| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_server_socket_openssl.h" | 5 #include "net/socket/ssl_server_socket_openssl.h" |
| 6 | 6 |
| 7 #include <openssl/err.h> | 7 #include <openssl/err.h> |
| 8 #include <openssl/ssl.h> | 8 #include <openssl/ssl.h> |
| 9 #include <utility> | 9 #include <utility> |
| 10 | 10 |
| 11 #include "base/callback_helpers.h" | 11 #include "base/callback_helpers.h" |
| 12 #include "base/logging.h" | 12 #include "base/logging.h" |
| 13 #include "base/strings/string_util.h" | 13 #include "base/strings/string_util.h" |
| 14 #include "crypto/openssl_util.h" | 14 #include "crypto/openssl_util.h" |
| 15 #include "crypto/rsa_private_key.h" | 15 #include "crypto/rsa_private_key.h" |
| 16 #include "crypto/scoped_openssl_types.h" | 16 #include "crypto/scoped_openssl_types.h" |
| 17 #include "net/base/net_errors.h" | 17 #include "net/base/net_errors.h" |
| 18 #include "net/cert/cert_verify_result.h" | 18 #include "net/cert/cert_verify_result.h" |
| 19 #include "net/cert/client_cert_verifier.h" | 19 #include "net/cert/client_cert_verifier.h" |
| 20 #include "net/cert/x509_util_openssl.h" | 20 #include "net/cert/x509_util_openssl.h" |
| 21 #include "net/ssl/openssl_ssl_util.h" | 21 #include "net/ssl/openssl_ssl_util.h" |
| 22 #include "net/ssl/scoped_openssl_types.h" | |
| 23 #include "net/ssl/ssl_connection_status_flags.h" | 22 #include "net/ssl/ssl_connection_status_flags.h" |
| 24 #include "net/ssl/ssl_info.h" | 23 #include "net/ssl/ssl_info.h" |
| 25 | 24 |
| 26 #define GotoState(s) next_handshake_state_ = s | 25 #define GotoState(s) next_handshake_state_ = s |
| 27 | 26 |
| 28 namespace net { | 27 namespace net { |
| 29 | 28 |
| 30 namespace { | 29 namespace { |
| 31 | 30 |
| 32 // Creates an X509Certificate out of the concatenation of |cert|, if non-null, | 31 // Creates an X509Certificate out of the concatenation of |cert|, if non-null, |
| (...skipping 12 matching lines...) Expand all Loading... |
| 45 for (size_t i = 0; i < sk_X509_num(chain); ++i) { | 44 for (size_t i = 0; i < sk_X509_num(chain); ++i) { |
| 46 X509* x = sk_X509_value(chain, i); | 45 X509* x = sk_X509_value(chain, i); |
| 47 if (!x509_util::GetDER(x, &der_cert)) | 46 if (!x509_util::GetDER(x, &der_cert)) |
| 48 return nullptr; | 47 return nullptr; |
| 49 der_chain.push_back(der_cert); | 48 der_chain.push_back(der_cert); |
| 50 } | 49 } |
| 51 | 50 |
| 52 return X509Certificate::CreateFromDERCertChain(der_chain); | 51 return X509Certificate::CreateFromDERCertChain(der_chain); |
| 53 } | 52 } |
| 54 | 53 |
| 55 } // namespace | 54 class SSLServerSocketOpenSSL : public SSLServerSocket { |
| 55 public: |
| 56 // See comments on CreateSSLServerSocket for details of how these |
| 57 // parameters are used. |
| 58 SSLServerSocketOpenSSL(scoped_ptr<StreamSocket> socket, SSL* ssl); |
| 59 ~SSLServerSocketOpenSSL() override; |
| 56 | 60 |
| 57 void EnableSSLServerSockets() { | 61 // SSLServerSocket interface. |
| 58 // No-op because CreateSSLServerSocket() calls crypto::EnsureOpenSSLInit(). | 62 int Handshake(const CompletionCallback& callback) override; |
| 59 } | |
| 60 | 63 |
| 61 scoped_ptr<SSLServerSocket> CreateSSLServerSocket( | 64 // SSLSocket interface. |
| 62 scoped_ptr<StreamSocket> socket, | 65 int ExportKeyingMaterial(const base::StringPiece& label, |
| 63 X509Certificate* certificate, | 66 bool has_context, |
| 64 const crypto::RSAPrivateKey& key, | 67 const base::StringPiece& context, |
| 65 const SSLServerConfig& ssl_server_config) { | 68 unsigned char* out, |
| 66 crypto::EnsureOpenSSLInit(); | 69 unsigned int outlen) override; |
| 67 return scoped_ptr<SSLServerSocket>(new SSLServerSocketOpenSSL( | 70 int GetTLSUniqueChannelBinding(std::string* out) override; |
| 68 std::move(socket), certificate, key, ssl_server_config)); | 71 |
| 69 } | 72 // Socket interface (via StreamSocket). |
| 73 int Read(IOBuffer* buf, |
| 74 int buf_len, |
| 75 const CompletionCallback& callback) override; |
| 76 int Write(IOBuffer* buf, |
| 77 int buf_len, |
| 78 const CompletionCallback& callback) override; |
| 79 int SetReceiveBufferSize(int32_t size) override; |
| 80 int SetSendBufferSize(int32_t size) override; |
| 81 |
| 82 // StreamSocket implementation. |
| 83 int Connect(const CompletionCallback& callback) override; |
| 84 void Disconnect() override; |
| 85 bool IsConnected() const override; |
| 86 bool IsConnectedAndIdle() const override; |
| 87 int GetPeerAddress(IPEndPoint* address) const override; |
| 88 int GetLocalAddress(IPEndPoint* address) const override; |
| 89 const BoundNetLog& NetLog() const override; |
| 90 void SetSubresourceSpeculation() override; |
| 91 void SetOmniboxSpeculation() override; |
| 92 bool WasEverUsed() const override; |
| 93 bool UsingTCPFastOpen() const override; |
| 94 bool WasNpnNegotiated() const override; |
| 95 NextProto GetNegotiatedProtocol() const override; |
| 96 bool GetSSLInfo(SSLInfo* ssl_info) override; |
| 97 void GetConnectionAttempts(ConnectionAttempts* out) const override; |
| 98 void ClearConnectionAttempts() override {} |
| 99 void AddConnectionAttempts(const ConnectionAttempts& attempts) override {} |
| 100 int64_t GetTotalReceivedBytes() const override; |
| 101 static int CertVerifyCallback(X509_STORE_CTX* store_ctx, void* arg); |
| 102 |
| 103 private: |
| 104 enum State { |
| 105 STATE_NONE, |
| 106 STATE_HANDSHAKE, |
| 107 }; |
| 108 |
| 109 void OnSendComplete(int result); |
| 110 void OnRecvComplete(int result); |
| 111 void OnHandshakeIOComplete(int result); |
| 112 |
| 113 int BufferSend(); |
| 114 void BufferSendComplete(int result); |
| 115 void TransportWriteComplete(int result); |
| 116 int BufferRecv(); |
| 117 void BufferRecvComplete(int result); |
| 118 int TransportReadComplete(int result); |
| 119 bool DoTransportIO(); |
| 120 int DoPayloadRead(); |
| 121 int DoPayloadWrite(); |
| 122 |
| 123 int DoHandshakeLoop(int last_io_result); |
| 124 int DoReadLoop(int result); |
| 125 int DoWriteLoop(int result); |
| 126 int DoHandshake(); |
| 127 void DoHandshakeCallback(int result); |
| 128 void DoReadCallback(int result); |
| 129 void DoWriteCallback(int result); |
| 130 |
| 131 int Init(); |
| 132 void ExtractClientCert(); |
| 133 |
| 134 // Members used to send and receive buffer. |
| 135 bool transport_send_busy_; |
| 136 bool transport_recv_busy_; |
| 137 bool transport_recv_eof_; |
| 138 |
| 139 scoped_refptr<DrainableIOBuffer> send_buffer_; |
| 140 scoped_refptr<IOBuffer> recv_buffer_; |
| 141 |
| 142 BoundNetLog net_log_; |
| 143 |
| 144 CompletionCallback user_handshake_callback_; |
| 145 CompletionCallback user_read_callback_; |
| 146 CompletionCallback user_write_callback_; |
| 147 |
| 148 // Used by Read function. |
| 149 scoped_refptr<IOBuffer> user_read_buf_; |
| 150 int user_read_buf_len_; |
| 151 |
| 152 // Used by Write function. |
| 153 scoped_refptr<IOBuffer> user_write_buf_; |
| 154 int user_write_buf_len_; |
| 155 |
| 156 // Used by TransportWriteComplete() and TransportReadComplete() to signify an |
| 157 // error writing to the transport socket. A value of OK indicates no error. |
| 158 int transport_write_error_; |
| 159 |
| 160 // OpenSSL stuff |
| 161 SSL* ssl_; |
| 162 BIO* transport_bio_; |
| 163 |
| 164 // StreamSocket for sending and receiving data. |
| 165 scoped_ptr<StreamSocket> transport_socket_; |
| 166 |
| 167 // Certificate for the client. |
| 168 scoped_refptr<X509Certificate> client_cert_; |
| 169 |
| 170 State next_handshake_state_; |
| 171 bool completed_handshake_; |
| 172 |
| 173 DISALLOW_COPY_AND_ASSIGN(SSLServerSocketOpenSSL); |
| 174 }; |
| 70 | 175 |
| 71 SSLServerSocketOpenSSL::SSLServerSocketOpenSSL( | 176 SSLServerSocketOpenSSL::SSLServerSocketOpenSSL( |
| 72 scoped_ptr<StreamSocket> transport_socket, | 177 scoped_ptr<StreamSocket> transport_socket, |
| 73 scoped_refptr<X509Certificate> certificate, | 178 SSL* ssl) |
| 74 const crypto::RSAPrivateKey& key, | |
| 75 const SSLServerConfig& ssl_server_config) | |
| 76 : transport_send_busy_(false), | 179 : transport_send_busy_(false), |
| 77 transport_recv_busy_(false), | 180 transport_recv_busy_(false), |
| 78 transport_recv_eof_(false), | 181 transport_recv_eof_(false), |
| 79 user_read_buf_len_(0), | 182 user_read_buf_len_(0), |
| 80 user_write_buf_len_(0), | 183 user_write_buf_len_(0), |
| 81 transport_write_error_(OK), | 184 transport_write_error_(OK), |
| 82 ssl_(NULL), | 185 ssl_(ssl), |
| 83 transport_bio_(NULL), | 186 transport_bio_(NULL), |
| 84 transport_socket_(std::move(transport_socket)), | 187 transport_socket_(std::move(transport_socket)), |
| 85 ssl_server_config_(ssl_server_config), | |
| 86 cert_(certificate), | |
| 87 key_(key.Copy()), | |
| 88 next_handshake_state_(STATE_NONE), | 188 next_handshake_state_(STATE_NONE), |
| 89 completed_handshake_(false) { | 189 completed_handshake_(false) {} |
| 90 CHECK(key_); | |
| 91 } | |
| 92 | 190 |
| 93 SSLServerSocketOpenSSL::~SSLServerSocketOpenSSL() { | 191 SSLServerSocketOpenSSL::~SSLServerSocketOpenSSL() { |
| 94 if (ssl_) { | 192 if (ssl_) { |
| 95 // Calling SSL_shutdown prevents the session from being marked as | 193 // Calling SSL_shutdown prevents the session from being marked as |
| 96 // unresumable. | 194 // unresumable. |
| 97 SSL_shutdown(ssl_); | 195 SSL_shutdown(ssl_); |
| 98 SSL_free(ssl_); | 196 SSL_free(ssl_); |
| 99 ssl_ = NULL; | 197 ssl_ = NULL; |
| 100 } | 198 } |
| 101 if (transport_bio_) { | 199 if (transport_bio_) { |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 153 return MapOpenSSLError(ssl_error, err_tracer); | 251 return MapOpenSSLError(ssl_error, err_tracer); |
| 154 } | 252 } |
| 155 return OK; | 253 return OK; |
| 156 } | 254 } |
| 157 | 255 |
| 158 int SSLServerSocketOpenSSL::GetTLSUniqueChannelBinding(std::string* out) { | 256 int SSLServerSocketOpenSSL::GetTLSUniqueChannelBinding(std::string* out) { |
| 159 NOTIMPLEMENTED(); | 257 NOTIMPLEMENTED(); |
| 160 return ERR_NOT_IMPLEMENTED; | 258 return ERR_NOT_IMPLEMENTED; |
| 161 } | 259 } |
| 162 | 260 |
| 163 int SSLServerSocketOpenSSL::Read(IOBuffer* buf, int buf_len, | 261 int SSLServerSocketOpenSSL::Read(IOBuffer* buf, |
| 262 int buf_len, |
| 164 const CompletionCallback& callback) { | 263 const CompletionCallback& callback) { |
| 165 DCHECK(user_read_callback_.is_null()); | 264 DCHECK(user_read_callback_.is_null()); |
| 166 DCHECK(user_handshake_callback_.is_null()); | 265 DCHECK(user_handshake_callback_.is_null()); |
| 167 DCHECK(!user_read_buf_); | 266 DCHECK(!user_read_buf_); |
| 168 DCHECK(!callback.is_null()); | 267 DCHECK(!callback.is_null()); |
| 169 | 268 |
| 170 user_read_buf_ = buf; | 269 user_read_buf_ = buf; |
| 171 user_read_buf_len_ = buf_len; | 270 user_read_buf_len_ = buf_len; |
| 172 | 271 |
| 173 DCHECK(completed_handshake_); | 272 DCHECK(completed_handshake_); |
| 174 | 273 |
| 175 int rv = DoReadLoop(OK); | 274 int rv = DoReadLoop(OK); |
| 176 | 275 |
| 177 if (rv == ERR_IO_PENDING) { | 276 if (rv == ERR_IO_PENDING) { |
| 178 user_read_callback_ = callback; | 277 user_read_callback_ = callback; |
| 179 } else { | 278 } else { |
| 180 user_read_buf_ = NULL; | 279 user_read_buf_ = NULL; |
| 181 user_read_buf_len_ = 0; | 280 user_read_buf_len_ = 0; |
| 182 } | 281 } |
| 183 | 282 |
| 184 return rv; | 283 return rv; |
| 185 } | 284 } |
| 186 | 285 |
| 187 int SSLServerSocketOpenSSL::Write(IOBuffer* buf, int buf_len, | 286 int SSLServerSocketOpenSSL::Write(IOBuffer* buf, |
| 287 int buf_len, |
| 188 const CompletionCallback& callback) { | 288 const CompletionCallback& callback) { |
| 189 DCHECK(user_write_callback_.is_null()); | 289 DCHECK(user_write_callback_.is_null()); |
| 190 DCHECK(!user_write_buf_); | 290 DCHECK(!user_write_buf_); |
| 191 DCHECK(!callback.is_null()); | 291 DCHECK(!callback.is_null()); |
| 192 | 292 |
| 193 user_write_buf_ = buf; | 293 user_write_buf_ = buf; |
| 194 user_write_buf_len_ = buf_len; | 294 user_write_buf_len_ = buf_len; |
| 195 | 295 |
| 196 int rv = DoWriteLoop(OK); | 296 int rv = DoWriteLoop(OK); |
| 197 | 297 |
| (...skipping 172 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 370 size_t max_read = BIO_pending(transport_bio_); | 470 size_t max_read = BIO_pending(transport_bio_); |
| 371 if (!max_read) | 471 if (!max_read) |
| 372 return 0; // Nothing pending in the OpenSSL write BIO. | 472 return 0; // Nothing pending in the OpenSSL write BIO. |
| 373 send_buffer_ = new DrainableIOBuffer(new IOBuffer(max_read), max_read); | 473 send_buffer_ = new DrainableIOBuffer(new IOBuffer(max_read), max_read); |
| 374 int read_bytes = BIO_read(transport_bio_, send_buffer_->data(), max_read); | 474 int read_bytes = BIO_read(transport_bio_, send_buffer_->data(), max_read); |
| 375 DCHECK_GT(read_bytes, 0); | 475 DCHECK_GT(read_bytes, 0); |
| 376 CHECK_EQ(static_cast<int>(max_read), read_bytes); | 476 CHECK_EQ(static_cast<int>(max_read), read_bytes); |
| 377 } | 477 } |
| 378 | 478 |
| 379 int rv = transport_socket_->Write( | 479 int rv = transport_socket_->Write( |
| 380 send_buffer_.get(), | 480 send_buffer_.get(), send_buffer_->BytesRemaining(), |
| 381 send_buffer_->BytesRemaining(), | |
| 382 base::Bind(&SSLServerSocketOpenSSL::BufferSendComplete, | 481 base::Bind(&SSLServerSocketOpenSSL::BufferSendComplete, |
| 383 base::Unretained(this))); | 482 base::Unretained(this))); |
| 384 if (rv == ERR_IO_PENDING) { | 483 if (rv == ERR_IO_PENDING) { |
| 385 transport_send_busy_ = true; | 484 transport_send_busy_ = true; |
| 386 } else { | 485 } else { |
| 387 TransportWriteComplete(rv); | 486 TransportWriteComplete(rv); |
| 388 } | 487 } |
| 389 return rv; | 488 return rv; |
| 390 } | 489 } |
| 391 | 490 |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 443 // (and constantly allocating new IOBuffers), a single Read() request to | 542 // (and constantly allocating new IOBuffers), a single Read() request to |
| 444 // fill |transport_bio_| is issued. As long as an SSL client socket cannot | 543 // fill |transport_bio_| is issued. As long as an SSL client socket cannot |
| 445 // be gracefully shutdown (via SSL close alerts) and re-used for non-SSL | 544 // be gracefully shutdown (via SSL close alerts) and re-used for non-SSL |
| 446 // traffic, this over-subscribed Read()ing will not cause issues. | 545 // traffic, this over-subscribed Read()ing will not cause issues. |
| 447 size_t max_write = BIO_ctrl_get_write_guarantee(transport_bio_); | 546 size_t max_write = BIO_ctrl_get_write_guarantee(transport_bio_); |
| 448 if (!max_write) | 547 if (!max_write) |
| 449 return ERR_IO_PENDING; | 548 return ERR_IO_PENDING; |
| 450 | 549 |
| 451 recv_buffer_ = new IOBuffer(max_write); | 550 recv_buffer_ = new IOBuffer(max_write); |
| 452 int rv = transport_socket_->Read( | 551 int rv = transport_socket_->Read( |
| 453 recv_buffer_.get(), | 552 recv_buffer_.get(), max_write, |
| 454 max_write, | |
| 455 base::Bind(&SSLServerSocketOpenSSL::BufferRecvComplete, | 553 base::Bind(&SSLServerSocketOpenSSL::BufferRecvComplete, |
| 456 base::Unretained(this))); | 554 base::Unretained(this))); |
| 457 if (rv == ERR_IO_PENDING) { | 555 if (rv == ERR_IO_PENDING) { |
| 458 transport_recv_busy_ = true; | 556 transport_recv_busy_ = true; |
| 459 } else { | 557 } else { |
| 460 rv = TransportReadComplete(rv); | 558 rv = TransportReadComplete(rv); |
| 461 } | 559 } |
| 462 return rv; | 560 return rv; |
| 463 } | 561 } |
| 464 | 562 |
| (...skipping 209 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 674 void SSLServerSocketOpenSSL::DoWriteCallback(int rv) { | 772 void SSLServerSocketOpenSSL::DoWriteCallback(int rv) { |
| 675 DCHECK(rv != ERR_IO_PENDING); | 773 DCHECK(rv != ERR_IO_PENDING); |
| 676 DCHECK(!user_write_callback_.is_null()); | 774 DCHECK(!user_write_callback_.is_null()); |
| 677 | 775 |
| 678 user_write_buf_ = NULL; | 776 user_write_buf_ = NULL; |
| 679 user_write_buf_len_ = 0; | 777 user_write_buf_len_ = 0; |
| 680 base::ResetAndReturn(&user_write_callback_).Run(rv); | 778 base::ResetAndReturn(&user_write_callback_).Run(rv); |
| 681 } | 779 } |
| 682 | 780 |
| 683 int SSLServerSocketOpenSSL::Init() { | 781 int SSLServerSocketOpenSSL::Init() { |
| 684 DCHECK(!ssl_); | |
| 685 DCHECK(!transport_bio_); | 782 DCHECK(!transport_bio_); |
| 686 | 783 |
| 687 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 784 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 688 | 785 |
| 689 ScopedSSL_CTX ssl_ctx(SSL_CTX_new(TLS_method())); | |
| 690 int verify_mode = 0; | |
| 691 switch (ssl_server_config_.client_cert_type) { | |
| 692 case SSLServerConfig::ClientCertType::REQUIRE_CLIENT_CERT: | |
| 693 verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; | |
| 694 // Fall-through | |
| 695 case SSLServerConfig::ClientCertType::OPTIONAL_CLIENT_CERT: | |
| 696 verify_mode |= SSL_VERIFY_PEER; | |
| 697 SSL_CTX_set_verify(ssl_ctx.get(), verify_mode, nullptr); | |
| 698 SSL_CTX_set_cert_verify_callback(ssl_ctx.get(), CertVerifyCallback, | |
| 699 ssl_server_config_.client_cert_verifier); | |
| 700 break; | |
| 701 case SSLServerConfig::ClientCertType::NO_CLIENT_CERT: | |
| 702 break; | |
| 703 } | |
| 704 ssl_ = SSL_new(ssl_ctx.get()); | |
| 705 if (!ssl_) | 786 if (!ssl_) |
| 706 return ERR_UNEXPECTED; | 787 return ERR_UNEXPECTED; |
| 707 | 788 |
| 708 BIO* ssl_bio = NULL; | 789 BIO* ssl_bio = NULL; |
| 709 // 0 => use default buffer sizes. | 790 // 0 => use default buffer sizes. |
| 710 if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_, 0)) | 791 if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_, 0)) |
| 711 return ERR_UNEXPECTED; | 792 return ERR_UNEXPECTED; |
| 712 DCHECK(ssl_bio); | 793 DCHECK(ssl_bio); |
| 713 DCHECK(transport_bio_); | 794 DCHECK(transport_bio_); |
| 714 | 795 |
| 715 SSL_set_bio(ssl_, ssl_bio, ssl_bio); | 796 SSL_set_bio(ssl_, ssl_bio, ssl_bio); |
| 716 | 797 |
| 798 return OK; |
| 799 } |
| 800 |
| 801 // static |
| 802 int SSLServerSocketOpenSSL::CertVerifyCallback(X509_STORE_CTX* store_ctx, |
| 803 void* arg) { |
| 804 ClientCertVerifier* verifier = reinterpret_cast<ClientCertVerifier*>(arg); |
| 805 // If a verifier was not supplied, all certificates are accepted. |
| 806 if (!verifier) |
| 807 return 1; |
| 808 STACK_OF(X509)* chain = store_ctx->untrusted; |
| 809 scoped_refptr<X509Certificate> client_cert( |
| 810 CreateX509Certificate(nullptr, chain)); |
| 811 if (!client_cert.get()) { |
| 812 X509_STORE_CTX_set_error(store_ctx, X509_V_ERR_CERT_REJECTED); |
| 813 return 0; |
| 814 } |
| 815 // Asynchronous completion of Verify is currently not supported. |
| 816 // http://crbug.com/347402 |
| 817 // The API for Verify supports the parts needed for async completion |
| 818 // but is currently expected to complete synchronously. |
| 819 scoped_ptr<ClientCertVerifier::Request> ignore_async; |
| 820 int res = |
| 821 verifier->Verify(client_cert.get(), CompletionCallback(), &ignore_async); |
| 822 DCHECK_NE(res, ERR_IO_PENDING); |
| 823 |
| 824 if (res != OK) { |
| 825 X509_STORE_CTX_set_error(store_ctx, X509_V_ERR_CERT_REJECTED); |
| 826 return 0; |
| 827 } |
| 828 return 1; |
| 829 } |
| 830 |
| 831 } // namespace |
| 832 |
| 833 scoped_ptr<SSLServerContext> CreateSSLServerContext( |
| 834 X509Certificate* certificate, |
| 835 const crypto::RSAPrivateKey& key, |
| 836 const SSLServerConfig& ssl_server_config) { |
| 837 return scoped_ptr<SSLServerContext>( |
| 838 new SSLServerContextOpenSSL(certificate, key, ssl_server_config)); |
| 839 } |
| 840 |
| 841 SSLServerContextOpenSSL::SSLServerContextOpenSSL( |
| 842 X509Certificate* certificate, |
| 843 const crypto::RSAPrivateKey& key, |
| 844 const SSLServerConfig& ssl_server_config) |
| 845 : ssl_server_config_(ssl_server_config), |
| 846 cert_(certificate), |
| 847 key_(key.Copy()) { |
| 848 CHECK(key_); |
| 849 crypto::EnsureOpenSSLInit(); |
| 850 ssl_ctx_.reset(SSL_CTX_new(TLS_method())); |
| 851 SSL_CTX_set_session_cache_mode(ssl_ctx_.get(), SSL_SESS_CACHE_SERVER); |
| 852 uint8_t session_ctx_id = 0; |
| 853 SSL_CTX_set_session_id_context(ssl_ctx_.get(), &session_ctx_id, |
| 854 sizeof(session_ctx_id)); |
| 855 |
| 856 int verify_mode = 0; |
| 857 switch (ssl_server_config_.client_cert_type) { |
| 858 case SSLServerConfig::ClientCertType::REQUIRE_CLIENT_CERT: |
| 859 verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; |
| 860 // Fall-through |
| 861 case SSLServerConfig::ClientCertType::OPTIONAL_CLIENT_CERT: |
| 862 verify_mode |= SSL_VERIFY_PEER; |
| 863 SSL_CTX_set_verify(ssl_ctx_.get(), verify_mode, nullptr); |
| 864 SSL_CTX_set_cert_verify_callback( |
| 865 ssl_ctx_.get(), SSLServerSocketOpenSSL::CertVerifyCallback, |
| 866 ssl_server_config_.client_cert_verifier); |
| 867 break; |
| 868 case SSLServerConfig::ClientCertType::NO_CLIENT_CERT: |
| 869 break; |
| 870 } |
| 871 |
| 717 // Set certificate and private key. | 872 // Set certificate and private key. |
| 718 DCHECK(cert_->os_cert_handle()); | 873 DCHECK(cert_->os_cert_handle()); |
| 719 #if defined(USE_OPENSSL_CERTS) | 874 #if defined(USE_OPENSSL_CERTS) |
| 720 if (SSL_use_certificate(ssl_, cert_->os_cert_handle()) != 1) { | 875 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), cert_->os_cert_handle())); |
| 721 LOG(ERROR) << "Cannot set certificate."; | |
| 722 return ERR_UNEXPECTED; | |
| 723 } | |
| 724 #else | 876 #else |
| 725 // Convert OSCertHandle to X509 structure. | 877 // Convert OSCertHandle to X509 structure. |
| 726 std::string der_string; | 878 std::string der_string; |
| 727 if (!X509Certificate::GetDEREncoded(cert_->os_cert_handle(), &der_string)) | 879 CHECK(X509Certificate::GetDEREncoded(cert_->os_cert_handle(), &der_string)); |
| 728 return ERR_UNEXPECTED; | |
| 729 | 880 |
| 730 const unsigned char* der_string_array = | 881 const unsigned char* der_string_array = |
| 731 reinterpret_cast<const unsigned char*>(der_string.data()); | 882 reinterpret_cast<const unsigned char*>(der_string.data()); |
| 732 | 883 |
| 733 ScopedX509 x509(d2i_X509(NULL, &der_string_array, der_string.length())); | 884 ScopedX509 x509(d2i_X509(NULL, &der_string_array, der_string.length())); |
| 734 if (!x509) | 885 CHECK(x509); |
| 735 return ERR_UNEXPECTED; | |
| 736 | 886 |
| 737 // On success, SSL_use_certificate acquires a reference to |x509|. | 887 // On success, SSL_CTX_use_certificate acquires a reference to |x509|. |
| 738 if (SSL_use_certificate(ssl_, x509.get()) != 1) { | 888 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), x509.get())); |
| 739 LOG(ERROR) << "Cannot set certificate."; | |
| 740 return ERR_UNEXPECTED; | |
| 741 } | |
| 742 #endif // USE_OPENSSL_CERTS | 889 #endif // USE_OPENSSL_CERTS |
| 743 | 890 |
| 744 DCHECK(key_->key()); | 891 DCHECK(key_->key()); |
| 745 if (SSL_use_PrivateKey(ssl_, key_->key()) != 1) { | 892 CHECK(SSL_CTX_use_PrivateKey(ssl_ctx_.get(), key_->key())); |
| 746 LOG(ERROR) << "Cannot set private key."; | |
| 747 return ERR_UNEXPECTED; | |
| 748 } | |
| 749 | 893 |
| 750 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_min); | 894 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_min); |
| 751 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_max); | 895 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_max); |
| 752 SSL_set_min_version(ssl_, ssl_server_config_.version_min); | 896 SSL_CTX_set_min_version(ssl_ctx_.get(), ssl_server_config_.version_min); |
| 753 SSL_set_max_version(ssl_, ssl_server_config_.version_max); | 897 SSL_CTX_set_max_version(ssl_ctx_.get(), ssl_server_config_.version_max); |
| 754 | 898 |
| 755 // OpenSSL defaults some options to on, others to off. To avoid ambiguity, | 899 // OpenSSL defaults some options to on, others to off. To avoid ambiguity, |
| 756 // set everything we care about to an absolute value. | 900 // set everything we care about to an absolute value. |
| 757 SslSetClearMask options; | 901 SslSetClearMask options; |
| 758 options.ConfigureFlag(SSL_OP_NO_COMPRESSION, true); | 902 options.ConfigureFlag(SSL_OP_NO_COMPRESSION, true); |
| 759 | 903 |
| 760 SSL_set_options(ssl_, options.set_mask); | 904 SSL_CTX_set_options(ssl_ctx_.get(), options.set_mask); |
| 761 SSL_clear_options(ssl_, options.clear_mask); | 905 SSL_CTX_clear_options(ssl_ctx_.get(), options.clear_mask); |
| 762 | 906 |
| 763 // Same as above, this time for the SSL mode. | 907 // Same as above, this time for the SSL mode. |
| 764 SslSetClearMask mode; | 908 SslSetClearMask mode; |
| 765 | 909 |
| 766 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true); | 910 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true); |
| 767 | 911 |
| 768 SSL_set_mode(ssl_, mode.set_mask); | 912 SSL_CTX_set_mode(ssl_ctx_.get(), mode.set_mask); |
| 769 SSL_clear_mode(ssl_, mode.clear_mask); | 913 SSL_CTX_clear_mode(ssl_ctx_.get(), mode.clear_mask); |
| 770 | 914 |
| 771 // See SSLServerConfig::disabled_cipher_suites for description of the suites | 915 // See SSLServerConfig::disabled_cipher_suites for description of the suites |
| 772 // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256 | 916 // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256 |
| 773 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384 | 917 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384 |
| 774 // as the handshake hash. | 918 // as the handshake hash. |
| 775 std::string command("DEFAULT:!SHA256:!SHA384:!AESGCM+AES256:!aPSK"); | 919 std::string command("DEFAULT:!SHA256:!SHA384:!AESGCM+AES256:!aPSK"); |
| 776 | 920 |
| 777 if (ssl_server_config_.require_ecdhe) | 921 if (ssl_server_config_.require_ecdhe) |
| 778 command.append(":!kRSA:!kDHE"); | 922 command.append(":!kRSA:!kDHE"); |
| 779 | 923 |
| 780 // Remove any disabled ciphers. | 924 // Remove any disabled ciphers. |
| 781 for (uint16_t id : ssl_server_config_.disabled_cipher_suites) { | 925 for (uint16_t id : ssl_server_config_.disabled_cipher_suites) { |
| 782 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id); | 926 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id); |
| 783 if (cipher) { | 927 if (cipher) { |
| 784 command.append(":!"); | 928 command.append(":!"); |
| 785 command.append(SSL_CIPHER_get_name(cipher)); | 929 command.append(SSL_CIPHER_get_name(cipher)); |
| 786 } | 930 } |
| 787 } | 931 } |
| 788 | 932 |
| 789 int rv = SSL_set_cipher_list(ssl_, command.c_str()); | 933 int rv = SSL_CTX_set_cipher_list(ssl_ctx_.get(), command.c_str()); |
| 790 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL. | 934 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL. |
| 791 // This will almost certainly result in the socket failing to complete the | 935 // This will almost certainly result in the socket failing to complete the |
| 792 // handshake at which point the appropriate error is bubbled up to the client. | 936 // handshake at which point the appropriate error is bubbled up to the client. |
| 793 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command | 937 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command |
| 794 << "') returned " << rv; | 938 << "') returned " << rv; |
| 795 | 939 |
| 796 if (ssl_server_config_.client_cert_type != | 940 if (ssl_server_config_.client_cert_type != |
| 797 SSLServerConfig::ClientCertType::NO_CLIENT_CERT && | 941 SSLServerConfig::ClientCertType::NO_CLIENT_CERT && |
| 798 !ssl_server_config_.cert_authorities_.empty()) { | 942 !ssl_server_config_.cert_authorities_.empty()) { |
| 799 ScopedX509NameStack stack(sk_X509_NAME_new_null()); | 943 ScopedX509NameStack stack(sk_X509_NAME_new_null()); |
| 800 for (const auto& authority : ssl_server_config_.cert_authorities_) { | 944 for (const auto& authority : ssl_server_config_.cert_authorities_) { |
| 801 const uint8_t* name = reinterpret_cast<const uint8_t*>(authority.c_str()); | 945 const uint8_t* name = reinterpret_cast<const uint8_t*>(authority.c_str()); |
| 802 const uint8_t* name_start = name; | 946 const uint8_t* name_start = name; |
| 803 ScopedX509_NAME subj(d2i_X509_NAME(nullptr, &name, authority.length())); | 947 ScopedX509_NAME subj(d2i_X509_NAME(nullptr, &name, authority.length())); |
| 804 if (!subj || name != name_start + authority.length()) | 948 CHECK(subj && name == name_start + authority.length()); |
| 805 return ERR_UNEXPECTED; | |
| 806 sk_X509_NAME_push(stack.get(), subj.release()); | 949 sk_X509_NAME_push(stack.get(), subj.release()); |
| 807 } | 950 } |
| 808 SSL_set_client_CA_list(ssl_, stack.release()); | 951 SSL_CTX_set_client_CA_list(ssl_ctx_.get(), stack.release()); |
| 809 } | 952 } |
| 810 | |
| 811 return OK; | |
| 812 } | 953 } |
| 813 | 954 |
| 814 // static | 955 SSLServerContextOpenSSL::~SSLServerContextOpenSSL() {} |
| 815 int SSLServerSocketOpenSSL::CertVerifyCallback(X509_STORE_CTX* store_ctx, | |
| 816 void* arg) { | |
| 817 ClientCertVerifier* verifier = reinterpret_cast<ClientCertVerifier*>(arg); | |
| 818 // If a verifier was not supplied, all certificates are accepted. | |
| 819 if (!verifier) | |
| 820 return 1; | |
| 821 STACK_OF(X509)* chain = store_ctx->untrusted; | |
| 822 scoped_refptr<X509Certificate> client_cert( | |
| 823 CreateX509Certificate(nullptr, chain)); | |
| 824 if (!client_cert.get()) { | |
| 825 X509_STORE_CTX_set_error(store_ctx, X509_V_ERR_CERT_REJECTED); | |
| 826 return 0; | |
| 827 } | |
| 828 // Asynchronous completion of Verify is currently not supported. | |
| 829 // http://crbug.com/347402 | |
| 830 // The API for Verify supports the parts needed for async completion | |
| 831 // but is currently expected to complete synchronously. | |
| 832 scoped_ptr<ClientCertVerifier::Request> ignore_async; | |
| 833 int res = | |
| 834 verifier->Verify(client_cert.get(), CompletionCallback(), &ignore_async); | |
| 835 DCHECK_NE(res, ERR_IO_PENDING); | |
| 836 | 956 |
| 837 if (res != OK) { | 957 scoped_ptr<SSLServerSocket> SSLServerContextOpenSSL::CreateSSLServerSocket( |
| 838 X509_STORE_CTX_set_error(store_ctx, X509_V_ERR_CERT_REJECTED); | 958 scoped_ptr<StreamSocket> socket) { |
| 839 return 0; | 959 SSL* ssl = SSL_new(ssl_ctx_.get()); |
| 840 } | 960 return scoped_ptr<SSLServerSocket>( |
| 841 return 1; | 961 new SSLServerSocketOpenSSL(std::move(socket), ssl)); |
| 962 } |
| 963 |
| 964 void EnableSSLServerSockets() { |
| 965 // No-op because CreateSSLServerSocket() calls crypto::EnsureOpenSSLInit(). |
| 842 } | 966 } |
| 843 | 967 |
| 844 } // namespace net | 968 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1518613002:
Support for server session cache. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@client_certs