summaryrefslogtreecommitdiffstats
path: root/net/socket/ssl_client_socket_mac.h
diff options
context:
space:
mode:
authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-10-08 04:50:51 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-10-08 04:50:51 +0000
commit463d474661abf3f3ed431eb73457efa7a6946201 (patch)
treeae68db331391c7ee1e31e37c85d3d4fa109cd29d /net/socket/ssl_client_socket_mac.h
parenteef1877c0252e116b2b90290061febc9e4022e33 (diff)
downloadchromium_src-463d474661abf3f3ed431eb73457efa7a6946201.zip
chromium_src-463d474661abf3f3ed431eb73457efa7a6946201.tar.gz
chromium_src-463d474661abf3f3ed431eb73457efa7a6946201.tar.bz2
Fix server initiated SSL renegotiation for SSLClientSocketMac
The use of kSSLSessionOptionBreakOnServerAuth/kSSLSessionoptionbreakOnCertRequested is bugged on OS X 10.5.8+, and will prevent server-initiated renegotiation (eg: to request a certificate) from working. Further, the implementation of SSLClientSocketMac, when used on 10.6+, cause it to abort the connection if, after the initial handshake, a certificate is requested (eg: during a re-handshake). Finally, if a renegotiation happens after the initial certificate has been validated, we do not update the server certificate with the new value, nor is it revalidated, which is different than what happens on Windows/NSS. This removes the use of both options, and changes the state machine to detect when a renegotiation/rehandshake is underway, and re-verify the server certificate before continuing with application data. R=wtc BUG=45576 TEST=Visit any site that requests SSL client auth over renegotiation. Review URL: http://codereview.chromium.org/3120036 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@61917 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_client_socket_mac.h')
-rw-r--r--net/socket/ssl_client_socket_mac.h33
1 files changed, 24 insertions, 9 deletions
diff --git a/net/socket/ssl_client_socket_mac.h b/net/socket/ssl_client_socket_mac.h
index 05b9735..00438fc 100644
--- a/net/socket/ssl_client_socket_mac.h
+++ b/net/socket/ssl_client_socket_mac.h
@@ -58,11 +58,12 @@ class SSLClientSocketMac : public SSLClientSocket {
virtual bool SetSendBufferSize(int32 size);
private:
+ bool completed_handshake() const {
+ return next_handshake_state_ == STATE_COMPLETED_HANDSHAKE;
+ }
// Initializes the SSLContext. Returns a net error code.
int InitializeSSLContext();
- OSStatus EnableBreakOnAuth(bool enabled);
-
void DoConnectCallback(int result);
void DoReadCallback(int result);
void DoWriteCallback(int result);
@@ -74,11 +75,13 @@ class SSLClientSocketMac : public SSLClientSocket {
int DoPayloadRead();
int DoPayloadWrite();
- int DoHandshakeStart();
+ int DoHandshake();
int DoVerifyCert();
int DoVerifyCertComplete(int result);
- int DoHandshakeFinish();
- void HandshakeFinished();
+ int DoCompletedRenegotiation(int result);
+
+ void DidCompleteRenegotiation();
+ int DidCompleteHandshake();
int SetClientCert();
@@ -111,10 +114,21 @@ class SSLClientSocketMac : public SSLClientSocket {
enum State {
STATE_NONE,
- STATE_HANDSHAKE_START,
+ STATE_HANDSHAKE,
STATE_VERIFY_CERT,
STATE_VERIFY_CERT_COMPLETE,
- STATE_HANDSHAKE_FINISH,
+ STATE_COMPLETED_RENEGOTIATION,
+ STATE_COMPLETED_HANDSHAKE,
+ // After the handshake, the socket remains in the
+ // STATE_COMPLETED_HANDSHAKE state until renegotiation is requested by
+ // the server. When renegotiation is requested, the state machine
+ // restarts at STATE_HANDSHAKE, advances through to
+ // STATE_VERIFY_CERT_COMPLETE, and then continues to
+ // STATE_COMPLETED_RENEGOTIATION. After STATE_COMPLETED_RENEGOTIATION
+ // has been processed, it goes back to STATE_COMPLETED_HANDSHAKE and
+ // will remain there until the server requests renegotiation again.
+ // During the initial handshake, STATE_COMPLETED_RENEGOTIATION is
+ // skipped.
};
State next_handshake_state_;
@@ -122,8 +136,9 @@ class SSLClientSocketMac : public SSLClientSocket {
scoped_ptr<CertVerifier> verifier_;
CertVerifyResult server_cert_verify_result_;
- bool completed_handshake_;
- bool handshake_interrupted_;
+ // The initial handshake has already completed, and the current handshake
+ // is server-initiated renegotiation.
+ bool renegotiating_;
bool client_cert_requested_;
SSLContextRef ssl_context_;