1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
836 memio_Private* buffers) { | 836 memio_Private* buffers) { |
837 DCHECK(OnNetworkTaskRunner()); | 837 DCHECK(OnNetworkTaskRunner()); |
838 DCHECK(!nss_fd_); | 838 DCHECK(!nss_fd_); |
839 DCHECK(!nss_bufs_); | 839 DCHECK(!nss_bufs_); |
840 | 840 |
841 nss_fd_ = socket; | 841 nss_fd_ = socket; |
842 nss_bufs_ = buffers; | 842 nss_bufs_ = buffers; |
843 | 843 |
844 SECStatus rv = SECSuccess; | 844 SECStatus rv = SECSuccess; |
845 | 845 |
846 if (!ssl_config_.next_protos.empty()) { | 846 if (!ssl_config_.alpn_protos.empty()) { |
847 NextProtoVector next_protos = ssl_config_.next_protos; | 847 NextProtoVector alpn_protos = ssl_config_.alpn_protos; |
848 // TODO(bnc): Check ssl_config_.disabled_cipher_suites. | 848 // TODO(bnc): Check ssl_config_.disabled_cipher_suites. |
849 if (!IsTLSVersionAdequateForHTTP2(ssl_config_)) | 849 if (!IsTLSVersionAdequateForHTTP2(ssl_config_)) |
850 DisableHTTP2(&next_protos); | 850 DisableHTTP2(&alpn_protos); |
851 // |ssl_config_| has fallback protocol at the end of the list, but NSS | 851 // |ssl_config_| has fallback protocol at the end of the list, but NSS |
852 // expects fallback at the first place, thus protocols need to be reordered. | 852 // expects fallback at the first place, thus protocols need to be reordered. |
853 ReorderNextProtos(&next_protos); | 853 ReorderNextProtos(&alpn_protos); |
854 std::vector<uint8_t> wire_protos = SerializeNextProtos(next_protos); | 854 // NSS only supports a single protocol vector to be used with ALPN and NPN. |
| 855 // Because of this limitation, |alpn_prototos| will be used for both. |
| 856 // However, it is possible to enable ALPN and NPN separately. |
| 857 std::vector<uint8_t> wire_protos = SerializeNextProtos(alpn_protos); |
855 rv = SSL_SetNextProtoNego( | 858 rv = SSL_SetNextProtoNego( |
856 nss_fd_, wire_protos.empty() ? NULL : &wire_protos[0], | 859 nss_fd_, wire_protos.empty() ? NULL : &wire_protos[0], |
857 wire_protos.size()); | 860 wire_protos.size()); |
858 if (rv != SECSuccess) | 861 if (rv != SECSuccess) |
859 LogFailedNSSFunction(*weak_net_log_, "SSL_SetNextProtoNego", ""); | 862 LogFailedNSSFunction(*weak_net_log_, "SSL_SetNextProtoNego", ""); |
860 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_ALPN, PR_TRUE); | 863 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_ALPN, PR_TRUE); |
861 if (rv != SECSuccess) | 864 if (rv != SECSuccess) |
862 LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_ALPN"); | 865 LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_ALPN"); |
863 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, PR_TRUE); | 866 if (!ssl_config_.npn_protos.empty()) { |
864 if (rv != SECSuccess) | 867 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, PR_TRUE); |
865 LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_NPN"); | 868 if (rv != SECSuccess) |
| 869 LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_NPN"); |
| 870 } |
866 } | 871 } |
867 | 872 |
868 rv = SSL_AuthCertificateHook( | 873 rv = SSL_AuthCertificateHook( |
869 nss_fd_, SSLClientSocketNSS::Core::OwnAuthCertHandler, this); | 874 nss_fd_, SSLClientSocketNSS::Core::OwnAuthCertHandler, this); |
870 if (rv != SECSuccess) { | 875 if (rv != SECSuccess) { |
871 LogFailedNSSFunction(*weak_net_log_, "SSL_AuthCertificateHook", ""); | 876 LogFailedNSSFunction(*weak_net_log_, "SSL_AuthCertificateHook", ""); |
872 return false; | 877 return false; |
873 } | 878 } |
874 | 879 |
875 rv = SSL_GetClientAuthDataHook( | 880 rv = SSL_GetClientAuthDataHook( |
3184 return channel_id_service_; | 3189 return channel_id_service_; |
3185 } | 3190 } |
3186 | 3191 |
3187 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const { | 3192 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const { |
3188 if (completed_handshake_) | 3193 if (completed_handshake_) |
3189 return SSL_FAILURE_NONE; | 3194 return SSL_FAILURE_NONE; |
3190 return SSL_FAILURE_UNKNOWN; | 3195 return SSL_FAILURE_UNKNOWN; |
3191 } | 3196 } |
3192 | 3197 |
3193 } // namespace net | 3198 } // namespace net |
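Review bot: An NPN-only configuration is silently dropped: the `SSL_ENABLE_NPN` block at new lines 866-870 is nested inside `if (!ssl_config_.alpn_protos.empty())` (new line 846), so when `alpn_protos` is empty and `npn_protos` is not, neither `SSL_SetNextProtoNego` nor the NPN option is ever set, which contradicts the comment at new lines 855-857 saying ALPN and NPN can be enabled separately. The contents of `ssl_config_.npn_protos` are also never consulted, so a caller that configures a different NPN list gets the ALPN list (after `DisableHTTP2`/`ReorderNextProtos`) advertised for NPN instead; if that is deliberate, a check such as `DCHECK(ssl_config_.npn_protos.empty() || ssl_config_.npn_protos == ssl_config_.alpn_protos);` next to that comment would enforce the limitation rather than only document it (assuming NextProtoVector is equality-comparable). If NPN-only is meant to work, the outer condition should cover both lists and the ALPN enable should be gated on its own list, as sketched below, so that `DisableHTTP2` and `ReorderNextProtos` apply to whichever list is actually sent. The comment at new line 856 also misspells the variable as `|alpn_prototos|`; it should read `|alpn_protos|`. The enclosing function begins before the hunk (only its last parameter is visible at line 836) and continues past it.
```cpp
  if (!ssl_config_.alpn_protos.empty() || !ssl_config_.npn_protos.empty()) {
    // NSS has a single protocol list shared by ALPN and NPN; prefer the ALPN
    // list and fall back to the NPN list when only NPN is configured.
    NextProtoVector alpn_protos = ssl_config_.alpn_protos.empty()
                                      ? ssl_config_.npn_protos
                                      : ssl_config_.alpn_protos;
    // … unchanged: DisableHTTP2 / ReorderNextProtos / SerializeNextProtos / SSL_SetNextProtoNego …
    if (!ssl_config_.alpn_protos.empty()) {
      rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_ALPN, PR_TRUE);
      if (rv != SECSuccess)
        LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_ALPN");
    }
    // … unchanged: SSL_ENABLE_NPN block …
  }
```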