author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-11 17:02:20 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-11 17:02:20 +0000 |
commit | fd4f139fe08bc9596a7295fb5fee8300fb34856a (patch) | |
tree | 1a01ad68092ad448907764d7d6c87ee48bcf4ad5 /net | |
parent | 52f139e2c4189849974901c38aa47b739a40d98a (diff) | |
Second attempt to land r49489.
Use NSS for SSL by default on Mac OS X.
To use Mac OS X Secure Transport in Chromium, specify the --use-system-ssl
command-line switch, which also replaced the --use-schannel command-line
switch for Windows. All other programs are hardcoded to use NSS for SSL.
If SSL client authentication is requested, fall back on Mac OS X Secure
Transport for now.
Original review URL: http://codereview.chromium.org/2747002/show
R=mark,mbelshe
BUG=30689
TEST=none
Review URL: http://codereview.chromium.org/2769012
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@49540 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/net.gyp | 18 | ||||
-rw-r--r-- | net/socket/client_socket_factory.cc | 9 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_mac_factory.cc | 18 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_mac_factory.h | 20 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 34 |
5 files changed, 88 insertions, 11 deletions
diff --git a/net/net.gyp b/net/net.gyp
index eb6686a..3dc5b4a 100644
--- a/net/net.gyp
+++ b/net/net.gyp
@@ -446,10 +446,12 @@
 'socket/ssl_client_socket.h',
 'socket/ssl_client_socket_mac.cc',
 'socket/ssl_client_socket_mac.h',
- 'socket/ssl_client_socket_nss_factory.cc',
- 'socket/ssl_client_socket_nss_factory.h',
+ 'socket/ssl_client_socket_mac_factory.cc',
+ 'socket/ssl_client_socket_mac_factory.h',
 'socket/ssl_client_socket_nss.cc',
 'socket/ssl_client_socket_nss.h',
+ 'socket/ssl_client_socket_nss_factory.cc',
+ 'socket/ssl_client_socket_nss_factory.h',
 'socket/ssl_client_socket_win.cc',
 'socket/ssl_client_socket_win.h',
 'socket/tcp_client_socket.h',
@@ -552,10 +554,6 @@
 ],
 }],
 [ 'OS == "linux" or OS == "freebsd" or OS == "openbsd"', {
- 'sources!': [
- 'socket/ssl_client_socket_nss_factory.cc',
- 'socket/ssl_client_socket_nss_factory.h',
- ],
 'dependencies': [
 '../build/linux/system.gyp:gconf',
 '../build/linux/system.gyp:gdk',
@@ -588,6 +586,8 @@
 { # else: OS != "win"
 'sources!': [
 'proxy/proxy_resolver_winhttp.cc',
+ 'socket/ssl_client_socket_nss_factory.cc',
+ 'socket/ssl_client_socket_nss_factory.h',
 ],
 },
 ],
@@ -603,6 +603,12 @@
 ]
 },
 },
+ { # else: OS != "mac"
+ 'sources!': [
+ 'socket/ssl_client_socket_mac_factory.cc',
+ 'socket/ssl_client_socket_mac_factory.h',
+ ],
+ },
 ],
 ],
 },
diff --git a/net/socket/client_socket_factory.cc b/net/socket/client_socket_factory.cc
index 24d9e39..db819db 100644
--- a/net/socket/client_socket_factory.cc
+++ b/net/socket/client_socket_factory.cc
@@ -12,6 +12,7 @@
 #include "net/socket/ssl_client_socket_nss.h"
 #elif defined(OS_MACOSX)
 #include "net/socket/ssl_client_socket_mac.h"
+#include "net/socket/ssl_client_socket_nss.h"
 #endif
 #include "net/socket/tcp_client_socket.h"
 
@@ -28,7 +29,13 @@ SSLClientSocket* DefaultSSLClientSocketFactory(
 #elif defined(USE_NSS)
 return new SSLClientSocketNSS(transport_socket, hostname, ssl_config);
 #elif defined(OS_MACOSX)
- return new SSLClientSocketMac(transport_socket, hostname, ssl_config);
+ // TODO(wtc): SSLClientSocketNSS can't do SSL client authentication using
+ // Mac OS X CDSA/CSSM yet (http://crbug.com/45369), so fall back on
+ // SSLClientSocketMac.
+ if (ssl_config.client_cert)
+ return new SSLClientSocketMac(transport_socket, hostname, ssl_config);
+
+ return new SSLClientSocketNSS(transport_socket, hostname, ssl_config);
 #else
 NOTIMPLEMENTED();
 return NULL;
diff --git a/net/socket/ssl_client_socket_mac_factory.cc b/net/socket/ssl_client_socket_mac_factory.cc
new file mode 100644
index 0000000..f2884e9
--- /dev/null
+++ b/net/socket/ssl_client_socket_mac_factory.cc
@@ -0,0 +1,18 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/socket/client_socket_factory.h"
+
+#include "net/socket/ssl_client_socket_mac.h"
+
+namespace net {
+
+SSLClientSocket* SSLClientSocketMacFactory(
+ ClientSocket* transport_socket,
+ const std::string& hostname,
+ const SSLConfig& ssl_config) {
+ return new SSLClientSocketMac(transport_socket, hostname, ssl_config);
+}
+
+} // namespace net
diff --git a/net/socket/ssl_client_socket_mac_factory.h b/net/socket/ssl_client_socket_mac_factory.h
new file mode 100644
index 0000000..8a0fe0c
--- /dev/null
+++ b/net/socket/ssl_client_socket_mac_factory.h
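Review bot: The `if (ssl_config.client_cert)` fallback in the OS_MACOSX branch is the only thing that keeps the new OS_MACOSX branch of SSLClientSocketNSS::ClientAuthHandler honest (it DCHECKs that client_cert is NULL), yet nothing at this site records that cross-file dependency. Extend the TODO with `// SSLClientSocketNSS::ClientAuthHandler (OS_MACOSX) relies on this routing and DCHECKs that client_cert is NULL; keep the two in sync.` It is also worth one sentence noting that a connection carrying a client certificate is served by a different TLS implementation than every other connection in the Mac build, so certificate verification and cipher-suite negotiation may differ between the two paths. DefaultSSLClientSocketFactory begins and ends outside the hunk.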
@@ -0,0 +1,20 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_SOCKET_SSL_CLIENT_SOCKET_MAC_FACTORY_H_
+#define NET_SOCKET_SSL_CLIENT_SOCKET_MAC_FACTORY_H_
+
+#include "net/socket/client_socket_factory.h"
+
+namespace net {
+
+// Creates SSLClientSocketMac objects.
+SSLClientSocket* SSLClientSocketMacFactory(
+ ClientSocket* transport_socket,
+ const std::string& hostname,
+ const SSLConfig& ssl_config);
+
+} // namespace net
+
+#endif // NET_SOCKET_SSL_CLIENT_SOCKET_MAC_FACTORY_H_
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 085e52c..44aa579 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1268,10 +1268,36 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler(
 // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
 return SECWouldBlock;
 #elif defined(OS_MACOSX)
- // TODO(wtc): see http://crbug.com/45369.
- // Not implemented. Send no client certificate.
- PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
- return SECFailure;
+ if (that->ssl_config_.send_client_cert) {
+ // TODO(wtc): SSLClientSocketNSS can't do SSL client authentication using
+ // CDSA/CSSM yet (http://crbug.com/45369), so client_cert must be NULL.
+ DCHECK(!that->ssl_config_.client_cert);
+ // Send no client certificate.
+ return SECFailure;
+ }
+
+ that->client_certs_.clear();
+
+ // First, get the cert issuer names allowed by the server.
+ std::vector<CertPrincipal> valid_issuers;
+ int n = ca_names->nnames;
+ for (int i = 0; i < n; i++) {
+ // Parse each name into a CertPrincipal object.
+ CertPrincipal p;
+ if (p.ParseDistinguishedName(ca_names->names[i].data,
+ ca_names->names[i].len)) {
+ valid_issuers.push_back(p);
+ }
+ }
+
+ // Now get the available client certs whose issuers are allowed by the server.
+ X509Certificate::GetSSLClientCertificates(that->hostname_,
+ valid_issuers,
+ &that->client_certs_);
+
+ // Tell NSS to suspend the client authentication. We will then abort the
+ // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
+ return SECWouldBlock;
 #else
 CERTCertificate* cert = NULL;
 SECKEYPrivateKey* privkey = NULL;
|
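Review bot: Issuer names that fail `p.ParseDistinguishedName(...)` are dropped silently in the new loop, so a server whose certificate request carries a malformed or unsupported DN just yields a smaller candidate list with no trace of why; an else branch with `LOG(WARNING) << "Skipping unparsable CA name from server";`, or at minimum a comment stating that unparsable issuers are intentionally ignored, would make that visible when a client certificate unexpectedly is not offered. The `DCHECK(!that->ssl_config_.client_cert)` encodes an invariant that is actually enforced by the fallback in client_socket_factory.cc, and the TODO should name that file, since in release builds a change to the factory routing would otherwise degrade silently into "send no certificate". The added tail (clearing client_certs_, parsing ca_names, GetSSLClientCertificates, returning SECWouldBlock) appears to mirror the preceding platform branch, whose identical ending is visible as context above; if so, a combined `#if` for both platforms would avoid maintaining two copies of the issuer-matching code. ClientAuthHandler begins and ends outside the hunk.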