| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| (...skipping 908 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 919 // This will almost certainly result in the socket failing to complete the | 919 // This will almost certainly result in the socket failing to complete the |
| 920 // handshake at which point the appropriate error is bubbled up to the client. | 920 // handshake at which point the appropriate error is bubbled up to the client. |
| 921 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command << "') " | 921 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command << "') " |
| 922 "returned " << rv; | 922 "returned " << rv; |
| 923 | 923 |
| 924 // TLS channel ids. | 924 // TLS channel ids. |
| 925 if (IsChannelIDEnabled(ssl_config_, channel_id_service_)) { | 925 if (IsChannelIDEnabled(ssl_config_, channel_id_service_)) { |
| 926 SSL_enable_tls_channel_id(ssl_); | 926 SSL_enable_tls_channel_id(ssl_); |
| 927 } | 927 } |
| 928 | 928 |
| 929 if (!ssl_config_.next_protos.empty()) { | 929 if (!ssl_config_.alpn_protos.empty()) { |
| 930 // Get list of ciphers that are enabled. | 930 // Get list of ciphers that are enabled. |
| 931 STACK_OF(SSL_CIPHER)* enabled_ciphers = SSL_get_ciphers(ssl_); | 931 STACK_OF(SSL_CIPHER)* enabled_ciphers = SSL_get_ciphers(ssl_); |
| 932 DCHECK(enabled_ciphers); | 932 DCHECK(enabled_ciphers); |
| 933 std::vector<uint16> enabled_ciphers_vector; | 933 std::vector<uint16> enabled_ciphers_vector; |
| 934 for (size_t i = 0; i < sk_SSL_CIPHER_num(enabled_ciphers); ++i) { | 934 for (size_t i = 0; i < sk_SSL_CIPHER_num(enabled_ciphers); ++i) { |
| 935 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(enabled_ciphers, i); | 935 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(enabled_ciphers, i); |
| 936 const uint16 id = static_cast<uint16>(SSL_CIPHER_get_id(cipher)); | 936 const uint16 id = static_cast<uint16>(SSL_CIPHER_get_id(cipher)); |
| 937 enabled_ciphers_vector.push_back(id); | 937 enabled_ciphers_vector.push_back(id); |
| 938 } | 938 } |
| 939 | 939 |
| 940 NextProtoVector next_protos = ssl_config_.next_protos; | 940 NextProtoVector alpn_protos = ssl_config_.alpn_protos; |
| 941 if (!HasCipherAdequateForHTTP2(enabled_ciphers_vector) || | 941 if (!HasCipherAdequateForHTTP2(enabled_ciphers_vector) || |
| 942 !IsTLSVersionAdequateForHTTP2(ssl_config_)) { | 942 !IsTLSVersionAdequateForHTTP2(ssl_config_)) { |
| 943 DisableHTTP2(&next_protos); | 943 DisableHTTP2(&alpn_protos); |
| 944 } | 944 } |
| 945 std::vector<uint8_t> wire_protos = SerializeNextProtos(next_protos); | 945 std::vector<uint8_t> wire_protos = SerializeNextProtos(alpn_protos); |
| 946 SSL_set_alpn_protos(ssl_, wire_protos.empty() ? NULL : &wire_protos[0], | 946 SSL_set_alpn_protos(ssl_, wire_protos.empty() ? NULL : &wire_protos[0], |
| 947 wire_protos.size()); | 947 wire_protos.size()); |
| 948 } | 948 } |
| 949 | 949 |
| 950 if (ssl_config_.signed_cert_timestamps_enabled) { | 950 if (ssl_config_.signed_cert_timestamps_enabled) { |
| 951 SSL_enable_signed_cert_timestamps(ssl_); | 951 SSL_enable_signed_cert_timestamps(ssl_); |
| 952 SSL_enable_ocsp_stapling(ssl_); | 952 SSL_enable_ocsp_stapling(ssl_); |
| 953 } | 953 } |
| 954 | 954 |
| 955 if (cert_verifier_->SupportsOCSPStapling()) | 955 if (cert_verifier_->SupportsOCSPStapling()) |
| (...skipping 929 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1885 } | 1885 } |
| 1886 | 1886 |
| 1887 // SelectNextProtoCallback is called by OpenSSL during the handshake. If the | 1887 // SelectNextProtoCallback is called by OpenSSL during the handshake. If the |
| 1888 // server supports NPN, selects a protocol from the list that the server | 1888 // server supports NPN, selects a protocol from the list that the server |
| 1889 // provides. According to third_party/openssl/openssl/ssl/ssl_lib.c, the | 1889 // provides. According to third_party/openssl/openssl/ssl/ssl_lib.c, the |
| 1890 // callback can assume that |in| is syntactically valid. | 1890 // callback can assume that |in| is syntactically valid. |
| 1891 int SSLClientSocketOpenSSL::SelectNextProtoCallback(unsigned char** out, | 1891 int SSLClientSocketOpenSSL::SelectNextProtoCallback(unsigned char** out, |
| 1892 unsigned char* outlen, | 1892 unsigned char* outlen, |
| 1893 const unsigned char* in, | 1893 const unsigned char* in, |
| 1894 unsigned int inlen) { | 1894 unsigned int inlen) { |
| 1895 if (ssl_config_.next_protos.empty()) { | 1895 if (ssl_config_.npn_protos.empty()) { |
| 1896 *out = reinterpret_cast<uint8*>( | 1896 *out = reinterpret_cast<uint8*>( |
| 1897 const_cast<char*>(kDefaultSupportedNPNProtocol)); | 1897 const_cast<char*>(kDefaultSupportedNPNProtocol)); |
| 1898 *outlen = arraysize(kDefaultSupportedNPNProtocol) - 1; | 1898 *outlen = arraysize(kDefaultSupportedNPNProtocol) - 1; |
| 1899 npn_status_ = kNextProtoUnsupported; | 1899 npn_status_ = kNextProtoUnsupported; |
| 1900 return SSL_TLSEXT_ERR_OK; | 1900 return SSL_TLSEXT_ERR_OK; |
| 1901 } | 1901 } |
| 1902 | 1902 |
| 1903 // Assume there's no overlap between our protocols and the server's list. | 1903 // Assume there's no overlap between our protocols and the server's list. |
| 1904 npn_status_ = kNextProtoNoOverlap; | 1904 npn_status_ = kNextProtoNoOverlap; |
| 1905 | 1905 |
| 1906 // For each protocol in server preference order, see if we support it. | 1906 // For each protocol in server preference order, see if we support it. |
| 1907 for (unsigned int i = 0; i < inlen; i += in[i] + 1) { | 1907 for (unsigned int i = 0; i < inlen; i += in[i] + 1) { |
| 1908 for (NextProto next_proto : ssl_config_.next_protos) { | 1908 for (NextProto next_proto : ssl_config_.npn_protos) { |
| 1909 const std::string proto = NextProtoToString(next_proto); | 1909 const std::string proto = NextProtoToString(next_proto); |
| 1910 if (in[i] == proto.size() && | 1910 if (in[i] == proto.size() && |
| 1911 memcmp(&in[i + 1], proto.data(), in[i]) == 0) { | 1911 memcmp(&in[i + 1], proto.data(), in[i]) == 0) { |
| 1912 // We found a match. | 1912 // We found a match. |
| 1913 *out = const_cast<unsigned char*>(in) + i + 1; | 1913 *out = const_cast<unsigned char*>(in) + i + 1; |
| 1914 *outlen = in[i]; | 1914 *outlen = in[i]; |
| 1915 npn_status_ = kNextProtoNegotiated; | 1915 npn_status_ = kNextProtoNegotiated; |
| 1916 break; | 1916 break; |
| 1917 } | 1917 } |
| 1918 } | 1918 } |
| 1919 if (npn_status_ == kNextProtoNegotiated) | 1919 if (npn_status_ == kNextProtoNegotiated) |
| 1920 break; | 1920 break; |
| 1921 } | 1921 } |
| 1922 | 1922 |
| 1923 // If we didn't find a protocol, we select the last one from our list. | 1923 // If we didn't find a protocol, we select the last one from our list. |
| 1924 if (npn_status_ == kNextProtoNoOverlap) { | 1924 if (npn_status_ == kNextProtoNoOverlap) { |
| 1925 // NextProtoToString returns a pointer to a static string. | 1925 // NextProtoToString returns a pointer to a static string. |
| 1926 const char* proto = NextProtoToString(ssl_config_.next_protos.back()); | 1926 const char* proto = NextProtoToString(ssl_config_.npn_protos.back()); |
| 1927 *out = reinterpret_cast<unsigned char*>(const_cast<char*>(proto)); | 1927 *out = reinterpret_cast<unsigned char*>(const_cast<char*>(proto)); |
| 1928 *outlen = strlen(proto); | 1928 *outlen = strlen(proto); |
| 1929 } | 1929 } |
| 1930 | 1930 |
| 1931 npn_proto_.assign(reinterpret_cast<const char*>(*out), *outlen); | 1931 npn_proto_.assign(reinterpret_cast<const char*>(*out), *outlen); |
| 1932 DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_; | 1932 DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_; |
| 1933 set_negotiation_extension(kExtensionNPN); | 1933 set_negotiation_extension(kExtensionNPN); |
| 1934 return SSL_TLSEXT_ERR_OK; | 1934 return SSL_TLSEXT_ERR_OK; |
| 1935 } | 1935 } |
| 1936 | 1936 |
| (...skipping 214 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2151 OnHandshakeIOComplete(signature_result_); | 2151 OnHandshakeIOComplete(signature_result_); |
| 2152 return; | 2152 return; |
| 2153 } | 2153 } |
| 2154 | 2154 |
| 2155 // During a renegotiation, either Read or Write calls may be blocked on an | 2155 // During a renegotiation, either Read or Write calls may be blocked on an |
| 2156 // asynchronous private key operation. | 2156 // asynchronous private key operation. |
| 2157 PumpReadWriteEvents(); | 2157 PumpReadWriteEvents(); |
| 2158 } | 2158 } |
| 2159 | 2159 |
| 2160 } // namespace net | 2160 } // namespace net |
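Review bot: SelectNextProtoCallback reads `ssl_config_.npn_protos` unfiltered (lines 1908 and 1926), whereas the ALPN list handed to SSL_set_alpn_protos at line 946 is first passed through HasCipherAdequateForHTTP2/IsTLSVersionAdequateForHTTP2 and DisableHTTP2 (lines 941-943); now that the two lists are separate, the NPN path can match or fall back to a protocol the ALPN path would have dropped for this connection's cipher and TLS version. Unless npn_protos is constrained by the caller (not visible here), consider applying the same adequacy gating before the NPN selection loop, or stating the exemption explicitly, e.g. `// NOTE: npn_protos is not filtered for HTTP/2 cipher/version adequacy; alpn_protos is (see the SSL_set_alpn_protos path).` The no-overlap fallback at line 1926 also means the client can select a protocol the server did not offer, which the existing comment acknowledges but the new list split makes worth re-confirming. The function containing the ALPN setup starts outside the visible lines.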