
Side by Side Diff: net/socket/ssl_client_socket_openssl.cc

Issue 1131763002: Reject renegotiations in SSLClientSocket by default. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: NSS greediness... Created 5 years, 7 months ago
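--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <errno.h>
@@ -836,20 +836,24 @@
 }
 
 if (cert_verifier_->SupportsOCSPStapling())
 SSL_enable_ocsp_stapling(ssl_);
 
 // Enable fastradio padding.
 SSL_enable_fastradio_padding(ssl_,
 ssl_config_.fastradio_padding_enabled &&
 ssl_config_.fastradio_padding_eligible);
 
+// By default, renegotiations are rejected. After the initial handshake
+// completes, some application protocols may re-enable it.
+SSL_set_reject_peer_renegotiations(ssl_, 1);
+
 return OK;
 }
 
 void SSLClientSocketOpenSSL::DoReadCallback(int rv) {
 // Since Run may result in Read being called, clear |user_read_callback_|
 // up front.
 if (rv > 0)
 was_ever_used_ = true;
 user_read_buf_ = NULL;
 user_read_buf_len_ = 0;
@@ -942,20 +946,23 @@
 
 set_stapled_ocsp_response_received(ocsp_response_len != 0);
 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0);
 }
 
 const uint8_t* sct_list;
 size_t sct_list_len;
 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len);
 set_signed_cert_timestamps_received(sct_list_len != 0);
 
+if (IsRenegotiationAllowed())
+SSL_set_reject_peer_renegotiations(ssl_, 0);
+
 // Verify the certificate.
 UpdateServerCert();
 GotoState(STATE_VERIFY_CERT);
 } else {
 if (client_auth_cert_needed_)
 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
 
 int ssl_error = SSL_get_error(ssl_, rv);
 
 if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) {
@@ -1879,16 +1886,28 @@
 NOTREACHED();
 }
 
 result.append("/");
 if (ssl_config_.enable_deprecated_cipher_suites)
 result.append("deprecated");
 
 return result;
 }
 
+bool SSLClientSocketOpenSSL::IsRenegotiationAllowed() const {
+if (npn_status_ == kNextProtoUnsupported)
+return ssl_config_.renego_allowed_default;
+
+NextProto next_proto = NextProtoFromString(npn_proto_);
+for (NextProto allowed : ssl_config_.renego_allowed_for_protos) {
+if (next_proto == allowed)
+return true;
+}
+return false;
+}
+
 scoped_refptr<X509Certificate>
 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const {
 return server_cert_;
 }
 
 } // namespace net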
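Review bot: IsRenegotiationAllowed (new lines 1896–1906) hand-rolls a linear scan over ssl_config_.renego_allowed_for_protos where a single `return std::find(protos.begin(), protos.end(), next_proto) != protos.end();` says the same thing, provided <algorithm> is already among the file's includes (the include list is cut off above). The definition also arrives in the .cc with no comment stating the policy it implements, and its declaration lives in a separate file; a comment above it such as `// Renegotiation stays rejected unless the negotiated protocol is allow-listed in ssl_config_; with no negotiated protocol, renego_allowed_default decides.` would tell a reader why the handshake path at new lines 956–957 flips SSL_set_reject_peer_renegotiations back to 0. One behaviour worth pinning down in that comment: when a protocol was negotiated but NextProtoFromString presumably maps an unrecognised string to a value not in the list, the loop returns false, so unknown protocol strings are treated as never allowing renegotiation; if that is the intent, saying so keeps a later maintainer from "fixing" it.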
