| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <openssl/ssl.h> | 10 #include <openssl/ssl.h> |
| 11 #include <openssl/err.h> | 11 #include <openssl/err.h> |
| 12 #include <openssl/opensslv.h> | 12 #include <openssl/opensslv.h> |
| 13 | 13 |
| 14 #include "base/bind.h" | 14 #include "base/bind.h" |
| 15 #include "base/callback_helpers.h" | 15 #include "base/callback_helpers.h" |
| 16 #include "base/memory/singleton.h" | 16 #include "base/memory/singleton.h" |
| 17 #include "base/metrics/histogram.h" | 17 #include "base/metrics/histogram.h" |
| 18 #include "base/synchronization/lock.h" | 18 #include "base/synchronization/lock.h" |
| 19 #include "crypto/openssl_util.h" | 19 #include "crypto/openssl_util.h" |
| 20 #include "net/base/cert_verifier.h" | 20 #include "net/base/cert_verifier.h" |
| 21 #include "net/base/net_errors.h" | 21 #include "net/base/net_errors.h" |
| 22 #include "net/base/openssl_private_key_store.h" | 22 #include "net/base/openssl_client_key_store.h" |
| 23 #include "net/base/single_request_cert_verifier.h" | 23 #include "net/base/single_request_cert_verifier.h" |
| 24 #include "net/base/ssl_cert_request_info.h" | 24 #include "net/base/ssl_cert_request_info.h" |
| 25 #include "net/base/ssl_connection_status_flags.h" | 25 #include "net/base/ssl_connection_status_flags.h" |
| 26 #include "net/base/ssl_info.h" | 26 #include "net/base/ssl_info.h" |
| 27 #include "net/base/x509_certificate_net_log_param.h" | 27 #include "net/base/x509_certificate_net_log_param.h" |
| 28 #include "net/socket/ssl_error_params.h" | 28 #include "net/socket/ssl_error_params.h" |
| 29 | 29 |
| 30 namespace net { | 30 namespace net { |
| 31 | 31 |
| 32 namespace { | 32 namespace { |
| 583 reinterpret_cast<const char*>(str), | 583 reinterpret_cast<const char*>(str), |
| 584 static_cast<size_t>(length))); | 584 static_cast<size_t>(length))); |
| 585 OPENSSL_free(str); | 585 OPENSSL_free(str); |
| 586 } | 586 } |
| 587 | 587 |
| 588 return -1; // Suspends handshake. | 588 return -1; // Suspends handshake. |
| 589 } | 589 } |
| 590 | 590 |
| 591 // Second pass: a client certificate should have been selected. | 591 // Second pass: a client certificate should have been selected. |
| 592 if (ssl_config_.client_cert) { | 592 if (ssl_config_.client_cert) { |
| 593 EVP_PKEY* privkey = OpenSSLPrivateKeyStore::GetInstance()->FetchPrivateKey( | 593 // A note about ownership: FetchClientCertPrivateKey() increments |
| 594 X509_PUBKEY_get(X509_get_X509_PUBKEY( | 594 // the reference count of the EVP_PKEY. Ownership of this reference |
| 595 ssl_config_.client_cert->os_cert_handle()))); | 595 // is passed directly to OpenSSL, which will release the reference |
| 596 if (privkey) { | 596 // using EVP_PKEY_free() when the SSL object is destroyed. |
| 597 OpenSSLClientKeyStore::ScopedEVP_PKEY privkey; |
| 598 if (OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey( |
| 599 ssl_config_.client_cert.get(), &privkey)) { |
| 597 // TODO(joth): (copied from NSS) We should wait for server certificate | 600 // TODO(joth): (copied from NSS) We should wait for server certificate |
| 598 // verification before sending our credentials. See http://crbug.com/13934 | 601 // verification before sending our credentials. See http://crbug.com/13934 |
| 599 *x509 = X509Certificate::DupOSCertHandle( | 602 *x509 = X509Certificate::DupOSCertHandle( |
| 600 ssl_config_.client_cert->os_cert_handle()); | 603 ssl_config_.client_cert->os_cert_handle()); |
| 601 *pkey = privkey; | 604 *pkey = privkey.release(); |
| 602 return 1; | 605 return 1; |
| 603 } | 606 } |
| 604 LOG(WARNING) << "Client cert found without private key"; | 607 LOG(WARNING) << "Client cert found without private key"; |
| 605 } | 608 } |
| 606 | 609 |
| 607 // Send no client certificate. | 610 // Send no client certificate. |
| 608 return 0; | 611 return 0; |
| 609 } | 612 } |
| 610 | 613 |
| 611 // SSLClientSocket methods | 614 // SSLClientSocket methods |
| 1416 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, | 1419 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, |
| 1417 user_write_buf_->data()); | 1420 user_write_buf_->data()); |
| 1418 return rv; | 1421 return rv; |
| 1419 } | 1422 } |
| 1420 | 1423 |
| 1421 int err = SSL_get_error(ssl_, rv); | 1424 int err = SSL_get_error(ssl_, rv); |
| 1422 return MapOpenSSLError(err, err_tracer); | 1425 return MapOpenSSLError(err, err_tracer); |
| 1423 } | 1426 } |
| 1424 | 1427 |
| 1425 } // namespace net | 1428 } // namespace net |
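Review bot: The new ownership comment at new lines 593–596 documents only the EVP_PKEY, while the adjacent `*x509 = X509Certificate::DupOSCertHandle(...)` at new 602–603 hands OpenSSL a second owned reference under the same convention, so I would extend the comment with `// Likewise, *x509 receives a fresh reference from DupOSCertHandle() that OpenSSL owns and releases (presumably via X509_free()) with the SSL object.` so both out-parameters are documented together. The `privkey.release()` at new 604 is correctly paired with the ScopedEVP_PKEY that the failure branch simply lets go out of scope, so the reference transfer looks balanced on both paths. When FetchClientCertPrivateKey() returns false the function still falls through to the `return 0` at new 611 after the warning, so a missing or unregistered key degrades to a handshake without client credentials rather than surfacing as a configuration error; that is pre-existing behaviour, but now that the lookup goes through the new key store a sentence in the comment saying so would help the next reader. The enclosing client-certificate callback begins before this hunk.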