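--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <errno.h>
@@ -43,24 +43,20 @@
 #include "net/cert/x509_util_openssl.h"
 #include "net/http/transport_security_state.h"
 #include "net/ssl/scoped_openssl_types.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/ssl/ssl_client_session_cache_openssl.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_failure_state.h"
 #include "net/ssl/ssl_info.h"
 #include "net/ssl/ssl_private_key.h"
 
-#if defined(OS_WIN)
-#include "base/win/windows_version.h"
-#endif
-
 #if !defined(OS_NACL)
 #include "net/ssl/ssl_key_logger.h"
 #endif
 
 #if defined(USE_NSS_CERTS) || defined(OS_IOS)
 #include "net/cert_net/nss_ocsp.h"
 #endif
 
 namespace net {
 
@@ -993,28 +989,20 @@
 
 // Remove any disabled ciphers.
 for (uint16_t id : ssl_config_.disabled_cipher_suites) {
 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id);
 if (cipher) {
 command.append(":!");
 command.append(SSL_CIPHER_get_name(cipher));
 }
 }
 
-// Disable ECDSA cipher suites on platforms that do not support ECDSA
-// signed certificates, as servers may use the presence of such
-// ciphersuites as a hint to send an ECDSA certificate.
-#if defined(OS_WIN)
-if (base::win::GetVersion() < base::win::VERSION_VISTA)
-command.append(":!ECDSA");
-#endif
-
 int rv = SSL_set_cipher_list(ssl_, command.c_str());
 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL.
 // This will almost certainly result in the socket failing to complete the
 // handshake at which point the appropriate error is bubbled up to the client.
 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command << "') "
 "returned " << rv;
 
 // TLS channel ids.
 if (IsChannelIDEnabled(ssl_config_, channel_id_service_)) {
 SSL_enable_tls_channel_id(ssl_);
@@ -2304,10 +2292,10 @@
 tb_was_negotiated_ = true;
 return 1;
 }
 }
 
 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER;
 return 0;
 }
 
 } // namespace net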