1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
836 } | 836 } |
837 | 837 |
838 if (cert_verifier_->SupportsOCSPStapling()) | 838 if (cert_verifier_->SupportsOCSPStapling()) |
839 SSL_enable_ocsp_stapling(ssl_); | 839 SSL_enable_ocsp_stapling(ssl_); |
840 | 840 |
841 // Enable fastradio padding. | 841 // Enable fastradio padding. |
842 SSL_enable_fastradio_padding(ssl_, | 842 SSL_enable_fastradio_padding(ssl_, |
843 ssl_config_.fastradio_padding_enabled && | 843 ssl_config_.fastradio_padding_enabled && |
844 ssl_config_.fastradio_padding_eligible); | 844 ssl_config_.fastradio_padding_eligible); |
845 | 845 |
| 846 // By default, renegotiations are rejected. After the initial handshake |
| 847 // completes, some application protocols may re-enable it. |
| 848 SSL_set_reject_peer_renegotiations(ssl_, 1); |
| 849 |
846 return OK; | 850 return OK; |
847 } | 851 } |
848 | 852 |
849 void SSLClientSocketOpenSSL::DoReadCallback(int rv) { | 853 void SSLClientSocketOpenSSL::DoReadCallback(int rv) { |
850 // Since Run may result in Read being called, clear |user_read_callback_| | 854 // Since Run may result in Read being called, clear |user_read_callback_| |
851 // up front. | 855 // up front. |
852 if (rv > 0) | 856 if (rv > 0) |
853 was_ever_used_ = true; | 857 was_ever_used_ = true; |
854 user_read_buf_ = NULL; | 858 user_read_buf_ = NULL; |
855 user_read_buf_len_ = 0; | 859 user_read_buf_len_ = 0; |
942 | 946 |
943 set_stapled_ocsp_response_received(ocsp_response_len != 0); | 947 set_stapled_ocsp_response_received(ocsp_response_len != 0); |
944 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); | 948 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); |
945 } | 949 } |
946 | 950 |
947 const uint8_t* sct_list; | 951 const uint8_t* sct_list; |
948 size_t sct_list_len; | 952 size_t sct_list_len; |
949 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len); | 953 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len); |
950 set_signed_cert_timestamps_received(sct_list_len != 0); | 954 set_signed_cert_timestamps_received(sct_list_len != 0); |
951 | 955 |
| 956 if (IsRenegotiationAllowed()) |
| 957 SSL_set_reject_peer_renegotiations(ssl_, 0); |
| 958 |
952 // Verify the certificate. | 959 // Verify the certificate. |
953 UpdateServerCert(); | 960 UpdateServerCert(); |
954 GotoState(STATE_VERIFY_CERT); | 961 GotoState(STATE_VERIFY_CERT); |
955 } else { | 962 } else { |
956 if (client_auth_cert_needed_) | 963 if (client_auth_cert_needed_) |
957 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 964 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
958 | 965 |
959 int ssl_error = SSL_get_error(ssl_, rv); | 966 int ssl_error = SSL_get_error(ssl_, rv); |
960 | 967 |
961 if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) { | 968 if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) { |
1879 NOTREACHED(); | 1886 NOTREACHED(); |
1880 } | 1887 } |
1881 | 1888 |
1882 result.append("/"); | 1889 result.append("/"); |
1883 if (ssl_config_.enable_deprecated_cipher_suites) | 1890 if (ssl_config_.enable_deprecated_cipher_suites) |
1884 result.append("deprecated"); | 1891 result.append("deprecated"); |
1885 | 1892 |
1886 return result; | 1893 return result; |
1887 } | 1894 } |
1888 | 1895 |
| 1896 bool SSLClientSocketOpenSSL::IsRenegotiationAllowed() const { |
| 1897 if (npn_status_ == kNextProtoUnsupported) |
| 1898 return ssl_config_.renego_allowed_default; |
| 1899 |
| 1900 NextProto next_proto = NextProtoFromString(npn_proto_); |
| 1901 for (NextProto allowed : ssl_config_.renego_allowed_for_protos) { |
| 1902 if (next_proto == allowed) |
| 1903 return true; |
| 1904 } |
| 1905 return false; |
| 1906 } |
| 1907 |
1889 scoped_refptr<X509Certificate> | 1908 scoped_refptr<X509Certificate> |
1890 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1909 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
1891 return server_cert_; | 1910 return server_cert_; |
1892 } | 1911 } |
1893 | 1912 |
1894 } // namespace net | 1913 } // namespace net |
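Review bot: IsRenegotiationAllowed (new lines 1896-1906) consults `renego_allowed_default` only when `npn_status_ == kNextProtoUnsupported`; when NPN was offered but no protocol was agreed, `npn_proto_` is presumably empty, so control falls through to the list scan and the function returns false regardless of the default, which may be intended (fail closed) but is not stated anywhere. A header comment on the function would make that contract explicit, e.g. `// Returns whether peer-initiated renegotiation is permitted for the negotiated application protocol. Without NPN the configured default applies; with NPN, only protocols listed in renego_allowed_for_protos qualify, so an unrecognised or absent protocol keeps renegotiation rejected.` The hand-written loop at 1901-1904 can be replaced by the library search, `const auto& protos = ssl_config_.renego_allowed_for_protos; return std::find(protos.begin(), protos.end(), next_proto) != protos.end();`, which needs `<algorithm>` if the file does not already include it. The call site at 956-957 re-enables renegotiation before certificate verification runs (STATE_VERIFY_CERT at 961); since renegotiation cannot occur until the handshake completes this is harmless, but a one-line comment there saying so would save the next reader the check.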