author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-05-14 01:06:05 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-05-14 01:06:05 +0000 |
commit | 01c553f08001332cb00cdb7bb7f02256a0146fe0 (patch) | |
tree | f1d204c01f56f8cdd304f75a0b9d7f5d6b52e261 /net/base | |
parent | 7be0e1710c92420e5b15b3d0d1850a09848cf217 (diff) | |
download | chromium_src-01c553f08001332cb00cdb7bb7f02256a0146fe0.zip chromium_src-01c553f08001332cb00cdb7bb7f02256a0146fe0.tar.gz chromium_src-01c553f08001332cb00cdb7bb7f02256a0146fe0.tar.bz2 |
If Schannel's InitializeSecurityContext calls return
certificate errors, do not map them to our (server)
certificate errors because the errors are referring to the
(missing) client certificate. If we incorrectly handle
them as server certificate errors, we will crash because
we can't get the server certificate from Schannel when the
handshake fails.
Fumitoshi Ukai of Google tracked down the bug and proposed
an alternative fix.
R=rvargas,ukai
BUG=http://crbug.com/11646
TEST=Visit https://www.cdep.ro/. Chromium should not crash.
Review URL: http://codereview.chromium.org/113375
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@16026 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
-rw-r--r-- | net/base/ssl_client_socket_win.cc | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/net/base/ssl_client_socket_win.cc b/net/base/ssl_client_socket_win.cc index e732e86..62790d5 100644 --- a/net/base/ssl_client_socket_win.cc +++ b/net/base/ssl_client_socket_win.cc @@ -612,8 +612,23 @@ int SSLClientSocketWin::DidCallInitializeSecurityContext() { return DidCompleteHandshake(); } - if (FAILED(isc_status_)) - return MapSecurityError(isc_status_); + if (FAILED(isc_status_)) { + int result = MapSecurityError(isc_status_); + // We told Schannel to not verify the server certificate + // (SCH_CRED_MANUAL_CRED_VALIDATION), so any certificate error returned by + // InitializeSecurityContext must be referring to the (missing) client + // certificate. + if (IsCertificateError(result)) { + // TODO(wtc): When we support SSL client authentication, we will need to + // add new error codes for client certificate errors reported by the + // server using SSL/TLS alert messages. See http://crbug.com/318. See + // also the MSDN page "Schannel Error Codes for TLS and SSL Alerts", + // which maps TLS alert messages to Windows error codes: + // http://msdn.microsoft.com/en-us/library/dd721886%28VS.85%29.aspx + return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; + } + return result; + } if (isc_status_ == SEC_I_INCOMPLETE_CREDENTIALS) { // We don't support SSL client authentication yet. For now we just set |
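Review bot: the underlying Schannel status is lost in the new `if (IsCertificateError(result))` branch, because `return ERR_SSL_CLIENT_AUTH_CERT_NEEDED;` collapses every certificate error that MapSecurityError(isc_status_) produces into one code; consider logging isc_status_ before that return so the actual SEC_E_* value stays diagnosable when the handshake fails. The comment's premise that SCH_CRED_MANUAL_CRED_VALIDATION makes any certificate error from InitializeSecurityContext refer to the client certificate is the load-bearing assumption of the fix, and the TODO already concedes that certificate errors the server reports via TLS alerts will need their own error codes; until those exist, such a server-side rejection will surface as a client-authentication condition rather than a server certificate error, so that limitation deserves a sentence in the comment proper rather than only in the TODO. The placement of the new block ahead of the existing `if (isc_status_ == SEC_I_INCOMPLETE_CREDENTIALS)` check is fine, since SEC_I_* values are success codes that FAILED() does not match.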