| OLD | NEW |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/ssl/openssl_ssl_util.h" | 5 #include "net/ssl/openssl_ssl_util.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <utility> | 8 #include <utility> |
| 9 | 9 |
| 10 #include "base/bind.h" | 10 #include "base/bind.h" |
| (...skipping 80 matching lines...) |
| 91 case SSL_R_SSLV3_ALERT_BAD_RECORD_MAC: | 91 case SSL_R_SSLV3_ALERT_BAD_RECORD_MAC: |
| 92 return ERR_SSL_BAD_RECORD_MAC_ALERT; | 92 return ERR_SSL_BAD_RECORD_MAC_ALERT; |
| 93 case SSL_R_TLSV1_ALERT_DECRYPT_ERROR: | 93 case SSL_R_TLSV1_ALERT_DECRYPT_ERROR: |
| 94 return ERR_SSL_DECRYPT_ERROR_ALERT; | 94 return ERR_SSL_DECRYPT_ERROR_ALERT; |
| 95 case SSL_R_TLSV1_UNRECOGNIZED_NAME: | 95 case SSL_R_TLSV1_UNRECOGNIZED_NAME: |
| 96 return ERR_SSL_UNRECOGNIZED_NAME_ALERT; | 96 return ERR_SSL_UNRECOGNIZED_NAME_ALERT; |
| 97 case SSL_R_BAD_DH_P_LENGTH: | 97 case SSL_R_BAD_DH_P_LENGTH: |
| 98 return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY; | 98 return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY; |
| 99 case SSL_R_SERVER_CERT_CHANGED: | 99 case SSL_R_SERVER_CERT_CHANGED: |
| 100 return ERR_SSL_SERVER_CERT_CHANGED; | 100 return ERR_SSL_SERVER_CERT_CHANGED; |
| 101 case SSL_R_CERTIFICATE_VERIFY_FAILED: | |
| 102 // The only way that the certificate verify callback can fail is if | |
| 103 // the leaf certificate changed during a renegotiation. | |
| 104 // | |
| 105 // TODO(davidben): This check has since moved within BoringSSL. Remove the | |
| 106 // Chromium-side machinery for it. | |
| 107 return ERR_SSL_SERVER_CERT_CHANGED; | |
| 108 // SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE may be returned from the server after | 101 // SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE may be returned from the server after |
| 109 // receiving ClientHello if there's no common supported cipher. Map that | 102 // receiving ClientHello if there's no common supported cipher. Map that |
| 110 // specific case to ERR_SSL_VERSION_OR_CIPHER_MISMATCH to match the NSS | 103 // specific case to ERR_SSL_VERSION_OR_CIPHER_MISMATCH to match the NSS |
| 111 // implementation. See https://goo.gl/oMtZW and https://crbug.com/446505. | 104 // implementation. See https://goo.gl/oMtZW and https://crbug.com/446505. |
| 112 case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: { | 105 case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: { |
| 113 uint32_t previous = ERR_peek_error(); | 106 uint32_t previous = ERR_peek_error(); |
| 114 if (previous != 0 && ERR_GET_LIB(previous) == ERR_LIB_SSL && | 107 if (previous != 0 && ERR_GET_LIB(previous) == ERR_LIB_SSL && |
| 115 ERR_GET_REASON(previous) == SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO) { | 108 ERR_GET_REASON(previous) == SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO) { |
| 116 return ERR_SSL_VERSION_OR_CIPHER_MISMATCH; | 109 return ERR_SSL_VERSION_OR_CIPHER_MISMATCH; |
| 117 } | 110 } |
| (...skipping 128 matching lines...) |
| 246 for (size_t i = 0; i < os_handles.size(); i++) { | 239 for (size_t i = 0; i < os_handles.size(); i++) { |
| 247 bssl::UniquePtr<X509> x509 = OSCertHandleToOpenSSL(os_handles[i]); | 240 bssl::UniquePtr<X509> x509 = OSCertHandleToOpenSSL(os_handles[i]); |
| 248 if (!x509) | 241 if (!x509) |
| 249 return nullptr; | 242 return nullptr; |
| 250 sk_X509_push(stack.get(), x509.release()); | 243 sk_X509_push(stack.get(), x509.release()); |
| 251 } | 244 } |
| 252 return stack; | 245 return stack; |
| 253 } | 246 } |
| 254 | 247 |
| 255 } // namespace net | 248 } // namespace net |
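Review bot: With the `SSL_R_CERTIFICATE_VERIFY_FAILED` case removed (old lines 101-107), that reason code has no explicit mapping left in this switch and will take whatever the default branch returns, which is outside the visible lines. If the certificate verify callback can still fail on any path, the failure would surface as a generic error rather than a certificate-specific one, so it is worth confirming the callback can no longer fail, or mapping the code deliberately. The removed comment was also the only explanation of where the renegotiation check lives; I would keep that context on the surviving case, e.g. `// Raised by BoringSSL when the leaf certificate changes during a renegotiation.` above `case SSL_R_SERVER_CERT_CHANGED:`. The switch's enclosing function starts and ends outside the lines shown.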
| OLD | NEW |