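--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <openssl/ssl.h>
@@ -195,20 +195,33 @@
 }
 
 // This is the index used with SSL_get_ex_data to retrieve the owner
 // SSLClientSocketOpenSSL object from an SSL instance.
 int ssl_socket_data_index_;
 
 base::ScopedOpenSSL<SSL_CTX, SSL_CTX_free> ssl_ctx_;
 SSLSessionCache session_cache_;
 };
 
+// Utility to construct the appropriate set & clear masks for use the OpenSSL
+// options and mode configuration functions. (SSL_set_options etc)
+struct SslSetClearMask {
+SslSetClearMask() : set_mask(0), clear_mask(0) {}
+void ConfigureFlag(long flag, bool state) {
+(state ? set_mask : clear_mask) |= flag;
+// Make sure we haven't got any intersection in the set & clear options.
+DCHECK_EQ(0, set_mask & clear_mask) << flag << ":" << state;
+}
+long set_mask;
+long clear_mask;
+};
+
 } // namespace
 
 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
 ClientSocketHandle* transport_socket,
 const HostPortPair& host_and_port,
 const SSLConfig& ssl_config)
 : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_(
 this, &SSLClientSocketOpenSSL::BufferSendComplete)),
 ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_(
 this, &SSLClientSocketOpenSSL::BufferRecvComplete)),
@@ -253,41 +266,59 @@
 
 BIO* ssl_bio = NULL;
 // 0 => use default buffer sizes.
 if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_, 0))
 return false;
 DCHECK(ssl_bio);
 DCHECK(transport_bio_);
 
 SSL_set_bio(ssl_, ssl_bio, ssl_bio);
 
-#define SET_SSL_CONFIG_OPTION(option, value) \
-(((value) ? set_mask : clear_mask) |= (option))
-
 // OpenSSL defaults some options to on, others to off. To avoid ambiguity,
 // set everything we care about to an absolute value.
-long set_mask = 0;
-long clear_mask = 0;
-SET_SSL_CONFIG_OPTION(SSL_OP_NO_SSLv2, true);
-SET_SSL_CONFIG_OPTION(SSL_OP_NO_SSLv3, !ssl_config_.ssl3_enabled);
-SET_SSL_CONFIG_OPTION(SSL_OP_NO_TLSv1, !ssl_config_.tls1_enabled);
+SslSetClearMask options;
+options.ConfigureFlag(SSL_OP_NO_SSLv2, true);
+options.ConfigureFlag(SSL_OP_NO_SSLv3, !ssl_config_.ssl3_enabled);
+options.ConfigureFlag(SSL_OP_NO_TLSv1, !ssl_config_.tls1_enabled);
+
+#if defined(SSL_OP_NO_COMPRESSION)
+// If TLS was disabled also disable compression, to provide maximum site
+// compatibility in the case of protocol fallback. See http://crbug.com/31628
+options.ConfigureFlag(SSL_OP_NO_COMPRESSION, !ssl_config_.tls1_enabled);
+#endif
 
 // TODO(joth): Set this conditionally, see http://crbug.com/55410
-SET_SSL_CONFIG_OPTION(SSL_OP_LEGACY_SERVER_CONNECT, true);
+options.ConfigureFlag(SSL_OP_LEGACY_SERVER_CONNECT, true);
 
-// Make sure we haven't got any intersection in the set & clear options.
-DCHECK_EQ(0, set_mask & clear_mask);
+SSL_set_options(ssl_, options.set_mask);
+SSL_clear_options(ssl_, options.clear_mask);
 
-SSL_set_options(ssl_, set_mask);
-SSL_clear_options(ssl_, clear_mask);
-#undef SET_SSL_CONFIG_OPTION
+// Same as above, this time for the SSL mode.
+SslSetClearMask mode;
 
+#if defined(SSL_MODE_HANDSHAKE_CUTTHROUGH)
+mode.ConfigureFlag(SSL_MODE_HANDSHAKE_CUTTHROUGH,
+ssl_config_.false_start_enabled &&
+!SSLConfigService::IsKnownFalseStartIncompatibleServer(
+host_and_port_.host()));
+#endif
+
+#if defined(SSL_MODE_RELEASE_BUFFERS)
+mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true);
+#endif
+
+#if defined(SSL_MODE_SMALL_BUFFERS)
+mode.ConfigureFlag(SSL_MODE_SMALL_BUFFERS, true);
+#endif
+
+SSL_set_mode(ssl_, mode.set_mask);
+SSL_clear_mode(ssl_, mode.clear_mask);
 return true;
 }
 
 // SSLClientSocket methods
 
 void SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) {
 ssl_info->Reset();
 if (!server_cert_)
 return;
 
@@ -865,10 +896,10 @@
 int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_);
 
 if (rv >= 0)
 return rv;
 
 int err = SSL_get_error(ssl_, rv);
 return MapOpenSSLError(err);
 }
 
 } // namespace net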
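Review bot: `SslSetClearMask::ConfigureFlag` (second hunk) only catches a flag landing in both masks through `DCHECK_EQ`, so in a release build the conflict is silent, and because the callers in the third hunk invoke `SSL_set_options` before `SSL_clear_options` (and `SSL_set_mode` before `SSL_clear_mode`) the clear is applied last and such a flag ends up cleared. The visible call sites configure each flag exactly once, so this is a contract to state rather than a live bug; I would extend the struct comment with `// Each flag must be configured at most once: a flag given both states is only diagnosed in debug builds, and the set-then-clear call order leaves it cleared.` Separately, `DCHECK_EQ(0, set_mask & clear_mask)` compares an `int` literal against a `long` expression; `DCHECK_EQ(0L, set_mask & clear_mask)` keeps both operands the same type. The function that applies the masks in the third hunk begins before that hunk.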