OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 693 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
704 CERTCertificate** result_nss_certificate, | 704 CERTCertificate** result_nss_certificate, |
705 SECKEYPrivateKey** result_nss_private_key); | 705 SECKEYPrivateKey** result_nss_private_key); |
706 #else | 706 #else |
707 static SECStatus ClientAuthHandler(void* arg, | 707 static SECStatus ClientAuthHandler(void* arg, |
708 PRFileDesc* socket, | 708 PRFileDesc* socket, |
709 CERTDistNames* ca_names, | 709 CERTDistNames* ca_names, |
710 CERTCertificate** result_certificate, | 710 CERTCertificate** result_certificate, |
711 SECKEYPrivateKey** result_private_key); | 711 SECKEYPrivateKey** result_private_key); |
712 #endif | 712 #endif |
713 | 713 |
714 // Called by NSS once the handshake has completed. | 714 // Called once the handshake has completed. |
715 void HandshakeSucceeded(); | |
716 | |
717 // Called by NSS to determine if we can false start. | |
agl
2013/09/13 15:03:29
In other comments, "false start" is written as "Fa
wtc
2013/09/18 22:57:23
Done.
| |
715 // |arg| contains a pointer to the current SSLClientSocketNSS::Core. | 718 // |arg| contains a pointer to the current SSLClientSocketNSS::Core. |
716 static void HandshakeCallback(PRFileDesc* socket, void* arg); | 719 static SECStatus CanFalseStartCallback(PRFileDesc* socket, |
720 void* arg, | |
721 PRBool* can_false_start); | |
717 | 722 |
718 // Handles an NSS error generated while handshaking or performing IO. | 723 // Handles an NSS error generated while handshaking or performing IO. |
719 // Returns a network error code mapped from the original NSS error. | 724 // Returns a network error code mapped from the original NSS error. |
720 int HandleNSSError(PRErrorCode error, bool handshake_error); | 725 int HandleNSSError(PRErrorCode error, bool handshake_error); |
721 | 726 |
722 int DoHandshakeLoop(int last_io_result); | 727 int DoHandshakeLoop(int last_io_result); |
723 int DoReadLoop(int result); | 728 int DoReadLoop(int result); |
724 int DoWriteLoop(int result); | 729 int DoWriteLoop(int result); |
725 | 730 |
726 int DoHandshake(); | 731 int DoHandshake(); |
(...skipping 132 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
859 std::vector<std::string> predicted_certs_; | 864 std::vector<std::string> predicted_certs_; |
860 | 865 |
861 State next_handshake_state_; | 866 State next_handshake_state_; |
862 | 867 |
863 // True if channel ID extension was negotiated. | 868 // True if channel ID extension was negotiated. |
864 bool channel_id_xtn_negotiated_; | 869 bool channel_id_xtn_negotiated_; |
865 // True if the handshake state machine was interrupted for channel ID. | 870 // True if the handshake state machine was interrupted for channel ID. |
866 bool channel_id_needed_; | 871 bool channel_id_needed_; |
867 // True if the handshake state machine was interrupted for client auth. | 872 // True if the handshake state machine was interrupted for client auth. |
868 bool client_auth_cert_needed_; | 873 bool client_auth_cert_needed_; |
869 // True if NSS has called HandshakeCallback. | |
870 bool handshake_callback_called_; | |
871 | 874 |
872 HandshakeState nss_handshake_state_; | 875 HandshakeState nss_handshake_state_; |
873 | 876 |
874 bool transport_recv_busy_; | 877 bool transport_recv_busy_; |
875 bool transport_recv_eof_; | 878 bool transport_recv_eof_; |
876 bool transport_send_busy_; | 879 bool transport_send_busy_; |
877 | 880 |
878 // Used by Read function. | 881 // Used by Read function. |
879 scoped_refptr<IOBuffer> user_read_buf_; | 882 scoped_refptr<IOBuffer> user_read_buf_; |
880 int user_read_buf_len_; | 883 int user_read_buf_len_; |
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
927 host_and_port_(host_and_port), | 930 host_and_port_(host_and_port), |
928 ssl_config_(ssl_config), | 931 ssl_config_(ssl_config), |
929 nss_fd_(NULL), | 932 nss_fd_(NULL), |
930 nss_bufs_(NULL), | 933 nss_bufs_(NULL), |
931 pending_read_result_(kNoPendingReadResult), | 934 pending_read_result_(kNoPendingReadResult), |
932 pending_read_nss_error_(0), | 935 pending_read_nss_error_(0), |
933 next_handshake_state_(STATE_NONE), | 936 next_handshake_state_(STATE_NONE), |
934 channel_id_xtn_negotiated_(false), | 937 channel_id_xtn_negotiated_(false), |
935 channel_id_needed_(false), | 938 channel_id_needed_(false), |
936 client_auth_cert_needed_(false), | 939 client_auth_cert_needed_(false), |
937 handshake_callback_called_(false), | |
938 transport_recv_busy_(false), | 940 transport_recv_busy_(false), |
939 transport_recv_eof_(false), | 941 transport_recv_eof_(false), |
940 transport_send_busy_(false), | 942 transport_send_busy_(false), |
941 user_read_buf_len_(0), | 943 user_read_buf_len_(0), |
942 user_write_buf_len_(0), | 944 user_write_buf_len_(0), |
943 network_task_runner_(network_task_runner), | 945 network_task_runner_(network_task_runner), |
944 nss_task_runner_(nss_task_runner), | 946 nss_task_runner_(nss_task_runner), |
945 weak_net_log_(weak_net_log_factory_.GetWeakPtr()) { | 947 weak_net_log_(weak_net_log_factory_.GetWeakPtr()) { |
946 } | 948 } |
947 | 949 |
(...skipping 74 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1022 DVLOG(1) << "System time is weird, not enabling channel ID."; | 1024 DVLOG(1) << "System time is weird, not enabling channel ID."; |
1023 } else { | 1025 } else { |
1024 rv = SSL_SetClientChannelIDCallback( | 1026 rv = SSL_SetClientChannelIDCallback( |
1025 nss_fd_, SSLClientSocketNSS::Core::ClientChannelIDHandler, this); | 1027 nss_fd_, SSLClientSocketNSS::Core::ClientChannelIDHandler, this); |
1026 if (rv != SECSuccess) | 1028 if (rv != SECSuccess) |
1027 LogFailedNSSFunction(*weak_net_log_, "SSL_SetClientChannelIDCallback", | 1029 LogFailedNSSFunction(*weak_net_log_, "SSL_SetClientChannelIDCallback", |
1028 ""); | 1030 ""); |
1029 } | 1031 } |
1030 } | 1032 } |
1031 | 1033 |
1032 rv = SSL_HandshakeCallback( | 1034 rv = SSL_SetCanFalseStartCallback( |
1033 nss_fd_, SSLClientSocketNSS::Core::HandshakeCallback, this); | 1035 nss_fd_, SSLClientSocketNSS::Core::CanFalseStartCallback, this); |
1034 if (rv != SECSuccess) { | 1036 if (rv != SECSuccess) { |
1035 LogFailedNSSFunction(*weak_net_log_, "SSL_HandshakeCallback", ""); | 1037 LogFailedNSSFunction(*weak_net_log_, "SSL_SetCanFalseStartCallback", ""); |
1036 return false; | 1038 return false; |
1037 } | 1039 } |
1038 | 1040 |
1039 return true; | 1041 return true; |
1040 } | 1042 } |
1041 | 1043 |
1042 void SSLClientSocketNSS::Core::SetPredictedCertificates( | 1044 void SSLClientSocketNSS::Core::SetPredictedCertificates( |
1043 const std::vector<std::string>& predicted_certs) { | 1045 const std::vector<std::string>& predicted_certs) { |
1044 if (predicted_certs.empty()) | 1046 if (predicted_certs.empty()) |
1045 return; | 1047 return; |
(...skipping 102 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1148 base::Bind(IgnoreResult(&Core::Read), this, make_scoped_refptr(buf), | 1150 base::Bind(IgnoreResult(&Core::Read), this, make_scoped_refptr(buf), |
1149 buf_len, callback)); | 1151 buf_len, callback)); |
1150 if (!posted) { | 1152 if (!posted) { |
1151 nss_is_closed_ = true; | 1153 nss_is_closed_ = true; |
1152 nss_waiting_read_ = false; | 1154 nss_waiting_read_ = false; |
1153 } | 1155 } |
1154 return posted ? ERR_IO_PENDING : ERR_ABORTED; | 1156 return posted ? ERR_IO_PENDING : ERR_ABORTED; |
1155 } | 1157 } |
1156 | 1158 |
1157 DCHECK(OnNSSTaskRunner()); | 1159 DCHECK(OnNSSTaskRunner()); |
1158 DCHECK(handshake_callback_called_); | |
1159 DCHECK_EQ(STATE_NONE, next_handshake_state_); | 1160 DCHECK_EQ(STATE_NONE, next_handshake_state_); |
1160 DCHECK(user_read_callback_.is_null()); | 1161 DCHECK(user_read_callback_.is_null()); |
1161 DCHECK(user_connect_callback_.is_null()); | 1162 DCHECK(user_connect_callback_.is_null()); |
1162 DCHECK(!user_read_buf_.get()); | 1163 DCHECK(!user_read_buf_.get()); |
1163 DCHECK(nss_bufs_); | 1164 DCHECK(nss_bufs_); |
1164 | 1165 |
1165 user_read_buf_ = buf; | 1166 user_read_buf_ = buf; |
1166 user_read_buf_len_ = buf_len; | 1167 user_read_buf_len_ = buf_len; |
1167 | 1168 |
1168 int rv = DoReadLoop(OK); | 1169 int rv = DoReadLoop(OK); |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1202 base::Bind(IgnoreResult(&Core::Write), this, make_scoped_refptr(buf), | 1203 base::Bind(IgnoreResult(&Core::Write), this, make_scoped_refptr(buf), |
1203 buf_len, callback)); | 1204 buf_len, callback)); |
1204 if (!posted) { | 1205 if (!posted) { |
1205 nss_is_closed_ = true; | 1206 nss_is_closed_ = true; |
1206 nss_waiting_write_ = false; | 1207 nss_waiting_write_ = false; |
1207 } | 1208 } |
1208 return posted ? ERR_IO_PENDING : ERR_ABORTED; | 1209 return posted ? ERR_IO_PENDING : ERR_ABORTED; |
1209 } | 1210 } |
1210 | 1211 |
1211 DCHECK(OnNSSTaskRunner()); | 1212 DCHECK(OnNSSTaskRunner()); |
1212 DCHECK(handshake_callback_called_); | |
1213 DCHECK_EQ(STATE_NONE, next_handshake_state_); | 1213 DCHECK_EQ(STATE_NONE, next_handshake_state_); |
1214 DCHECK(user_write_callback_.is_null()); | 1214 DCHECK(user_write_callback_.is_null()); |
1215 DCHECK(user_connect_callback_.is_null()); | 1215 DCHECK(user_connect_callback_.is_null()); |
1216 DCHECK(!user_write_buf_.get()); | 1216 DCHECK(!user_write_buf_.get()); |
1217 DCHECK(nss_bufs_); | 1217 DCHECK(nss_bufs_); |
1218 | 1218 |
1219 user_write_buf_ = buf; | 1219 user_write_buf_ = buf; |
1220 user_write_buf_len_ = buf_len; | 1220 user_write_buf_len_ = buf_len; |
1221 | 1221 |
1222 int rv = DoWriteLoop(OK); | 1222 int rv = DoWriteLoop(OK); |
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1264 bool SSLClientSocketNSS::Core::OnNetworkTaskRunner() const { | 1264 bool SSLClientSocketNSS::Core::OnNetworkTaskRunner() const { |
1265 return network_task_runner_->RunsTasksOnCurrentThread(); | 1265 return network_task_runner_->RunsTasksOnCurrentThread(); |
1266 } | 1266 } |
1267 | 1267 |
1268 // static | 1268 // static |
1269 SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler( | 1269 SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler( |
1270 void* arg, | 1270 void* arg, |
1271 PRFileDesc* socket, | 1271 PRFileDesc* socket, |
1272 PRBool checksig, | 1272 PRBool checksig, |
1273 PRBool is_server) { | 1273 PRBool is_server) { |
1274 Core* core = reinterpret_cast<Core*>(arg); | |
1275 if (!core->handshake_callback_called_) { | |
1276 // Only need to turn off False Start in the initial handshake. Also, it is | |
1277 // unsafe to call SSL_OptionSet in a renegotiation because the "first | |
1278 // handshake" lock isn't already held, which will result in an assertion | |
1279 // failure in the ssl_Get1stHandshakeLock call in SSL_OptionSet. | |
1280 PRBool negotiated_extension; | |
1281 SECStatus rv = SSL_HandshakeNegotiatedExtension(socket, | |
1282 ssl_app_layer_protocol_xtn, | |
1283 &negotiated_extension); | |
1284 if (rv != SECSuccess || !negotiated_extension) { | |
1285 rv = SSL_HandshakeNegotiatedExtension(socket, | |
1286 ssl_next_proto_nego_xtn, | |
1287 &negotiated_extension); | |
1288 } | |
1289 if (rv != SECSuccess || !negotiated_extension) { | |
1290 // If the server doesn't support NPN or ALPN, then we don't do False | |
1291 // Start with it. | |
1292 SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE); | |
1293 } | |
1294 } | |
1295 | |
1296 // Tell NSS to not verify the certificate. | 1274 // Tell NSS to not verify the certificate. |
1297 return SECSuccess; | 1275 return SECSuccess; |
1298 } | 1276 } |
1299 | 1277 |
1300 #if defined(NSS_PLATFORM_CLIENT_AUTH) | 1278 #if defined(NSS_PLATFORM_CLIENT_AUTH) |
1301 // static | 1279 // static |
1302 SECStatus SSLClientSocketNSS::Core::PlatformClientAuthHandler( | 1280 SECStatus SSLClientSocketNSS::Core::PlatformClientAuthHandler( |
1303 void* arg, | 1281 void* arg, |
1304 PRFileDesc* socket, | 1282 PRFileDesc* socket, |
1305 CERTDistNames* ca_names, | 1283 CERTDistNames* ca_names, |
(...skipping 292 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1598 core->PostOrRunCallback( | 1576 core->PostOrRunCallback( |
1599 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core, | 1577 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core, |
1600 core->nss_handshake_state_)); | 1578 core->nss_handshake_state_)); |
1601 | 1579 |
1602 // Tell NSS to suspend the client authentication. We will then abort the | 1580 // Tell NSS to suspend the client authentication. We will then abort the |
1603 // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED. | 1581 // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED. |
1604 return SECWouldBlock; | 1582 return SECWouldBlock; |
1605 } | 1583 } |
1606 #endif // NSS_PLATFORM_CLIENT_AUTH | 1584 #endif // NSS_PLATFORM_CLIENT_AUTH |
1607 | 1585 |
1608 // static | 1586 void SSLClientSocketNSS::Core::HandshakeSucceeded() { |
1609 void SSLClientSocketNSS::Core::HandshakeCallback( | 1587 DCHECK(OnNSSTaskRunner()); |
1610 PRFileDesc* socket, | |
1611 void* arg) { | |
1612 Core* core = reinterpret_cast<Core*>(arg); | |
1613 DCHECK(core->OnNSSTaskRunner()); | |
1614 | |
1615 core->handshake_callback_called_ = true; | |
1616 | |
1617 HandshakeState* nss_state = &core->nss_handshake_state_; | |
1618 | 1588 |
1619 PRBool last_handshake_resumed; | 1589 PRBool last_handshake_resumed; |
1620 SECStatus rv = SSL_HandshakeResumedSession(socket, &last_handshake_resumed); | 1590 SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed); |
1621 if (rv == SECSuccess && last_handshake_resumed) { | 1591 if (rv == SECSuccess && last_handshake_resumed) { |
1622 nss_state->resumed_handshake = true; | 1592 nss_handshake_state_.resumed_handshake = true; |
1623 } else { | 1593 } else { |
1624 nss_state->resumed_handshake = false; | 1594 nss_handshake_state_.resumed_handshake = false; |
1625 } | 1595 } |
1626 | 1596 |
1627 core->RecordChannelIDSupport(); | 1597 RecordChannelIDSupport(); |
1628 core->UpdateServerCert(); | 1598 UpdateServerCert(); |
1629 core->UpdateConnectionStatus(); | 1599 UpdateConnectionStatus(); |
1630 core->UpdateNextProto(); | 1600 UpdateNextProto(); |
1631 | 1601 |
1632 // Update the network task runners view of the handshake state whenever | 1602 // Update the network task runners view of the handshake state whenever |
1633 // a handshake has completed. | 1603 // a handshake has completed. |
1634 core->PostOrRunCallback( | 1604 PostOrRunCallback( |
1635 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core, | 1605 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this, |
1636 *nss_state)); | 1606 nss_handshake_state_)); |
1607 } | |
1608 | |
1609 // static | |
1610 SECStatus SSLClientSocketNSS::Core::CanFalseStartCallback( | |
1611 PRFileDesc* socket, | |
1612 void* arg, | |
1613 PRBool* can_false_start) { | |
1614 // If the server doesn't support NPN or ALPN, then we don't do False Start | |
1615 // with it. | |
1616 PRBool negotiated_extension; | |
1617 SECStatus rv = SSL_HandshakeNegotiatedExtension(socket, | |
1618 ssl_app_layer_protocol_xtn, | |
1619 &negotiated_extension); | |
1620 if (rv != SECSuccess || !negotiated_extension) { | |
1621 rv = SSL_HandshakeNegotiatedExtension(socket, | |
1622 ssl_next_proto_nego_xtn, | |
1623 &negotiated_extension); | |
1624 } | |
1625 if (rv != SECSuccess || !negotiated_extension) { | |
1626 *can_false_start = PR_FALSE; | |
1627 return SECSuccess; | |
1628 } | |
1629 | |
1630 return SSL_DefaultCanFalseStart(socket, can_false_start); | |
1637 } | 1631 } |
1638 | 1632 |
1639 int SSLClientSocketNSS::Core::HandleNSSError(PRErrorCode nss_error, | 1633 int SSLClientSocketNSS::Core::HandleNSSError(PRErrorCode nss_error, |
1640 bool handshake_error) { | 1634 bool handshake_error) { |
1641 DCHECK(OnNSSTaskRunner()); | 1635 DCHECK(OnNSSTaskRunner()); |
1642 | 1636 |
1643 int net_error = handshake_error ? MapNSSClientHandshakeError(nss_error) : | 1637 int net_error = handshake_error ? MapNSSClientHandshakeError(nss_error) : |
1644 MapNSSClientError(nss_error); | 1638 MapNSSClientError(nss_error); |
1645 | 1639 |
1646 #if defined(OS_WIN) | 1640 #if defined(OS_WIN) |
(...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1701 // the transport IO may allow DoHandshake to make progress. | 1695 // the transport IO may allow DoHandshake to make progress. |
1702 DCHECK(rv == OK || rv == ERR_IO_PENDING); | 1696 DCHECK(rv == OK || rv == ERR_IO_PENDING); |
1703 rv = OK; // This causes us to stay in the loop. | 1697 rv = OK; // This causes us to stay in the loop. |
1704 } | 1698 } |
1705 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE); | 1699 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE); |
1706 return rv; | 1700 return rv; |
1707 } | 1701 } |
1708 | 1702 |
1709 int SSLClientSocketNSS::Core::DoReadLoop(int result) { | 1703 int SSLClientSocketNSS::Core::DoReadLoop(int result) { |
1710 DCHECK(OnNSSTaskRunner()); | 1704 DCHECK(OnNSSTaskRunner()); |
1711 DCHECK(handshake_callback_called_); | |
1712 DCHECK_EQ(STATE_NONE, next_handshake_state_); | 1705 DCHECK_EQ(STATE_NONE, next_handshake_state_); |
1713 | 1706 |
1714 if (result < 0) | 1707 if (result < 0) |
1715 return result; | 1708 return result; |
1716 | 1709 |
1717 if (!nss_bufs_) { | 1710 if (!nss_bufs_) { |
1718 LOG(DFATAL) << "!nss_bufs_"; | 1711 LOG(DFATAL) << "!nss_bufs_"; |
1719 int rv = ERR_UNEXPECTED; | 1712 int rv = ERR_UNEXPECTED; |
1720 PostOrRunCallback( | 1713 PostOrRunCallback( |
1721 FROM_HERE, | 1714 FROM_HERE, |
1722 base::Bind(&AddLogEventWithCallback, weak_net_log_, | 1715 base::Bind(&AddLogEventWithCallback, weak_net_log_, |
1723 NetLog::TYPE_SSL_READ_ERROR, | 1716 NetLog::TYPE_SSL_READ_ERROR, |
1724 CreateNetLogSSLErrorCallback(rv, 0))); | 1717 CreateNetLogSSLErrorCallback(rv, 0))); |
1725 return rv; | 1718 return rv; |
1726 } | 1719 } |
1727 | 1720 |
1728 bool network_moved; | 1721 bool network_moved; |
1729 int rv; | 1722 int rv; |
1730 do { | 1723 do { |
1731 rv = DoPayloadRead(); | 1724 rv = DoPayloadRead(); |
1732 network_moved = DoTransportIO(); | 1725 network_moved = DoTransportIO(); |
1733 } while (rv == ERR_IO_PENDING && network_moved); | 1726 } while (rv == ERR_IO_PENDING && network_moved); |
1734 | 1727 |
1735 return rv; | 1728 return rv; |
1736 } | 1729 } |
1737 | 1730 |
1738 int SSLClientSocketNSS::Core::DoWriteLoop(int result) { | 1731 int SSLClientSocketNSS::Core::DoWriteLoop(int result) { |
1739 DCHECK(OnNSSTaskRunner()); | 1732 DCHECK(OnNSSTaskRunner()); |
1740 DCHECK(handshake_callback_called_); | |
1741 DCHECK_EQ(STATE_NONE, next_handshake_state_); | 1733 DCHECK_EQ(STATE_NONE, next_handshake_state_); |
1742 | 1734 |
1743 if (result < 0) | 1735 if (result < 0) |
1744 return result; | 1736 return result; |
1745 | 1737 |
1746 if (!nss_bufs_) { | 1738 if (!nss_bufs_) { |
1747 LOG(DFATAL) << "!nss_bufs_"; | 1739 LOG(DFATAL) << "!nss_bufs_"; |
1748 int rv = ERR_UNEXPECTED; | 1740 int rv = ERR_UNEXPECTED; |
1749 PostOrRunCallback( | 1741 PostOrRunCallback( |
1750 FROM_HERE, | 1742 FROM_HERE, |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1786 CreateNetLogSSLErrorCallback(net_error, 0))); | 1778 CreateNetLogSSLErrorCallback(net_error, 0))); |
1787 | 1779 |
1788 // If the handshake already succeeded (because the server requests but | 1780 // If the handshake already succeeded (because the server requests but |
1789 // doesn't require a client cert), we need to invalidate the SSL session | 1781 // doesn't require a client cert), we need to invalidate the SSL session |
1790 // so that we won't try to resume the non-client-authenticated session in | 1782 // so that we won't try to resume the non-client-authenticated session in |
1791 // the next handshake. This will cause the server to ask for a client | 1783 // the next handshake. This will cause the server to ask for a client |
1792 // cert again. | 1784 // cert again. |
1793 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) | 1785 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) |
1794 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); | 1786 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); |
1795 } else if (rv == SECSuccess) { | 1787 } else if (rv == SECSuccess) { |
1796 if (!handshake_callback_called_) { | 1788 HandshakeSucceeded(); |
1797 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=562434 - | |
1798 // SSL_ForceHandshake returned SECSuccess prematurely. | |
1799 rv = SECFailure; | |
1800 net_error = ERR_SSL_PROTOCOL_ERROR; | |
1801 PostOrRunCallback( | |
1802 FROM_HERE, | |
1803 base::Bind(&AddLogEventWithCallback, weak_net_log_, | |
1804 NetLog::TYPE_SSL_HANDSHAKE_ERROR, | |
1805 CreateNetLogSSLErrorCallback(net_error, 0))); | |
1806 } else { | |
1807 #if defined(SSL_ENABLE_OCSP_STAPLING) | 1789 #if defined(SSL_ENABLE_OCSP_STAPLING) |
1808 // TODO(agl): figure out how to plumb an OCSP response into the Mac | 1790 // TODO(agl): figure out how to plumb an OCSP response into the Mac |
1809 // system library and update IsOCSPStaplingSupported for Mac. | 1791 // system library and update IsOCSPStaplingSupported for Mac. |
1810 if (IsOCSPStaplingSupported()) { | 1792 if (IsOCSPStaplingSupported()) { |
1811 const SECItemArray* ocsp_responses = | 1793 const SECItemArray* ocsp_responses = |
1812 SSL_PeerStapledOCSPResponses(nss_fd_); | 1794 SSL_PeerStapledOCSPResponses(nss_fd_); |
1813 if (ocsp_responses->len) { | 1795 if (ocsp_responses->len) { |
1814 #if defined(OS_WIN) | 1796 #if defined(OS_WIN) |
1815 if (nss_handshake_state_.server_cert) { | 1797 if (nss_handshake_state_.server_cert) { |
1816 CRYPT_DATA_BLOB ocsp_response_blob; | 1798 CRYPT_DATA_BLOB ocsp_response_blob; |
1817 ocsp_response_blob.cbData = ocsp_responses->items[0].len; | 1799 ocsp_response_blob.cbData = ocsp_responses->items[0].len; |
1818 ocsp_response_blob.pbData = ocsp_responses->items[0].data; | 1800 ocsp_response_blob.pbData = ocsp_responses->items[0].data; |
1819 BOOL ok = CertSetCertificateContextProperty( | 1801 BOOL ok = CertSetCertificateContextProperty( |
1820 nss_handshake_state_.server_cert->os_cert_handle(), | 1802 nss_handshake_state_.server_cert->os_cert_handle(), |
1821 CERT_OCSP_RESPONSE_PROP_ID, | 1803 CERT_OCSP_RESPONSE_PROP_ID, |
1822 CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG, | 1804 CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG, |
1823 &ocsp_response_blob); | 1805 &ocsp_response_blob); |
1824 if (!ok) { | 1806 if (!ok) { |
1825 VLOG(1) << "Failed to set OCSP response property: " | 1807 VLOG(1) << "Failed to set OCSP response property: " |
1826 << GetLastError(); | 1808 << GetLastError(); |
1827 } | |
1828 } | 1809 } |
1810 } | |
1829 #elif defined(USE_NSS) | 1811 #elif defined(USE_NSS) |
1830 CacheOCSPResponseFromSideChannelFunction cache_ocsp_response = | 1812 CacheOCSPResponseFromSideChannelFunction cache_ocsp_response = |
1831 GetCacheOCSPResponseFromSideChannelFunction(); | 1813 GetCacheOCSPResponseFromSideChannelFunction(); |
1832 | 1814 |
1833 cache_ocsp_response( | 1815 cache_ocsp_response( |
1834 CERT_GetDefaultCertDB(), | 1816 CERT_GetDefaultCertDB(), |
1835 nss_handshake_state_.server_cert_chain[0], PR_Now(), | 1817 nss_handshake_state_.server_cert_chain[0], PR_Now(), |
1836 &ocsp_responses->items[0], NULL); | 1818 &ocsp_responses->items[0], NULL); |
1837 #endif | 1819 #endif |
1838 } | |
1839 } | 1820 } |
1821 } | |
1840 #endif | 1822 #endif |
1841 } | |
1842 // Done! | 1823 // Done! |
1843 } else { | 1824 } else { |
1844 PRErrorCode prerr = PR_GetError(); | 1825 PRErrorCode prerr = PR_GetError(); |
1845 net_error = HandleNSSError(prerr, true); | 1826 net_error = HandleNSSError(prerr, true); |
1846 | 1827 |
1847 // Some network devices that inspect application-layer packets seem to | 1828 // Some network devices that inspect application-layer packets seem to |
1848 // inject TCP reset packets to break the connections when they see | 1829 // inject TCP reset packets to break the connections when they see |
1849 // TLS 1.1 in ClientHello or ServerHello. See http://crbug.com/130293. | 1830 // TLS 1.1 in ClientHello or ServerHello. See http://crbug.com/130293. |
1850 // | 1831 // |
1851 // Only allow ERR_CONNECTION_RESET to trigger a fallback from TLS 1.1 or | 1832 // Only allow ERR_CONNECTION_RESET to trigger a fallback from TLS 1.1 or |
(...skipping 1643 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3495 EnsureThreadIdAssigned(); | 3476 EnsureThreadIdAssigned(); |
3496 base::AutoLock auto_lock(lock_); | 3477 base::AutoLock auto_lock(lock_); |
3497 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 3478 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
3498 } | 3479 } |
3499 | 3480 |
3500 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { | 3481 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { |
3501 return server_bound_cert_service_; | 3482 return server_bound_cert_service_; |
3502 } | 3483 } |
3503 | 3484 |
3504 } // namespace net | 3485 } // namespace net |
OLD | NEW |