OLD | NEW |
---|---|
1 // Copyright (c) 2006-2009 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2009 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code GetDefaultCertNickname(), derived from | 5 // This file includes code GetDefaultCertNickname(), derived from |
6 // nsNSSCertificate::defaultServerNickName() | 6 // nsNSSCertificate::defaultServerNickName() |
7 // in mozilla/security/manager/ssl/src/nsNSSCertificate.cpp | 7 // in mozilla/security/manager/ssl/src/nsNSSCertificate.cpp |
8 // and SSLClientSocketNSS::DoVerifyCertComplete() derived from | 8 // and SSLClientSocketNSS::DoVerifyCertComplete() derived from |
9 // AuthCertificateCallback() in | 9 // AuthCertificateCallback() in |
10 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 10 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
44 * decision by deleting the provisions above and replace them with the notice | 44 * decision by deleting the provisions above and replace them with the notice |
45 * and other provisions required by the GPL or the LGPL. If you do not delete | 45 * and other provisions required by the GPL or the LGPL. If you do not delete |
46 * the provisions above, a recipient may use your version of this file under | 46 * the provisions above, a recipient may use your version of this file under |
47 * the terms of any one of the MPL, the GPL or the LGPL. | 47 * the terms of any one of the MPL, the GPL or the LGPL. |
48 * | 48 * |
49 * ***** END LICENSE BLOCK ***** */ | 49 * ***** END LICENSE BLOCK ***** */ |
50 | 50 |
51 #include "net/socket/ssl_client_socket_nss.h" | 51 #include "net/socket/ssl_client_socket_nss.h" |
52 | 52 |
53 #include <certdb.h> | 53 #include <certdb.h> |
54 #include <key.h> | |
54 #include <nspr.h> | 55 #include <nspr.h> |
55 #include <nss.h> | 56 #include <nss.h> |
56 #include <secerr.h> | 57 #include <secerr.h> |
57 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424 | 58 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424 |
58 // until NSS 3.12.2 comes out and we update to it. | 59 // until NSS 3.12.2 comes out and we update to it. |
59 #define Lock FOO_NSS_Lock | 60 #define Lock FOO_NSS_Lock |
60 #include <ssl.h> | 61 #include <ssl.h> |
61 #include <sslerr.h> | 62 #include <sslerr.h> |
62 #include <pk11pub.h> | 63 #include <pk11pub.h> |
63 #undef Lock | 64 #undef Lock |
64 | 65 |
65 #include "base/compiler_specific.h" | 66 #include "base/compiler_specific.h" |
66 #include "base/logging.h" | 67 #include "base/logging.h" |
67 #include "base/nss_init.h" | 68 #include "base/nss_init.h" |
68 #include "base/string_util.h" | 69 #include "base/string_util.h" |
69 #include "net/base/cert_verifier.h" | 70 #include "net/base/cert_verifier.h" |
70 #include "net/base/io_buffer.h" | 71 #include "net/base/io_buffer.h" |
71 #include "net/base/net_errors.h" | 72 #include "net/base/net_errors.h" |
73 #include "net/base/ssl_cert_request_info.h" | |
72 #include "net/base/ssl_info.h" | 74 #include "net/base/ssl_info.h" |
73 #include "net/ocsp/nss_ocsp.h" | 75 #include "net/ocsp/nss_ocsp.h" |
74 | 76 |
75 static const int kRecvBufferSize = 4096; | 77 static const int kRecvBufferSize = 4096; |
76 | 78 |
77 namespace net { | 79 namespace net { |
78 | 80 |
79 // State machines are easier to debug if you log state transitions. | 81 // State machines are easier to debug if you log state transitions. |
80 // Enable these if you want to see what's going on. | 82 // Enable these if you want to see what's going on. |
81 #if 1 | 83 #if 1 |
(...skipping 111 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
193 buffer_recv_callback_(this, &SSLClientSocketNSS::BufferRecvComplete), | 195 buffer_recv_callback_(this, &SSLClientSocketNSS::BufferRecvComplete), |
194 transport_send_busy_(false), | 196 transport_send_busy_(false), |
195 transport_recv_busy_(false), | 197 transport_recv_busy_(false), |
196 io_callback_(this, &SSLClientSocketNSS::OnIOComplete), | 198 io_callback_(this, &SSLClientSocketNSS::OnIOComplete), |
197 transport_(transport_socket), | 199 transport_(transport_socket), |
198 hostname_(hostname), | 200 hostname_(hostname), |
199 ssl_config_(ssl_config), | 201 ssl_config_(ssl_config), |
200 user_connect_callback_(NULL), | 202 user_connect_callback_(NULL), |
201 user_callback_(NULL), | 203 user_callback_(NULL), |
202 user_buf_len_(0), | 204 user_buf_len_(0), |
205 client_auth_ca_names_(NULL), | |
206 client_auth_cert_needed_(false), | |
203 completed_handshake_(false), | 207 completed_handshake_(false), |
204 next_state_(STATE_NONE), | 208 next_state_(STATE_NONE), |
205 nss_fd_(NULL), | 209 nss_fd_(NULL), |
206 nss_bufs_(NULL) { | 210 nss_bufs_(NULL) { |
207 EnterFunction(""); | 211 EnterFunction(""); |
208 } | 212 } |
209 | 213 |
210 SSLClientSocketNSS::~SSLClientSocketNSS() { | 214 SSLClientSocketNSS::~SSLClientSocketNSS() { |
211 EnterFunction(""); | 215 EnterFunction(""); |
212 Disconnect(); | 216 Disconnect(); |
(...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
304 #endif | 308 #endif |
305 | 309 |
306 rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); | 310 rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); |
307 if (rv != SECSuccess) | 311 if (rv != SECSuccess) |
308 return ERR_UNEXPECTED; | 312 return ERR_UNEXPECTED; |
309 | 313 |
310 rv = SSL_AuthCertificateHook(nss_fd_, OwnAuthCertHandler, this); | 314 rv = SSL_AuthCertificateHook(nss_fd_, OwnAuthCertHandler, this); |
311 if (rv != SECSuccess) | 315 if (rv != SECSuccess) |
312 return ERR_UNEXPECTED; | 316 return ERR_UNEXPECTED; |
313 | 317 |
318 rv = SSL_GetClientAuthDataHook(nss_fd_, ClientAuthHandler, this); | |
319 if (rv != SECSuccess) | |
320 return ERR_UNEXPECTED; | |
321 | |
314 rv = SSL_HandshakeCallback(nss_fd_, HandshakeCallback, this); | 322 rv = SSL_HandshakeCallback(nss_fd_, HandshakeCallback, this); |
315 if (rv != SECSuccess) | 323 if (rv != SECSuccess) |
316 return ERR_UNEXPECTED; | 324 return ERR_UNEXPECTED; |
317 | 325 |
318 // Tell SSL the hostname we're trying to connect to. | 326 // Tell SSL the hostname we're trying to connect to. |
319 SSL_SetURL(nss_fd_, hostname_.c_str()); | 327 SSL_SetURL(nss_fd_, hostname_.c_str()); |
320 | 328 |
321 // Tell SSL we're a client; needed if not letting NSPR do socket I/O | 329 // Tell SSL we're a client; needed if not letting NSPR do socket I/O |
322 SSL_ResetHandshake(nss_fd_, 0); | 330 SSL_ResetHandshake(nss_fd_, 0); |
323 | 331 |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
356 transport_send_busy_ = false; | 364 transport_send_busy_ = false; |
357 transport_recv_busy_ = false; | 365 transport_recv_busy_ = false; |
358 user_connect_callback_ = NULL; | 366 user_connect_callback_ = NULL; |
359 user_callback_ = NULL; | 367 user_callback_ = NULL; |
360 user_buf_ = NULL; | 368 user_buf_ = NULL; |
361 user_buf_len_ = 0; | 369 user_buf_len_ = 0; |
362 server_cert_ = NULL; | 370 server_cert_ = NULL; |
363 server_cert_verify_result_.Reset(); | 371 server_cert_verify_result_.Reset(); |
364 completed_handshake_ = false; | 372 completed_handshake_ = false; |
365 nss_bufs_ = NULL; | 373 nss_bufs_ = NULL; |
374 client_auth_ca_names_ = NULL; | |
Jaime Soriano
2009/10/13 11:13:39
If client_auth_ca_names_ is freed here with CERT_F
| |
375 client_auth_cert_needed_ = false; | |
366 | 376 |
367 LeaveFunction(""); | 377 LeaveFunction(""); |
368 } | 378 } |
369 | 379 |
370 bool SSLClientSocketNSS::IsConnected() const { | 380 bool SSLClientSocketNSS::IsConnected() const { |
371 // Ideally, we should also check if we have received the close_notify alert | 381 // Ideally, we should also check if we have received the close_notify alert |
372 // message from the server, and return false in that case. We're not doing | 382 // message from the server, and return false in that case. We're not doing |
373 // that, so this function may return a false positive. Since the upper | 383 // that, so this function may return a false positive. Since the upper |
374 // layer (HttpNetworkTransaction) needs to handle a persistent connection | 384 // layer (HttpNetworkTransaction) needs to handle a persistent connection |
375 // closed by the server when we send a request anyway, a false positive in | 385 // closed by the server when we send a request anyway, a false positive in |
(...skipping 105 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
481 UpdateServerCert(); | 491 UpdateServerCert(); |
482 } | 492 } |
483 ssl_info->cert_status = server_cert_verify_result_.cert_status; | 493 ssl_info->cert_status = server_cert_verify_result_.cert_status; |
484 DCHECK(server_cert_ != NULL); | 494 DCHECK(server_cert_ != NULL); |
485 ssl_info->cert = server_cert_; | 495 ssl_info->cert = server_cert_; |
486 LeaveFunction(""); | 496 LeaveFunction(""); |
487 } | 497 } |
488 | 498 |
489 void SSLClientSocketNSS::GetSSLCertRequestInfo( | 499 void SSLClientSocketNSS::GetSSLCertRequestInfo( |
490 SSLCertRequestInfo* cert_request_info) { | 500 SSLCertRequestInfo* cert_request_info) { |
491 // TODO(wtc): implement this. | 501 CERTCertNicknames *names; |
502 void *wincx = NULL; | |
503 CERTCertificate* cert = NULL; | |
504 X509Certificate* x509_cert = NULL; | |
505 SECKEYPrivateKey* privkey = NULL; | |
506 EnterFunction(""); | |
507 | |
508 cert_request_info->host_and_port = hostname_; | |
509 cert_request_info->client_certs.clear(); | |
510 | |
511 wincx = SSL_RevealPinArg(nss_fd_); | |
512 | |
513 names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(), | |
514 SEC_CERT_NICKNAMES_USER, wincx); | |
515 | |
516 if (names != NULL) { | |
517 for (int i = 0; i < names->numnicknames; i++) { | |
518 cert = CERT_FindUserCertByUsage( | |
519 CERT_GetDefaultCertDB(), | |
520 names->nicknames[i], | |
521 certUsageSSLClient, | |
522 PR_FALSE, | |
523 wincx); | |
524 if (!cert) | |
525 continue; | |
526 // Only check unexpired certs | |
527 if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) != | |
528 secCertTimeValid ) { | |
529 CERT_DestroyCertificate(cert); | |
530 continue; | |
531 } | |
532 if (NSS_CmpCertChainWCANames(cert, client_auth_ca_names_) == SECSuccess) { | |
533 privkey = PK11_FindKeyByAnyCert(cert, wincx); | |
534 if (privkey) { | |
535 x509_cert = X509Certificate::CreateFromHandle( | |
536 cert, X509Certificate::SOURCE_LONE_CERT_IMPORT); | |
537 cert_request_info->client_certs.push_back(x509_cert); | |
538 SECKEY_DestroyPrivateKey(privkey); | |
539 continue; | |
540 } | |
541 } | |
542 CERT_DestroyCertificate(cert); | |
543 } | |
544 CERT_FreeNicknames(names); | |
545 } | |
546 LeaveFunction(cert_request_info->client_certs.size()); | |
492 } | 547 } |
493 | 548 |
494 void SSLClientSocketNSS::DoCallback(int rv) { | 549 void SSLClientSocketNSS::DoCallback(int rv) { |
495 EnterFunction(rv); | 550 EnterFunction(rv); |
496 DCHECK(rv != ERR_IO_PENDING); | 551 DCHECK(rv != ERR_IO_PENDING); |
497 DCHECK(user_callback_); | 552 DCHECK(user_callback_); |
498 | 553 |
499 // Since Run may result in Read being called, clear |user_callback_| up front. | 554 // Since Run may result in Read being called, clear |user_callback_| up front. |
500 CompletionCallback* c = user_callback_; | 555 CompletionCallback* c = user_callback_; |
501 user_callback_ = NULL; | 556 user_callback_ = NULL; |
(...skipping 182 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
684 // in full handshake mode or in resumption handshake mode. | 739 // in full handshake mode or in resumption handshake mode. |
685 SECStatus SSLClientSocketNSS::OwnAuthCertHandler(void* arg, | 740 SECStatus SSLClientSocketNSS::OwnAuthCertHandler(void* arg, |
686 PRFileDesc* socket, | 741 PRFileDesc* socket, |
687 PRBool checksig, | 742 PRBool checksig, |
688 PRBool is_server) { | 743 PRBool is_server) { |
689 // Tell NSS to not verify the certificate. | 744 // Tell NSS to not verify the certificate. |
690 return SECSuccess; | 745 return SECSuccess; |
691 } | 746 } |
692 | 747 |
693 // static | 748 // static |
749 // NSS calls this if a client certificate is needed. | |
750 // Based on Mozilla's NSS_GetClientAuthData | |
751 SECStatus SSLClientSocketNSS::ClientAuthHandler( | |
752 void* arg, | |
753 PRFileDesc* socket, | |
754 CERTDistNames* ca_names, | |
755 CERTCertificate** result_certificate, | |
756 SECKEYPrivateKey** result_private_key) { | |
757 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); | |
758 CERTCertificate* cert = NULL; | |
759 SECKEYPrivateKey* privkey = NULL; | |
760 PRArenaPool* arena = NULL; | |
761 CERTDistNames* ca_names_copy = NULL; | |
762 void *wincx = NULL; | |
763 | |
764 wincx = SSL_RevealPinArg(socket); | |
765 | |
766 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; | |
767 | |
768 // Second pass, a client certificate should have been selected | |
769 if (that->ssl_config_.send_client_cert) { | |
770 if (that->ssl_config_.client_cert) { | |
771 cert = CERT_DupCertificate( | |
772 that->ssl_config_.client_cert->os_cert_handle()); | |
773 if (cert) { | |
774 privkey = PK11_FindKeyByAnyCert(cert, wincx); | |
775 if (privkey) { | |
776 // TODO(jsorianopastor): We should wait for server certificate | |
777 // verification before sending our credentials. | |
778 // (http://code.google.com/p/chromium/issues/detail?id=13934) | |
779 result_certificate[0] = cert; | |
780 result_private_key[0] = privkey; | |
781 return SECSuccess; | |
782 } else { | |
783 LOG(WARNING) << "Client cert found without private key"; | |
784 } | |
785 } else { | |
786 LOG(WARNING) << "Invalid client cert to send"; | |
787 } | |
788 } | |
789 // If not, client authentication failed | |
790 return SECFailure; | |
791 } | |
792 | |
793 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
794 ca_names_copy = PORT_ArenaZNew(arena, CERTDistNames); | |
795 | |
796 ca_names_copy->arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
797 ca_names_copy->head = NULL; | |
798 ca_names_copy->nnames = ca_names->nnames; | |
799 ca_names_copy->names = SECITEM_ArenaDupItem(arena, ca_names->names); | |
800 | |
801 that->client_auth_ca_names_ = ca_names_copy; | |
Jaime Soriano
2009/10/13 11:13:39
I'm not sure if this is the correct way to duplica
| |
802 return SECFailure; | |
803 } | |
804 | |
805 // static | |
694 // NSS calls this when handshake is completed. | 806 // NSS calls this when handshake is completed. |
695 // After the SSL handshake is finished, use CertVerifier to verify | 807 // After the SSL handshake is finished, use CertVerifier to verify |
696 // the saved server certificate. | 808 // the saved server certificate. |
697 void SSLClientSocketNSS::HandshakeCallback(PRFileDesc* socket, | 809 void SSLClientSocketNSS::HandshakeCallback(PRFileDesc* socket, |
698 void* arg) { | 810 void* arg) { |
699 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); | 811 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); |
700 | 812 |
701 that->UpdateServerCert(); | 813 that->UpdateServerCert(); |
702 } | 814 } |
703 | 815 |
704 int SSLClientSocketNSS::DoHandshakeRead() { | 816 int SSLClientSocketNSS::DoHandshakeRead() { |
705 EnterFunction(""); | 817 EnterFunction(""); |
706 int net_error = net::OK; | 818 int net_error = net::OK; |
707 int rv = SSL_ForceHandshake(nss_fd_); | 819 int rv = SSL_ForceHandshake(nss_fd_); |
708 | 820 |
709 if (rv == SECSuccess) { | 821 if (rv == SECSuccess) { |
710 // SSL handshake is completed. Let's verify the certificate. | 822 if (client_auth_cert_needed_) { |
711 GotoState(STATE_VERIFY_CERT); | 823 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
712 // Done! | 824 if (SECSuccess != SSL_ReHandshake(nss_fd_, PR_TRUE)) { |
Jaime Soriano
2009/10/13 11:13:39
I tried to remove this, but then it didn't request
| |
825 LOG(WARNING) << "Couldn't restart handshake: " << PR_GetError(); | |
826 } | |
827 } else { | |
828 // SSL handshake is completed. Let's verify the certificate. | |
829 GotoState(STATE_VERIFY_CERT); | |
830 // Done! | |
831 } | |
713 } else { | 832 } else { |
714 PRErrorCode prerr = PR_GetError(); | 833 PRErrorCode prerr = PR_GetError(); |
715 | 834 |
716 // If the server closed on us, it is a protocol error. | 835 // If the server closed on us, it is a protocol error. |
717 // Some TLS-intolerant servers do this when we request TLS. | 836 // Some TLS-intolerant servers do this when we request TLS. |
718 if (prerr == PR_END_OF_FILE_ERROR) { | 837 if (prerr == PR_END_OF_FILE_ERROR) { |
719 net_error = ERR_SSL_PROTOCOL_ERROR; | 838 net_error = ERR_SSL_PROTOCOL_ERROR; |
720 } else { | 839 } else { |
721 net_error = NetErrorFromNSPRError(prerr); | 840 net_error = NetErrorFromNSPRError(prerr); |
722 } | 841 } |
(...skipping 120 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
843 if (prerr == PR_WOULD_BLOCK_ERROR) { | 962 if (prerr == PR_WOULD_BLOCK_ERROR) { |
844 GotoState(STATE_PAYLOAD_WRITE); | 963 GotoState(STATE_PAYLOAD_WRITE); |
845 return ERR_IO_PENDING; | 964 return ERR_IO_PENDING; |
846 } | 965 } |
847 user_buf_ = NULL; | 966 user_buf_ = NULL; |
848 LeaveFunction(""); | 967 LeaveFunction(""); |
849 return NetErrorFromNSPRError(prerr); | 968 return NetErrorFromNSPRError(prerr); |
850 } | 969 } |
851 | 970 |
852 } // namespace net | 971 } // namespace net |
OLD | NEW |