| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_server_socket_openssl.h" | 5 #include "net/socket/ssl_server_socket_impl.h" |
| 6 | 6 |
| 7 #include <openssl/err.h> | 7 #include <openssl/err.h> |
| 8 #include <openssl/ssl.h> | 8 #include <openssl/ssl.h> |
| 9 #include <utility> | 9 #include <utility> |
| 10 | 10 |
| 11 #include "base/callback_helpers.h" | 11 #include "base/callback_helpers.h" |
| 12 #include "base/logging.h" | 12 #include "base/logging.h" |
| 13 #include "base/strings/string_util.h" | 13 #include "base/strings/string_util.h" |
| 14 #include "crypto/openssl_util.h" | 14 #include "crypto/openssl_util.h" |
| 15 #include "crypto/rsa_private_key.h" | 15 #include "crypto/rsa_private_key.h" |
| (...skipping 28 matching lines...) Expand all Loading... |
| 44 for (size_t i = 0; i < sk_X509_num(chain); ++i) { | 44 for (size_t i = 0; i < sk_X509_num(chain); ++i) { |
| 45 X509* x = sk_X509_value(chain, i); | 45 X509* x = sk_X509_value(chain, i); |
| 46 if (!x509_util::GetDER(x, &der_cert)) | 46 if (!x509_util::GetDER(x, &der_cert)) |
| 47 return nullptr; | 47 return nullptr; |
| 48 der_chain.push_back(der_cert); | 48 der_chain.push_back(der_cert); |
| 49 } | 49 } |
| 50 | 50 |
| 51 return X509Certificate::CreateFromDERCertChain(der_chain); | 51 return X509Certificate::CreateFromDERCertChain(der_chain); |
| 52 } | 52 } |
| 53 | 53 |
| 54 class SSLServerSocketOpenSSL : public SSLServerSocket { | 54 class SSLServerSocketImpl : public SSLServerSocket { |
| 55 public: | 55 public: |
| 56 // See comments on CreateSSLServerSocket for details of how these | 56 // See comments on CreateSSLServerSocket for details of how these |
| 57 // parameters are used. | 57 // parameters are used. |
| 58 SSLServerSocketOpenSSL(std::unique_ptr<StreamSocket> socket, SSL* ssl); | 58 SSLServerSocketImpl(std::unique_ptr<StreamSocket> socket, SSL* ssl); |
| 59 ~SSLServerSocketOpenSSL() override; | 59 ~SSLServerSocketImpl() override; |
| 60 | 60 |
| 61 // SSLServerSocket interface. | 61 // SSLServerSocket interface. |
| 62 int Handshake(const CompletionCallback& callback) override; | 62 int Handshake(const CompletionCallback& callback) override; |
| 63 | 63 |
| 64 // SSLSocket interface. | 64 // SSLSocket interface. |
| 65 int ExportKeyingMaterial(const base::StringPiece& label, | 65 int ExportKeyingMaterial(const base::StringPiece& label, |
| 66 bool has_context, | 66 bool has_context, |
| 67 const base::StringPiece& context, | 67 const base::StringPiece& context, |
| 68 unsigned char* out, | 68 unsigned char* out, |
| 69 unsigned int outlen) override; | 69 unsigned int outlen) override; |
| (...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 161 | 161 |
| 162 // StreamSocket for sending and receiving data. | 162 // StreamSocket for sending and receiving data. |
| 163 std::unique_ptr<StreamSocket> transport_socket_; | 163 std::unique_ptr<StreamSocket> transport_socket_; |
| 164 | 164 |
| 165 // Certificate for the client. | 165 // Certificate for the client. |
| 166 scoped_refptr<X509Certificate> client_cert_; | 166 scoped_refptr<X509Certificate> client_cert_; |
| 167 | 167 |
| 168 State next_handshake_state_; | 168 State next_handshake_state_; |
| 169 bool completed_handshake_; | 169 bool completed_handshake_; |
| 170 | 170 |
| 171 DISALLOW_COPY_AND_ASSIGN(SSLServerSocketOpenSSL); | 171 DISALLOW_COPY_AND_ASSIGN(SSLServerSocketImpl); |
| 172 }; | 172 }; |
| 173 | 173 |
| 174 SSLServerSocketOpenSSL::SSLServerSocketOpenSSL( | 174 SSLServerSocketImpl::SSLServerSocketImpl( |
| 175 std::unique_ptr<StreamSocket> transport_socket, | 175 std::unique_ptr<StreamSocket> transport_socket, |
| 176 SSL* ssl) | 176 SSL* ssl) |
| 177 : transport_send_busy_(false), | 177 : transport_send_busy_(false), |
| 178 transport_recv_busy_(false), | 178 transport_recv_busy_(false), |
| 179 transport_recv_eof_(false), | 179 transport_recv_eof_(false), |
| 180 user_read_buf_len_(0), | 180 user_read_buf_len_(0), |
| 181 user_write_buf_len_(0), | 181 user_write_buf_len_(0), |
| 182 transport_write_error_(OK), | 182 transport_write_error_(OK), |
| 183 ssl_(ssl), | 183 ssl_(ssl), |
| 184 transport_bio_(NULL), | 184 transport_bio_(NULL), |
| 185 transport_socket_(std::move(transport_socket)), | 185 transport_socket_(std::move(transport_socket)), |
| 186 next_handshake_state_(STATE_NONE), | 186 next_handshake_state_(STATE_NONE), |
| 187 completed_handshake_(false) {} | 187 completed_handshake_(false) {} |
| 188 | 188 |
| 189 SSLServerSocketOpenSSL::~SSLServerSocketOpenSSL() { | 189 SSLServerSocketImpl::~SSLServerSocketImpl() { |
| 190 if (ssl_) { | 190 if (ssl_) { |
| 191 // Calling SSL_shutdown prevents the session from being marked as | 191 // Calling SSL_shutdown prevents the session from being marked as |
| 192 // unresumable. | 192 // unresumable. |
| 193 SSL_shutdown(ssl_); | 193 SSL_shutdown(ssl_); |
| 194 SSL_free(ssl_); | 194 SSL_free(ssl_); |
| 195 ssl_ = NULL; | 195 ssl_ = NULL; |
| 196 } | 196 } |
| 197 if (transport_bio_) { | 197 if (transport_bio_) { |
| 198 BIO_free_all(transport_bio_); | 198 BIO_free_all(transport_bio_); |
| 199 transport_bio_ = NULL; | 199 transport_bio_ = NULL; |
| 200 } | 200 } |
| 201 } | 201 } |
| 202 | 202 |
| 203 int SSLServerSocketOpenSSL::Handshake(const CompletionCallback& callback) { | 203 int SSLServerSocketImpl::Handshake(const CompletionCallback& callback) { |
| 204 net_log_.BeginEvent(NetLog::TYPE_SSL_SERVER_HANDSHAKE); | 204 net_log_.BeginEvent(NetLog::TYPE_SSL_SERVER_HANDSHAKE); |
| 205 | 205 |
| 206 // Set up new ssl object. | 206 // Set up new ssl object. |
| 207 int rv = Init(); | 207 int rv = Init(); |
| 208 if (rv != OK) { | 208 if (rv != OK) { |
| 209 LOG(ERROR) << "Failed to initialize OpenSSL: rv=" << rv; | 209 LOG(ERROR) << "Failed to initialize OpenSSL: rv=" << rv; |
| 210 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_SERVER_HANDSHAKE, rv); | 210 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_SERVER_HANDSHAKE, rv); |
| 211 return rv; | 211 return rv; |
| 212 } | 212 } |
| 213 | 213 |
| 214 // Set SSL to server mode. Handshake happens in the loop below. | 214 // Set SSL to server mode. Handshake happens in the loop below. |
| 215 SSL_set_accept_state(ssl_); | 215 SSL_set_accept_state(ssl_); |
| 216 | 216 |
| 217 GotoState(STATE_HANDSHAKE); | 217 GotoState(STATE_HANDSHAKE); |
| 218 rv = DoHandshakeLoop(OK); | 218 rv = DoHandshakeLoop(OK); |
| 219 if (rv == ERR_IO_PENDING) { | 219 if (rv == ERR_IO_PENDING) { |
| 220 user_handshake_callback_ = callback; | 220 user_handshake_callback_ = callback; |
| 221 } else { | 221 } else { |
| 222 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_SERVER_HANDSHAKE, rv); | 222 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_SERVER_HANDSHAKE, rv); |
| 223 } | 223 } |
| 224 | 224 |
| 225 return rv > OK ? OK : rv; | 225 return rv > OK ? OK : rv; |
| 226 } | 226 } |
| 227 | 227 |
| 228 int SSLServerSocketOpenSSL::ExportKeyingMaterial( | 228 int SSLServerSocketImpl::ExportKeyingMaterial(const base::StringPiece& label, |
| 229 const base::StringPiece& label, | 229 bool has_context, |
| 230 bool has_context, | 230 const base::StringPiece& context, |
| 231 const base::StringPiece& context, | 231 unsigned char* out, |
| 232 unsigned char* out, | 232 unsigned int outlen) { |
| 233 unsigned int outlen) { | |
| 234 if (!IsConnected()) | 233 if (!IsConnected()) |
| 235 return ERR_SOCKET_NOT_CONNECTED; | 234 return ERR_SOCKET_NOT_CONNECTED; |
| 236 | 235 |
| 237 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 236 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 238 | 237 |
| 239 int rv = SSL_export_keying_material( | 238 int rv = SSL_export_keying_material( |
| 240 ssl_, out, outlen, label.data(), label.size(), | 239 ssl_, out, outlen, label.data(), label.size(), |
| 241 reinterpret_cast<const unsigned char*>(context.data()), | 240 reinterpret_cast<const unsigned char*>(context.data()), context.length(), |
| 242 context.length(), context.length() > 0); | 241 context.length() > 0); |
| 243 | 242 |
| 244 if (rv != 1) { | 243 if (rv != 1) { |
| 245 int ssl_error = SSL_get_error(ssl_, rv); | 244 int ssl_error = SSL_get_error(ssl_, rv); |
| 246 LOG(ERROR) << "Failed to export keying material;" | 245 LOG(ERROR) << "Failed to export keying material;" |
| 247 << " returned " << rv | 246 << " returned " << rv << ", SSL error code " << ssl_error; |
| 248 << ", SSL error code " << ssl_error; | |
| 249 return MapOpenSSLError(ssl_error, err_tracer); | 247 return MapOpenSSLError(ssl_error, err_tracer); |
| 250 } | 248 } |
| 251 return OK; | 249 return OK; |
| 252 } | 250 } |
| 253 | 251 |
| 254 int SSLServerSocketOpenSSL::Read(IOBuffer* buf, | 252 int SSLServerSocketImpl::Read(IOBuffer* buf, |
| 255 int buf_len, | 253 int buf_len, |
| 256 const CompletionCallback& callback) { | 254 const CompletionCallback& callback) { |
| 257 DCHECK(user_read_callback_.is_null()); | 255 DCHECK(user_read_callback_.is_null()); |
| 258 DCHECK(user_handshake_callback_.is_null()); | 256 DCHECK(user_handshake_callback_.is_null()); |
| 259 DCHECK(!user_read_buf_); | 257 DCHECK(!user_read_buf_); |
| 260 DCHECK(!callback.is_null()); | 258 DCHECK(!callback.is_null()); |
| 261 | 259 |
| 262 user_read_buf_ = buf; | 260 user_read_buf_ = buf; |
| 263 user_read_buf_len_ = buf_len; | 261 user_read_buf_len_ = buf_len; |
| 264 | 262 |
| 265 DCHECK(completed_handshake_); | 263 DCHECK(completed_handshake_); |
| 266 | 264 |
| 267 int rv = DoReadLoop(OK); | 265 int rv = DoReadLoop(OK); |
| 268 | 266 |
| 269 if (rv == ERR_IO_PENDING) { | 267 if (rv == ERR_IO_PENDING) { |
| 270 user_read_callback_ = callback; | 268 user_read_callback_ = callback; |
| 271 } else { | 269 } else { |
| 272 user_read_buf_ = NULL; | 270 user_read_buf_ = NULL; |
| 273 user_read_buf_len_ = 0; | 271 user_read_buf_len_ = 0; |
| 274 } | 272 } |
| 275 | 273 |
| 276 return rv; | 274 return rv; |
| 277 } | 275 } |
| 278 | 276 |
| 279 int SSLServerSocketOpenSSL::Write(IOBuffer* buf, | 277 int SSLServerSocketImpl::Write(IOBuffer* buf, |
| 280 int buf_len, | 278 int buf_len, |
| 281 const CompletionCallback& callback) { | 279 const CompletionCallback& callback) { |
| 282 DCHECK(user_write_callback_.is_null()); | 280 DCHECK(user_write_callback_.is_null()); |
| 283 DCHECK(!user_write_buf_); | 281 DCHECK(!user_write_buf_); |
| 284 DCHECK(!callback.is_null()); | 282 DCHECK(!callback.is_null()); |
| 285 | 283 |
| 286 user_write_buf_ = buf; | 284 user_write_buf_ = buf; |
| 287 user_write_buf_len_ = buf_len; | 285 user_write_buf_len_ = buf_len; |
| 288 | 286 |
| 289 int rv = DoWriteLoop(OK); | 287 int rv = DoWriteLoop(OK); |
| 290 | 288 |
| 291 if (rv == ERR_IO_PENDING) { | 289 if (rv == ERR_IO_PENDING) { |
| 292 user_write_callback_ = callback; | 290 user_write_callback_ = callback; |
| 293 } else { | 291 } else { |
| 294 user_write_buf_ = NULL; | 292 user_write_buf_ = NULL; |
| 295 user_write_buf_len_ = 0; | 293 user_write_buf_len_ = 0; |
| 296 } | 294 } |
| 297 return rv; | 295 return rv; |
| 298 } | 296 } |
| 299 | 297 |
| 300 int SSLServerSocketOpenSSL::SetReceiveBufferSize(int32_t size) { | 298 int SSLServerSocketImpl::SetReceiveBufferSize(int32_t size) { |
| 301 return transport_socket_->SetReceiveBufferSize(size); | 299 return transport_socket_->SetReceiveBufferSize(size); |
| 302 } | 300 } |
| 303 | 301 |
| 304 int SSLServerSocketOpenSSL::SetSendBufferSize(int32_t size) { | 302 int SSLServerSocketImpl::SetSendBufferSize(int32_t size) { |
| 305 return transport_socket_->SetSendBufferSize(size); | 303 return transport_socket_->SetSendBufferSize(size); |
| 306 } | 304 } |
| 307 | 305 |
| 308 int SSLServerSocketOpenSSL::Connect(const CompletionCallback& callback) { | 306 int SSLServerSocketImpl::Connect(const CompletionCallback& callback) { |
| 309 NOTIMPLEMENTED(); | 307 NOTIMPLEMENTED(); |
| 310 return ERR_NOT_IMPLEMENTED; | 308 return ERR_NOT_IMPLEMENTED; |
| 311 } | 309 } |
| 312 | 310 |
| 313 void SSLServerSocketOpenSSL::Disconnect() { | 311 void SSLServerSocketImpl::Disconnect() { |
| 314 transport_socket_->Disconnect(); | 312 transport_socket_->Disconnect(); |
| 315 } | 313 } |
| 316 | 314 |
| 317 bool SSLServerSocketOpenSSL::IsConnected() const { | 315 bool SSLServerSocketImpl::IsConnected() const { |
| 318 // TODO(wtc): Find out if we should check transport_socket_->IsConnected() | 316 // TODO(wtc): Find out if we should check transport_socket_->IsConnected() |
| 319 // as well. | 317 // as well. |
| 320 return completed_handshake_; | 318 return completed_handshake_; |
| 321 } | 319 } |
| 322 | 320 |
| 323 bool SSLServerSocketOpenSSL::IsConnectedAndIdle() const { | 321 bool SSLServerSocketImpl::IsConnectedAndIdle() const { |
| 324 return completed_handshake_ && transport_socket_->IsConnectedAndIdle(); | 322 return completed_handshake_ && transport_socket_->IsConnectedAndIdle(); |
| 325 } | 323 } |
| 326 | 324 |
| 327 int SSLServerSocketOpenSSL::GetPeerAddress(IPEndPoint* address) const { | 325 int SSLServerSocketImpl::GetPeerAddress(IPEndPoint* address) const { |
| 328 if (!IsConnected()) | 326 if (!IsConnected()) |
| 329 return ERR_SOCKET_NOT_CONNECTED; | 327 return ERR_SOCKET_NOT_CONNECTED; |
| 330 return transport_socket_->GetPeerAddress(address); | 328 return transport_socket_->GetPeerAddress(address); |
| 331 } | 329 } |
| 332 | 330 |
| 333 int SSLServerSocketOpenSSL::GetLocalAddress(IPEndPoint* address) const { | 331 int SSLServerSocketImpl::GetLocalAddress(IPEndPoint* address) const { |
| 334 if (!IsConnected()) | 332 if (!IsConnected()) |
| 335 return ERR_SOCKET_NOT_CONNECTED; | 333 return ERR_SOCKET_NOT_CONNECTED; |
| 336 return transport_socket_->GetLocalAddress(address); | 334 return transport_socket_->GetLocalAddress(address); |
| 337 } | 335 } |
| 338 | 336 |
| 339 const BoundNetLog& SSLServerSocketOpenSSL::NetLog() const { | 337 const BoundNetLog& SSLServerSocketImpl::NetLog() const { |
| 340 return net_log_; | 338 return net_log_; |
| 341 } | 339 } |
| 342 | 340 |
| 343 void SSLServerSocketOpenSSL::SetSubresourceSpeculation() { | 341 void SSLServerSocketImpl::SetSubresourceSpeculation() { |
| 344 transport_socket_->SetSubresourceSpeculation(); | 342 transport_socket_->SetSubresourceSpeculation(); |
| 345 } | 343 } |
| 346 | 344 |
| 347 void SSLServerSocketOpenSSL::SetOmniboxSpeculation() { | 345 void SSLServerSocketImpl::SetOmniboxSpeculation() { |
| 348 transport_socket_->SetOmniboxSpeculation(); | 346 transport_socket_->SetOmniboxSpeculation(); |
| 349 } | 347 } |
| 350 | 348 |
| 351 bool SSLServerSocketOpenSSL::WasEverUsed() const { | 349 bool SSLServerSocketImpl::WasEverUsed() const { |
| 352 return transport_socket_->WasEverUsed(); | 350 return transport_socket_->WasEverUsed(); |
| 353 } | 351 } |
| 354 | 352 |
| 355 bool SSLServerSocketOpenSSL::WasNpnNegotiated() const { | 353 bool SSLServerSocketImpl::WasNpnNegotiated() const { |
| 356 NOTIMPLEMENTED(); | 354 NOTIMPLEMENTED(); |
| 357 return false; | 355 return false; |
| 358 } | 356 } |
| 359 | 357 |
| 360 NextProto SSLServerSocketOpenSSL::GetNegotiatedProtocol() const { | 358 NextProto SSLServerSocketImpl::GetNegotiatedProtocol() const { |
| 361 // NPN is not supported by this class. | 359 // NPN is not supported by this class. |
| 362 return kProtoUnknown; | 360 return kProtoUnknown; |
| 363 } | 361 } |
| 364 | 362 |
| 365 bool SSLServerSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) { | 363 bool SSLServerSocketImpl::GetSSLInfo(SSLInfo* ssl_info) { |
| 366 ssl_info->Reset(); | 364 ssl_info->Reset(); |
| 367 if (!completed_handshake_) | 365 if (!completed_handshake_) |
| 368 return false; | 366 return false; |
| 369 | 367 |
| 370 ssl_info->cert = client_cert_; | 368 ssl_info->cert = client_cert_; |
| 371 | 369 |
| 372 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); | 370 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); |
| 373 CHECK(cipher); | 371 CHECK(cipher); |
| 374 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); | 372 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); |
| 375 | 373 |
| 376 SSLConnectionStatusSetCipherSuite( | 374 SSLConnectionStatusSetCipherSuite( |
| 377 static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)), | 375 static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)), |
| 378 &ssl_info->connection_status); | 376 &ssl_info->connection_status); |
| 379 SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_), | 377 SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_), |
| 380 &ssl_info->connection_status); | 378 &ssl_info->connection_status); |
| 381 | 379 |
| 382 if (!SSL_get_secure_renegotiation_support(ssl_)) | 380 if (!SSL_get_secure_renegotiation_support(ssl_)) |
| 383 ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; | 381 ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; |
| 384 | 382 |
| 385 ssl_info->handshake_type = SSL_session_reused(ssl_) | 383 ssl_info->handshake_type = SSL_session_reused(ssl_) |
| 386 ? SSLInfo::HANDSHAKE_RESUME | 384 ? SSLInfo::HANDSHAKE_RESUME |
| 387 : SSLInfo::HANDSHAKE_FULL; | 385 : SSLInfo::HANDSHAKE_FULL; |
| 388 | 386 |
| 389 return true; | 387 return true; |
| 390 } | 388 } |
| 391 | 389 |
| 392 void SSLServerSocketOpenSSL::GetConnectionAttempts( | 390 void SSLServerSocketImpl::GetConnectionAttempts(ConnectionAttempts* out) const { |
| 393 ConnectionAttempts* out) const { | |
| 394 out->clear(); | 391 out->clear(); |
| 395 } | 392 } |
| 396 | 393 |
| 397 int64_t SSLServerSocketOpenSSL::GetTotalReceivedBytes() const { | 394 int64_t SSLServerSocketImpl::GetTotalReceivedBytes() const { |
| 398 return transport_socket_->GetTotalReceivedBytes(); | 395 return transport_socket_->GetTotalReceivedBytes(); |
| 399 } | 396 } |
| 400 | 397 |
| 401 void SSLServerSocketOpenSSL::OnSendComplete(int result) { | 398 void SSLServerSocketImpl::OnSendComplete(int result) { |
| 402 if (next_handshake_state_ == STATE_HANDSHAKE) { | 399 if (next_handshake_state_ == STATE_HANDSHAKE) { |
| 403 // In handshake phase. | 400 // In handshake phase. |
| 404 OnHandshakeIOComplete(result); | 401 OnHandshakeIOComplete(result); |
| 405 return; | 402 return; |
| 406 } | 403 } |
| 407 | 404 |
| 408 // TODO(byungchul): This state machine is not correct. Copy the state machine | 405 // TODO(byungchul): This state machine is not correct. Copy the state machine |
| 409 // of SSLClientSocketOpenSSL::OnSendComplete() which handles it better. | 406 // of SSLClientSocketImpl::OnSendComplete() which handles it better. |
| 410 if (!completed_handshake_) | 407 if (!completed_handshake_) |
| 411 return; | 408 return; |
| 412 | 409 |
| 413 if (user_write_buf_) { | 410 if (user_write_buf_) { |
| 414 int rv = DoWriteLoop(result); | 411 int rv = DoWriteLoop(result); |
| 415 if (rv != ERR_IO_PENDING) | 412 if (rv != ERR_IO_PENDING) |
| 416 DoWriteCallback(rv); | 413 DoWriteCallback(rv); |
| 417 } else { | 414 } else { |
| 418 // Ensure that any queued ciphertext is flushed. | 415 // Ensure that any queued ciphertext is flushed. |
| 419 DoTransportIO(); | 416 DoTransportIO(); |
| 420 } | 417 } |
| 421 } | 418 } |
| 422 | 419 |
| 423 void SSLServerSocketOpenSSL::OnRecvComplete(int result) { | 420 void SSLServerSocketImpl::OnRecvComplete(int result) { |
| 424 if (next_handshake_state_ == STATE_HANDSHAKE) { | 421 if (next_handshake_state_ == STATE_HANDSHAKE) { |
| 425 // In handshake phase. | 422 // In handshake phase. |
| 426 OnHandshakeIOComplete(result); | 423 OnHandshakeIOComplete(result); |
| 427 return; | 424 return; |
| 428 } | 425 } |
| 429 | 426 |
| 430 // Network layer received some data, check if client requested to read | 427 // Network layer received some data, check if client requested to read |
| 431 // decrypted data. | 428 // decrypted data. |
| 432 if (!user_read_buf_ || !completed_handshake_) | 429 if (!user_read_buf_ || !completed_handshake_) |
| 433 return; | 430 return; |
| 434 | 431 |
| 435 int rv = DoReadLoop(result); | 432 int rv = DoReadLoop(result); |
| 436 if (rv != ERR_IO_PENDING) | 433 if (rv != ERR_IO_PENDING) |
| 437 DoReadCallback(rv); | 434 DoReadCallback(rv); |
| 438 } | 435 } |
| 439 | 436 |
| 440 void SSLServerSocketOpenSSL::OnHandshakeIOComplete(int result) { | 437 void SSLServerSocketImpl::OnHandshakeIOComplete(int result) { |
| 441 int rv = DoHandshakeLoop(result); | 438 int rv = DoHandshakeLoop(result); |
| 442 if (rv == ERR_IO_PENDING) | 439 if (rv == ERR_IO_PENDING) |
| 443 return; | 440 return; |
| 444 | 441 |
| 445 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_SERVER_HANDSHAKE, rv); | 442 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_SERVER_HANDSHAKE, rv); |
| 446 if (!user_handshake_callback_.is_null()) | 443 if (!user_handshake_callback_.is_null()) |
| 447 DoHandshakeCallback(rv); | 444 DoHandshakeCallback(rv); |
| 448 } | 445 } |
| 449 | 446 |
| 450 // Return 0 for EOF, | 447 // Return 0 for EOF, |
| 451 // > 0 for bytes transferred immediately, | 448 // > 0 for bytes transferred immediately, |
| 452 // < 0 for error (or the non-error ERR_IO_PENDING). | 449 // < 0 for error (or the non-error ERR_IO_PENDING). |
| 453 int SSLServerSocketOpenSSL::BufferSend() { | 450 int SSLServerSocketImpl::BufferSend() { |
| 454 if (transport_send_busy_) | 451 if (transport_send_busy_) |
| 455 return ERR_IO_PENDING; | 452 return ERR_IO_PENDING; |
| 456 | 453 |
| 457 if (!send_buffer_) { | 454 if (!send_buffer_) { |
| 458 // Get a fresh send buffer out of the send BIO. | 455 // Get a fresh send buffer out of the send BIO. |
| 459 size_t max_read = BIO_pending(transport_bio_); | 456 size_t max_read = BIO_pending(transport_bio_); |
| 460 if (!max_read) | 457 if (!max_read) |
| 461 return 0; // Nothing pending in the OpenSSL write BIO. | 458 return 0; // Nothing pending in the OpenSSL write BIO. |
| 462 send_buffer_ = new DrainableIOBuffer(new IOBuffer(max_read), max_read); | 459 send_buffer_ = new DrainableIOBuffer(new IOBuffer(max_read), max_read); |
| 463 int read_bytes = BIO_read(transport_bio_, send_buffer_->data(), max_read); | 460 int read_bytes = BIO_read(transport_bio_, send_buffer_->data(), max_read); |
| 464 DCHECK_GT(read_bytes, 0); | 461 DCHECK_GT(read_bytes, 0); |
| 465 CHECK_EQ(static_cast<int>(max_read), read_bytes); | 462 CHECK_EQ(static_cast<int>(max_read), read_bytes); |
| 466 } | 463 } |
| 467 | 464 |
| 468 int rv = transport_socket_->Write( | 465 int rv = transport_socket_->Write( |
| 469 send_buffer_.get(), send_buffer_->BytesRemaining(), | 466 send_buffer_.get(), send_buffer_->BytesRemaining(), |
| 470 base::Bind(&SSLServerSocketOpenSSL::BufferSendComplete, | 467 base::Bind(&SSLServerSocketImpl::BufferSendComplete, |
| 471 base::Unretained(this))); | 468 base::Unretained(this))); |
| 472 if (rv == ERR_IO_PENDING) { | 469 if (rv == ERR_IO_PENDING) { |
| 473 transport_send_busy_ = true; | 470 transport_send_busy_ = true; |
| 474 } else { | 471 } else { |
| 475 TransportWriteComplete(rv); | 472 TransportWriteComplete(rv); |
| 476 } | 473 } |
| 477 return rv; | 474 return rv; |
| 478 } | 475 } |
| 479 | 476 |
| 480 void SSLServerSocketOpenSSL::BufferSendComplete(int result) { | 477 void SSLServerSocketImpl::BufferSendComplete(int result) { |
| 481 transport_send_busy_ = false; | 478 transport_send_busy_ = false; |
| 482 TransportWriteComplete(result); | 479 TransportWriteComplete(result); |
| 483 OnSendComplete(result); | 480 OnSendComplete(result); |
| 484 } | 481 } |
| 485 | 482 |
| 486 void SSLServerSocketOpenSSL::TransportWriteComplete(int result) { | 483 void SSLServerSocketImpl::TransportWriteComplete(int result) { |
| 487 DCHECK(ERR_IO_PENDING != result); | 484 DCHECK(ERR_IO_PENDING != result); |
| 488 if (result < 0) { | 485 if (result < 0) { |
| 489 // Got a socket write error; close the BIO to indicate this upward. | 486 // Got a socket write error; close the BIO to indicate this upward. |
| 490 // | 487 // |
| 491 // TODO(davidben): The value of |result| gets lost. Feed the error back into | 488 // TODO(davidben): The value of |result| gets lost. Feed the error back into |
| 492 // the BIO so it gets (re-)detected in OnSendComplete. Perhaps with | 489 // the BIO so it gets (re-)detected in OnSendComplete. Perhaps with |
| 493 // BIO_set_callback. | 490 // BIO_set_callback. |
| 494 DVLOG(1) << "TransportWriteComplete error " << result; | 491 DVLOG(1) << "TransportWriteComplete error " << result; |
| 495 (void)BIO_shutdown_wr(SSL_get_wbio(ssl_)); | 492 (void)BIO_shutdown_wr(SSL_get_wbio(ssl_)); |
| 496 | 493 |
| 497 // Match the fix for http://crbug.com/249848 in NSS by erroring future reads | 494 // Match the fix for http://crbug.com/249848 in NSS by erroring future reads |
| 498 // from the socket after a write error. | 495 // from the socket after a write error. |
| 499 // | 496 // |
| 500 // TODO(davidben): Avoid having read and write ends interact this way. | 497 // TODO(davidben): Avoid having read and write ends interact this way. |
| 501 transport_write_error_ = result; | 498 transport_write_error_ = result; |
| 502 (void)BIO_shutdown_wr(transport_bio_); | 499 (void)BIO_shutdown_wr(transport_bio_); |
| 503 send_buffer_ = NULL; | 500 send_buffer_ = NULL; |
| 504 } else { | 501 } else { |
| 505 DCHECK(send_buffer_); | 502 DCHECK(send_buffer_); |
| 506 send_buffer_->DidConsume(result); | 503 send_buffer_->DidConsume(result); |
| 507 DCHECK_GE(send_buffer_->BytesRemaining(), 0); | 504 DCHECK_GE(send_buffer_->BytesRemaining(), 0); |
| 508 if (send_buffer_->BytesRemaining() <= 0) | 505 if (send_buffer_->BytesRemaining() <= 0) |
| 509 send_buffer_ = NULL; | 506 send_buffer_ = NULL; |
| 510 } | 507 } |
| 511 } | 508 } |
| 512 | 509 |
| 513 int SSLServerSocketOpenSSL::BufferRecv() { | 510 int SSLServerSocketImpl::BufferRecv() { |
| 514 if (transport_recv_busy_) | 511 if (transport_recv_busy_) |
| 515 return ERR_IO_PENDING; | 512 return ERR_IO_PENDING; |
| 516 | 513 |
| 517 // Determine how much was requested from |transport_bio_| that was not | 514 // Determine how much was requested from |transport_bio_| that was not |
| 518 // actually available. | 515 // actually available. |
| 519 size_t requested = BIO_ctrl_get_read_request(transport_bio_); | 516 size_t requested = BIO_ctrl_get_read_request(transport_bio_); |
| 520 if (requested == 0) { | 517 if (requested == 0) { |
| 521 // This is not a perfect match of error codes, as no operation is | 518 // This is not a perfect match of error codes, as no operation is |
| 522 // actually pending. However, returning 0 would be interpreted as | 519 // actually pending. However, returning 0 would be interpreted as |
| 523 // a possible sign of EOF, which is also an inappropriate match. | 520 // a possible sign of EOF, which is also an inappropriate match. |
| 524 return ERR_IO_PENDING; | 521 return ERR_IO_PENDING; |
| 525 } | 522 } |
| 526 | 523 |
| 527 // Known Issue: While only reading |requested| data is the more correct | 524 // Known Issue: While only reading |requested| data is the more correct |
| 528 // implementation, it has the downside of resulting in frequent reads: | 525 // implementation, it has the downside of resulting in frequent reads: |
| 529 // One read for the SSL record header (~5 bytes) and one read for the SSL | 526 // One read for the SSL record header (~5 bytes) and one read for the SSL |
| 530 // record body. Rather than issuing these reads to the underlying socket | 527 // record body. Rather than issuing these reads to the underlying socket |
| 531 // (and constantly allocating new IOBuffers), a single Read() request to | 528 // (and constantly allocating new IOBuffers), a single Read() request to |
| 532 // fill |transport_bio_| is issued. As long as an SSL client socket cannot | 529 // fill |transport_bio_| is issued. As long as an SSL client socket cannot |
| 533 // be gracefully shutdown (via SSL close alerts) and re-used for non-SSL | 530 // be gracefully shutdown (via SSL close alerts) and re-used for non-SSL |
| 534 // traffic, this over-subscribed Read()ing will not cause issues. | 531 // traffic, this over-subscribed Read()ing will not cause issues. |
| 535 size_t max_write = BIO_ctrl_get_write_guarantee(transport_bio_); | 532 size_t max_write = BIO_ctrl_get_write_guarantee(transport_bio_); |
| 536 if (!max_write) | 533 if (!max_write) |
| 537 return ERR_IO_PENDING; | 534 return ERR_IO_PENDING; |
| 538 | 535 |
| 539 recv_buffer_ = new IOBuffer(max_write); | 536 recv_buffer_ = new IOBuffer(max_write); |
| 540 int rv = transport_socket_->Read( | 537 int rv = transport_socket_->Read( |
| 541 recv_buffer_.get(), max_write, | 538 recv_buffer_.get(), max_write, |
| 542 base::Bind(&SSLServerSocketOpenSSL::BufferRecvComplete, | 539 base::Bind(&SSLServerSocketImpl::BufferRecvComplete, |
| 543 base::Unretained(this))); | 540 base::Unretained(this))); |
| 544 if (rv == ERR_IO_PENDING) { | 541 if (rv == ERR_IO_PENDING) { |
| 545 transport_recv_busy_ = true; | 542 transport_recv_busy_ = true; |
| 546 } else { | 543 } else { |
| 547 rv = TransportReadComplete(rv); | 544 rv = TransportReadComplete(rv); |
| 548 } | 545 } |
| 549 return rv; | 546 return rv; |
| 550 } | 547 } |
| 551 | 548 |
| 552 void SSLServerSocketOpenSSL::BufferRecvComplete(int result) { | 549 void SSLServerSocketImpl::BufferRecvComplete(int result) { |
| 553 result = TransportReadComplete(result); | 550 result = TransportReadComplete(result); |
| 554 OnRecvComplete(result); | 551 OnRecvComplete(result); |
| 555 } | 552 } |
| 556 | 553 |
| 557 int SSLServerSocketOpenSSL::TransportReadComplete(int result) { | 554 int SSLServerSocketImpl::TransportReadComplete(int result) { |
| 558 DCHECK(ERR_IO_PENDING != result); | 555 DCHECK(ERR_IO_PENDING != result); |
| 559 if (result <= 0) { | 556 if (result <= 0) { |
| 560 DVLOG(1) << "TransportReadComplete result " << result; | 557 DVLOG(1) << "TransportReadComplete result " << result; |
| 561 // Received 0 (end of file) or an error. Either way, bubble it up to the | 558 // Received 0 (end of file) or an error. Either way, bubble it up to the |
| 562 // SSL layer via the BIO. TODO(joth): consider stashing the error code, to | 559 // SSL layer via the BIO. TODO(joth): consider stashing the error code, to |
| 563 // relay up to the SSL socket client (i.e. via DoReadCallback). | 560 // relay up to the SSL socket client (i.e. via DoReadCallback). |
| 564 if (result == 0) | 561 if (result == 0) |
| 565 transport_recv_eof_ = true; | 562 transport_recv_eof_ = true; |
| 566 (void)BIO_shutdown_wr(transport_bio_); | 563 (void)BIO_shutdown_wr(transport_bio_); |
| 567 } else if (transport_write_error_ < 0) { | 564 } else if (transport_write_error_ < 0) { |
| 568 // Mirror transport write errors as read failures; transport_bio_ has been | 565 // Mirror transport write errors as read failures; transport_bio_ has been |
| 569 // shut down by TransportWriteComplete, so the BIO_write will fail, failing | 566 // shut down by TransportWriteComplete, so the BIO_write will fail, failing |
| 570 // the CHECK. http://crbug.com/335557. | 567 // the CHECK. http://crbug.com/335557. |
| 571 result = transport_write_error_; | 568 result = transport_write_error_; |
| 572 } else { | 569 } else { |
| 573 DCHECK(recv_buffer_); | 570 DCHECK(recv_buffer_); |
| 574 int ret = BIO_write(transport_bio_, recv_buffer_->data(), result); | 571 int ret = BIO_write(transport_bio_, recv_buffer_->data(), result); |
| 575 // A write into a memory BIO should always succeed. | 572 // A write into a memory BIO should always succeed. |
| 576 DCHECK_EQ(result, ret); | 573 DCHECK_EQ(result, ret); |
| 577 } | 574 } |
| 578 recv_buffer_ = NULL; | 575 recv_buffer_ = NULL; |
| 579 transport_recv_busy_ = false; | 576 transport_recv_busy_ = false; |
| 580 return result; | 577 return result; |
| 581 } | 578 } |
| 582 | 579 |
| 583 // Do as much network I/O as possible between the buffer and the | 580 // Do as much network I/O as possible between the buffer and the |
| 584 // transport socket. Return true if some I/O performed, false | 581 // transport socket. Return true if some I/O performed, false |
| 585 // otherwise (error or ERR_IO_PENDING). | 582 // otherwise (error or ERR_IO_PENDING). |
| 586 bool SSLServerSocketOpenSSL::DoTransportIO() { | 583 bool SSLServerSocketImpl::DoTransportIO() { |
| 587 bool network_moved = false; | 584 bool network_moved = false; |
| 588 int rv; | 585 int rv; |
| 589 // Read and write as much data as possible. The loop is necessary because | 586 // Read and write as much data as possible. The loop is necessary because |
| 590 // Write() may return synchronously. | 587 // Write() may return synchronously. |
| 591 do { | 588 do { |
| 592 rv = BufferSend(); | 589 rv = BufferSend(); |
| 593 if (rv != ERR_IO_PENDING && rv != 0) | 590 if (rv != ERR_IO_PENDING && rv != 0) |
| 594 network_moved = true; | 591 network_moved = true; |
| 595 } while (rv > 0); | 592 } while (rv > 0); |
| 596 if (!transport_recv_eof_ && BufferRecv() != ERR_IO_PENDING) | 593 if (!transport_recv_eof_ && BufferRecv() != ERR_IO_PENDING) |
| 597 network_moved = true; | 594 network_moved = true; |
| 598 return network_moved; | 595 return network_moved; |
| 599 } | 596 } |
| 600 | 597 |
| 601 int SSLServerSocketOpenSSL::DoPayloadRead() { | 598 int SSLServerSocketImpl::DoPayloadRead() { |
| 602 DCHECK(user_read_buf_); | 599 DCHECK(user_read_buf_); |
| 603 DCHECK_GT(user_read_buf_len_, 0); | 600 DCHECK_GT(user_read_buf_len_, 0); |
| 604 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 601 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 605 int rv = SSL_read(ssl_, user_read_buf_->data(), user_read_buf_len_); | 602 int rv = SSL_read(ssl_, user_read_buf_->data(), user_read_buf_len_); |
| 606 if (rv >= 0) | 603 if (rv >= 0) |
| 607 return rv; | 604 return rv; |
| 608 int ssl_error = SSL_get_error(ssl_, rv); | 605 int ssl_error = SSL_get_error(ssl_, rv); |
| 609 OpenSSLErrorInfo error_info; | 606 OpenSSLErrorInfo error_info; |
| 610 int net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, | 607 int net_error = |
| 611 &error_info); | 608 MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info); |
| 612 if (net_error != ERR_IO_PENDING) { | 609 if (net_error != ERR_IO_PENDING) { |
| 613 net_log_.AddEvent( | 610 net_log_.AddEvent( |
| 614 NetLog::TYPE_SSL_READ_ERROR, | 611 NetLog::TYPE_SSL_READ_ERROR, |
| 615 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); | 612 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); |
| 616 } | 613 } |
| 617 return net_error; | 614 return net_error; |
| 618 } | 615 } |
| 619 | 616 |
| 620 int SSLServerSocketOpenSSL::DoPayloadWrite() { | 617 int SSLServerSocketImpl::DoPayloadWrite() { |
| 621 DCHECK(user_write_buf_); | 618 DCHECK(user_write_buf_); |
| 622 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 619 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 623 int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_); | 620 int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_); |
| 624 if (rv >= 0) | 621 if (rv >= 0) |
| 625 return rv; | 622 return rv; |
| 626 int ssl_error = SSL_get_error(ssl_, rv); | 623 int ssl_error = SSL_get_error(ssl_, rv); |
| 627 OpenSSLErrorInfo error_info; | 624 OpenSSLErrorInfo error_info; |
| 628 int net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, | 625 int net_error = |
| 629 &error_info); | 626 MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info); |
| 630 if (net_error != ERR_IO_PENDING) { | 627 if (net_error != ERR_IO_PENDING) { |
| 631 net_log_.AddEvent( | 628 net_log_.AddEvent( |
| 632 NetLog::TYPE_SSL_WRITE_ERROR, | 629 NetLog::TYPE_SSL_WRITE_ERROR, |
| 633 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); | 630 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); |
| 634 } | 631 } |
| 635 return net_error; | 632 return net_error; |
| 636 } | 633 } |
| 637 | 634 |
| 638 int SSLServerSocketOpenSSL::DoHandshakeLoop(int last_io_result) { | 635 int SSLServerSocketImpl::DoHandshakeLoop(int last_io_result) { |
| 639 int rv = last_io_result; | 636 int rv = last_io_result; |
| 640 do { | 637 do { |
| 641 // Default to STATE_NONE for next state. | 638 // Default to STATE_NONE for next state. |
| 642 // (This is a quirk carried over from the windows | 639 // (This is a quirk carried over from the windows |
| 643 // implementation. It makes reading the logs a bit harder.) | 640 // implementation. It makes reading the logs a bit harder.) |
| 644 // State handlers can and often do call GotoState just | 641 // State handlers can and often do call GotoState just |
| 645 // to stay in the current state. | 642 // to stay in the current state. |
| 646 State state = next_handshake_state_; | 643 State state = next_handshake_state_; |
| 647 GotoState(STATE_NONE); | 644 GotoState(STATE_NONE); |
| 648 switch (state) { | 645 switch (state) { |
| (...skipping 12 matching lines...) Expand all Loading... |
| 661 if (network_moved && next_handshake_state_ == STATE_HANDSHAKE) { | 658 if (network_moved && next_handshake_state_ == STATE_HANDSHAKE) { |
| 662 // In general we exit the loop if rv is ERR_IO_PENDING. In this | 659 // In general we exit the loop if rv is ERR_IO_PENDING. In this |
| 663 // special case we keep looping even if rv is ERR_IO_PENDING because | 660 // special case we keep looping even if rv is ERR_IO_PENDING because |
| 664 // the transport IO may allow DoHandshake to make progress. | 661 // the transport IO may allow DoHandshake to make progress. |
| 665 rv = OK; // This causes us to stay in the loop. | 662 rv = OK; // This causes us to stay in the loop. |
| 666 } | 663 } |
| 667 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE); | 664 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE); |
| 668 return rv; | 665 return rv; |
| 669 } | 666 } |
| 670 | 667 |
| 671 int SSLServerSocketOpenSSL::DoReadLoop(int result) { | 668 int SSLServerSocketImpl::DoReadLoop(int result) { |
| 672 DCHECK(completed_handshake_); | 669 DCHECK(completed_handshake_); |
| 673 DCHECK(next_handshake_state_ == STATE_NONE); | 670 DCHECK(next_handshake_state_ == STATE_NONE); |
| 674 | 671 |
| 675 if (result < 0) | 672 if (result < 0) |
| 676 return result; | 673 return result; |
| 677 | 674 |
| 678 bool network_moved; | 675 bool network_moved; |
| 679 int rv; | 676 int rv; |
| 680 do { | 677 do { |
| 681 rv = DoPayloadRead(); | 678 rv = DoPayloadRead(); |
| 682 network_moved = DoTransportIO(); | 679 network_moved = DoTransportIO(); |
| 683 } while (rv == ERR_IO_PENDING && network_moved); | 680 } while (rv == ERR_IO_PENDING && network_moved); |
| 684 return rv; | 681 return rv; |
| 685 } | 682 } |
| 686 | 683 |
| 687 int SSLServerSocketOpenSSL::DoWriteLoop(int result) { | 684 int SSLServerSocketImpl::DoWriteLoop(int result) { |
| 688 DCHECK(completed_handshake_); | 685 DCHECK(completed_handshake_); |
| 689 DCHECK_EQ(next_handshake_state_, STATE_NONE); | 686 DCHECK_EQ(next_handshake_state_, STATE_NONE); |
| 690 | 687 |
| 691 if (result < 0) | 688 if (result < 0) |
| 692 return result; | 689 return result; |
| 693 | 690 |
| 694 bool network_moved; | 691 bool network_moved; |
| 695 int rv; | 692 int rv; |
| 696 do { | 693 do { |
| 697 rv = DoPayloadWrite(); | 694 rv = DoPayloadWrite(); |
| 698 network_moved = DoTransportIO(); | 695 network_moved = DoTransportIO(); |
| 699 } while (rv == ERR_IO_PENDING && network_moved); | 696 } while (rv == ERR_IO_PENDING && network_moved); |
| 700 return rv; | 697 return rv; |
| 701 } | 698 } |
| 702 | 699 |
| 703 int SSLServerSocketOpenSSL::DoHandshake() { | 700 int SSLServerSocketImpl::DoHandshake() { |
| 704 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 701 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 705 int net_error = OK; | 702 int net_error = OK; |
| 706 int rv = SSL_do_handshake(ssl_); | 703 int rv = SSL_do_handshake(ssl_); |
| 707 | 704 |
| 708 if (rv == 1) { | 705 if (rv == 1) { |
| 709 completed_handshake_ = true; | 706 completed_handshake_ = true; |
| 710 // The results of SSL_get_peer_certificate() must be explicitly freed. | 707 // The results of SSL_get_peer_certificate() must be explicitly freed. |
| 711 ScopedX509 cert(SSL_get_peer_certificate(ssl_)); | 708 ScopedX509 cert(SSL_get_peer_certificate(ssl_)); |
| 712 if (cert) { | 709 if (cert) { |
| 713 // The caller does not take ownership of SSL_get_peer_cert_chain's | 710 // The caller does not take ownership of SSL_get_peer_cert_chain's |
| (...skipping 12 matching lines...) Expand all Loading... |
| 726 // net_errors assumes (correctly for client sockets, but erroneously for | 723 // net_errors assumes (correctly for client sockets, but erroneously for |
| 727 // server sockets) that peer cert verification failure can only occur if | 724 // server sockets) that peer cert verification failure can only occur if |
| 728 // the cert changed during a renego. crbug.com/570351 | 725 // the cert changed during a renego. crbug.com/570351 |
| 729 if (net_error == ERR_SSL_SERVER_CERT_CHANGED) | 726 if (net_error == ERR_SSL_SERVER_CERT_CHANGED) |
| 730 net_error = ERR_BAD_SSL_CLIENT_AUTH_CERT; | 727 net_error = ERR_BAD_SSL_CLIENT_AUTH_CERT; |
| 731 | 728 |
| 732 // If not done, stay in this state | 729 // If not done, stay in this state |
| 733 if (net_error == ERR_IO_PENDING) { | 730 if (net_error == ERR_IO_PENDING) { |
| 734 GotoState(STATE_HANDSHAKE); | 731 GotoState(STATE_HANDSHAKE); |
| 735 } else { | 732 } else { |
| 736 LOG(ERROR) << "handshake failed; returned " << rv | 733 LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code " |
| 737 << ", SSL error code " << ssl_error | 734 << ssl_error << ", net_error " << net_error; |
| 738 << ", net_error " << net_error; | |
| 739 net_log_.AddEvent( | 735 net_log_.AddEvent( |
| 740 NetLog::TYPE_SSL_HANDSHAKE_ERROR, | 736 NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
| 741 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); | 737 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); |
| 742 } | 738 } |
| 743 } | 739 } |
| 744 return net_error; | 740 return net_error; |
| 745 } | 741 } |
| 746 | 742 |
| 747 void SSLServerSocketOpenSSL::DoHandshakeCallback(int rv) { | 743 void SSLServerSocketImpl::DoHandshakeCallback(int rv) { |
| 748 DCHECK_NE(rv, ERR_IO_PENDING); | 744 DCHECK_NE(rv, ERR_IO_PENDING); |
| 749 base::ResetAndReturn(&user_handshake_callback_).Run(rv > OK ? OK : rv); | 745 base::ResetAndReturn(&user_handshake_callback_).Run(rv > OK ? OK : rv); |
| 750 } | 746 } |
| 751 | 747 |
| 752 void SSLServerSocketOpenSSL::DoReadCallback(int rv) { | 748 void SSLServerSocketImpl::DoReadCallback(int rv) { |
| 753 DCHECK(rv != ERR_IO_PENDING); | 749 DCHECK(rv != ERR_IO_PENDING); |
| 754 DCHECK(!user_read_callback_.is_null()); | 750 DCHECK(!user_read_callback_.is_null()); |
| 755 | 751 |
| 756 user_read_buf_ = NULL; | 752 user_read_buf_ = NULL; |
| 757 user_read_buf_len_ = 0; | 753 user_read_buf_len_ = 0; |
| 758 base::ResetAndReturn(&user_read_callback_).Run(rv); | 754 base::ResetAndReturn(&user_read_callback_).Run(rv); |
| 759 } | 755 } |
| 760 | 756 |
| 761 void SSLServerSocketOpenSSL::DoWriteCallback(int rv) { | 757 void SSLServerSocketImpl::DoWriteCallback(int rv) { |
| 762 DCHECK(rv != ERR_IO_PENDING); | 758 DCHECK(rv != ERR_IO_PENDING); |
| 763 DCHECK(!user_write_callback_.is_null()); | 759 DCHECK(!user_write_callback_.is_null()); |
| 764 | 760 |
| 765 user_write_buf_ = NULL; | 761 user_write_buf_ = NULL; |
| 766 user_write_buf_len_ = 0; | 762 user_write_buf_len_ = 0; |
| 767 base::ResetAndReturn(&user_write_callback_).Run(rv); | 763 base::ResetAndReturn(&user_write_callback_).Run(rv); |
| 768 } | 764 } |
| 769 | 765 |
| 770 int SSLServerSocketOpenSSL::Init() { | 766 int SSLServerSocketImpl::Init() { |
| 771 DCHECK(!transport_bio_); | 767 DCHECK(!transport_bio_); |
| 772 | 768 |
| 773 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 769 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 774 | 770 |
| 775 if (!ssl_) | 771 if (!ssl_) |
| 776 return ERR_UNEXPECTED; | 772 return ERR_UNEXPECTED; |
| 777 | 773 |
| 778 BIO* ssl_bio = NULL; | 774 BIO* ssl_bio = NULL; |
| 779 // 0 => use default buffer sizes. | 775 // 0 => use default buffer sizes. |
| 780 if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_, 0)) | 776 if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_, 0)) |
| 781 return ERR_UNEXPECTED; | 777 return ERR_UNEXPECTED; |
| 782 DCHECK(ssl_bio); | 778 DCHECK(ssl_bio); |
| 783 DCHECK(transport_bio_); | 779 DCHECK(transport_bio_); |
| 784 | 780 |
| 785 SSL_set_bio(ssl_, ssl_bio, ssl_bio); | 781 SSL_set_bio(ssl_, ssl_bio, ssl_bio); |
| 786 | 782 |
| 787 return OK; | 783 return OK; |
| 788 } | 784 } |
| 789 | 785 |
| 790 // static | 786 // static |
| 791 int SSLServerSocketOpenSSL::CertVerifyCallback(X509_STORE_CTX* store_ctx, | 787 int SSLServerSocketImpl::CertVerifyCallback(X509_STORE_CTX* store_ctx, |
| 792 void* arg) { | 788 void* arg) { |
| 793 ClientCertVerifier* verifier = reinterpret_cast<ClientCertVerifier*>(arg); | 789 ClientCertVerifier* verifier = reinterpret_cast<ClientCertVerifier*>(arg); |
| 794 // If a verifier was not supplied, all certificates are accepted. | 790 // If a verifier was not supplied, all certificates are accepted. |
| 795 if (!verifier) | 791 if (!verifier) |
| 796 return 1; | 792 return 1; |
| 797 STACK_OF(X509)* chain = store_ctx->untrusted; | 793 STACK_OF(X509)* chain = store_ctx->untrusted; |
| 798 scoped_refptr<X509Certificate> client_cert( | 794 scoped_refptr<X509Certificate> client_cert( |
| 799 CreateX509Certificate(nullptr, chain)); | 795 CreateX509Certificate(nullptr, chain)); |
| 800 if (!client_cert.get()) { | 796 if (!client_cert.get()) { |
| 801 X509_STORE_CTX_set_error(store_ctx, X509_V_ERR_CERT_REJECTED); | 797 X509_STORE_CTX_set_error(store_ctx, X509_V_ERR_CERT_REJECTED); |
| 802 return 0; | 798 return 0; |
| (...skipping 14 matching lines...) Expand all Loading... |
| 817 return 1; | 813 return 1; |
| 818 } | 814 } |
| 819 | 815 |
| 820 } // namespace | 816 } // namespace |
| 821 | 817 |
| 822 std::unique_ptr<SSLServerContext> CreateSSLServerContext( | 818 std::unique_ptr<SSLServerContext> CreateSSLServerContext( |
| 823 X509Certificate* certificate, | 819 X509Certificate* certificate, |
| 824 const crypto::RSAPrivateKey& key, | 820 const crypto::RSAPrivateKey& key, |
| 825 const SSLServerConfig& ssl_server_config) { | 821 const SSLServerConfig& ssl_server_config) { |
| 826 return std::unique_ptr<SSLServerContext>( | 822 return std::unique_ptr<SSLServerContext>( |
| 827 new SSLServerContextOpenSSL(certificate, key, ssl_server_config)); | 823 new SSLServerContextImpl(certificate, key, ssl_server_config)); |
| 828 } | 824 } |
| 829 | 825 |
| 830 SSLServerContextOpenSSL::SSLServerContextOpenSSL( | 826 SSLServerContextImpl::SSLServerContextImpl( |
| 831 X509Certificate* certificate, | 827 X509Certificate* certificate, |
| 832 const crypto::RSAPrivateKey& key, | 828 const crypto::RSAPrivateKey& key, |
| 833 const SSLServerConfig& ssl_server_config) | 829 const SSLServerConfig& ssl_server_config) |
| 834 : ssl_server_config_(ssl_server_config), | 830 : ssl_server_config_(ssl_server_config), |
| 835 cert_(certificate), | 831 cert_(certificate), |
| 836 key_(key.Copy()) { | 832 key_(key.Copy()) { |
| 837 CHECK(key_); | 833 CHECK(key_); |
| 838 crypto::EnsureOpenSSLInit(); | 834 crypto::EnsureOpenSSLInit(); |
| 839 ssl_ctx_.reset(SSL_CTX_new(TLS_method())); | 835 ssl_ctx_.reset(SSL_CTX_new(TLS_method())); |
| 840 SSL_CTX_set_session_cache_mode(ssl_ctx_.get(), SSL_SESS_CACHE_SERVER); | 836 SSL_CTX_set_session_cache_mode(ssl_ctx_.get(), SSL_SESS_CACHE_SERVER); |
| 841 uint8_t session_ctx_id = 0; | 837 uint8_t session_ctx_id = 0; |
| 842 SSL_CTX_set_session_id_context(ssl_ctx_.get(), &session_ctx_id, | 838 SSL_CTX_set_session_id_context(ssl_ctx_.get(), &session_ctx_id, |
| 843 sizeof(session_ctx_id)); | 839 sizeof(session_ctx_id)); |
| 844 | 840 |
| 845 int verify_mode = 0; | 841 int verify_mode = 0; |
| 846 switch (ssl_server_config_.client_cert_type) { | 842 switch (ssl_server_config_.client_cert_type) { |
| 847 case SSLServerConfig::ClientCertType::REQUIRE_CLIENT_CERT: | 843 case SSLServerConfig::ClientCertType::REQUIRE_CLIENT_CERT: |
| 848 verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; | 844 verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; |
| 849 // Fall-through | 845 // Fall-through |
| 850 case SSLServerConfig::ClientCertType::OPTIONAL_CLIENT_CERT: | 846 case SSLServerConfig::ClientCertType::OPTIONAL_CLIENT_CERT: |
| 851 verify_mode |= SSL_VERIFY_PEER; | 847 verify_mode |= SSL_VERIFY_PEER; |
| 852 SSL_CTX_set_verify(ssl_ctx_.get(), verify_mode, nullptr); | 848 SSL_CTX_set_verify(ssl_ctx_.get(), verify_mode, nullptr); |
| 853 SSL_CTX_set_cert_verify_callback( | 849 SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), |
| 854 ssl_ctx_.get(), SSLServerSocketOpenSSL::CertVerifyCallback, | 850 SSLServerSocketImpl::CertVerifyCallback, |
| 855 ssl_server_config_.client_cert_verifier); | 851 ssl_server_config_.client_cert_verifier); |
| 856 break; | 852 break; |
| 857 case SSLServerConfig::ClientCertType::NO_CLIENT_CERT: | 853 case SSLServerConfig::ClientCertType::NO_CLIENT_CERT: |
| 858 break; | 854 break; |
| 859 } | 855 } |
| 860 | 856 |
| 861 // Set certificate and private key. | 857 // Set certificate and private key. |
| 862 DCHECK(cert_->os_cert_handle()); | 858 DCHECK(cert_->os_cert_handle()); |
| 863 #if defined(USE_OPENSSL_CERTS) | 859 #if defined(USE_OPENSSL_CERTS) |
| 864 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), cert_->os_cert_handle())); | 860 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), cert_->os_cert_handle())); |
| 865 #else | 861 #else |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 934 const uint8_t* name = reinterpret_cast<const uint8_t*>(authority.c_str()); | 930 const uint8_t* name = reinterpret_cast<const uint8_t*>(authority.c_str()); |
| 935 const uint8_t* name_start = name; | 931 const uint8_t* name_start = name; |
| 936 ScopedX509_NAME subj(d2i_X509_NAME(nullptr, &name, authority.length())); | 932 ScopedX509_NAME subj(d2i_X509_NAME(nullptr, &name, authority.length())); |
| 937 CHECK(subj && name == name_start + authority.length()); | 933 CHECK(subj && name == name_start + authority.length()); |
| 938 sk_X509_NAME_push(stack.get(), subj.release()); | 934 sk_X509_NAME_push(stack.get(), subj.release()); |
| 939 } | 935 } |
| 940 SSL_CTX_set_client_CA_list(ssl_ctx_.get(), stack.release()); | 936 SSL_CTX_set_client_CA_list(ssl_ctx_.get(), stack.release()); |
| 941 } | 937 } |
| 942 } | 938 } |
| 943 | 939 |
| 944 SSLServerContextOpenSSL::~SSLServerContextOpenSSL() {} | 940 SSLServerContextImpl::~SSLServerContextImpl() {} |
| 945 | 941 |
| 946 std::unique_ptr<SSLServerSocket> SSLServerContextOpenSSL::CreateSSLServerSocket( | 942 std::unique_ptr<SSLServerSocket> SSLServerContextImpl::CreateSSLServerSocket( |
| 947 std::unique_ptr<StreamSocket> socket) { | 943 std::unique_ptr<StreamSocket> socket) { |
| 948 SSL* ssl = SSL_new(ssl_ctx_.get()); | 944 SSL* ssl = SSL_new(ssl_ctx_.get()); |
| 949 return std::unique_ptr<SSLServerSocket>( | 945 return std::unique_ptr<SSLServerSocket>( |
| 950 new SSLServerSocketOpenSSL(std::move(socket), ssl)); | 946 new SSLServerSocketImpl(std::move(socket), ssl)); |
| 951 } | 947 } |
| 952 | 948 |
| 953 void EnableSSLServerSockets() { | 949 void EnableSSLServerSockets() { |
| 954 // No-op because CreateSSLServerSocket() calls crypto::EnsureOpenSSLInit(). | 950 // No-op because CreateSSLServerSocket() calls crypto::EnsureOpenSSLInit(). |
| 955 } | 951 } |
| 956 | 952 |
| 957 } // namespace net | 953 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1921563003:
Renaming _openssl files to _impl (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master