| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| (...skipping 536 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 547 bool predicted_cert_chain_correct; | 547 bool predicted_cert_chain_correct; |
| 548 | 548 |
| 549 // True if the current handshake was the result of TLS session resumption. | 549 // True if the current handshake was the result of TLS session resumption. |
| 550 bool resumed_handshake; | 550 bool resumed_handshake; |
| 551 | 551 |
| 552 // The negotiated security parameters (TLS version, cipher, extensions) of | 552 // The negotiated security parameters (TLS version, cipher, extensions) of |
| 553 // the SSL connection. | 553 // the SSL connection. |
| 554 int ssl_connection_status; | 554 int ssl_connection_status; |
| 555 }; | 555 }; |
| 556 | 556 |
| 557 // Client-side error mapping functions. |
| 558 |
| 559 // Map NSS error code to network error code. |
| 560 int MapNSSClientError(PRErrorCode err) { |
| 561 switch (err) { |
| 562 case SSL_ERROR_BAD_CERT_ALERT: |
| 563 case SSL_ERROR_UNSUPPORTED_CERT_ALERT: |
| 564 case SSL_ERROR_REVOKED_CERT_ALERT: |
| 565 case SSL_ERROR_EXPIRED_CERT_ALERT: |
| 566 case SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT: |
| 567 case SSL_ERROR_UNKNOWN_CA_ALERT: |
| 568 case SSL_ERROR_ACCESS_DENIED_ALERT: |
| 569 return ERR_BAD_SSL_CLIENT_AUTH_CERT; |
| 570 default: |
| 571 return MapNSSError(err); |
| 572 } |
| 573 } |
| 574 |
| 575 // Map NSS error code from the first SSL handshake to network error code. |
| 576 int MapNSSClientHandshakeError(PRErrorCode err) { |
| 577 switch (err) { |
| 578 // If the server closed on us, it is a protocol error. |
| 579 // Some TLS-intolerant servers do this when we request TLS. |
| 580 case PR_END_OF_FILE_ERROR: |
| 581 return ERR_SSL_PROTOCOL_ERROR; |
| 582 default: |
| 583 return MapNSSClientError(err); |
| 584 } |
| 585 } |
| 586 |
| 557 } // namespace | 587 } // namespace |
| 558 | 588 |
| 559 // SSLClientSocketNSS::Core provides a thread-safe, ref-counted core that is | 589 // SSLClientSocketNSS::Core provides a thread-safe, ref-counted core that is |
| 560 // able to marshal data between NSS functions and an underlying transport | 590 // able to marshal data between NSS functions and an underlying transport |
| 561 // socket. | 591 // socket. |
| 562 // | 592 // |
| 563 // All public functions are meant to be called from the network task runner, | 593 // All public functions are meant to be called from the network task runner, |
| 564 // and any callbacks supplied will be invoked there as well, provided that | 594 // and any callbacks supplied will be invoked there as well, provided that |
| 565 // Detach() has not been called yet. | 595 // Detach() has not been called yet. |
| 566 // | 596 // |
| (...skipping 1256 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1823 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core, | 1853 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core, |
| 1824 *nss_state)); | 1854 *nss_state)); |
| 1825 | 1855 |
| 1826 return SECSuccess; | 1856 return SECSuccess; |
| 1827 } | 1857 } |
| 1828 | 1858 |
| 1829 int SSLClientSocketNSS::Core::HandleNSSError(PRErrorCode nss_error, | 1859 int SSLClientSocketNSS::Core::HandleNSSError(PRErrorCode nss_error, |
| 1830 bool handshake_error) { | 1860 bool handshake_error) { |
| 1831 DCHECK(OnNSSTaskRunner()); | 1861 DCHECK(OnNSSTaskRunner()); |
| 1832 | 1862 |
| 1833 int net_error = handshake_error ? MapNSSHandshakeError(nss_error) : | 1863 int net_error = handshake_error ? MapNSSClientHandshakeError(nss_error) : |
| 1834 MapNSSError(nss_error); | 1864 MapNSSClientError(nss_error); |
| 1835 | 1865 |
| 1836 #if defined(OS_WIN) | 1866 #if defined(OS_WIN) |
| 1837 // On Windows, a handle to the HCRYPTPROV is cached in the X509Certificate | 1867 // On Windows, a handle to the HCRYPTPROV is cached in the X509Certificate |
| 1838 // os_cert_handle() as an optimization. However, if the certificate | 1868 // os_cert_handle() as an optimization. However, if the certificate |
| 1839 // private key is stored on a smart card, and the smart card is removed, | 1869 // private key is stored on a smart card, and the smart card is removed, |
| 1840 // the cached HCRYPTPROV will not be able to obtain the HCRYPTKEY again, | 1870 // the cached HCRYPTPROV will not be able to obtain the HCRYPTKEY again, |
| 1841 // preventing client certificate authentication. Because the | 1871 // preventing client certificate authentication. Because the |
| 1842 // X509Certificate may outlive the individual SSLClientSocketNSS, due to | 1872 // X509Certificate may outlive the individual SSLClientSocketNSS, due to |
| 1843 // caching in X509Certificate, this failure ends up preventing client | 1873 // caching in X509Certificate, this failure ends up preventing client |
| 1844 // certificate authentication with the same certificate for all future | 1874 // certificate authentication with the same certificate for all future |
| (...skipping 600 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2445 if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo( | 2475 if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo( |
| 2446 ServerBoundCertService::kEPKIPassword, | 2476 ServerBoundCertService::kEPKIPassword, |
| 2447 reinterpret_cast<const unsigned char*>( | 2477 reinterpret_cast<const unsigned char*>( |
| 2448 domain_bound_private_key_.data()), | 2478 domain_bound_private_key_.data()), |
| 2449 domain_bound_private_key_.size(), | 2479 domain_bound_private_key_.size(), |
| 2450 &(*cert)->subjectPublicKeyInfo, | 2480 &(*cert)->subjectPublicKeyInfo, |
| 2451 false, | 2481 false, |
| 2452 false, | 2482 false, |
| 2453 key, | 2483 key, |
| 2454 &public_key)) { | 2484 &public_key)) { |
| 2485 int error = MapNSSError(PORT_GetError()); |
| 2455 CERT_DestroyCertificate(*cert); | 2486 CERT_DestroyCertificate(*cert); |
| 2456 *cert = NULL; | 2487 *cert = NULL; |
| 2457 return MapNSSError(PORT_GetError()); | 2488 return error; |
| 2458 } | 2489 } |
| 2459 SECKEY_DestroyPublicKey(public_key); | 2490 SECKEY_DestroyPublicKey(public_key); |
| 2460 break; | 2491 break; |
| 2461 } | 2492 } |
| 2462 | 2493 |
| 2463 default: | 2494 default: |
| 2464 NOTREACHED(); | 2495 NOTREACHED(); |
| 2465 return ERR_INVALID_ARGUMENT; | 2496 return ERR_INVALID_ARGUMENT; |
| 2466 } | 2497 } |
| 2467 | 2498 |
| (...skipping 1168 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3636 EnsureThreadIdAssigned(); | 3667 EnsureThreadIdAssigned(); |
| 3637 base::AutoLock auto_lock(lock_); | 3668 base::AutoLock auto_lock(lock_); |
| 3638 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 3669 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
| 3639 } | 3670 } |
| 3640 | 3671 |
| 3641 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { | 3672 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { |
| 3642 return server_bound_cert_service_; | 3673 return server_bound_cert_service_; |
| 3643 } | 3674 } |
| 3644 | 3675 |
| 3645 } // namespace net | 3676 } // namespace net |
| OLD | NEW |