1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
187 // Converts an OpenSSL error code into a net error code, walking the OpenSSL | 187 // Converts an OpenSSL error code into a net error code, walking the OpenSSL |
188 // error stack if needed. Note that |tracer| is not currently used in the | 188 // error stack if needed. Note that |tracer| is not currently used in the |
189 // implementation, but is passed in anyway as this ensures the caller will clear | 189 // implementation, but is passed in anyway as this ensures the caller will clear |
190 // any residual codes left on the error stack. | 190 // any residual codes left on the error stack. |
191 int MapOpenSSLError(int err, const crypto::OpenSSLErrStackTracer& tracer) { | 191 int MapOpenSSLError(int err, const crypto::OpenSSLErrStackTracer& tracer) { |
192 switch (err) { | 192 switch (err) { |
193 case SSL_ERROR_WANT_READ: | 193 case SSL_ERROR_WANT_READ: |
194 case SSL_ERROR_WANT_WRITE: | 194 case SSL_ERROR_WANT_WRITE: |
195 return ERR_IO_PENDING; | 195 return ERR_IO_PENDING; |
196 case SSL_ERROR_SYSCALL: | 196 case SSL_ERROR_SYSCALL: |
197 DVLOG(1) << "OpenSSL SYSCALL error, errno " << errno; | 197 LOG(ERROR) << "OpenSSL SYSCALL error, earliest error code in " |
198 "error queue: " << ERR_peek_error() << ", errno: " | |
199 << errno; | |
wtc
2013/06/19 16:53:53
Note: I am printing the errno as the original code
| |
198 return ERR_SSL_PROTOCOL_ERROR; | 200 return ERR_SSL_PROTOCOL_ERROR; |
199 case SSL_ERROR_SSL: | 201 case SSL_ERROR_SSL: |
200 return MapOpenSSLErrorSSL(); | 202 return MapOpenSSLErrorSSL(); |
201 default: | 203 default: |
202 // TODO(joth): Implement full mapping. | 204 // TODO(joth): Implement full mapping. |
203 LOG(WARNING) << "Unknown OpenSSL error " << err; | 205 LOG(WARNING) << "Unknown OpenSSL error " << err; |
204 return ERR_SSL_PROTOCOL_ERROR; | 206 return ERR_SSL_PROTOCOL_ERROR; |
205 } | 207 } |
206 } | 208 } |
207 | 209 |
523 | 525 |
524 SSL_set_mode(ssl_, mode.set_mask); | 526 SSL_set_mode(ssl_, mode.set_mask); |
525 SSL_clear_mode(ssl_, mode.clear_mask); | 527 SSL_clear_mode(ssl_, mode.clear_mask); |
526 | 528 |
527 // Removing ciphers by ID from OpenSSL is a bit involved as we must use the | 529 // Removing ciphers by ID from OpenSSL is a bit involved as we must use the |
528 // textual name with SSL_set_cipher_list because there is no public API to | 530 // textual name with SSL_set_cipher_list because there is no public API to |
529 // directly remove a cipher by ID. | 531 // directly remove a cipher by ID. |
530 STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_); | 532 STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_); |
531 DCHECK(ciphers); | 533 DCHECK(ciphers); |
532 // See SSLConfig::disabled_cipher_suites for description of the suites | 534 // See SSLConfig::disabled_cipher_suites for description of the suites |
533 // disabled by default. | 535 // disabled by default. Note that !SHA384 only removes HMAC-SHA384 cipher |
534 std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA"); | 536 // suites, not GCM cipher suites with SHA384 as the handshake hash. |
537 std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA:!SRP:!SHA384:!aECDH"); | |
Ryan Sleevi
2013/06/18 23:00:34
Does this also disable SHA-384 from the Signature
wtc
2013/06/19 01:25:16
No. The supported_signature_algorithms list in Ope
| |
535 // Walk through all the installed ciphers, seeing if any need to be | 538 // Walk through all the installed ciphers, seeing if any need to be |
536 // appended to the cipher removal |command|. | 539 // appended to the cipher removal |command|. |
537 for (int i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) { | 540 for (int i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) { |
538 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i); | 541 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i); |
539 const uint16 id = SSL_CIPHER_get_id(cipher); | 542 const uint16 id = SSL_CIPHER_get_id(cipher); |
540 // Remove any ciphers with a strength of less than 80 bits. Note the NSS | 543 // Remove any ciphers with a strength of less than 80 bits. Note the NSS |
541 // implementation uses "effective" bits here but OpenSSL does not provide | 544 // implementation uses "effective" bits here but OpenSSL does not provide |
542 // this detail. This only impacts Triple DES: reports 112 vs. 168 bits, | 545 // this detail. This only impacts Triple DES: reports 112 vs. 168 bits, |
543 // both of which are greater than 80 anyway. | 546 // both of which are greater than 80 anyway. |
544 bool disable = SSL_CIPHER_get_bits(cipher, NULL) < 80; | 547 bool disable = SSL_CIPHER_get_bits(cipher, NULL) < 80; |
1421 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, | 1424 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, |
1422 user_write_buf_->data()); | 1425 user_write_buf_->data()); |
1423 return rv; | 1426 return rv; |
1424 } | 1427 } |
1425 | 1428 |
1426 int err = SSL_get_error(ssl_, rv); | 1429 int err = SSL_get_error(ssl_, rv); |
1427 return MapOpenSSLError(err, err_tracer); | 1430 return MapOpenSSLError(err, err_tracer); |
1428 } | 1431 } |
1429 | 1432 |
1430 } // namespace net | 1433 } // namespace net |
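Review bot: The new LOG(ERROR) in the SSL_ERROR_SYSCALL case of MapOpenSSLError reads `errno` in the same streaming expression that calls `ERR_peek_error()`, and the evaluation order of those operands is unspecified, so the errno printed may not be the one left by the failed syscall if the OpenSSL call disturbs it (for example on first-use allocation of the thread's error state). Capture it first: `const int saved_errno = errno;` as the first statement of the case, then `<< ", errno: " << saved_errno;`. It would also help to record in a comment why errno is logged at all, since the hunk does not say; the existing reviewer note on this line appears truncated on the page. MapOpenSSLError is shown in full, so no further context is needed for this change.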