diff options
| author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-14 02:40:20 +0000 |
|---|---|---|
| committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-14 02:40:20 +0000 |
| commit | 4d3040f46e09714e92a155039b85ab7f089900cf (patch) | |
| tree | 2370c05ea57755b2bf6f7b643466e28bf3553e7c /net/socket | |
| parent | d2c1ed2dea1c06f0587a5a1d300c80e12c4e5e1e (diff) | |
| download | chromium_src-4d3040f46e09714e92a155039b85ab7f089900cf.zip chromium_src-4d3040f46e09714e92a155039b85ab7f089900cf.tar.gz chromium_src-4d3040f46e09714e92a155039b85ab7f089900cf.tar.bz2 | |
If the server's CertificateRequest message contains an empty
certificate_authorities list, it means client certificates issued by
any CA are acceptable. NSS_CmpCertChainWCANames returns SECFailure
in that case, so we need to test for that case.
Improve error code mapping.
Add a comment to note new NSS functions we can use in the future, and
add a missing LeaveFunction call.
R=agl
BUG=16830
TEST=Visit a server that sends a CertificateRequest message with an
empty certificate_authorities list. The client certificate selection
dialog should pop up with all client certificates shown as eligible.
Review URL: http://codereview.chromium.org/1589034
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@44442 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
| -rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 15c11c1..cdb8fa8 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -113,6 +113,9 @@ class NSSSSLInitSingleton { // Use late binding to avoid scary but benign warning // "Symbol `SSL_ImplementedCiphers' has different size in shared object, // consider re-linking" + // TODO(wtc): Use the new SSL_GetImplementedCiphers and + // SSL_GetNumImplementedCiphers functions when we require NSS 3.12.6. + // See https://bugzilla.mozilla.org/show_bug.cgi?id=496993. const PRUint16* pSSL_ImplementedCiphers = static_cast<const PRUint16*>( dlsym(RTLD_DEFAULT, "SSL_ImplementedCiphers")); if (pSSL_ImplementedCiphers == NULL) { @@ -177,10 +180,14 @@ int MapNSPRError(PRErrorCode err) { case PR_ADDRESS_NOT_AVAILABLE_ERROR: return ERR_ADDRESS_INVALID; + case SSL_ERROR_SSL_DISABLED: + return ERR_NO_SSL_VERSIONS_ENABLED; case SSL_ERROR_NO_CYPHER_OVERLAP: case SSL_ERROR_UNSUPPORTED_VERSION: return ERR_SSL_VERSION_OR_CIPHER_MISMATCH; case SSL_ERROR_HANDSHAKE_FAILURE_ALERT: + case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT: + case SSL_ERROR_ILLEGAL_PARAMETER_ALERT: return ERR_SSL_PROTOCOL_ERROR; default: { @@ -894,6 +901,8 @@ static PRErrorCode MapErrorToNSS(int result) { return PR_HOST_UNREACHABLE_ERROR; // Also PR_NETWORK_UNREACHABLE_ERROR. case ERR_ADDRESS_INVALID: return PR_ADDRESS_NOT_AVAILABLE_ERROR; + case ERR_NAME_NOT_RESOLVED: + return PR_DIRECTORY_LOOKUP_ERROR; default: LOG(WARNING) << "MapErrorToNSS " << result << " mapped to PR_UNKNOWN_ERROR"; @@ -1223,8 +1232,8 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler( continue; // Only check unexpired certs. if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) == - secCertTimeValid && - NSS_CmpCertChainWCANames(cert, ca_names) == SECSuccess) { + secCertTimeValid && (!ca_names->nnames || + NSS_CmpCertChainWCANames(cert, ca_names) == SECSuccess)) { privkey = PK11_FindKeyByAnyCert(cert, wincx); if (privkey) { X509Certificate* x509_cert = X509Certificate::CreateFromHandle( @@ -1422,6 +1431,7 @@ int SSLClientSocketNSS::DoPayloadWrite() { } PRErrorCode prerr = PR_GetError(); if (prerr == PR_WOULD_BLOCK_ERROR) { + LeaveFunction(""); return ERR_IO_PENDING; } LeaveFunction(""); |