| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/http_network_transaction.h" | 5 #include "net/http/http_network_transaction.h" |
| 6 | 6 |
| 7 #include <set> | 7 #include <set> |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include "base/bind.h" | 10 #include "base/bind.h" |
| (...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 53 #include "net/socket/client_socket_factory.h" | 53 #include "net/socket/client_socket_factory.h" |
| 54 #include "net/socket/socks_client_socket_pool.h" | 54 #include "net/socket/socks_client_socket_pool.h" |
| 55 #include "net/socket/ssl_client_socket.h" | 55 #include "net/socket/ssl_client_socket.h" |
| 56 #include "net/socket/ssl_client_socket_pool.h" | 56 #include "net/socket/ssl_client_socket_pool.h" |
| 57 #include "net/socket/transport_client_socket_pool.h" | 57 #include "net/socket/transport_client_socket_pool.h" |
| 58 #include "net/spdy/spdy_http_stream.h" | 58 #include "net/spdy/spdy_http_stream.h" |
| 59 #include "net/spdy/spdy_session.h" | 59 #include "net/spdy/spdy_session.h" |
| 60 #include "net/spdy/spdy_session_pool.h" | 60 #include "net/spdy/spdy_session_pool.h" |
| 61 #include "net/ssl/ssl_cert_request_info.h" | 61 #include "net/ssl/ssl_cert_request_info.h" |
| 62 #include "net/ssl/ssl_connection_status_flags.h" | 62 #include "net/ssl/ssl_connection_status_flags.h" |
| 63 #include "net/ssl/ssl_private_key.h" |
| 63 #include "url/gurl.h" | 64 #include "url/gurl.h" |
| 64 #include "url/url_canon.h" | 65 #include "url/url_canon.h" |
| 65 | 66 |
| 66 namespace net { | 67 namespace net { |
| 67 | 68 |
| 68 namespace { | 69 namespace { |
| 69 | 70 |
| 70 void ProcessAlternativeServices(HttpNetworkSession* session, | 71 void ProcessAlternativeServices(HttpNetworkSession* session, |
| 71 const HttpResponseHeaders& headers, | 72 const HttpResponseHeaders& headers, |
| 72 const HostPortPair& http_host_port_pair) { | 73 const HostPortPair& http_host_port_pair) { |
| (...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 212 | 213 |
| 213 next_state_ = STATE_CREATE_STREAM; | 214 next_state_ = STATE_CREATE_STREAM; |
| 214 | 215 |
| 215 int rv = DoLoop(OK); | 216 int rv = DoLoop(OK); |
| 216 if (rv == ERR_IO_PENDING) | 217 if (rv == ERR_IO_PENDING) |
| 217 callback_ = callback; | 218 callback_ = callback; |
| 218 return rv; | 219 return rv; |
| 219 } | 220 } |
| 220 | 221 |
| 221 int HttpNetworkTransaction::RestartWithCertificate( | 222 int HttpNetworkTransaction::RestartWithCertificate( |
| 222 X509Certificate* client_cert, const CompletionCallback& callback) { | 223 X509Certificate* client_cert, |
| 224 SSLPrivateKey* client_private_key, |
| 225 const CompletionCallback& callback) { |
| 223 // In HandleCertificateRequest(), we always tear down existing stream | 226 // In HandleCertificateRequest(), we always tear down existing stream |
| 224 // requests to force a new connection. So we shouldn't have one here. | 227 // requests to force a new connection. So we shouldn't have one here. |
| 225 DCHECK(!stream_request_.get()); | 228 DCHECK(!stream_request_.get()); |
| 226 DCHECK(!stream_.get()); | 229 DCHECK(!stream_.get()); |
| 227 DCHECK_EQ(STATE_NONE, next_state_); | 230 DCHECK_EQ(STATE_NONE, next_state_); |
| 228 | 231 |
| 229 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? | 232 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? |
| 230 &proxy_ssl_config_ : &server_ssl_config_; | 233 &proxy_ssl_config_ : &server_ssl_config_; |
| 231 ssl_config->send_client_cert = true; | 234 ssl_config->send_client_cert = true; |
| 232 ssl_config->client_cert = client_cert; | 235 ssl_config->client_cert = client_cert; |
| 236 ssl_config->client_private_key = client_private_key; |
| 233 session_->ssl_client_auth_cache()->Add( | 237 session_->ssl_client_auth_cache()->Add( |
| 234 response_.cert_request_info->host_and_port, client_cert); | 238 response_.cert_request_info->host_and_port, client_cert, |
| 239 client_private_key); |
| 235 // Reset the other member variables. | 240 // Reset the other member variables. |
| 236 // Note: this is necessary only with SSL renegotiation. | 241 // Note: this is necessary only with SSL renegotiation. |
| 237 ResetStateForRestart(); | 242 ResetStateForRestart(); |
| 238 next_state_ = STATE_CREATE_STREAM; | 243 next_state_ = STATE_CREATE_STREAM; |
| 239 int rv = DoLoop(OK); | 244 int rv = DoLoop(OK); |
| 240 if (rv == ERR_IO_PENDING) | 245 if (rv == ERR_IO_PENDING) |
| 241 callback_ = callback; | 246 callback_ = callback; |
| 242 return rv; | 247 return rv; |
| 243 } | 248 } |
| 244 | 249 |
| (...skipping 973 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1218 } | 1223 } |
| 1219 | 1224 |
| 1220 // The server is asking for a client certificate during the initial | 1225 // The server is asking for a client certificate during the initial |
| 1221 // handshake. | 1226 // handshake. |
| 1222 stream_request_.reset(); | 1227 stream_request_.reset(); |
| 1223 | 1228 |
| 1224 // If the user selected one of the certificates in client_certs or declined | 1229 // If the user selected one of the certificates in client_certs or declined |
| 1225 // to provide one for this server before, use the past decision | 1230 // to provide one for this server before, use the past decision |
| 1226 // automatically. | 1231 // automatically. |
| 1227 scoped_refptr<X509Certificate> client_cert; | 1232 scoped_refptr<X509Certificate> client_cert; |
| 1233 scoped_refptr<SSLPrivateKey> client_private_key; |
| 1228 bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup( | 1234 bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup( |
| 1229 response_.cert_request_info->host_and_port, &client_cert); | 1235 response_.cert_request_info->host_and_port, &client_cert, |
| 1236 &client_private_key); |
| 1230 if (!found_cached_cert) | 1237 if (!found_cached_cert) |
| 1231 return error; | 1238 return error; |
| 1232 | 1239 |
| 1233 // Check that the certificate selected is still a certificate the server | 1240 // Check that the certificate selected is still a certificate the server |
| 1234 // is likely to accept, based on the criteria supplied in the | 1241 // is likely to accept, based on the criteria supplied in the |
| 1235 // CertificateRequest message. | 1242 // CertificateRequest message. |
| 1236 if (client_cert.get()) { | 1243 if (client_cert.get()) { |
| 1237 const std::vector<std::string>& cert_authorities = | 1244 const std::vector<std::string>& cert_authorities = |
| 1238 response_.cert_request_info->cert_authorities; | 1245 response_.cert_request_info->cert_authorities; |
| 1239 | 1246 |
| 1240 bool cert_still_valid = cert_authorities.empty() || | 1247 bool cert_still_valid = cert_authorities.empty() || |
| 1241 client_cert->IsIssuedByEncoded(cert_authorities); | 1248 client_cert->IsIssuedByEncoded(cert_authorities); |
| 1242 if (!cert_still_valid) | 1249 if (!cert_still_valid) |
| 1243 return error; | 1250 return error; |
| 1244 } | 1251 } |
| 1245 | 1252 |
| 1246 // TODO(davidben): Add a unit test which covers this path; we need to be | 1253 // TODO(davidben): Add a unit test which covers this path; we need to be |
| 1247 // able to send a legitimate certificate and also bypass/clear the | 1254 // able to send a legitimate certificate and also bypass/clear the |
| 1248 // SSL session cache. | 1255 // SSL session cache. |
| 1249 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? | 1256 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? |
| 1250 &proxy_ssl_config_ : &server_ssl_config_; | 1257 &proxy_ssl_config_ : &server_ssl_config_; |
| 1251 ssl_config->send_client_cert = true; | 1258 ssl_config->send_client_cert = true; |
| 1252 ssl_config->client_cert = client_cert; | 1259 ssl_config->client_cert = client_cert; |
| 1260 ssl_config->client_private_key = client_private_key; |
| 1253 next_state_ = STATE_CREATE_STREAM; | 1261 next_state_ = STATE_CREATE_STREAM; |
| 1254 // Reset the other member variables. | 1262 // Reset the other member variables. |
| 1255 // Note: this is necessary only with SSL renegotiation. | 1263 // Note: this is necessary only with SSL renegotiation. |
| 1256 ResetStateForRestart(); | 1264 ResetStateForRestart(); |
| 1257 return OK; | 1265 return OK; |
| 1258 } | 1266 } |
| 1259 | 1267 |
| 1260 int HttpNetworkTransaction::HandleHttp11Required(int error) { | 1268 int HttpNetworkTransaction::HandleHttp11Required(int error) { |
| 1261 DCHECK(error == ERR_HTTP_1_1_REQUIRED || | 1269 DCHECK(error == ERR_HTTP_1_1_REQUIRED || |
| 1262 error == ERR_PROXY_HTTP_1_1_REQUIRED); | 1270 error == ERR_PROXY_HTTP_1_1_REQUIRED); |
| (...skipping 409 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1672 DCHECK(stream_request_); | 1680 DCHECK(stream_request_); |
| 1673 | 1681 |
| 1674 // Since the transaction can restart with auth credentials, it may create a | 1682 // Since the transaction can restart with auth credentials, it may create a |
| 1675 // stream more than once. Accumulate all of the connection attempts across | 1683 // stream more than once. Accumulate all of the connection attempts across |
| 1676 // those streams by appending them to the vector: | 1684 // those streams by appending them to the vector: |
| 1677 for (const auto& attempt : stream_request_->connection_attempts()) | 1685 for (const auto& attempt : stream_request_->connection_attempts()) |
| 1678 connection_attempts_.push_back(attempt); | 1686 connection_attempts_.push_back(attempt); |
| 1679 } | 1687 } |
| 1680 | 1688 |
| 1681 } // namespace net | 1689 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1304143010:
Plumbing SSLPrivateKey
Base URL: https://chromium.googlesource.com/chromium/src.git@master