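--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <errno.h>
@@ -85,78 +85,20 @@
 
 // TLS extension number use for Token Binding.
 const unsigned int kTbExtNum = 30033;
 
 // Token Binding ProtocolVersions supported.
 const uint8_t kTbProtocolVersionMajor = 0;
 const uint8_t kTbProtocolVersionMinor = 3;
 const uint8_t kTbMinProtocolVersionMajor = 0;
 const uint8_t kTbMinProtocolVersionMinor = 2;
 
-void FreeX509Stack(STACK_OF(X509)* ptr) {
-sk_X509_pop_free(ptr, X509_free);
-}
-
-using ScopedX509Stack = crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>;
-
-// Used for encoding the |connection_status| field of an SSLInfo object.
-int EncodeSSLConnectionStatus(uint16 cipher_suite,
-int compression,
-int version) {
-return cipher_suite |
-((compression & SSL_CONNECTION_COMPRESSION_MASK) <<
-SSL_CONNECTION_COMPRESSION_SHIFT) |
-((version & SSL_CONNECTION_VERSION_MASK) <<
-SSL_CONNECTION_VERSION_SHIFT);
-}
-
-// Returns the net SSL version number (see ssl_connection_status_flags.h) for
-// this SSL connection.
-int GetNetSSLVersion(SSL* ssl) {
-switch (SSL_version(ssl)) {
-case TLS1_VERSION:
-return SSL_CONNECTION_VERSION_TLS1;
-case TLS1_1_VERSION:
-return SSL_CONNECTION_VERSION_TLS1_1;
-case TLS1_2_VERSION:
-return SSL_CONNECTION_VERSION_TLS1_2;
-default:
-NOTREACHED();
-return SSL_CONNECTION_VERSION_UNKNOWN;
-}
-}
-
-ScopedX509 OSCertHandleToOpenSSL(
-X509Certificate::OSCertHandle os_handle) {
-#if defined(USE_OPENSSL_CERTS)
-return ScopedX509(X509Certificate::DupOSCertHandle(os_handle));
-#else // !defined(USE_OPENSSL_CERTS)
-std::string der_encoded;
-if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded))
-return ScopedX509();
-const uint8_t* bytes = reinterpret_cast<const uint8_t*>(der_encoded.data());
-return ScopedX509(d2i_X509(NULL, &bytes, der_encoded.size()));
-#endif // defined(USE_OPENSSL_CERTS)
-}
-
-ScopedX509Stack OSCertHandlesToOpenSSL(
-const X509Certificate::OSCertHandles& os_handles) {
-ScopedX509Stack stack(sk_X509_new_null());
-for (size_t i = 0; i < os_handles.size(); i++) {
-ScopedX509 x509 = OSCertHandleToOpenSSL(os_handles[i]);
-if (!x509)
-return ScopedX509Stack();
-sk_X509_push(stack.get(), x509.release());
-}
-return stack.Pass();
-}
-
 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) {
 switch (EVP_MD_type(md)) {
 case NID_md5_sha1:
 *hash = SSLPrivateKey::Hash::MD5_SHA1;
 return true;
 case NID_sha1:
 *hash = SSLPrivateKey::Hash::SHA1;
 return true;
 case NID_sha256:
 *hash = SSLPrivateKey::Hash::SHA256;
@@ -405,21 +347,21 @@
 bool empty() const {
 return size() == 0;
 }
 
 X509* Get(size_t index) const {
 DCHECK_LT(index, size());
 return sk_X509_value(openssl_chain_.get(), index);
 }
 
 private:
-ScopedX509Stack openssl_chain_;
+ScopedX509_STACK openssl_chain_;
 };
 
 SSLClientSocketOpenSSL::PeerCertificateChain&
 SSLClientSocketOpenSSL::PeerCertificateChain::operator=(
 const PeerCertificateChain& other) {
 if (this == &other)
 return *this;
 
 openssl_chain_.reset(X509_chain_up_ref(other.openssl_chain_.get()));
 return *this;
@@ -757,23 +699,25 @@
 ssl_info->pinning_failure_log = pinning_failure_log_;
 
 AddSCTInfoToSSLInfo(ssl_info);
 
 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_);
 CHECK(cipher);
 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL);
 ssl_info->key_exchange_info =
 SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_));
 
-ssl_info->connection_status = EncodeSSLConnectionStatus(
-static_cast<uint16>(SSL_CIPHER_get_id(cipher)), 0 /* no compression */,
-GetNetSSLVersion(ssl_));
+SSLConnectionStatusSetCipherSuite(
+static_cast<uint16>(SSL_CIPHER_get_id(cipher)),
+&ssl_info->connection_status);
+SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_),
+&ssl_info->connection_status);
 
 if (!SSL_get_secure_renegotiation_support(ssl_))
 ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
 
 if (ssl_config_.version_fallback)
 ssl_info->connection_status |= SSL_CONNECTION_VERSION_FALLBACK;
 
 ssl_info->handshake_type = SSL_session_reused(ssl_) ?
 SSLInfo::HANDSHAKE_RESUME : SSLInfo::HANDSHAKE_FULL;
 
@@ -1829,21 +1773,21 @@
 // Second pass: a client certificate should have been selected.
 if (ssl_config_.client_cert.get()) {
 ScopedX509 leaf_x509 =
 OSCertHandleToOpenSSL(ssl_config_.client_cert->os_cert_handle());
 if (!leaf_x509) {
 LOG(WARNING) << "Failed to import certificate";
 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT);
 return -1;
 }
 
-ScopedX509Stack chain = OSCertHandlesToOpenSSL(
+ScopedX509_STACK chain = OSCertHandlesToOpenSSL(
 ssl_config_.client_cert->GetIntermediateCertificates());
 if (!chain) {
 LOG(WARNING) << "Failed to import intermediate certificates";
 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT);
 return -1;
 }
 
 if (!SSL_use_certificate(ssl_, leaf_x509.get()) ||
 !SSL_set1_chain(ssl_, chain.get())) {
 LOG(WARNING) << "Failed to set client certificate";
@@ -2262,10 +2206,10 @@
 tb_was_negotiated_ = true;
 return 1;
 }
 }
 
 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER;
 return 0;
 }
 
 } // namespace net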
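Review bot: The new code at lines 709–713 no longer overwrites `ssl_info->connection_status` — the removed `EncodeSSLConnectionStatus` assignment reset the whole field, including the NO_RENEGOTIATION_EXTENSION and VERSION_FALLBACK bits, whereas `SSLConnectionStatusSetCipherSuite`/`SSLConnectionStatusSetVersion` presumably mask in only their own sub-fields, so the `|=` lines at 715–719 now accumulate onto whatever the field already held. If the enclosing function (its start is outside this hunk) does not reset `ssl_info` first, a reused SSLInfo could carry a stale fallback or missing-renegotiation flag into security-UI and policy decisions. Unless a reset is visible above, I would add `ssl_info->connection_status = 0;` immediately before the `SSLConnectionStatusSetCipherSuite(` call, or confirm that the two setters clear the field rather than OR into it.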