authorwtc@google.com <wtc@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2008-10-14 01:05:14 +0000
committerwtc@google.com <wtc@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2008-10-14 01:05:14 +0000
commite69d8f8ec81cf42a69a42b4beab5d1b79fa1c146 (patch)
tree185c2d3a96f0ae6a7716f59d7d36a7d500b9ba26 /net/base
parent25ab0c6f7454bc7a8a61478f0ef39082dc75bf1e (diff)
Support servers that request but don't require SSL
client authentication. R=rvargas BUG=166 Review URL: http://codereview.chromium.org/7291 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@3337 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
-rw-r--r--net/base/ssl_client_socket.cc22
-rw-r--r--net/base/ssl_client_socket.h3
2 files changed, 24 insertions, 1 deletions
diff --git a/net/base/ssl_client_socket.cc b/net/base/ssl_client_socket.cc
index 8380664..d155009 100644
--- a/net/base/ssl_client_socket.cc
+++ b/net/base/ssl_client_socket.cc
@@ -111,7 +111,8 @@ SSLClientSocket::SSLClientSocket(ClientSocket* transport_socket,
received_ptr_(NULL),
bytes_received_(0),
completed_handshake_(false),
- ignore_ok_result_(false) {
+ ignore_ok_result_(false),
+ no_client_cert_(false) {
memset(&stream_sizes_, 0, sizeof(stream_sizes_));
memset(&send_buffer_, 0, sizeof(send_buffer_));
memset(&creds_, 0, sizeof(creds_));
@@ -467,6 +468,16 @@ int SSLClientSocket::DoHandshakeReadComplete(int result) {
ISC_REQ_ALLOCATE_MEMORY |
ISC_REQ_STREAM;
+ // When InitializeSecurityContext returns SEC_I_INCOMPLETE_CREDENTIALS,
+ // John Banes (a Microsoft security developer) said we need to pass in the
+ // ISC_REQ_USE_SUPPLIED_CREDS flag if we skip finding a client certificate
+ // and just call InitializeSecurityContext again. (See
+ // (http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2004-08/0187.html.)
+ // My testing on XP SP2 and Vista SP1 shows that it still works without
+ // passing in this flag, but I pass it in to be safe.
+ if (no_client_cert_)
+ flags |= ISC_REQ_USE_SUPPLIED_CREDS;
+
SecBufferDesc in_buffer_desc, out_buffer_desc;
SecBuffer in_buffers[2];
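Review bot: The new comment block has a stray opening parenthesis before the URL on the `// (http://www.derkeiler.com/...` line, so the parenthetical opened by `(See` is never balanced; `// (See http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2004-08/0187.html.)` reads cleanly. The comment also leans on an informal newsgroup reply plus ad-hoc testing for the flag; a shorter why-comment such as `// Retrying after SEC_I_INCOMPLETE_CREDENTIALS without supplying a certificate: tell Schannel to proceed with the credentials it already has.` would keep the rationale without the anecdote. DoHandshakeReadComplete starts and ends outside this hunk.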
@@ -540,6 +551,15 @@ int SSLClientSocket::DoHandshakeReadComplete(int result) {
if (FAILED(status))
return MapSecurityError(status);
+ if (status == SEC_I_INCOMPLETE_CREDENTIALS) {
+ // We don't support SSL client authentication yet. For now we just set
+ // no_client_cert_ to true and call InitializeSecurityContext again.
+ no_client_cert_ = true;
+ next_state_ = STATE_HANDSHAKE_READ_COMPLETE;
+ ignore_ok_result_ = true; // OK doesn't mean EOF.
+ return OK;
+ }
+
DCHECK(status == SEC_I_CONTINUE_NEEDED);
if (in_buffers[1].BufferType == SECBUFFER_EXTRA) {
memmove(&recv_buffer_[0],
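Review bot: The new SEC_I_INCOMPLETE_CREDENTIALS branch re-enters STATE_HANDSHAKE_READ_COMPLETE unconditionally, so if InitializeSecurityContext reports incomplete credentials again on the retry (no_client_cert_ is already true and ISC_REQ_USE_SUPPLIED_CREDS was already passed, per the earlier hunk) the function would set the same state and return OK indefinitely with nothing bounding the loop. A guard before the assignment, e.g. `if (no_client_cert_) return <ERR_* net error for a failed handshake — placeholder>;` (or at minimum `DCHECK(!no_client_cert_);`), turns a repeated incomplete-credentials result into a handshake failure instead of a spin. It is not visible here whether the retry re-presents the same received server bytes to InitializeSecurityContext, since the branch returns before the SECBUFFER_EXTRA handling below; presumably that is intended, but worth confirming in the part of DoHandshakeReadComplete outside this hunk.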
diff --git a/net/base/ssl_client_socket.h b/net/base/ssl_client_socket.h
index bd72928..100e514 100644
--- a/net/base/ssl_client_socket.h
+++ b/net/base/ssl_client_socket.h
@@ -142,6 +142,9 @@ class SSLClientSocket : public ClientSocket {
// We have to pass a 'result' of OK to the DoLoop method, and don't want it
// to be interpreted as EOF.
bool ignore_ok_result_;
+
+ // True if the user has no client certificate.
+ bool no_client_cert_;
};
} // namespace net
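Review bot: The comment on the new no_client_cert_ member says "True if the user has no client certificate", but the .cc change sets it whenever Schannel returns SEC_I_INCOMPLETE_CREDENTIALS, i.e. whenever the server asked for a client certificate and this code chose not to supply one (client auth is not supported yet), regardless of what the user has. A comment that matches the code, such as `// True if the server requested a client certificate and we are continuing the handshake without supplying one.`, would avoid misleading whoever later adds real client-auth support.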