Support for server session cache.

net/socket/ssl_server_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_server_socket_openssl.h"
 
 #include <openssl/err.h>
 #include <openssl/ssl.h>
 #include <utility>
 
 #include "base/callback_helpers.h"
 #include "base/logging.h"
 #include "base/strings/string_util.h"
 #include "crypto/openssl_util.h"
 #include "crypto/rsa_private_key.h"
 #include "crypto/scoped_openssl_types.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/client_cert_verifier.h"
 #include "net/cert/x509_util_openssl.h"
 #include "net/ssl/openssl_ssl_util.h"
-#include "net/ssl/scoped_openssl_types.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_info.h"
 
 #define GotoState(s) next_handshake_state_ = s
 
 namespace net {
 
 namespace {
 
 scoped_refptr<X509Certificate> CreateX509Certificate(X509* cert,
@@ skipping 23 matching lines @@
 scoped_refptr<X509Certificate> GetClientCert(SSL* ssl) {
   X509* cert = SSL_get_peer_certificate(ssl);
   STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl);
   return CreateX509Certificate(cert, chain);
 }
 
 void DoNothingOnCompletion(int ignore) {}
 
 }  // namespace
 
+scoped_ptr<SSLServerSocketContext> CreateSSLServerSocketContext(
+    X509Certificate* certificate,
+    const crypto::RSAPrivateKey& key,
+    const SSLServerConfig& ssl_server_config) {
+  crypto::EnsureOpenSSLInit();
+  return scoped_ptr<SSLServerSocketContext>(
+      new SSLServerSocketContextOpenSSL(certificate, key, ssl_server_config));
+}
+
 void EnableSSLServerSockets() {
   // No-op because CreateSSLServerSocket() calls crypto::EnsureOpenSSLInit().
 }
 
-scoped_ptr<SSLServerSocket> CreateSSLServerSocket(
-    scoped_ptr<StreamSocket> socket,
-    X509Certificate* certificate,
+SSLServerSocketContextOpenSSL::SSLServerSocketContextOpenSSL(
+    scoped_refptr<X509Certificate> certificate,
     const crypto::RSAPrivateKey& key,
-    const SSLServerConfig& ssl_server_config) {
+    const SSLServerConfig& ssl_server_config)
+    : ssl_ctx_(SSL_CTX_new(SSLv23_server_method())),

[davidben, 2016/01/22 23:57:48]

Nit: It's the same thing, but this ought to be TLS_method().

[ryanchung, 2016/01/29 23:28:15]

Done.

+      ssl_server_config_(ssl_server_config),
+      cert_(certificate),
+      key_(key.Copy()) {
+  SSL_CTX_set_session_cache_mode(ssl_ctx_.get(), SSL_SESS_CACHE_SERVER);
+  int session_ctx_id = 0;
+  SSL_CTX_set_session_id_context(
+      ssl_ctx_.get(), (unsigned char*)&session_ctx_id, sizeof(session_ctx_id));

[davidben, 2016/01/22 23:57:48]

unsigned char -> uint8_t. Also C++-style casts. But since any old garbage would
do, you can avoid the cast by just making session_ctx_id a uint8_t.

(It's in my queue to see if we can get rid of this as it's a little weird.)

[ryanchung, 2016/01/29 23:28:15]

Done.

+
+  if (ssl_server_config_.require_client_cert) {
+    SSL_CTX_set_verify(ssl_ctx_.get(),
+                       SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+  }
+  SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(),
+                                   SSLServerSocketOpenSSL::CertVerifyCallback,
+                                   ssl_server_config_.client_cert_verifier);
+  CHECK(key_);

[davidben, 2016/01/22 23:57:48]

This probably should be the first line.

[ryanchung, 2016/01/29 23:28:16]

Done.

+}
+
+SSLServerSocketContextOpenSSL::~SSLServerSocketContextOpenSSL() {}
+
+scoped_ptr<SSLServerSocket>
+SSLServerSocketContextOpenSSL::CreateSSLServerSocket(
+    scoped_ptr<StreamSocket> socket) {
   crypto::EnsureOpenSSLInit();
+  SSL* ssl = SSL_new(ssl_ctx_.get());
   return scoped_ptr<SSLServerSocket>(new SSLServerSocketOpenSSL(
-      std::move(socket), certificate, key, ssl_server_config));
+      std::move(socket), cert_.get(), *key_, ssl_server_config_, ssl));
 }
 
 SSLServerSocketOpenSSL::SSLServerSocketOpenSSL(
     scoped_ptr<StreamSocket> transport_socket,
     scoped_refptr<X509Certificate> certificate,
     const crypto::RSAPrivateKey& key,
-    const SSLServerConfig& ssl_server_config)
+    const SSLServerConfig& ssl_server_config,
+    SSL* ssl)
     : transport_send_busy_(false),
       transport_recv_busy_(false),
       transport_recv_eof_(false),
       user_read_buf_len_(0),
       user_write_buf_len_(0),
       transport_write_error_(OK),
-      ssl_(NULL),
+      ssl_(ssl),
       transport_bio_(NULL),
       transport_socket_(std::move(transport_socket)),
       ssl_server_config_(ssl_server_config),
       cert_(certificate),
       key_(key.Copy()),
       next_handshake_state_(STATE_NONE),
       completed_handshake_(false) {
   CHECK(key_);
 }
 
@@ skipping 572 matching lines @@
 void SSLServerSocketOpenSSL::DoWriteCallback(int rv) {
   DCHECK(rv != ERR_IO_PENDING);
   DCHECK(!user_write_callback_.is_null());
 
   user_write_buf_ = NULL;
   user_write_buf_len_ = 0;
   ResetAndReturn(&user_write_callback_).Run(rv);
 }
 
 int SSLServerSocketOpenSSL::Init() {
-  DCHECK(!ssl_);
   DCHECK(!transport_bio_);
 
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
 
-  ScopedSSL_CTX ssl_ctx(SSL_CTX_new(SSLv23_server_method()));
-  if (ssl_server_config_.require_client_cert) {
-    SSL_CTX_set_verify(ssl_ctx.get(),
-                       SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
-  }
-  SSL_CTX_set_cert_verify_callback(ssl_ctx.get(), CertVerifyCallback,
-                                   ssl_server_config_.client_cert_verifier);
-  ssl_ = SSL_new(ssl_ctx.get());
   if (!ssl_)
     return ERR_UNEXPECTED;
 
   BIO* ssl_bio = NULL;
   // 0 => use default buffer sizes.
   if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_, 0))
     return ERR_UNEXPECTED;
   DCHECK(ssl_bio);
   DCHECK(transport_bio_);
 
   SSL_set_bio(ssl_, ssl_bio, ssl_bio);
 
   // Set certificate and private key.

[davidben, 2016/01/22 23:57:48]

Just about everything from hear onwards should be configured on the SSL_CTX, not
each SSL individually. It'll be more efficient and you won't need to pass as
many things to the socket.

[ryanchung, 2016/01/29 23:28:16]

Done. I moved the configuration steps to the constructor of the
SSLServerContext. Or should they be in a separate Init for the context? Having
them in the constructor, I changed all the "return ERR_UNEXPECTED;" to CHECK()s.

   DCHECK(cert_->os_cert_handle());
 #if defined(USE_OPENSSL_CERTS)
   if (SSL_use_certificate(ssl_, cert_->os_cert_handle()) != 1) {
     LOG(ERROR) << "Cannot set certificate.";
     return ERR_UNEXPECTED;
   }
 #else
   // Convert OSCertHandle to X509 structure.
   std::string der_string;
   if (!X509Certificate::GetDEREncoded(cert_->os_cert_handle(), &der_string))
@@ skipping 21 matching lines @@
 
   DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_min);
   DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_max);
   SSL_set_min_version(ssl_, ssl_server_config_.version_min);
   SSL_set_max_version(ssl_, ssl_server_config_.version_max);
 
   // OpenSSL defaults some options to on, others to off. To avoid ambiguity,
   // set everything we care about to an absolute value.
   SslSetClearMask options;
   options.ConfigureFlag(SSL_OP_NO_COMPRESSION, true);
+  options.ConfigureFlag(SSL_OP_NO_TICKET, true);

[davidben, 2016/01/22 23:57:48]

Why turn off tickets? I can't think of any reason why you'd want to do that.

[ryanchung, 2016/01/29 23:28:15]

Done. Should not be turned off. Line removed.

 
   SSL_set_options(ssl_, options.set_mask);
   SSL_clear_options(ssl_, options.clear_mask);
 
   // Same as above, this time for the SSL mode.
   SslSetClearMask mode;
 
   mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true);
 
   SSL_set_mode(ssl_, mode.set_mask);
@@ skipping 57 matching lines @@
   int res = verifier->Verify(client_cert.get(),
                              base::Bind(&DoNothingOnCompletion), &ignore_async);
   if (res != OK) {
     X509_STORE_CTX_set_error(store_ctx, X509_V_ERR_CERT_REJECTED);
     return 0;
   }
   return 1;
 }
 
 }  // namespace net