Chromium Code Reviews| Index: net/socket/ssl_server_socket_openssl.cc |
| diff --git a/net/socket/ssl_server_socket_openssl.cc b/net/socket/ssl_server_socket_openssl.cc |
| index 9736b603753951373803b8fb27099e46f63883ab..ab917df911a3c4fa3c690bdf054afccbf736a77b 100644 |
| --- a/net/socket/ssl_server_socket_openssl.cc |
| +++ b/net/socket/ssl_server_socket_openssl.cc |
| @@ -19,7 +19,6 @@ |
| #include "net/cert/client_cert_verifier.h" |
| #include "net/cert/x509_util_openssl.h" |
| #include "net/ssl/openssl_ssl_util.h" |
| -#include "net/ssl/scoped_openssl_types.h" |
| #include "net/ssl/ssl_connection_status_flags.h" |
| #include "net/ssl/ssl_info.h" |
| @@ -63,32 +62,66 @@ void DoNothingOnCompletion(int ignore) {} |
| } // namespace |
| +scoped_ptr<SSLServerSocketContext> CreateSSLServerSocketContext( |
| + X509Certificate* certificate, |
| + const crypto::RSAPrivateKey& key, |
| + const SSLServerConfig& ssl_server_config) { |
| + crypto::EnsureOpenSSLInit(); |
| + return scoped_ptr<SSLServerSocketContext>( |
| + new SSLServerSocketContextOpenSSL(certificate, key, ssl_server_config)); |
| +} |
| + |
| void EnableSSLServerSockets() { |
| // No-op because CreateSSLServerSocket() calls crypto::EnsureOpenSSLInit(). |
| } |
| -scoped_ptr<SSLServerSocket> CreateSSLServerSocket( |
| - scoped_ptr<StreamSocket> socket, |
| - X509Certificate* certificate, |
| +SSLServerSocketContextOpenSSL::SSLServerSocketContextOpenSSL( |
| + scoped_refptr<X509Certificate> certificate, |
| const crypto::RSAPrivateKey& key, |
| - const SSLServerConfig& ssl_server_config) { |
| + const SSLServerConfig& ssl_server_config) |
| + : ssl_ctx_(SSL_CTX_new(SSLv23_server_method())), |
|
davidben
2016/01/22 23:57:48
Nit: It's the same thing, but this ought to be TLS
ryanchung
2016/01/29 23:28:15
Done.
|
| + ssl_server_config_(ssl_server_config), |
| + cert_(certificate), |
| + key_(key.Copy()) { |
| + SSL_CTX_set_session_cache_mode(ssl_ctx_.get(), SSL_SESS_CACHE_SERVER); |
| + int session_ctx_id = 0; |
| + SSL_CTX_set_session_id_context( |
| + ssl_ctx_.get(), (unsigned char*)&session_ctx_id, sizeof(session_ctx_id)); |
|
davidben
2016/01/22 23:57:48
unsigned char -> uint8_t. Also C++-style casts. Bu
ryanchung
2016/01/29 23:28:15
Done.
|
| + |
| + if (ssl_server_config_.require_client_cert) { |
| + SSL_CTX_set_verify(ssl_ctx_.get(), |
| + SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); |
| + } |
| + SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), |
| + SSLServerSocketOpenSSL::CertVerifyCallback, |
| + ssl_server_config_.client_cert_verifier); |
| + CHECK(key_); |
|
davidben
2016/01/22 23:57:48
This probably should be the first line.
ryanchung
2016/01/29 23:28:16
Done.
|
| +} |
| + |
| +SSLServerSocketContextOpenSSL::~SSLServerSocketContextOpenSSL() {} |
| + |
| +scoped_ptr<SSLServerSocket> |
| +SSLServerSocketContextOpenSSL::CreateSSLServerSocket( |
| + scoped_ptr<StreamSocket> socket) { |
| crypto::EnsureOpenSSLInit(); |
| + SSL* ssl = SSL_new(ssl_ctx_.get()); |
| return scoped_ptr<SSLServerSocket>(new SSLServerSocketOpenSSL( |
| - std::move(socket), certificate, key, ssl_server_config)); |
| + std::move(socket), cert_.get(), *key_, ssl_server_config_, ssl)); |
| } |
| SSLServerSocketOpenSSL::SSLServerSocketOpenSSL( |
| scoped_ptr<StreamSocket> transport_socket, |
| scoped_refptr<X509Certificate> certificate, |
| const crypto::RSAPrivateKey& key, |
| - const SSLServerConfig& ssl_server_config) |
| + const SSLServerConfig& ssl_server_config, |
| + SSL* ssl) |
| : transport_send_busy_(false), |
| transport_recv_busy_(false), |
| transport_recv_eof_(false), |
| user_read_buf_len_(0), |
| user_write_buf_len_(0), |
| transport_write_error_(OK), |
| - ssl_(NULL), |
| + ssl_(ssl), |
| transport_bio_(NULL), |
| transport_socket_(std::move(transport_socket)), |
| ssl_server_config_(ssl_server_config), |
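Review bot: The comment in EnableSSLServerSockets is stale after this hunk: OpenSSL initialization now happens in CreateSSLServerSocketContext (and again, redundantly, in SSLServerSocketContextOpenSSL::CreateSSLServerSocket), so the line should read `// No-op because CreateSSLServerSocketContext() calls crypto::EnsureOpenSSLInit().` and the second EnsureOpenSSLInit() call can be dropped. Separately, `session_ctx_id` is a constant zero, so every context instance sets the same session id context regardless of its require_client_cert and client_cert_verifier settings; since each SSL_CTX here enables only its own server-side cache this is presumably harmless today, but a comment noting that the value must become unique per verification policy if a cache is ever shared between contexts would keep a resumed session from skipping a stricter context's client-certificate check. The SSL* from SSL_new in CreateSSLServerSocket is passed to the socket constructor without a null check; Init() still returns ERR_UNEXPECTED on a null ssl_, so this is only a point about failing earlier rather than a defect.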
| @@ -681,19 +714,10 @@ void SSLServerSocketOpenSSL::DoWriteCallback(int rv) { |
| } |
| int SSLServerSocketOpenSSL::Init() { |
| - DCHECK(!ssl_); |
| DCHECK(!transport_bio_); |
| crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| - ScopedSSL_CTX ssl_ctx(SSL_CTX_new(SSLv23_server_method())); |
| - if (ssl_server_config_.require_client_cert) { |
| - SSL_CTX_set_verify(ssl_ctx.get(), |
| - SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); |
| - } |
| - SSL_CTX_set_cert_verify_callback(ssl_ctx.get(), CertVerifyCallback, |
| - ssl_server_config_.client_cert_verifier); |
| - ssl_ = SSL_new(ssl_ctx.get()); |
| if (!ssl_) |
| return ERR_UNEXPECTED; |
| @@ -748,6 +772,7 @@ int SSLServerSocketOpenSSL::Init() { |
| // set everything we care about to an absolute value. |
| SslSetClearMask options; |
| options.ConfigureFlag(SSL_OP_NO_COMPRESSION, true); |
| + options.ConfigureFlag(SSL_OP_NO_TICKET, true); |
|
davidben
2016/01/22 23:57:48
Why turn off tickets? I can't think of any reason
ryanchung
2016/01/29 23:28:15
Done. Should not be turned off. Line removed.
|
| SSL_set_options(ssl_, options.set_mask); |
| SSL_clear_options(ssl_, options.clear_mask); |