Synchronize the mappings between Windows/Mac error codes and their net:: error code counter-parts, ensuring they both will return the same values when either --use-system-ssl is specified or when performing client certificate authentication.

R=wtc
BUG=56330
TEST=None

Review URL: http://codereview.chromium.org/3683002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@62108 0039d316-1c4b-4281-b951-d872f2087c98

2 files changed, 58 insertions, 12 deletions

diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc
index 2df29e7..884555c 100644
--- a/net/socket/ssl_client_socket_mac.cc
+++ b/net/socket/ssl_client_socket_mac.cc
@@ -155,13 +155,21 @@ int NetErrorFromOSStatus(OSStatus status) {
       return ERR_CONNECTION_ABORTED;
     case errSSLInternal:
       return ERR_UNEXPECTED;
+    case errSSLBadRecordMac:
     case errSSLCrypto:
+    case errSSLConnectionRefused:
+    case errSSLDecryptionFail:
     case errSSLFatalAlert:
     case errSSLIllegalParam:  // Received an illegal_parameter alert.
+    case errSSLPeerDecodeError:  // Received a decode_error alert.
+    case errSSLPeerDecryptError:  // Received a decrypt_error alert.
+    case errSSLPeerExportRestriction:  // Received an export_restriction alert.
+    case errSSLPeerHandshakeFail:  // Received a handshake_failure alert.
+    case errSSLPeerNoRenegotiation:  // Received a no_renegotiation alert
     case errSSLPeerUnexpectedMsg:  // Received an unexpected_message alert.
+    case errSSLPeerUserCancelled:  // Received a user_cancelled alert.
     case errSSLProtocol:
-    case errSSLPeerHandshakeFail:  // Received a handshake_failure alert.
-    case errSSLConnectionRefused:
+    case errSSLRecordOverflow:
       return ERR_SSL_PROTOCOL_ERROR;
     case errSSLHostNameMismatch:
       return ERR_CERT_COMMON_NAME_INVALID;
@@ -179,19 +187,25 @@ int NetErrorFromOSStatus(OSStatus status) {
     case noErr:
       return OK;
 
+    // (Note that all errSSLPeer* codes indicate errors reported by the peer,
+    // so the cert-related ones refer to my _client_ cert.)
     case errSSLPeerCertUnknown...errSSLPeerBadCert:
-    case errSSLPeerInsufficientSecurity...errSSLPeerUnknownCA:
-      // (Note that all errSSLPeer* codes indicate errors reported by the
-      // peer, so the cert-related ones refer to my _client_ cert.)
+    case errSSLPeerUnknownCA:
+    // TODO(rsleevi): Add a new error code for access_denied - the peer has
+    // accepted the certificate as valid, but denied access to the requested
+    // resource. Returning ERR_BAD_SSL_CLIENT_AUTH simply gives the user a
+    // chance to select a new certificate, if they have one, and try again.
+    case errSSLPeerAccessDenied:
       LOG(WARNING) << "Server rejected client cert (OSStatus=" << status << ")";
       return ERR_BAD_SSL_CLIENT_AUTH_CERT;
 
-    case errSSLBadRecordMac:
+    case errSSLPeerInsufficientSecurity:
+    case errSSLPeerProtocolVersion:
+      return ERR_SSL_VERSION_OR_CIPHER_MISMATCH;
+
     case errSSLBufferOverflow:
-    case errSSLDecryptionFail:
     case errSSLModuleAttach:
     case errSSLNegotiation:
-    case errSSLRecordOverflow:
     case errSSLSessionNotFound:
     default:
       LOG(WARNING) << "Unknown error " << status <<
diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc
index 67e3f3f..c43f354 100644
--- a/net/socket/ssl_client_socket_win.cc
+++ b/net/socket/ssl_client_socket_win.cc
@@ -38,29 +38,61 @@ static int MapSecurityError(SECURITY_STATUS err) {
     case SEC_E_WRONG_PRINCIPAL:  // Schannel
     case CERT_E_CN_NO_MATCH:  // CryptoAPI
       return ERR_CERT_COMMON_NAME_INVALID;
-    case SEC_E_UNTRUSTED_ROOT:  // Schannel
+    case SEC_E_UNTRUSTED_ROOT:  // Schannel - unknown_ca alert
     case CERT_E_UNTRUSTEDROOT:  // CryptoAPI
       return ERR_CERT_AUTHORITY_INVALID;
-    case SEC_E_CERT_EXPIRED:  // Schannel
+    case SEC_E_CERT_EXPIRED:  // Schannel - certificate_expired alert
     case CERT_E_EXPIRED:  // CryptoAPI
       return ERR_CERT_DATE_INVALID;
     case CRYPT_E_NO_REVOCATION_CHECK:
       return ERR_CERT_NO_REVOCATION_MECHANISM;
     case CRYPT_E_REVOCATION_OFFLINE:
       return ERR_CERT_UNABLE_TO_CHECK_REVOCATION;
-    case CRYPT_E_REVOKED:  // Schannel and CryptoAPI
+    case CRYPT_E_REVOKED:  // CryptoAPI and Schannel certificate_revoked alert
       return ERR_CERT_REVOKED;
+
+    // We received one of the following alert messages from the server:
+    //   bad_certificate
+    //   unsupported_certificate
+    //   certificate_unknown
     case SEC_E_CERT_UNKNOWN:
     case CERT_E_ROLE:
       return ERR_CERT_INVALID;
+
     // We received one of the following alert messages from the server:
+    //   decode_error
+    //   export_restriction
     //   handshake_failure
     //   illegal_parameter
+    //   record_overflow
     //   unexpected_message
+    // and all other TLS alerts not explicitly specified elsewhere.
     case SEC_E_ILLEGAL_MESSAGE:
+    // We received one of the following alert messages from the server:
+    //   decrypt_error
+    //   decryption_failed
+    case SEC_E_DECRYPT_FAILURE:
+    // We received one of the following alert messages from the server:
+    //   bad_record_mac
+    //   decompression_failure
+    case SEC_E_MESSAGE_ALTERED:
+    // TODO(rsleevi): Add SEC_E_INTERNAL_ERROR, which corresponds to an
+    // internal_error alert message being received. However, it is also used
+    // by Schannel for authentication errors that happen locally, so it has
+    // been omitted to prevent masking them as protocol errors.
       return ERR_SSL_PROTOCOL_ERROR;
-    case SEC_E_ALGORITHM_MISMATCH:
+
+    // TODO(rsleevi): Add a new error code for access_denied - the peer has
+    // accepted the certificate as valid, but denied access to the requested
+    // resource. Returning ERR_BAD_SSL_CLIENT_AUTH simply gives the user a
+    // chance to select a new certificate, if they have one, and try again.
+    case SEC_E_LOGON_DENIED:  // Received a access_denied alert.
+      return ERR_BAD_SSL_CLIENT_AUTH_CERT;
+
+    case SEC_E_UNSUPPORTED_FUNCTION:  // Received a protocol_version alert.
+    case SEC_E_ALGORITHM_MISMATCH:  // Received an insufficient_security alert.
       return ERR_SSL_VERSION_OR_CIPHER_MISMATCH;
+
     case SEC_E_INVALID_HANDLE:
     case SEC_E_INVALID_TOKEN:
       LOG(ERROR) << "Unexpected error " << err;