1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
919 // This will almost certainly result in the socket failing to complete the | 919 // This will almost certainly result in the socket failing to complete the |
920 // handshake at which point the appropriate error is bubbled up to the client. | 920 // handshake at which point the appropriate error is bubbled up to the client. |
921 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command << "') " | 921 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command << "') " |
922 "returned " << rv; | 922 "returned " << rv; |
923 | 923 |
924 // TLS channel ids. | 924 // TLS channel ids. |
925 if (IsChannelIDEnabled(ssl_config_, channel_id_service_)) { | 925 if (IsChannelIDEnabled(ssl_config_, channel_id_service_)) { |
926 SSL_enable_tls_channel_id(ssl_); | 926 SSL_enable_tls_channel_id(ssl_); |
927 } | 927 } |
928 | 928 |
929 if (!ssl_config_.next_protos.empty()) { | 929 if (!ssl_config_.alpn_protos.empty()) { |
930 // Get list of ciphers that are enabled. | 930 // Get list of ciphers that are enabled. |
931 STACK_OF(SSL_CIPHER)* enabled_ciphers = SSL_get_ciphers(ssl_); | 931 STACK_OF(SSL_CIPHER)* enabled_ciphers = SSL_get_ciphers(ssl_); |
932 DCHECK(enabled_ciphers); | 932 DCHECK(enabled_ciphers); |
933 std::vector<uint16> enabled_ciphers_vector; | 933 std::vector<uint16> enabled_ciphers_vector; |
934 for (size_t i = 0; i < sk_SSL_CIPHER_num(enabled_ciphers); ++i) { | 934 for (size_t i = 0; i < sk_SSL_CIPHER_num(enabled_ciphers); ++i) { |
935 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(enabled_ciphers, i); | 935 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(enabled_ciphers, i); |
936 const uint16 id = static_cast<uint16>(SSL_CIPHER_get_id(cipher)); | 936 const uint16 id = static_cast<uint16>(SSL_CIPHER_get_id(cipher)); |
937 enabled_ciphers_vector.push_back(id); | 937 enabled_ciphers_vector.push_back(id); |
938 } | 938 } |
939 | 939 |
940 NextProtoVector next_protos = ssl_config_.next_protos; | 940 NextProtoVector alpn_protos = ssl_config_.alpn_protos; |
941 if (!HasCipherAdequateForHTTP2(enabled_ciphers_vector) || | 941 if (!HasCipherAdequateForHTTP2(enabled_ciphers_vector) || |
942 !IsTLSVersionAdequateForHTTP2(ssl_config_)) { | 942 !IsTLSVersionAdequateForHTTP2(ssl_config_)) { |
943 DisableHTTP2(&next_protos); | 943 DisableHTTP2(&alpn_protos); |
944 } | 944 } |
945 std::vector<uint8_t> wire_protos = SerializeNextProtos(next_protos); | 945 std::vector<uint8_t> wire_protos = SerializeNextProtos(alpn_protos); |
946 SSL_set_alpn_protos(ssl_, wire_protos.empty() ? NULL : &wire_protos[0], | 946 SSL_set_alpn_protos(ssl_, wire_protos.empty() ? NULL : &wire_protos[0], |
947 wire_protos.size()); | 947 wire_protos.size()); |
948 } | 948 } |
949 | 949 |
950 if (ssl_config_.signed_cert_timestamps_enabled) { | 950 if (ssl_config_.signed_cert_timestamps_enabled) { |
951 SSL_enable_signed_cert_timestamps(ssl_); | 951 SSL_enable_signed_cert_timestamps(ssl_); |
952 SSL_enable_ocsp_stapling(ssl_); | 952 SSL_enable_ocsp_stapling(ssl_); |
953 } | 953 } |
954 | 954 |
955 if (cert_verifier_->SupportsOCSPStapling()) | 955 if (cert_verifier_->SupportsOCSPStapling()) |
1885 } | 1885 } |
1886 | 1886 |
1887 // SelectNextProtoCallback is called by OpenSSL during the handshake. If the | 1887 // SelectNextProtoCallback is called by OpenSSL during the handshake. If the |
1888 // server supports NPN, selects a protocol from the list that the server | 1888 // server supports NPN, selects a protocol from the list that the server |
1889 // provides. According to third_party/openssl/openssl/ssl/ssl_lib.c, the | 1889 // provides. According to third_party/openssl/openssl/ssl/ssl_lib.c, the |
1890 // callback can assume that |in| is syntactically valid. | 1890 // callback can assume that |in| is syntactically valid. |
1891 int SSLClientSocketOpenSSL::SelectNextProtoCallback(unsigned char** out, | 1891 int SSLClientSocketOpenSSL::SelectNextProtoCallback(unsigned char** out, |
1892 unsigned char* outlen, | 1892 unsigned char* outlen, |
1893 const unsigned char* in, | 1893 const unsigned char* in, |
1894 unsigned int inlen) { | 1894 unsigned int inlen) { |
1895 if (ssl_config_.next_protos.empty()) { | 1895 if (ssl_config_.npn_protos.empty()) { |
1896 *out = reinterpret_cast<uint8*>( | 1896 *out = reinterpret_cast<uint8*>( |
1897 const_cast<char*>(kDefaultSupportedNPNProtocol)); | 1897 const_cast<char*>(kDefaultSupportedNPNProtocol)); |
1898 *outlen = arraysize(kDefaultSupportedNPNProtocol) - 1; | 1898 *outlen = arraysize(kDefaultSupportedNPNProtocol) - 1; |
1899 npn_status_ = kNextProtoUnsupported; | 1899 npn_status_ = kNextProtoUnsupported; |
1900 return SSL_TLSEXT_ERR_OK; | 1900 return SSL_TLSEXT_ERR_OK; |
1901 } | 1901 } |
1902 | 1902 |
1903 // Assume there's no overlap between our protocols and the server's list. | 1903 // Assume there's no overlap between our protocols and the server's list. |
1904 npn_status_ = kNextProtoNoOverlap; | 1904 npn_status_ = kNextProtoNoOverlap; |
1905 | 1905 |
1906 // For each protocol in server preference order, see if we support it. | 1906 // For each protocol in server preference order, see if we support it. |
1907 for (unsigned int i = 0; i < inlen; i += in[i] + 1) { | 1907 for (unsigned int i = 0; i < inlen; i += in[i] + 1) { |
1908 for (NextProto next_proto : ssl_config_.next_protos) { | 1908 for (NextProto next_proto : ssl_config_.npn_protos) { |
1909 const std::string proto = NextProtoToString(next_proto); | 1909 const std::string proto = NextProtoToString(next_proto); |
1910 if (in[i] == proto.size() && | 1910 if (in[i] == proto.size() && |
1911 memcmp(&in[i + 1], proto.data(), in[i]) == 0) { | 1911 memcmp(&in[i + 1], proto.data(), in[i]) == 0) { |
1912 // We found a match. | 1912 // We found a match. |
1913 *out = const_cast<unsigned char*>(in) + i + 1; | 1913 *out = const_cast<unsigned char*>(in) + i + 1; |
1914 *outlen = in[i]; | 1914 *outlen = in[i]; |
1915 npn_status_ = kNextProtoNegotiated; | 1915 npn_status_ = kNextProtoNegotiated; |
1916 break; | 1916 break; |
1917 } | 1917 } |
1918 } | 1918 } |
1919 if (npn_status_ == kNextProtoNegotiated) | 1919 if (npn_status_ == kNextProtoNegotiated) |
1920 break; | 1920 break; |
1921 } | 1921 } |
1922 | 1922 |
1923 // If we didn't find a protocol, we select the last one from our list. | 1923 // If we didn't find a protocol, we select the last one from our list. |
1924 if (npn_status_ == kNextProtoNoOverlap) { | 1924 if (npn_status_ == kNextProtoNoOverlap) { |
1925 // NextProtoToString returns a pointer to a static string. | 1925 // NextProtoToString returns a pointer to a static string. |
1926 const char* proto = NextProtoToString(ssl_config_.next_protos.back()); | 1926 const char* proto = NextProtoToString(ssl_config_.npn_protos.back()); |
1927 *out = reinterpret_cast<unsigned char*>(const_cast<char*>(proto)); | 1927 *out = reinterpret_cast<unsigned char*>(const_cast<char*>(proto)); |
1928 *outlen = strlen(proto); | 1928 *outlen = strlen(proto); |
1929 } | 1929 } |
1930 | 1930 |
1931 npn_proto_.assign(reinterpret_cast<const char*>(*out), *outlen); | 1931 npn_proto_.assign(reinterpret_cast<const char*>(*out), *outlen); |
1932 DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_; | 1932 DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_; |
1933 set_negotiation_extension(kExtensionNPN); | 1933 set_negotiation_extension(kExtensionNPN); |
1934 return SSL_TLSEXT_ERR_OK; | 1934 return SSL_TLSEXT_ERR_OK; |
1935 } | 1935 } |
1936 | 1936 |
2151 OnHandshakeIOComplete(signature_result_); | 2151 OnHandshakeIOComplete(signature_result_); |
2152 return; | 2152 return; |
2153 } | 2153 } |
2154 | 2154 |
2155 // During a renegotiation, either Read or Write calls may be blocked on an | 2155 // During a renegotiation, either Read or Write calls may be blocked on an |
2156 // asynchronous private key operation. | 2156 // asynchronous private key operation. |
2157 PumpReadWriteEvents(); | 2157 PumpReadWriteEvents(); |
2158 } | 2158 } |
2159 | 2159 |
2160 } // namespace net | 2160 } // namespace net |
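Review bot: The HTTP/2 adequacy filter applied to the ALPN list at new lines 941-944 (HasCipherAdequateForHTTP2 / IsTLSVersionAdequateForHTTP2 → DisableHTTP2) has no counterpart for the NPN list in SelectNextProtoCallback, which at 1908 and 1926 iterates and falls back to ssl_config_.npn_protos exactly as configured. Now that the two lists are separate, if npn_protos can carry kProtoHTTP2 (it is populated outside this file, so I cannot confirm that here), the NPN path could still negotiate h2 over a cipher suite or TLS version that the ALPN path would refuse, which is the RFC 7540 §9.2 condition the ALPN branch is guarding against. Consider copying the list once at the top of the callback and filtering it the same way, `NextProtoVector npn_protos = ssl_config_.npn_protos;` followed by `if (!HasCipherAdequateForHTTP2(...) || !IsTLSVersionAdequateForHTTP2(ssl_config_)) DisableHTTP2(&npn_protos);`, and iterating that local copy at 1908 and 1926, with a comment noting the two filters must stay in step. Separately, the return value of SSL_set_alpn_protos at 946 is discarded; a failure there silently drops the ALPN extension, so logging it the way the SSL_set_cipher_list result is logged at 921 would make that diagnosable. The function containing the 929-948 hunk begins before line 919 and is not fully visible.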