| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| 11 #include <openssl/bio.h> | 11 #include <openssl/bio.h> |
| 12 #include <openssl/err.h> | 12 #include <openssl/err.h> |
| 13 #include <openssl/mem.h> | 13 #include <openssl/mem.h> |
| 14 #include <openssl/ssl.h> | 14 #include <openssl/ssl.h> |
| 15 #include <string.h> | 15 #include <string.h> |
| 16 | 16 |
| 17 #include "base/bind.h" | 17 #include "base/bind.h" |
| 18 #include "base/callback_helpers.h" | 18 #include "base/callback_helpers.h" |
| 19 #include "base/environment.h" | 19 #include "base/environment.h" |
| 20 #include "base/lazy_instance.h" |
| 20 #include "base/memory/singleton.h" | 21 #include "base/memory/singleton.h" |
| 21 #include "base/metrics/histogram_macros.h" | 22 #include "base/metrics/histogram_macros.h" |
| 22 #include "base/profiler/scoped_tracker.h" | 23 #include "base/profiler/scoped_tracker.h" |
| 24 #include "base/stl_util.h" |
| 23 #include "base/strings/string_piece.h" | 25 #include "base/strings/string_piece.h" |
| 24 #include "base/synchronization/lock.h" | 26 #include "base/synchronization/lock.h" |
| 27 #include "base/threading/sequenced_worker_pool.h" |
| 25 #include "base/threading/thread_local.h" | 28 #include "base/threading/thread_local.h" |
| 26 #include "base/values.h" | 29 #include "base/values.h" |
| 27 #include "crypto/ec_private_key.h" | 30 #include "crypto/ec_private_key.h" |
| 28 #include "crypto/openssl_util.h" | 31 #include "crypto/openssl_util.h" |
| 29 #include "crypto/scoped_openssl_types.h" | 32 #include "crypto/scoped_openssl_types.h" |
| 30 #include "net/base/ip_address_number.h" | 33 #include "net/base/ip_address_number.h" |
| 31 #include "net/base/net_errors.h" | 34 #include "net/base/net_errors.h" |
| 32 #include "net/cert/cert_policy_enforcer.h" | 35 #include "net/cert/cert_policy_enforcer.h" |
| 33 #include "net/cert/cert_verifier.h" | 36 #include "net/cert/cert_verifier.h" |
| 34 #include "net/cert/ct_ev_whitelist.h" | 37 #include "net/cert/ct_ev_whitelist.h" |
| 35 #include "net/cert/ct_verifier.h" | 38 #include "net/cert/ct_verifier.h" |
| 36 #include "net/cert/x509_certificate_net_log_param.h" | 39 #include "net/cert/x509_certificate_net_log_param.h" |
| 37 #include "net/cert/x509_util_openssl.h" | 40 #include "net/cert/x509_util_openssl.h" |
| 38 #include "net/http/transport_security_state.h" | 41 #include "net/http/transport_security_state.h" |
| 39 #include "net/ssl/scoped_openssl_types.h" | 42 #include "net/ssl/scoped_openssl_types.h" |
| 40 #include "net/ssl/ssl_cert_request_info.h" | 43 #include "net/ssl/ssl_cert_request_info.h" |
| 41 #include "net/ssl/ssl_client_session_cache_openssl.h" | 44 #include "net/ssl/ssl_client_session_cache_openssl.h" |
| 42 #include "net/ssl/ssl_connection_status_flags.h" | 45 #include "net/ssl/ssl_connection_status_flags.h" |
| 43 #include "net/ssl/ssl_failure_state.h" | 46 #include "net/ssl/ssl_failure_state.h" |
| 44 #include "net/ssl/ssl_info.h" | 47 #include "net/ssl/ssl_info.h" |
| 48 #include "net/ssl/ssl_private_key.h" |
| 45 | 49 |
| 46 #if defined(OS_WIN) | 50 #if defined(OS_WIN) |
| 47 #include "base/win/windows_version.h" | 51 #include "base/win/windows_version.h" |
| 48 #endif | 52 #endif |
| 49 | 53 |
| 50 #if defined(USE_OPENSSL_CERTS) | 54 #if defined(USE_OPENSSL_CERTS) |
| 51 #include "net/ssl/openssl_client_key_store.h" | 55 #include "net/ssl/openssl_client_key_store.h" |
| 52 #else | 56 #else |
| 53 #include "net/ssl/openssl_platform_key.h" | 57 #include "net/ssl/ssl_platform_key.h" |
| 54 #endif | 58 #endif |
| 55 | 59 |
| 56 namespace net { | 60 namespace net { |
| 57 | 61 |
| 58 namespace { | 62 namespace { |
| 59 | 63 |
| 60 // Enable this to see logging for state machine state transitions. | 64 // Enable this to see logging for state machine state transitions. |
| 61 #if 0 | 65 #if 0 |
| 62 #define GotoState(s) do { DVLOG(2) << (void *)this << " " << __FUNCTION__ << \ | 66 #define GotoState(s) do { DVLOG(2) << (void *)this << " " << __FUNCTION__ << \ |
| 63 " jump to state " << s; \ | 67 " jump to state " << s; \ |
| 64 next_handshake_state_ = s; } while (0) | 68 next_handshake_state_ = s; } while (0) |
| 65 #else | 69 #else |
| 66 #define GotoState(s) next_handshake_state_ = s | 70 #define GotoState(s) next_handshake_state_ = s |
| 67 #endif | 71 #endif |
| 68 | 72 |
| 69 // This constant can be any non-negative/non-zero value (eg: it does not | 73 // This constant can be any non-negative/non-zero value (eg: it does not |
| 70 // overlap with any value of the net::Error range, including net::OK). | 74 // overlap with any value of the net::Error range, including net::OK). |
| 71 const int kNoPendingReadResult = 1; | 75 const int kNoPendingResult = 1; |
| 72 | 76 |
| 73 // If a client doesn't have a list of protocols that it supports, but | 77 // If a client doesn't have a list of protocols that it supports, but |
| 74 // the server supports NPN, choosing "http/1.1" is the best answer. | 78 // the server supports NPN, choosing "http/1.1" is the best answer. |
| 75 const char kDefaultSupportedNPNProtocol[] = "http/1.1"; | 79 const char kDefaultSupportedNPNProtocol[] = "http/1.1"; |
| 76 | 80 |
| 77 // Default size of the internal BoringSSL buffers. | 81 // Default size of the internal BoringSSL buffers. |
| 78 const int KDefaultOpenSSLBufferSize = 17 * 1024; | 82 const int KDefaultOpenSSLBufferSize = 17 * 1024; |
| 79 | 83 |
| 80 void FreeX509Stack(STACK_OF(X509)* ptr) { | 84 void FreeX509Stack(STACK_OF(X509)* ptr) { |
| 81 sk_X509_pop_free(ptr, X509_free); | 85 sk_X509_pop_free(ptr, X509_free); |
| (...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 138 sk_X509_push(stack.get(), x509.release()); | 142 sk_X509_push(stack.get(), x509.release()); |
| 139 } | 143 } |
| 140 return stack.Pass(); | 144 return stack.Pass(); |
| 141 } | 145 } |
| 142 | 146 |
| 143 int LogErrorCallback(const char* str, size_t len, void* context) { | 147 int LogErrorCallback(const char* str, size_t len, void* context) { |
| 144 LOG(ERROR) << base::StringPiece(str, len); | 148 LOG(ERROR) << base::StringPiece(str, len); |
| 145 return 1; | 149 return 1; |
| 146 } | 150 } |
| 147 | 151 |
| 152 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) { |
| 153 switch (EVP_MD_type(md)) { |
| 154 case NID_md5_sha1: |
| 155 *hash = SSLPrivateKey::Hash::MD5_SHA1; |
| 156 return true; |
| 157 case NID_sha1: |
| 158 *hash = SSLPrivateKey::Hash::SHA1; |
| 159 return true; |
| 160 case NID_sha256: |
| 161 *hash = SSLPrivateKey::Hash::SHA256; |
| 162 return true; |
| 163 case NID_sha384: |
| 164 *hash = SSLPrivateKey::Hash::SHA384; |
| 165 return true; |
| 166 case NID_sha512: |
| 167 *hash = SSLPrivateKey::Hash::SHA512; |
| 168 return true; |
| 169 default: |
| 170 return false; |
| 171 } |
| 172 } |
| 173 |
| 174 #if !defined(USE_OPENSSL_CERTS) |
| 175 class PlatformKeyTaskRunner { |
| 176 public: |
| 177 PlatformKeyTaskRunner() { |
| 178 // Serialize all the private key operations on a single background |
| 179 // thread to avoid problems with buggy smartcards. |
| 180 worker_pool_ = new base::SequencedWorkerPool(1, "Platform Key Thread"); |
| 181 task_runner_ = worker_pool_->GetSequencedTaskRunnerWithShutdownBehavior( |
| 182 worker_pool_->GetSequenceToken(), |
| 183 base::SequencedWorkerPool::CONTINUE_ON_SHUTDOWN); |
| 184 } |
| 185 |
| 186 scoped_refptr<base::SequencedTaskRunner> task_runner() { |
| 187 return task_runner_; |
| 188 } |
| 189 |
| 190 private: |
| 191 scoped_refptr<base::SequencedWorkerPool> worker_pool_; |
| 192 scoped_refptr<base::SequencedTaskRunner> task_runner_; |
| 193 |
| 194 DISALLOW_COPY_AND_ASSIGN(PlatformKeyTaskRunner); |
| 195 }; |
| 196 |
| 197 base::LazyInstance<PlatformKeyTaskRunner>::Leaky g_platform_key_task_runner = |
| 198 LAZY_INSTANCE_INITIALIZER; |
| 199 #endif // !USE_OPENSSL_CERTS |
| 200 |
| 148 } // namespace | 201 } // namespace |
| 149 | 202 |
| 150 class SSLClientSocketOpenSSL::SSLContext { | 203 class SSLClientSocketOpenSSL::SSLContext { |
| 151 public: | 204 public: |
| 152 static SSLContext* GetInstance() { return Singleton<SSLContext>::get(); } | 205 static SSLContext* GetInstance() { return Singleton<SSLContext>::get(); } |
| 153 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); } | 206 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); } |
| 154 SSLClientSessionCacheOpenSSL* session_cache() { return &session_cache_; } | 207 SSLClientSessionCacheOpenSSL* session_cache() { return &session_cache_; } |
| 155 | 208 |
| 156 SSLClientSocketOpenSSL* GetClientSocketFromSSL(const SSL* ssl) { | 209 SSLClientSocketOpenSSL* GetClientSocketFromSSL(const SSL* ssl) { |
| 157 DCHECK(ssl); | 210 DCHECK(ssl); |
| 158 SSLClientSocketOpenSSL* socket = static_cast<SSLClientSocketOpenSSL*>( | 211 SSLClientSocketOpenSSL* socket = static_cast<SSLClientSocketOpenSSL*>( |
| 159 SSL_get_ex_data(ssl, ssl_socket_data_index_)); | 212 SSL_get_ex_data(ssl, ssl_socket_data_index_)); |
| 160 DCHECK(socket); | 213 DCHECK(socket); |
| 161 return socket; | 214 return socket; |
| 162 } | 215 } |
| 163 | 216 |
| 164 bool SetClientSocketForSSL(SSL* ssl, SSLClientSocketOpenSSL* socket) { | 217 bool SetClientSocketForSSL(SSL* ssl, SSLClientSocketOpenSSL* socket) { |
| 165 return SSL_set_ex_data(ssl, ssl_socket_data_index_, socket) != 0; | 218 return SSL_set_ex_data(ssl, ssl_socket_data_index_, socket) != 0; |
| 166 } | 219 } |
| 167 | 220 |
| 221 static const SSL_PRIVATE_KEY_METHOD kPrivateKeyMethod; |
| 222 |
| 168 private: | 223 private: |
| 169 friend struct DefaultSingletonTraits<SSLContext>; | 224 friend struct DefaultSingletonTraits<SSLContext>; |
| 170 | 225 |
| 171 SSLContext() : session_cache_(SSLClientSessionCacheOpenSSL::Config()) { | 226 SSLContext() : session_cache_(SSLClientSessionCacheOpenSSL::Config()) { |
| 172 crypto::EnsureOpenSSLInit(); | 227 crypto::EnsureOpenSSLInit(); |
| 173 ssl_socket_data_index_ = SSL_get_ex_new_index(0, 0, 0, 0, 0); | 228 ssl_socket_data_index_ = SSL_get_ex_new_index(0, 0, 0, 0, 0); |
| 174 DCHECK_NE(ssl_socket_data_index_, -1); | 229 DCHECK_NE(ssl_socket_data_index_, -1); |
| 175 ssl_ctx_.reset(SSL_CTX_new(SSLv23_client_method())); | 230 ssl_ctx_.reset(SSL_CTX_new(SSLv23_client_method())); |
| 176 SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), CertVerifyCallback, NULL); | 231 SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), CertVerifyCallback, NULL); |
| 177 SSL_CTX_set_cert_cb(ssl_ctx_.get(), ClientCertRequestCallback, NULL); | 232 SSL_CTX_set_cert_cb(ssl_ctx_.get(), ClientCertRequestCallback, NULL); |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 229 unsigned int inlen, void* arg) { | 284 unsigned int inlen, void* arg) { |
| 230 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); | 285 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
| 231 return socket->SelectNextProtoCallback(out, outlen, in, inlen); | 286 return socket->SelectNextProtoCallback(out, outlen, in, inlen); |
| 232 } | 287 } |
| 233 | 288 |
| 234 static int NewSessionCallback(SSL* ssl, SSL_SESSION* session) { | 289 static int NewSessionCallback(SSL* ssl, SSL_SESSION* session) { |
| 235 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); | 290 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
| 236 return socket->NewSessionCallback(session); | 291 return socket->NewSessionCallback(session); |
| 237 } | 292 } |
| 238 | 293 |
| 294 static int PrivateKeyTypeCallback(SSL* ssl) { |
| 295 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
| 296 return socket->PrivateKeyTypeCallback(); |
| 297 } |
| 298 |
| 299 static int PrivateKeySupportsDigestCallback(SSL* ssl, const EVP_MD* md) { |
| 300 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
| 301 return socket->PrivateKeySupportsDigestCallback(md); |
| 302 } |
| 303 |
| 304 static size_t PrivateKeyMaxSignatureLenCallback(SSL* ssl) { |
| 305 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
| 306 return socket->PrivateKeyMaxSignatureLenCallback(); |
| 307 } |
| 308 |
| 309 static ssl_private_key_result_t PrivateKeySignCallback(SSL* ssl, |
| 310 uint8_t* out, |
| 311 size_t* out_len, |
| 312 size_t max_out, |
| 313 const EVP_MD* md, |
| 314 const uint8_t* in, |
| 315 size_t in_len) { |
| 316 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
| 317 return socket->PrivateKeySignCallback(out, out_len, max_out, md, in, |
| 318 in_len); |
| 319 } |
| 320 |
| 321 static ssl_private_key_result_t PrivateKeySignCompleteCallback( |
| 322 SSL* ssl, |
| 323 uint8_t* out, |
| 324 size_t* out_len, |
| 325 size_t max_out) { |
| 326 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
| 327 return socket->PrivateKeySignCompleteCallback(out, out_len, max_out); |
| 328 } |
| 329 |
| 239 // This is the index used with SSL_get_ex_data to retrieve the owner | 330 // This is the index used with SSL_get_ex_data to retrieve the owner |
| 240 // SSLClientSocketOpenSSL object from an SSL instance. | 331 // SSLClientSocketOpenSSL object from an SSL instance. |
| 241 int ssl_socket_data_index_; | 332 int ssl_socket_data_index_; |
| 242 | 333 |
| 243 ScopedSSL_CTX ssl_ctx_; | 334 ScopedSSL_CTX ssl_ctx_; |
| 244 | 335 |
| 245 // TODO(davidben): Use a separate cache per URLRequestContext. | 336 // TODO(davidben): Use a separate cache per URLRequestContext. |
| 246 // https://crbug.com/458365 | 337 // https://crbug.com/458365 |
| 247 // | 338 // |
| 248 // TODO(davidben): Sessions should be invalidated on fatal | 339 // TODO(davidben): Sessions should be invalidated on fatal |
| 249 // alerts. https://crbug.com/466352 | 340 // alerts. https://crbug.com/466352 |
| 250 SSLClientSessionCacheOpenSSL session_cache_; | 341 SSLClientSessionCacheOpenSSL session_cache_; |
| 251 }; | 342 }; |
| 252 | 343 |
| 344 const SSL_PRIVATE_KEY_METHOD |
| 345 SSLClientSocketOpenSSL::SSLContext::kPrivateKeyMethod = { |
| 346 &SSLClientSocketOpenSSL::SSLContext::PrivateKeyTypeCallback, |
| 347 &SSLClientSocketOpenSSL::SSLContext::PrivateKeySupportsDigestCallback, |
| 348 &SSLClientSocketOpenSSL::SSLContext::PrivateKeyMaxSignatureLenCallback, |
| 349 &SSLClientSocketOpenSSL::SSLContext::PrivateKeySignCallback, |
| 350 &SSLClientSocketOpenSSL::SSLContext::PrivateKeySignCompleteCallback, |
| 351 }; |
| 352 |
| 253 // PeerCertificateChain is a helper object which extracts the certificate | 353 // PeerCertificateChain is a helper object which extracts the certificate |
| 254 // chain, as given by the server, from an OpenSSL socket and performs the needed | 354 // chain, as given by the server, from an OpenSSL socket and performs the needed |
| 255 // resource management. The first element of the chain is the leaf certificate | 355 // resource management. The first element of the chain is the leaf certificate |
| 256 // and the other elements are in the order given by the server. | 356 // and the other elements are in the order given by the server. |
| 257 class SSLClientSocketOpenSSL::PeerCertificateChain { | 357 class SSLClientSocketOpenSSL::PeerCertificateChain { |
| 258 public: | 358 public: |
| 259 explicit PeerCertificateChain(STACK_OF(X509)* chain) { Reset(chain); } | 359 explicit PeerCertificateChain(STACK_OF(X509)* chain) { Reset(chain); } |
| 260 PeerCertificateChain(const PeerCertificateChain& other) { *this = other; } | 360 PeerCertificateChain(const PeerCertificateChain& other) { *this = other; } |
| 261 ~PeerCertificateChain() {} | 361 ~PeerCertificateChain() {} |
| 262 PeerCertificateChain& operator=(const PeerCertificateChain& other); | 362 PeerCertificateChain& operator=(const PeerCertificateChain& other); |
| (...skipping 80 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 343 return SSL_PROTOCOL_VERSION_TLS1_2; | 443 return SSL_PROTOCOL_VERSION_TLS1_2; |
| 344 } | 444 } |
| 345 | 445 |
| 346 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( | 446 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( |
| 347 scoped_ptr<ClientSocketHandle> transport_socket, | 447 scoped_ptr<ClientSocketHandle> transport_socket, |
| 348 const HostPortPair& host_and_port, | 448 const HostPortPair& host_and_port, |
| 349 const SSLConfig& ssl_config, | 449 const SSLConfig& ssl_config, |
| 350 const SSLClientSocketContext& context) | 450 const SSLClientSocketContext& context) |
| 351 : transport_send_busy_(false), | 451 : transport_send_busy_(false), |
| 352 transport_recv_busy_(false), | 452 transport_recv_busy_(false), |
| 353 pending_read_error_(kNoPendingReadResult), | 453 pending_read_error_(kNoPendingResult), |
| 354 pending_read_ssl_error_(SSL_ERROR_NONE), | 454 pending_read_ssl_error_(SSL_ERROR_NONE), |
| 355 transport_read_error_(OK), | 455 transport_read_error_(OK), |
| 356 transport_write_error_(OK), | 456 transport_write_error_(OK), |
| 357 server_cert_chain_(new PeerCertificateChain(NULL)), | 457 server_cert_chain_(new PeerCertificateChain(NULL)), |
| 358 completed_connect_(false), | 458 completed_connect_(false), |
| 359 was_ever_used_(false), | 459 was_ever_used_(false), |
| 360 cert_verifier_(context.cert_verifier), | 460 cert_verifier_(context.cert_verifier), |
| 361 cert_transparency_verifier_(context.cert_transparency_verifier), | 461 cert_transparency_verifier_(context.cert_transparency_verifier), |
| 362 channel_id_service_(context.channel_id_service), | 462 channel_id_service_(context.channel_id_service), |
| 363 ssl_(NULL), | 463 ssl_(NULL), |
| 364 transport_bio_(NULL), | 464 transport_bio_(NULL), |
| 365 transport_(transport_socket.Pass()), | 465 transport_(transport_socket.Pass()), |
| 366 host_and_port_(host_and_port), | 466 host_and_port_(host_and_port), |
| 367 ssl_config_(ssl_config), | 467 ssl_config_(ssl_config), |
| 368 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 468 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
| 369 next_handshake_state_(STATE_NONE), | 469 next_handshake_state_(STATE_NONE), |
| 370 npn_status_(kNextProtoUnsupported), | 470 npn_status_(kNextProtoUnsupported), |
| 371 channel_id_sent_(false), | 471 channel_id_sent_(false), |
| 372 session_pending_(false), | 472 session_pending_(false), |
| 373 certificate_verified_(false), | 473 certificate_verified_(false), |
| 374 ssl_failure_state_(SSL_FAILURE_NONE), | 474 ssl_failure_state_(SSL_FAILURE_NONE), |
| 475 signature_result_(kNoPendingResult), |
| 375 transport_security_state_(context.transport_security_state), | 476 transport_security_state_(context.transport_security_state), |
| 376 policy_enforcer_(context.cert_policy_enforcer), | 477 policy_enforcer_(context.cert_policy_enforcer), |
| 377 net_log_(transport_->socket()->NetLog()), | 478 net_log_(transport_->socket()->NetLog()), |
| 378 weak_factory_(this) { | 479 weak_factory_(this) { |
| 379 DCHECK(cert_verifier_); | 480 DCHECK(cert_verifier_); |
| 380 } | 481 } |
| 381 | 482 |
| 382 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { | 483 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { |
| 383 Disconnect(); | 484 Disconnect(); |
| 384 } | 485 } |
| (...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 486 recv_buffer_ = NULL; | 587 recv_buffer_ = NULL; |
| 487 | 588 |
| 488 user_connect_callback_.Reset(); | 589 user_connect_callback_.Reset(); |
| 489 user_read_callback_.Reset(); | 590 user_read_callback_.Reset(); |
| 490 user_write_callback_.Reset(); | 591 user_write_callback_.Reset(); |
| 491 user_read_buf_ = NULL; | 592 user_read_buf_ = NULL; |
| 492 user_read_buf_len_ = 0; | 593 user_read_buf_len_ = 0; |
| 493 user_write_buf_ = NULL; | 594 user_write_buf_ = NULL; |
| 494 user_write_buf_len_ = 0; | 595 user_write_buf_len_ = 0; |
| 495 | 596 |
| 496 pending_read_error_ = kNoPendingReadResult; | 597 pending_read_error_ = kNoPendingResult; |
| 497 pending_read_ssl_error_ = SSL_ERROR_NONE; | 598 pending_read_ssl_error_ = SSL_ERROR_NONE; |
| 498 pending_read_error_info_ = OpenSSLErrorInfo(); | 599 pending_read_error_info_ = OpenSSLErrorInfo(); |
| 499 | 600 |
| 500 transport_read_error_ = OK; | 601 transport_read_error_ = OK; |
| 501 transport_write_error_ = OK; | 602 transport_write_error_ = OK; |
| 502 | 603 |
| 503 server_cert_verify_result_.Reset(); | 604 server_cert_verify_result_.Reset(); |
| 504 completed_connect_ = false; | 605 completed_connect_ = false; |
| 505 | 606 |
| 506 cert_authorities_.clear(); | 607 cert_authorities_.clear(); |
| 507 cert_key_types_.clear(); | 608 cert_key_types_.clear(); |
| 508 | 609 |
| 509 start_cert_verification_time_ = base::TimeTicks(); | 610 start_cert_verification_time_ = base::TimeTicks(); |
| 510 | 611 |
| 511 npn_status_ = kNextProtoUnsupported; | 612 npn_status_ = kNextProtoUnsupported; |
| 512 npn_proto_.clear(); | 613 npn_proto_.clear(); |
| 513 | 614 |
| 514 channel_id_sent_ = false; | 615 channel_id_sent_ = false; |
| 515 session_pending_ = false; | 616 session_pending_ = false; |
| 516 certificate_verified_ = false; | 617 certificate_verified_ = false; |
| 517 channel_id_request_.Cancel(); | 618 channel_id_request_.Cancel(); |
| 518 ssl_failure_state_ = SSL_FAILURE_NONE; | 619 ssl_failure_state_ = SSL_FAILURE_NONE; |
| 620 |
| 621 private_key_.reset(); |
| 622 signature_result_ = kNoPendingResult; |
| 623 signature_.clear(); |
| 519 } | 624 } |
| 520 | 625 |
| 521 bool SSLClientSocketOpenSSL::IsConnected() const { | 626 bool SSLClientSocketOpenSSL::IsConnected() const { |
| 522 // If the handshake has not yet completed. | 627 // If the handshake has not yet completed. |
| 523 if (!completed_connect_) | 628 if (!completed_connect_) |
| 524 return false; | 629 return false; |
| 525 // If an asynchronous operation is still pending. | 630 // If an asynchronous operation is still pending. |
| 526 if (user_read_buf_.get() || user_write_buf_.get()) | 631 if (user_read_buf_.get() || user_write_buf_.get()) |
| 527 return true; | 632 return true; |
| 528 | 633 |
| (...skipping 401 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 930 if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) { | 1035 if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) { |
| 931 // The server supports channel ID. Stop to look one up before returning to | 1036 // The server supports channel ID. Stop to look one up before returning to |
| 932 // the handshake. | 1037 // the handshake. |
| 933 GotoState(STATE_CHANNEL_ID_LOOKUP); | 1038 GotoState(STATE_CHANNEL_ID_LOOKUP); |
| 934 return OK; | 1039 return OK; |
| 935 } | 1040 } |
| 936 if (ssl_error == SSL_ERROR_WANT_X509_LOOKUP && | 1041 if (ssl_error == SSL_ERROR_WANT_X509_LOOKUP && |
| 937 !ssl_config_.send_client_cert) { | 1042 !ssl_config_.send_client_cert) { |
| 938 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 1043 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
| 939 } | 1044 } |
| 1045 if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) { |
| 1046 DCHECK(private_key_); |
| 1047 DCHECK_NE(kNoPendingResult, signature_result_); |
| 1048 GotoState(STATE_HANDSHAKE); |
| 1049 return ERR_IO_PENDING; |
| 1050 } |
| 940 | 1051 |
| 941 OpenSSLErrorInfo error_info; | 1052 OpenSSLErrorInfo error_info; |
| 942 net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info); | 1053 net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info); |
| 943 if (net_error == ERR_IO_PENDING) { | 1054 if (net_error == ERR_IO_PENDING) { |
| 944 // If not done, stay in this state | 1055 // If not done, stay in this state |
| 945 GotoState(STATE_HANDSHAKE); | 1056 GotoState(STATE_HANDSHAKE); |
| 946 return ERR_IO_PENDING; | 1057 return ERR_IO_PENDING; |
| 947 } | 1058 } |
| 948 | 1059 |
| 949 LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code " | 1060 LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code " |
| (...skipping 297 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1247 } | 1358 } |
| 1248 } | 1359 } |
| 1249 | 1360 |
| 1250 void SSLClientSocketOpenSSL::OnSendComplete(int result) { | 1361 void SSLClientSocketOpenSSL::OnSendComplete(int result) { |
| 1251 if (next_handshake_state_ == STATE_HANDSHAKE) { | 1362 if (next_handshake_state_ == STATE_HANDSHAKE) { |
| 1252 // In handshake phase. | 1363 // In handshake phase. |
| 1253 OnHandshakeIOComplete(result); | 1364 OnHandshakeIOComplete(result); |
| 1254 return; | 1365 return; |
| 1255 } | 1366 } |
| 1256 | 1367 |
| 1257 // OnSendComplete may need to call DoPayloadRead while the renegotiation | 1368 // During a renegotiation, a Read call may also be blocked on a transport |
| 1258 // handshake is in progress. | 1369 // write, so retry both operations. |
| 1259 int rv_read = ERR_IO_PENDING; | 1370 PumpReadWriteEvents(); |
| 1260 int rv_write = ERR_IO_PENDING; | |
| 1261 bool network_moved; | |
| 1262 do { | |
| 1263 if (user_read_buf_.get()) | |
| 1264 rv_read = DoPayloadRead(); | |
| 1265 if (user_write_buf_.get()) | |
| 1266 rv_write = DoPayloadWrite(); | |
| 1267 network_moved = DoTransportIO(); | |
| 1268 } while (rv_read == ERR_IO_PENDING && rv_write == ERR_IO_PENDING && | |
| 1269 (user_read_buf_.get() || user_write_buf_.get()) && network_moved); | |
| 1270 | |
| 1271 // Performing the Read callback may cause |this| to be deleted. If this | |
| 1272 // happens, the Write callback should not be invoked. Guard against this by | |
| 1273 // holding a WeakPtr to |this| and ensuring it's still valid. | |
| 1274 base::WeakPtr<SSLClientSocketOpenSSL> guard(weak_factory_.GetWeakPtr()); | |
| 1275 if (user_read_buf_.get() && rv_read != ERR_IO_PENDING) | |
| 1276 DoReadCallback(rv_read); | |
| 1277 | |
| 1278 if (!guard.get()) | |
| 1279 return; | |
| 1280 | |
| 1281 if (user_write_buf_.get() && rv_write != ERR_IO_PENDING) | |
| 1282 DoWriteCallback(rv_write); | |
| 1283 } | 1371 } |
| 1284 | 1372 |
| 1285 void SSLClientSocketOpenSSL::OnRecvComplete(int result) { | 1373 void SSLClientSocketOpenSSL::OnRecvComplete(int result) { |
| 1286 if (next_handshake_state_ == STATE_HANDSHAKE) { | 1374 if (next_handshake_state_ == STATE_HANDSHAKE) { |
| 1287 // In handshake phase. | 1375 // In handshake phase. |
| 1288 OnHandshakeIOComplete(result); | 1376 OnHandshakeIOComplete(result); |
| 1289 return; | 1377 return; |
| 1290 } | 1378 } |
| 1291 | 1379 |
| 1292 // Network layer received some data, check if client requested to read | 1380 // Network layer received some data, check if client requested to read |
| (...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1370 return rv; | 1458 return rv; |
| 1371 } | 1459 } |
| 1372 | 1460 |
| 1373 int SSLClientSocketOpenSSL::DoPayloadRead() { | 1461 int SSLClientSocketOpenSSL::DoPayloadRead() { |
| 1374 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 1462 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 1375 | 1463 |
| 1376 DCHECK_LT(0, user_read_buf_len_); | 1464 DCHECK_LT(0, user_read_buf_len_); |
| 1377 DCHECK(user_read_buf_.get()); | 1465 DCHECK(user_read_buf_.get()); |
| 1378 | 1466 |
| 1379 int rv; | 1467 int rv; |
| 1380 if (pending_read_error_ != kNoPendingReadResult) { | 1468 if (pending_read_error_ != kNoPendingResult) { |
| 1381 rv = pending_read_error_; | 1469 rv = pending_read_error_; |
| 1382 pending_read_error_ = kNoPendingReadResult; | 1470 pending_read_error_ = kNoPendingResult; |
| 1383 if (rv == 0) { | 1471 if (rv == 0) { |
| 1384 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, | 1472 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, |
| 1385 rv, user_read_buf_->data()); | 1473 rv, user_read_buf_->data()); |
| 1386 } else { | 1474 } else { |
| 1387 net_log_.AddEvent( | 1475 net_log_.AddEvent( |
| 1388 NetLog::TYPE_SSL_READ_ERROR, | 1476 NetLog::TYPE_SSL_READ_ERROR, |
| 1389 CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_, | 1477 CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_, |
| 1390 pending_read_error_info_)); | 1478 pending_read_error_info_)); |
| 1391 } | 1479 } |
| 1392 pending_read_ssl_error_ = SSL_ERROR_NONE; | 1480 pending_read_ssl_error_ = SSL_ERROR_NONE; |
| (...skipping 21 matching lines...) Expand all Loading... |
| 1414 // | 1502 // |
| 1415 // TransportReadComplete converts the first to an ERR_CONNECTION_CLOSED | 1503 // TransportReadComplete converts the first to an ERR_CONNECTION_CLOSED |
| 1416 // error, so it does not occur. The second and third are distinguished by | 1504 // error, so it does not occur. The second and third are distinguished by |
| 1417 // SSL_ERROR_ZERO_RETURN. | 1505 // SSL_ERROR_ZERO_RETURN. |
| 1418 pending_read_ssl_error_ = SSL_get_error(ssl_, ssl_ret); | 1506 pending_read_ssl_error_ = SSL_get_error(ssl_, ssl_ret); |
| 1419 if (pending_read_ssl_error_ == SSL_ERROR_ZERO_RETURN) { | 1507 if (pending_read_ssl_error_ == SSL_ERROR_ZERO_RETURN) { |
| 1420 pending_read_error_ = 0; | 1508 pending_read_error_ = 0; |
| 1421 } else if (pending_read_ssl_error_ == SSL_ERROR_WANT_X509_LOOKUP && | 1509 } else if (pending_read_ssl_error_ == SSL_ERROR_WANT_X509_LOOKUP && |
| 1422 !ssl_config_.send_client_cert) { | 1510 !ssl_config_.send_client_cert) { |
| 1423 pending_read_error_ = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 1511 pending_read_error_ = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
| 1512 } else if (pending_read_ssl_error_ == |
| 1513 SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) { |
| 1514 DCHECK(private_key_); |
| 1515 DCHECK_NE(kNoPendingResult, signature_result_); |
| 1516 pending_read_error_ = ERR_IO_PENDING; |
| 1424 } else { | 1517 } else { |
| 1425 pending_read_error_ = MapOpenSSLErrorWithDetails( | 1518 pending_read_error_ = MapOpenSSLErrorWithDetails( |
| 1426 pending_read_ssl_error_, err_tracer, &pending_read_error_info_); | 1519 pending_read_ssl_error_, err_tracer, &pending_read_error_info_); |
| 1427 } | 1520 } |
| 1428 | 1521 |
| 1429 // Many servers do not reliably send a close_notify alert when shutting down | 1522 // Many servers do not reliably send a close_notify alert when shutting down |
| 1430 // a connection, and instead terminate the TCP connection. This is reported | 1523 // a connection, and instead terminate the TCP connection. This is reported |
| 1431 // as ERR_CONNECTION_CLOSED. Because of this, map the unclean shutdown to a | 1524 // as ERR_CONNECTION_CLOSED. Because of this, map the unclean shutdown to a |
| 1432 // graceful EOF, instead of treating it as an error as it should be. | 1525 // graceful EOF, instead of treating it as an error as it should be. |
| 1433 if (pending_read_error_ == ERR_CONNECTION_CLOSED) | 1526 if (pending_read_error_ == ERR_CONNECTION_CLOSED) |
| 1434 pending_read_error_ = 0; | 1527 pending_read_error_ = 0; |
| 1435 } | 1528 } |
| 1436 | 1529 |
| 1437 if (total_bytes_read > 0) { | 1530 if (total_bytes_read > 0) { |
| 1438 // Return any bytes read to the caller. The error will be deferred to the | 1531 // Return any bytes read to the caller. The error will be deferred to the |
| 1439 // next call of DoPayloadRead. | 1532 // next call of DoPayloadRead. |
| 1440 rv = total_bytes_read; | 1533 rv = total_bytes_read; |
| 1441 | 1534 |
| 1442 // Do not treat insufficient data as an error to return in the next call to | 1535 // Do not treat insufficient data as an error to return in the next call to |
| 1443 // DoPayloadRead() - instead, let the call fall through to check SSL_read() | 1536 // DoPayloadRead() - instead, let the call fall through to check SSL_read() |
| 1444 // again. This is because DoTransportIO() may complete in between the next | 1537 // again. This is because DoTransportIO() may complete in between the next |
| 1445 // call to DoPayloadRead(), and thus it is important to check SSL_read() on | 1538 // call to DoPayloadRead(), and thus it is important to check SSL_read() on |
| 1446 // subsequent invocations to see if a complete record may now be read. | 1539 // subsequent invocations to see if a complete record may now be read. |
| 1447 if (pending_read_error_ == ERR_IO_PENDING) | 1540 if (pending_read_error_ == ERR_IO_PENDING) |
| 1448 pending_read_error_ = kNoPendingReadResult; | 1541 pending_read_error_ = kNoPendingResult; |
| 1449 } else { | 1542 } else { |
| 1450 // No bytes were returned. Return the pending read error immediately. | 1543 // No bytes were returned. Return the pending read error immediately. |
| 1451 DCHECK_NE(kNoPendingReadResult, pending_read_error_); | 1544 DCHECK_NE(kNoPendingResult, pending_read_error_); |
| 1452 rv = pending_read_error_; | 1545 rv = pending_read_error_; |
| 1453 pending_read_error_ = kNoPendingReadResult; | 1546 pending_read_error_ = kNoPendingResult; |
| 1454 } | 1547 } |
| 1455 | 1548 |
| 1456 if (rv >= 0) { | 1549 if (rv >= 0) { |
| 1457 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv, | 1550 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv, |
| 1458 user_read_buf_->data()); | 1551 user_read_buf_->data()); |
| 1459 } else if (rv != ERR_IO_PENDING) { | 1552 } else if (rv != ERR_IO_PENDING) { |
| 1460 net_log_.AddEvent( | 1553 net_log_.AddEvent( |
| 1461 NetLog::TYPE_SSL_READ_ERROR, | 1554 NetLog::TYPE_SSL_READ_ERROR, |
| 1462 CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_, | 1555 CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_, |
| 1463 pending_read_error_info_)); | 1556 pending_read_error_info_)); |
| 1464 pending_read_ssl_error_ = SSL_ERROR_NONE; | 1557 pending_read_ssl_error_ = SSL_ERROR_NONE; |
| 1465 pending_read_error_info_ = OpenSSLErrorInfo(); | 1558 pending_read_error_info_ = OpenSSLErrorInfo(); |
| 1466 } | 1559 } |
| 1467 return rv; | 1560 return rv; |
| 1468 } | 1561 } |
| 1469 | 1562 |
| 1470 int SSLClientSocketOpenSSL::DoPayloadWrite() { | 1563 int SSLClientSocketOpenSSL::DoPayloadWrite() { |
| 1471 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 1564 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 1472 int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_); | 1565 int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_); |
| 1473 | 1566 |
| 1474 if (rv >= 0) { | 1567 if (rv >= 0) { |
| 1475 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, | 1568 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, |
| 1476 user_write_buf_->data()); | 1569 user_write_buf_->data()); |
| 1477 return rv; | 1570 return rv; |
| 1478 } | 1571 } |
| 1479 | 1572 |
| 1480 int ssl_error = SSL_get_error(ssl_, rv); | 1573 int ssl_error = SSL_get_error(ssl_, rv); |
| 1574 if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) |
| 1575 return ERR_IO_PENDING; |
| 1481 OpenSSLErrorInfo error_info; | 1576 OpenSSLErrorInfo error_info; |
| 1482 int net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, | 1577 int net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, |
| 1483 &error_info); | 1578 &error_info); |
| 1484 | 1579 |
| 1485 if (net_error != ERR_IO_PENDING) { | 1580 if (net_error != ERR_IO_PENDING) { |
| 1486 net_log_.AddEvent( | 1581 net_log_.AddEvent( |
| 1487 NetLog::TYPE_SSL_WRITE_ERROR, | 1582 NetLog::TYPE_SSL_WRITE_ERROR, |
| 1488 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); | 1583 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); |
| 1489 } | 1584 } |
| 1490 return net_error; | 1585 return net_error; |
| 1491 } | 1586 } |
| 1492 | 1587 |
| 1588 void SSLClientSocketOpenSSL::PumpReadWriteEvents() { |
| 1589 int rv_read = ERR_IO_PENDING; |
| 1590 int rv_write = ERR_IO_PENDING; |
| 1591 bool network_moved; |
| 1592 do { |
| 1593 if (user_read_buf_.get()) |
| 1594 rv_read = DoPayloadRead(); |
| 1595 if (user_write_buf_.get()) |
| 1596 rv_write = DoPayloadWrite(); |
| 1597 network_moved = DoTransportIO(); |
| 1598 } while (rv_read == ERR_IO_PENDING && rv_write == ERR_IO_PENDING && |
| 1599 (user_read_buf_.get() || user_write_buf_.get()) && network_moved); |
| 1600 |
| 1601 // Performing the Read callback may cause |this| to be deleted. If this |
| 1602 // happens, the Write callback should not be invoked. Guard against this by |
| 1603 // holding a WeakPtr to |this| and ensuring it's still valid. |
| 1604 base::WeakPtr<SSLClientSocketOpenSSL> guard(weak_factory_.GetWeakPtr()); |
| 1605 if (user_read_buf_.get() && rv_read != ERR_IO_PENDING) |
| 1606 DoReadCallback(rv_read); |
| 1607 |
| 1608 if (!guard.get()) |
| 1609 return; |
| 1610 |
| 1611 if (user_write_buf_.get() && rv_write != ERR_IO_PENDING) |
| 1612 DoWriteCallback(rv_write); |
| 1613 } |
| 1614 |
| 1493 int SSLClientSocketOpenSSL::BufferSend(void) { | 1615 int SSLClientSocketOpenSSL::BufferSend(void) { |
| 1494 if (transport_send_busy_) | 1616 if (transport_send_busy_) |
| 1495 return ERR_IO_PENDING; | 1617 return ERR_IO_PENDING; |
| 1496 | 1618 |
| 1497 size_t buffer_read_offset; | 1619 size_t buffer_read_offset; |
| 1498 uint8_t* read_buf; | 1620 uint8_t* read_buf; |
| 1499 size_t max_read; | 1621 size_t max_read; |
| 1500 int status = BIO_zero_copy_get_read_buf(transport_bio_, &read_buf, | 1622 int status = BIO_zero_copy_get_read_buf(transport_bio_, &read_buf, |
| 1501 &buffer_read_offset, &max_read); | 1623 &buffer_read_offset, &max_read); |
| 1502 DCHECK_EQ(status, 1); // Should never fail. | 1624 DCHECK_EQ(status, 1); // Should never fail. |
| (...skipping 163 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1666 } | 1788 } |
| 1667 | 1789 |
| 1668 ScopedX509Stack chain = OSCertHandlesToOpenSSL( | 1790 ScopedX509Stack chain = OSCertHandlesToOpenSSL( |
| 1669 ssl_config_.client_cert->GetIntermediateCertificates()); | 1791 ssl_config_.client_cert->GetIntermediateCertificates()); |
| 1670 if (!chain) { | 1792 if (!chain) { |
| 1671 LOG(WARNING) << "Failed to import intermediate certificates"; | 1793 LOG(WARNING) << "Failed to import intermediate certificates"; |
| 1672 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT); | 1794 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT); |
| 1673 return -1; | 1795 return -1; |
| 1674 } | 1796 } |
| 1675 | 1797 |
| 1676 // TODO(davidben): With Linux client auth support, this should be | 1798 if (!SSL_use_certificate(ssl_, leaf_x509.get()) || |
| 1677 // conditioned on OS_ANDROID and then, with https://crbug.com/394131, | 1799 !SSL_set1_chain(ssl_, chain.get())) { |
| 1678 // removed altogether. OpenSSLClientKeyStore is mostly an artifact of the | 1800 LOG(WARNING) << "Failed to set client certificate"; |
| 1679 // net/ client auth API lacking a private key handle. | 1801 return -1; |
| 1802 } |
| 1803 |
| 1680 #if defined(USE_OPENSSL_CERTS) | 1804 #if defined(USE_OPENSSL_CERTS) |
| 1805 // TODO(davidben): Move Android to the SSLPrivateKey codepath and disable |
| 1806 // client auth on NaCl altogether. |
| 1681 crypto::ScopedEVP_PKEY privkey = | 1807 crypto::ScopedEVP_PKEY privkey = |
| 1682 OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey( | 1808 OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey( |
| 1683 ssl_config_.client_cert.get()); | 1809 ssl_config_.client_cert.get()); |
| 1684 #else // !defined(USE_OPENSSL_CERTS) | |
| 1685 crypto::ScopedEVP_PKEY privkey = | |
| 1686 FetchClientCertPrivateKey(ssl_config_.client_cert.get()); | |
| 1687 #endif // defined(USE_OPENSSL_CERTS) | |
| 1688 if (!privkey) { | 1810 if (!privkey) { |
| 1689 // Could not find the private key. Fail the handshake and surface an | 1811 // Could not find the private key. Fail the handshake and surface an |
| 1690 // appropriate error to the caller. | 1812 // appropriate error to the caller. |
| 1691 LOG(WARNING) << "Client cert found without private key"; | 1813 LOG(WARNING) << "Client cert found without private key"; |
| 1692 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY); | 1814 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY); |
| 1693 return -1; | 1815 return -1; |
| 1694 } | 1816 } |
| 1817 if (!SSL_use_PrivateKey(ssl_, privkey.get())) { |
| 1818 LOG(WARNING) << "Failed to set private key"; |
| 1819 return -1; |
| 1820 } |
| 1821 #else // !USE_OPENSSL_CERTS |
| 1822 // TODO(davidben): Lift this call up to the embedder so we can actually test |
| 1823 // this code. https://crbug.com/394131 |
| 1824 private_key_ = FetchClientCertPrivateKey( |
| 1825 ssl_config_.client_cert.get(), |
| 1826 g_platform_key_task_runner.Get().task_runner()); |
| 1827 if (!private_key_) { |
| 1828 // Could not find the private key. Fail the handshake and surface an |
| 1829 // appropriate error to the caller. |
| 1830 LOG(WARNING) << "Client cert found without private key"; |
| 1831 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY); |
| 1832 return -1; |
| 1833 } |
| 1695 | 1834 |
| 1696 if (!SSL_use_certificate(ssl_, leaf_x509.get()) || | 1835 SSL_set_private_key_method(ssl_, &SSLContext::kPrivateKeyMethod); |
| 1697 !SSL_use_PrivateKey(ssl_, privkey.get()) || | 1836 #endif // USE_OPENSSL_CERTS |
| 1698 !SSL_set1_chain(ssl_, chain.get())) { | |
| 1699 LOG(WARNING) << "Failed to set client certificate"; | |
| 1700 return -1; | |
| 1701 } | |
| 1702 | 1837 |
| 1703 int cert_count = 1 + sk_X509_num(chain.get()); | 1838 int cert_count = 1 + sk_X509_num(chain.get()); |
| 1704 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | 1839 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, |
| 1705 NetLog::IntegerCallback("cert_count", cert_count)); | 1840 NetLog::IntegerCallback("cert_count", cert_count)); |
| 1706 return 1; | 1841 return 1; |
| 1707 } | 1842 } |
| 1708 #endif // defined(OS_IOS) | 1843 #endif // defined(OS_IOS) |
| 1709 | 1844 |
| 1710 // Send no client certificate. | 1845 // Send no client certificate. |
| 1711 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | 1846 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, |
| (...skipping 205 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1917 return ssl_config_.renego_allowed_default; | 2052 return ssl_config_.renego_allowed_default; |
| 1918 | 2053 |
| 1919 NextProto next_proto = NextProtoFromString(npn_proto_); | 2054 NextProto next_proto = NextProtoFromString(npn_proto_); |
| 1920 for (NextProto allowed : ssl_config_.renego_allowed_for_protos) { | 2055 for (NextProto allowed : ssl_config_.renego_allowed_for_protos) { |
| 1921 if (next_proto == allowed) | 2056 if (next_proto == allowed) |
| 1922 return true; | 2057 return true; |
| 1923 } | 2058 } |
| 1924 return false; | 2059 return false; |
| 1925 } | 2060 } |
| 1926 | 2061 |
| 2062 int SSLClientSocketOpenSSL::PrivateKeyTypeCallback() { |
| 2063 switch (private_key_->GetType()) { |
| 2064 case SSLPrivateKey::Type::RSA: |
| 2065 return EVP_PKEY_RSA; |
| 2066 case SSLPrivateKey::Type::ECDSA: |
| 2067 return EVP_PKEY_EC; |
| 2068 } |
| 2069 NOTREACHED(); |
| 2070 return EVP_PKEY_NONE; |
| 2071 } |
| 2072 |
| 2073 int SSLClientSocketOpenSSL::PrivateKeySupportsDigestCallback(const EVP_MD* md) { |
| 2074 SSLPrivateKey::Hash hash; |
| 2075 return EVP_MDToPrivateKeyHash(md, &hash) && private_key_->SupportsHash(hash); |
| 2076 } |
| 2077 |
| 2078 size_t SSLClientSocketOpenSSL::PrivateKeyMaxSignatureLenCallback() { |
| 2079 return private_key_->GetMaxSignatureLengthInBytes(); |
| 2080 } |
| 2081 |
| 2082 ssl_private_key_result_t SSLClientSocketOpenSSL::PrivateKeySignCallback( |
| 2083 uint8_t* out, |
| 2084 size_t* out_len, |
| 2085 size_t max_out, |
| 2086 const EVP_MD* md, |
| 2087 const uint8_t* in, |
| 2088 size_t in_len) { |
| 2089 DCHECK_EQ(kNoPendingResult, signature_result_); |
| 2090 DCHECK(signature_.empty()); |
| 2091 DCHECK(private_key_); |
| 2092 |
| 2093 net_log_.BeginEvent(NetLog::TYPE_SSL_PRIVATE_KEY_OPERATION); |
| 2094 |
| 2095 SSLPrivateKey::Hash hash; |
| 2096 if (!EVP_MDToPrivateKeyHash(md, &hash)) { |
| 2097 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED); |
| 2098 return ssl_private_key_failure; |
| 2099 } |
| 2100 |
| 2101 signature_result_ = ERR_IO_PENDING; |
| 2102 private_key_->SignDigest( |
| 2103 hash, base::StringPiece(reinterpret_cast<const char*>(in), in_len), |
| 2104 base::Bind(&SSLClientSocketOpenSSL::OnPrivateKeySignComplete, |
| 2105 weak_factory_.GetWeakPtr())); |
| 2106 return ssl_private_key_retry; |
| 2107 } |
| 2108 |
| 2109 ssl_private_key_result_t SSLClientSocketOpenSSL::PrivateKeySignCompleteCallback( |
| 2110 uint8_t* out, |
| 2111 size_t* out_len, |
| 2112 size_t max_out) { |
| 2113 DCHECK_NE(kNoPendingResult, signature_result_); |
| 2114 DCHECK(private_key_); |
| 2115 |
| 2116 if (signature_result_ == ERR_IO_PENDING) |
| 2117 return ssl_private_key_retry; |
| 2118 if (signature_result_ != OK) { |
| 2119 OpenSSLPutNetError(FROM_HERE, signature_result_); |
| 2120 return ssl_private_key_failure; |
| 2121 } |
| 2122 if (signature_.size() > max_out) { |
| 2123 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED); |
| 2124 return ssl_private_key_failure; |
| 2125 } |
| 2126 memcpy(out, vector_as_array(&signature_), signature_.size()); |
| 2127 *out_len = signature_.size(); |
| 2128 signature_.clear(); |
| 2129 return ssl_private_key_success; |
| 2130 } |
| 2131 |
| 2132 void SSLClientSocketOpenSSL::OnPrivateKeySignComplete( |
| 2133 Error error, |
| 2134 const std::vector<uint8_t>& signature) { |
| 2135 DCHECK_EQ(ERR_IO_PENDING, signature_result_); |
| 2136 DCHECK(signature_.empty()); |
| 2137 DCHECK(private_key_); |
| 2138 |
| 2139 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_PRIVATE_KEY_OPERATION, |
| 2140 error); |
| 2141 |
| 2142 signature_result_ = error; |
| 2143 if (signature_result_ == OK) |
| 2144 signature_ = signature; |
| 2145 |
| 2146 if (next_handshake_state_ == STATE_HANDSHAKE) { |
| 2147 OnHandshakeIOComplete(signature_result_); |
| 2148 return; |
| 2149 } |
| 2150 |
| 2151 // During a renegotiation, either Read or Write calls may be blocked on an |
| 2152 // asynchronous private key operation. |
| 2153 PumpReadWriteEvents(); |
| 2154 } |
| 2155 |
| 1927 } // namespace net | 2156 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1178193002:
Sign CertificateVerify messages on a background thread. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master