Diffstat (limited to 'net/socket')
-rw-r--r-- | net/socket/client_socket_pool_manager_impl.cc | 12 | ||||
-rw-r--r-- | net/socket/client_socket_pool_manager_impl.h | 8 | ||||
-rw-r--r-- | net/socket/socket_test_util.cc | 22 | ||||
-rw-r--r-- | net/socket/socket_test_util.h | 16 | ||||
-rw-r--r-- | net/socket/ssl_client_socket.cc | 14 | ||||
-rw-r--r-- | net/socket/ssl_client_socket.h | 34 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_mac.cc | 4 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_mac.h | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 102 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.h | 40 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_openssl.cc | 6 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_openssl.h | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_pool.cc | 4 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_pool.h | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_pool_unittest.cc | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_win.cc | 4 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_win.h | 2 | ||||
-rw-r--r-- | net/socket/ssl_server_socket_unittest.cc | 2 |
18 files changed, 140 insertions, 138 deletions
diff --git a/net/socket/client_socket_pool_manager_impl.cc b/net/socket/client_socket_pool_manager_impl.cc index 19e0442..ccd3965 100644 --- a/net/socket/client_socket_pool_manager_impl.cc +++ b/net/socket/client_socket_pool_manager_impl.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -37,7 +37,7 @@ ClientSocketPoolManagerImpl::ClientSocketPoolManagerImpl( ClientSocketFactory* socket_factory, HostResolver* host_resolver, CertVerifier* cert_verifier, - OriginBoundCertService* origin_bound_cert_service, + ServerBoundCertService* server_bound_cert_service, TransportSecurityState* transport_security_state, SSLHostInfoFactory* ssl_host_info_factory, const std::string& ssl_session_cache_shard, @@ -47,7 +47,7 @@ ClientSocketPoolManagerImpl::ClientSocketPoolManagerImpl( socket_factory_(socket_factory), host_resolver_(host_resolver), cert_verifier_(cert_verifier), - origin_bound_cert_service_(origin_bound_cert_service), + server_bound_cert_service_(server_bound_cert_service), transport_security_state_(transport_security_state), ssl_host_info_factory_(ssl_host_info_factory), ssl_session_cache_shard_(ssl_session_cache_shard), @@ -66,7 +66,7 @@ ClientSocketPoolManagerImpl::ClientSocketPoolManagerImpl( &ssl_pool_histograms_, host_resolver, cert_verifier, - origin_bound_cert_service, + server_bound_cert_service, transport_security_state, ssl_host_info_factory, ssl_session_cache_shard, @@ -286,7 +286,7 @@ ClientSocketPoolManagerImpl::GetSocketPoolForHTTPProxy( &ssl_for_https_proxy_pool_histograms_, host_resolver_, cert_verifier_, - origin_bound_cert_service_, + server_bound_cert_service_, transport_security_state_, ssl_host_info_factory_, ssl_session_cache_shard_, 
@@ -325,7 +325,7 @@ SSLClientSocketPool* ClientSocketPoolManagerImpl::GetSocketPoolForSSLWithProxy( &ssl_pool_histograms_, host_resolver_, cert_verifier_, - origin_bound_cert_service_, + server_bound_cert_service_, transport_security_state_, ssl_host_info_factory_, ssl_session_cache_shard_, diff --git a/net/socket/client_socket_pool_manager_impl.h b/net/socket/client_socket_pool_manager_impl.h index 96caa31..2559aad 100644 --- a/net/socket/client_socket_pool_manager_impl.h +++ b/net/socket/client_socket_pool_manager_impl.h @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -26,7 +26,7 @@ class ClientSocketPoolHistograms; class HttpProxyClientSocketPool; class HostResolver; class NetLog; -class OriginBoundCertService; +class ServerBoundCertService; class ProxyService; class SOCKSClientSocketPool; class SSLClientSocketPool; @@ -61,7 +61,7 @@ class ClientSocketPoolManagerImpl : public base::NonThreadSafe, ClientSocketFactory* socket_factory, HostResolver* host_resolver, CertVerifier* cert_verifier, - OriginBoundCertService* origin_bound_cert_service, + ServerBoundCertService* server_bound_cert_service, TransportSecurityState* transport_security_state, SSLHostInfoFactory* ssl_host_info_factory, const std::string& ssl_session_cache_shard, @@ -107,7 +107,7 @@ class ClientSocketPoolManagerImpl : public base::NonThreadSafe, ClientSocketFactory* const socket_factory_; HostResolver* const host_resolver_; CertVerifier* const cert_verifier_; - OriginBoundCertService* const origin_bound_cert_service_; + ServerBoundCertService* const server_bound_cert_service_; TransportSecurityState* const transport_security_state_; SSLHostInfoFactory* const ssl_host_info_factory_; const std::string ssl_session_cache_shard_; 
diff --git a/net/socket/socket_test_util.cc b/net/socket/socket_test_util.cc index ef5b0db..f5236ab 100644 --- a/net/socket/socket_test_util.cc +++ b/net/socket/socket_test_util.cc @@ -242,7 +242,7 @@ SSLSocketDataProvider::SSLSocketDataProvider(IoMode mode, int result) protocol_negotiated(SSLClientSocket::kProtoUnknown), client_cert_sent(false), cert_request_info(NULL), - origin_bound_cert_type(CLIENT_CERT_INVALID_TYPE) { + domain_bound_cert_type(CLIENT_CERT_INVALID_TYPE) { } SSLSocketDataProvider::~SSLSocketDataProvider() { @@ -696,7 +696,7 @@ int MockClientSocket::ExportKeyingMaterial(const base::StringPiece& label, return OK; } -OriginBoundCertService* MockClientSocket::GetOriginBoundCertService() const { +ServerBoundCertService* MockClientSocket::GetServerBoundCertService() const { NOTREACHED(); return NULL; } @@ -1132,7 +1132,7 @@ base::TimeDelta MockSSLClientSocket::GetConnectTimeMicros() const { void MockSSLClientSocket::GetSSLInfo(SSLInfo* ssl_info) { ssl_info->Reset(); ssl_info->cert = data_->cert; - ssl_info->client_cert_sent = WasOriginBoundCertSent() || + ssl_info->client_cert_sent = WasDomainBoundCertSent() || data_->client_cert_sent; } 
@@ -1178,21 +1178,21 @@ void MockSSLClientSocket::set_protocol_negotiated( protocol_negotiated_ = protocol_negotiated; } -bool MockSSLClientSocket::WasOriginBoundCertSent() const { - return data_->origin_bound_cert_type != CLIENT_CERT_INVALID_TYPE; +bool MockSSLClientSocket::WasDomainBoundCertSent() const { + return data_->domain_bound_cert_type != CLIENT_CERT_INVALID_TYPE; } -SSLClientCertType MockSSLClientSocket::origin_bound_cert_type() const { - return data_->origin_bound_cert_type; +SSLClientCertType MockSSLClientSocket::domain_bound_cert_type() const { + return data_->domain_bound_cert_type; } -SSLClientCertType MockSSLClientSocket::set_origin_bound_cert_type( +SSLClientCertType MockSSLClientSocket::set_domain_bound_cert_type( SSLClientCertType type) { - return data_->origin_bound_cert_type = type; + return data_->domain_bound_cert_type = type; } -OriginBoundCertService* MockSSLClientSocket::GetOriginBoundCertService() const { - return data_->origin_bound_cert_service; +ServerBoundCertService* MockSSLClientSocket::GetServerBoundCertService() const { + return data_->server_bound_cert_service; } void MockSSLClientSocket::OnReadComplete(const MockRead& data) { diff --git a/net/socket/socket_test_util.h b/net/socket/socket_test_util.h index ecd671c..f678614 100644 --- a/net/socket/socket_test_util.h +++ b/net/socket/socket_test_util.h @@ -48,7 +48,7 @@ enum { class AsyncSocket; class MockClientSocket; -class OriginBoundCertService; +class ServerBoundCertService; class SSLClientSocket; class SSLHostInfo; class StreamSocket; @@ -280,8 +280,8 @@ struct SSLSocketDataProvider { bool client_cert_sent; SSLCertRequestInfo* cert_request_info; scoped_refptr<X509Certificate> cert; - SSLClientCertType origin_bound_cert_type; - OriginBoundCertService* origin_bound_cert_service; + SSLClientCertType domain_bound_cert_type; + ServerBoundCertService* server_bound_cert_service; }; // A DataProvider where the client must write a request before the reads (e.g. 
@@ -602,7 +602,7 @@ class MockClientSocket : public SSLClientSocket { unsigned int outlen) OVERRIDE; virtual NextProtoStatus GetNextProto(std::string* proto, std::string* server_protos) OVERRIDE; - virtual OriginBoundCertService* GetOriginBoundCertService() const OVERRIDE; + virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE; protected: virtual ~MockClientSocket(); @@ -757,11 +757,11 @@ class MockSSLClientSocket : public MockClientSocket, public AsyncSocket { // This MockSocket does not implement the manual async IO feature. virtual void OnReadComplete(const MockRead& data) OVERRIDE; - virtual bool WasOriginBoundCertSent() const OVERRIDE; - virtual SSLClientCertType origin_bound_cert_type() const OVERRIDE; - virtual SSLClientCertType set_origin_bound_cert_type( + virtual bool WasDomainBoundCertSent() const OVERRIDE; + virtual SSLClientCertType domain_bound_cert_type() const OVERRIDE; + virtual SSLClientCertType set_domain_bound_cert_type( SSLClientCertType type) OVERRIDE; - virtual OriginBoundCertService* GetOriginBoundCertService() const OVERRIDE; + virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE; private: static void ConnectCallback(MockSSLClientSocket *ssl_client_socket, diff --git a/net/socket/ssl_client_socket.cc b/net/socket/ssl_client_socket.cc index ecee79b..10873ae 100644 --- a/net/socket/ssl_client_socket.cc +++ b/net/socket/ssl_client_socket.cc @@ -12,7 +12,7 @@ SSLClientSocket::SSLClientSocket() : was_npn_negotiated_(false), was_spdy_negotiated_(false), protocol_negotiated_(kProtoUnknown), - origin_bound_cert_type_(CLIENT_CERT_INVALID_TYPE) { + domain_bound_cert_type_(CLIENT_CERT_INVALID_TYPE) { } SSLClientSocket::NextProto SSLClientSocket::NextProtoFromString( 
@@ -124,17 +124,17 @@ void SSLClientSocket::set_protocol_negotiated( protocol_negotiated_ = protocol_negotiated; } -bool SSLClientSocket::WasOriginBoundCertSent() const { - return origin_bound_cert_type_ != CLIENT_CERT_INVALID_TYPE; +bool SSLClientSocket::WasDomainBoundCertSent() const { + return domain_bound_cert_type_ != CLIENT_CERT_INVALID_TYPE; } -SSLClientCertType SSLClientSocket::origin_bound_cert_type() const { - return origin_bound_cert_type_; +SSLClientCertType SSLClientSocket::domain_bound_cert_type() const { + return domain_bound_cert_type_; } -SSLClientCertType SSLClientSocket::set_origin_bound_cert_type( +SSLClientCertType SSLClientSocket::set_domain_bound_cert_type( SSLClientCertType type) { - return origin_bound_cert_type_ = type; + return domain_bound_cert_type_ = type; } } // namespace net diff --git a/net/socket/ssl_client_socket.h b/net/socket/ssl_client_socket.h index bafe1d4..6b86900 100644 --- a/net/socket/ssl_client_socket.h +++ b/net/socket/ssl_client_socket.h @@ -18,7 +18,7 @@ namespace net { class CertVerifier; -class OriginBoundCertService; +class ServerBoundCertService; class SSLCertRequestInfo; class SSLHostInfo; class SSLHostInfoFactory; 
@@ -30,23 +30,23 @@ class TransportSecurityState; struct SSLClientSocketContext { SSLClientSocketContext() : cert_verifier(NULL), - origin_bound_cert_service(NULL), + server_bound_cert_service(NULL), transport_security_state(NULL), ssl_host_info_factory(NULL) {} SSLClientSocketContext(CertVerifier* cert_verifier_arg, - OriginBoundCertService* origin_bound_cert_service_arg, + ServerBoundCertService* server_bound_cert_service_arg, TransportSecurityState* transport_security_state_arg, SSLHostInfoFactory* ssl_host_info_factory_arg, const std::string& ssl_session_cache_shard_arg) : cert_verifier(cert_verifier_arg), - origin_bound_cert_service(origin_bound_cert_service_arg), + server_bound_cert_service(server_bound_cert_service_arg), transport_security_state(transport_security_state_arg), ssl_host_info_factory(ssl_host_info_factory_arg), ssl_session_cache_shard(ssl_session_cache_shard_arg) {} CertVerifier* cert_verifier; - OriginBoundCertService* origin_bound_cert_service; + ServerBoundCertService* server_bound_cert_service; TransportSecurityState* transport_security_state; SSLHostInfoFactory* ssl_host_info_factory; // ssl_session_cache_shard is an opaque string that identifies a shard of the 
@@ -142,21 +142,21 @@ class NET_EXPORT SSLClientSocket : public SSLSocket { virtual void set_protocol_negotiated( SSLClientSocket::NextProto protocol_negotiated); - // Returns the OriginBoundCertService used by this socket, or NULL if - // origin bound certificates are not supported. - virtual OriginBoundCertService* GetOriginBoundCertService() const = 0; + // Returns the ServerBoundCertService used by this socket, or NULL if + // server bound certificates are not supported. + virtual ServerBoundCertService* GetServerBoundCertService() const = 0; - // Returns true if an origin bound certificate was sent on this connection. + // Returns true if a domain bound certificate was sent on this connection. // This may be useful for protocols, like SPDY, which allow the same - // connection to be shared between multiple origins, each of which need - // an origin bound certificate. - virtual bool WasOriginBoundCertSent() const; + // connection to be shared between multiple domains, each of which need + // a domain bound certificate. + virtual bool WasDomainBoundCertSent() const; - // Returns the type of the origin bound cert that was sent, or + // Returns the type of the domain bound cert that was sent, or // CLIENT_CERT_INVALID_TYPE if none was sent. - virtual SSLClientCertType origin_bound_cert_type() const; + virtual SSLClientCertType domain_bound_cert_type() const; - virtual SSLClientCertType set_origin_bound_cert_type(SSLClientCertType type); + virtual SSLClientCertType set_domain_bound_cert_type(SSLClientCertType type); private: // True if NPN was responded to, independent of selecting SPDY or HTTP. 
@@ -165,9 +165,9 @@ class NET_EXPORT SSLClientSocket : public SSLSocket { bool was_spdy_negotiated_; // Protocol that we negotiated with the server. SSLClientSocket::NextProto protocol_negotiated_; - // Type of the origin bound cert that was sent, or CLIENT_CERT_INVALID_TYPE + // Type of the domain bound cert that was sent, or CLIENT_CERT_INVALID_TYPE // if none was sent. - SSLClientCertType origin_bound_cert_type_; + SSLClientCertType domain_bound_cert_type_; }; } // namespace net diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc index a89d689..7bb1dcd 100644 --- a/net/socket/ssl_client_socket_mac.cc +++ b/net/socket/ssl_client_socket_mac.cc @@ -724,7 +724,7 @@ void SSLClientSocketMac::GetSSLInfo(SSLInfo* ssl_info) { ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; ssl_info->is_issued_by_known_root = server_cert_verify_result_.is_issued_by_known_root; - ssl_info->client_cert_sent = WasOriginBoundCertSent() || + ssl_info->client_cert_sent = WasDomainBoundCertSent() || (ssl_config_.send_client_cert && ssl_config_.client_cert); // security info @@ -793,7 +793,7 @@ SSLClientSocketMac::GetNextProto(std::string* proto, return kNextProtoUnsupported; } -OriginBoundCertService* SSLClientSocketMac::GetOriginBoundCertService() const { +ServerBoundCertService* SSLClientSocketMac::GetServerBoundCertService() const { return NULL; } diff --git a/net/socket/ssl_client_socket_mac.h b/net/socket/ssl_client_socket_mac.h index ec2b51a..4559dd7 100644 --- a/net/socket/ssl_client_socket_mac.h +++ b/net/socket/ssl_client_socket_mac.h 
@@ -51,7 +51,7 @@ class SSLClientSocketMac : public SSLClientSocket { unsigned int outlen) OVERRIDE; virtual NextProtoStatus GetNextProto(std::string* proto, std::string* server_protos) OVERRIDE; - virtual OriginBoundCertService* GetOriginBoundCertService() const OVERRIDE; + virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE; // StreamSocket implementation. virtual int Connect(const CompletionCallback& callback) OVERRIDE; diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 2b9c73d..0d712e3 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -447,10 +447,10 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, ssl_connection_status_(0), client_auth_cert_needed_(false), cert_verifier_(context.cert_verifier), - ob_cert_xtn_negotiated_(false), - origin_bound_cert_service_(context.origin_bound_cert_service), - ob_cert_type_(CLIENT_CERT_INVALID_TYPE), - ob_cert_request_handle_(NULL), + domain_bound_cert_xtn_negotiated_(false), + server_bound_cert_service_(context.server_bound_cert_service), + domain_bound_cert_type_(CLIENT_CERT_INVALID_TYPE), + domain_bound_cert_request_handle_(NULL), handshake_callback_called_(false), completed_handshake_(false), ssl_session_cache_shard_(context.ssl_session_cache_shard), @@ -500,7 +500,7 @@ void SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) { } ssl_info->is_issued_by_known_root = server_cert_verify_result_->is_issued_by_known_root; - ssl_info->client_cert_sent = WasOriginBoundCertSent() || + ssl_info->client_cert_sent = WasDomainBoundCertSent() || (ssl_config_.send_client_cert && ssl_config_.client_cert); PRUint16 cipher_suite = 
@@ -622,9 +622,10 @@ void SSLClientSocketNSS::Disconnect() { verifier_.reset(); transport_->socket()->Disconnect(); - if (ob_cert_request_handle_ != NULL) { - origin_bound_cert_service_->CancelRequest(ob_cert_request_handle_); - ob_cert_request_handle_ = NULL; + if (domain_bound_cert_request_handle_ != NULL) { + server_bound_cert_service_->CancelRequest( + domain_bound_cert_request_handle_); + domain_bound_cert_request_handle_ = NULL; } // TODO(wtc): Send SSL close_notify alert. @@ -658,7 +659,7 @@ void SSLClientSocketNSS::Disconnect() { nss_bufs_ = NULL; client_certs_.clear(); client_auth_cert_needed_ = false; - ob_cert_xtn_negotiated_ = false; + domain_bound_cert_xtn_negotiated_ = false; LeaveFunction(""); } @@ -971,16 +972,16 @@ int SSLClientSocketNSS::InitializeSSLOptions() { #ifdef SSL_ENABLE_OB_CERTS rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OB_CERTS, - ssl_config_.origin_bound_certs_enabled); + ssl_config_.domain_bound_certs_enabled); if (rv != SECSuccess) LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_OB_CERTS"); #endif #ifdef SSL_ENCRYPT_CLIENT_CERTS // For now, enable the encrypted client certificates extension only if - // origin-bound certificates are enabled. + // server-bound certificates are enabled. rv = SSL_OptionSet(nss_fd_, SSL_ENCRYPT_CLIENT_CERTS, - ssl_config_.origin_bound_certs_enabled); + ssl_config_.domain_bound_certs_enabled); if (rv != SECSuccess) LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENCRYPT_CLIENT_CERTS"); #endif @@ -1282,8 +1283,8 @@ int SSLClientSocketNSS::DoHandshakeLoop(int last_io_result) { case STATE_HANDSHAKE: rv = DoHandshake(); break; - case STATE_GET_OB_CERT_COMPLETE: - rv = DoGetOBCertComplete(rv); + case STATE_GET_DOMAIN_BOUND_CERT_COMPLETE: + rv = DoGetDBCertComplete(rv); break; case STATE_VERIFY_DNSSEC: rv = DoVerifyDNSSEC(rv); 
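Review bot: The comment above the `SSL_ENCRYPT_CLIENT_CERTS` option now says "only if server-bound certificates are enabled" while the flag it reads three lines later is `ssl_config_.domain_bound_certs_enabled`, so the same feature is named two different ways inside one hunk. I would align the comment with the field it gates: `// For now, enable the encrypted client certificates extension only if` / `// domain-bound certificates are enabled.` The NSS-side identifiers in the same block (`SSL_ENABLE_OB_CERTS`) keep the old "OB" spelling because they belong to NSS, and a one-line comment saying so would stop this from reading as an incomplete rename. InitializeSSLOptions starts and ends outside this hunk.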
@@ -1430,14 +1431,14 @@ int SSLClientSocketNSS::DoHandshake() { int net_error = net::OK; SECStatus rv = SSL_ForceHandshake(nss_fd_); - // TODO(rkn): Handle the case in which origin-bound cert generation takes + // TODO(rkn): Handle the case in which server-bound cert generation takes // too long and the server has closed the connection. Report some new error // code so that the higher level code will attempt to delete the socket and // redo the handshake. if (client_auth_cert_needed_) { - if (ob_cert_xtn_negotiated_) { - GotoState(STATE_GET_OB_CERT_COMPLETE); + if (domain_bound_cert_xtn_negotiated_) { + GotoState(STATE_GET_DOMAIN_BOUND_CERT_COMPLETE); net_error = ERR_IO_PENDING; } else { net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; @@ -1552,12 +1553,12 @@ int SSLClientSocketNSS::DoHandshake() { return net_error; } -int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert, +int SSLClientSocketNSS::ImportDBCertAndKey(CERTCertificate** cert, SECKEYPrivateKey** key) { // Set the certificate. SECItem cert_item; - cert_item.data = (unsigned char*) ob_cert_.data(); - cert_item.len = ob_cert_.size(); + cert_item.data = (unsigned char*) domain_bound_cert_.data(); + cert_item.len = domain_bound_cert_.size(); *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &cert_item, NULL, @@ -1567,13 +1568,14 @@ int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert, return MapNSSError(PORT_GetError()); // Set the private key. - switch (ob_cert_type_) { + switch (domain_bound_cert_type_) { case CLIENT_CERT_ECDSA_SIGN: { SECKEYPublicKey* public_key = NULL; if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo( - OriginBoundCertService::kEPKIPassword, - reinterpret_cast<const unsigned char*>(ob_private_key_.data()), - ob_private_key_.size(), + ServerBoundCertService::kEPKIPassword, + reinterpret_cast<const unsigned char*>( + domain_bound_private_key_.data()), + domain_bound_private_key_.size(), &(*cert)->subjectPublicKeyInfo, false, false, 
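Review bot: The new helper names `ImportDBCertAndKey` and `DoGetDBCertComplete` abbreviate "domain bound" to "DB", which in this very function reads as "database": `ImportDBCertAndKey` calls `CERT_GetDefaultCertDB()` a few lines below, where DB is the NSS certificate database. Every other renamed identifier in the hunk is spelled out (`domain_bound_cert_`, `domain_bound_cert_type_`, `STATE_GET_DOMAIN_BOUND_CERT_COMPLETE`), so the methods should follow suit: `int SSLClientSocketNSS::ImportDomainBoundCertAndKey(CERTCertificate** cert, SECKEYPrivateKey** key)` and `int SSLClientSocketNSS::DoGetDomainBoundCertComplete(int result)`. The updated TODO(rkn) also says "server-bound cert generation" while the code it describes is the domain-bound path; one term should be used. DoHandshake and ImportDBCertAndKey both extend beyond this hunk.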
@@ -1595,18 +1597,18 @@ int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert, return OK; } -int SSLClientSocketNSS::DoGetOBCertComplete(int result) { - net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, +int SSLClientSocketNSS::DoGetDBCertComplete(int result) { + net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, result); client_auth_cert_needed_ = false; - ob_cert_request_handle_ = NULL; + domain_bound_cert_request_handle_ = NULL; if (result != OK) return result; CERTCertificate* cert; SECKEYPrivateKey* key; - int error = ImportOBCertAndKey(&cert, &key); + int error = ImportDBCertAndKey(&cert, &key); if (error != OK) return error; @@ -1622,7 +1624,7 @@ int SSLClientSocketNSS::DoGetOBCertComplete(int result) { return MapNSSError(PORT_GetError()); GotoState(STATE_HANDSHAKE); - set_origin_bound_cert_type(ob_cert_type_); + set_domain_bound_cert_type(domain_bound_cert_type_); return OK; } @@ -2173,7 +2175,7 @@ SECStatus SSLClientSocketNSS::OwnAuthCertHandler(void* arg, } // static -bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) { +bool SSLClientSocketNSS::DomainBoundCertNegotiated(PRFileDesc* socket) { PRBool xtn_negotiated = PR_FALSE; SECStatus rv = SSL_HandshakeNegotiatedExtension( socket, ssl_ob_cert_xtn, &xtn_negotiated); 
@@ -2182,42 +2184,42 @@ bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) { return xtn_negotiated ? true : false; } -SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler( +SECStatus SSLClientSocketNSS::DomainBoundClientAuthHandler( const SECItem* cert_types, CERTCertificate** result_certificate, SECKEYPrivateKey** result_private_key) { - ob_cert_xtn_negotiated_ = true; + domain_bound_cert_xtn_negotiated_ = true; - // We have negotiated the origin-bound certificate extension. + // We have negotiated the domain-bound certificate extension. std::string origin = "https://" + host_and_port_.ToString(); std::vector<uint8> requested_cert_types(cert_types->data, cert_types->data + cert_types->len); - net_log_.BeginEvent(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, NULL); - int error = origin_bound_cert_service_->GetOriginBoundCert( + net_log_.BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, NULL); + int error = server_bound_cert_service_->GetDomainBoundCert( origin, requested_cert_types, - &ob_cert_type_, - &ob_private_key_, - &ob_cert_, + &domain_bound_cert_type_, + &domain_bound_private_key_, + &domain_bound_cert_, base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, base::Unretained(this)), - &ob_cert_request_handle_); + &domain_bound_cert_request_handle_); if (error == ERR_IO_PENDING) { // Asynchronous case. client_auth_cert_needed_ = true; return SECWouldBlock; } - net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, + net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, error); SECStatus rv = SECSuccess; if (error == OK) { // Synchronous success. - int result = ImportOBCertAndKey(result_certificate, + int result = ImportDBCertAndKey(result_certificate, result_private_key); if (result == OK) { - set_origin_bound_cert_type(ob_cert_type_); + set_domain_bound_cert_type(domain_bound_cert_type_); } else { rv = SECFailure; } 
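Review bot: The lookup key handed to `GetDomainBoundCert` is still the local `origin`, built as `"https://" + host_and_port_.ToString()` (scheme, host and port), while the handler, fields and NetLog event are now named "domain bound"; nothing in the hunk says whether the service keys on that full string or reduces it to a domain itself. The distinction matters for security: if the certificate is now scoped to a domain rather than an origin, the same key pair would presumably be presented on every port and subdomain of that host, which widens cross-origin linkability compared with the origin-bound behaviour this code replaced. I would add a comment above the call stating the actual scope once confirmed against ServerBoundCertService, e.g. `// The service is keyed on the full origin string; any widening to a domain happens inside ServerBoundCertService.`, or rename the local if the key really is a domain. DomainBoundClientAuthHandler continues past the end of this hunk.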
@@ -2249,9 +2251,9 @@ SECStatus SSLClientSocketNSS::PlatformClientAuthHandler( const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); - // Check if an origin-bound certificate is requested. - if (OriginBoundCertNegotiated(socket)) { - return that->OriginBoundClientAuthHandler( + // Check if a domain-bound certificate is requested. + if (DomainBoundCertNegotiated(socket)) { + return that->DomainBoundClientAuthHandler( cert_types, result_nss_certificate, result_nss_private_key); } @@ -2555,9 +2557,9 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler( const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); - // Check if an origin-bound certificate is requested. - if (OriginBoundCertNegotiated(socket)) { - return that->OriginBoundClientAuthHandler( + // Check if a domain-bound certificate is requested. + if (DomainBoundCertNegotiated(socket)) { + return that->DomainBoundClientAuthHandler( cert_types, result_certificate, result_private_key); } @@ -2711,8 +2713,8 @@ bool SSLClientSocketNSS::CalledOnValidThread() const { return valid_thread_id_ == base::PlatformThread::CurrentId(); } -OriginBoundCertService* SSLClientSocketNSS::GetOriginBoundCertService() const { - return origin_bound_cert_service_; +ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { + return server_bound_cert_service_; } } // namespace net diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h index 1582f37..49343d1 100644 --- a/net/socket/ssl_client_socket_nss.h +++ b/net/socket/ssl_client_socket_nss.h @@ -35,7 +35,7 @@ namespace net { class BoundNetLog; class CertVerifier; class ClientSocketHandle; -class OriginBoundCertService; +class ServerBoundCertService; class SingleRequestCertVerifier; class SSLHostInfo; class TransportSecurityState; 
@@ -93,14 +93,14 @@ class SSLClientSocketNSS : public SSLClientSocket { const CompletionCallback& callback) OVERRIDE; virtual bool SetReceiveBufferSize(int32 size) OVERRIDE; virtual bool SetSendBufferSize(int32 size) OVERRIDE; - virtual OriginBoundCertService* GetOriginBoundCertService() const OVERRIDE; + virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE; private: enum State { STATE_NONE, STATE_LOAD_SSL_HOST_INFO, STATE_HANDSHAKE, - STATE_GET_OB_CERT_COMPLETE, + STATE_GET_DOMAIN_BOUND_CERT_COMPLETE, STATE_VERIFY_DNSSEC, STATE_VERIFY_CERT, STATE_VERIFY_CERT_COMPLETE, @@ -132,14 +132,14 @@ class SSLClientSocketNSS : public SSLClientSocket { int DoHandshake(); - // ImportOBCertAndKey is a helper function for turning a DER-encoded cert and + // ImportDBCertAndKey is a helper function for turning a DER-encoded cert and // key into a CERTCertificate and SECKEYPrivateKey. Returns OK upon success // and an error code otherwise. - // Requires |ob_private_key_| and |ob_cert_| to have been set by a call to - // OriginBoundCertService->GetOriginBoundCert. The caller takes ownership of - // the |*cert| and |*key|. - int ImportOBCertAndKey(CERTCertificate** cert, SECKEYPrivateKey** key); - int DoGetOBCertComplete(int result); + // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been + // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller + // takes ownership of the |*cert| and |*key|. + int ImportDBCertAndKey(CERTCertificate** cert, SECKEYPrivateKey** key); + int DoGetDBCertComplete(int result); int DoVerifyDNSSEC(int result); int DoVerifyCert(int result); int DoVerifyCertComplete(int result); 
@@ -163,11 +163,11 @@ class SSLClientSocketNSS : public SSLClientSocket { // argument. static SECStatus OwnAuthCertHandler(void* arg, PRFileDesc* socket, PRBool checksig, PRBool is_server); - // Returns true if connection negotiated the origin bound cert extension. - static bool OriginBoundCertNegotiated(PRFileDesc* socket); - // Origin bound cert client auth handler. + // Returns true if connection negotiated the domain bound cert extension. + static bool DomainBoundCertNegotiated(PRFileDesc* socket); + // Domain bound cert client auth handler. // Returns the value the ClientAuthHandler function should return. - SECStatus OriginBoundClientAuthHandler( + SECStatus DomainBoundClientAuthHandler( const SECItem* cert_types, CERTCertificate** result_certificate, SECKEYPrivateKey** result_private_key); @@ -256,13 +256,13 @@ class SSLClientSocketNSS : public SSLClientSocket { CertVerifier* const cert_verifier_; scoped_ptr<SingleRequestCertVerifier> verifier_; - // For origin bound certificates in client auth. - bool ob_cert_xtn_negotiated_; - OriginBoundCertService* origin_bound_cert_service_; - SSLClientCertType ob_cert_type_; - std::string ob_private_key_; - std::string ob_cert_; - OriginBoundCertService::RequestHandle ob_cert_request_handle_; + // For domain bound certificates in client auth. + bool domain_bound_cert_xtn_negotiated_; + ServerBoundCertService* server_bound_cert_service_; + SSLClientCertType domain_bound_cert_type_; + std::string domain_bound_private_key_; + std::string domain_bound_cert_; + ServerBoundCertService::RequestHandle domain_bound_cert_request_handle_; // True if NSS has called HandshakeCallback. bool handshake_callback_called_; diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc index a29acf6..d691f22 100644 --- a/net/socket/ssl_client_socket_openssl.cc +++ b/net/socket/ssl_client_socket_openssl.cc 
@@ -587,7 +587,7 @@ void SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) { server_cert_verify_result_.is_issued_by_known_root; ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; - ssl_info->client_cert_sent = WasOriginBoundCertSent() || + ssl_info->client_cert_sent = WasDomainBoundCertSent() || (ssl_config_.send_client_cert && ssl_config_.client_cert); const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); @@ -653,8 +653,8 @@ SSLClientSocket::NextProtoStatus SSLClientSocketOpenSSL::GetNextProto( return npn_status_; } -OriginBoundCertService* -SSLClientSocketOpenSSL::GetOriginBoundCertService() const { +ServerBoundCertService* +SSLClientSocketOpenSSL::GetServerBoundCertService() const { return NULL; } diff --git a/net/socket/ssl_client_socket_openssl.h b/net/socket/ssl_client_socket_openssl.h index 69f03c9..f2739d4 100644 --- a/net/socket/ssl_client_socket_openssl.h +++ b/net/socket/ssl_client_socket_openssl.h @@ -65,7 +65,7 @@ class SSLClientSocketOpenSSL : public SSLClientSocket { unsigned int outlen); virtual NextProtoStatus GetNextProto(std::string* proto, std::string* server_protos); - virtual OriginBoundCertService* GetOriginBoundCertService() const; + virtual ServerBoundCertService* GetServerBoundCertService() const; // StreamSocket implementation. virtual int Connect(const CompletionCallback& callback); diff --git a/net/socket/ssl_client_socket_pool.cc b/net/socket/ssl_client_socket_pool.cc index 0c96546..71a5b0d 100644 --- a/net/socket/ssl_client_socket_pool.cc +++ b/net/socket/ssl_client_socket_pool.cc @@ -448,7 +448,7 @@ SSLClientSocketPool::SSLClientSocketPool( ClientSocketPoolHistograms* histograms, HostResolver* host_resolver, CertVerifier* cert_verifier, - OriginBoundCertService* origin_bound_cert_service, + ServerBoundCertService* server_bound_cert_service, TransportSecurityState* transport_security_state, SSLHostInfoFactory* ssl_host_info_factory, const std::string& ssl_session_cache_shard, 
@@ -471,7 +471,7 @@ SSLClientSocketPool::SSLClientSocketPool( host_resolver, SSLClientSocketContext( cert_verifier, - origin_bound_cert_service, + server_bound_cert_service, transport_security_state, ssl_host_info_factory, ssl_session_cache_shard), diff --git a/net/socket/ssl_client_socket_pool.h b/net/socket/ssl_client_socket_pool.h index bd667ff..d80ace9 100644 --- a/net/socket/ssl_client_socket_pool.h +++ b/net/socket/ssl_client_socket_pool.h @@ -176,7 +176,7 @@ class NET_EXPORT_PRIVATE SSLClientSocketPool ClientSocketPoolHistograms* histograms, HostResolver* host_resolver, CertVerifier* cert_verifier, - OriginBoundCertService* origin_bound_cert_service, + ServerBoundCertService* server_bound_cert_service, TransportSecurityState* transport_security_state, SSLHostInfoFactory* ssl_host_info_factory, const std::string& ssl_session_cache_shard, diff --git a/net/socket/ssl_client_socket_pool_unittest.cc b/net/socket/ssl_client_socket_pool_unittest.cc index d77e157..c6896ec 100644 --- a/net/socket/ssl_client_socket_pool_unittest.cc +++ b/net/socket/ssl_client_socket_pool_unittest.cc @@ -96,7 +96,7 @@ class SSLClientSocketPoolTest : public testing::Test { ssl_histograms_.get(), NULL /* host_resolver */, NULL /* cert_verifier */, - NULL /* origin_bound_cert_service */, + NULL /* server_bound_cert_service */, NULL /* transport_security_state */, NULL /* ssl_host_info_factory */, "" /* ssl_session_cache_shard */, diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc index 4e61c6f..b2054eb 100644 --- a/net/socket/ssl_client_socket_win.cc +++ b/net/socket/ssl_client_socket_win.cc 
@@ -412,7 +412,7 @@ void SSLClientSocketWin::GetSSLInfo(SSLInfo* ssl_info) { ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; ssl_info->is_issued_by_known_root = server_cert_verify_result_.is_issued_by_known_root; - ssl_info->client_cert_sent = WasOriginBoundCertSent() || + ssl_info->client_cert_sent = WasDomainBoundCertSent() || (ssl_config_.send_client_cert && ssl_config_.client_cert); SecPkgContext_ConnectionInfo connection_info; SECURITY_STATUS status = QueryContextAttributes( @@ -555,7 +555,7 @@ SSLClientSocketWin::GetNextProto(std::string* proto, return kNextProtoUnsupported; } -OriginBoundCertService* SSLClientSocketWin::GetOriginBoundCertService() const { +ServerBoundCertService* SSLClientSocketWin::GetServerBoundCertService() const { return NULL; } diff --git a/net/socket/ssl_client_socket_win.h b/net/socket/ssl_client_socket_win.h index e1ca1120..e9a74fe 100644 --- a/net/socket/ssl_client_socket_win.h +++ b/net/socket/ssl_client_socket_win.h @@ -55,7 +55,7 @@ class SSLClientSocketWin : public SSLClientSocket { unsigned int outlen); virtual NextProtoStatus GetNextProto(std::string* proto, std::string* server_protos); - virtual OriginBoundCertService* GetOriginBoundCertService() const OVERRIDE; + virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE; // StreamSocket implementation. virtual int Connect(const CompletionCallback& callback) OVERRIDE; diff --git a/net/socket/ssl_server_socket_unittest.cc b/net/socket/ssl_server_socket_unittest.cc index 11276d1..ce998e4 100644 --- a/net/socket/ssl_server_socket_unittest.cc +++ b/net/socket/ssl_server_socket_unittest.cc @@ -281,7 +281,7 @@ class SSLServerSocketTest : public PlatformTest { net::SSLConfig ssl_config; ssl_config.cached_info_enabled = false; ssl_config.false_start_enabled = false; - ssl_config.origin_bound_certs_enabled = false; + ssl_config.domain_bound_certs_enabled = false; ssl_config.ssl3_enabled = true; ssl_config.tls1_enabled = true; |