OLD | NEW |
| (Empty) |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | |
6 // of operation is derived from SSLClientSocketNSS. | |
7 | |
8 #include "net/socket/ssl_client_socket_openssl.h" | |
9 | |
10 #include <errno.h> | |
11 #include <openssl/bio.h> | |
12 #include <openssl/bytestring.h> | |
13 #include <openssl/err.h> | |
14 #include <openssl/evp.h> | |
15 #include <openssl/mem.h> | |
16 #include <openssl/ssl.h> | |
17 #include <string.h> | |
18 | |
19 #include <utility> | |
20 | |
21 #include "base/bind.h" | |
22 #include "base/callback_helpers.h" | |
23 #include "base/lazy_instance.h" | |
24 #include "base/macros.h" | |
25 #include "base/memory/singleton.h" | |
26 #include "base/metrics/histogram_macros.h" | |
27 #include "base/metrics/sparse_histogram.h" | |
28 #include "base/profiler/scoped_tracker.h" | |
29 #include "base/strings/string_number_conversions.h" | |
30 #include "base/strings/string_piece.h" | |
31 #include "base/synchronization/lock.h" | |
32 #include "base/threading/thread_local.h" | |
33 #include "base/trace_event/trace_event.h" | |
34 #include "base/values.h" | |
35 #include "crypto/auto_cbb.h" | |
36 #include "crypto/ec_private_key.h" | |
37 #include "crypto/openssl_util.h" | |
38 #include "crypto/scoped_openssl_types.h" | |
39 #include "net/base/ip_address.h" | |
40 #include "net/base/net_errors.h" | |
41 #include "net/cert/cert_verifier.h" | |
42 #include "net/cert/ct_ev_whitelist.h" | |
43 #include "net/cert/ct_policy_enforcer.h" | |
44 #include "net/cert/ct_policy_status.h" | |
45 #include "net/cert/ct_verifier.h" | |
46 #include "net/cert/x509_certificate_net_log_param.h" | |
47 #include "net/cert/x509_util_openssl.h" | |
48 #include "net/http/transport_security_state.h" | |
49 #include "net/ssl/scoped_openssl_types.h" | |
50 #include "net/ssl/ssl_cert_request_info.h" | |
51 #include "net/ssl/ssl_client_session_cache_openssl.h" | |
52 #include "net/ssl/ssl_connection_status_flags.h" | |
53 #include "net/ssl/ssl_failure_state.h" | |
54 #include "net/ssl/ssl_info.h" | |
55 #include "net/ssl/ssl_private_key.h" | |
56 #include "net/ssl/token_binding.h" | |
57 | |
58 #if !defined(OS_NACL) | |
59 #include "net/ssl/ssl_key_logger.h" | |
60 #endif | |
61 | |
62 #if defined(USE_NSS_CERTS) | |
63 #include "net/cert_net/nss_ocsp.h" | |
64 #endif | |
65 | |
66 namespace net { | |
67 | |
68 namespace { | |
69 | |
70 // Enable this to see logging for state machine state transitions. | |
71 #if 0 | |
72 #define GotoState(s) do { DVLOG(2) << (void *)this << " " << __FUNCTION__ << \ | |
73 " jump to state " << s; \ | |
74 next_handshake_state_ = s; } while (0) | |
75 #else | |
76 #define GotoState(s) next_handshake_state_ = s | |
77 #endif | |
78 | |
79 // This constant can be any non-negative/non-zero value (eg: it does not | |
80 // overlap with any value of the net::Error range, including net::OK). | |
81 const int kNoPendingResult = 1; | |
82 | |
83 // If a client doesn't have a list of protocols that it supports, but | |
84 // the server supports NPN, choosing "http/1.1" is the best answer. | |
85 const char kDefaultSupportedNPNProtocol[] = "http/1.1"; | |
86 | |
87 // Default size of the internal BoringSSL buffers. | |
88 const int KDefaultOpenSSLBufferSize = 17 * 1024; | |
89 | |
90 // TLS extension number use for Token Binding. | |
91 const unsigned int kTbExtNum = 24; | |
92 | |
93 // Token Binding ProtocolVersions supported. | |
94 const uint8_t kTbProtocolVersionMajor = 0; | |
95 const uint8_t kTbProtocolVersionMinor = 5; | |
96 const uint8_t kTbMinProtocolVersionMajor = 0; | |
97 const uint8_t kTbMinProtocolVersionMinor = 3; | |
98 | |
99 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) { | |
100 switch (EVP_MD_type(md)) { | |
101 case NID_md5_sha1: | |
102 *hash = SSLPrivateKey::Hash::MD5_SHA1; | |
103 return true; | |
104 case NID_sha1: | |
105 *hash = SSLPrivateKey::Hash::SHA1; | |
106 return true; | |
107 case NID_sha256: | |
108 *hash = SSLPrivateKey::Hash::SHA256; | |
109 return true; | |
110 case NID_sha384: | |
111 *hash = SSLPrivateKey::Hash::SHA384; | |
112 return true; | |
113 case NID_sha512: | |
114 *hash = SSLPrivateKey::Hash::SHA512; | |
115 return true; | |
116 default: | |
117 return false; | |
118 } | |
119 } | |
120 | |
121 std::unique_ptr<base::Value> NetLogPrivateKeyOperationCallback( | |
122 SSLPrivateKey::Type type, | |
123 SSLPrivateKey::Hash hash, | |
124 NetLogCaptureMode mode) { | |
125 std::string type_str; | |
126 switch (type) { | |
127 case SSLPrivateKey::Type::RSA: | |
128 type_str = "RSA"; | |
129 break; | |
130 case SSLPrivateKey::Type::ECDSA: | |
131 type_str = "ECDSA"; | |
132 break; | |
133 } | |
134 | |
135 std::string hash_str; | |
136 switch (hash) { | |
137 case SSLPrivateKey::Hash::MD5_SHA1: | |
138 hash_str = "MD5_SHA1"; | |
139 break; | |
140 case SSLPrivateKey::Hash::SHA1: | |
141 hash_str = "SHA1"; | |
142 break; | |
143 case SSLPrivateKey::Hash::SHA256: | |
144 hash_str = "SHA256"; | |
145 break; | |
146 case SSLPrivateKey::Hash::SHA384: | |
147 hash_str = "SHA384"; | |
148 break; | |
149 case SSLPrivateKey::Hash::SHA512: | |
150 hash_str = "SHA512"; | |
151 break; | |
152 } | |
153 | |
154 std::unique_ptr<base::DictionaryValue> value(new base::DictionaryValue); | |
155 value->SetString("type", type_str); | |
156 value->SetString("hash", hash_str); | |
157 return std::move(value); | |
158 } | |
159 | |
160 std::unique_ptr<base::Value> NetLogChannelIDLookupCallback( | |
161 ChannelIDService* channel_id_service, | |
162 NetLogCaptureMode capture_mode) { | |
163 ChannelIDStore* store = channel_id_service->GetChannelIDStore(); | |
164 std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue()); | |
165 dict->SetBoolean("ephemeral", store->IsEphemeral()); | |
166 dict->SetString("service", base::HexEncode(&channel_id_service, | |
167 sizeof(channel_id_service))); | |
168 dict->SetString("store", base::HexEncode(&store, sizeof(store))); | |
169 return std::move(dict); | |
170 } | |
171 | |
172 std::unique_ptr<base::Value> NetLogChannelIDLookupCompleteCallback( | |
173 crypto::ECPrivateKey* key, | |
174 int result, | |
175 NetLogCaptureMode capture_mode) { | |
176 std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue()); | |
177 dict->SetInteger("net_error", result); | |
178 std::string raw_key; | |
179 if (result == OK && key && key->ExportRawPublicKey(&raw_key)) { | |
180 std::string key_to_log = "redacted"; | |
181 if (capture_mode.include_cookies_and_credentials()) { | |
182 key_to_log = base::HexEncode(raw_key.data(), raw_key.length()); | |
183 } | |
184 dict->SetString("key", key_to_log); | |
185 } | |
186 return std::move(dict); | |
187 } | |
188 | |
189 } // namespace | |
190 | |
191 class SSLClientSocketOpenSSL::SSLContext { | |
192 public: | |
193 static SSLContext* GetInstance() { | |
194 return base::Singleton<SSLContext>::get(); | |
195 } | |
196 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); } | |
197 SSLClientSessionCacheOpenSSL* session_cache() { return &session_cache_; } | |
198 | |
199 SSLClientSocketOpenSSL* GetClientSocketFromSSL(const SSL* ssl) { | |
200 DCHECK(ssl); | |
201 SSLClientSocketOpenSSL* socket = static_cast<SSLClientSocketOpenSSL*>( | |
202 SSL_get_ex_data(ssl, ssl_socket_data_index_)); | |
203 DCHECK(socket); | |
204 return socket; | |
205 } | |
206 | |
207 bool SetClientSocketForSSL(SSL* ssl, SSLClientSocketOpenSSL* socket) { | |
208 return SSL_set_ex_data(ssl, ssl_socket_data_index_, socket) != 0; | |
209 } | |
210 | |
211 #if !defined(OS_NACL) | |
212 void SetSSLKeyLogFile( | |
213 const base::FilePath& path, | |
214 const scoped_refptr<base::SequencedTaskRunner>& task_runner) { | |
215 DCHECK(!ssl_key_logger_); | |
216 ssl_key_logger_.reset(new SSLKeyLogger(path, task_runner)); | |
217 SSL_CTX_set_keylog_callback(ssl_ctx_.get(), KeyLogCallback); | |
218 } | |
219 #endif | |
220 | |
221 static const SSL_PRIVATE_KEY_METHOD kPrivateKeyMethod; | |
222 | |
223 private: | |
224 friend struct base::DefaultSingletonTraits<SSLContext>; | |
225 | |
226 SSLContext() : session_cache_(SSLClientSessionCacheOpenSSL::Config()) { | |
227 crypto::EnsureOpenSSLInit(); | |
228 ssl_socket_data_index_ = SSL_get_ex_new_index(0, 0, 0, 0, 0); | |
229 DCHECK_NE(ssl_socket_data_index_, -1); | |
230 ssl_ctx_.reset(SSL_CTX_new(SSLv23_client_method())); | |
231 SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), CertVerifyCallback, NULL); | |
232 SSL_CTX_set_cert_cb(ssl_ctx_.get(), ClientCertRequestCallback, NULL); | |
233 SSL_CTX_set_verify(ssl_ctx_.get(), SSL_VERIFY_PEER, NULL); | |
234 // This stops |SSL_shutdown| from generating the close_notify message, which | |
235 // is currently not sent on the network. | |
236 // TODO(haavardm): Remove setting quiet shutdown once 118366 is fixed. | |
237 SSL_CTX_set_quiet_shutdown(ssl_ctx_.get(), 1); | |
238 // Note that SSL_OP_DISABLE_NPN is used to disable NPN if | |
239 // ssl_config_.next_proto is empty. | |
240 SSL_CTX_set_next_proto_select_cb(ssl_ctx_.get(), SelectNextProtoCallback, | |
241 NULL); | |
242 | |
243 // Disable the internal session cache. Session caching is handled | |
244 // externally (i.e. by SSLClientSessionCacheOpenSSL). | |
245 SSL_CTX_set_session_cache_mode( | |
246 ssl_ctx_.get(), SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL); | |
247 SSL_CTX_sess_set_new_cb(ssl_ctx_.get(), NewSessionCallback); | |
248 | |
249 if (!SSL_CTX_add_client_custom_ext(ssl_ctx_.get(), kTbExtNum, | |
250 &TokenBindingAddCallback, | |
251 &TokenBindingFreeCallback, nullptr, | |
252 &TokenBindingParseCallback, nullptr)) { | |
253 NOTREACHED(); | |
254 } | |
255 } | |
256 | |
257 static int TokenBindingAddCallback(SSL* ssl, | |
258 unsigned int extension_value, | |
259 const uint8_t** out, | |
260 size_t* out_len, | |
261 int* out_alert_value, | |
262 void* add_arg) { | |
263 DCHECK_EQ(extension_value, kTbExtNum); | |
264 SSLClientSocketOpenSSL* socket = | |
265 SSLClientSocketOpenSSL::SSLContext::GetInstance() | |
266 ->GetClientSocketFromSSL(ssl); | |
267 return socket->TokenBindingAdd(out, out_len, out_alert_value); | |
268 } | |
269 | |
270 static void TokenBindingFreeCallback(SSL* ssl, | |
271 unsigned extension_value, | |
272 const uint8_t* out, | |
273 void* add_arg) { | |
274 DCHECK_EQ(extension_value, kTbExtNum); | |
275 OPENSSL_free(const_cast<unsigned char*>(out)); | |
276 } | |
277 | |
278 static int TokenBindingParseCallback(SSL* ssl, | |
279 unsigned int extension_value, | |
280 const uint8_t* contents, | |
281 size_t contents_len, | |
282 int* out_alert_value, | |
283 void* parse_arg) { | |
284 DCHECK_EQ(extension_value, kTbExtNum); | |
285 SSLClientSocketOpenSSL* socket = | |
286 SSLClientSocketOpenSSL::SSLContext::GetInstance() | |
287 ->GetClientSocketFromSSL(ssl); | |
288 return socket->TokenBindingParse(contents, contents_len, out_alert_value); | |
289 } | |
290 | |
291 static int ClientCertRequestCallback(SSL* ssl, void* arg) { | |
292 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); | |
293 DCHECK(socket); | |
294 return socket->ClientCertRequestCallback(ssl); | |
295 } | |
296 | |
297 static int CertVerifyCallback(X509_STORE_CTX *store_ctx, void *arg) { | |
298 SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data( | |
299 store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx())); | |
300 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); | |
301 CHECK(socket); | |
302 | |
303 return socket->CertVerifyCallback(store_ctx); | |
304 } | |
305 | |
306 static int SelectNextProtoCallback(SSL* ssl, | |
307 unsigned char** out, unsigned char* outlen, | |
308 const unsigned char* in, | |
309 unsigned int inlen, void* arg) { | |
310 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); | |
311 return socket->SelectNextProtoCallback(out, outlen, in, inlen); | |
312 } | |
313 | |
314 static int NewSessionCallback(SSL* ssl, SSL_SESSION* session) { | |
315 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); | |
316 return socket->NewSessionCallback(session); | |
317 } | |
318 | |
319 static int PrivateKeyTypeCallback(SSL* ssl) { | |
320 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); | |
321 return socket->PrivateKeyTypeCallback(); | |
322 } | |
323 | |
324 static size_t PrivateKeyMaxSignatureLenCallback(SSL* ssl) { | |
325 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); | |
326 return socket->PrivateKeyMaxSignatureLenCallback(); | |
327 } | |
328 | |
329 static ssl_private_key_result_t PrivateKeySignCallback(SSL* ssl, | |
330 uint8_t* out, | |
331 size_t* out_len, | |
332 size_t max_out, | |
333 const EVP_MD* md, | |
334 const uint8_t* in, | |
335 size_t in_len) { | |
336 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); | |
337 return socket->PrivateKeySignCallback(out, out_len, max_out, md, in, | |
338 in_len); | |
339 } | |
340 | |
341 static ssl_private_key_result_t PrivateKeySignCompleteCallback( | |
342 SSL* ssl, | |
343 uint8_t* out, | |
344 size_t* out_len, | |
345 size_t max_out) { | |
346 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); | |
347 return socket->PrivateKeySignCompleteCallback(out, out_len, max_out); | |
348 } | |
349 | |
350 #if !defined(OS_NACL) | |
351 static void KeyLogCallback(const SSL* ssl, const char* line) { | |
352 GetInstance()->ssl_key_logger_->WriteLine(line); | |
353 } | |
354 #endif | |
355 | |
356 // This is the index used with SSL_get_ex_data to retrieve the owner | |
357 // SSLClientSocketOpenSSL object from an SSL instance. | |
358 int ssl_socket_data_index_; | |
359 | |
360 ScopedSSL_CTX ssl_ctx_; | |
361 | |
362 #if !defined(OS_NACL) | |
363 std::unique_ptr<SSLKeyLogger> ssl_key_logger_; | |
364 #endif | |
365 | |
366 // TODO(davidben): Use a separate cache per URLRequestContext. | |
367 // https://crbug.com/458365 | |
368 // | |
369 // TODO(davidben): Sessions should be invalidated on fatal | |
370 // alerts. https://crbug.com/466352 | |
371 SSLClientSessionCacheOpenSSL session_cache_; | |
372 }; | |
373 | |
374 const SSL_PRIVATE_KEY_METHOD | |
375 SSLClientSocketOpenSSL::SSLContext::kPrivateKeyMethod = { | |
376 &SSLClientSocketOpenSSL::SSLContext::PrivateKeyTypeCallback, | |
377 &SSLClientSocketOpenSSL::SSLContext::PrivateKeyMaxSignatureLenCallback, | |
378 &SSLClientSocketOpenSSL::SSLContext::PrivateKeySignCallback, | |
379 &SSLClientSocketOpenSSL::SSLContext::PrivateKeySignCompleteCallback, | |
380 }; | |
381 | |
382 // PeerCertificateChain is a helper object which extracts the certificate | |
383 // chain, as given by the server, from an OpenSSL socket and performs the needed | |
384 // resource management. The first element of the chain is the leaf certificate | |
385 // and the other elements are in the order given by the server. | |
386 class SSLClientSocketOpenSSL::PeerCertificateChain { | |
387 public: | |
388 explicit PeerCertificateChain(STACK_OF(X509)* chain) { Reset(chain); } | |
389 PeerCertificateChain(const PeerCertificateChain& other) { *this = other; } | |
390 ~PeerCertificateChain() {} | |
391 PeerCertificateChain& operator=(const PeerCertificateChain& other); | |
392 | |
393 // Resets the PeerCertificateChain to the set of certificates in|chain|, | |
394 // which may be NULL, indicating to empty the store certificates. | |
395 // Note: If an error occurs, such as being unable to parse the certificates, | |
396 // this will behave as if Reset(NULL) was called. | |
397 void Reset(STACK_OF(X509)* chain); | |
398 | |
399 // Note that when USE_OPENSSL_CERTS is defined, OSCertHandle is X509* | |
400 scoped_refptr<X509Certificate> AsOSChain() const; | |
401 | |
402 size_t size() const { | |
403 if (!openssl_chain_.get()) | |
404 return 0; | |
405 return sk_X509_num(openssl_chain_.get()); | |
406 } | |
407 | |
408 bool empty() const { | |
409 return size() == 0; | |
410 } | |
411 | |
412 X509* Get(size_t index) const { | |
413 DCHECK_LT(index, size()); | |
414 return sk_X509_value(openssl_chain_.get(), index); | |
415 } | |
416 | |
417 private: | |
418 ScopedX509Stack openssl_chain_; | |
419 }; | |
420 | |
421 SSLClientSocketOpenSSL::PeerCertificateChain& | |
422 SSLClientSocketOpenSSL::PeerCertificateChain::operator=( | |
423 const PeerCertificateChain& other) { | |
424 if (this == &other) | |
425 return *this; | |
426 | |
427 openssl_chain_.reset(X509_chain_up_ref(other.openssl_chain_.get())); | |
428 return *this; | |
429 } | |
430 | |
431 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset( | |
432 STACK_OF(X509)* chain) { | |
433 openssl_chain_.reset(chain ? X509_chain_up_ref(chain) : NULL); | |
434 } | |
435 | |
436 scoped_refptr<X509Certificate> | |
437 SSLClientSocketOpenSSL::PeerCertificateChain::AsOSChain() const { | |
438 #if defined(USE_OPENSSL_CERTS) | |
439 // When OSCertHandle is typedef'ed to X509, this implementation does a short | |
440 // cut to avoid converting back and forth between DER and the X509 struct. | |
441 X509Certificate::OSCertHandles intermediates; | |
442 for (size_t i = 1; i < sk_X509_num(openssl_chain_.get()); ++i) { | |
443 intermediates.push_back(sk_X509_value(openssl_chain_.get(), i)); | |
444 } | |
445 | |
446 return X509Certificate::CreateFromHandle( | |
447 sk_X509_value(openssl_chain_.get(), 0), intermediates); | |
448 #else | |
449 // DER-encode the chain and convert to a platform certificate handle. | |
450 std::vector<base::StringPiece> der_chain; | |
451 for (size_t i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) { | |
452 X509* x = sk_X509_value(openssl_chain_.get(), i); | |
453 base::StringPiece der; | |
454 if (!x509_util::GetDER(x, &der)) | |
455 return NULL; | |
456 der_chain.push_back(der); | |
457 } | |
458 | |
459 return X509Certificate::CreateFromDERCertChain(der_chain); | |
460 #endif | |
461 } | |
462 | |
463 // static | |
464 void SSLClientSocket::ClearSessionCache() { | |
465 SSLClientSocketOpenSSL::SSLContext* context = | |
466 SSLClientSocketOpenSSL::SSLContext::GetInstance(); | |
467 context->session_cache()->Flush(); | |
468 } | |
469 | |
470 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( | |
471 std::unique_ptr<ClientSocketHandle> transport_socket, | |
472 const HostPortPair& host_and_port, | |
473 const SSLConfig& ssl_config, | |
474 const SSLClientSocketContext& context) | |
475 : transport_send_busy_(false), | |
476 transport_recv_busy_(false), | |
477 pending_read_error_(kNoPendingResult), | |
478 pending_read_ssl_error_(SSL_ERROR_NONE), | |
479 transport_read_error_(OK), | |
480 transport_write_error_(OK), | |
481 server_cert_chain_(new PeerCertificateChain(NULL)), | |
482 completed_connect_(false), | |
483 was_ever_used_(false), | |
484 cert_verifier_(context.cert_verifier), | |
485 cert_transparency_verifier_(context.cert_transparency_verifier), | |
486 channel_id_service_(context.channel_id_service), | |
487 tb_was_negotiated_(false), | |
488 tb_negotiated_param_(TB_PARAM_ECDSAP256), | |
489 tb_signed_ekm_map_(10), | |
490 ssl_(NULL), | |
491 transport_bio_(NULL), | |
492 transport_(std::move(transport_socket)), | |
493 host_and_port_(host_and_port), | |
494 ssl_config_(ssl_config), | |
495 ssl_session_cache_shard_(context.ssl_session_cache_shard), | |
496 next_handshake_state_(STATE_NONE), | |
497 disconnected_(false), | |
498 npn_status_(kNextProtoUnsupported), | |
499 channel_id_sent_(false), | |
500 session_pending_(false), | |
501 certificate_verified_(false), | |
502 ssl_failure_state_(SSL_FAILURE_NONE), | |
503 signature_result_(kNoPendingResult), | |
504 transport_security_state_(context.transport_security_state), | |
505 policy_enforcer_(context.ct_policy_enforcer), | |
506 net_log_(transport_->socket()->NetLog()), | |
507 weak_factory_(this) { | |
508 DCHECK(cert_verifier_); | |
509 } | |
510 | |
511 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { | |
512 Disconnect(); | |
513 } | |
514 | |
515 #if !defined(OS_NACL) | |
516 void SSLClientSocketOpenSSL::SetSSLKeyLogFile( | |
517 const base::FilePath& ssl_keylog_file, | |
518 const scoped_refptr<base::SequencedTaskRunner>& task_runner) { | |
519 SSLContext::GetInstance()->SetSSLKeyLogFile(ssl_keylog_file, task_runner); | |
520 } | |
521 #endif | |
522 | |
523 void SSLClientSocketOpenSSL::GetSSLCertRequestInfo( | |
524 SSLCertRequestInfo* cert_request_info) { | |
525 cert_request_info->host_and_port = host_and_port_; | |
526 cert_request_info->cert_authorities = cert_authorities_; | |
527 cert_request_info->cert_key_types = cert_key_types_; | |
528 } | |
529 | |
530 SSLClientSocket::NextProtoStatus SSLClientSocketOpenSSL::GetNextProto( | |
531 std::string* proto) const { | |
532 *proto = npn_proto_; | |
533 return npn_status_; | |
534 } | |
535 | |
536 ChannelIDService* | |
537 SSLClientSocketOpenSSL::GetChannelIDService() const { | |
538 return channel_id_service_; | |
539 } | |
540 | |
541 Error SSLClientSocketOpenSSL::GetSignedEKMForTokenBinding( | |
542 crypto::ECPrivateKey* key, | |
543 std::vector<uint8_t>* out) { | |
544 // The same key will be used across multiple requests to sign the same value, | |
545 // so the signature is cached. | |
546 std::string raw_public_key; | |
547 if (!key->ExportRawPublicKey(&raw_public_key)) | |
548 return ERR_FAILED; | |
549 SignedEkmMap::iterator it = tb_signed_ekm_map_.Get(raw_public_key); | |
550 if (it != tb_signed_ekm_map_.end()) { | |
551 *out = it->second; | |
552 return OK; | |
553 } | |
554 | |
555 uint8_t tb_ekm_buf[32]; | |
556 static const char kTokenBindingExporterLabel[] = "EXPORTER-Token-Binding"; | |
557 if (!SSL_export_keying_material(ssl_, tb_ekm_buf, sizeof(tb_ekm_buf), | |
558 kTokenBindingExporterLabel, | |
559 strlen(kTokenBindingExporterLabel), nullptr, | |
560 0, false /* no context */)) { | |
561 return ERR_FAILED; | |
562 } | |
563 | |
564 if (!SignTokenBindingEkm( | |
565 base::StringPiece(reinterpret_cast<char*>(tb_ekm_buf), | |
566 sizeof(tb_ekm_buf)), | |
567 key, out)) | |
568 return ERR_FAILED; | |
569 | |
570 tb_signed_ekm_map_.Put(raw_public_key, *out); | |
571 return OK; | |
572 } | |
573 | |
574 crypto::ECPrivateKey* SSLClientSocketOpenSSL::GetChannelIDKey() const { | |
575 return channel_id_key_.get(); | |
576 } | |
577 | |
578 SSLFailureState SSLClientSocketOpenSSL::GetSSLFailureState() const { | |
579 return ssl_failure_state_; | |
580 } | |
581 | |
582 int SSLClientSocketOpenSSL::ExportKeyingMaterial( | |
583 const base::StringPiece& label, | |
584 bool has_context, const base::StringPiece& context, | |
585 unsigned char* out, unsigned int outlen) { | |
586 if (!IsConnected()) | |
587 return ERR_SOCKET_NOT_CONNECTED; | |
588 | |
589 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | |
590 | |
591 int rv = SSL_export_keying_material( | |
592 ssl_, out, outlen, label.data(), label.size(), | |
593 reinterpret_cast<const unsigned char*>(context.data()), context.length(), | |
594 has_context ? 1 : 0); | |
595 | |
596 if (rv != 1) { | |
597 int ssl_error = SSL_get_error(ssl_, rv); | |
598 LOG(ERROR) << "Failed to export keying material;" | |
599 << " returned " << rv | |
600 << ", SSL error code " << ssl_error; | |
601 return MapOpenSSLError(ssl_error, err_tracer); | |
602 } | |
603 return OK; | |
604 } | |
605 | |
606 int SSLClientSocketOpenSSL::Connect(const CompletionCallback& callback) { | |
607 // It is an error to create an SSLClientSocket whose context has no | |
608 // TransportSecurityState. | |
609 DCHECK(transport_security_state_); | |
610 | |
611 // Although StreamSocket does allow calling Connect() after Disconnect(), | |
612 // this has never worked for layered sockets. CHECK to detect any consumers | |
613 // reconnecting an SSL socket. | |
614 // | |
615 // TODO(davidben,mmenke): Remove this API feature. See | |
616 // https://crbug.com/499289. | |
617 CHECK(!disconnected_); | |
618 | |
619 net_log_.BeginEvent(NetLog::TYPE_SSL_CONNECT); | |
620 | |
621 // Set up new ssl object. | |
622 int rv = Init(); | |
623 if (rv != OK) { | |
624 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | |
625 return rv; | |
626 } | |
627 | |
628 // Set SSL to client mode. Handshake happens in the loop below. | |
629 SSL_set_connect_state(ssl_); | |
630 | |
631 GotoState(STATE_HANDSHAKE); | |
632 rv = DoHandshakeLoop(OK); | |
633 if (rv == ERR_IO_PENDING) { | |
634 user_connect_callback_ = callback; | |
635 } else { | |
636 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | |
637 } | |
638 | |
639 return rv > OK ? OK : rv; | |
640 } | |
641 | |
642 void SSLClientSocketOpenSSL::Disconnect() { | |
643 crypto::OpenSSLErrStackTracer tracer(FROM_HERE); | |
644 | |
645 if (ssl_) { | |
646 // Calling SSL_shutdown prevents the session from being marked as | |
647 // unresumable. | |
648 SSL_shutdown(ssl_); | |
649 SSL_free(ssl_); | |
650 ssl_ = NULL; | |
651 } | |
652 if (transport_bio_) { | |
653 BIO_free_all(transport_bio_); | |
654 transport_bio_ = NULL; | |
655 } | |
656 | |
657 disconnected_ = true; | |
658 | |
659 // Shut down anything that may call us back. | |
660 cert_verifier_request_.reset(); | |
661 transport_->socket()->Disconnect(); | |
662 | |
663 // Null all callbacks, delete all buffers. | |
664 transport_send_busy_ = false; | |
665 send_buffer_ = NULL; | |
666 transport_recv_busy_ = false; | |
667 recv_buffer_ = NULL; | |
668 | |
669 user_connect_callback_.Reset(); | |
670 user_read_callback_.Reset(); | |
671 user_write_callback_.Reset(); | |
672 user_read_buf_ = NULL; | |
673 user_read_buf_len_ = 0; | |
674 user_write_buf_ = NULL; | |
675 user_write_buf_len_ = 0; | |
676 | |
677 pending_read_error_ = kNoPendingResult; | |
678 pending_read_ssl_error_ = SSL_ERROR_NONE; | |
679 pending_read_error_info_ = OpenSSLErrorInfo(); | |
680 | |
681 transport_read_error_ = OK; | |
682 transport_write_error_ = OK; | |
683 | |
684 server_cert_verify_result_.Reset(); | |
685 completed_connect_ = false; | |
686 | |
687 cert_authorities_.clear(); | |
688 cert_key_types_.clear(); | |
689 | |
690 start_cert_verification_time_ = base::TimeTicks(); | |
691 | |
692 npn_status_ = kNextProtoUnsupported; | |
693 npn_proto_.clear(); | |
694 | |
695 channel_id_sent_ = false; | |
696 tb_was_negotiated_ = false; | |
697 session_pending_ = false; | |
698 certificate_verified_ = false; | |
699 channel_id_request_.Cancel(); | |
700 ssl_failure_state_ = SSL_FAILURE_NONE; | |
701 | |
702 signature_result_ = kNoPendingResult; | |
703 signature_.clear(); | |
704 } | |
705 | |
706 bool SSLClientSocketOpenSSL::IsConnected() const { | |
707 // If the handshake has not yet completed. | |
708 if (!completed_connect_) | |
709 return false; | |
710 // If an asynchronous operation is still pending. | |
711 if (user_read_buf_.get() || user_write_buf_.get()) | |
712 return true; | |
713 | |
714 return transport_->socket()->IsConnected(); | |
715 } | |
716 | |
717 bool SSLClientSocketOpenSSL::IsConnectedAndIdle() const { | |
718 // If the handshake has not yet completed. | |
719 if (!completed_connect_) | |
720 return false; | |
721 // If an asynchronous operation is still pending. | |
722 if (user_read_buf_.get() || user_write_buf_.get()) | |
723 return false; | |
724 | |
725 // If there is data read from the network that has not yet been consumed, do | |
726 // not treat the connection as idle. | |
727 // | |
728 // Note that this does not check |BIO_pending|, whether there is ciphertext | |
729 // that has not yet been flushed to the network. |Write| returns early, so | |
730 // this can cause race conditions which cause a socket to not be treated | |
731 // reusable when it should be. See https://crbug.com/466147. | |
732 if (BIO_wpending(transport_bio_) > 0) | |
733 return false; | |
734 | |
735 return transport_->socket()->IsConnectedAndIdle(); | |
736 } | |
737 | |
738 int SSLClientSocketOpenSSL::GetPeerAddress(IPEndPoint* addressList) const { | |
739 return transport_->socket()->GetPeerAddress(addressList); | |
740 } | |
741 | |
742 int SSLClientSocketOpenSSL::GetLocalAddress(IPEndPoint* addressList) const { | |
743 return transport_->socket()->GetLocalAddress(addressList); | |
744 } | |
745 | |
746 const BoundNetLog& SSLClientSocketOpenSSL::NetLog() const { | |
747 return net_log_; | |
748 } | |
749 | |
750 void SSLClientSocketOpenSSL::SetSubresourceSpeculation() { | |
751 if (transport_.get() && transport_->socket()) { | |
752 transport_->socket()->SetSubresourceSpeculation(); | |
753 } else { | |
754 NOTREACHED(); | |
755 } | |
756 } | |
757 | |
758 void SSLClientSocketOpenSSL::SetOmniboxSpeculation() { | |
759 if (transport_.get() && transport_->socket()) { | |
760 transport_->socket()->SetOmniboxSpeculation(); | |
761 } else { | |
762 NOTREACHED(); | |
763 } | |
764 } | |
765 | |
766 bool SSLClientSocketOpenSSL::WasEverUsed() const { | |
767 return was_ever_used_; | |
768 } | |
769 | |
770 bool SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) { | |
771 ssl_info->Reset(); | |
772 if (server_cert_chain_->empty()) | |
773 return false; | |
774 | |
775 ssl_info->cert = server_cert_verify_result_.verified_cert; | |
776 ssl_info->unverified_cert = server_cert_; | |
777 ssl_info->cert_status = server_cert_verify_result_.cert_status; | |
778 ssl_info->is_issued_by_known_root = | |
779 server_cert_verify_result_.is_issued_by_known_root; | |
780 ssl_info->public_key_hashes = | |
781 server_cert_verify_result_.public_key_hashes; | |
782 ssl_info->client_cert_sent = | |
783 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); | |
784 ssl_info->channel_id_sent = channel_id_sent_; | |
785 ssl_info->token_binding_negotiated = tb_was_negotiated_; | |
786 ssl_info->token_binding_key_param = tb_negotiated_param_; | |
787 ssl_info->pinning_failure_log = pinning_failure_log_; | |
788 | |
789 AddCTInfoToSSLInfo(ssl_info); | |
790 | |
791 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); | |
792 CHECK(cipher); | |
793 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); | |
794 ssl_info->key_exchange_info = | |
795 SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_)); | |
796 | |
797 SSLConnectionStatusSetCipherSuite( | |
798 static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)), | |
799 &ssl_info->connection_status); | |
800 SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_), | |
801 &ssl_info->connection_status); | |
802 | |
803 if (!SSL_get_secure_renegotiation_support(ssl_)) | |
804 ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; | |
805 | |
806 if (ssl_config_.version_fallback) | |
807 ssl_info->connection_status |= SSL_CONNECTION_VERSION_FALLBACK; | |
808 | |
809 ssl_info->handshake_type = SSL_session_reused(ssl_) ? | |
810 SSLInfo::HANDSHAKE_RESUME : SSLInfo::HANDSHAKE_FULL; | |
811 | |
812 DVLOG(3) << "Encoded connection status: cipher suite = " | |
813 << SSLConnectionStatusToCipherSuite(ssl_info->connection_status) | |
814 << " version = " | |
815 << SSLConnectionStatusToVersion(ssl_info->connection_status); | |
816 return true; | |
817 } | |
818 | |
819 void SSLClientSocketOpenSSL::GetConnectionAttempts( | |
820 ConnectionAttempts* out) const { | |
821 out->clear(); | |
822 } | |
823 | |
824 int64_t SSLClientSocketOpenSSL::GetTotalReceivedBytes() const { | |
825 return transport_->socket()->GetTotalReceivedBytes(); | |
826 } | |
827 | |
828 int SSLClientSocketOpenSSL::Read(IOBuffer* buf, | |
829 int buf_len, | |
830 const CompletionCallback& callback) { | |
831 user_read_buf_ = buf; | |
832 user_read_buf_len_ = buf_len; | |
833 | |
834 int rv = DoReadLoop(); | |
835 | |
836 if (rv == ERR_IO_PENDING) { | |
837 user_read_callback_ = callback; | |
838 } else { | |
839 if (rv > 0) | |
840 was_ever_used_ = true; | |
841 user_read_buf_ = NULL; | |
842 user_read_buf_len_ = 0; | |
843 } | |
844 | |
845 return rv; | |
846 } | |
847 | |
848 int SSLClientSocketOpenSSL::Write(IOBuffer* buf, | |
849 int buf_len, | |
850 const CompletionCallback& callback) { | |
851 user_write_buf_ = buf; | |
852 user_write_buf_len_ = buf_len; | |
853 | |
854 int rv = DoWriteLoop(); | |
855 | |
856 if (rv == ERR_IO_PENDING) { | |
857 user_write_callback_ = callback; | |
858 } else { | |
859 if (rv > 0) | |
860 was_ever_used_ = true; | |
861 user_write_buf_ = NULL; | |
862 user_write_buf_len_ = 0; | |
863 } | |
864 | |
865 return rv; | |
866 } | |
867 | |
868 int SSLClientSocketOpenSSL::SetReceiveBufferSize(int32_t size) { | |
869 return transport_->socket()->SetReceiveBufferSize(size); | |
870 } | |
871 | |
872 int SSLClientSocketOpenSSL::SetSendBufferSize(int32_t size) { | |
873 return transport_->socket()->SetSendBufferSize(size); | |
874 } | |
875 | |
876 int SSLClientSocketOpenSSL::Init() { | |
877 DCHECK(!ssl_); | |
878 DCHECK(!transport_bio_); | |
879 | |
880 #if defined(USE_NSS_CERTS) | |
881 if (ssl_config_.cert_io_enabled) { | |
882 // TODO(davidben): Move this out of SSLClientSocket. See | |
883 // https://crbug.com/539520. | |
884 EnsureNSSHttpIOInit(); | |
885 } | |
886 #endif | |
887 | |
888 SSLContext* context = SSLContext::GetInstance(); | |
889 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | |
890 | |
891 ssl_ = SSL_new(context->ssl_ctx()); | |
892 if (!ssl_ || !context->SetClientSocketForSSL(ssl_, this)) | |
893 return ERR_UNEXPECTED; | |
894 | |
895 // SNI should only contain valid DNS hostnames, not IP addresses (see RFC | |
896 // 6066, Section 3). | |
897 // | |
898 // TODO(rsleevi): Should this code allow hostnames that violate the LDH rule? | |
899 // See https://crbug.com/496472 and https://crbug.com/496468 for discussion. | |
900 IPAddress unused; | |
901 if (!unused.AssignFromIPLiteral(host_and_port_.host()) && | |
902 !SSL_set_tlsext_host_name(ssl_, host_and_port_.host().c_str())) { | |
903 return ERR_UNEXPECTED; | |
904 } | |
905 | |
906 ScopedSSL_SESSION session = | |
907 context->session_cache()->Lookup(GetSessionCacheKey()); | |
908 if (session) | |
909 SSL_set_session(ssl_, session.get()); | |
910 | |
911 send_buffer_ = new GrowableIOBuffer(); | |
912 send_buffer_->SetCapacity(KDefaultOpenSSLBufferSize); | |
913 recv_buffer_ = new GrowableIOBuffer(); | |
914 recv_buffer_->SetCapacity(KDefaultOpenSSLBufferSize); | |
915 | |
916 BIO* ssl_bio = NULL; | |
917 | |
918 // SSLClientSocketOpenSSL retains ownership of the BIO buffers. | |
919 if (!BIO_new_bio_pair_external_buf( | |
920 &ssl_bio, send_buffer_->capacity(), | |
921 reinterpret_cast<uint8_t*>(send_buffer_->data()), &transport_bio_, | |
922 recv_buffer_->capacity(), | |
923 reinterpret_cast<uint8_t*>(recv_buffer_->data()))) | |
924 return ERR_UNEXPECTED; | |
925 DCHECK(ssl_bio); | |
926 DCHECK(transport_bio_); | |
927 | |
928 // Install a callback on OpenSSL's end to plumb transport errors through. | |
929 BIO_set_callback(ssl_bio, &SSLClientSocketOpenSSL::BIOCallback); | |
930 BIO_set_callback_arg(ssl_bio, reinterpret_cast<char*>(this)); | |
931 | |
932 SSL_set_bio(ssl_, ssl_bio, ssl_bio); | |
933 | |
934 DCHECK_LT(SSL3_VERSION, ssl_config_.version_min); | |
935 DCHECK_LT(SSL3_VERSION, ssl_config_.version_max); | |
936 SSL_set_min_version(ssl_, ssl_config_.version_min); | |
937 SSL_set_max_version(ssl_, ssl_config_.version_max); | |
938 | |
939 // OpenSSL defaults some options to on, others to off. To avoid ambiguity, | |
940 // set everything we care about to an absolute value. | |
941 SslSetClearMask options; | |
942 options.ConfigureFlag(SSL_OP_NO_COMPRESSION, true); | |
943 | |
944 // TODO(joth): Set this conditionally, see http://crbug.com/55410 | |
945 options.ConfigureFlag(SSL_OP_LEGACY_SERVER_CONNECT, true); | |
946 | |
947 SSL_set_options(ssl_, options.set_mask); | |
948 SSL_clear_options(ssl_, options.clear_mask); | |
949 | |
950 // Same as above, this time for the SSL mode. | |
951 SslSetClearMask mode; | |
952 | |
953 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true); | |
954 mode.ConfigureFlag(SSL_MODE_CBC_RECORD_SPLITTING, true); | |
955 | |
956 mode.ConfigureFlag(SSL_MODE_ENABLE_FALSE_START, | |
957 ssl_config_.false_start_enabled); | |
958 | |
959 mode.ConfigureFlag(SSL_MODE_SEND_FALLBACK_SCSV, ssl_config_.version_fallback); | |
960 | |
961 SSL_set_mode(ssl_, mode.set_mask); | |
962 SSL_clear_mode(ssl_, mode.clear_mask); | |
963 | |
964 // Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers | |
965 // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable | |
966 // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not | |
967 // supported. As DHE is being deprecated, don't add a cipher only to remove it | |
968 // immediately. | |
969 std::string command( | |
970 "DEFAULT:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK"); | |
971 | |
972 if (ssl_config_.require_ecdhe) | |
973 command.append(":!kRSA:!kDHE"); | |
974 | |
975 if (!(ssl_config_.rc4_enabled && | |
976 ssl_config_.deprecated_cipher_suites_enabled)) { | |
977 command.append(":!RC4"); | |
978 } | |
979 | |
980 if (!ssl_config_.deprecated_cipher_suites_enabled) { | |
981 // Only offer DHE on the second handshake. https://crbug.com/538690 | |
982 command.append(":!kDHE"); | |
983 } | |
984 | |
985 // Remove any disabled ciphers. | |
986 for (uint16_t id : ssl_config_.disabled_cipher_suites) { | |
987 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id); | |
988 if (cipher) { | |
989 command.append(":!"); | |
990 command.append(SSL_CIPHER_get_name(cipher)); | |
991 } | |
992 } | |
993 | |
994 int rv = SSL_set_cipher_list(ssl_, command.c_str()); | |
995 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL. | |
996 // This will almost certainly result in the socket failing to complete the | |
997 // handshake at which point the appropriate error is bubbled up to the client. | |
998 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command << "') " | |
999 "returned " << rv; | |
1000 | |
1001 // TLS channel ids. | |
1002 if (IsChannelIDEnabled(ssl_config_, channel_id_service_)) { | |
1003 SSL_enable_tls_channel_id(ssl_); | |
1004 } | |
1005 | |
1006 if (!ssl_config_.alpn_protos.empty()) { | |
1007 // Get list of ciphers that are enabled. | |
1008 STACK_OF(SSL_CIPHER)* enabled_ciphers = SSL_get_ciphers(ssl_); | |
1009 DCHECK(enabled_ciphers); | |
1010 std::vector<uint16_t> enabled_ciphers_vector; | |
1011 for (size_t i = 0; i < sk_SSL_CIPHER_num(enabled_ciphers); ++i) { | |
1012 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(enabled_ciphers, i); | |
1013 const uint16_t id = static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)); | |
1014 enabled_ciphers_vector.push_back(id); | |
1015 } | |
1016 | |
1017 NextProtoVector alpn_protos = ssl_config_.alpn_protos; | |
1018 if (!HasCipherAdequateForHTTP2(enabled_ciphers_vector) || | |
1019 !IsTLSVersionAdequateForHTTP2(ssl_config_)) { | |
1020 DisableHTTP2(&alpn_protos); | |
1021 } | |
1022 std::vector<uint8_t> wire_protos = SerializeNextProtos(alpn_protos); | |
1023 SSL_set_alpn_protos(ssl_, wire_protos.empty() ? NULL : &wire_protos[0], | |
1024 wire_protos.size()); | |
1025 } | |
1026 | |
1027 if (ssl_config_.npn_protos.empty()) | |
1028 SSL_set_options(ssl_, SSL_OP_DISABLE_NPN); | |
1029 | |
1030 if (ssl_config_.signed_cert_timestamps_enabled) { | |
1031 SSL_enable_signed_cert_timestamps(ssl_); | |
1032 SSL_enable_ocsp_stapling(ssl_); | |
1033 } | |
1034 | |
1035 if (cert_verifier_->SupportsOCSPStapling()) | |
1036 SSL_enable_ocsp_stapling(ssl_); | |
1037 | |
1038 return OK; | |
1039 } | |
1040 | |
1041 void SSLClientSocketOpenSSL::DoReadCallback(int rv) { | |
1042 // Since Run may result in Read being called, clear |user_read_callback_| | |
1043 // up front. | |
1044 if (rv > 0) | |
1045 was_ever_used_ = true; | |
1046 user_read_buf_ = NULL; | |
1047 user_read_buf_len_ = 0; | |
1048 base::ResetAndReturn(&user_read_callback_).Run(rv); | |
1049 } | |
1050 | |
1051 void SSLClientSocketOpenSSL::DoWriteCallback(int rv) { | |
1052 // Since Run may result in Write being called, clear |user_write_callback_| | |
1053 // up front. | |
1054 if (rv > 0) | |
1055 was_ever_used_ = true; | |
1056 user_write_buf_ = NULL; | |
1057 user_write_buf_len_ = 0; | |
1058 base::ResetAndReturn(&user_write_callback_).Run(rv); | |
1059 } | |
1060 | |
1061 bool SSLClientSocketOpenSSL::DoTransportIO() { | |
1062 bool network_moved = false; | |
1063 int rv; | |
1064 // Read and write as much data as possible. The loop is necessary because | |
1065 // Write() may return synchronously. | |
1066 do { | |
1067 rv = BufferSend(); | |
1068 if (rv != ERR_IO_PENDING && rv != 0) | |
1069 network_moved = true; | |
1070 } while (rv > 0); | |
1071 if (transport_read_error_ == OK && BufferRecv() != ERR_IO_PENDING) | |
1072 network_moved = true; | |
1073 return network_moved; | |
1074 } | |
1075 | |
1076 // TODO(cbentzel): Remove including "base/threading/thread_local.h" and | |
1077 // g_first_run_completed once crbug.com/424386 is fixed. | |
1078 base::LazyInstance<base::ThreadLocalBoolean>::Leaky g_first_run_completed = | |
1079 LAZY_INSTANCE_INITIALIZER; | |
1080 | |
1081 int SSLClientSocketOpenSSL::DoHandshake() { | |
1082 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | |
1083 | |
1084 int rv; | |
1085 | |
1086 // TODO(cbentzel): Leave only 1 call to SSL_do_handshake once crbug.com/424386 | |
1087 // is fixed. | |
1088 if (ssl_config_.send_client_cert && ssl_config_.client_cert.get()) { | |
1089 rv = SSL_do_handshake(ssl_); | |
1090 } else { | |
1091 if (g_first_run_completed.Get().Get()) { | |
1092 // TODO(cbentzel): Remove ScopedTracker below once crbug.com/424386 is | |
1093 // fixed. | |
1094 tracked_objects::ScopedTracker tracking_profile( | |
1095 FROM_HERE_WITH_EXPLICIT_FUNCTION("424386 SSL_do_handshake()")); | |
1096 | |
1097 rv = SSL_do_handshake(ssl_); | |
1098 } else { | |
1099 g_first_run_completed.Get().Set(true); | |
1100 rv = SSL_do_handshake(ssl_); | |
1101 } | |
1102 } | |
1103 | |
1104 int net_error = OK; | |
1105 if (rv <= 0) { | |
1106 int ssl_error = SSL_get_error(ssl_, rv); | |
1107 if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) { | |
1108 // The server supports channel ID. Stop to look one up before returning to | |
1109 // the handshake. | |
1110 GotoState(STATE_CHANNEL_ID_LOOKUP); | |
1111 return OK; | |
1112 } | |
1113 if (ssl_error == SSL_ERROR_WANT_X509_LOOKUP && | |
1114 !ssl_config_.send_client_cert) { | |
1115 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | |
1116 } | |
1117 if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) { | |
1118 DCHECK(ssl_config_.client_private_key); | |
1119 DCHECK_NE(kNoPendingResult, signature_result_); | |
1120 GotoState(STATE_HANDSHAKE); | |
1121 return ERR_IO_PENDING; | |
1122 } | |
1123 | |
1124 OpenSSLErrorInfo error_info; | |
1125 net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info); | |
1126 if (net_error == ERR_IO_PENDING) { | |
1127 // If not done, stay in this state | |
1128 GotoState(STATE_HANDSHAKE); | |
1129 return ERR_IO_PENDING; | |
1130 } | |
1131 | |
1132 LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code " | |
1133 << ssl_error << ", net_error " << net_error; | |
1134 net_log_.AddEvent( | |
1135 NetLog::TYPE_SSL_HANDSHAKE_ERROR, | |
1136 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); | |
1137 | |
1138 // Classify the handshake failure. This is used to determine causes of the | |
1139 // TLS version fallback. | |
1140 | |
1141 // |cipher| is the current outgoing cipher suite, so it is non-null iff | |
1142 // ChangeCipherSpec was sent. | |
1143 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); | |
1144 if (SSL_get_state(ssl_) == SSL3_ST_CR_SRVR_HELLO_A) { | |
1145 ssl_failure_state_ = SSL_FAILURE_CLIENT_HELLO; | |
1146 } else if (cipher && (SSL_CIPHER_get_id(cipher) == | |
1147 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256 || | |
1148 SSL_CIPHER_get_id(cipher) == | |
1149 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256)) { | |
1150 ssl_failure_state_ = SSL_FAILURE_BUGGY_GCM; | |
1151 } else if (cipher && ssl_config_.send_client_cert) { | |
1152 ssl_failure_state_ = SSL_FAILURE_CLIENT_AUTH; | |
1153 } else if (ERR_GET_LIB(error_info.error_code) == ERR_LIB_SSL && | |
1154 ERR_GET_REASON(error_info.error_code) == | |
1155 SSL_R_OLD_SESSION_VERSION_NOT_RETURNED) { | |
1156 ssl_failure_state_ = SSL_FAILURE_SESSION_MISMATCH; | |
1157 } else if (cipher && npn_status_ != kNextProtoUnsupported) { | |
1158 ssl_failure_state_ = SSL_FAILURE_NEXT_PROTO; | |
1159 } else { | |
1160 ssl_failure_state_ = SSL_FAILURE_UNKNOWN; | |
1161 } | |
1162 } | |
1163 | |
1164 GotoState(STATE_HANDSHAKE_COMPLETE); | |
1165 return net_error; | |
1166 } | |
1167 | |
1168 int SSLClientSocketOpenSSL::DoHandshakeComplete(int result) { | |
1169 if (result < 0) | |
1170 return result; | |
1171 | |
1172 if (ssl_config_.version_fallback && | |
1173 ssl_config_.version_max < ssl_config_.version_fallback_min) { | |
1174 return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION; | |
1175 } | |
1176 | |
1177 // Check that if token binding was negotiated, then extended master secret | |
1178 // must also be negotiated. | |
1179 if (tb_was_negotiated_ && !SSL_get_extms_support(ssl_)) | |
1180 return ERR_SSL_PROTOCOL_ERROR; | |
1181 | |
1182 // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was. | |
1183 if (npn_status_ == kNextProtoUnsupported) { | |
1184 const uint8_t* alpn_proto = NULL; | |
1185 unsigned alpn_len = 0; | |
1186 SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len); | |
1187 if (alpn_len > 0) { | |
1188 npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len); | |
1189 npn_status_ = kNextProtoNegotiated; | |
1190 set_negotiation_extension(kExtensionALPN); | |
1191 } | |
1192 } | |
1193 | |
1194 RecordNegotiationExtension(); | |
1195 RecordChannelIDSupport(channel_id_service_, channel_id_sent_, | |
1196 ssl_config_.channel_id_enabled); | |
1197 | |
1198 // Only record OCSP histograms if OCSP was requested. | |
1199 if (ssl_config_.signed_cert_timestamps_enabled || | |
1200 cert_verifier_->SupportsOCSPStapling()) { | |
1201 const uint8_t* ocsp_response; | |
1202 size_t ocsp_response_len; | |
1203 SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len); | |
1204 | |
1205 set_stapled_ocsp_response_received(ocsp_response_len != 0); | |
1206 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); | |
1207 } | |
1208 | |
1209 const uint8_t* sct_list; | |
1210 size_t sct_list_len; | |
1211 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len); | |
1212 set_signed_cert_timestamps_received(sct_list_len != 0); | |
1213 | |
1214 if (IsRenegotiationAllowed()) | |
1215 SSL_set_renegotiate_mode(ssl_, ssl_renegotiate_freely); | |
1216 | |
1217 uint8_t server_key_exchange_hash = SSL_get_server_key_exchange_hash(ssl_); | |
1218 if (server_key_exchange_hash != TLSEXT_hash_none) { | |
1219 UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLServerKeyExchangeHash", | |
1220 server_key_exchange_hash); | |
1221 } | |
1222 | |
1223 // Verify the certificate. | |
1224 UpdateServerCert(); | |
1225 GotoState(STATE_VERIFY_CERT); | |
1226 return OK; | |
1227 } | |
1228 | |
1229 int SSLClientSocketOpenSSL::DoChannelIDLookup() { | |
1230 NetLog::ParametersCallback callback = base::Bind( | |
1231 &NetLogChannelIDLookupCallback, base::Unretained(channel_id_service_)); | |
1232 net_log_.BeginEvent(NetLog::TYPE_SSL_GET_CHANNEL_ID, callback); | |
1233 GotoState(STATE_CHANNEL_ID_LOOKUP_COMPLETE); | |
1234 return channel_id_service_->GetOrCreateChannelID( | |
1235 host_and_port_.host(), &channel_id_key_, | |
1236 base::Bind(&SSLClientSocketOpenSSL::OnHandshakeIOComplete, | |
1237 base::Unretained(this)), | |
1238 &channel_id_request_); | |
1239 } | |
1240 | |
1241 int SSLClientSocketOpenSSL::DoChannelIDLookupComplete(int result) { | |
1242 net_log_.EndEvent(NetLog::TYPE_SSL_GET_CHANNEL_ID, | |
1243 base::Bind(&NetLogChannelIDLookupCompleteCallback, | |
1244 channel_id_key_.get(), result)); | |
1245 if (result < 0) | |
1246 return result; | |
1247 | |
1248 // Hand the key to OpenSSL. Check for error in case OpenSSL rejects the key | |
1249 // type. | |
1250 DCHECK(channel_id_key_); | |
1251 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | |
1252 int rv = SSL_set1_tls_channel_id(ssl_, channel_id_key_->key()); | |
1253 if (!rv) { | |
1254 LOG(ERROR) << "Failed to set Channel ID."; | |
1255 int err = SSL_get_error(ssl_, rv); | |
1256 return MapOpenSSLError(err, err_tracer); | |
1257 } | |
1258 | |
1259 // Return to the handshake. | |
1260 channel_id_sent_ = true; | |
1261 GotoState(STATE_HANDSHAKE); | |
1262 return OK; | |
1263 } | |
1264 | |
1265 int SSLClientSocketOpenSSL::DoVerifyCert(int result) { | |
1266 DCHECK(!server_cert_chain_->empty()); | |
1267 DCHECK(start_cert_verification_time_.is_null()); | |
1268 | |
1269 GotoState(STATE_VERIFY_CERT_COMPLETE); | |
1270 | |
1271 // OpenSSL decoded the certificate, but the platform certificate | |
1272 // implementation could not. This is treated as a fatal SSL-level protocol | |
1273 // error rather than a certificate error. See https://crbug.com/91341. | |
1274 if (!server_cert_.get()) | |
1275 return ERR_SSL_SERVER_CERT_BAD_FORMAT; | |
1276 | |
1277 // If the certificate is bad and has been previously accepted, use | |
1278 // the previous status and bypass the error. | |
1279 base::StringPiece der_cert; | |
1280 if (!x509_util::GetDER(server_cert_chain_->Get(0), &der_cert)) { | |
1281 NOTREACHED(); | |
1282 return ERR_CERT_INVALID; | |
1283 } | |
1284 CertStatus cert_status; | |
1285 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) { | |
1286 VLOG(1) << "Received an expected bad cert with status: " << cert_status; | |
1287 server_cert_verify_result_.Reset(); | |
1288 server_cert_verify_result_.cert_status = cert_status; | |
1289 server_cert_verify_result_.verified_cert = server_cert_; | |
1290 return OK; | |
1291 } | |
1292 | |
1293 std::string ocsp_response; | |
1294 if (cert_verifier_->SupportsOCSPStapling()) { | |
1295 const uint8_t* ocsp_response_raw; | |
1296 size_t ocsp_response_len; | |
1297 SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len); | |
1298 ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw), | |
1299 ocsp_response_len); | |
1300 } | |
1301 | |
1302 start_cert_verification_time_ = base::TimeTicks::Now(); | |
1303 | |
1304 return cert_verifier_->Verify( | |
1305 server_cert_.get(), host_and_port_.host(), ocsp_response, | |
1306 ssl_config_.GetCertVerifyFlags(), | |
1307 // TODO(davidben): Route the CRLSet through SSLConfig so | |
1308 // SSLClientSocket doesn't depend on SSLConfigService. | |
1309 SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_, | |
1310 base::Bind(&SSLClientSocketOpenSSL::OnHandshakeIOComplete, | |
1311 base::Unretained(this)), | |
1312 &cert_verifier_request_, net_log_); | |
1313 } | |
1314 | |
1315 int SSLClientSocketOpenSSL::DoVerifyCertComplete(int result) { | |
1316 cert_verifier_request_.reset(); | |
1317 | |
1318 if (!start_cert_verification_time_.is_null()) { | |
1319 base::TimeDelta verify_time = | |
1320 base::TimeTicks::Now() - start_cert_verification_time_; | |
1321 if (result == OK) { | |
1322 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTime", verify_time); | |
1323 } else { | |
1324 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTimeError", verify_time); | |
1325 } | |
1326 } | |
1327 | |
1328 const CertStatus cert_status = server_cert_verify_result_.cert_status; | |
1329 if (transport_security_state_ && | |
1330 (result == OK || | |
1331 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | |
1332 !transport_security_state_->CheckPublicKeyPins( | |
1333 host_and_port_, server_cert_verify_result_.is_issued_by_known_root, | |
1334 server_cert_verify_result_.public_key_hashes, server_cert_.get(), | |
1335 server_cert_verify_result_.verified_cert.get(), | |
1336 TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_)) { | |
1337 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | |
1338 } | |
1339 | |
1340 if (result == OK) { | |
1341 // Only check Certificate Transparency if there were no other errors with | |
1342 // the connection. | |
1343 VerifyCT(); | |
1344 | |
1345 DCHECK(!certificate_verified_); | |
1346 certificate_verified_ = true; | |
1347 MaybeCacheSession(); | |
1348 } else { | |
1349 DVLOG(1) << "DoVerifyCertComplete error " << ErrorToString(result) | |
1350 << " (" << result << ")"; | |
1351 } | |
1352 | |
1353 completed_connect_ = true; | |
1354 // Exit DoHandshakeLoop and return the result to the caller to Connect. | |
1355 DCHECK_EQ(STATE_NONE, next_handshake_state_); | |
1356 return result; | |
1357 } | |
1358 | |
1359 void SSLClientSocketOpenSSL::DoConnectCallback(int rv) { | |
1360 if (!user_connect_callback_.is_null()) { | |
1361 CompletionCallback c = user_connect_callback_; | |
1362 user_connect_callback_.Reset(); | |
1363 c.Run(rv > OK ? OK : rv); | |
1364 } | |
1365 } | |
1366 | |
1367 void SSLClientSocketOpenSSL::UpdateServerCert() { | |
1368 server_cert_chain_->Reset(SSL_get_peer_cert_chain(ssl_)); | |
1369 server_cert_ = server_cert_chain_->AsOSChain(); | |
1370 if (server_cert_.get()) { | |
1371 net_log_.AddEvent( | |
1372 NetLog::TYPE_SSL_CERTIFICATES_RECEIVED, | |
1373 base::Bind(&NetLogX509CertificateCallback, | |
1374 base::Unretained(server_cert_.get()))); | |
1375 } | |
1376 } | |
1377 | |
1378 void SSLClientSocketOpenSSL::VerifyCT() { | |
1379 if (!cert_transparency_verifier_) | |
1380 return; | |
1381 | |
1382 const uint8_t* ocsp_response_raw; | |
1383 size_t ocsp_response_len; | |
1384 SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len); | |
1385 std::string ocsp_response; | |
1386 if (ocsp_response_len > 0) { | |
1387 ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw), | |
1388 ocsp_response_len); | |
1389 } | |
1390 | |
1391 const uint8_t* sct_list_raw; | |
1392 size_t sct_list_len; | |
1393 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list_raw, &sct_list_len); | |
1394 std::string sct_list; | |
1395 if (sct_list_len > 0) | |
1396 sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len); | |
1397 | |
1398 // Note that this is a completely synchronous operation: The CT Log Verifier | |
1399 // gets all the data it needs for SCT verification and does not do any | |
1400 // external communication. | |
1401 cert_transparency_verifier_->Verify( | |
1402 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, | |
1403 &ct_verify_result_, net_log_); | |
1404 | |
1405 ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr); | |
1406 ct_verify_result_.ev_policy_compliance = | |
1407 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | |
1408 if (policy_enforcer_) { | |
1409 if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { | |
1410 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | |
1411 SSLConfigService::GetEVCertsWhitelist(); | |
1412 ct::EVPolicyCompliance ev_policy_compliance = | |
1413 policy_enforcer_->DoesConformToCTEVPolicy( | |
1414 server_cert_verify_result_.verified_cert.get(), | |
1415 ev_whitelist.get(), ct_verify_result_.verified_scts, net_log_); | |
1416 ct_verify_result_.ev_policy_compliance = ev_policy_compliance; | |
1417 if (ev_policy_compliance != | |
1418 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && | |
1419 ev_policy_compliance != | |
1420 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && | |
1421 ev_policy_compliance != | |
1422 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { | |
1423 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 | |
1424 VLOG(1) << "EV certificate for " | |
1425 << server_cert_verify_result_.verified_cert->subject() | |
1426 .GetDisplayName() | |
1427 << " does not conform to CT policy, removing EV status."; | |
1428 server_cert_verify_result_.cert_status |= | |
1429 CERT_STATUS_CT_COMPLIANCE_FAILED; | |
1430 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | |
1431 } | |
1432 } | |
1433 ct_verify_result_.cert_policy_compliance = | |
1434 policy_enforcer_->DoesConformToCertPolicy( | |
1435 server_cert_verify_result_.verified_cert.get(), | |
1436 ct_verify_result_.verified_scts, net_log_); | |
1437 } | |
1438 } | |
1439 | |
1440 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { | |
1441 int rv = DoHandshakeLoop(result); | |
1442 if (rv != ERR_IO_PENDING) { | |
1443 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | |
1444 DoConnectCallback(rv); | |
1445 } | |
1446 } | |
1447 | |
1448 void SSLClientSocketOpenSSL::OnSendComplete(int result) { | |
1449 if (next_handshake_state_ == STATE_HANDSHAKE) { | |
1450 // In handshake phase. | |
1451 OnHandshakeIOComplete(result); | |
1452 return; | |
1453 } | |
1454 | |
1455 // During a renegotiation, a Read call may also be blocked on a transport | |
1456 // write, so retry both operations. | |
1457 PumpReadWriteEvents(); | |
1458 } | |
1459 | |
1460 void SSLClientSocketOpenSSL::OnRecvComplete(int result) { | |
1461 TRACE_EVENT0("net", "SSLClientSocketOpenSSL::OnRecvComplete"); | |
1462 if (next_handshake_state_ == STATE_HANDSHAKE) { | |
1463 // In handshake phase. | |
1464 OnHandshakeIOComplete(result); | |
1465 return; | |
1466 } | |
1467 | |
1468 // Network layer received some data, check if client requested to read | |
1469 // decrypted data. | |
1470 if (!user_read_buf_.get()) | |
1471 return; | |
1472 | |
1473 int rv = DoReadLoop(); | |
1474 if (rv != ERR_IO_PENDING) | |
1475 DoReadCallback(rv); | |
1476 } | |
1477 | |
1478 int SSLClientSocketOpenSSL::DoHandshakeLoop(int last_io_result) { | |
1479 TRACE_EVENT0("net", "SSLClientSocketOpenSSL::DoHandshakeLoop"); | |
1480 int rv = last_io_result; | |
1481 do { | |
1482 // Default to STATE_NONE for next state. | |
1483 // (This is a quirk carried over from the windows | |
1484 // implementation. It makes reading the logs a bit harder.) | |
1485 // State handlers can and often do call GotoState just | |
1486 // to stay in the current state. | |
1487 State state = next_handshake_state_; | |
1488 GotoState(STATE_NONE); | |
1489 switch (state) { | |
1490 case STATE_HANDSHAKE: | |
1491 rv = DoHandshake(); | |
1492 break; | |
1493 case STATE_HANDSHAKE_COMPLETE: | |
1494 rv = DoHandshakeComplete(rv); | |
1495 break; | |
1496 case STATE_CHANNEL_ID_LOOKUP: | |
1497 DCHECK_EQ(OK, rv); | |
1498 rv = DoChannelIDLookup(); | |
1499 break; | |
1500 case STATE_CHANNEL_ID_LOOKUP_COMPLETE: | |
1501 rv = DoChannelIDLookupComplete(rv); | |
1502 break; | |
1503 case STATE_VERIFY_CERT: | |
1504 DCHECK_EQ(OK, rv); | |
1505 rv = DoVerifyCert(rv); | |
1506 break; | |
1507 case STATE_VERIFY_CERT_COMPLETE: | |
1508 rv = DoVerifyCertComplete(rv); | |
1509 break; | |
1510 case STATE_NONE: | |
1511 default: | |
1512 rv = ERR_UNEXPECTED; | |
1513 NOTREACHED() << "unexpected state" << state; | |
1514 break; | |
1515 } | |
1516 | |
1517 bool network_moved = DoTransportIO(); | |
1518 if (network_moved && next_handshake_state_ == STATE_HANDSHAKE) { | |
1519 // In general we exit the loop if rv is ERR_IO_PENDING. In this | |
1520 // special case we keep looping even if rv is ERR_IO_PENDING because | |
1521 // the transport IO may allow DoHandshake to make progress. | |
1522 rv = OK; // This causes us to stay in the loop. | |
1523 } | |
1524 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE); | |
1525 return rv; | |
1526 } | |
1527 | |
1528 int SSLClientSocketOpenSSL::DoReadLoop() { | |
1529 bool network_moved; | |
1530 int rv; | |
1531 do { | |
1532 rv = DoPayloadRead(); | |
1533 network_moved = DoTransportIO(); | |
1534 } while (rv == ERR_IO_PENDING && network_moved); | |
1535 | |
1536 return rv; | |
1537 } | |
1538 | |
1539 int SSLClientSocketOpenSSL::DoWriteLoop() { | |
1540 bool network_moved; | |
1541 int rv; | |
1542 do { | |
1543 rv = DoPayloadWrite(); | |
1544 network_moved = DoTransportIO(); | |
1545 } while (rv == ERR_IO_PENDING && network_moved); | |
1546 | |
1547 return rv; | |
1548 } | |
1549 | |
1550 int SSLClientSocketOpenSSL::DoPayloadRead() { | |
1551 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | |
1552 | |
1553 DCHECK_LT(0, user_read_buf_len_); | |
1554 DCHECK(user_read_buf_.get()); | |
1555 | |
1556 int rv; | |
1557 if (pending_read_error_ != kNoPendingResult) { | |
1558 rv = pending_read_error_; | |
1559 pending_read_error_ = kNoPendingResult; | |
1560 if (rv == 0) { | |
1561 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, | |
1562 rv, user_read_buf_->data()); | |
1563 } else { | |
1564 net_log_.AddEvent( | |
1565 NetLog::TYPE_SSL_READ_ERROR, | |
1566 CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_, | |
1567 pending_read_error_info_)); | |
1568 } | |
1569 pending_read_ssl_error_ = SSL_ERROR_NONE; | |
1570 pending_read_error_info_ = OpenSSLErrorInfo(); | |
1571 return rv; | |
1572 } | |
1573 | |
1574 int total_bytes_read = 0; | |
1575 int ssl_ret; | |
1576 do { | |
1577 ssl_ret = SSL_read(ssl_, user_read_buf_->data() + total_bytes_read, | |
1578 user_read_buf_len_ - total_bytes_read); | |
1579 if (ssl_ret > 0) | |
1580 total_bytes_read += ssl_ret; | |
1581 } while (total_bytes_read < user_read_buf_len_ && ssl_ret > 0); | |
1582 | |
1583 // Although only the final SSL_read call may have failed, the failure needs to | |
1584 // processed immediately, while the information still available in OpenSSL's | |
1585 // error queue. | |
1586 if (ssl_ret <= 0) { | |
1587 // A zero return from SSL_read may mean any of: | |
1588 // - The underlying BIO_read returned 0. | |
1589 // - The peer sent a close_notify. | |
1590 // - Any arbitrary error. https://crbug.com/466303 | |
1591 // | |
1592 // TransportReadComplete converts the first to an ERR_CONNECTION_CLOSED | |
1593 // error, so it does not occur. The second and third are distinguished by | |
1594 // SSL_ERROR_ZERO_RETURN. | |
1595 pending_read_ssl_error_ = SSL_get_error(ssl_, ssl_ret); | |
1596 if (pending_read_ssl_error_ == SSL_ERROR_ZERO_RETURN) { | |
1597 pending_read_error_ = 0; | |
1598 } else if (pending_read_ssl_error_ == SSL_ERROR_WANT_X509_LOOKUP && | |
1599 !ssl_config_.send_client_cert) { | |
1600 pending_read_error_ = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | |
1601 } else if (pending_read_ssl_error_ == | |
1602 SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) { | |
1603 DCHECK(ssl_config_.client_private_key); | |
1604 DCHECK_NE(kNoPendingResult, signature_result_); | |
1605 pending_read_error_ = ERR_IO_PENDING; | |
1606 } else { | |
1607 pending_read_error_ = MapOpenSSLErrorWithDetails( | |
1608 pending_read_ssl_error_, err_tracer, &pending_read_error_info_); | |
1609 } | |
1610 | |
1611 // Many servers do not reliably send a close_notify alert when shutting down | |
1612 // a connection, and instead terminate the TCP connection. This is reported | |
1613 // as ERR_CONNECTION_CLOSED. Because of this, map the unclean shutdown to a | |
1614 // graceful EOF, instead of treating it as an error as it should be. | |
1615 if (pending_read_error_ == ERR_CONNECTION_CLOSED) | |
1616 pending_read_error_ = 0; | |
1617 } | |
1618 | |
1619 if (total_bytes_read > 0) { | |
1620 // Return any bytes read to the caller. The error will be deferred to the | |
1621 // next call of DoPayloadRead. | |
1622 rv = total_bytes_read; | |
1623 | |
1624 // Do not treat insufficient data as an error to return in the next call to | |
1625 // DoPayloadRead() - instead, let the call fall through to check SSL_read() | |
1626 // again. This is because DoTransportIO() may complete in between the next | |
1627 // call to DoPayloadRead(), and thus it is important to check SSL_read() on | |
1628 // subsequent invocations to see if a complete record may now be read. | |
1629 if (pending_read_error_ == ERR_IO_PENDING) | |
1630 pending_read_error_ = kNoPendingResult; | |
1631 } else { | |
1632 // No bytes were returned. Return the pending read error immediately. | |
1633 DCHECK_NE(kNoPendingResult, pending_read_error_); | |
1634 rv = pending_read_error_; | |
1635 pending_read_error_ = kNoPendingResult; | |
1636 } | |
1637 | |
1638 if (rv >= 0) { | |
1639 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv, | |
1640 user_read_buf_->data()); | |
1641 } else if (rv != ERR_IO_PENDING) { | |
1642 net_log_.AddEvent( | |
1643 NetLog::TYPE_SSL_READ_ERROR, | |
1644 CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_, | |
1645 pending_read_error_info_)); | |
1646 pending_read_ssl_error_ = SSL_ERROR_NONE; | |
1647 pending_read_error_info_ = OpenSSLErrorInfo(); | |
1648 } | |
1649 return rv; | |
1650 } | |
1651 | |
1652 int SSLClientSocketOpenSSL::DoPayloadWrite() { | |
1653 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | |
1654 int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_); | |
1655 | |
1656 if (rv >= 0) { | |
1657 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, | |
1658 user_write_buf_->data()); | |
1659 return rv; | |
1660 } | |
1661 | |
1662 int ssl_error = SSL_get_error(ssl_, rv); | |
1663 if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) | |
1664 return ERR_IO_PENDING; | |
1665 OpenSSLErrorInfo error_info; | |
1666 int net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, | |
1667 &error_info); | |
1668 | |
1669 if (net_error != ERR_IO_PENDING) { | |
1670 net_log_.AddEvent( | |
1671 NetLog::TYPE_SSL_WRITE_ERROR, | |
1672 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); | |
1673 } | |
1674 return net_error; | |
1675 } | |
1676 | |
1677 void SSLClientSocketOpenSSL::PumpReadWriteEvents() { | |
1678 int rv_read = ERR_IO_PENDING; | |
1679 int rv_write = ERR_IO_PENDING; | |
1680 bool network_moved; | |
1681 do { | |
1682 if (user_read_buf_.get()) | |
1683 rv_read = DoPayloadRead(); | |
1684 if (user_write_buf_.get()) | |
1685 rv_write = DoPayloadWrite(); | |
1686 network_moved = DoTransportIO(); | |
1687 } while (rv_read == ERR_IO_PENDING && rv_write == ERR_IO_PENDING && | |
1688 (user_read_buf_.get() || user_write_buf_.get()) && network_moved); | |
1689 | |
1690 // Performing the Read callback may cause |this| to be deleted. If this | |
1691 // happens, the Write callback should not be invoked. Guard against this by | |
1692 // holding a WeakPtr to |this| and ensuring it's still valid. | |
1693 base::WeakPtr<SSLClientSocketOpenSSL> guard(weak_factory_.GetWeakPtr()); | |
1694 if (user_read_buf_.get() && rv_read != ERR_IO_PENDING) | |
1695 DoReadCallback(rv_read); | |
1696 | |
1697 if (!guard.get()) | |
1698 return; | |
1699 | |
1700 if (user_write_buf_.get() && rv_write != ERR_IO_PENDING) | |
1701 DoWriteCallback(rv_write); | |
1702 } | |
1703 | |
1704 int SSLClientSocketOpenSSL::BufferSend(void) { | |
1705 if (transport_send_busy_) | |
1706 return ERR_IO_PENDING; | |
1707 | |
1708 size_t buffer_read_offset; | |
1709 uint8_t* read_buf; | |
1710 size_t max_read; | |
1711 int status = BIO_zero_copy_get_read_buf(transport_bio_, &read_buf, | |
1712 &buffer_read_offset, &max_read); | |
1713 DCHECK_EQ(status, 1); // Should never fail. | |
1714 if (!max_read) | |
1715 return 0; // Nothing pending in the OpenSSL write BIO. | |
1716 CHECK_EQ(read_buf, reinterpret_cast<uint8_t*>(send_buffer_->StartOfBuffer())); | |
1717 CHECK_LT(buffer_read_offset, static_cast<size_t>(send_buffer_->capacity())); | |
1718 send_buffer_->set_offset(buffer_read_offset); | |
1719 | |
1720 int rv = transport_->socket()->Write( | |
1721 send_buffer_.get(), max_read, | |
1722 base::Bind(&SSLClientSocketOpenSSL::BufferSendComplete, | |
1723 base::Unretained(this))); | |
1724 if (rv == ERR_IO_PENDING) { | |
1725 transport_send_busy_ = true; | |
1726 } else { | |
1727 TransportWriteComplete(rv); | |
1728 } | |
1729 return rv; | |
1730 } | |
1731 | |
1732 int SSLClientSocketOpenSSL::BufferRecv(void) { | |
1733 if (transport_recv_busy_) | |
1734 return ERR_IO_PENDING; | |
1735 | |
1736 // Determine how much was requested from |transport_bio_| that was not | |
1737 // actually available. | |
1738 size_t requested = BIO_ctrl_get_read_request(transport_bio_); | |
1739 if (requested == 0) { | |
1740 // This is not a perfect match of error codes, as no operation is | |
1741 // actually pending. However, returning 0 would be interpreted as | |
1742 // a possible sign of EOF, which is also an inappropriate match. | |
1743 return ERR_IO_PENDING; | |
1744 } | |
1745 | |
1746 // Known Issue: While only reading |requested| data is the more correct | |
1747 // implementation, it has the downside of resulting in frequent reads: | |
1748 // One read for the SSL record header (~5 bytes) and one read for the SSL | |
1749 // record body. Rather than issuing these reads to the underlying socket | |
1750 // (and constantly allocating new IOBuffers), a single Read() request to | |
1751 // fill |transport_bio_| is issued. As long as an SSL client socket cannot | |
1752 // be gracefully shutdown (via SSL close alerts) and re-used for non-SSL | |
1753 // traffic, this over-subscribed Read()ing will not cause issues. | |
1754 | |
1755 size_t buffer_write_offset; | |
1756 uint8_t* write_buf; | |
1757 size_t max_write; | |
1758 int status = BIO_zero_copy_get_write_buf(transport_bio_, &write_buf, | |
1759 &buffer_write_offset, &max_write); | |
1760 DCHECK_EQ(status, 1); // Should never fail. | |
1761 if (!max_write) | |
1762 return ERR_IO_PENDING; | |
1763 | |
1764 CHECK_EQ(write_buf, | |
1765 reinterpret_cast<uint8_t*>(recv_buffer_->StartOfBuffer())); | |
1766 CHECK_LT(buffer_write_offset, static_cast<size_t>(recv_buffer_->capacity())); | |
1767 | |
1768 recv_buffer_->set_offset(buffer_write_offset); | |
1769 int rv = transport_->socket()->Read( | |
1770 recv_buffer_.get(), | |
1771 max_write, | |
1772 base::Bind(&SSLClientSocketOpenSSL::BufferRecvComplete, | |
1773 base::Unretained(this))); | |
1774 if (rv == ERR_IO_PENDING) { | |
1775 transport_recv_busy_ = true; | |
1776 } else { | |
1777 rv = TransportReadComplete(rv); | |
1778 } | |
1779 return rv; | |
1780 } | |
1781 | |
1782 void SSLClientSocketOpenSSL::BufferSendComplete(int result) { | |
1783 TransportWriteComplete(result); | |
1784 OnSendComplete(result); | |
1785 } | |
1786 | |
1787 void SSLClientSocketOpenSSL::BufferRecvComplete(int result) { | |
1788 result = TransportReadComplete(result); | |
1789 OnRecvComplete(result); | |
1790 } | |
1791 | |
1792 void SSLClientSocketOpenSSL::TransportWriteComplete(int result) { | |
1793 DCHECK(ERR_IO_PENDING != result); | |
1794 int bytes_written = 0; | |
1795 if (result < 0) { | |
1796 // Record the error. Save it to be reported in a future read or write on | |
1797 // transport_bio_'s peer. | |
1798 transport_write_error_ = result; | |
1799 } else { | |
1800 bytes_written = result; | |
1801 } | |
1802 DCHECK_GE(send_buffer_->RemainingCapacity(), bytes_written); | |
1803 int ret = BIO_zero_copy_get_read_buf_done(transport_bio_, bytes_written); | |
1804 DCHECK_EQ(1, ret); | |
1805 transport_send_busy_ = false; | |
1806 } | |
1807 | |
1808 int SSLClientSocketOpenSSL::TransportReadComplete(int result) { | |
1809 DCHECK(ERR_IO_PENDING != result); | |
1810 // If an EOF, canonicalize to ERR_CONNECTION_CLOSED here so MapOpenSSLError | |
1811 // does not report success. | |
1812 if (result == 0) | |
1813 result = ERR_CONNECTION_CLOSED; | |
1814 int bytes_read = 0; | |
1815 if (result < 0) { | |
1816 DVLOG(1) << "TransportReadComplete result " << result; | |
1817 // Received an error. Save it to be reported in a future read on | |
1818 // transport_bio_'s peer. | |
1819 transport_read_error_ = result; | |
1820 } else { | |
1821 bytes_read = result; | |
1822 } | |
1823 DCHECK_GE(recv_buffer_->RemainingCapacity(), bytes_read); | |
1824 int ret = BIO_zero_copy_get_write_buf_done(transport_bio_, bytes_read); | |
1825 DCHECK_EQ(1, ret); | |
1826 transport_recv_busy_ = false; | |
1827 return result; | |
1828 } | |
1829 | |
1830 int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl) { | |
1831 DVLOG(3) << "OpenSSL ClientCertRequestCallback called"; | |
1832 DCHECK(ssl == ssl_); | |
1833 | |
1834 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED); | |
1835 | |
1836 // Clear any currently configured certificates. | |
1837 SSL_certs_clear(ssl_); | |
1838 | |
1839 #if defined(OS_IOS) | |
1840 // TODO(droger): Support client auth on iOS. See http://crbug.com/145954). | |
1841 LOG(WARNING) << "Client auth is not supported"; | |
1842 #else // !defined(OS_IOS) | |
1843 if (!ssl_config_.send_client_cert) { | |
1844 // First pass: we know that a client certificate is needed, but we do not | |
1845 // have one at hand. | |
1846 STACK_OF(X509_NAME) *authorities = SSL_get_client_CA_list(ssl); | |
1847 for (size_t i = 0; i < sk_X509_NAME_num(authorities); i++) { | |
1848 X509_NAME *ca_name = (X509_NAME *)sk_X509_NAME_value(authorities, i); | |
1849 unsigned char* str = NULL; | |
1850 int length = i2d_X509_NAME(ca_name, &str); | |
1851 cert_authorities_.push_back(std::string( | |
1852 reinterpret_cast<const char*>(str), | |
1853 static_cast<size_t>(length))); | |
1854 OPENSSL_free(str); | |
1855 } | |
1856 | |
1857 const unsigned char* client_cert_types; | |
1858 size_t num_client_cert_types = | |
1859 SSL_get0_certificate_types(ssl, &client_cert_types); | |
1860 for (size_t i = 0; i < num_client_cert_types; i++) { | |
1861 cert_key_types_.push_back( | |
1862 static_cast<SSLClientCertType>(client_cert_types[i])); | |
1863 } | |
1864 | |
1865 // Suspends handshake. SSL_get_error will return SSL_ERROR_WANT_X509_LOOKUP. | |
1866 return -1; | |
1867 } | |
1868 | |
1869 // Second pass: a client certificate should have been selected. | |
1870 if (ssl_config_.client_cert.get()) { | |
1871 ScopedX509 leaf_x509 = | |
1872 OSCertHandleToOpenSSL(ssl_config_.client_cert->os_cert_handle()); | |
1873 if (!leaf_x509) { | |
1874 LOG(WARNING) << "Failed to import certificate"; | |
1875 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT); | |
1876 return -1; | |
1877 } | |
1878 | |
1879 ScopedX509Stack chain = OSCertHandlesToOpenSSL( | |
1880 ssl_config_.client_cert->GetIntermediateCertificates()); | |
1881 if (!chain) { | |
1882 LOG(WARNING) << "Failed to import intermediate certificates"; | |
1883 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT); | |
1884 return -1; | |
1885 } | |
1886 | |
1887 if (!SSL_use_certificate(ssl_, leaf_x509.get()) || | |
1888 !SSL_set1_chain(ssl_, chain.get())) { | |
1889 LOG(WARNING) << "Failed to set client certificate"; | |
1890 return -1; | |
1891 } | |
1892 | |
1893 if (!ssl_config_.client_private_key) { | |
1894 // The caller supplied a null private key. Fail the handshake and surface | |
1895 // an appropriate error to the caller. | |
1896 LOG(WARNING) << "Client cert found without private key"; | |
1897 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY); | |
1898 return -1; | |
1899 } | |
1900 | |
1901 SSL_set_private_key_method(ssl_, &SSLContext::kPrivateKeyMethod); | |
1902 | |
1903 std::vector<SSLPrivateKey::Hash> digest_prefs = | |
1904 ssl_config_.client_private_key->GetDigestPreferences(); | |
1905 | |
1906 size_t digests_len = digest_prefs.size(); | |
1907 std::vector<int> digests; | |
1908 for (size_t i = 0; i < digests_len; i++) { | |
1909 switch (digest_prefs[i]) { | |
1910 case SSLPrivateKey::Hash::SHA1: | |
1911 digests.push_back(NID_sha1); | |
1912 break; | |
1913 case SSLPrivateKey::Hash::SHA256: | |
1914 digests.push_back(NID_sha256); | |
1915 break; | |
1916 case SSLPrivateKey::Hash::SHA384: | |
1917 digests.push_back(NID_sha384); | |
1918 break; | |
1919 case SSLPrivateKey::Hash::SHA512: | |
1920 digests.push_back(NID_sha512); | |
1921 break; | |
1922 case SSLPrivateKey::Hash::MD5_SHA1: | |
1923 // MD5-SHA1 is not used in TLS 1.2. | |
1924 break; | |
1925 } | |
1926 } | |
1927 | |
1928 SSL_set_private_key_digest_prefs(ssl_, digests.data(), digests.size()); | |
1929 | |
1930 int cert_count = 1 + sk_X509_num(chain.get()); | |
1931 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | |
1932 NetLog::IntCallback("cert_count", cert_count)); | |
1933 return 1; | |
1934 } | |
1935 #endif // defined(OS_IOS) | |
1936 | |
1937 // Send no client certificate. | |
1938 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | |
1939 NetLog::IntCallback("cert_count", 0)); | |
1940 return 1; | |
1941 } | |
1942 | |
1943 int SSLClientSocketOpenSSL::CertVerifyCallback(X509_STORE_CTX* store_ctx) { | |
1944 if (!completed_connect_) { | |
1945 // If the first handshake hasn't completed then we accept any certificates | |
1946 // because we verify after the handshake. | |
1947 return 1; | |
1948 } | |
1949 | |
1950 // Disallow the server certificate to change in a renegotiation. | |
1951 if (server_cert_chain_->empty()) { | |
1952 LOG(ERROR) << "Received invalid certificate chain between handshakes"; | |
1953 return 0; | |
1954 } | |
1955 base::StringPiece old_der, new_der; | |
1956 if (store_ctx->cert == NULL || | |
1957 !x509_util::GetDER(server_cert_chain_->Get(0), &old_der) || | |
1958 !x509_util::GetDER(store_ctx->cert, &new_der)) { | |
1959 LOG(ERROR) << "Failed to encode certificates"; | |
1960 return 0; | |
1961 } | |
1962 if (old_der != new_der) { | |
1963 LOG(ERROR) << "Server certificate changed between handshakes"; | |
1964 return 0; | |
1965 } | |
1966 | |
1967 return 1; | |
1968 } | |
1969 | |
1970 // SelectNextProtoCallback is called by OpenSSL during the handshake. If the | |
1971 // server supports NPN, selects a protocol from the list that the server | |
1972 // provides. According to third_party/boringssl/src/ssl/ssl_lib.c, the | |
1973 // callback can assume that |in| is syntactically valid. | |
1974 int SSLClientSocketOpenSSL::SelectNextProtoCallback(unsigned char** out, | |
1975 unsigned char* outlen, | |
1976 const unsigned char* in, | |
1977 unsigned int inlen) { | |
1978 if (ssl_config_.npn_protos.empty()) { | |
1979 *out = reinterpret_cast<uint8_t*>( | |
1980 const_cast<char*>(kDefaultSupportedNPNProtocol)); | |
1981 *outlen = arraysize(kDefaultSupportedNPNProtocol) - 1; | |
1982 npn_status_ = kNextProtoUnsupported; | |
1983 return SSL_TLSEXT_ERR_OK; | |
1984 } | |
1985 | |
1986 // Assume there's no overlap between our protocols and the server's list. | |
1987 npn_status_ = kNextProtoNoOverlap; | |
1988 | |
1989 // For each protocol in server preference order, see if we support it. | |
1990 for (unsigned int i = 0; i < inlen; i += in[i] + 1) { | |
1991 for (NextProto next_proto : ssl_config_.npn_protos) { | |
1992 const std::string proto = NextProtoToString(next_proto); | |
1993 if (in[i] == proto.size() && | |
1994 memcmp(&in[i + 1], proto.data(), in[i]) == 0) { | |
1995 // We found a match. | |
1996 *out = const_cast<unsigned char*>(in) + i + 1; | |
1997 *outlen = in[i]; | |
1998 npn_status_ = kNextProtoNegotiated; | |
1999 break; | |
2000 } | |
2001 } | |
2002 if (npn_status_ == kNextProtoNegotiated) | |
2003 break; | |
2004 } | |
2005 | |
2006 // If we didn't find a protocol, we select the last one from our list. | |
2007 if (npn_status_ == kNextProtoNoOverlap) { | |
2008 // NextProtoToString returns a pointer to a static string. | |
2009 const char* proto = NextProtoToString(ssl_config_.npn_protos.back()); | |
2010 *out = reinterpret_cast<unsigned char*>(const_cast<char*>(proto)); | |
2011 *outlen = strlen(proto); | |
2012 } | |
2013 | |
2014 npn_proto_.assign(reinterpret_cast<const char*>(*out), *outlen); | |
2015 DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_; | |
2016 set_negotiation_extension(kExtensionNPN); | |
2017 return SSL_TLSEXT_ERR_OK; | |
2018 } | |
2019 | |
2020 long SSLClientSocketOpenSSL::MaybeReplayTransportError( | |
2021 BIO *bio, | |
2022 int cmd, | |
2023 const char *argp, int argi, long argl, | |
2024 long retvalue) { | |
2025 if (cmd == (BIO_CB_READ|BIO_CB_RETURN) && retvalue <= 0) { | |
2026 // If there is no more data in the buffer, report any pending errors that | |
2027 // were observed. Note that both the readbuf and the writebuf are checked | |
2028 // for errors, since the application may have encountered a socket error | |
2029 // while writing that would otherwise not be reported until the application | |
2030 // attempted to write again - which it may never do. See | |
2031 // https://crbug.com/249848. | |
2032 if (transport_read_error_ != OK) { | |
2033 OpenSSLPutNetError(FROM_HERE, transport_read_error_); | |
2034 return -1; | |
2035 } | |
2036 if (transport_write_error_ != OK) { | |
2037 OpenSSLPutNetError(FROM_HERE, transport_write_error_); | |
2038 return -1; | |
2039 } | |
2040 } else if (cmd == BIO_CB_WRITE) { | |
2041 // Because of the write buffer, this reports a failure from the previous | |
2042 // write payload. If the current payload fails to write, the error will be | |
2043 // reported in a future write or read to |bio|. | |
2044 if (transport_write_error_ != OK) { | |
2045 OpenSSLPutNetError(FROM_HERE, transport_write_error_); | |
2046 return -1; | |
2047 } | |
2048 } | |
2049 return retvalue; | |
2050 } | |
2051 | |
2052 // static | |
2053 long SSLClientSocketOpenSSL::BIOCallback( | |
2054 BIO *bio, | |
2055 int cmd, | |
2056 const char *argp, int argi, long argl, | |
2057 long retvalue) { | |
2058 SSLClientSocketOpenSSL* socket = reinterpret_cast<SSLClientSocketOpenSSL*>( | |
2059 BIO_get_callback_arg(bio)); | |
2060 CHECK(socket); | |
2061 return socket->MaybeReplayTransportError( | |
2062 bio, cmd, argp, argi, argl, retvalue); | |
2063 } | |
2064 | |
2065 void SSLClientSocketOpenSSL::MaybeCacheSession() { | |
2066 // Only cache the session once both a new session has been established and the | |
2067 // certificate has been verified. Due to False Start, these events may happen | |
2068 // in either order. | |
2069 if (!session_pending_ || !certificate_verified_) | |
2070 return; | |
2071 | |
2072 SSLContext::GetInstance()->session_cache()->Insert(GetSessionCacheKey(), | |
2073 SSL_get_session(ssl_)); | |
2074 session_pending_ = false; | |
2075 } | |
2076 | |
2077 int SSLClientSocketOpenSSL::NewSessionCallback(SSL_SESSION* session) { | |
2078 DCHECK_EQ(session, SSL_get_session(ssl_)); | |
2079 | |
2080 // Only sessions from the initial handshake get cached. Note this callback may | |
2081 // be signaled on abbreviated handshakes if the ticket was renewed. | |
2082 session_pending_ = true; | |
2083 MaybeCacheSession(); | |
2084 | |
2085 // OpenSSL passes a reference to |session|, but the session cache does not | |
2086 // take this reference, so release it. | |
2087 SSL_SESSION_free(session); | |
2088 return 1; | |
2089 } | |
2090 | |
2091 void SSLClientSocketOpenSSL::AddCTInfoToSSLInfo(SSLInfo* ssl_info) const { | |
2092 ssl_info->UpdateCertificateTransparencyInfo(ct_verify_result_); | |
2093 } | |
2094 | |
2095 std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const { | |
2096 std::string result = host_and_port_.ToString(); | |
2097 result.append("/"); | |
2098 result.append(ssl_session_cache_shard_); | |
2099 | |
2100 // Shard the session cache based on maximum protocol version. This causes | |
2101 // fallback connections to use a separate session cache. | |
2102 result.append("/"); | |
2103 switch (ssl_config_.version_max) { | |
2104 case SSL_PROTOCOL_VERSION_TLS1: | |
2105 result.append("tls1"); | |
2106 break; | |
2107 case SSL_PROTOCOL_VERSION_TLS1_1: | |
2108 result.append("tls1.1"); | |
2109 break; | |
2110 case SSL_PROTOCOL_VERSION_TLS1_2: | |
2111 result.append("tls1.2"); | |
2112 break; | |
2113 default: | |
2114 NOTREACHED(); | |
2115 } | |
2116 | |
2117 result.append("/"); | |
2118 if (ssl_config_.deprecated_cipher_suites_enabled) | |
2119 result.append("deprecated"); | |
2120 | |
2121 result.append("/"); | |
2122 if (ssl_config_.channel_id_enabled) | |
2123 result.append("channelid"); | |
2124 | |
2125 return result; | |
2126 } | |
2127 | |
2128 bool SSLClientSocketOpenSSL::IsRenegotiationAllowed() const { | |
2129 if (tb_was_negotiated_) | |
2130 return false; | |
2131 | |
2132 if (npn_status_ == kNextProtoUnsupported) | |
2133 return ssl_config_.renego_allowed_default; | |
2134 | |
2135 NextProto next_proto = NextProtoFromString(npn_proto_); | |
2136 for (NextProto allowed : ssl_config_.renego_allowed_for_protos) { | |
2137 if (next_proto == allowed) | |
2138 return true; | |
2139 } | |
2140 return false; | |
2141 } | |
2142 | |
2143 int SSLClientSocketOpenSSL::PrivateKeyTypeCallback() { | |
2144 switch (ssl_config_.client_private_key->GetType()) { | |
2145 case SSLPrivateKey::Type::RSA: | |
2146 return EVP_PKEY_RSA; | |
2147 case SSLPrivateKey::Type::ECDSA: | |
2148 return EVP_PKEY_EC; | |
2149 } | |
2150 NOTREACHED(); | |
2151 return EVP_PKEY_NONE; | |
2152 } | |
2153 | |
2154 size_t SSLClientSocketOpenSSL::PrivateKeyMaxSignatureLenCallback() { | |
2155 return ssl_config_.client_private_key->GetMaxSignatureLengthInBytes(); | |
2156 } | |
2157 | |
2158 ssl_private_key_result_t SSLClientSocketOpenSSL::PrivateKeySignCallback( | |
2159 uint8_t* out, | |
2160 size_t* out_len, | |
2161 size_t max_out, | |
2162 const EVP_MD* md, | |
2163 const uint8_t* in, | |
2164 size_t in_len) { | |
2165 DCHECK_EQ(kNoPendingResult, signature_result_); | |
2166 DCHECK(signature_.empty()); | |
2167 DCHECK(ssl_config_.client_private_key); | |
2168 | |
2169 SSLPrivateKey::Hash hash; | |
2170 if (!EVP_MDToPrivateKeyHash(md, &hash)) { | |
2171 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED); | |
2172 return ssl_private_key_failure; | |
2173 } | |
2174 | |
2175 net_log_.BeginEvent( | |
2176 NetLog::TYPE_SSL_PRIVATE_KEY_OPERATION, | |
2177 base::Bind(&NetLogPrivateKeyOperationCallback, | |
2178 ssl_config_.client_private_key->GetType(), hash)); | |
2179 | |
2180 signature_result_ = ERR_IO_PENDING; | |
2181 ssl_config_.client_private_key->SignDigest( | |
2182 hash, base::StringPiece(reinterpret_cast<const char*>(in), in_len), | |
2183 base::Bind(&SSLClientSocketOpenSSL::OnPrivateKeySignComplete, | |
2184 weak_factory_.GetWeakPtr())); | |
2185 return ssl_private_key_retry; | |
2186 } | |
2187 | |
2188 ssl_private_key_result_t SSLClientSocketOpenSSL::PrivateKeySignCompleteCallback( | |
2189 uint8_t* out, | |
2190 size_t* out_len, | |
2191 size_t max_out) { | |
2192 DCHECK_NE(kNoPendingResult, signature_result_); | |
2193 DCHECK(ssl_config_.client_private_key); | |
2194 | |
2195 if (signature_result_ == ERR_IO_PENDING) | |
2196 return ssl_private_key_retry; | |
2197 if (signature_result_ != OK) { | |
2198 OpenSSLPutNetError(FROM_HERE, signature_result_); | |
2199 return ssl_private_key_failure; | |
2200 } | |
2201 if (signature_.size() > max_out) { | |
2202 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED); | |
2203 return ssl_private_key_failure; | |
2204 } | |
2205 memcpy(out, signature_.data(), signature_.size()); | |
2206 *out_len = signature_.size(); | |
2207 signature_.clear(); | |
2208 return ssl_private_key_success; | |
2209 } | |
2210 | |
2211 void SSLClientSocketOpenSSL::OnPrivateKeySignComplete( | |
2212 Error error, | |
2213 const std::vector<uint8_t>& signature) { | |
2214 DCHECK_EQ(ERR_IO_PENDING, signature_result_); | |
2215 DCHECK(signature_.empty()); | |
2216 DCHECK(ssl_config_.client_private_key); | |
2217 | |
2218 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_PRIVATE_KEY_OPERATION, | |
2219 error); | |
2220 | |
2221 signature_result_ = error; | |
2222 if (signature_result_ == OK) | |
2223 signature_ = signature; | |
2224 | |
2225 if (next_handshake_state_ == STATE_HANDSHAKE) { | |
2226 OnHandshakeIOComplete(signature_result_); | |
2227 return; | |
2228 } | |
2229 | |
2230 // During a renegotiation, either Read or Write calls may be blocked on an | |
2231 // asynchronous private key operation. | |
2232 PumpReadWriteEvents(); | |
2233 } | |
2234 | |
2235 int SSLClientSocketOpenSSL::TokenBindingAdd(const uint8_t** out, | |
2236 size_t* out_len, | |
2237 int* out_alert_value) { | |
2238 if (ssl_config_.token_binding_params.empty()) { | |
2239 return 0; | |
2240 } | |
2241 crypto::AutoCBB output; | |
2242 CBB parameters_list; | |
2243 if (!CBB_init(output.get(), 7) || | |
2244 !CBB_add_u8(output.get(), kTbProtocolVersionMajor) || | |
2245 !CBB_add_u8(output.get(), kTbProtocolVersionMinor) || | |
2246 !CBB_add_u8_length_prefixed(output.get(), ¶meters_list)) { | |
2247 *out_alert_value = SSL_AD_INTERNAL_ERROR; | |
2248 return -1; | |
2249 } | |
2250 for (size_t i = 0; i < ssl_config_.token_binding_params.size(); ++i) { | |
2251 if (!CBB_add_u8(¶meters_list, ssl_config_.token_binding_params[i])) { | |
2252 *out_alert_value = SSL_AD_INTERNAL_ERROR; | |
2253 return -1; | |
2254 } | |
2255 } | |
2256 // |*out| will be freed by TokenBindingFreeCallback. | |
2257 if (!CBB_finish(output.get(), const_cast<uint8_t**>(out), out_len)) { | |
2258 *out_alert_value = SSL_AD_INTERNAL_ERROR; | |
2259 return -1; | |
2260 } | |
2261 | |
2262 return 1; | |
2263 } | |
2264 | |
2265 int SSLClientSocketOpenSSL::TokenBindingParse(const uint8_t* contents, | |
2266 size_t contents_len, | |
2267 int* out_alert_value) { | |
2268 if (completed_connect_) { | |
2269 // Token Binding may only be negotiated on the initial handshake. | |
2270 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | |
2271 return 0; | |
2272 } | |
2273 | |
2274 CBS extension; | |
2275 CBS_init(&extension, contents, contents_len); | |
2276 | |
2277 CBS parameters_list; | |
2278 uint8_t version_major, version_minor, param; | |
2279 if (!CBS_get_u8(&extension, &version_major) || | |
2280 !CBS_get_u8(&extension, &version_minor) || | |
2281 !CBS_get_u8_length_prefixed(&extension, ¶meters_list) || | |
2282 !CBS_get_u8(¶meters_list, ¶m) || CBS_len(¶meters_list) > 0 || | |
2283 CBS_len(&extension) > 0) { | |
2284 *out_alert_value = SSL_AD_DECODE_ERROR; | |
2285 return 0; | |
2286 } | |
2287 // The server-negotiated version must be less than or equal to our version. | |
2288 if (version_major > kTbProtocolVersionMajor || | |
2289 (version_minor > kTbProtocolVersionMinor && | |
2290 version_major == kTbProtocolVersionMajor)) { | |
2291 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | |
2292 return 0; | |
2293 } | |
2294 // If the version the server negotiated is older than we support, don't fail | |
2295 // parsing the extension, but also don't set |negotiated_|. | |
2296 if (version_major < kTbMinProtocolVersionMajor || | |
2297 (version_minor < kTbMinProtocolVersionMinor && | |
2298 version_major == kTbMinProtocolVersionMajor)) { | |
2299 return 1; | |
2300 } | |
2301 | |
2302 for (size_t i = 0; i < ssl_config_.token_binding_params.size(); ++i) { | |
2303 if (param == ssl_config_.token_binding_params[i]) { | |
2304 tb_negotiated_param_ = ssl_config_.token_binding_params[i]; | |
2305 tb_was_negotiated_ = true; | |
2306 return 1; | |
2307 } | |
2308 } | |
2309 | |
2310 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | |
2311 return 0; | |
2312 } | |
2313 | |
2314 } // namespace net | |
OLD | NEW |