From 01c553f08001332cb00cdb7bb7f02256a0146fe0 Mon Sep 17 00:00:00 2001
From: "wtc@chromium.org"
Date: Thu, 14 May 2009 01:06:05 +0000
Subject: If Schannel's InitializeSecurityContext calls return certificate errors, do not map them to our (server) certificate errors because the errors are referring to the (missing) client certificate. If we incorrectly handle them as server certificate errors, we will crash because we can't get the server certificate from Schannel when the handshake fails. Fumitoshi Ukai of Google tracked down the bug and proposed an alternative fix. R=rvargas,ukai BUG=http://crbug.com/11646 TEST=Visit https://www.cdep.ro/. Chromium should not crash. Review URL: http://codereview.chromium.org/113375 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@16026 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/base/ssl_client_socket_win.cc | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
(limited to 'net/base')
diff --git a/net/base/ssl_client_socket_win.cc b/net/base/ssl_client_socket_win.cc
index e732e86..62790d5 100644
--- a/net/base/ssl_client_socket_win.cc
+++ b/net/base/ssl_client_socket_win.cc
@@ -612,8 +612,23 @@ int SSLClientSocketWin::DidCallInitializeSecurityContext() {
 return DidCompleteHandshake();
 }
- if (FAILED(isc_status_))
- return MapSecurityError(isc_status_);
+ if (FAILED(isc_status_)) {
+ int result = MapSecurityError(isc_status_);
+ // We told Schannel to not verify the server certificate
+ // (SCH_CRED_MANUAL_CRED_VALIDATION), so any certificate error returned by
+ // InitializeSecurityContext must be referring to the (missing) client
+ // certificate.
+ if (IsCertificateError(result)) {
+ // TODO(wtc): When we support SSL client authentication, we will need to
+ // add new error codes for client certificate errors reported by the
+ // server using SSL/TLS alert messages. See http://crbug.com/318. See
+ // also the MSDN page "Schannel Error Codes for TLS and SSL Alerts",
+ // which maps TLS alert messages to Windows error codes:
+ // http://msdn.microsoft.com/en-us/library/dd721886%28VS.85%29.aspx
+ return ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
+ }
+ return result;
+ }
 if (isc_status_ == SEC_I_INCOMPLETE_CREDENTIALS) {
 // We don't support SSL client authentication yet. For now we just set
-- 
cgit v1.1
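Review bot: The rewritten `if (FAILED(isc_status_))` branch folds every certificate-class result from `MapSecurityError` into `ERR_SSL_CLIENT_AUTH_CERT_NEEDED`, and the only thing guaranteeing those errors concern the client certificate is the SCH_CRED_MANUAL_CRED_VALIDATION assumption stated in the comment. The handshake still fails, so this is not a validation bypass, but if the credential flags set elsewhere ever change, a genuine server-certificate failure would surface as a client-auth request and the original `isc_status_` is discarded, which makes the misclassification hard to spot. I would record the raw status before the early return, e.g. `LOG(ERROR) << "InitializeSecurityContext certificate error: " << isc_status_;` (assuming the file's logging macros are in scope), and repeat the dependency in a comment where the credential flags are set. The function body starts and continues outside the hunk.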