Side by Side Diff: net/socket/nss_ssl_util.cc

Issue 994743003: Support for client certs in ssl_server_socket. Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Passing this CL to RyanChung for further work. Created 5 years, 1 month ago
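--- a/net/socket/nss_ssl_util.cc
+++ b/net/socket/nss_ssl_util.cc
@@ -1,36 +1,38 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/nss_ssl_util.h"
 
 #include <nss.h>
 #include <secerr.h>
 #include <ssl.h>
 #include <sslerr.h>
 #include <sslproto.h>
 
 #include <string>
 
 #include "base/bind.h"
 #include "base/cpu.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/memory/singleton.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/values.h"
 #include "build/build_config.h"
 #include "crypto/nss_util.h"
 #include "net/base/net_errors.h"
 #include "net/base/nss_memio.h"
 #include "net/log/net_log.h"
+#include "net/ssl/ssl_config.h"
+#include "net/ssl/ssl_connection_status_flags.h"
 
 #if defined(OS_WIN)
 #include "base/win/windows_version.h"
 #endif
 
 namespace net {
 
 namespace {
 
 // CiphersRemove takes a zero-terminated array of cipher suite ids in
@@ -351,20 +353,22 @@
     // General unsupported/unknown key algorithm error.
     case SEC_ERROR_UNSUPPORTED_KEYALG:
     // General DER decoding errors.
     case SEC_ERROR_BAD_DER:
     case SEC_ERROR_EXTRA_INPUT:
       return ERR_SSL_BAD_PEER_PUBLIC_KEY;
     // During renegotiation, the server presented a different certificate than
     // was used earlier.
     case SSL_ERROR_WRONG_CERTIFICATE:
       return ERR_SSL_SERVER_CERT_CHANGED;
+    case SSL_ERROR_NO_CERTIFICATE:
+      return ERR_BAD_SSL_CLIENT_AUTH_CERT;
     case SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT:
       return ERR_SSL_INAPPROPRIATE_FALLBACK;
 
     default: {
       const char* err_name = PR_ErrorToName(err);
       if (err_name == NULL)
         err_name = "";
       if (IS_SSL_ERROR(err)) {
         LOG(WARNING) << "Unknown SSL error " << err << " (" << err_name << ")"
                      << " mapped to net::ERR_SSL_PROTOCOL_ERROR";
@@ -402,11 +406,61 @@
       NetLog::TYPE_SSL_NSS_ERROR,
       base::Bind(&NetLogSSLFailedNSSFunctionCallback,
                  function, param, PR_GetError()));
 }
 
 NetLog::ParametersCallback CreateNetLogSSLErrorCallback(int net_error,
                                                          int ssl_lib_error) {
   return base::Bind(&NetLogSSLErrorCallback, net_error, ssl_lib_error);
 }
 
+void UpdateSSLConnectionStatus(PRFileDesc* nss_fd,
+                               const SSLConfig& ssl_config,
+                               int* ssl_connection_status) {
+  SSLChannelInfo channel_info;
+  SECStatus ok =
+      SSL_GetChannelInfo(nss_fd, &channel_info, sizeof(channel_info));
+  if (ok == SECSuccess && channel_info.length == sizeof(channel_info) &&
+      channel_info.cipherSuite) {
+    (*ssl_connection_status) |= static_cast<int>(channel_info.cipherSuite) &
+                                SSL_CONNECTION_CIPHERSUITE_MASK;
+
+    (*ssl_connection_status) |=
+        (static_cast<int>(channel_info.compressionMethod) &
+         SSL_CONNECTION_COMPRESSION_MASK)
+        << SSL_CONNECTION_COMPRESSION_SHIFT;
+
+    // NSS 3.14.x doesn't have a version macro for TLS 1.2 (because NSS didn't
+    // support it yet), so use 0x0303 directly.
+    int version = SSL_CONNECTION_VERSION_UNKNOWN;
+    if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) {
+      // All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL
+      // version 2.
+      version = SSL_CONNECTION_VERSION_SSL2;
+    } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_0) {
+      version = SSL_CONNECTION_VERSION_SSL3;
+    } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) {
+      version = SSL_CONNECTION_VERSION_TLS1;
+    } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_1) {
+      version = SSL_CONNECTION_VERSION_TLS1_1;
+    } else if (channel_info.protocolVersion == 0x0303) {
+      version = SSL_CONNECTION_VERSION_TLS1_2;
+    }
+    (*ssl_connection_status) |= (version & SSL_CONNECTION_VERSION_MASK)
+                                << SSL_CONNECTION_VERSION_SHIFT;
+  }
+
+  PRBool peer_supports_renego_ext;
+  ok = SSL_HandshakeNegotiatedExtension(nss_fd, ssl_renegotiation_info_xtn,
+                                        &peer_supports_renego_ext);
+  if (ok == SECSuccess) {
+    if (!peer_supports_renego_ext) {
+      (*ssl_connection_status) |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
+    }
+  }
+
+  if (ssl_config.version_fallback) {
+    (*ssl_connection_status) |= SSL_CONNECTION_VERSION_FALLBACK;
+  }
+}
+
 } // namespace net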
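Review bot: UpdateSSLConnectionStatus (new in the last hunk, lines 416–464 of the new file) only ORs bits into *ssl_connection_status and never clears the cipher-suite, compression or version fields first, so its result is only meaningful when the caller passes in a status whose fields are still zero; called a second time on the same value, for instance after a renegotiation that changes the cipher suite, the old and new cipher and version bits would be merged into a value that names neither. Now that the helper is shared between the client and the server socket, that precondition should either be stated on the definition — `// Bits are OR'ed into *ssl_connection_status, never cleared: the cipher suite, compression and version fields must be zero on entry.` — or the three masked fields should be cleared at the top of the function before they are set. The `SSL_ERROR_NO_CERTIFICATE` → `ERR_BAD_SSL_CLIENT_AUTH_CERT` mapping added to MapNSSError in the second hunk is presumably reached from the client-socket path as well; if NSS can raise that error there for reasons unrelated to client authentication, the net error reported to callers would be misleading, which is worth confirming before the CL lands.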