OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
11 #include <openssl/bio.h> | 11 #include <openssl/bio.h> |
12 #include <openssl/bytestring.h> | |
12 #include <openssl/err.h> | 13 #include <openssl/err.h> |
14 #include <openssl/evp.h> | |
13 #include <openssl/mem.h> | 15 #include <openssl/mem.h> |
14 #include <openssl/ssl.h> | 16 #include <openssl/ssl.h> |
15 #include <string.h> | 17 #include <string.h> |
16 | 18 |
17 #include "base/bind.h" | 19 #include "base/bind.h" |
18 #include "base/callback_helpers.h" | 20 #include "base/callback_helpers.h" |
19 #include "base/environment.h" | 21 #include "base/environment.h" |
20 #include "base/lazy_instance.h" | 22 #include "base/lazy_instance.h" |
21 #include "base/memory/singleton.h" | 23 #include "base/memory/singleton.h" |
22 #include "base/metrics/histogram_macros.h" | 24 #include "base/metrics/histogram_macros.h" |
(...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
72 // overlap with any value of the net::Error range, including net::OK). | 74 // overlap with any value of the net::Error range, including net::OK). |
73 const int kNoPendingResult = 1; | 75 const int kNoPendingResult = 1; |
74 | 76 |
75 // If a client doesn't have a list of protocols that it supports, but | 77 // If a client doesn't have a list of protocols that it supports, but |
76 // the server supports NPN, choosing "http/1.1" is the best answer. | 78 // the server supports NPN, choosing "http/1.1" is the best answer. |
77 const char kDefaultSupportedNPNProtocol[] = "http/1.1"; | 79 const char kDefaultSupportedNPNProtocol[] = "http/1.1"; |
78 | 80 |
79 // Default size of the internal BoringSSL buffers. | 81 // Default size of the internal BoringSSL buffers. |
80 const int KDefaultOpenSSLBufferSize = 17 * 1024; | 82 const int KDefaultOpenSSLBufferSize = 17 * 1024; |
81 | 83 |
84 // TLS extension number use for Token Binding. | |
85 const unsigned int kTbExtNum = 30033; | |
86 | |
87 // Token Binding ProtocolVersions supported. | |
88 const uint8_t kTbProtocolVersionMajor = 0; | |
89 const uint8_t kTbProtocolVersionMinor = 2; | |
90 const uint8_t kTbMinProtocolVersionMajor = 0; | |
91 const uint8_t kTbMinProtocolVersionMinor = 2; | |
92 | |
82 void FreeX509Stack(STACK_OF(X509)* ptr) { | 93 void FreeX509Stack(STACK_OF(X509)* ptr) { |
83 sk_X509_pop_free(ptr, X509_free); | 94 sk_X509_pop_free(ptr, X509_free); |
84 } | 95 } |
85 | 96 |
86 using ScopedX509Stack = crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>; | 97 using ScopedX509Stack = crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>; |
87 | 98 |
88 // Used for encoding the |connection_status| field of an SSLInfo object. | 99 // Used for encoding the |connection_status| field of an SSLInfo object. |
89 int EncodeSSLConnectionStatus(uint16 cipher_suite, | 100 int EncodeSSLConnectionStatus(uint16 cipher_suite, |
90 int compression, | 101 int compression, |
91 int version) { | 102 int version) { |
(...skipping 156 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
248 !ssl_keylog_file.empty()) { | 259 !ssl_keylog_file.empty()) { |
249 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 260 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
250 BIO* bio = BIO_new_file(ssl_keylog_file.c_str(), "a"); | 261 BIO* bio = BIO_new_file(ssl_keylog_file.c_str(), "a"); |
251 if (!bio) { | 262 if (!bio) { |
252 LOG(ERROR) << "Failed to open " << ssl_keylog_file; | 263 LOG(ERROR) << "Failed to open " << ssl_keylog_file; |
253 ERR_print_errors_cb(&LogErrorCallback, NULL); | 264 ERR_print_errors_cb(&LogErrorCallback, NULL); |
254 } else { | 265 } else { |
255 SSL_CTX_set_keylog_bio(ssl_ctx_.get(), bio); | 266 SSL_CTX_set_keylog_bio(ssl_ctx_.get(), bio); |
256 } | 267 } |
257 } | 268 } |
269 | |
270 if (!RegisterTokenBindingExtensionCallbacks(ssl_ctx_.get())) { | |
271 NOTREACHED(); | |
272 } | |
davidben
2015/10/15 21:52:08
Nit: No curlies, even though I prefer them. :-(
nharper
2015/10/20 22:52:18
Done.
| |
258 } | 273 } |
259 | 274 |
260 static int ClientCertRequestCallback(SSL* ssl, void* arg) { | 275 static int ClientCertRequestCallback(SSL* ssl, void* arg) { |
261 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); | 276 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
262 DCHECK(socket); | 277 DCHECK(socket); |
263 return socket->ClientCertRequestCallback(ssl); | 278 return socket->ClientCertRequestCallback(ssl); |
264 } | 279 } |
265 | 280 |
266 static int CertVerifyCallback(X509_STORE_CTX *store_ctx, void *arg) { | 281 static int CertVerifyCallback(X509_STORE_CTX *store_ctx, void *arg) { |
267 SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data( | 282 SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data( |
(...skipping 185 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
453 disconnected_(false), | 468 disconnected_(false), |
454 npn_status_(kNextProtoUnsupported), | 469 npn_status_(kNextProtoUnsupported), |
455 channel_id_sent_(false), | 470 channel_id_sent_(false), |
456 session_pending_(false), | 471 session_pending_(false), |
457 certificate_verified_(false), | 472 certificate_verified_(false), |
458 ssl_failure_state_(SSL_FAILURE_NONE), | 473 ssl_failure_state_(SSL_FAILURE_NONE), |
459 signature_result_(kNoPendingResult), | 474 signature_result_(kNoPendingResult), |
460 transport_security_state_(context.transport_security_state), | 475 transport_security_state_(context.transport_security_state), |
461 policy_enforcer_(context.cert_policy_enforcer), | 476 policy_enforcer_(context.cert_policy_enforcer), |
462 net_log_(transport_->socket()->NetLog()), | 477 net_log_(transport_->socket()->NetLog()), |
463 weak_factory_(this) { | 478 weak_factory_(this) { |
davidben
2015/10/15 21:52:09
Initialize tb_was_negotiated_ and tb_negotiated_pa
nharper
2015/10/20 22:52:18
I'm initializing tb_was_negotiated_ to false here.
| |
464 DCHECK(cert_verifier_); | 479 DCHECK(cert_verifier_); |
465 } | 480 } |
466 | 481 |
467 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { | 482 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { |
468 Disconnect(); | 483 Disconnect(); |
469 } | 484 } |
470 | 485 |
471 void SSLClientSocketOpenSSL::GetSSLCertRequestInfo( | 486 void SSLClientSocketOpenSSL::GetSSLCertRequestInfo( |
472 SSLCertRequestInfo* cert_request_info) { | 487 SSLCertRequestInfo* cert_request_info) { |
473 cert_request_info->host_and_port = host_and_port_; | 488 cert_request_info->host_and_port = host_and_port_; |
(...skipping 134 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
608 | 623 |
609 channel_id_sent_ = false; | 624 channel_id_sent_ = false; |
610 session_pending_ = false; | 625 session_pending_ = false; |
611 certificate_verified_ = false; | 626 certificate_verified_ = false; |
612 channel_id_request_.Cancel(); | 627 channel_id_request_.Cancel(); |
613 ssl_failure_state_ = SSL_FAILURE_NONE; | 628 ssl_failure_state_ = SSL_FAILURE_NONE; |
614 | 629 |
615 private_key_.reset(); | 630 private_key_.reset(); |
616 signature_result_ = kNoPendingResult; | 631 signature_result_ = kNoPendingResult; |
617 signature_.clear(); | 632 signature_.clear(); |
618 } | 633 } |
davidben
2015/10/15 21:52:08
Reset tb_was_negotiated_ and tb_negotiated_param_.
nharper
2015/10/20 22:52:18
I'm resetting tb_was_negotiated_, but not tb_negot
| |
619 | 634 |
620 bool SSLClientSocketOpenSSL::IsConnected() const { | 635 bool SSLClientSocketOpenSSL::IsConnected() const { |
621 // If the handshake has not yet completed. | 636 // If the handshake has not yet completed. |
622 if (!completed_connect_) | 637 if (!completed_connect_) |
623 return false; | 638 return false; |
624 // If an asynchronous operation is still pending. | 639 // If an asynchronous operation is still pending. |
625 if (user_read_buf_.get() || user_write_buf_.get()) | 640 if (user_read_buf_.get() || user_write_buf_.get()) |
626 return true; | 641 return true; |
627 | 642 |
628 return transport_->socket()->IsConnected(); | 643 return transport_->socket()->IsConnected(); |
(...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
697 ssl_info->cert = server_cert_verify_result_.verified_cert; | 712 ssl_info->cert = server_cert_verify_result_.verified_cert; |
698 ssl_info->unverified_cert = server_cert_; | 713 ssl_info->unverified_cert = server_cert_; |
699 ssl_info->cert_status = server_cert_verify_result_.cert_status; | 714 ssl_info->cert_status = server_cert_verify_result_.cert_status; |
700 ssl_info->is_issued_by_known_root = | 715 ssl_info->is_issued_by_known_root = |
701 server_cert_verify_result_.is_issued_by_known_root; | 716 server_cert_verify_result_.is_issued_by_known_root; |
702 ssl_info->public_key_hashes = | 717 ssl_info->public_key_hashes = |
703 server_cert_verify_result_.public_key_hashes; | 718 server_cert_verify_result_.public_key_hashes; |
704 ssl_info->client_cert_sent = | 719 ssl_info->client_cert_sent = |
705 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); | 720 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); |
706 ssl_info->channel_id_sent = channel_id_sent_; | 721 ssl_info->channel_id_sent = channel_id_sent_; |
722 ssl_info->token_binding_negotiated = tb_was_negotiated_; | |
723 ssl_info->token_binding_key_param = tb_negotiated_param_; | |
707 ssl_info->pinning_failure_log = pinning_failure_log_; | 724 ssl_info->pinning_failure_log = pinning_failure_log_; |
708 | 725 |
709 AddSCTInfoToSSLInfo(ssl_info); | 726 AddSCTInfoToSSLInfo(ssl_info); |
710 | 727 |
711 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); | 728 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); |
712 CHECK(cipher); | 729 CHECK(cipher); |
713 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); | 730 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); |
714 ssl_info->key_exchange_info = | 731 ssl_info->key_exchange_info = |
715 SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_)); | 732 SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_)); |
716 | 733 |
(...skipping 378 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1095 | 1112 |
1096 int SSLClientSocketOpenSSL::DoHandshakeComplete(int result) { | 1113 int SSLClientSocketOpenSSL::DoHandshakeComplete(int result) { |
1097 if (result < 0) | 1114 if (result < 0) |
1098 return result; | 1115 return result; |
1099 | 1116 |
1100 if (ssl_config_.version_fallback && | 1117 if (ssl_config_.version_fallback && |
1101 ssl_config_.version_max < ssl_config_.version_fallback_min) { | 1118 ssl_config_.version_max < ssl_config_.version_fallback_min) { |
1102 return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION; | 1119 return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION; |
1103 } | 1120 } |
1104 | 1121 |
1122 // Check that if token binding was negotiated, then extended master secret | |
1123 // must also be negotiated. | |
1124 if (tb_was_negotiated_ && !ssl_->session->extended_master_secret) { | |
davidben
2015/10/15 21:52:08
This check also doesn't work unless we're forbiddi
davidben
2015/10/15 21:52:08
Use SSL_get_extms_support. (BoringSSL will interna
nharper
2015/10/20 22:52:18
Done.
nharper
2015/10/20 22:52:18
I've modified IsRenegotiationAllowed to return fal
| |
1125 return ERR_SSL_PROTOCOL_ERROR; | |
1126 } | |
davidben
2015/10/15 21:52:09
Nit: No curlies, even though I prefer them. :-(
nharper
2015/10/20 22:52:19
Done.
| |
1127 | |
1105 // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was. | 1128 // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was. |
1106 if (npn_status_ == kNextProtoUnsupported) { | 1129 if (npn_status_ == kNextProtoUnsupported) { |
1107 const uint8_t* alpn_proto = NULL; | 1130 const uint8_t* alpn_proto = NULL; |
1108 unsigned alpn_len = 0; | 1131 unsigned alpn_len = 0; |
1109 SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len); | 1132 SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len); |
1110 if (alpn_len > 0) { | 1133 if (alpn_len > 0) { |
1111 npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len); | 1134 npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len); |
1112 npn_status_ = kNextProtoNegotiated; | 1135 npn_status_ = kNextProtoNegotiated; |
1113 set_negotiation_extension(kExtensionALPN); | 1136 set_negotiation_extension(kExtensionALPN); |
1114 } | 1137 } |
1115 } | 1138 } |
1116 | 1139 |
1117 RecordNegotiationExtension(); | 1140 RecordNegotiationExtension(); |
1118 RecordChannelIDSupport(channel_id_service_, channel_id_sent_, | 1141 RecordChannelIDSupport(channel_id_service_, channel_id_sent_, |
1119 ssl_config_.channel_id_enabled, | 1142 ssl_config_.channel_id_enabled, |
1120 crypto::ECPrivateKey::IsSupported()); | 1143 crypto::ECPrivateKey::IsSupported()); |
1144 RecordTokenBindingSupport(ssl_config_, channel_id_service_, | |
1145 tb_was_negotiated_); | |
1121 | 1146 |
1122 // Only record OCSP histograms if OCSP was requested. | 1147 // Only record OCSP histograms if OCSP was requested. |
1123 if (ssl_config_.signed_cert_timestamps_enabled || | 1148 if (ssl_config_.signed_cert_timestamps_enabled || |
1124 cert_verifier_->SupportsOCSPStapling()) { | 1149 cert_verifier_->SupportsOCSPStapling()) { |
1125 const uint8_t* ocsp_response; | 1150 const uint8_t* ocsp_response; |
1126 size_t ocsp_response_len; | 1151 size_t ocsp_response_len; |
1127 SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len); | 1152 SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len); |
1128 | 1153 |
1129 set_stapled_ocsp_response_received(ocsp_response_len != 0); | 1154 set_stapled_ocsp_response_received(ocsp_response_len != 0); |
1130 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); | 1155 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); |
(...skipping 1023 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2154 if (next_handshake_state_ == STATE_HANDSHAKE) { | 2179 if (next_handshake_state_ == STATE_HANDSHAKE) { |
2155 OnHandshakeIOComplete(signature_result_); | 2180 OnHandshakeIOComplete(signature_result_); |
2156 return; | 2181 return; |
2157 } | 2182 } |
2158 | 2183 |
2159 // During a renegotiation, either Read or Write calls may be blocked on an | 2184 // During a renegotiation, either Read or Write calls may be blocked on an |
2160 // asynchronous private key operation. | 2185 // asynchronous private key operation. |
2161 PumpReadWriteEvents(); | 2186 PumpReadWriteEvents(); |
2162 } | 2187 } |
2163 | 2188 |
2189 // static | |
2190 bool SSLClientSocketOpenSSL::RegisterTokenBindingExtensionCallbacks( | |
2191 SSL_CTX* ssl_ctx) { | |
2192 return SSL_CTX_add_client_custom_ext( | |
2193 ssl_ctx, kTbExtNum, &TokenBindingAddCallback, | |
2194 &TokenBindingFreeCallback, nullptr, &TokenBindingParseCallback, | |
2195 nullptr) != 0; | |
2196 } | |
2197 | |
2198 int SSLClientSocketOpenSSL::TokenBindingAdd(const uint8_t** out, | |
2199 size_t* out_len, | |
2200 int* out_alert_value) { | |
2201 if (ssl_config_.token_binding_params.empty()) { | |
2202 return 0; | |
2203 } | |
2204 CBB output, parameters_list; | |
davidben
2015/10/15 21:52:08
CBB_zero(&output); otherwise CBB_cleanup might act
nharper
2015/10/20 22:52:18
I've changed it to use a scoper. There isn't one t
| |
2205 int retval = -1; | |
2206 if (!CBB_init(&output, 7)) | |
davidben
2015/10/15 21:52:09
Nit: You can || this with the next block.
nharper
2015/10/20 22:52:19
This block is gone now.
| |
2207 goto end; | |
2208 if (!CBB_add_u8(&output, kTbProtocolVersionMajor) || | |
2209 !CBB_add_u8(&output, kTbProtocolVersionMinor) || | |
2210 !CBB_add_u8_length_prefixed(&output, ¶meters_list)) { | |
2211 goto end; | |
2212 } | |
2213 for (size_t i = 0; i < ssl_config_.token_binding_params.size(); ++i) { | |
2214 if (!CBB_add_u8(¶meters_list, ssl_config_.token_binding_params[i])) { | |
2215 goto end; | |
2216 } | |
davidben
2015/10/15 21:52:09
Nit: No curlies, even though I prefer them. :-(
nharper
2015/10/20 22:52:18
Done.
| |
2217 } | |
davidben
2015/10/15 21:52:09
Optional: Since this was confusing before, perhaps
nharper
2015/10/20 22:52:19
Done.
| |
2218 if (!CBB_finish(&output, const_cast<uint8_t**>(out), out_len)) | |
2219 goto end; | |
2220 | |
2221 retval = 1; | |
2222 | |
2223 end: | |
2224 CBB_cleanup(&output); | |
2225 if (retval == -1) | |
2226 *out_alert_value = SSL_AD_INTERNAL_ERROR; | |
2227 return retval; | |
2228 } | |
2229 | |
2230 int SSLClientSocketOpenSSL::TokenBindingParse(const uint8_t* contents, | |
2231 size_t contents_len, | |
2232 int* out_alert_value) { | |
davidben
2015/10/15 21:52:08
So, this method may get called on a renego, and th
nharper
2015/10/20 22:52:18
Done.
| |
2233 CBS extension; | |
2234 CBS_init(&extension, contents, contents_len); | |
2235 | |
2236 CBS parameters_list; | |
2237 uint8_t version_major, version_minor, param; | |
2238 if (!CBS_get_u8(&extension, &version_major) || | |
2239 !CBS_get_u8(&extension, &version_minor) || | |
2240 version_major != kTbProtocolVersionMajor || | |
2241 version_minor != kTbProtocolVersionMinor || | |
2242 !CBS_get_u8_length_prefixed(&extension, ¶meters_list) || | |
2243 !CBS_get_u8(¶meters_list, ¶m) || CBS_len(&extension) > 0) { | |
2244 *out_alert_value = SSL_AD_DECODE_ERROR; | |
2245 return 0; | |
2246 } | |
2247 bool valid_param = false; | |
2248 for (size_t i = 0; i < ssl_config_.token_binding_params.size(); ++i) { | |
2249 if (param == ssl_config_.token_binding_params[i]) { | |
2250 tb_negotiated_param_ = TokenBindingParam(param); | |
davidben
2015/10/15 21:52:08
static_cast<TokenBindingParam>(param).
That or ju
nharper
2015/10/20 22:52:19
Done.
| |
2251 valid_param = true; | |
2252 break; | |
2253 } | |
2254 } | |
2255 | |
2256 // The server-negotiated version must be less than or equal to our version. | |
2257 if (version_major > kTbProtocolVersionMajor || | |
2258 (version_minor > kTbProtocolVersionMinor && | |
2259 version_major == kTbProtocolVersionMajor)) { | |
2260 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | |
2261 return 0; | |
2262 } | |
davidben
2015/10/15 21:52:09
This seems unnecessary now that you check equality
nharper
2015/10/20 22:52:18
That was a goof of checking equality for version_m
| |
2263 | |
2264 // Although the server returns the negotiated key param in a list, it must | |
2265 // only send one element in that list. | |
2266 if (CBS_len(¶meters_list) > 0 || !valid_param) { | |
davidben
2015/10/15 21:52:08
Optional: I would actually put the CBS_len check u
nharper
2015/10/20 22:52:19
I moved the version checks to before the check on
| |
2267 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | |
2268 return 0; | |
2269 } | |
2270 | |
2271 // If the version the server negotiated is older than we support, don't fail | |
2272 // parsing the extension, but also don't set |negotiated_|. | |
2273 if (version_major < kTbMinProtocolVersionMajor || | |
2274 (version_minor < kTbMinProtocolVersionMinor && | |
2275 version_major == kTbMinProtocolVersionMajor)) { | |
2276 return 1; | |
2277 } | |
davidben
2015/10/15 21:52:09
This seems unnecessary now that you check equality
nharper
2015/10/20 22:52:18
Ditto.
| |
2278 | |
2279 tb_was_negotiated_ = true; | |
2280 return 1; | |
2281 } | |
2282 | |
2283 // static | |
2284 int SSLClientSocketOpenSSL::TokenBindingAddCallback( | |
2285 SSL* ssl, | |
2286 unsigned int extension_value, | |
2287 const uint8_t** out, | |
2288 size_t* out_len, | |
2289 int* out_alert_value, | |
2290 void* add_arg) { | |
2291 DCHECK(extension_value == kTbExtNum); | |
davidben
2015/10/15 21:52:08
DCHECK_EQ
nharper
2015/10/20 22:52:18
Done.
| |
2292 SSLClientSocketOpenSSL* socket = | |
2293 SSLClientSocketOpenSSL::SSLContext::GetInstance()->GetClientSocketFromSSL( | |
2294 ssl); | |
2295 return socket->TokenBindingAdd(out, out_len, out_alert_value); | |
2296 } | |
2297 | |
2298 // static | |
2299 void SSLClientSocketOpenSSL::TokenBindingFreeCallback(SSL* ssl, | |
2300 unsigned extension_value, | |
2301 const uint8_t* out, | |
2302 void* add_arg) { | |
2303 DCHECK(extension_value == kTbExtNum); | |
davidben
2015/10/15 21:52:09
DCHECK_EQ
nharper
2015/10/20 22:52:19
Done.
| |
2304 OPENSSL_free(const_cast<unsigned char*>(out)); | |
2305 } | |
2306 | |
2307 // static | |
2308 int SSLClientSocketOpenSSL::TokenBindingParseCallback( | |
2309 SSL* ssl, | |
2310 unsigned int extension_value, | |
2311 const uint8_t* contents, | |
2312 size_t contents_len, | |
2313 int* out_alert_value, | |
2314 void* parse_arg) { | |
2315 DCHECK(extension_value == kTbExtNum); | |
davidben
2015/10/15 21:52:09
DCHECK_EQ
nharper
2015/10/20 22:52:18
Done.
| |
2316 SSLClientSocketOpenSSL* socket = | |
2317 SSLClientSocketOpenSSL::SSLContext::GetInstance()->GetClientSocketFromSSL( | |
2318 ssl); | |
2319 return socket->TokenBindingParse(contents, contents_len, out_alert_value); | |
2320 } | |
2321 | |
2164 } // namespace net | 2322 } // namespace net |
OLD | NEW |