author | sergeyu@chromium.org <sergeyu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-07-20 02:14:01 +0000 |
---|---|---|
committer | sergeyu@chromium.org <sergeyu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-07-20 02:14:01 +0000 |
commit | 3d5c1bdce6865b3e02cc58f0a8083eb1cbb77b47 (patch) | |
tree | 1fcf95c5bb0b231cb97f7ef10e7078e0b4423be1 /net/socket | |
parent | 492f1c3f1296aecc8a1a33e341094e922d6d2ba5 (diff) | |
Don't use X509Certificate in SSLConfig.
The X509Certificate class depends on OS-dependent APIs and hence cannot
be created inside the sandbox. This change allows specifying
allowed_bad_certs when running inside the sandbox.
BUG=80587
TEST=Unittests
Review URL: http://codereview.chromium.org/7401003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@93153 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 32 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.h | 2 | ||||
-rw-r--r-- | net/socket/ssl_server_socket_unittest.cc | 2 |
3 files changed, 25 insertions, 11 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index f0a4ee0..18fd378 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -478,11 +478,10 @@ void SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
 EnterFunction("");
 ssl_info->Reset();
- if (!server_cert_)
+ if (!server_cert_nss_)
 return;
 ssl_info->cert_status = server_cert_verify_result_->cert_status;
- DCHECK(server_cert_ != NULL);
 ssl_info->cert = server_cert_;
 ssl_info->connection_status = ssl_connection_status_;
 ssl_info->public_key_hashes = server_cert_verify_result_->public_key_hashes;
@@ -1038,18 +1037,18 @@ int SSLClientSocketNSS::InitializeSSLPeerName() {
 // Sets server_cert_ and server_cert_nss_ if not yet set.
-// Returns server_cert_.
-X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
+void SSLClientSocketNSS::UpdateServerCert() {
 // We set the server_cert_ from HandshakeCallback().
 if (server_cert_ == NULL) {
 server_cert_nss_ = SSL_PeerCertificate(nss_fd_);
 if (server_cert_nss_) {
 PeerCertificateChain certs(nss_fd_);
+ // This call may fail when SSL is used inside sandbox. In that
+ // case CreateFromDERCertChain() returns NULL.
 server_cert_ = X509Certificate::CreateFromDERCertChain(
 certs.AsStringPieceVector());
 }
 }
- return server_cert_;
 }
 // Sets ssl_connection_status_.
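Review bot: In GetSSLInfo() the guard now tests `server_cert_nss_` and the `DCHECK(server_cert_ != NULL)` is gone, so `ssl_info->cert = server_cert_;` can hand callers a NULL certificate next to a populated `cert_status` whenever X509Certificate creation failed (the sandbox case the commit message describes). The callers are not visible here, so it is worth confirming that none of them dereference `ssl_info.cert` unconditionally. The new contract should be stated at the assignment, e.g. `// |server_cert_| may be NULL inside the sandbox; callers must check ssl_info->cert.` GetSSLInfo's body continues past the end of the hunk.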
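Review bot: UpdateServerCert() still keys its "not yet set" test on `server_cert_ == NULL`, but after this change `server_cert_` legitimately stays NULL when `CreateFromDERCertChain()` fails, so each later call runs `SSL_PeerCertificate(nss_fd_)` again and overwrites `server_cert_nss_`. SSL_PeerCertificate() returns a new reference, so if the function is reached more than once on a sandboxed socket (its call sites are outside this hunk) the earlier reference is dropped without being released. Guarding on the NSS handle instead, `if (server_cert_nss_ == NULL) {`, keeps the function idempotent in both cases. The header comment should also say that `server_cert_` may remain NULL.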
@@ -1521,14 +1520,20 @@ int SSLClientSocketNSS::DoVerifyDNSSEC(int result) {
 }
 int SSLClientSocketNSS::DoVerifyCert(int result) {
- DCHECK(server_cert_);
+ DCHECK(server_cert_nss_);
 GotoState(STATE_VERIFY_CERT_COMPLETE);
- // If the certificate is expected to be bad we can use the expectation as the
- // cert status.
+ // If the certificate is expected to be bad we can use the
+ // expectation as the cert status. Don't use |server_cert_| here
+ // because it can be set to NULL in case we failed to create
+ // X509Certificate in UpdateServerCert(). This may happen when this
+ // code is used inside sandbox.
+ base::StringPiece der_cert(
+ reinterpret_cast<char*>(server_cert_nss_->derCert.data),
+ server_cert_nss_->derCert.len);
 int cert_status;
- if (ssl_config_.IsAllowedBadCert(server_cert_, &cert_status)) {
+ if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) {
 DCHECK(start_cert_verification_time_.is_null());
 VLOG(1) << "Received an expected bad cert with status: " << cert_status;
 server_cert_verify_result_ = &local_server_cert_verify_result_;
@@ -1537,6 +1542,15 @@ int SSLClientSocketNSS::DoVerifyCert(int result) {
 return OK;
 }
+ // We may have failed to create X509Certificate object if we are
+ // running inside sandbox.
+ if (!server_cert_) {
+ server_cert_verify_result_ = &local_server_cert_verify_result_;
+ local_server_cert_verify_result_.Reset();
+ local_server_cert_verify_result_.cert_status = CERT_STATUS_INVALID;
+ return ERR_CERT_INVALID;
+ }
+
 start_cert_verification_time_ = base::TimeTicks::Now();
 if (ssl_host_info_.get() && !ssl_host_info_->state().certs.empty() &&
diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
index 8573b48..8189949 100644
--- a/net/socket/ssl_client_socket_nss.h
+++ b/net/socket/ssl_client_socket_nss.h
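Review bot: The new `server_cert_nss_->derCert.data` read at the top of DoVerifyCert() is protected only by `DCHECK(server_cert_nss_)`, which compiles out of release builds. The old code merely passed `server_cert_` on to IsAllowedBadCert(), whereas the new code reads through the pointer itself, so reaching this state without a peer certificate would crash instead of failing verification. A release-mode check placed before the StringPiece is built, setting `CERT_STATUS_INVALID` and returning `ERR_CERT_INVALID` the way the later `!server_cert_` branch does, would fail closed. Since the StringPiece only reads the bytes, the cast can also be `reinterpret_cast<const char*>(server_cert_nss_->derCert.data)`.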
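Review bot: The added `!server_cert_` branch in DoVerifyCert() returns `ERR_CERT_INVALID` after `GotoState(STATE_VERIFY_CERT_COMPLETE)` has already been issued, so the completion step presumably still runs with `server_cert_` NULL. That handler is outside this diff, so please confirm it does not touch `server_cert_` on the error path. Failing closed here is the right default, but the rejection is silent. A log line matching the one in the allowed-bad-cert branch, e.g. `VLOG(1) << "No X509Certificate for the peer cert; treating it as invalid";`, would let a sandboxed connection failure be told apart from a genuinely invalid certificate.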
@@ -102,7 +102,7 @@ class SSLClientSocketNSS : public SSLClientSocket {
 // Initializes the socket peer name in SSL. Returns a net error code.
 int InitializeSSLPeerName();
- X509Certificate* UpdateServerCert();
+ void UpdateServerCert();
 void UpdateConnectionStatus();
 void DoReadCallback(int result);
 void DoWriteCallback(int result);
diff --git a/net/socket/ssl_server_socket_unittest.cc b/net/socket/ssl_server_socket_unittest.cc
index de89c20..894bf98 100644
--- a/net/socket/ssl_server_socket_unittest.cc
+++ b/net/socket/ssl_server_socket_unittest.cc
@@ -262,7 +262,7 @@ class SSLServerSocketTest : public PlatformTest {
 // Certificate provided by the host doesn't need authority.
 net::SSLConfig::CertAndStatus cert_and_status;
 cert_and_status.cert_status = CERT_STATUS_AUTHORITY_INVALID;
- cert_and_status.cert = cert;
+ cert_and_status.der_cert = cert_der;
 ssl_config.allowed_bad_certs.push_back(cert_and_status);
 net::HostPortPair host_and_pair("unittest", 0); |