1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/ssl/openssl_ssl_util.h" | 5 #include "net/ssl/openssl_ssl_util.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 | 8 |
9 #include <openssl/err.h> | 9 #include <openssl/err.h> |
10 #include <openssl/ssl.h> | 10 #include <openssl/ssl.h> |
111 case SSL_R_ENCRYPTED_LENGTH_TOO_LONG: | 111 case SSL_R_ENCRYPTED_LENGTH_TOO_LONG: |
112 case SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST: | 112 case SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST: |
113 case SSL_R_EXCESSIVE_MESSAGE_SIZE: | 113 case SSL_R_EXCESSIVE_MESSAGE_SIZE: |
114 case SSL_R_EXTRA_DATA_IN_MESSAGE: | 114 case SSL_R_EXTRA_DATA_IN_MESSAGE: |
115 case SSL_R_GOT_A_FIN_BEFORE_A_CCS: | 115 case SSL_R_GOT_A_FIN_BEFORE_A_CCS: |
116 case SSL_R_INVALID_COMMAND: | 116 case SSL_R_INVALID_COMMAND: |
117 case SSL_R_INVALID_STATUS_RESPONSE: | 117 case SSL_R_INVALID_STATUS_RESPONSE: |
118 case SSL_R_INVALID_TICKET_KEYS_LENGTH: | 118 case SSL_R_INVALID_TICKET_KEYS_LENGTH: |
119 // SSL_do_handshake reports this error when the server responds to a | 119 // SSL_do_handshake reports this error when the server responds to a |
120 // ClientHello with a fatal close_notify alert. | 120 // ClientHello with a fatal close_notify alert. |
121 case SSL_AD_REASON_OFFSET + SSL_AD_CLOSE_NOTIFY: | 121 case SSL_R_SSLV3_ALERT_CLOSE_NOTIFY: |
122 case SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE: | 122 case SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE: |
123 // TODO(joth): SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE may be returned from the | |
124 // server after receiving ClientHello if there's no common supported cipher. | |
125 // Ideally we'd map that specific case to ERR_SSL_VERSION_OR_CIPHER_MISMATCH | |
126 // to match the NSS implementation. See also http://goo.gl/oMtZW | |
127 case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: | |
128 case SSL_R_SSLV3_ALERT_NO_CERTIFICATE: | 123 case SSL_R_SSLV3_ALERT_NO_CERTIFICATE: |
129 case SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER: | 124 case SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER: |
130 case SSL_R_TLSV1_ALERT_DECODE_ERROR: | 125 case SSL_R_TLSV1_ALERT_DECODE_ERROR: |
131 case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED: | 126 case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED: |
132 case SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION: | 127 case SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION: |
133 case SSL_R_TLSV1_ALERT_INTERNAL_ERROR: | 128 case SSL_R_TLSV1_ALERT_INTERNAL_ERROR: |
134 case SSL_R_TLSV1_ALERT_NO_RENEGOTIATION: | 129 case SSL_R_TLSV1_ALERT_NO_RENEGOTIATION: |
135 case SSL_R_TLSV1_ALERT_RECORD_OVERFLOW: | 130 case SSL_R_TLSV1_ALERT_RECORD_OVERFLOW: |
136 case SSL_R_TLSV1_ALERT_USER_CANCELLED: | 131 case SSL_R_TLSV1_ALERT_USER_CANCELLED: |
137 return ERR_SSL_PROTOCOL_ERROR; | 132 return ERR_SSL_PROTOCOL_ERROR; |
138 case SSL_R_CERTIFICATE_VERIFY_FAILED: | 133 case SSL_R_CERTIFICATE_VERIFY_FAILED: |
139 // The only way that the certificate verify callback can fail is if | 134 // The only way that the certificate verify callback can fail is if |
140 // the leaf certificate changed during a renegotiation. | 135 // the leaf certificate changed during a renegotiation. |
141 return ERR_SSL_SERVER_CERT_CHANGED; | 136 return ERR_SSL_SERVER_CERT_CHANGED; |
142 case SSL_AD_REASON_OFFSET + SSL3_AD_INAPPROPRIATE_FALLBACK: | 137 case SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK: |
143 return ERR_SSL_INAPPROPRIATE_FALLBACK; | 138 return ERR_SSL_INAPPROPRIATE_FALLBACK; |
| 139 // SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE may be returned from the server after |
| 140 // receiving ClientHello if there's no common supported cipher. Map that |
| 141 // specific case to ERR_SSL_VERSION_OR_CIPHER_MISMATCH to match the NSS |
| 142 // implementation. See https://goo.gl/oMtZW and https://crbug.com/446505. |
| 143 case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: { |
| 144 uint32_t previous = ERR_peek_error(); |
| 145 if (previous != 0 && ERR_GET_LIB(previous) == ERR_LIB_SSL && |
| 146 ERR_GET_REASON(previous) == SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO) { |
| 147 return ERR_SSL_VERSION_OR_CIPHER_MISMATCH; |
| 148 } |
| 149 return ERR_SSL_PROTOCOL_ERROR; |
| 150 } |
144 default: | 151 default: |
145 LOG(WARNING) << "Unmapped error reason: " << ERR_GET_REASON(error_code); | 152 LOG(WARNING) << "Unmapped error reason: " << ERR_GET_REASON(error_code); |
146 return ERR_SSL_PROTOCOL_ERROR; | 153 return ERR_SSL_PROTOCOL_ERROR; |
147 } | 154 } |
148 } | 155 } |
149 | 156 |
150 base::Value* NetLogOpenSSLErrorCallback(int net_error, | 157 base::Value* NetLogOpenSSLErrorCallback(int net_error, |
151 int ssl_error, | 158 int ssl_error, |
152 const OpenSSLErrorInfo& error_info, | 159 const OpenSSLErrorInfo& error_info, |
153 NetLog::LogLevel /* log_level */) { | 160 NetLog::LogLevel /* log_level */) { |
229 | 236 |
230 NetLog::ParametersCallback CreateNetLogOpenSSLErrorCallback( | 237 NetLog::ParametersCallback CreateNetLogOpenSSLErrorCallback( |
231 int net_error, | 238 int net_error, |
232 int ssl_error, | 239 int ssl_error, |
233 const OpenSSLErrorInfo& error_info) { | 240 const OpenSSLErrorInfo& error_info) { |
234 return base::Bind(&NetLogOpenSSLErrorCallback, | 241 return base::Bind(&NetLogOpenSSLErrorCallback, |
235 net_error, ssl_error, error_info); | 242 net_error, ssl_error, error_info); |
236 } | 243 } |
237 | 244 |
238 } // namespace net | 245 } // namespace net |
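Review bot: The new SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE case (new lines 143-150) makes the mapping depend on hidden state: ERR_peek_error() reads the thread's OpenSSL error queue, so the result is only correct if the caller invokes this function before anything clears or pushes onto the queue, and that precondition is not stated anywhere in the hunk. The enclosing function's signature and header comment start outside the hunk, so the documentation belongs there, e.g. `// Precondition: the OpenSSL error queue still holds the entries from the failing call; the handshake_failure case peeks at the next queued error (SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO) to refine the mapping.` Because ERR_SSL_VERSION_OR_CIPHER_MISMATCH and ERR_SSL_PROTOCOL_ERROR are presumably treated differently by callers, a stale or cleared queue would silently degrade to the generic error, so a unit test that exercises both branches with a populated and an empty queue would pin the intended behavior. The `previous != 0` guard on new line 145 is redundant with the ERR_GET_LIB comparison and could be dropped for readability, though it is harmless.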