| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| (...skipping 3008 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3019 LeaveFunction(result); | 3019 LeaveFunction(result); |
| 3020 return result; | 3020 return result; |
| 3021 } | 3021 } |
| 3022 | 3022 |
| 3023 int SSLClientSocketNSS::DoVerifyCert(int result) { | 3023 int SSLClientSocketNSS::DoVerifyCert(int result) { |
| 3024 DCHECK(!core_->state().server_cert_chain.empty()); | 3024 DCHECK(!core_->state().server_cert_chain.empty()); |
| 3025 DCHECK(core_->state().server_cert_chain[0]); | 3025 DCHECK(core_->state().server_cert_chain[0]); |
| 3026 | 3026 |
| 3027 GotoState(STATE_VERIFY_CERT_COMPLETE); | 3027 GotoState(STATE_VERIFY_CERT_COMPLETE); |
| 3028 | 3028 |
| 3029 // NSS decoded the certificate, but the platform certificate implementation |
| 3030 // could not. This is treated as a fatal SSL-level protocol error rather than |
| 3031 // a certificate error. See https://crbug.com/91341. |
| 3032 if (!core_->state().server_cert.get()) |
| 3033 return ERR_SSL_SERVER_CERT_BAD_FORMAT; |
| 3034 |
| 3029 // If the certificate is expected to be bad we can use the expectation as | 3035 // If the certificate is expected to be bad we can use the expectation as |
| 3030 // the cert status. | 3036 // the cert status. |
| 3031 base::StringPiece der_cert( | 3037 base::StringPiece der_cert( |
| 3032 reinterpret_cast<char*>( | 3038 reinterpret_cast<char*>( |
| 3033 core_->state().server_cert_chain[0]->derCert.data), | 3039 core_->state().server_cert_chain[0]->derCert.data), |
| 3034 core_->state().server_cert_chain[0]->derCert.len); | 3040 core_->state().server_cert_chain[0]->derCert.len); |
| 3035 CertStatus cert_status; | 3041 CertStatus cert_status; |
| 3036 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) { | 3042 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) { |
| 3037 DCHECK(start_cert_verification_time_.is_null()); | 3043 DCHECK(start_cert_verification_time_.is_null()); |
| 3038 VLOG(1) << "Received an expected bad cert with status: " << cert_status; | 3044 VLOG(1) << "Received an expected bad cert with status: " << cert_status; |
| 3039 server_cert_verify_result_.Reset(); | 3045 server_cert_verify_result_.Reset(); |
| 3040 server_cert_verify_result_.cert_status = cert_status; | 3046 server_cert_verify_result_.cert_status = cert_status; |
| 3041 server_cert_verify_result_.verified_cert = core_->state().server_cert; | 3047 server_cert_verify_result_.verified_cert = core_->state().server_cert; |
| 3042 return OK; | 3048 return OK; |
| 3043 } | 3049 } |
| 3044 | 3050 |
| 3045 // We may have failed to create X509Certificate object if we are | |
| 3046 // running inside sandbox. | |
| 3047 if (!core_->state().server_cert.get()) { | |
| 3048 server_cert_verify_result_.Reset(); | |
| 3049 server_cert_verify_result_.cert_status = CERT_STATUS_INVALID; | |
| 3050 return ERR_CERT_INVALID; | |
| 3051 } | |
| 3052 | |
| 3053 start_cert_verification_time_ = base::TimeTicks::Now(); | 3051 start_cert_verification_time_ = base::TimeTicks::Now(); |
| 3054 | 3052 |
| 3055 return cert_verifier_->Verify( | 3053 return cert_verifier_->Verify( |
| 3056 core_->state().server_cert.get(), host_and_port_.host(), | 3054 core_->state().server_cert.get(), host_and_port_.host(), |
| 3057 core_->state().stapled_ocsp_response, ssl_config_.GetCertVerifyFlags(), | 3055 core_->state().stapled_ocsp_response, ssl_config_.GetCertVerifyFlags(), |
| 3058 SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_, | 3056 SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_, |
| 3059 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, | 3057 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, |
| 3060 base::Unretained(this)), | 3058 base::Unretained(this)), |
| 3061 &cert_verifier_request_, net_log_); | 3059 &cert_verifier_request_, net_log_); |
| 3062 } | 3060 } |
| (...skipping 121 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3184 return channel_id_service_; | 3182 return channel_id_service_; |
| 3185 } | 3183 } |
| 3186 | 3184 |
| 3187 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const { | 3185 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const { |
| 3188 if (completed_handshake_) | 3186 if (completed_handshake_) |
| 3189 return SSL_FAILURE_NONE; | 3187 return SSL_FAILURE_NONE; |
| 3190 return SSL_FAILURE_UNKNOWN; | 3188 return SSL_FAILURE_UNKNOWN; |
| 3191 } | 3189 } |
| 3192 | 3190 |
| 3193 } // namespace net | 3191 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1286793002:
Treat failure to parse certificates as SSL protocol errors. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master