diff options
| author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-02-05 02:02:08 +0000 |
|---|---|---|
| committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-02-05 02:02:08 +0000 |
| commit | a1cb2cdefd0aabd32581017079fc56eafe369756 (patch) | |
| tree | da2ccb1d07a8fd44226182c147a0f8bfe7e89685 /net/socket | |
| parent | 08397d5343ddaba1a32a5ac7e0bf3bc03bd3bdf8 (diff) | |
| download | chromium_src-a1cb2cdefd0aabd32581017079fc56eafe369756.zip chromium_src-a1cb2cdefd0aabd32581017079fc56eafe369756.tar.gz chromium_src-a1cb2cdefd0aabd32581017079fc56eafe369756.tar.bz2 | |
Return more specific error messages when performing a SSL client auth handshake and an error signing with the certificate private key is encountered, rather than using ERR_FAILED/ERR_SSL_PROTOCOL_ERROR.
BUG=69609
TEST=none
Review URL: http://codereview.chromium.org/6371014
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@73891 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
| -rw-r--r-- | net/socket/nss_ssl_util.cc | 16 | ||||
| -rw-r--r-- | net/socket/nss_ssl_util.h | 4 |
2 files changed, 14 insertions, 6 deletions
diff --git a/net/socket/nss_ssl_util.cc b/net/socket/nss_ssl_util.cc index 1ad1f1c..53318a6 100644 --- a/net/socket/nss_ssl_util.cc +++ b/net/socket/nss_ssl_util.cc @@ -9,6 +9,8 @@ #include <ssl.h> #include <sslerr.h> +#include <string> + #include "base/lazy_instance.h" #include "base/logging.h" #include "base/nss_util.h" @@ -155,6 +157,16 @@ int MapNSSError(PRErrorCode err) { case SEC_ERROR_INVALID_ARGS: return ERR_INVALID_ARGUMENT; + case SEC_ERROR_NO_KEY: + return ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY; + case SEC_ERROR_INVALID_KEY: + case SSL_ERROR_SIGN_HASHES_FAILURE: + return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; + // A handshake (initial or renegotiation) may fail because some signature + // (for example, the signature in the ServerKeyExchange message for an + // ephemeral Diffie-Hellman cipher suite) is invalid. + case SEC_ERROR_BAD_SIGNATURE: + return ERR_SSL_PROTOCOL_ERROR; case SSL_ERROR_SSL_DISABLED: return ERR_NO_SSL_VERSIONS_ENABLED; @@ -193,10 +205,6 @@ int MapNSSHandshakeError(PRErrorCode err) { // If the server closed on us, it is a protocol error. // Some TLS-intolerant servers do this when we request TLS. case PR_END_OF_FILE_ERROR: - // The handshake may fail because some signature (for example, the - // signature in the ServerKeyExchange message for an ephemeral - // Diffie-Hellman cipher suite) is invalid. - case SEC_ERROR_BAD_SIGNATURE: return ERR_SSL_PROTOCOL_ERROR; default: return MapNSSError(err); diff --git a/net/socket/nss_ssl_util.h b/net/socket/nss_ssl_util.h index 64bf3cf..2a53fc7 100644 --- a/net/socket/nss_ssl_util.h +++ b/net/socket/nss_ssl_util.h @@ -6,7 +6,7 @@ // ssl_server_socket_nss.cc to share common functions of NSS. #ifndef NET_SOCKET_NSS_SSL_UTIL_H_ -#define NEt_SOCKET_NSS_SSL_UTIL_H_ +#define NET_SOCKET_NSS_SSL_UTIL_H_ #include <prerror.h> @@ -28,7 +28,7 @@ PRErrorCode MapErrorToNSS(int result); // Map NSS error code to network error code. int MapNSSError(PRErrorCode err); -// Map NSS handshake error to network error code. +// Map NSS error code from the first SSL handshake to network error code. int MapNSSHandshakeError(PRErrorCode err); } // namespace net |