| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| 11 #include <openssl/bio.h> | 11 #include <openssl/bio.h> |
| 12 #include <openssl/err.h> | 12 #include <openssl/err.h> |
| 13 #include <openssl/mem.h> | 13 #include <openssl/mem.h> |
| 14 #include <openssl/ssl.h> | 14 #include <openssl/ssl.h> |
| 15 #include <string.h> | 15 #include <string.h> |
| 16 | 16 |
| 17 #include "base/bind.h" | 17 #include "base/bind.h" |
| 18 #include "base/callback_helpers.h" | 18 #include "base/callback_helpers.h" |
| 19 #include "base/environment.h" | 19 #include "base/environment.h" |
| 20 #include "base/lazy_instance.h" | |
| 21 #include "base/memory/singleton.h" | 20 #include "base/memory/singleton.h" |
| 22 #include "base/metrics/histogram_macros.h" | 21 #include "base/metrics/histogram_macros.h" |
| 23 #include "base/profiler/scoped_tracker.h" | 22 #include "base/profiler/scoped_tracker.h" |
| 24 #include "base/stl_util.h" | 23 #include "base/stl_util.h" |
| 25 #include "base/strings/string_piece.h" | 24 #include "base/strings/string_piece.h" |
| 26 #include "base/synchronization/lock.h" | 25 #include "base/synchronization/lock.h" |
| 27 #include "base/threading/sequenced_worker_pool.h" | |
| 28 #include "base/threading/thread_local.h" | 26 #include "base/threading/thread_local.h" |
| 29 #include "base/values.h" | 27 #include "base/values.h" |
| 30 #include "crypto/ec_private_key.h" | 28 #include "crypto/ec_private_key.h" |
| 31 #include "crypto/openssl_util.h" | 29 #include "crypto/openssl_util.h" |
| 32 #include "crypto/scoped_openssl_types.h" | 30 #include "crypto/scoped_openssl_types.h" |
| 33 #include "net/base/ip_address_number.h" | 31 #include "net/base/ip_address_number.h" |
| 34 #include "net/base/net_errors.h" | 32 #include "net/base/net_errors.h" |
| 35 #include "net/cert/cert_policy_enforcer.h" | 33 #include "net/cert/cert_policy_enforcer.h" |
| 36 #include "net/cert/cert_verifier.h" | 34 #include "net/cert/cert_verifier.h" |
| 37 #include "net/cert/ct_ev_whitelist.h" | 35 #include "net/cert/ct_ev_whitelist.h" |
| (...skipping 123 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 161 *hash = SSLPrivateKey::Hash::SHA384; | 159 *hash = SSLPrivateKey::Hash::SHA384; |
| 162 return true; | 160 return true; |
| 163 case NID_sha512: | 161 case NID_sha512: |
| 164 *hash = SSLPrivateKey::Hash::SHA512; | 162 *hash = SSLPrivateKey::Hash::SHA512; |
| 165 return true; | 163 return true; |
| 166 default: | 164 default: |
| 167 return false; | 165 return false; |
| 168 } | 166 } |
| 169 } | 167 } |
| 170 | 168 |
| 171 #if !defined(OS_NACL) | |
| 172 class PlatformKeyTaskRunner { | |
| 173 public: | |
| 174 PlatformKeyTaskRunner() { | |
| 175 // Serialize all the private key operations on a single background | |
| 176 // thread to avoid problems with buggy smartcards. | |
| 177 worker_pool_ = new base::SequencedWorkerPool(1, "Platform Key Thread"); | |
| 178 task_runner_ = worker_pool_->GetSequencedTaskRunnerWithShutdownBehavior( | |
| 179 worker_pool_->GetSequenceToken(), | |
| 180 base::SequencedWorkerPool::CONTINUE_ON_SHUTDOWN); | |
| 181 } | |
| 182 | |
| 183 scoped_refptr<base::SequencedTaskRunner> task_runner() { | |
| 184 return task_runner_; | |
| 185 } | |
| 186 | |
| 187 private: | |
| 188 scoped_refptr<base::SequencedWorkerPool> worker_pool_; | |
| 189 scoped_refptr<base::SequencedTaskRunner> task_runner_; | |
| 190 | |
| 191 DISALLOW_COPY_AND_ASSIGN(PlatformKeyTaskRunner); | |
| 192 }; | |
| 193 | |
| 194 base::LazyInstance<PlatformKeyTaskRunner>::Leaky g_platform_key_task_runner = | |
| 195 LAZY_INSTANCE_INITIALIZER; | |
| 196 #endif | |
| 197 | |
| 198 } // namespace | 169 } // namespace |
| 199 | 170 |
| 200 class SSLClientSocketOpenSSL::SSLContext { | 171 class SSLClientSocketOpenSSL::SSLContext { |
| 201 public: | 172 public: |
| 202 static SSLContext* GetInstance() { | 173 static SSLContext* GetInstance() { |
| 203 return base::Singleton<SSLContext>::get(); | 174 return base::Singleton<SSLContext>::get(); |
| 204 } | 175 } |
| 205 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); } | 176 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); } |
| 206 SSLClientSessionCacheOpenSSL* session_cache() { return &session_cache_; } | 177 SSLClientSessionCacheOpenSSL* session_cache() { return &session_cache_; } |
| 207 | 178 |
| (...skipping 401 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 609 | 580 |
| 610 npn_status_ = kNextProtoUnsupported; | 581 npn_status_ = kNextProtoUnsupported; |
| 611 npn_proto_.clear(); | 582 npn_proto_.clear(); |
| 612 | 583 |
| 613 channel_id_sent_ = false; | 584 channel_id_sent_ = false; |
| 614 session_pending_ = false; | 585 session_pending_ = false; |
| 615 certificate_verified_ = false; | 586 certificate_verified_ = false; |
| 616 channel_id_request_.Cancel(); | 587 channel_id_request_.Cancel(); |
| 617 ssl_failure_state_ = SSL_FAILURE_NONE; | 588 ssl_failure_state_ = SSL_FAILURE_NONE; |
| 618 | 589 |
| 619 private_key_.reset(); | |
| 620 signature_result_ = kNoPendingResult; | 590 signature_result_ = kNoPendingResult; |
| 621 signature_.clear(); | 591 signature_.clear(); |
| 622 } | 592 } |
| 623 | 593 |
| 624 bool SSLClientSocketOpenSSL::IsConnected() const { | 594 bool SSLClientSocketOpenSSL::IsConnected() const { |
| 625 // If the handshake has not yet completed. | 595 // If the handshake has not yet completed. |
| 626 if (!completed_connect_) | 596 if (!completed_connect_) |
| 627 return false; | 597 return false; |
| 628 // If an asynchronous operation is still pending. | 598 // If an asynchronous operation is still pending. |
| 629 if (user_read_buf_.get() || user_write_buf_.get()) | 599 if (user_read_buf_.get() || user_write_buf_.get()) |
| (...skipping 1160 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1790 return -1; | 1760 return -1; |
| 1791 } | 1761 } |
| 1792 | 1762 |
| 1793 if (!SSL_use_certificate(ssl_, leaf_x509.get()) || | 1763 if (!SSL_use_certificate(ssl_, leaf_x509.get()) || |
| 1794 !SSL_set1_chain(ssl_, chain.get())) { | 1764 !SSL_set1_chain(ssl_, chain.get())) { |
| 1795 LOG(WARNING) << "Failed to set client certificate"; | 1765 LOG(WARNING) << "Failed to set client certificate"; |
| 1796 return -1; | 1766 return -1; |
| 1797 } | 1767 } |
| 1798 | 1768 |
| 1799 #if defined(OS_NACL) | 1769 #if defined(OS_NACL) |
| 1800 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY); | 1770 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY); |
| 1801 return -1; | 1771 return -1; |
| 1802 #else | 1772 #else |
| 1803 // TODO(davidben): Lift this call up to the embedder so we can actually test | 1773 private_key_ = ssl_config_.client_private_key; |
| 1804 // this code. https://crbug.com/394131 | 1774 |
| 1805 private_key_ = FetchClientCertPrivateKey( | |
| 1806 ssl_config_.client_cert.get(), | |
| 1807 g_platform_key_task_runner.Get().task_runner()); | |
| 1808 if (!private_key_) { | 1775 if (!private_key_) { |
| 1809 // Could not find the private key. Fail the handshake and surface an | 1776 // The caller supplied a null private key. Fail the handshake and surface |
| 1810 // appropriate error to the caller. | 1777 // an appropriate error to the caller. |
| 1811 LOG(WARNING) << "Client cert found without private key"; | 1778 LOG(WARNING) << "Client cert found without private key"; |
| 1812 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY); | 1779 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY); |
| 1813 return -1; | 1780 return -1; |
| 1814 } | 1781 } |
| 1815 | 1782 |
| 1816 SSL_set_private_key_method(ssl_, &SSLContext::kPrivateKeyMethod); | 1783 SSL_set_private_key_method(ssl_, &SSLContext::kPrivateKeyMethod); |
| 1817 | 1784 |
| 1818 std::vector<SSLPrivateKey::Hash> digest_prefs = | 1785 std::vector<SSLPrivateKey::Hash> digest_prefs = |
| 1819 private_key_->GetDigestPreferences(); | 1786 private_key_->GetDigestPreferences(); |
| 1820 | 1787 |
| (...skipping 330 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2151 OnHandshakeIOComplete(signature_result_); | 2118 OnHandshakeIOComplete(signature_result_); |
| 2152 return; | 2119 return; |
| 2153 } | 2120 } |
| 2154 | 2121 |
| 2155 // During a renegotiation, either Read or Write calls may be blocked on an | 2122 // During a renegotiation, either Read or Write calls may be blocked on an |
| 2156 // asynchronous private key operation. | 2123 // asynchronous private key operation. |
| 2157 PumpReadWriteEvents(); | 2124 PumpReadWriteEvents(); |
| 2158 } | 2125 } |
| 2159 | 2126 |
| 2160 } // namespace net | 2127 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1304143010:
Plumbing SSLPrivateKey
Base URL: https://chromium.googlesource.com/chromium/src.git@master