| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| (...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 84 | 84 |
| 85 // TLS extension number use for Token Binding. | 85 // TLS extension number use for Token Binding. |
| 86 const unsigned int kTbExtNum = 30033; | 86 const unsigned int kTbExtNum = 30033; |
| 87 | 87 |
| 88 // Token Binding ProtocolVersions supported. | 88 // Token Binding ProtocolVersions supported. |
| 89 const uint8_t kTbProtocolVersionMajor = 0; | 89 const uint8_t kTbProtocolVersionMajor = 0; |
| 90 const uint8_t kTbProtocolVersionMinor = 4; | 90 const uint8_t kTbProtocolVersionMinor = 4; |
| 91 const uint8_t kTbMinProtocolVersionMajor = 0; | 91 const uint8_t kTbMinProtocolVersionMajor = 0; |
| 92 const uint8_t kTbMinProtocolVersionMinor = 3; | 92 const uint8_t kTbMinProtocolVersionMinor = 3; |
| 93 | 93 |
| 94 void FreeX509Stack(STACK_OF(X509)* ptr) { | |
| 95 sk_X509_pop_free(ptr, X509_free); | |
| 96 } | |
| 97 | |
| 98 using ScopedX509Stack = crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>; | |
| 99 | |
| 100 // Used for encoding the |connection_status| field of an SSLInfo object. | |
| 101 int EncodeSSLConnectionStatus(uint16_t cipher_suite, | |
| 102 int compression, | |
| 103 int version) { | |
| 104 return cipher_suite | | |
| 105 ((compression & SSL_CONNECTION_COMPRESSION_MASK) << | |
| 106 SSL_CONNECTION_COMPRESSION_SHIFT) | | |
| 107 ((version & SSL_CONNECTION_VERSION_MASK) << | |
| 108 SSL_CONNECTION_VERSION_SHIFT); | |
| 109 } | |
| 110 | |
| 111 // Returns the net SSL version number (see ssl_connection_status_flags.h) for | |
| 112 // this SSL connection. | |
| 113 int GetNetSSLVersion(SSL* ssl) { | |
| 114 switch (SSL_version(ssl)) { | |
| 115 case TLS1_VERSION: | |
| 116 return SSL_CONNECTION_VERSION_TLS1; | |
| 117 case TLS1_1_VERSION: | |
| 118 return SSL_CONNECTION_VERSION_TLS1_1; | |
| 119 case TLS1_2_VERSION: | |
| 120 return SSL_CONNECTION_VERSION_TLS1_2; | |
| 121 default: | |
| 122 NOTREACHED(); | |
| 123 return SSL_CONNECTION_VERSION_UNKNOWN; | |
| 124 } | |
| 125 } | |
| 126 | |
| 127 ScopedX509 OSCertHandleToOpenSSL( | |
| 128 X509Certificate::OSCertHandle os_handle) { | |
| 129 #if defined(USE_OPENSSL_CERTS) | |
| 130 return ScopedX509(X509Certificate::DupOSCertHandle(os_handle)); | |
| 131 #else // !defined(USE_OPENSSL_CERTS) | |
| 132 std::string der_encoded; | |
| 133 if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded)) | |
| 134 return ScopedX509(); | |
| 135 const uint8_t* bytes = reinterpret_cast<const uint8_t*>(der_encoded.data()); | |
| 136 return ScopedX509(d2i_X509(NULL, &bytes, der_encoded.size())); | |
| 137 #endif // defined(USE_OPENSSL_CERTS) | |
| 138 } | |
| 139 | |
| 140 ScopedX509Stack OSCertHandlesToOpenSSL( | |
| 141 const X509Certificate::OSCertHandles& os_handles) { | |
| 142 ScopedX509Stack stack(sk_X509_new_null()); | |
| 143 for (size_t i = 0; i < os_handles.size(); i++) { | |
| 144 ScopedX509 x509 = OSCertHandleToOpenSSL(os_handles[i]); | |
| 145 if (!x509) | |
| 146 return ScopedX509Stack(); | |
| 147 sk_X509_push(stack.get(), x509.release()); | |
| 148 } | |
| 149 return stack; | |
| 150 } | |
| 151 | |
| 152 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) { | 94 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) { |
| 153 switch (EVP_MD_type(md)) { | 95 switch (EVP_MD_type(md)) { |
| 154 case NID_md5_sha1: | 96 case NID_md5_sha1: |
| 155 *hash = SSLPrivateKey::Hash::MD5_SHA1; | 97 *hash = SSLPrivateKey::Hash::MD5_SHA1; |
| 156 return true; | 98 return true; |
| 157 case NID_sha1: | 99 case NID_sha1: |
| 158 *hash = SSLPrivateKey::Hash::SHA1; | 100 *hash = SSLPrivateKey::Hash::SHA1; |
| 159 return true; | 101 return true; |
| 160 case NID_sha256: | 102 case NID_sha256: |
| 161 *hash = SSLPrivateKey::Hash::SHA256; | 103 *hash = SSLPrivateKey::Hash::SHA256; |
| (...skipping 676 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 838 ssl_info->pinning_failure_log = pinning_failure_log_; | 780 ssl_info->pinning_failure_log = pinning_failure_log_; |
| 839 | 781 |
| 840 AddSCTInfoToSSLInfo(ssl_info); | 782 AddSCTInfoToSSLInfo(ssl_info); |
| 841 | 783 |
| 842 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); | 784 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); |
| 843 CHECK(cipher); | 785 CHECK(cipher); |
| 844 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); | 786 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); |
| 845 ssl_info->key_exchange_info = | 787 ssl_info->key_exchange_info = |
| 846 SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_)); | 788 SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_)); |
| 847 | 789 |
| 848 ssl_info->connection_status = EncodeSSLConnectionStatus( | 790 SSLConnectionStatusSetCipherSuite( |
| 849 static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)), 0 /* no compression */, | 791 static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)), |
| 850 GetNetSSLVersion(ssl_)); | 792 &ssl_info->connection_status); |
| 793 SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_), |
| 794 &ssl_info->connection_status); |
| 851 | 795 |
| 852 if (!SSL_get_secure_renegotiation_support(ssl_)) | 796 if (!SSL_get_secure_renegotiation_support(ssl_)) |
| 853 ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; | 797 ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; |
| 854 | 798 |
| 855 if (ssl_config_.version_fallback) | 799 if (ssl_config_.version_fallback) |
| 856 ssl_info->connection_status |= SSL_CONNECTION_VERSION_FALLBACK; | 800 ssl_info->connection_status |= SSL_CONNECTION_VERSION_FALLBACK; |
| 857 | 801 |
| 858 ssl_info->handshake_type = SSL_session_reused(ssl_) ? | 802 ssl_info->handshake_type = SSL_session_reused(ssl_) ? |
| 859 SSLInfo::HANDSHAKE_RESUME : SSLInfo::HANDSHAKE_FULL; | 803 SSLInfo::HANDSHAKE_RESUME : SSLInfo::HANDSHAKE_FULL; |
| 860 | 804 |
| (...skipping 1469 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2330 tb_was_negotiated_ = true; | 2274 tb_was_negotiated_ = true; |
| 2331 return 1; | 2275 return 1; |
| 2332 } | 2276 } |
| 2333 } | 2277 } |
| 2334 | 2278 |
| 2335 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | 2279 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; |
| 2336 return 0; | 2280 return 0; |
| 2337 } | 2281 } |
| 2338 | 2282 |
| 2339 } // namespace net | 2283 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1474983003:
Support for client certs in ssl_server_socket. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master