1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
310 | 310 |
311 private: | 311 private: |
312 const std::string function_; | 312 const std::string function_; |
313 const std::string param_; | 313 const std::string param_; |
314 const PRErrorCode ssl_lib_error_; | 314 const PRErrorCode ssl_lib_error_; |
315 }; | 315 }; |
316 | 316 |
317 void LogFailedNSSFunction(const BoundNetLog& net_log, | 317 void LogFailedNSSFunction(const BoundNetLog& net_log, |
318 const char* function, | 318 const char* function, |
319 const char* param) { | 319 const char* param) { |
320 net_log.AddEvent(NetLog::TYPE_SSL_NSS_ERROR, | 320 net_log.AddEvent( |
321 new SSLFailedNSSFunctionParams(function, param)); | 321 NetLog::TYPE_SSL_NSS_ERROR, |
| 322 make_scoped_refptr(new SSLFailedNSSFunctionParams(function, param))); |
322 } | 323 } |
323 | 324 |
324 #if defined(OS_WIN) | 325 #if defined(OS_WIN) |
325 | 326 |
326 // This callback is intended to be used with CertFindChainInStore. In addition | 327 // This callback is intended to be used with CertFindChainInStore. In addition |
327 // to filtering by extended/enhanced key usage, we do not show expired | 328 // to filtering by extended/enhanced key usage, we do not show expired |
328 // certificates and require digital signature usage in the key usage | 329 // certificates and require digital signature usage in the key usage |
329 // extension. | 330 // extension. |
330 // | 331 // |
331 // This matches our behavior on Mac OS X and that of NSS. It also matches the | 332 // This matches our behavior on Mac OS X and that of NSS. It also matches the |
1537 EnterFunction(""); | 1538 EnterFunction(""); |
1538 DCHECK(completed_handshake_); | 1539 DCHECK(completed_handshake_); |
1539 DCHECK(next_handshake_state_ == STATE_NONE); | 1540 DCHECK(next_handshake_state_ == STATE_NONE); |
1540 | 1541 |
1541 if (result < 0) | 1542 if (result < 0) |
1542 return result; | 1543 return result; |
1543 | 1544 |
1544 if (!nss_bufs_) { | 1545 if (!nss_bufs_) { |
1545 LOG(DFATAL) << "!nss_bufs_"; | 1546 LOG(DFATAL) << "!nss_bufs_"; |
1546 int rv = ERR_UNEXPECTED; | 1547 int rv = ERR_UNEXPECTED; |
1547 net_log_.AddEvent(NetLog::TYPE_SSL_READ_ERROR, new SSLErrorParams(rv, 0)); | 1548 net_log_.AddEvent(NetLog::TYPE_SSL_READ_ERROR, |
| 1549 make_scoped_refptr(new SSLErrorParams(rv, 0))); |
1548 return rv; | 1550 return rv; |
1549 } | 1551 } |
1550 | 1552 |
1551 bool network_moved; | 1553 bool network_moved; |
1552 int rv; | 1554 int rv; |
1553 do { | 1555 do { |
1554 rv = DoPayloadRead(); | 1556 rv = DoPayloadRead(); |
1555 network_moved = DoTransportIO(); | 1557 network_moved = DoTransportIO(); |
1556 } while (rv == ERR_IO_PENDING && network_moved); | 1558 } while (rv == ERR_IO_PENDING && network_moved); |
1557 | 1559 |
1558 LeaveFunction(""); | 1560 LeaveFunction(""); |
1559 return rv; | 1561 return rv; |
1560 } | 1562 } |
1561 | 1563 |
1562 int SSLClientSocketNSS::DoWriteLoop(int result) { | 1564 int SSLClientSocketNSS::DoWriteLoop(int result) { |
1563 EnterFunction(""); | 1565 EnterFunction(""); |
1564 DCHECK(completed_handshake_); | 1566 DCHECK(completed_handshake_); |
1565 DCHECK(next_handshake_state_ == STATE_NONE); | 1567 DCHECK(next_handshake_state_ == STATE_NONE); |
1566 | 1568 |
1567 if (result < 0) | 1569 if (result < 0) |
1568 return result; | 1570 return result; |
1569 | 1571 |
1570 if (!nss_bufs_) { | 1572 if (!nss_bufs_) { |
1571 LOG(DFATAL) << "!nss_bufs_"; | 1573 LOG(DFATAL) << "!nss_bufs_"; |
1572 int rv = ERR_UNEXPECTED; | 1574 int rv = ERR_UNEXPECTED; |
1573 net_log_.AddEvent(NetLog::TYPE_SSL_WRITE_ERROR, new SSLErrorParams(rv, 0)); | 1575 net_log_.AddEvent(NetLog::TYPE_SSL_WRITE_ERROR, |
| 1576 make_scoped_refptr(new SSLErrorParams(rv, 0))); |
1574 return rv; | 1577 return rv; |
1575 } | 1578 } |
1576 | 1579 |
1577 bool network_moved; | 1580 bool network_moved; |
1578 int rv; | 1581 int rv; |
1579 do { | 1582 do { |
1580 rv = DoPayloadWrite(); | 1583 rv = DoPayloadWrite(); |
1581 network_moved = DoTransportIO(); | 1584 network_moved = DoTransportIO(); |
1582 } while (rv == ERR_IO_PENDING && network_moved); | 1585 } while (rv == ERR_IO_PENDING && network_moved); |
1583 | 1586 |
1892 } | 1895 } |
1893 | 1896 |
1894 int SSLClientSocketNSS::DoHandshake() { | 1897 int SSLClientSocketNSS::DoHandshake() { |
1895 EnterFunction(""); | 1898 EnterFunction(""); |
1896 int net_error = net::OK; | 1899 int net_error = net::OK; |
1897 SECStatus rv = SSL_ForceHandshake(nss_fd_); | 1900 SECStatus rv = SSL_ForceHandshake(nss_fd_); |
1898 | 1901 |
1899 if (client_auth_cert_needed_) { | 1902 if (client_auth_cert_needed_) { |
1900 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 1903 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
1901 net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR, | 1904 net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
1902 new SSLErrorParams(net_error, 0)); | 1905 make_scoped_refptr(new SSLErrorParams(net_error, 0))); |
1903 // If the handshake already succeeded (because the server requests but | 1906 // If the handshake already succeeded (because the server requests but |
1904 // doesn't require a client cert), we need to invalidate the SSL session | 1907 // doesn't require a client cert), we need to invalidate the SSL session |
1905 // so that we won't try to resume the non-client-authenticated session in | 1908 // so that we won't try to resume the non-client-authenticated session in |
1906 // the next handshake. This will cause the server to ask for a client | 1909 // the next handshake. This will cause the server to ask for a client |
1907 // cert again. | 1910 // cert again. |
1908 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) { | 1911 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) { |
1909 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); | 1912 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); |
1910 } | 1913 } |
1911 } else if (rv == SECSuccess) { | 1914 } else if (rv == SECSuccess) { |
1912 if (handshake_callback_called_) { | 1915 if (handshake_callback_called_) { |
1949 GotoState(STATE_VERIFY_DNSSEC); | 1952 GotoState(STATE_VERIFY_DNSSEC); |
1950 } | 1953 } |
1951 } | 1954 } |
1952 // Done! | 1955 // Done! |
1953 } else { | 1956 } else { |
1954 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=562434 - | 1957 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=562434 - |
1955 // SSL_ForceHandshake returned SECSuccess prematurely. | 1958 // SSL_ForceHandshake returned SECSuccess prematurely. |
1956 rv = SECFailure; | 1959 rv = SECFailure; |
1957 net_error = ERR_SSL_PROTOCOL_ERROR; | 1960 net_error = ERR_SSL_PROTOCOL_ERROR; |
1958 net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR, | 1961 net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
1959 new SSLErrorParams(net_error, 0)); | 1962 make_scoped_refptr(new SSLErrorParams(net_error, 0))); |
1960 } | 1963 } |
1961 } else { | 1964 } else { |
1962 PRErrorCode prerr = PR_GetError(); | 1965 PRErrorCode prerr = PR_GetError(); |
1963 net_error = MapHandshakeError(prerr); | 1966 net_error = MapHandshakeError(prerr); |
1964 | 1967 |
1965 // If not done, stay in this state | 1968 // If not done, stay in this state |
1966 if (net_error == ERR_IO_PENDING) { | 1969 if (net_error == ERR_IO_PENDING) { |
1967 GotoState(STATE_HANDSHAKE); | 1970 GotoState(STATE_HANDSHAKE); |
1968 } else { | 1971 } else { |
1969 LOG(ERROR) << "handshake failed; NSS error code " << prerr | 1972 LOG(ERROR) << "handshake failed; NSS error code " << prerr |
1970 << ", net_error " << net_error; | 1973 << ", net_error " << net_error; |
1971 net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR, | 1974 net_log_.AddEvent( |
1972 new SSLErrorParams(net_error, prerr)); | 1975 NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
| 1976 make_scoped_refptr(new SSLErrorParams(net_error, prerr))); |
1973 } | 1977 } |
1974 } | 1978 } |
1975 | 1979 |
1976 LeaveFunction(""); | 1980 LeaveFunction(""); |
1977 return net_error; | 1981 return net_error; |
1978 } | 1982 } |
1979 | 1983 |
1980 // DNSValidationResult enumerates the possible outcomes from processing a | 1984 // DNSValidationResult enumerates the possible outcomes from processing a |
1981 // set of DNS records. | 1985 // set of DNS records. |
1982 enum DNSValidationResult { | 1986 enum DNSValidationResult { |
2280 EnterFunction(user_read_buf_len_); | 2284 EnterFunction(user_read_buf_len_); |
2281 DCHECK(user_read_buf_); | 2285 DCHECK(user_read_buf_); |
2282 DCHECK_GT(user_read_buf_len_, 0); | 2286 DCHECK_GT(user_read_buf_len_, 0); |
2283 int rv = PR_Read(nss_fd_, user_read_buf_->data(), user_read_buf_len_); | 2287 int rv = PR_Read(nss_fd_, user_read_buf_->data(), user_read_buf_len_); |
2284 if (client_auth_cert_needed_) { | 2288 if (client_auth_cert_needed_) { |
2285 // We don't need to invalidate the non-client-authenticated SSL session | 2289 // We don't need to invalidate the non-client-authenticated SSL session |
2286 // because the server will renegotiate anyway. | 2290 // because the server will renegotiate anyway. |
2287 LeaveFunction(""); | 2291 LeaveFunction(""); |
2288 rv = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 2292 rv = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
2289 net_log_.AddEvent(NetLog::TYPE_SSL_READ_ERROR, | 2293 net_log_.AddEvent(NetLog::TYPE_SSL_READ_ERROR, |
2290 new SSLErrorParams(rv, 0)); | 2294 make_scoped_refptr(new SSLErrorParams(rv, 0))); |
2291 return rv; | 2295 return rv; |
2292 } | 2296 } |
2293 if (rv >= 0) { | 2297 if (rv >= 0) { |
2294 LogData(user_read_buf_->data(), rv); | 2298 LogData(user_read_buf_->data(), rv); |
2295 LeaveFunction(""); | 2299 LeaveFunction(""); |
2296 return rv; | 2300 return rv; |
2297 } | 2301 } |
2298 PRErrorCode prerr = PR_GetError(); | 2302 PRErrorCode prerr = PR_GetError(); |
2299 if (prerr == PR_WOULD_BLOCK_ERROR) { | 2303 if (prerr == PR_WOULD_BLOCK_ERROR) { |
2300 LeaveFunction(""); | 2304 LeaveFunction(""); |
2301 return ERR_IO_PENDING; | 2305 return ERR_IO_PENDING; |
2302 } | 2306 } |
2303 LeaveFunction(""); | 2307 LeaveFunction(""); |
2304 rv = MapNSPRError(prerr); | 2308 rv = MapNSPRError(prerr); |
2305 net_log_.AddEvent(NetLog::TYPE_SSL_READ_ERROR, new SSLErrorParams(rv, prerr)); | 2309 net_log_.AddEvent(NetLog::TYPE_SSL_READ_ERROR, |
| 2310 make_scoped_refptr(new SSLErrorParams(rv, prerr))); |
2306 return rv; | 2311 return rv; |
2307 } | 2312 } |
2308 | 2313 |
2309 int SSLClientSocketNSS::DoPayloadWrite() { | 2314 int SSLClientSocketNSS::DoPayloadWrite() { |
2310 EnterFunction(user_write_buf_len_); | 2315 EnterFunction(user_write_buf_len_); |
2311 DCHECK(user_write_buf_); | 2316 DCHECK(user_write_buf_); |
2312 int rv = PR_Write(nss_fd_, user_write_buf_->data(), user_write_buf_len_); | 2317 int rv = PR_Write(nss_fd_, user_write_buf_->data(), user_write_buf_len_); |
2313 if (rv >= 0) { | 2318 if (rv >= 0) { |
2314 LogData(user_write_buf_->data(), rv); | 2319 LogData(user_write_buf_->data(), rv); |
2315 LeaveFunction(""); | 2320 LeaveFunction(""); |
2316 return rv; | 2321 return rv; |
2317 } | 2322 } |
2318 PRErrorCode prerr = PR_GetError(); | 2323 PRErrorCode prerr = PR_GetError(); |
2319 if (prerr == PR_WOULD_BLOCK_ERROR) { | 2324 if (prerr == PR_WOULD_BLOCK_ERROR) { |
2320 LeaveFunction(""); | 2325 LeaveFunction(""); |
2321 return ERR_IO_PENDING; | 2326 return ERR_IO_PENDING; |
2322 } | 2327 } |
2323 LeaveFunction(""); | 2328 LeaveFunction(""); |
2324 rv = MapNSPRError(prerr); | 2329 rv = MapNSPRError(prerr); |
2325 net_log_.AddEvent(NetLog::TYPE_SSL_WRITE_ERROR, | 2330 net_log_.AddEvent(NetLog::TYPE_SSL_WRITE_ERROR, |
2326 new SSLErrorParams(rv, prerr)); | 2331 make_scoped_refptr(new SSLErrorParams(rv, prerr))); |
2327 return rv; | 2332 return rv; |
2328 } | 2333 } |
2329 | 2334 |
2330 void SSLClientSocketNSS::LogConnectionTypeMetrics() const { | 2335 void SSLClientSocketNSS::LogConnectionTypeMetrics() const { |
2331 UpdateConnectionTypeHistograms(CONNECTION_SSL); | 2336 UpdateConnectionTypeHistograms(CONNECTION_SSL); |
2332 if (server_cert_verify_result_->has_md5) | 2337 if (server_cert_verify_result_->has_md5) |
2333 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5); | 2338 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5); |
2334 if (server_cert_verify_result_->has_md2) | 2339 if (server_cert_verify_result_->has_md2) |
2335 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2); | 2340 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2); |
2336 if (server_cert_verify_result_->has_md4) | 2341 if (server_cert_verify_result_->has_md4) |
2353 case SSL_CONNECTION_VERSION_TLS1_1: | 2358 case SSL_CONNECTION_VERSION_TLS1_1: |
2354 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); | 2359 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); |
2355 break; | 2360 break; |
2356 case SSL_CONNECTION_VERSION_TLS1_2: | 2361 case SSL_CONNECTION_VERSION_TLS1_2: |
2357 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); | 2362 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); |
2358 break; | 2363 break; |
2359 }; | 2364 }; |
2360 } | 2365 } |
2361 | 2366 |
2362 } // namespace net | 2367 } // namespace net |
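Review bot: `LogData(user_read_buf_->data(), rv)` in DoPayloadRead, and the matching `LogData(user_write_buf_->data(), rv)` in DoPayloadWrite, hand the decrypted application payload to a logging hook, and nothing visible in this section shows that hook being compiled out or redacted, so if it is active in a shipping build plaintext TLS traffic would end up in logs. The change under review only wraps the NetLog parameter objects in `make_scoped_refptr(...)`, which is sound since ownership of each freshly allocated `SSLErrorParams`/`SSLFailedNSSFunctionParams` passes straight into the refcounted handle, but it does not touch the payload-logging calls, and their definition is outside this section, so I cannot confirm they are debug-only. Worth verifying, and if they are, a one-line comment at the first call site would spare the next reader the lookup: `// LogData is a debug-only trace hook; plaintext is never logged in release builds.` — worded to match whatever the definition actually guarantees.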