| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| 836 } | 836 } |
| 837 | 837 |
| 838 if (cert_verifier_->SupportsOCSPStapling()) | 838 if (cert_verifier_->SupportsOCSPStapling()) |
| 839 SSL_enable_ocsp_stapling(ssl_); | 839 SSL_enable_ocsp_stapling(ssl_); |
| 840 | 840 |
| 841 // Enable fastradio padding. | 841 // Enable fastradio padding. |
| 842 SSL_enable_fastradio_padding(ssl_, | 842 SSL_enable_fastradio_padding(ssl_, |
| 843 ssl_config_.fastradio_padding_enabled && | 843 ssl_config_.fastradio_padding_enabled && |
| 844 ssl_config_.fastradio_padding_eligible); | 844 ssl_config_.fastradio_padding_eligible); |
| 845 | 845 |
| 846 // By default, renegotiations are rejected. After the initial handshake |
| 847 // completes, some application protocols may re-enable it. |
| 848 SSL_set_reject_peer_renegotiations(ssl_, 1); |
| 849 |
| 846 return OK; | 850 return OK; |
| 847 } | 851 } |
| 848 | 852 |
| 849 void SSLClientSocketOpenSSL::DoReadCallback(int rv) { | 853 void SSLClientSocketOpenSSL::DoReadCallback(int rv) { |
| 850 // Since Run may result in Read being called, clear |user_read_callback_| | 854 // Since Run may result in Read being called, clear |user_read_callback_| |
| 851 // up front. | 855 // up front. |
| 852 if (rv > 0) | 856 if (rv > 0) |
| 853 was_ever_used_ = true; | 857 was_ever_used_ = true; |
| 854 user_read_buf_ = NULL; | 858 user_read_buf_ = NULL; |
| 855 user_read_buf_len_ = 0; | 859 user_read_buf_len_ = 0; |
| 942 | 946 |
| 943 set_stapled_ocsp_response_received(ocsp_response_len != 0); | 947 set_stapled_ocsp_response_received(ocsp_response_len != 0); |
| 944 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); | 948 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); |
| 945 } | 949 } |
| 946 | 950 |
| 947 const uint8_t* sct_list; | 951 const uint8_t* sct_list; |
| 948 size_t sct_list_len; | 952 size_t sct_list_len; |
| 949 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len); | 953 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len); |
| 950 set_signed_cert_timestamps_received(sct_list_len != 0); | 954 set_signed_cert_timestamps_received(sct_list_len != 0); |
| 951 | 955 |
| 956 if (IsRenegotiationAllowed()) |
| 957 SSL_set_reject_peer_renegotiations(ssl_, 0); |
| 958 |
| 952 // Verify the certificate. | 959 // Verify the certificate. |
| 953 UpdateServerCert(); | 960 UpdateServerCert(); |
| 954 GotoState(STATE_VERIFY_CERT); | 961 GotoState(STATE_VERIFY_CERT); |
| 955 } else { | 962 } else { |
| 956 if (client_auth_cert_needed_) | 963 if (client_auth_cert_needed_) |
| 957 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 964 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
| 958 | 965 |
| 959 int ssl_error = SSL_get_error(ssl_, rv); | 966 int ssl_error = SSL_get_error(ssl_, rv); |
| 960 | 967 |
| 961 if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) { | 968 if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) { |
| 1879 NOTREACHED(); | 1886 NOTREACHED(); |
| 1880 } | 1887 } |
| 1881 | 1888 |
| 1882 result.append("/"); | 1889 result.append("/"); |
| 1883 if (ssl_config_.enable_deprecated_cipher_suites) | 1890 if (ssl_config_.enable_deprecated_cipher_suites) |
| 1884 result.append("deprecated"); | 1891 result.append("deprecated"); |
| 1885 | 1892 |
| 1886 return result; | 1893 return result; |
| 1887 } | 1894 } |
| 1888 | 1895 |
| 1896 bool SSLClientSocketOpenSSL::IsRenegotiationAllowed() const { |
| 1897 if (npn_status_ == kNextProtoUnsupported) |
| 1898 return ssl_config_.renego_allowed_default; |
| 1899 |
| 1900 NextProto next_proto = NextProtoFromString(npn_proto_); |
| 1901 for (NextProto allowed : ssl_config_.renego_allowed_for_protos) { |
| 1902 if (next_proto == allowed) |
| 1903 return true; |
| 1904 } |
| 1905 return false; |
| 1906 } |
| 1907 |
| 1889 scoped_refptr<X509Certificate> | 1908 scoped_refptr<X509Certificate> |
| 1890 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1909 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
| 1891 return server_cert_; | 1910 return server_cert_; |
| 1892 } | 1911 } |
| 1893 | 1912 |
| 1894 } // namespace net | 1913 } // namespace net |
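Review bot: IsRenegotiationAllowed() (new lines 1896-1906) carries no comment describing the policy it implements, and only the kNextProtoUnsupported branch is self-explanatory; for every other npn_status_ the outcome hinges on whether NextProtoFromString(npn_proto_) appears in renego_allowed_for_protos, so an empty or unrecognized npn_proto_ presumably maps to an unknown protocol and leaves renegotiation rejected, which is the safe result but should be stated as intended rather than left implicit. A header comment such as `// Returns true if peer-initiated renegotiation should be accepted on this connection: the config default when the server offered no NPN/ALPN, otherwise only when the negotiated protocol is listed in ssl_config_.renego_allowed_for_protos.` would capture that. If <algorithm> is among the includes and renego_allowed_for_protos is a standard container, the lookup loop can be written as `return std::find(ssl_config_.renego_allowed_for_protos.begin(), ssl_config_.renego_allowed_for_protos.end(), next_proto) != ssl_config_.renego_allowed_for_protos.end();`. The call at new lines 956-957 relies on npn_status_ and npn_proto_ already reflecting this handshake when SSL_do_handshake reports success; DoHandshake's body begins outside the visible region, so that ordering cannot be confirmed here and deserves a one-line comment at the call site. The reject flag armed at new line 848 is cleared at line 957 and never re-armed, which is fine for a single handshake but worth noting if the SSL object can ever be reused for another one.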