| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| 11 #include <openssl/bio.h> | 11 #include <openssl/bio.h> |
| 12 #include <openssl/bytestring.h> | 12 #include <openssl/bytestring.h> |
| 13 #include <openssl/err.h> | 13 #include <openssl/err.h> |
| 14 #include <openssl/evp.h> | 14 #include <openssl/evp.h> |
| 15 #include <openssl/mem.h> | 15 #include <openssl/mem.h> |
| 16 #include <openssl/ssl.h> | 16 #include <openssl/ssl.h> |
| 17 #include <string.h> | 17 #include <string.h> |
| 18 | 18 |
| 19 #include "base/bind.h" | 19 #include "base/bind.h" |
| 20 #include "base/callback_helpers.h" | 20 #include "base/callback_helpers.h" |
| 21 #include "base/lazy_instance.h" | 21 #include "base/lazy_instance.h" |
| 22 #include "base/macros.h" |
| 22 #include "base/memory/singleton.h" | 23 #include "base/memory/singleton.h" |
| 23 #include "base/metrics/histogram_macros.h" | 24 #include "base/metrics/histogram_macros.h" |
| 24 #include "base/metrics/sparse_histogram.h" | 25 #include "base/metrics/sparse_histogram.h" |
| 25 #include "base/profiler/scoped_tracker.h" | 26 #include "base/profiler/scoped_tracker.h" |
| 26 #include "base/strings/string_piece.h" | 27 #include "base/strings/string_piece.h" |
| 27 #include "base/synchronization/lock.h" | 28 #include "base/synchronization/lock.h" |
| 28 #include "base/threading/thread_local.h" | 29 #include "base/threading/thread_local.h" |
| 29 #include "base/values.h" | 30 #include "base/values.h" |
| 30 #include "crypto/ec_private_key.h" | 31 #include "crypto/ec_private_key.h" |
| 31 #include "crypto/openssl_util.h" | 32 #include "crypto/openssl_util.h" |
| (...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 92 const uint8_t kTbMinProtocolVersionMajor = 0; | 93 const uint8_t kTbMinProtocolVersionMajor = 0; |
| 93 const uint8_t kTbMinProtocolVersionMinor = 2; | 94 const uint8_t kTbMinProtocolVersionMinor = 2; |
| 94 | 95 |
| 95 void FreeX509Stack(STACK_OF(X509)* ptr) { | 96 void FreeX509Stack(STACK_OF(X509)* ptr) { |
| 96 sk_X509_pop_free(ptr, X509_free); | 97 sk_X509_pop_free(ptr, X509_free); |
| 97 } | 98 } |
| 98 | 99 |
| 99 using ScopedX509Stack = crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>; | 100 using ScopedX509Stack = crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>; |
| 100 | 101 |
| 101 // Used for encoding the |connection_status| field of an SSLInfo object. | 102 // Used for encoding the |connection_status| field of an SSLInfo object. |
| 102 int EncodeSSLConnectionStatus(uint16 cipher_suite, | 103 int EncodeSSLConnectionStatus(uint16_t cipher_suite, |
| 103 int compression, | 104 int compression, |
| 104 int version) { | 105 int version) { |
| 105 return cipher_suite | | 106 return cipher_suite | |
| 106 ((compression & SSL_CONNECTION_COMPRESSION_MASK) << | 107 ((compression & SSL_CONNECTION_COMPRESSION_MASK) << |
| 107 SSL_CONNECTION_COMPRESSION_SHIFT) | | 108 SSL_CONNECTION_COMPRESSION_SHIFT) | |
| 108 ((version & SSL_CONNECTION_VERSION_MASK) << | 109 ((version & SSL_CONNECTION_VERSION_MASK) << |
| 109 SSL_CONNECTION_VERSION_SHIFT); | 110 SSL_CONNECTION_VERSION_SHIFT); |
| 110 } | 111 } |
| 111 | 112 |
| 112 // Returns the net SSL version number (see ssl_connection_status_flags.h) for | 113 // Returns the net SSL version number (see ssl_connection_status_flags.h) for |
| (...skipping 645 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 758 | 759 |
| 759 AddSCTInfoToSSLInfo(ssl_info); | 760 AddSCTInfoToSSLInfo(ssl_info); |
| 760 | 761 |
| 761 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); | 762 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); |
| 762 CHECK(cipher); | 763 CHECK(cipher); |
| 763 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); | 764 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); |
| 764 ssl_info->key_exchange_info = | 765 ssl_info->key_exchange_info = |
| 765 SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_)); | 766 SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_)); |
| 766 | 767 |
| 767 ssl_info->connection_status = EncodeSSLConnectionStatus( | 768 ssl_info->connection_status = EncodeSSLConnectionStatus( |
| 768 static_cast<uint16>(SSL_CIPHER_get_id(cipher)), 0 /* no compression */, | 769 static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)), 0 /* no compression */, |
| 769 GetNetSSLVersion(ssl_)); | 770 GetNetSSLVersion(ssl_)); |
| 770 | 771 |
| 771 if (!SSL_get_secure_renegotiation_support(ssl_)) | 772 if (!SSL_get_secure_renegotiation_support(ssl_)) |
| 772 ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; | 773 ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; |
| 773 | 774 |
| 774 if (ssl_config_.version_fallback) | 775 if (ssl_config_.version_fallback) |
| 775 ssl_info->connection_status |= SSL_CONNECTION_VERSION_FALLBACK; | 776 ssl_info->connection_status |= SSL_CONNECTION_VERSION_FALLBACK; |
| 776 | 777 |
| 777 ssl_info->handshake_type = SSL_session_reused(ssl_) ? | 778 ssl_info->handshake_type = SSL_session_reused(ssl_) ? |
| 778 SSLInfo::HANDSHAKE_RESUME : SSLInfo::HANDSHAKE_FULL; | 779 SSLInfo::HANDSHAKE_RESUME : SSLInfo::HANDSHAKE_FULL; |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 826 } else { | 827 } else { |
| 827 if (rv > 0) | 828 if (rv > 0) |
| 828 was_ever_used_ = true; | 829 was_ever_used_ = true; |
| 829 user_write_buf_ = NULL; | 830 user_write_buf_ = NULL; |
| 830 user_write_buf_len_ = 0; | 831 user_write_buf_len_ = 0; |
| 831 } | 832 } |
| 832 | 833 |
| 833 return rv; | 834 return rv; |
| 834 } | 835 } |
| 835 | 836 |
| 836 int SSLClientSocketOpenSSL::SetReceiveBufferSize(int32 size) { | 837 int SSLClientSocketOpenSSL::SetReceiveBufferSize(int32_t size) { |
| 837 return transport_->socket()->SetReceiveBufferSize(size); | 838 return transport_->socket()->SetReceiveBufferSize(size); |
| 838 } | 839 } |
| 839 | 840 |
| 840 int SSLClientSocketOpenSSL::SetSendBufferSize(int32 size) { | 841 int SSLClientSocketOpenSSL::SetSendBufferSize(int32_t size) { |
| 841 return transport_->socket()->SetSendBufferSize(size); | 842 return transport_->socket()->SetSendBufferSize(size); |
| 842 } | 843 } |
| 843 | 844 |
| 844 int SSLClientSocketOpenSSL::Init() { | 845 int SSLClientSocketOpenSSL::Init() { |
| 845 DCHECK(!ssl_); | 846 DCHECK(!ssl_); |
| 846 DCHECK(!transport_bio_); | 847 DCHECK(!transport_bio_); |
| 847 | 848 |
| 848 #if defined(USE_NSS_CERTS) || defined(OS_IOS) | 849 #if defined(USE_NSS_CERTS) || defined(OS_IOS) |
| 849 if (ssl_config_.cert_io_enabled) { | 850 if (ssl_config_.cert_io_enabled) { |
| 850 // TODO(davidben): Move this out of SSLClientSocket. See | 851 // TODO(davidben): Move this out of SSLClientSocket. See |
| (...skipping 129 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 980 | 981 |
| 981 // TLS channel ids. | 982 // TLS channel ids. |
| 982 if (IsChannelIDEnabled(ssl_config_, channel_id_service_)) { | 983 if (IsChannelIDEnabled(ssl_config_, channel_id_service_)) { |
| 983 SSL_enable_tls_channel_id(ssl_); | 984 SSL_enable_tls_channel_id(ssl_); |
| 984 } | 985 } |
| 985 | 986 |
| 986 if (!ssl_config_.alpn_protos.empty()) { | 987 if (!ssl_config_.alpn_protos.empty()) { |
| 987 // Get list of ciphers that are enabled. | 988 // Get list of ciphers that are enabled. |
| 988 STACK_OF(SSL_CIPHER)* enabled_ciphers = SSL_get_ciphers(ssl_); | 989 STACK_OF(SSL_CIPHER)* enabled_ciphers = SSL_get_ciphers(ssl_); |
| 989 DCHECK(enabled_ciphers); | 990 DCHECK(enabled_ciphers); |
| 990 std::vector<uint16> enabled_ciphers_vector; | 991 std::vector<uint16_t> enabled_ciphers_vector; |
| 991 for (size_t i = 0; i < sk_SSL_CIPHER_num(enabled_ciphers); ++i) { | 992 for (size_t i = 0; i < sk_SSL_CIPHER_num(enabled_ciphers); ++i) { |
| 992 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(enabled_ciphers, i); | 993 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(enabled_ciphers, i); |
| 993 const uint16 id = static_cast<uint16>(SSL_CIPHER_get_id(cipher)); | 994 const uint16_t id = static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)); |
| 994 enabled_ciphers_vector.push_back(id); | 995 enabled_ciphers_vector.push_back(id); |
| 995 } | 996 } |
| 996 | 997 |
| 997 NextProtoVector alpn_protos = ssl_config_.alpn_protos; | 998 NextProtoVector alpn_protos = ssl_config_.alpn_protos; |
| 998 if (!HasCipherAdequateForHTTP2(enabled_ciphers_vector) || | 999 if (!HasCipherAdequateForHTTP2(enabled_ciphers_vector) || |
| 999 !IsTLSVersionAdequateForHTTP2(ssl_config_)) { | 1000 !IsTLSVersionAdequateForHTTP2(ssl_config_)) { |
| 1000 DisableHTTP2(&alpn_protos); | 1001 DisableHTTP2(&alpn_protos); |
| 1001 } | 1002 } |
| 1002 std::vector<uint8_t> wire_protos = SerializeNextProtos(alpn_protos); | 1003 std::vector<uint8_t> wire_protos = SerializeNextProtos(alpn_protos); |
| 1003 SSL_set_alpn_protos(ssl_, wire_protos.empty() ? NULL : &wire_protos[0], | 1004 SSL_set_alpn_protos(ssl_, wire_protos.empty() ? NULL : &wire_protos[0], |
| (...skipping 927 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1931 | 1932 |
| 1932 // SelectNextProtoCallback is called by OpenSSL during the handshake. If the | 1933 // SelectNextProtoCallback is called by OpenSSL during the handshake. If the |
| 1933 // server supports NPN, selects a protocol from the list that the server | 1934 // server supports NPN, selects a protocol from the list that the server |
| 1934 // provides. According to third_party/openssl/openssl/ssl/ssl_lib.c, the | 1935 // provides. According to third_party/openssl/openssl/ssl/ssl_lib.c, the |
| 1935 // callback can assume that |in| is syntactically valid. | 1936 // callback can assume that |in| is syntactically valid. |
| 1936 int SSLClientSocketOpenSSL::SelectNextProtoCallback(unsigned char** out, | 1937 int SSLClientSocketOpenSSL::SelectNextProtoCallback(unsigned char** out, |
| 1937 unsigned char* outlen, | 1938 unsigned char* outlen, |
| 1938 const unsigned char* in, | 1939 const unsigned char* in, |
| 1939 unsigned int inlen) { | 1940 unsigned int inlen) { |
| 1940 if (ssl_config_.npn_protos.empty()) { | 1941 if (ssl_config_.npn_protos.empty()) { |
| 1941 *out = reinterpret_cast<uint8*>( | 1942 *out = reinterpret_cast<uint8_t*>( |
| 1942 const_cast<char*>(kDefaultSupportedNPNProtocol)); | 1943 const_cast<char*>(kDefaultSupportedNPNProtocol)); |
| 1943 *outlen = arraysize(kDefaultSupportedNPNProtocol) - 1; | 1944 *outlen = arraysize(kDefaultSupportedNPNProtocol) - 1; |
| 1944 npn_status_ = kNextProtoUnsupported; | 1945 npn_status_ = kNextProtoUnsupported; |
| 1945 return SSL_TLSEXT_ERR_OK; | 1946 return SSL_TLSEXT_ERR_OK; |
| 1946 } | 1947 } |
| 1947 | 1948 |
| 1948 // Assume there's no overlap between our protocols and the server's list. | 1949 // Assume there's no overlap between our protocols and the server's list. |
| 1949 npn_status_ = kNextProtoNoOverlap; | 1950 npn_status_ = kNextProtoNoOverlap; |
| 1950 | 1951 |
| 1951 // For each protocol in server preference order, see if we support it. | 1952 // For each protocol in server preference order, see if we support it. |
| (...skipping 312 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2264 tb_was_negotiated_ = true; | 2265 tb_was_negotiated_ = true; |
| 2265 return 1; | 2266 return 1; |
| 2266 } | 2267 } |
| 2267 } | 2268 } |
| 2268 | 2269 |
| 2269 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | 2270 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; |
| 2270 return 0; | 2271 return 0; |
| 2271 } | 2272 } |
| 2272 | 2273 |
| 2273 } // namespace net | 2274 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1535363003:
Switch to standard integer types in net/. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master