OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
(...skipping 364 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
375 cert_transparency_verifier_(context.cert_transparency_verifier), | 375 cert_transparency_verifier_(context.cert_transparency_verifier), |
376 channel_id_service_(context.channel_id_service), | 376 channel_id_service_(context.channel_id_service), |
377 ssl_(NULL), | 377 ssl_(NULL), |
378 transport_bio_(NULL), | 378 transport_bio_(NULL), |
379 transport_(transport_socket.Pass()), | 379 transport_(transport_socket.Pass()), |
380 host_and_port_(host_and_port), | 380 host_and_port_(host_and_port), |
381 ssl_config_(ssl_config), | 381 ssl_config_(ssl_config), |
382 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 382 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
383 next_handshake_state_(STATE_NONE), | 383 next_handshake_state_(STATE_NONE), |
384 npn_status_(kNextProtoUnsupported), | 384 npn_status_(kNextProtoUnsupported), |
385 channel_id_xtn_negotiated_(false), | 385 channel_id_sent_(false), |
386 handshake_completed_(false), | 386 handshake_completed_(false), |
387 certificate_verified_(false), | 387 certificate_verified_(false), |
388 transport_security_state_(context.transport_security_state), | 388 transport_security_state_(context.transport_security_state), |
389 policy_enforcer_(context.cert_policy_enforcer), | 389 policy_enforcer_(context.cert_policy_enforcer), |
390 net_log_(transport_->socket()->NetLog()), | 390 net_log_(transport_->socket()->NetLog()), |
391 weak_factory_(this) { | 391 weak_factory_(this) { |
392 } | 392 } |
393 | 393 |
394 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { | 394 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { |
395 Disconnect(); | 395 Disconnect(); |
(...skipping 114 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
510 | 510 |
511 cert_authorities_.clear(); | 511 cert_authorities_.clear(); |
512 cert_key_types_.clear(); | 512 cert_key_types_.clear(); |
513 client_auth_cert_needed_ = false; | 513 client_auth_cert_needed_ = false; |
514 | 514 |
515 start_cert_verification_time_ = base::TimeTicks(); | 515 start_cert_verification_time_ = base::TimeTicks(); |
516 | 516 |
517 npn_status_ = kNextProtoUnsupported; | 517 npn_status_ = kNextProtoUnsupported; |
518 npn_proto_.clear(); | 518 npn_proto_.clear(); |
519 | 519 |
520 channel_id_xtn_negotiated_ = false; | 520 channel_id_sent_ = false; |
521 channel_id_request_handle_.Cancel(); | 521 channel_id_request_handle_.Cancel(); |
522 } | 522 } |
523 | 523 |
524 bool SSLClientSocketOpenSSL::IsConnected() const { | 524 bool SSLClientSocketOpenSSL::IsConnected() const { |
525 // If the handshake has not yet completed. | 525 // If the handshake has not yet completed. |
526 if (!completed_connect_) | 526 if (!completed_connect_) |
527 return false; | 527 return false; |
528 // If an asynchronous operation is still pending. | 528 // If an asynchronous operation is still pending. |
529 if (user_read_buf_.get() || user_write_buf_.get()) | 529 if (user_read_buf_.get() || user_write_buf_.get()) |
530 return true; | 530 return true; |
(...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
599 return false; | 599 return false; |
600 | 600 |
601 ssl_info->cert = server_cert_verify_result_.verified_cert; | 601 ssl_info->cert = server_cert_verify_result_.verified_cert; |
602 ssl_info->cert_status = server_cert_verify_result_.cert_status; | 602 ssl_info->cert_status = server_cert_verify_result_.cert_status; |
603 ssl_info->is_issued_by_known_root = | 603 ssl_info->is_issued_by_known_root = |
604 server_cert_verify_result_.is_issued_by_known_root; | 604 server_cert_verify_result_.is_issued_by_known_root; |
605 ssl_info->public_key_hashes = | 605 ssl_info->public_key_hashes = |
606 server_cert_verify_result_.public_key_hashes; | 606 server_cert_verify_result_.public_key_hashes; |
607 ssl_info->client_cert_sent = | 607 ssl_info->client_cert_sent = |
608 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); | 608 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); |
609 ssl_info->channel_id_sent = WasChannelIDSent(); | 609 ssl_info->channel_id_sent = channel_id_sent_; |
610 ssl_info->pinning_failure_log = pinning_failure_log_; | 610 ssl_info->pinning_failure_log = pinning_failure_log_; |
611 | 611 |
612 AddSCTInfoToSSLInfo(ssl_info); | 612 AddSCTInfoToSSLInfo(ssl_info); |
613 | 613 |
614 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); | 614 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); |
615 CHECK(cipher); | 615 CHECK(cipher); |
616 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); | 616 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); |
617 | 617 |
618 ssl_info->connection_status = EncodeSSLConnectionStatus( | 618 ssl_info->connection_status = EncodeSSLConnectionStatus( |
619 static_cast<uint16>(SSL_CIPHER_get_id(cipher)), 0 /* no compression */, | 619 static_cast<uint16>(SSL_CIPHER_get_id(cipher)), 0 /* no compression */, |
(...skipping 313 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
933 unsigned alpn_len = 0; | 933 unsigned alpn_len = 0; |
934 SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len); | 934 SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len); |
935 if (alpn_len > 0) { | 935 if (alpn_len > 0) { |
936 npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len); | 936 npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len); |
937 npn_status_ = kNextProtoNegotiated; | 937 npn_status_ = kNextProtoNegotiated; |
938 set_negotiation_extension(kExtensionALPN); | 938 set_negotiation_extension(kExtensionALPN); |
939 } | 939 } |
940 } | 940 } |
941 | 941 |
942 RecordNegotiationExtension(); | 942 RecordNegotiationExtension(); |
943 RecordChannelIDSupport(channel_id_service_, | 943 RecordChannelIDSupport(channel_id_service_, channel_id_sent_, |
944 channel_id_xtn_negotiated_, | |
945 ssl_config_.channel_id_enabled, | 944 ssl_config_.channel_id_enabled, |
946 crypto::ECPrivateKey::IsSupported()); | 945 crypto::ECPrivateKey::IsSupported()); |
947 | 946 |
948 // Only record OCSP histograms if OCSP was requested. | 947 // Only record OCSP histograms if OCSP was requested. |
949 if (ssl_config_.signed_cert_timestamps_enabled || | 948 if (ssl_config_.signed_cert_timestamps_enabled || |
950 IsOCSPStaplingSupported()) { | 949 IsOCSPStaplingSupported()) { |
951 const uint8_t* ocsp_response; | 950 const uint8_t* ocsp_response; |
952 size_t ocsp_response_len; | 951 size_t ocsp_response_len; |
953 SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len); | 952 SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len); |
954 | 953 |
(...skipping 11 matching lines...) Expand all Loading... |
966 GotoState(STATE_VERIFY_CERT); | 965 GotoState(STATE_VERIFY_CERT); |
967 } else { | 966 } else { |
968 if (client_auth_cert_needed_) | 967 if (client_auth_cert_needed_) |
969 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 968 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
970 | 969 |
971 int ssl_error = SSL_get_error(ssl_, rv); | 970 int ssl_error = SSL_get_error(ssl_, rv); |
972 | 971 |
973 if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) { | 972 if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) { |
974 // The server supports channel ID. Stop to look one up before returning to | 973 // The server supports channel ID. Stop to look one up before returning to |
975 // the handshake. | 974 // the handshake. |
976 channel_id_xtn_negotiated_ = true; | |
977 GotoState(STATE_CHANNEL_ID_LOOKUP); | 975 GotoState(STATE_CHANNEL_ID_LOOKUP); |
978 return OK; | 976 return OK; |
979 } | 977 } |
980 | 978 |
981 OpenSSLErrorInfo error_info; | 979 OpenSSLErrorInfo error_info; |
982 net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info); | 980 net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info); |
983 | 981 |
984 // If not done, stay in this state | 982 // If not done, stay in this state |
985 if (net_error == ERR_IO_PENDING) { | 983 if (net_error == ERR_IO_PENDING) { |
986 GotoState(STATE_HANDSHAKE); | 984 GotoState(STATE_HANDSHAKE); |
(...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1036 // type. | 1034 // type. |
1037 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 1035 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
1038 int rv = SSL_set1_tls_channel_id(ssl_, ec_private_key->key()); | 1036 int rv = SSL_set1_tls_channel_id(ssl_, ec_private_key->key()); |
1039 if (!rv) { | 1037 if (!rv) { |
1040 LOG(ERROR) << "Failed to set Channel ID."; | 1038 LOG(ERROR) << "Failed to set Channel ID."; |
1041 int err = SSL_get_error(ssl_, rv); | 1039 int err = SSL_get_error(ssl_, rv); |
1042 return MapOpenSSLError(err, err_tracer); | 1040 return MapOpenSSLError(err, err_tracer); |
1043 } | 1041 } |
1044 | 1042 |
1045 // Return to the handshake. | 1043 // Return to the handshake. |
1046 set_channel_id_sent(true); | 1044 channel_id_sent_ = true; |
1047 net_log_.AddEvent(NetLog::TYPE_SSL_CHANNEL_ID_PROVIDED); | 1045 net_log_.AddEvent(NetLog::TYPE_SSL_CHANNEL_ID_PROVIDED); |
1048 GotoState(STATE_HANDSHAKE); | 1046 GotoState(STATE_HANDSHAKE); |
1049 return OK; | 1047 return OK; |
1050 } | 1048 } |
1051 | 1049 |
1052 int SSLClientSocketOpenSSL::DoVerifyCert(int result) { | 1050 int SSLClientSocketOpenSSL::DoVerifyCert(int result) { |
1053 DCHECK(!server_cert_chain_->empty()); | 1051 DCHECK(!server_cert_chain_->empty()); |
1054 DCHECK(start_cert_verification_time_.is_null()); | 1052 DCHECK(start_cert_verification_time_.is_null()); |
1055 | 1053 |
1056 GotoState(STATE_VERIFY_CERT_COMPLETE); | 1054 GotoState(STATE_VERIFY_CERT_COMPLETE); |
(...skipping 862 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1919 | 1917 |
1920 return result; | 1918 return result; |
1921 } | 1919 } |
1922 | 1920 |
1923 scoped_refptr<X509Certificate> | 1921 scoped_refptr<X509Certificate> |
1924 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1922 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
1925 return server_cert_; | 1923 return server_cert_; |
1926 } | 1924 } |
1927 | 1925 |
1928 } // namespace net | 1926 } // namespace net |
OLD | NEW |