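--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,10 +1,10 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/ssl/openssl_ssl_util.h"
 
 #include <errno.h>
 
 #include <openssl/err.h>
 #include <openssl/ssl.h>
@@ -111,43 +111,50 @@
 case SSL_R_ENCRYPTED_LENGTH_TOO_LONG:
 case SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST:
 case SSL_R_EXCESSIVE_MESSAGE_SIZE:
 case SSL_R_EXTRA_DATA_IN_MESSAGE:
 case SSL_R_GOT_A_FIN_BEFORE_A_CCS:
 case SSL_R_INVALID_COMMAND:
 case SSL_R_INVALID_STATUS_RESPONSE:
 case SSL_R_INVALID_TICKET_KEYS_LENGTH:
 // SSL_do_handshake reports this error when the server responds to a
 // ClientHello with a fatal close_notify alert.
-case SSL_AD_REASON_OFFSET + SSL_AD_CLOSE_NOTIFY:
+case SSL_R_SSLV3_ALERT_CLOSE_NOTIFY:
 case SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE:
-// TODO(joth): SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE may be returned from the
-// server after receiving ClientHello if there's no common supported cipher.
-// Ideally we'd map that specific case to ERR_SSL_VERSION_OR_CIPHER_MISMATCH
-// to match the NSS implementation. See also http://goo.gl/oMtZW
-case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE:
 case SSL_R_SSLV3_ALERT_NO_CERTIFICATE:
 case SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER:
 case SSL_R_TLSV1_ALERT_DECODE_ERROR:
 case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED:
 case SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION:
 case SSL_R_TLSV1_ALERT_INTERNAL_ERROR:
 case SSL_R_TLSV1_ALERT_NO_RENEGOTIATION:
 case SSL_R_TLSV1_ALERT_RECORD_OVERFLOW:
 case SSL_R_TLSV1_ALERT_USER_CANCELLED:
 return ERR_SSL_PROTOCOL_ERROR;
 case SSL_R_CERTIFICATE_VERIFY_FAILED:
 // The only way that the certificate verify callback can fail is if
 // the leaf certificate changed during a renegotiation.
 return ERR_SSL_SERVER_CERT_CHANGED;
-case SSL_AD_REASON_OFFSET + SSL3_AD_INAPPROPRIATE_FALLBACK:
+case SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK:
 return ERR_SSL_INAPPROPRIATE_FALLBACK;
+// SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE may be returned from the server after
+// receiving ClientHello if there's no common supported cipher. Map that
+// specific case to ERR_SSL_VERSION_OR_CIPHER_MISMATCH to match the NSS
+// implementation. See https://goo.gl/oMtZW and https://crbug.com/446505.
+case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: {
+uint32_t previous = ERR_peek_error();
+if (previous != 0 && ERR_GET_LIB(previous) == ERR_LIB_SSL &&
+ERR_GET_REASON(previous) == SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO) {
+return ERR_SSL_VERSION_OR_CIPHER_MISMATCH;
+}
+return ERR_SSL_PROTOCOL_ERROR;
+}
 default:
 LOG(WARNING) << "Unmapped error reason: " << ERR_GET_REASON(error_code);
 return ERR_SSL_PROTOCOL_ERROR;
 }
 }
 
 base::Value* NetLogOpenSSLErrorCallback(int net_error,
 int ssl_error,
 const OpenSSLErrorInfo& error_info,
 NetLog::LogLevel /* log_level */) {
@@ -229,10 +236,10 @@
 
 NetLog::ParametersCallback CreateNetLogOpenSSLErrorCallback(
 int net_error,
 int ssl_error,
 const OpenSSLErrorInfo& error_info) {
 return base::Bind(&NetLogOpenSSLErrorCallback,
 net_error, ssl_error, error_info);
 }
 
 } // namespace net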
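Review bot: The new `SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE` case (new lines 143-150) makes the mapping depend on the thread's OpenSSL error queue rather than on `error_code` alone: `ERR_peek_error()` returns whichever entry is currently at the head, so the result presumably hinges on the caller having already popped `error_code` with `ERR_get_error()` and on BoringSSL queuing the alert ahead of `SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO`, neither of which is visible in this hunk. That precondition deserves a comment above the peek, e.g. `// Relies on the caller having consumed |error_code| via ERR_get_error(); the entry now at the head is the reason BoringSSL queued alongside the alert.` Since the entry is only peeked and never consumed, it stays on the queue, and if the caller later drains it through this same mapper it would fall into `default` and log "Unmapped error reason" unless a case outside this hunk handles it — worth confirming against the caller. The function containing this switch begins before the hunk.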