author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-06-07 00:18:43 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-06-07 00:18:43 +0000 |
commit | e538162a15cc5e0c3597ae4e8dff35894ff54654 (patch) | |
tree | 5835e5b6585b9d2c0a3363dd2c15d5b0d2158e2e /net/socket | |
parent | 9ce991d9315030b63ae9314b78528cf558059b17 (diff) | |
Map the certificate-related SSL alerts to ERR_BAD_SSL_CLIENT_AUTH_CERT
on the client side.
Move MapNSSHandshakeError to ssl_client_socket_nss.cc (and rename it
MapNSSClientHandshakeError) because it is specific to the client side.
R=rsleevi@chromium.org
BUG=129209
TEST=none
Review URL: https://chromiumcodereview.appspot.com/10332300
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@140897 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r-- | net/socket/nss_ssl_util.cc | 13 | ||||
-rw-r--r-- | net/socket/nss_ssl_util.h | 5 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 37 | ||||
-rw-r--r-- | net/socket/ssl_server_socket_nss.cc | 2 |
4 files changed, 37 insertions, 20 deletions
diff --git a/net/socket/nss_ssl_util.cc b/net/socket/nss_ssl_util.cc
index d818589..b92600a 100644
--- a/net/socket/nss_ssl_util.cc
+++ b/net/socket/nss_ssl_util.cc
@@ -179,6 +179,7 @@ int MapNSSError(PRErrorCode err) {
 case SSL_ERROR_SSL_DISABLED:
 return ERR_NO_SSL_VERSIONS_ENABLED;
 case SSL_ERROR_NO_CYPHER_OVERLAP:
+ case SSL_ERROR_PROTOCOL_VERSION_ALERT:
 case SSL_ERROR_UNSUPPORTED_VERSION:
 return ERR_SSL_VERSION_OR_CIPHER_MISMATCH;
 case SSL_ERROR_HANDSHAKE_FAILURE_ALERT:
@@ -219,18 +220,6 @@ int MapNSSError(PRErrorCode err) {
 }
 }
 
-// Context-sensitive error mapping functions.
-int MapNSSHandshakeError(PRErrorCode err) {
- switch (err) {
- // If the server closed on us, it is a protocol error.
- // Some TLS-intolerant servers do this when we request TLS.
- case PR_END_OF_FILE_ERROR:
- return ERR_SSL_PROTOCOL_ERROR;
- default:
- return MapNSSError(err);
- }
-}
-
 // Extra parameters to attach to the NetLog when we receive an error in response
 // to a call to an NSS function. Used instead of SSLErrorParams with
 // events of type TYPE_SSL_NSS_ERROR. Automatically looks up last PR error.
diff --git a/net/socket/nss_ssl_util.h b/net/socket/nss_ssl_util.h
index 614ab5f..6c95661 100644
--- a/net/socket/nss_ssl_util.h
+++ b/net/socket/nss_ssl_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -28,9 +28,6 @@ PRErrorCode MapErrorToNSS(int result);
 // Map NSS error code to network error code.
 int MapNSSError(PRErrorCode err);
 
-// Map NSS error code from the first SSL handshake to network error code.
-int MapNSSHandshakeError(PRErrorCode err);
-
 } // namespace net
 
 #endif // NET_SOCKET_NSS_SSL_UTIL_H_
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 49bd0b7..125df5d 100644
--- a/net/socket/ssl_client_socket_nss.cc
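Review bot: The added `case SSL_ERROR_PROTOCOL_VERSION_ALERT:` folds a peer-sent alert into ERR_SSL_VERSION_OR_CIPHER_MISMATCH, the same code the two neighbouring cases produce for mismatches detected locally (SSL_ERROR_NO_CYPHER_OVERLAP, SSL_ERROR_UNSUPPORTED_VERSION), and nothing in the shared MapNSSError distinguishes the two origins. An alert is unauthenticated data from the network, so if any caller treats this error code as a cue to reconnect with a lower protocol version (not visible here, so this is an inference), an on-path attacker who injects a protocol_version alert gets a downgrade trigger for free. Suggest recording the distinction next to the new case, e.g. `// protocol_version is a peer-sent alert, not a local check; callers must not use this code alone to justify a version fallback.` MapNSSError's body begins and ends outside the hunk, and the function is shared with the server socket.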
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -554,6 +554,36 @@ struct HandshakeState {
 int ssl_connection_status;
 };
 
+// Client-side error mapping functions.
+
+// Map NSS error code to network error code.
+int MapNSSClientError(PRErrorCode err) {
+ switch (err) {
+ case SSL_ERROR_BAD_CERT_ALERT:
+ case SSL_ERROR_UNSUPPORTED_CERT_ALERT:
+ case SSL_ERROR_REVOKED_CERT_ALERT:
+ case SSL_ERROR_EXPIRED_CERT_ALERT:
+ case SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT:
+ case SSL_ERROR_UNKNOWN_CA_ALERT:
+ case SSL_ERROR_ACCESS_DENIED_ALERT:
+ return ERR_BAD_SSL_CLIENT_AUTH_CERT;
+ default:
+ return MapNSSError(err);
+ }
+}
+
+// Map NSS error code from the first SSL handshake to network error code.
+int MapNSSClientHandshakeError(PRErrorCode err) {
+ switch (err) {
+ // If the server closed on us, it is a protocol error.
+ // Some TLS-intolerant servers do this when we request TLS.
+ case PR_END_OF_FILE_ERROR:
+ return ERR_SSL_PROTOCOL_ERROR;
+ default:
+ return MapNSSClientError(err);
+ }
+}
+
 } // namespace
 
 // SSLClientSocketNSS::Core provides a thread-safe, ref-counted core that is
@@ -1830,8 +1860,8 @@ int SSLClientSocketNSS::Core::HandleNSSError(PRErrorCode nss_error,
 bool handshake_error) {
 DCHECK(OnNSSTaskRunner());
 
- int net_error = handshake_error ? MapNSSHandshakeError(nss_error) :
- MapNSSError(nss_error);
+ int net_error = handshake_error ? MapNSSClientHandshakeError(nss_error) :
+ MapNSSClientError(nss_error);
 
 #if defined(OS_WIN)
 // On Windows, a handle to the HCRYPTPROV is cached in the X509Certificate
@@ -2452,9 +2482,10 @@ int SSLClientSocketNSS::Core::ImportDBCertAndKey(CERTCertificate** cert, false, key, &public_key)) { + int error = MapNSSError(PORT_GetError()); CERT_DestroyCertificate(*cert); *cert = NULL; - return MapNSSError(PORT_GetError()); + return error; } SECKEY_DestroyPublicKey(public_key); break;
diff --git a/net/socket/ssl_server_socket_nss.cc b/net/socket/ssl_server_socket_nss.cc
index 76d5559..8fa246a 100644
--- a/net/socket/ssl_server_socket_nss.cc
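Review bot: MapNSSClientError turns seven server-sent alerts (bad_certificate through access_denied) into ERR_BAD_SSL_CLIENT_AUTH_CERT from the error code alone, but the function has no way of knowing whether this client actually offered a client certificate, so an unknown_ca or access_denied alert that a server sends for some other reason (an empty Certificate reply to a CertificateRequest, an access policy) will be reported as a bad client cert and, depending on what callers do with that code, may drive a user down a client-certificate recovery path that cannot help. The cleanest fix is to make the attribution explicit: `int MapNSSClientError(PRErrorCode err, bool sent_client_cert)` with the alert cases guarded by `if (!sent_client_cert) return MapNSSError(err);` before `return ERR_BAD_SSL_CLIENT_AUTH_CERT;`, threaded through MapNSSClientHandshakeError and HandleNSSError (the second hunk), assuming Core can see whether a client certificate was supplied. If that is out of scope for this change, the assumption should at least be stated on the function: `// Assumes a client certificate was offered; a server may send these alerts for unrelated reasons, in which case they are misreported as a client-auth failure.` Both new functions are complete within the hunk.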
+++ b/net/socket/ssl_server_socket_nss.cc
@@ -689,7 +689,7 @@ int SSLServerSocketNSS::DoHandshake() {
 completed_handshake_ = true;
 } else {
 PRErrorCode prerr = PR_GetError();
- net_error = MapNSSHandshakeError(prerr);
+ net_error = MapNSSError(prerr);
 
 // If not done, stay in this state
 if (net_error == ERR_IO_PENDING) { |
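Review bot: The switch to `net_error = MapNSSError(prerr);` silently changes what a server-side handshake reports when the peer closes the connection early: PR_END_OF_FILE_ERROR was previously forced to ERR_SSL_PROTOCOL_ERROR and is now whatever MapNSSError makes of it, which this hunk does not show. The commit message gives the reason (the EOF heuristic exists for TLS-intolerant servers and is meaningless when we are the server), but nothing in the code records it, so the next reader will see an unexplained asymmetry with the client socket. Suggest a one-line comment on the changed line: `// Unlike the client socket, a peer EOF here is not a TLS-intolerance symptom; let MapNSSError classify it.` DoHandshake's body begins and ends outside the hunk.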