Support for client certs in ssl_server_socket.

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <errno.h>
@@ skipping 77 matching lines @@
 
 // TLS extension number use for Token Binding.
 const unsigned int kTbExtNum = 30033;
 
 // Token Binding ProtocolVersions supported.
 const uint8_t kTbProtocolVersionMajor = 0;
 const uint8_t kTbProtocolVersionMinor = 3;
 const uint8_t kTbMinProtocolVersionMajor = 0;
 const uint8_t kTbMinProtocolVersionMinor = 2;
 
-void FreeX509Stack(STACK_OF(X509)* ptr) {
-  sk_X509_pop_free(ptr, X509_free);
-}
-
-using ScopedX509Stack = crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>;
-
-// Used for encoding the |connection_status| field of an SSLInfo object.
-int EncodeSSLConnectionStatus(uint16_t cipher_suite,
-                              int compression,
-                              int version) {
-  return cipher_suite |
-         ((compression & SSL_CONNECTION_COMPRESSION_MASK) <<
-          SSL_CONNECTION_COMPRESSION_SHIFT) |
-         ((version & SSL_CONNECTION_VERSION_MASK) <<
-          SSL_CONNECTION_VERSION_SHIFT);
-}
-
-// Returns the net SSL version number (see ssl_connection_status_flags.h) for
-// this SSL connection.
-int GetNetSSLVersion(SSL* ssl) {
-  switch (SSL_version(ssl)) {
-    case TLS1_VERSION:
-      return SSL_CONNECTION_VERSION_TLS1;
-    case TLS1_1_VERSION:
-      return SSL_CONNECTION_VERSION_TLS1_1;
-    case TLS1_2_VERSION:
-      return SSL_CONNECTION_VERSION_TLS1_2;
-    default:
-      NOTREACHED();
-      return SSL_CONNECTION_VERSION_UNKNOWN;
-  }
-}
-
-ScopedX509 OSCertHandleToOpenSSL(
-    X509Certificate::OSCertHandle os_handle) {
-#if defined(USE_OPENSSL_CERTS)
-  return ScopedX509(X509Certificate::DupOSCertHandle(os_handle));
-#else  // !defined(USE_OPENSSL_CERTS)
-  std::string der_encoded;
-  if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded))
-    return ScopedX509();
-  const uint8_t* bytes = reinterpret_cast<const uint8_t*>(der_encoded.data());
-  return ScopedX509(d2i_X509(NULL, &bytes, der_encoded.size()));
-#endif  // defined(USE_OPENSSL_CERTS)
-}
-
-ScopedX509Stack OSCertHandlesToOpenSSL(
-    const X509Certificate::OSCertHandles& os_handles) {
-  ScopedX509Stack stack(sk_X509_new_null());
-  for (size_t i = 0; i < os_handles.size(); i++) {
-    ScopedX509 x509 = OSCertHandleToOpenSSL(os_handles[i]);
-    if (!x509)
-      return ScopedX509Stack();
-    sk_X509_push(stack.get(), x509.release());
-  }
-  return stack;
-}
-
 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) {
   switch (EVP_MD_type(md)) {
     case NID_md5_sha1:
       *hash = SSLPrivateKey::Hash::MD5_SHA1;
       return true;
     case NID_sha1:
       *hash = SSLPrivateKey::Hash::SHA1;
       return true;
     case NID_sha256:
       *hash = SSLPrivateKey::Hash::SHA256;
@@ skipping 282 matching lines @@
   bool empty() const {
     return size() == 0;
   }
 
   X509* Get(size_t index) const {
     DCHECK_LT(index, size());
     return sk_X509_value(openssl_chain_.get(), index);
   }
 
  private:
-  ScopedX509Stack openssl_chain_;
+  ScopedX509_STACK openssl_chain_;
 };
 
 SSLClientSocketOpenSSL::PeerCertificateChain&
 SSLClientSocketOpenSSL::PeerCertificateChain::operator=(
     const PeerCertificateChain& other) {
   if (this == &other)
     return *this;
 
   openssl_chain_.reset(X509_chain_up_ref(other.openssl_chain_.get()));
   return *this;
@@ skipping 331 matching lines @@
   ssl_info->pinning_failure_log = pinning_failure_log_;
 
   AddSCTInfoToSSLInfo(ssl_info);
 
   const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_);
   CHECK(cipher);
   ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL);
   ssl_info->key_exchange_info =
       SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_));
 
-  ssl_info->connection_status = EncodeSSLConnectionStatus(
-      static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)), 0 /* no compression */,
-      GetNetSSLVersion(ssl_));
+  SSLConnectionStatusSetCipherSuite(
+      static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)),
+      &ssl_info->connection_status);
+  SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_),
+                                &ssl_info->connection_status);

[davidben, 2016/01/25 20:56:10]

Why did this change?

[ryanchung, 2016/01/29 23:22:12]

You mentioned compression doesn't exists anymore and that there's
SSLConnectionStatusSetCipherSuite and SSLConnectionStatusSetVersion so I
interpreted that I should remove EncodeSSLConnectionStatus. Please correct me if
I interpreted this wrong.

Quote:

[davidben, 2016/02/04 00:40:11]

Derp! Sorry, my bad. I wasn't paying attention and completely forgot
EncodeSSLConnectionStatus was part of this file.

 
   if (!SSL_get_secure_renegotiation_support(ssl_))
     ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
 
   if (ssl_config_.version_fallback)
     ssl_info->connection_status |= SSL_CONNECTION_VERSION_FALLBACK;
 
   ssl_info->handshake_type = SSL_session_reused(ssl_) ?
       SSLInfo::HANDSHAKE_RESUME : SSLInfo::HANDSHAKE_FULL;
 
@@ skipping 1045 matching lines @@
   // Second pass: a client certificate should have been selected.
   if (ssl_config_.client_cert.get()) {
     ScopedX509 leaf_x509 =
         OSCertHandleToOpenSSL(ssl_config_.client_cert->os_cert_handle());
     if (!leaf_x509) {
       LOG(WARNING) << "Failed to import certificate";
       OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT);
       return -1;
     }
 
-    ScopedX509Stack chain = OSCertHandlesToOpenSSL(
+    ScopedX509_STACK chain = OSCertHandlesToOpenSSL(
         ssl_config_.client_cert->GetIntermediateCertificates());
     if (!chain) {
       LOG(WARNING) << "Failed to import intermediate certificates";
       OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT);
       return -1;
     }
 
     if (!SSL_use_certificate(ssl_, leaf_x509.get()) ||
         !SSL_set1_chain(ssl_, chain.get())) {
       LOG(WARNING) << "Failed to set client certificate";
@@ skipping 415 matching lines @@
       tb_was_negotiated_ = true;
       return 1;
     }
   }
 
   *out_alert_value = SSL_AD_ILLEGAL_PARAMETER;
   return 0;
 }
 
 }  // namespace net