| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <openssl/ssl.h> | 10 #include <openssl/ssl.h> |
| (...skipping 567 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 578 reinterpret_cast<const char*>(str), | 578 reinterpret_cast<const char*>(str), |
| 579 static_cast<size_t>(length))); | 579 static_cast<size_t>(length))); |
| 580 OPENSSL_free(str); | 580 OPENSSL_free(str); |
| 581 } | 581 } |
| 582 | 582 |
| 583 return -1; // Suspends handshake. | 583 return -1; // Suspends handshake. |
| 584 } | 584 } |
| 585 | 585 |
| 586 // Second pass: a client certificate should have been selected. | 586 // Second pass: a client certificate should have been selected. |
| 587 if (ssl_config_.client_cert) { | 587 if (ssl_config_.client_cert) { |
| 588 EVP_PKEY* privkey = OpenSSLPrivateKeyStore::GetInstance()->FetchPrivateKey( | 588 // A note about ownership: FetchClientCertPrivateKey() increments |
| 589 X509_PUBKEY_get(X509_get_X509_PUBKEY( | 589 // the reference count of the returned EVP_PKEY, which is later |
| 590 ssl_config_.client_cert->os_cert_handle()))); | 590 // passed directly to OpenSSL. The library will later call |
| 591 if (privkey) { | 591 // EVP_PKEY_free() on it when the SSL object is destroyed. |
| 592 OpenSSLPrivateKeyStore::ScopedEVP_PKEY privkey; |
| 593 if (OpenSSLPrivateKeyStore::GetInstance()->FetchClientCertPrivateKey( |
| 594 ssl_config_.client_cert.get(), &privkey)) { |
| 592 // TODO(joth): (copied from NSS) We should wait for server certificate | 595 // TODO(joth): (copied from NSS) We should wait for server certificate |
| 593 // verification before sending our credentials. See http://crbug.com/13934 | 596 // verification before sending our credentials. See http://crbug.com/13934 |
| 594 *x509 = X509Certificate::DupOSCertHandle( | 597 *x509 = X509Certificate::DupOSCertHandle( |
| 595 ssl_config_.client_cert->os_cert_handle()); | 598 ssl_config_.client_cert->os_cert_handle()); |
| 596 *pkey = privkey; | 599 *pkey = privkey.release(); |
| 597 return 1; | 600 return 1; |
| 598 } | 601 } |
| 599 LOG(WARNING) << "Client cert found without private key"; | 602 LOG(WARNING) << "Client cert found without private key"; |
| 600 } | 603 } |
| 601 | 604 |
| 602 // Send no client certificate. | 605 // Send no client certificate. |
| 603 return 0; | 606 return 0; |
| 604 } | 607 } |
| 605 | 608 |
| 606 // SSLClientSocket methods | 609 // SSLClientSocket methods |
| 607 | 610 |
| 608 bool SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) { | 611 bool SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) { |
| 609 ssl_info->Reset(); | 612 ssl_info->Reset(); |
| 613 |
| 614 ssl_info->client_cert_sent = |
| 615 ssl_config_.send_client_cert && ssl_config_.client_cert; |
| 616 |
| 610 if (!server_cert_) | 617 if (!server_cert_) |
| 611 return false; | 618 return false; |
| 612 | 619 |
| 613 ssl_info->cert = server_cert_verify_result_.verified_cert; | 620 ssl_info->cert = server_cert_verify_result_.verified_cert; |
| 614 ssl_info->cert_status = server_cert_verify_result_.cert_status; | 621 ssl_info->cert_status = server_cert_verify_result_.cert_status; |
| 615 ssl_info->is_issued_by_known_root = | 622 ssl_info->is_issued_by_known_root = |
| 616 server_cert_verify_result_.is_issued_by_known_root; | 623 server_cert_verify_result_.is_issued_by_known_root; |
| 617 ssl_info->public_key_hashes = | 624 ssl_info->public_key_hashes = |
| 618 server_cert_verify_result_.public_key_hashes; | 625 server_cert_verify_result_.public_key_hashes; |
| 619 ssl_info->client_cert_sent = | |
| 620 ssl_config_.send_client_cert && ssl_config_.client_cert; | |
| 621 ssl_info->channel_id_sent = WasChannelIDSent(); | 626 ssl_info->channel_id_sent = WasChannelIDSent(); |
| 622 | 627 |
| 623 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); | 628 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); |
| 624 CHECK(cipher); | 629 CHECK(cipher); |
| 625 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); | 630 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); |
| 626 const COMP_METHOD* compression = SSL_get_current_compression(ssl_); | 631 const COMP_METHOD* compression = SSL_get_current_compression(ssl_); |
| 627 | 632 |
| 628 ssl_info->connection_status = EncodeSSLConnectionStatus( | 633 ssl_info->connection_status = EncodeSSLConnectionStatus( |
| 629 SSL_CIPHER_get_id(cipher), | 634 SSL_CIPHER_get_id(cipher), |
| 630 compression ? compression->type : 0, | 635 compression ? compression->type : 0, |
| (...skipping 733 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1364 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, | 1369 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, |
| 1365 user_write_buf_->data()); | 1370 user_write_buf_->data()); |
| 1366 return rv; | 1371 return rv; |
| 1367 } | 1372 } |
| 1368 | 1373 |
| 1369 int err = SSL_get_error(ssl_, rv); | 1374 int err = SSL_get_error(ssl_, rv); |
| 1370 return MapOpenSSLError(err, err_tracer); | 1375 return MapOpenSSLError(err, err_tracer); |
| 1371 } | 1376 } |
| 1372 | 1377 |
| 1373 } // namespace net | 1378 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 12220104:
Wire up SSL client authentication for OpenSSL/Android through the net/ stack (Closed)
Base URL: http://git.chromium.org/chromium/src.git@master