Chromium Code Reviews Chromium Code Reviews
Issue 994743003:
Support for client certs in ssl_server_socket.
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/nss_ssl_util.h" | 5 #include "net/socket/nss_ssl_util.h" |
| 6 | 6 |
| 7 #include <nss.h> | 7 #include <nss.h> |
| 8 #include <secerr.h> | 8 #include <secerr.h> |
| 9 #include <ssl.h> | 9 #include <ssl.h> |
| 10 #include <sslerr.h> | 10 #include <sslerr.h> |
| 11 #include <sslproto.h> | 11 #include <sslproto.h> |
| 12 | 12 |
| 13 #include <string> | 13 #include <string> |
| 14 | 14 |
| 15 #include "base/bind.h" | 15 #include "base/bind.h" |
| 16 #include "base/cpu.h" | 16 #include "base/cpu.h" |
| 17 #include "base/lazy_instance.h" | 17 #include "base/lazy_instance.h" |
| 18 #include "base/logging.h" | 18 #include "base/logging.h" |
| 19 #include "base/memory/singleton.h" | 19 #include "base/memory/singleton.h" |
| 20 #include "base/threading/thread_restrictions.h" | 20 #include "base/threading/thread_restrictions.h" |
| 21 #include "base/values.h" | 21 #include "base/values.h" |
| 22 #include "build/build_config.h" | 22 #include "build/build_config.h" |
| 23 #include "crypto/nss_util.h" | 23 #include "crypto/nss_util.h" |
| 24 #include "net/base/net_errors.h" | 24 #include "net/base/net_errors.h" |
| 25 #include "net/base/net_log.h" | 25 #include "net/base/net_log.h" |
| 26 #include "net/base/nss_memio.h" | 26 #include "net/base/nss_memio.h" |
| 27 #include "net/ssl/ssl_config.h" | |
| 28 #include "net/ssl/ssl_connection_status_flags.h" | |
| 27 | 29 |
| 28 #if defined(OS_WIN) | 30 #if defined(OS_WIN) |
| 29 #include "base/win/windows_version.h" | 31 #include "base/win/windows_version.h" |
| 30 #endif | 32 #endif |
| 31 | 33 |
| 32 namespace net { | 34 namespace net { |
| 33 | 35 |
| 34 namespace { | 36 namespace { |
| 35 | 37 |
| 36 // CiphersRemove takes a zero-terminated array of cipher suite ids in | 38 // CiphersRemove takes a zero-terminated array of cipher suite ids in |
| (...skipping 319 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 356 // General unsupported/unknown key algorithm error. | 358 // General unsupported/unknown key algorithm error. |
| 357 case SEC_ERROR_UNSUPPORTED_KEYALG: | 359 case SEC_ERROR_UNSUPPORTED_KEYALG: |
| 358 // General DER decoding errors. | 360 // General DER decoding errors. |
| 359 case SEC_ERROR_BAD_DER: | 361 case SEC_ERROR_BAD_DER: |
| 360 case SEC_ERROR_EXTRA_INPUT: | 362 case SEC_ERROR_EXTRA_INPUT: |
| 361 return ERR_SSL_BAD_PEER_PUBLIC_KEY; | 363 return ERR_SSL_BAD_PEER_PUBLIC_KEY; |
| 362 // During renegotiation, the server presented a different certificate than | 364 // During renegotiation, the server presented a different certificate than |
| 363 // was used earlier. | 365 // was used earlier. |
| 364 case SSL_ERROR_WRONG_CERTIFICATE: | 366 case SSL_ERROR_WRONG_CERTIFICATE: |
| 365 return ERR_SSL_SERVER_CERT_CHANGED; | 367 return ERR_SSL_SERVER_CERT_CHANGED; |
| 368 case SSL_ERROR_NO_CERTIFICATE: | |
| 369 return ERR_BAD_SSL_CLIENT_AUTH_CERT; | |
| 366 case SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT: | 370 case SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT: |
| 367 return ERR_SSL_INAPPROPRIATE_FALLBACK; | 371 return ERR_SSL_INAPPROPRIATE_FALLBACK; |
| 368 | 372 |
| 369 default: { | 373 default: { |
| 370 const char* err_name = PR_ErrorToName(err); | 374 const char* err_name = PR_ErrorToName(err); |
| 371 if (err_name == NULL) | 375 if (err_name == NULL) |
| 372 err_name = ""; | 376 err_name = ""; |
| 373 if (IS_SSL_ERROR(err)) { | 377 if (IS_SSL_ERROR(err)) { |
| 374 LOG(WARNING) << "Unknown SSL error " << err << " (" << err_name << ")" | 378 LOG(WARNING) << "Unknown SSL error " << err << " (" << err_name << ")" |
| 375 << " mapped to net::ERR_SSL_PROTOCOL_ERROR"; | 379 << " mapped to net::ERR_SSL_PROTOCOL_ERROR"; |
| (...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 407 NetLog::TYPE_SSL_NSS_ERROR, | 411 NetLog::TYPE_SSL_NSS_ERROR, |
| 408 base::Bind(&NetLogSSLFailedNSSFunctionCallback, | 412 base::Bind(&NetLogSSLFailedNSSFunctionCallback, |
| 409 function, param, PR_GetError())); | 413 function, param, PR_GetError())); |
| 410 } | 414 } |
| 411 | 415 |
| 412 NetLog::ParametersCallback CreateNetLogSSLErrorCallback(int net_error, | 416 NetLog::ParametersCallback CreateNetLogSSLErrorCallback(int net_error, |
| 413 int ssl_lib_error) { | 417 int ssl_lib_error) { |
| 414 return base::Bind(&NetLogSSLErrorCallback, net_error, ssl_lib_error); | 418 return base::Bind(&NetLogSSLErrorCallback, net_error, ssl_lib_error); |
| 415 } | 419 } |
| 416 | 420 |
| 421 void UpdateSSLConnectionStatus(PRFileDesc* nss_fd, | |
| 422 const SSLConfig& ssl_config, | |
| 423 int* ssl_connection_status) { | |
|
Ryan Sleevi
2015/03/19 04:38:24
This method fails to properly wipe |ssl_connection
| |
| 424 SSLChannelInfo channel_info; | |
| 425 SECStatus ok = | |
| 426 SSL_GetChannelInfo(nss_fd, &channel_info, sizeof(channel_info)); | |
| 427 if (ok == SECSuccess && channel_info.length == sizeof(channel_info) && | |
| 428 channel_info.cipherSuite) { | |
| 429 (*ssl_connection_status) |= static_cast<int>(channel_info.cipherSuite) & | |
| 430 SSL_CONNECTION_CIPHERSUITE_MASK; | |
| 431 | |
| 432 (*ssl_connection_status) |= | |
| 433 (static_cast<int>(channel_info.compressionMethod) & | |
| 434 SSL_CONNECTION_COMPRESSION_MASK) | |
| 435 << SSL_CONNECTION_COMPRESSION_SHIFT; | |
| 436 | |
| 437 // NSS 3.14.x doesn't have a version macro for TLS 1.2 (because NSS didn't | |
| 438 // support it yet), so use 0x0303 directly. | |
| 439 int version = SSL_CONNECTION_VERSION_UNKNOWN; | |
| 440 if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) { | |
| 441 // All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL | |
| 442 // version 2. | |
| 443 version = SSL_CONNECTION_VERSION_SSL2; | |
| 444 } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_0) { | |
| 445 version = SSL_CONNECTION_VERSION_SSL3; | |
| 446 } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) { | |
| 447 version = SSL_CONNECTION_VERSION_TLS1; | |
| 448 } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_1) { | |
| 449 version = SSL_CONNECTION_VERSION_TLS1_1; | |
| 450 } else if (channel_info.protocolVersion == 0x0303) { | |
| 451 version = SSL_CONNECTION_VERSION_TLS1_2; | |
| 452 } | |
| 453 (*ssl_connection_status) |= (version & SSL_CONNECTION_VERSION_MASK) | |
| 454 << SSL_CONNECTION_VERSION_SHIFT; | |
| 455 } | |
| 456 | |
| 457 PRBool peer_supports_renego_ext; | |
| 458 ok = SSL_HandshakeNegotiatedExtension(nss_fd, ssl_renegotiation_info_xtn, | |
| 459 &peer_supports_renego_ext); | |
| 460 if (ok == SECSuccess) { | |
| 461 if (!peer_supports_renego_ext) { | |
| 462 (*ssl_connection_status) |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; | |
| 463 } | |
| 464 } | |
| 465 | |
| 466 if (ssl_config.version_fallback) { | |
| 467 (*ssl_connection_status) |= SSL_CONNECTION_VERSION_FALLBACK; | |
| 468 } | |
| 469 } | |
| 470 | |
| 417 } // namespace net | 471 } // namespace net |
| OLD | NEW |
