1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
1495 *pkey = EVP_PKEY_dup(ec_private_key->key()); | 1495 *pkey = EVP_PKEY_dup(ec_private_key->key()); |
1496 } | 1496 } |
1497 | 1497 |
1498 int SSLClientSocketOpenSSL::CertVerifyCallback(X509_STORE_CTX* store_ctx) { | 1498 int SSLClientSocketOpenSSL::CertVerifyCallback(X509_STORE_CTX* store_ctx) { |
1499 if (!completed_handshake_) { | 1499 if (!completed_handshake_) { |
1500 // If the first handshake hasn't completed then we accept any certificates | 1500 // If the first handshake hasn't completed then we accept any certificates |
1501 // because we verify after the handshake. | 1501 // because we verify after the handshake. |
1502 return 1; | 1502 return 1; |
1503 } | 1503 } |
1504 | 1504 |
1505 if (X509Certificate::IsSameOSCert(server_cert_->os_cert_handle(), | 1505 std::string der_current_cert; |
1506 sk_X509_value(store_ctx->untrusted, 0))) { | 1506 if (!X509Certificate::GetDEREncoded(server_cert_->os_cert_handle(), |
1507 &der_current_cert)) { | |
1508 LOG(ERROR) << "Failed to get current certificate in DER form"; | |
1509 return 0; | |
1510 } | |
1511 | |
1512 X509* leaf_cert = sk_X509_value(store_ctx->chain, 0); | |
1513 int len = i2d_X509(leaf_cert, NULL); | |
1514 if (len < 0) { | |
1515 LOG(ERROR) << "Failed to marshal certificate from renegotiation"; | |
1516 return 0; | |
1517 } | |
1518 | |
1519 scoped_ptr<uint8[]> der_leaf_cert(new uint8[len]); | |
1520 uint8 *outp = der_leaf_cert.get(); | |
1521 len = i2d_X509(leaf_cert, &outp); | |
1522 | |
1523 if (static_cast<size_t>(len) == der_current_cert.size() && | |
1524 memcmp(der_leaf_cert.get(), | |
1525 der_current_cert.data(), | |
1526 der_current_cert.size()) == 0) { | |
1527 // The certificates match so the renegotiation can continue. | |
Ryan Sleevi
2014/03/18 20:47:07
Why not convert the untrusted cert to an X509Certi
haavardm
2014/03/18 21:36:41
Not sure I understand. If I get this correctly, NS
| |
1507 return 1; | 1528 return 1; |
1508 } | 1529 } |
1509 | 1530 |
1510 LOG(ERROR) << "Server certificate changed between handshakes"; | 1531 LOG(ERROR) << "Server certificate changed between handshakes"; |
1511 return 0; | 1532 return 0; |
1512 } | 1533 } |
1513 | 1534 |
1514 // SelectNextProtoCallback is called by OpenSSL during the handshake. If the | 1535 // SelectNextProtoCallback is called by OpenSSL during the handshake. If the |
1515 // server supports NPN, selects a protocol from the list that the server | 1536 // server supports NPN, selects a protocol from the list that the server |
1516 // provides. According to third_party/openssl/openssl/ssl/ssl_lib.c, the | 1537 // provides. According to third_party/openssl/openssl/ssl/ssl_lib.c, the |
1562 #endif | 1583 #endif |
1563 return SSL_TLSEXT_ERR_OK; | 1584 return SSL_TLSEXT_ERR_OK; |
1564 } | 1585 } |
1565 | 1586 |
1566 scoped_refptr<X509Certificate> | 1587 scoped_refptr<X509Certificate> |
1567 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1588 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
1568 return server_cert_; | 1589 return server_cert_; |
1569 } | 1590 } |
1570 | 1591 |
1571 } // namespace net | 1592 } // namespace net |
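Review bot: The new leaf lookup at lines 1512–1513 passes `sk_X509_value(store_ctx->chain, 0)` straight into `i2d_X509` with no NULL check, and `sk_X509_value` returns NULL for a NULL stack or an out-of-range index; the commit also switches the source stack from `untrusted` (the peer-supplied chain the old code read) to `chain`, which in stock OpenSSL is only populated inside `X509_verify_cert` — the function an app-level cert-verify callback replaces — so unless Chromium's bundled OpenSSL differs, `chain` may be NULL whenever this callback runs. As far as I recall, `i2d_X509` on a NULL `X509*` returns 0 rather than a negative value, so the `len < 0` guard does not catch it; the comparison then fails closed only by accident, logging the misleading "Server certificate changed between handshakes" and rejecting every renegotiation. I would add an explicit guard before the first `i2d_X509`, `if (!leaf_cert) { LOG(ERROR) << "No leaf certificate in renegotiation chain"; return 0; }`, and confirm which stack is actually populated at this point in the handshake. The second `i2d_X509` call at line 1521 also goes unchecked; testing `if (len < 0 || static_cast<size_t>(len) != der_current_cert.size())` before the `memcmp` keeps an encoding failure on the second pass from being reported as a certificate change as well.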