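--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <errno.h>
@@ -87,78 +87,20 @@
 
 // TLS extension number use for Token Binding.
 const unsigned int kTbExtNum = 30033;
 
 // Token Binding ProtocolVersions supported.
 const uint8_t kTbProtocolVersionMajor = 0;
 const uint8_t kTbProtocolVersionMinor = 3;
 const uint8_t kTbMinProtocolVersionMajor = 0;
 const uint8_t kTbMinProtocolVersionMinor = 2;
 
-void FreeX509Stack(STACK_OF(X509)* ptr) {
-sk_X509_pop_free(ptr, X509_free);
-}
-
-using ScopedX509Stack = crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>;
-
-// Used for encoding the |connection_status| field of an SSLInfo object.
-int EncodeSSLConnectionStatus(uint16 cipher_suite,
-int compression,
-int version) {
-return cipher_suite |
-((compression & SSL_CONNECTION_COMPRESSION_MASK) <<
-SSL_CONNECTION_COMPRESSION_SHIFT) |
-((version & SSL_CONNECTION_VERSION_MASK) <<
-SSL_CONNECTION_VERSION_SHIFT);
-}
-
-// Returns the net SSL version number (see ssl_connection_status_flags.h) for
-// this SSL connection.
-int GetNetSSLVersion(SSL* ssl) {
-switch (SSL_version(ssl)) {
-case TLS1_VERSION:
-return SSL_CONNECTION_VERSION_TLS1;
-case TLS1_1_VERSION:
-return SSL_CONNECTION_VERSION_TLS1_1;
-case TLS1_2_VERSION:
-return SSL_CONNECTION_VERSION_TLS1_2;
-default:
-NOTREACHED();
-return SSL_CONNECTION_VERSION_UNKNOWN;
-}
-}
-
-ScopedX509 OSCertHandleToOpenSSL(
-X509Certificate::OSCertHandle os_handle) {
-#if defined(USE_OPENSSL_CERTS)
-return ScopedX509(X509Certificate::DupOSCertHandle(os_handle));
-#else // !defined(USE_OPENSSL_CERTS)
-std::string der_encoded;
-if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded))
-return ScopedX509();
-const uint8_t* bytes = reinterpret_cast<const uint8_t*>(der_encoded.data());
-return ScopedX509(d2i_X509(NULL, &bytes, der_encoded.size()));
-#endif // defined(USE_OPENSSL_CERTS)
-}
-
-ScopedX509Stack OSCertHandlesToOpenSSL(
-const X509Certificate::OSCertHandles& os_handles) {
-ScopedX509Stack stack(sk_X509_new_null());
-for (size_t i = 0; i < os_handles.size(); i++) {
-ScopedX509 x509 = OSCertHandleToOpenSSL(os_handles[i]);
-if (!x509)
-return ScopedX509Stack();
-sk_X509_push(stack.get(), x509.release());
-}
-return stack.Pass();
-}
-
 int LogErrorCallback(const char* str, size_t len, void* context) {
 LOG(ERROR) << base::StringPiece(str, len);
 return 1;
 }
 
 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) {
 switch (EVP_MD_type(md)) {
 case NID_md5_sha1:
 *hash = SSLPrivateKey::Hash::MD5_SHA1;
 return true;
@@ -1866,23 +1808,25 @@
 LOG(WARNING) << "Failed to set client certificate";
 return -1;
 }
 
 #if defined(OS_NACL)
 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
 return -1;
 #else
 // TODO(davidben): Lift this call up to the embedder so we can actually test
 // this code. https://crbug.com/394131
-private_key_ = FetchClientCertPrivateKey(
-ssl_config_.client_cert.get(),
-g_platform_key_task_runner.Get().task_runner());
+if (!private_key_) {
+private_key_ = FetchClientCertPrivateKey(
+ssl_config_.client_cert.get(),
+g_platform_key_task_runner.Get().task_runner());
+}
 if (!private_key_) {
 // Could not find the private key. Fail the handshake and surface an
 // appropriate error to the caller.
 LOG(WARNING) << "Client cert found without private key";
 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
 return -1;
 }
 
 SSL_set_private_key_method(ssl_, &SSLContext::kPrivateKeyMethod);
 
@@ -2307,11 +2251,19 @@
 tb_negotiated_param_ = ssl_config_.token_binding_params[i];
 tb_was_negotiated_ = true;
 return 1;
 }
 }
 
 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER;
 return 0;
 }
 
+void SSLClientSocketOpenSSL::ForceClientCertificateAndKeyForTesting(
+const scoped_refptr<X509Certificate>& client_cert,
+scoped_ptr<SSLPrivateKey> client_private_key) {
+ssl_config_.send_client_cert = true;
+ssl_config_.client_cert = client_cert;
+private_key_ = client_private_key.Pass();
+}
+
 } // namespace net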
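Review bot: The new `if (!private_key_)` guard around FetchClientCertPrivateKey (new lines 1818–1822) makes any key already held in private_key_ take precedence over the one the platform would look up for ssl_config_.client_cert, so the certificate/key pairing is no longer re-established at handshake time; with ForceClientCertificateAndKeyForTesting now able to set both, a mismatched pair from a test, or a key left over from an earlier handshake on the same socket if private_key_ is not reset elsewhere, would only surface as a signature failure at the peer rather than as a local error. It would help to state that intent on the guard, e.g. `// Keep a key injected via ForceClientCertificateAndKeyForTesting; otherwise look one up for the configured cert.`, and to make the test hook's ordering requirement explicit with `DCHECK(!ssl_);` (or a comment that it must be called before Connect()) since nothing in the new method checks that the handshake has not started. The function containing the guard starts and ends outside the hunk.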