| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| (...skipping 1269 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1280 if (rv != SECSuccess || !negotiated_extension) { | 1280 if (rv != SECSuccess || !negotiated_extension) { |
| 1281 rv = SSL_HandshakeNegotiatedExtension(socket, | 1281 rv = SSL_HandshakeNegotiatedExtension(socket, |
| 1282 ssl_next_proto_nego_xtn, | 1282 ssl_next_proto_nego_xtn, |
| 1283 &negotiated_extension); | 1283 &negotiated_extension); |
| 1284 } | 1284 } |
| 1285 if (rv != SECSuccess || !negotiated_extension) { | 1285 if (rv != SECSuccess || !negotiated_extension) { |
| 1286 // If the server doesn't support NPN or ALPN, then we don't do False | 1286 // If the server doesn't support NPN or ALPN, then we don't do False |
| 1287 // Start with it. | 1287 // Start with it. |
| 1288 SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE); | 1288 SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE); |
| 1289 } | 1289 } |
| 1290 } else { |
| 1291 // Disallow the server certificate to change in a renegotiation. |
| 1292 CERTCertificate* old_cert = core->nss_handshake_state_.server_cert_chain[0]; |
| 1293 CERTCertificate* new_cert = SSL_PeerCertificate(socket); |
| 1294 if (new_cert->derCert.len != old_cert->derCert.len || |
| 1295 memcmp(new_cert->derCert.data, old_cert->derCert.data, |
| 1296 new_cert->derCert.len) != 0) { |
| 1297 // NSS doesn't have an error code that indicates the server certificate |
| 1298 // changed. Borrow SSL_ERROR_WRONG_CERTIFICATE (which NSS isn't using) |
| 1299 // for this purpose. |
| 1300 PORT_SetError(SSL_ERROR_WRONG_CERTIFICATE); |
| 1301 return SECFailure; |
| 1302 } |
| 1290 } | 1303 } |
| 1291 | 1304 |
| 1292 // Tell NSS to not verify the certificate. | 1305 // Tell NSS to not verify the certificate. |
| 1293 return SECSuccess; | 1306 return SECSuccess; |
| 1294 } | 1307 } |
| 1295 | 1308 |
| 1296 #if defined(NSS_PLATFORM_CLIENT_AUTH) | 1309 #if defined(NSS_PLATFORM_CLIENT_AUTH) |
| 1297 // static | 1310 // static |
| 1298 SECStatus SSLClientSocketNSS::Core::PlatformClientAuthHandler( | 1311 SECStatus SSLClientSocketNSS::Core::PlatformClientAuthHandler( |
| 1299 void* arg, | 1312 void* arg, |
| (...skipping 2191 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3491 EnsureThreadIdAssigned(); | 3504 EnsureThreadIdAssigned(); |
| 3492 base::AutoLock auto_lock(lock_); | 3505 base::AutoLock auto_lock(lock_); |
| 3493 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 3506 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
| 3494 } | 3507 } |
| 3495 | 3508 |
| 3496 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { | 3509 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { |
| 3497 return server_bound_cert_service_; | 3510 return server_bound_cert_service_; |
| 3498 } | 3511 } |
| 3499 | 3512 |
| 3500 } // namespace net | 3513 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 27266002:
Do not allow the server certificate to change in a renegotiation. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/