net | 3666 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10546162:
NetLogEventParameter to Callback refactoring 9. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/