net/socket/ssl_server_socket_openssl.cc - Issue 1474983003: Support for client certs in ssl_server_socket.

Side by Side Diff: net/socket/ssl_server_socket_openssl.cc

Issue 1474983003: Support for client certs in ssl_server_socket. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Addresses reviewer comments Created 5 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/socket/ssl_server_socket_openssl.h"	5 #include "net/socket/ssl_server_socket_openssl.h"

6	6

7 #include <openssl/err.h>	7 #include <openssl/err.h>

8 #include <openssl/ssl.h>	8 #include <openssl/ssl.h>

9	9

10 #include "base/callback_helpers.h"	10 #include "base/callback_helpers.h"

11 #include "base/logging.h"	11 #include "base/logging.h"

12 #include "base/strings/string_util.h"	12 #include "base/strings/string_util.h"

13 #include "crypto/openssl_util.h"	13 #include "crypto/openssl_util.h"

14 #include "crypto/rsa_private_key.h"	14 #include "crypto/rsa_private_key.h"

15 #include "crypto/scoped_openssl_types.h"	15 #include "crypto/scoped_openssl_types.h"

16 #include "net/base/net_errors.h"	16 #include "net/base/net_errors.h"

	17 #include "net/cert/cert_verify_result.h"

	18 #include "net/cert/client_cert_verifier.h"

	19 #include "net/cert/x509_util_openssl.h"

17 #include "net/ssl/openssl_ssl_util.h"	20 #include "net/ssl/openssl_ssl_util.h"

18 #include "net/ssl/scoped_openssl_types.h"	21 #include "net/ssl/scoped_openssl_types.h"

	22 #include "net/ssl/ssl_connection_status_flags.h"

	23 #include "net/ssl/ssl_info.h"

19	24

20 #define GotoState(s) next_handshake_state_ = s	25 #define GotoState(s) next_handshake_state_ = s

21	26

22 namespace net {	27 namespace net {

23	28

	29 namespace {

	30

	31 scoped_refptr<X509Certificate> CreateX509Certificate(X509* cert,

	32 STACK_OF(X509) * chain) {

	33 std::vector<base::StringPiece> der_chain;

	34 base::StringPiece der_cert;

	35 scoped_refptr<X509Certificate> client_cert;

	36 if (cert) {

	37 if (!x509_util::GetDER(cert, &der_cert))

	38 return client_cert;

	39 der_chain.push_back(der_cert);

	40 }

	41

	42 ScopedX509_STACK openssl_chain(X509_chain_up_ref(chain));

	43 for (size_t i = 0; i < sk_X509_num(openssl_chain.get()); ++i) {

	44 X509* x = sk_X509_value(openssl_chain.get(), i);

	45 if (x509_util::GetDER(x, &der_cert)) {

	46 der_chain.push_back(der_cert);

	47 } else {

	48 return nullptr;

	49 }

	50 }

	51

	52 return X509Certificate::CreateFromDERCertChain(der_chain);

	53 }

	54

	55 } // namespace

	56

24 void EnableSSLServerSockets() {	57 void EnableSSLServerSockets() {

25 // No-op because CreateSSLServerSocket() calls crypto::EnsureOpenSSLInit().	58 // No-op because CreateSSLServerSocket() calls crypto::EnsureOpenSSLInit().

26 }	59 }

27	60

28 scoped_ptr<SSLServerSocket> CreateSSLServerSocket(	61 scoped_ptr<SSLServerSocket> CreateSSLServerSocket(

29 scoped_ptr<StreamSocket> socket,	62 scoped_ptr<StreamSocket> socket,

30 X509Certificate* certificate,	63 X509Certificate* certificate,

31 crypto::RSAPrivateKey* key,	64 crypto::RSAPrivateKey* key,

32 const SSLServerConfig& ssl_config) {	65 const SSLServerConfig& ssl_server_config) {

33 crypto::EnsureOpenSSLInit();	66 crypto::EnsureOpenSSLInit();

34 return scoped_ptr<SSLServerSocket>(	67 return scoped_ptr<SSLServerSocket>(new SSLServerSocketOpenSSL(

35 new SSLServerSocketOpenSSL(socket.Pass(), certificate, key, ssl_config));	68 socket.Pass(), certificate, key, ssl_server_config));

36 }	69 }

37	70

38 SSLServerSocketOpenSSL::SSLServerSocketOpenSSL(	71 SSLServerSocketOpenSSL::SSLServerSocketOpenSSL(

39 scoped_ptr<StreamSocket> transport_socket,	72 scoped_ptr<StreamSocket> transport_socket,

40 scoped_refptr<X509Certificate> certificate,	73 scoped_refptr<X509Certificate> certificate,

41 crypto::RSAPrivateKey* key,	74 crypto::RSAPrivateKey* key,

42 const SSLServerConfig& ssl_config)	75 const SSLServerConfig& ssl_server_config)

43 : transport_send_busy_(false),	76 : transport_send_busy_(false),

44 transport_recv_busy_(false),	77 transport_recv_busy_(false),

45 transport_recv_eof_(false),	78 transport_recv_eof_(false),

46 user_read_buf_len_(0),	79 user_read_buf_len_(0),

47 user_write_buf_len_(0),	80 user_write_buf_len_(0),

48 transport_write_error_(OK),	81 transport_write_error_(OK),

49 ssl_(NULL),	82 ssl_(NULL),

50 transport_bio_(NULL),	83 transport_bio_(NULL),

51 transport_socket_(transport_socket.Pass()),	84 transport_socket_(transport_socket.Pass()),

52 ssl_config_(ssl_config),	85 ssl_server_config_(ssl_server_config),

53 cert_(certificate),	86 cert_(certificate),

54 next_handshake_state_(STATE_NONE),	87 next_handshake_state_(STATE_NONE),

55 completed_handshake_(false) {	88 completed_handshake_(false) {

56 // TODO(byungchul): Need a better way to clone a key.	89 // TODO(byungchul): Need a better way to clone a key.

57 std::vector<uint8> key_bytes;	90 std::vector<uint8> key_bytes;

58 CHECK(key->ExportPrivateKey(&key_bytes));	91 CHECK(key->ExportPrivateKey(&key_bytes));

59 key_.reset(crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(key_bytes));	92 key_.reset(crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(key_bytes));

60 CHECK(key_.get());	93 CHECK(key_.get());

61 }	94 }

62	95

(...skipping 173 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
236 bool SSLServerSocketOpenSSL::WasNpnNegotiated() const {	269 bool SSLServerSocketOpenSSL::WasNpnNegotiated() const {

237 NOTIMPLEMENTED();	270 NOTIMPLEMENTED();

238 return false;	271 return false;

239 }	272 }

240	273

241 NextProto SSLServerSocketOpenSSL::GetNegotiatedProtocol() const {	274 NextProto SSLServerSocketOpenSSL::GetNegotiatedProtocol() const {

242 // NPN is not supported by this class.	275 // NPN is not supported by this class.

243 return kProtoUnknown;	276 return kProtoUnknown;

244 }	277 }

245	278

246 bool SSLServerSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) {	279 bool SSLServerSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) {
	Ryan Sleevi 2015/12/17 03:47:36 I'm pretty sure this is just a wrong interface for I'm pretty sure this is just a wrong interface for server sockets. It doesn't make sense when so much of SSLInfo is client-socket specific. ryanchung 2015/12/18 00:00:55 Should this be in a new interface like GetSSLServe Show quoted text On 2015/12/17 03:47:36, Ryan Sleevi wrote: > I'm pretty sure this is just a wrong interface for server sockets. It doesn't > make sense when so much of SSLInfo is client-socket specific. Should this be in a new interface like GetSSLServerInfo(SSLServerInfo*) where SSLServerInfo only has the server related info?
247 NOTIMPLEMENTED();	280 ssl_info->Reset();

248 return false;	281 if (!completed_handshake_) {

	282 return false;

	283 }
	Ryan Sleevi 2015/12/17 03:47:35 nit: We don't do braces for one-line if's in //net nit: We don't do braces for one-line if's in //net nit 2: Extra newline between return false and ExtractClientCert ryanchung 2015/12/18 00:00:55 Done. Show quoted text On 2015/12/17 03:47:35, Ryan Sleevi wrote: > nit: We don't do braces for one-line if's in //net > nit 2: Extra newline between return false and ExtractClientCert Done.
	284 ExtractClientCert();

	285 ssl_info->cert = client_cert_;

	286

	287 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_);

	288 CHECK(cipher);

	289 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL);

	290

	291 SSLConnectionStatusSetCipherSuite(

	292 static_cast<uint16>(SSL_CIPHER_get_id(cipher)),

	293 &ssl_info->connection_status);

	294 SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_),

	295 &ssl_info->connection_status);

	296

	297 if (!SSL_get_secure_renegotiation_support(ssl_))

	298 ssl_info->connection_status \|= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;

	299

	300 ssl_info->handshake_type = SSL_session_reused(ssl_)

	301 ? SSLInfo::HANDSHAKE_RESUME

	302 : SSLInfo::HANDSHAKE_FULL;

	303

	304 return true;

249 }	305 }

250	306

251 void SSLServerSocketOpenSSL::GetConnectionAttempts(	307 void SSLServerSocketOpenSSL::GetConnectionAttempts(

252 ConnectionAttempts* out) const {	308 ConnectionAttempts* out) const {

253 out->clear();	309 out->clear();

254 }	310 }

255	311

256 int64_t SSLServerSocketOpenSSL::GetTotalReceivedBytes() const {	312 int64_t SSLServerSocketOpenSSL::GetTotalReceivedBytes() const {

257 return transport_socket_->GetTotalReceivedBytes();	313 return transport_socket_->GetTotalReceivedBytes();

258 }	314 }

(...skipping 302 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
561 return rv;	617 return rv;

562 }	618 }

563	619

564 int SSLServerSocketOpenSSL::DoHandshake() {	620 int SSLServerSocketOpenSSL::DoHandshake() {

565 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);	621 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);

566 int net_error = OK;	622 int net_error = OK;

567 int rv = SSL_do_handshake(ssl_);	623 int rv = SSL_do_handshake(ssl_);

568	624

569 if (rv == 1) {	625 if (rv == 1) {

570 completed_handshake_ = true;	626 completed_handshake_ = true;

	627 ExtractClientCert();
	Ryan Sleevi 2015/12/17 03:47:35 This feels weird, in that it leaves multiple place This feels weird, in that it leaves multiple places for client_cert_ to be assigned. Why is that? I would logically expect it to just happen in the handshake. ryanchung 2015/12/18 00:00:55 This was supposed to be the only place this is cal Show quoted text On 2015/12/17 03:47:35, Ryan Sleevi wrote: > This feels weird, in that it leaves multiple places for client_cert_ to be > assigned. Why is that? I would logically expect it to just happen in the > handshake. This was supposed to be the only place this is called. I missed removing the call in GetSSLInfo(). Sorry.
571 } else {	628 } else {

572 int ssl_error = SSL_get_error(ssl_, rv);	629 int ssl_error = SSL_get_error(ssl_, rv);

573 OpenSSLErrorInfo error_info;	630 OpenSSLErrorInfo error_info;

574 net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);	631 net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);

575	632

	633 // This hack is necessary because the mapping of SSL error codes to

	634 // net_errors assumes (correctly for client sockets, but erroneously for

	635 // server sockets) that peer cert verification failure can only occur if

	636 // the cert changed during a renego. crbug.com/570351

	637 if (net_error == ERR_SSL_SERVER_CERT_CHANGED)

	638 net_error = ERR_BAD_SSL_CLIENT_AUTH_CERT;

	639

576 // If not done, stay in this state	640 // If not done, stay in this state

577 if (net_error == ERR_IO_PENDING) {	641 if (net_error == ERR_IO_PENDING) {

578 GotoState(STATE_HANDSHAKE);	642 GotoState(STATE_HANDSHAKE);

579 } else {	643 } else {

580 LOG(ERROR) << "handshake failed; returned " << rv	644 LOG(ERROR) << "handshake failed; returned " << rv

581 << ", SSL error code " << ssl_error	645 << ", SSL error code " << ssl_error

582 << ", net_error " << net_error;	646 << ", net_error " << net_error;

583 net_log_.AddEvent(	647 net_log_.AddEvent(

584 NetLog::TYPE_SSL_HANDSHAKE_ERROR,	648 NetLog::TYPE_SSL_HANDSHAKE_ERROR,

585 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info));	649 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info));

(...skipping 25 matching lines...) Expand all Loading...
611 ResetAndReturn(&user_write_callback_).Run(rv);	675 ResetAndReturn(&user_write_callback_).Run(rv);

612 }	676 }

613	677

614 int SSLServerSocketOpenSSL::Init() {	678 int SSLServerSocketOpenSSL::Init() {

615 DCHECK(!ssl_);	679 DCHECK(!ssl_);

616 DCHECK(!transport_bio_);	680 DCHECK(!transport_bio_);

617	681

618 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);	682 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);

619	683

620 ScopedSSL_CTX ssl_ctx(SSL_CTX_new(SSLv23_server_method()));	684 ScopedSSL_CTX ssl_ctx(SSL_CTX_new(SSLv23_server_method()));

621	685 if (ssl_server_config_.require_client_cert)

622 if (ssl_config_.require_client_cert)	686 SSL_CTX_set_verify(ssl_ctx.get(),

623 SSL_CTX_set_verify(ssl_ctx.get(), SSL_VERIFY_PEER, NULL);	687 SSL_VERIFY_PEER \| SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
	Ryan Sleevi 2015/12/17 03:47:36 Ironically, you should use braces here, even thoug Ironically, you should use braces here, even though it's multi-line in the parenthesis. ryanchung 2015/12/18 00:00:55 Done. Show quoted text On 2015/12/17 03:47:36, Ryan Sleevi wrote: > Ironically, you should use braces here, even though it's multi-line in the > parenthesis. Done.
624	688 SSL_CTX_set_cert_verify_callback(ssl_ctx.get(), CertVerifyCallback,

	689 ssl_server_config_.client_cert_verifier);

625 ssl_ = SSL_new(ssl_ctx.get());	690 ssl_ = SSL_new(ssl_ctx.get());

626 if (!ssl_)	691 if (!ssl_)

627 return ERR_UNEXPECTED;	692 return ERR_UNEXPECTED;

628	693

629 BIO* ssl_bio = NULL;	694 BIO* ssl_bio = NULL;

630 // 0 => use default buffer sizes.	695 // 0 => use default buffer sizes.

631 if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_, 0))	696 if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_, 0))

632 return ERR_UNEXPECTED;	697 return ERR_UNEXPECTED;

633 DCHECK(ssl_bio);	698 DCHECK(ssl_bio);

634 DCHECK(transport_bio_);	699 DCHECK(transport_bio_);

(...skipping 26 matching lines...) Expand all Loading...
661 return ERR_UNEXPECTED;	726 return ERR_UNEXPECTED;

662 }	727 }

663 #endif // USE_OPENSSL_CERTS	728 #endif // USE_OPENSSL_CERTS

664	729

665 DCHECK(key_->key());	730 DCHECK(key_->key());

666 if (SSL_use_PrivateKey(ssl_, key_->key()) != 1) {	731 if (SSL_use_PrivateKey(ssl_, key_->key()) != 1) {

667 LOG(ERROR) << "Cannot set private key.";	732 LOG(ERROR) << "Cannot set private key.";

668 return ERR_UNEXPECTED;	733 return ERR_UNEXPECTED;

669 }	734 }

670	735

671 DCHECK_LT(SSL3_VERSION, ssl_config_.version_min);	736 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_min);

672 DCHECK_LT(SSL3_VERSION, ssl_config_.version_max);	737 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_max);

673 SSL_set_min_version(ssl_, ssl_config_.version_min);	738 SSL_set_min_version(ssl_, ssl_server_config_.version_min);

674 SSL_set_max_version(ssl_, ssl_config_.version_max);	739 SSL_set_max_version(ssl_, ssl_server_config_.version_max);

675	740

676 // OpenSSL defaults some options to on, others to off. To avoid ambiguity,	741 // OpenSSL defaults some options to on, others to off. To avoid ambiguity,

677 // set everything we care about to an absolute value.	742 // set everything we care about to an absolute value.

678 SslSetClearMask options;	743 SslSetClearMask options;

679 options.ConfigureFlag(SSL_OP_NO_COMPRESSION, true);	744 options.ConfigureFlag(SSL_OP_NO_COMPRESSION, true);

680	745

681 SSL_set_options(ssl_, options.set_mask);	746 SSL_set_options(ssl_, options.set_mask);

682 SSL_clear_options(ssl_, options.clear_mask);	747 SSL_clear_options(ssl_, options.clear_mask);

683	748

684 // Same as above, this time for the SSL mode.	749 // Same as above, this time for the SSL mode.

685 SslSetClearMask mode;	750 SslSetClearMask mode;

686	751

687 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true);	752 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true);

688	753

689 SSL_set_mode(ssl_, mode.set_mask);	754 SSL_set_mode(ssl_, mode.set_mask);

690 SSL_clear_mode(ssl_, mode.clear_mask);	755 SSL_clear_mode(ssl_, mode.clear_mask);

691	756

692 // See SSLServerConfig::disabled_cipher_suites for description of the suites	757 // See SSLServerConfig::disabled_cipher_suites for description of the suites

693 // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256	758 // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256

694 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384	759 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384

695 // as the handshake hash.	760 // as the handshake hash.

696 std::string command("DEFAULT:!SHA256:!SHA384:!AESGCM+AES256:!aPSK");	761 std::string command("DEFAULT:!SHA256:!SHA384:!AESGCM+AES256:!aPSK");

697	762

698 if (ssl_config_.require_ecdhe)	763 if (ssl_server_config_.require_ecdhe)

699 command.append(":!kRSA:!kDHE");	764 command.append(":!kRSA:!kDHE");

700	765

701 // Remove any disabled ciphers.	766 // Remove any disabled ciphers.

702 for (uint16_t id : ssl_config_.disabled_cipher_suites) {	767 for (uint16_t id : ssl_server_config_.disabled_cipher_suites) {

703 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id);	768 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id);

704 if (cipher) {	769 if (cipher) {

705 command.append(":!");	770 command.append(":!");

706 command.append(SSL_CIPHER_get_name(cipher));	771 command.append(SSL_CIPHER_get_name(cipher));

707 }	772 }

708 }	773 }

709	774

710 int rv = SSL_set_cipher_list(ssl_, command.c_str());	775 int rv = SSL_set_cipher_list(ssl_, command.c_str());

711 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL.	776 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL.

712 // This will almost certainly result in the socket failing to complete the	777 // This will almost certainly result in the socket failing to complete the

713 // handshake at which point the appropriate error is bubbled up to the client.	778 // handshake at which point the appropriate error is bubbled up to the client.

714 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command	779 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command

715 << "') returned " << rv;	780 << "') returned " << rv;

716	781

	782 if (ssl_server_config_.require_client_cert) {

	783 if (!ssl_server_config_.client_cert_ca_list.empty()) {
	Ryan Sleevi 2015/12/17 03:47:36 Could you combine these two conditionals? Could you combine these two conditionals? ryanchung 2015/12/18 00:00:55 Done. Show quoted text On 2015/12/17 03:47:36, Ryan Sleevi wrote: > Could you combine these two conditionals? Done.
	784 ScopedX509_NAME_STACK stack(sk_X509_NAME_new_null());

	785 for (const auto& certificate : ssl_server_config_.client_cert_ca_list) {

	786 ScopedX509 ca_cert =

	787 OSCertHandleToOpenSSL(certificate->os_cert_handle());

	788 ScopedX509_NAME subj(X509_NAME_dup(ca_cert->cert_info->subject));

	789 sk_X509_NAME_push(stack.get(), subj.release());

	790 }

	791 SSL_set_client_CA_list(ssl_, stack.release());

	792 }

	793 }

	794

717 return OK;	795 return OK;

718 }	796 }

719	797

	798 void SSLServerSocketOpenSSL::ExtractClientCert() {

	799 X509* cert = SSL_get_peer_certificate(ssl_);

	800 STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl_);

	801 client_cert_ = CreateX509Certificate(cert, chain);

	802 }
	Ryan Sleevi 2015/12/17 03:47:36 This feels like a weird API contract; why not just This feels like a weird API contract; why not just do something like namespace { scoped_refptr<X509Certificate> GetClientCert(SSL* ssl) { ... } } and in DoHandshake something like client_cert_ = GetClientCert(ssl_) ryanchung 2015/12/18 00:00:55 Done. Show quoted text On 2015/12/17 03:47:36, Ryan Sleevi wrote: > This feels like a weird API contract; why not just do something like > > namespace { > scoped_refptr<X509Certificate> GetClientCert(SSL* ssl) { > ... > } > } > > and in DoHandshake something like > > client_cert_ = GetClientCert(ssl_) Done.
	803

	804 // static

	805 int SSLServerSocketOpenSSL::CertVerifyCallback(X509_STORE_CTX* store_ctx,

	806 void* arg) {

	807 ClientCertVerifier* verifier = reinterpret_cast<ClientCertVerifier*>(arg);

	808 // If a verifier was not supplied, all certificates are accepted.

	809 if (!verifier)

	810 return 1;

	811 SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(

	812 store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));

	813 DCHECK(ssl);

	814 STACK_OF(X509)* chain = store_ctx->untrusted;

	815 scoped_refptr<X509Certificate> client_cert(

	816 CreateX509Certificate(nullptr, chain));

	817

	818 int res = verifier->Verify(client_cert.get());

	819 if (res == OK) {
	Ryan Sleevi 2015/12/17 03:47:36 DESIGN: Please handle errors first, which will red DESIGN: Please handle errors first, which will reduce indentation if (res != OK) { X509_STORE_CTX_set_error(...); return 0; } return 1; ryanchung 2015/12/18 00:00:55 Done. Show quoted text On 2015/12/17 03:47:36, Ryan Sleevi wrote: > DESIGN: Please handle errors first, which will reduce indentation > > if (res != OK) { > X509_STORE_CTX_set_error(...); > return 0; > } > > return 1; Done.
	820 return 1;

	821 } else {

	822 X509_STORE_CTX_set_error(store_ctx, X509_V_ERR_CERT_REJECTED);

	823 return 0;

	824 }

	825 }

	826

720 } // namespace net	827 } // namespace net

OLD	NEW

« net/cert/client_cert_verifier.h ('K') | « net/socket/ssl_server_socket_openssl.h ('k') | net/socket/ssl_server_socket_unittest.cc » ('j') | net/socket/ssl_server_socket_unittest.cc » ('J')