From 3fd49f9bdbe56a9648cddc015bdb8bac02fe1a7b Mon Sep 17 00:00:00 2001
From: "markus@chromium.org"
Date: Mon, 30 Mar 2009 21:09:30 +0000
Subject: Change the bad-certificate handler for SSL (using NSS) to return an error.

This requires a few additional changes in the rest of the code. In particular, we now have to teach HttpNetworkTransaction about how to restart connections with bad certificates. This was originally intended to be done by ReconnectIgnoringLastError(), but that API turns out be very difficult to implement in the SSLClientSocket. So, instead, we just create a completely new SSLClientSocket. We also have to be careful to store a copy of the certificate from within the bad-certificate handler, as it won't be available by the time GetSSLInfo() is called. And we fix a bug that would cause us to erroneously talk SSL on reconnected TCP sockets, even though we were still supposed to negotiate a proxy tunnel first.

Review URL: http://codereview.chromium.org/43115

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@12809 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/base/ssl_client_socket_nss.h | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

(limited to 'net/base/ssl_client_socket_nss.h')

diff --git a/net/base/ssl_client_socket_nss.h b/net/base/ssl_client_socket_nss.h
index 9b77f94..89fe99e 100644
--- a/net/base/ssl_client_socket_nss.h
+++ b/net/base/ssl_client_socket_nss.h
@@ -17,6 +17,8 @@ namespace net {
+class X509Certificate;
+
 // An SSL client socket implemented with Mozilla NSS.
 class SSLClientSocketNSS : public SSLClientSocket {
  public:
@@ -34,7 +36,6 @@ class SSLClientSocketNSS : public SSLClientSocket {
   // ClientSocket methods:
   virtual int Connect(CompletionCallback* callback);
-  virtual int ReconnectIgnoringLastError(CompletionCallback* callback);
   virtual void Disconnect();
   virtual bool IsConnected() const;
   virtual bool IsConnectedAndIdle() const;
@@ -44,6 +45,8 @@ class SSLClientSocketNSS : public SSLClientSocket {
   virtual int Write(const char* buf, int buf_len, CompletionCallback* callback);
  private:
+  void InvalidateSessionIfBadCertificate();
+  X509Certificate* UpdateServerCert();
   void DoCallback(int result);
   void OnIOComplete(int result);
@@ -59,7 +62,12 @@ class SSLClientSocketNSS : public SSLClientSocket {
   void BufferSendComplete(int result);
   void BufferRecvComplete(int result);
-  // nss calls this on error. We pass 'this' as the first argument.
+  // NSS calls this when checking certificates. We pass 'this' as the first
+  // argument.
+  static SECStatus OwnAuthCertHandler(void* arg, PRFileDesc* socket,
+                                      PRBool checksig, PRBool is_server);
+
+  // NSS calls this on error. We pass 'this' as the first argument.
   static SECStatus OwnBadCertHandler(void* arg, PRFileDesc* socket);
   CompletionCallbackImpl buffer_send_callback_;
@@ -81,6 +89,9 @@ class SSLClientSocketNSS : public SSLClientSocket {
   // Set when handshake finishes. Value is net error code, see net_errors.h
   int server_cert_error_;
+  // Set during handshake.
+  scoped_refptr server_cert_;
+
   bool completed_handshake_;
   enum State {
--
cgit v1.1
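Review bot: The two new private declarations `InvalidateSessionIfBadCertificate()` and `UpdateServerCert()` carry no comment, and for the latter the ownership of the returned raw `X509Certificate*` is not stated; with a ref-counted `server_cert_` member introduced for the same certificate later in this file, a reader cannot tell whether the caller receives a borrowed pointer or a new reference. Suggest `// Captures the server's certificate from the NSS socket into server_cert_ and returns it; the pointer is borrowed, the member holds the reference.` above `UpdateServerCert()`, if that matches the .cc. For the other method, a one-liner such as `// Drops the cached NSS session after a bad-certificate handshake result so that a reconnect negotiates afresh.` would do, but its behaviour is inferred from the name only and must be confirmed against the implementation, which is not in this hunk. The class body continues outside the hunk.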
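Review bot: The comment on `OwnAuthCertHandler` says only that NSS calls it when checking certificates, but an authenticate-certificate hook installed on the socket replaces NSS's built-in chain verification, so the comment should state whether the handler defers to NSS's default verification (`SSL_AuthCertificate`) or performs its own checks, and what its `SECStatus` return means for the handshake. Suggest `// NSS calls this to verify the server's certificate in place of its default check; a SECFailure result aborts the handshake and is reported through OwnBadCertHandler. We pass 'this' as the first argument.` — adopt it only if the .cc, which this hunk does not show, actually behaves that way. It would also help to say what `checksig` and `is_server` mean here (presumably forwarded verbatim from NSS). The enclosing class continues outside the hunk.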
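Review bot: `// Set during handshake.` on `server_cert_` says when the field is written but not what it is for; per the commit description it is the copy of the server's certificate taken from within the certificate handlers because the NSS certificate is no longer reachable once GetSSLInfo() runs. Suggest `// The server's certificate, captured during the handshake so that it is still available to GetSSLInfo() after the handshake has failed or completed.` It would also be worth stating next to `server_cert_error_` whether both fields are reset on Disconnect(), since a stale certificate or error surviving a reconnect would misreport the new connection; this header cannot confirm what the .cc does. Note that `scoped_refptr` and `CompletionCallbackImpl` appear here without their template arguments, presumably stripped by the page rendering rather than by the commit.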