Unified Diff: net/socket/ssl_client_socket_openssl.cc

Issue 4963002: Refactor EnsureOpenSSLInit and openssl_util into base (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: rebased Created 10 years, 1 month ago
Index: net/socket/ssl_client_socket_openssl.cc
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 3f01db21b342cfdcb0181e56391a195ffe3bbeed..e09f846f1fcfb84cece9e78f67990d3614b9af44 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -10,10 +10,10 @@
#include <openssl/ssl.h>
#include <openssl/err.h>
-#include "net/base/cert_verifier.h"
#include "base/metrics/histogram.h"
+#include "base/openssl_util.h"
+#include "net/base/cert_verifier.h"
#include "net/base/net_errors.h"
-#include "net/base/openssl_util.h"
#include "net/base/ssl_connection_status_flags.h"
#include "net/base/ssl_info.h"
@@ -58,6 +58,29 @@ int MapOpenSSLError(int err) {
}
}
+// We do certificate verification after handshake, so we disable the default
+// by registering a no-op verify function.
+int NoOpVerifyCallback(X509_STORE_CTX*, void *) {
+ DVLOG(3) << "skipping cert verify";
+ return 1;
+}
+
+class OpenSSLContext {
+ public:
+ SSL_CTX* ssl_ctx() const { return ssl_ctx_.get(); }
+
+ private:
+ friend struct DefaultSingletonTraits<OpenSSLContext>;
+ OpenSSLContext()
+ : ssl_ctx_(SSL_CTX_new(SSLv23_client_method())) {
bulach 2010/11/16 14:23:50 see below, perhaps move out of the initializer lis
joth 2010/11/16 15:57:41 Done. ScopedSSL makes this a little more complex.
+ SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), NoOpVerifyCallback, NULL);
+ }
+
+ base::ScopedSSL<SSL_CTX, SSL_CTX_free> ssl_ctx_;
+
+ DISALLOW_COPY_AND_ASSIGN(OpenSSLContext);
+};
+
} // namespace
SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
@@ -93,7 +116,8 @@ bool SSLClientSocketOpenSSL::Init() {
DCHECK(!ssl_);
DCHECK(!transport_bio_);
- ssl_ = SSL_new(GetOpenSSLInitSingleton()->ssl_ctx());
+ base::EnsureOpenSSLInit();
bulach 2010/11/16 14:23:50 it'd be better to move this to OpenSSLContext's ct
joth 2010/11/16 15:57:41 Done.
+ ssl_ = SSL_new(Singleton<OpenSSLContext>::get()->ssl_ctx());
if (!ssl_) {
MaybeLogSSLError();
return false;
@@ -394,7 +418,7 @@ void SSLClientSocketOpenSSL::InvalidateSessionIfBadCertificate() {
// see SSL_CTX_set_session_cache_mode(SSL_SESS_CACHE_CLIENT).
SSL_SESSION* session = SSL_get_session(ssl_);
LOG_IF(ERROR, session) << "Connection has a session?? " << session;
- int rv = SSL_CTX_remove_session(GetOpenSSLInitSingleton()->ssl_ctx(),
+ int rv = SSL_CTX_remove_session(Singleton<OpenSSLContext>::get()->ssl_ctx(),
session);
LOG_IF(ERROR, rv) << "Session was cached?? " << rv;
}
@@ -404,7 +428,7 @@ X509Certificate* SSLClientSocketOpenSSL::UpdateServerCert() {
if (server_cert_)
return server_cert_;
- ScopedSSL<X509, X509_free> cert(SSL_get_peer_certificate(ssl_));
+ base::ScopedSSL<X509, X509_free> cert(SSL_get_peer_certificate(ssl_));
if (!cert.get()) {
LOG(WARNING) << "SSL_get_peer_certificate returned NULL";
return NULL;
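Review bot: The OpenSSLContext constructor in the second hunk passes `ssl_ctx_.get()` straight into `SSL_CTX_set_cert_verify_callback` without checking that `SSL_CTX_new` succeeded, so an allocation failure (or a context created before the library is initialised) becomes a null dereference inside the singleton's constructor rather than the `if (!ssl_)` failure path that Init() already handles. A guard keeps the failure on that path: `if (ssl_ctx_.get())` / `  SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), NoOpVerifyCallback, NULL);`, since `SSL_new` on a null context simply returns NULL. Separately, because NoOpVerifyCallback returns 1 for every chain, the handshake can never fail on certificate grounds for any socket sharing this context, so the post-handshake verification is the only thing standing between an untrusted peer and application data; I would make that invariant explicit in the comment above the callback, e.g. `// Returns 1 unconditionally: no chain is rejected here, so callers MUST gate on the post-handshake CertVerifier result before sending data.` The code that performs that later verification is outside this hunk, so I cannot confirm from the diff that it runs before the socket is handed back to the caller.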