| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| (...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 88 | 88 |
| 89 // TLS extension number use for Token Binding. | 89 // TLS extension number use for Token Binding. |
| 90 const unsigned int kTbExtNum = 30033; | 90 const unsigned int kTbExtNum = 30033; |
| 91 | 91 |
| 92 // Token Binding ProtocolVersions supported. | 92 // Token Binding ProtocolVersions supported. |
| 93 const uint8_t kTbProtocolVersionMajor = 0; | 93 const uint8_t kTbProtocolVersionMajor = 0; |
| 94 const uint8_t kTbProtocolVersionMinor = 3; | 94 const uint8_t kTbProtocolVersionMinor = 3; |
| 95 const uint8_t kTbMinProtocolVersionMajor = 0; | 95 const uint8_t kTbMinProtocolVersionMajor = 0; |
| 96 const uint8_t kTbMinProtocolVersionMinor = 2; | 96 const uint8_t kTbMinProtocolVersionMinor = 2; |
| 97 | 97 |
| 98 void FreeX509Stack(STACK_OF(X509)* ptr) { | |
| 99 sk_X509_pop_free(ptr, X509_free); | |
| 100 } | |
| 101 | |
| 102 using ScopedX509Stack = crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>; | |
| 103 | |
| 104 // Used for encoding the |connection_status| field of an SSLInfo object. | |
| 105 int EncodeSSLConnectionStatus(uint16_t cipher_suite, | |
| 106 int compression, | |
| 107 int version) { | |
| 108 return cipher_suite | | |
| 109 ((compression & SSL_CONNECTION_COMPRESSION_MASK) << | |
| 110 SSL_CONNECTION_COMPRESSION_SHIFT) | | |
| 111 ((version & SSL_CONNECTION_VERSION_MASK) << | |
| 112 SSL_CONNECTION_VERSION_SHIFT); | |
| 113 } | |
| 114 | |
| 115 // Returns the net SSL version number (see ssl_connection_status_flags.h) for | |
| 116 // this SSL connection. | |
| 117 int GetNetSSLVersion(SSL* ssl) { | |
| 118 switch (SSL_version(ssl)) { | |
| 119 case TLS1_VERSION: | |
| 120 return SSL_CONNECTION_VERSION_TLS1; | |
| 121 case TLS1_1_VERSION: | |
| 122 return SSL_CONNECTION_VERSION_TLS1_1; | |
| 123 case TLS1_2_VERSION: | |
| 124 return SSL_CONNECTION_VERSION_TLS1_2; | |
| 125 default: | |
| 126 NOTREACHED(); | |
| 127 return SSL_CONNECTION_VERSION_UNKNOWN; | |
| 128 } | |
| 129 } | |
| 130 | |
| 131 ScopedX509 OSCertHandleToOpenSSL( | |
| 132 X509Certificate::OSCertHandle os_handle) { | |
| 133 #if defined(USE_OPENSSL_CERTS) | |
| 134 return ScopedX509(X509Certificate::DupOSCertHandle(os_handle)); | |
| 135 #else // !defined(USE_OPENSSL_CERTS) | |
| 136 std::string der_encoded; | |
| 137 if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded)) | |
| 138 return ScopedX509(); | |
| 139 const uint8_t* bytes = reinterpret_cast<const uint8_t*>(der_encoded.data()); | |
| 140 return ScopedX509(d2i_X509(NULL, &bytes, der_encoded.size())); | |
| 141 #endif // defined(USE_OPENSSL_CERTS) | |
| 142 } | |
| 143 | |
| 144 ScopedX509Stack OSCertHandlesToOpenSSL( | |
| 145 const X509Certificate::OSCertHandles& os_handles) { | |
| 146 ScopedX509Stack stack(sk_X509_new_null()); | |
| 147 for (size_t i = 0; i < os_handles.size(); i++) { | |
| 148 ScopedX509 x509 = OSCertHandleToOpenSSL(os_handles[i]); | |
| 149 if (!x509) | |
| 150 return ScopedX509Stack(); | |
| 151 sk_X509_push(stack.get(), x509.release()); | |
| 152 } | |
| 153 return stack; | |
| 154 } | |
| 155 | |
| 156 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) { | 98 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) { |
| 157 switch (EVP_MD_type(md)) { | 99 switch (EVP_MD_type(md)) { |
| 158 case NID_md5_sha1: | 100 case NID_md5_sha1: |
| 159 *hash = SSLPrivateKey::Hash::MD5_SHA1; | 101 *hash = SSLPrivateKey::Hash::MD5_SHA1; |
| 160 return true; | 102 return true; |
| 161 case NID_sha1: | 103 case NID_sha1: |
| 162 *hash = SSLPrivateKey::Hash::SHA1; | 104 *hash = SSLPrivateKey::Hash::SHA1; |
| 163 return true; | 105 return true; |
| 164 case NID_sha256: | 106 case NID_sha256: |
| 165 *hash = SSLPrivateKey::Hash::SHA256; | 107 *hash = SSLPrivateKey::Hash::SHA256; |
| (...skipping 634 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 800 ssl_info->pinning_failure_log = pinning_failure_log_; | 742 ssl_info->pinning_failure_log = pinning_failure_log_; |
| 801 | 743 |
| 802 AddSCTInfoToSSLInfo(ssl_info); | 744 AddSCTInfoToSSLInfo(ssl_info); |
| 803 | 745 |
| 804 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); | 746 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); |
| 805 CHECK(cipher); | 747 CHECK(cipher); |
| 806 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); | 748 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); |
| 807 ssl_info->key_exchange_info = | 749 ssl_info->key_exchange_info = |
| 808 SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_)); | 750 SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_)); |
| 809 | 751 |
| 810 ssl_info->connection_status = EncodeSSLConnectionStatus( | 752 SSLConnectionStatusSetCipherSuite( |
| 811 static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)), 0 /* no compression */, | 753 static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)), |
| 812 GetNetSSLVersion(ssl_)); | 754 &ssl_info->connection_status); |
| 755 SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_), |
| 756 &ssl_info->connection_status); |
| 813 | 757 |
| 814 if (!SSL_get_secure_renegotiation_support(ssl_)) | 758 if (!SSL_get_secure_renegotiation_support(ssl_)) |
| 815 ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; | 759 ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; |
| 816 | 760 |
| 817 if (ssl_config_.version_fallback) | 761 if (ssl_config_.version_fallback) |
| 818 ssl_info->connection_status |= SSL_CONNECTION_VERSION_FALLBACK; | 762 ssl_info->connection_status |= SSL_CONNECTION_VERSION_FALLBACK; |
| 819 | 763 |
| 820 ssl_info->handshake_type = SSL_session_reused(ssl_) ? | 764 ssl_info->handshake_type = SSL_session_reused(ssl_) ? |
| 821 SSLInfo::HANDSHAKE_RESUME : SSLInfo::HANDSHAKE_FULL; | 765 SSLInfo::HANDSHAKE_RESUME : SSLInfo::HANDSHAKE_FULL; |
| 822 | 766 |
| (...skipping 1481 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2304 tb_was_negotiated_ = true; | 2248 tb_was_negotiated_ = true; |
| 2305 return 1; | 2249 return 1; |
| 2306 } | 2250 } |
| 2307 } | 2251 } |
| 2308 | 2252 |
| 2309 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | 2253 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; |
| 2310 return 0; | 2254 return 0; |
| 2311 } | 2255 } |
| 2312 | 2256 |
| 2313 } // namespace net | 2257 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1474983003:
Support for client certs in ssl_server_socket. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master