| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
| (...skipping 368 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 379 | 379 |
| 380 // Must increase the reference count manually for sk_X509_dup | 380 // Must increase the reference count manually for sk_X509_dup |
| 381 openssl_chain_.reset(sk_X509_dup(other.openssl_chain_.get())); | 381 openssl_chain_.reset(sk_X509_dup(other.openssl_chain_.get())); |
| 382 for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) { | 382 for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) { |
| 383 X509* x = sk_X509_value(openssl_chain_.get(), i); | 383 X509* x = sk_X509_value(openssl_chain_.get(), i); |
| 384 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); | 384 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); |
| 385 } | 385 } |
| 386 return *this; | 386 return *this; |
| 387 } | 387 } |
| 388 | 388 |
| 389 #if defined(USE_OPENSSL) | 389 #if defined(USE_OPENSSL_CERTS) || defined(OS_ANDROID) |
| 390 // When OSCertHandle is typedef'ed to X509, this implementation does a short cut | 390 // When OSCertHandle is typedef'ed to X509, this implementation does a short cut |
| 391 // to avoid converting back and forth between der and X509 struct. | 391 // to avoid converting back and forth between der and X509 struct. |
| 392 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(SSL* ssl) { | 392 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(SSL* ssl) { |
| 393 openssl_chain_.reset(NULL); | 393 openssl_chain_.reset(NULL); |
| 394 os_chain_ = NULL; | 394 os_chain_ = NULL; |
| 395 | 395 |
| 396 if (ssl == NULL) | 396 if (ssl == NULL) |
| 397 return; | 397 return; |
| 398 | 398 |
| 399 STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl); | 399 STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl); |
| (...skipping 10 matching lines...) Expand all Loading... |
| 410 // sk_X509_dup does not increase reference count on the certs in the stack. | 410 // sk_X509_dup does not increase reference count on the certs in the stack. |
| 411 openssl_chain_.reset(sk_X509_dup(chain)); | 411 openssl_chain_.reset(sk_X509_dup(chain)); |
| 412 | 412 |
| 413 std::vector<base::StringPiece> der_chain; | 413 std::vector<base::StringPiece> der_chain; |
| 414 for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) { | 414 for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) { |
| 415 X509* x = sk_X509_value(openssl_chain_.get(), i); | 415 X509* x = sk_X509_value(openssl_chain_.get(), i); |
| 416 // Increase the reference count for the certs in openssl_chain_. | 416 // Increase the reference count for the certs in openssl_chain_. |
| 417 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); | 417 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); |
| 418 } | 418 } |
| 419 } | 419 } |
| 420 #else // !defined(USE_OPENSSL) | 420 #else // !defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID) |
| 421 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(SSL* ssl) { | 421 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(SSL* ssl) { |
| 422 openssl_chain_.reset(NULL); | 422 openssl_chain_.reset(NULL); |
| 423 os_chain_ = NULL; | 423 os_chain_ = NULL; |
| 424 | 424 |
| 425 if (ssl == NULL) | 425 if (ssl == NULL) |
| 426 return; | 426 return; |
| 427 | 427 |
| 428 STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl); | 428 STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl); |
| 429 if (!chain) | 429 if (!chain) |
| 430 return; | 430 return; |
| (...skipping 20 matching lines...) Expand all Loading... |
| 451 for (size_t i = 0; i < der_chain.size(); ++i) { | 451 for (size_t i = 0; i < der_chain.size(); ++i) { |
| 452 OPENSSL_free(const_cast<char*>(der_chain[i].data())); | 452 OPENSSL_free(const_cast<char*>(der_chain[i].data())); |
| 453 } | 453 } |
| 454 | 454 |
| 455 if (der_chain.size() != | 455 if (der_chain.size() != |
| 456 static_cast<size_t>(sk_X509_num(openssl_chain_.get()))) { | 456 static_cast<size_t>(sk_X509_num(openssl_chain_.get()))) { |
| 457 openssl_chain_.reset(NULL); | 457 openssl_chain_.reset(NULL); |
| 458 os_chain_ = NULL; | 458 os_chain_ = NULL; |
| 459 } | 459 } |
| 460 } | 460 } |
| 461 #endif // USE_OPENSSL | 461 #endif // defined(USE_OPENSSL_CERTS) || defined(OS_ANDROID) |
| 462 | 462 |
| 463 // static | 463 // static |
| 464 SSLSessionCacheOpenSSL::Config | 464 SSLSessionCacheOpenSSL::Config |
| 465 SSLClientSocketOpenSSL::SSLContext::kDefaultSessionCacheConfig = { | 465 SSLClientSocketOpenSSL::SSLContext::kDefaultSessionCacheConfig = { |
| 466 &GetSessionCacheKey, // key_func | 466 &GetSessionCacheKey, // key_func |
| 467 1024, // max_entries | 467 1024, // max_entries |
| 468 256, // expiration_check_count | 468 256, // expiration_check_count |
| 469 60 * 60, // timeout_seconds | 469 60 * 60, // timeout_seconds |
| 470 }; | 470 }; |
| 471 | 471 |
| 472 // static | 472 // static |
| 473 void SSLClientSocket::ClearSessionCache() { | 473 void SSLClientSocket::ClearSessionCache() { |
| 474 SSLClientSocketOpenSSL::SSLContext* context = | 474 SSLClientSocketOpenSSL::SSLContext* context = |
| 475 SSLClientSocketOpenSSL::SSLContext::GetInstance(); | 475 SSLClientSocketOpenSSL::SSLContext::GetInstance(); |
| 476 context->session_cache()->Flush(); | 476 context->session_cache()->Flush(); |
| 477 #if defined(USE_OPENSSL_CERTS) || defined(OS_ANDROID) |
| 477 OpenSSLClientKeyStore::GetInstance()->Flush(); | 478 OpenSSLClientKeyStore::GetInstance()->Flush(); |
| 479 #endif |
| 478 } | 480 } |
| 479 | 481 |
| 480 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( | 482 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( |
| 481 scoped_ptr<ClientSocketHandle> transport_socket, | 483 scoped_ptr<ClientSocketHandle> transport_socket, |
| 482 const HostPortPair& host_and_port, | 484 const HostPortPair& host_and_port, |
| 483 const SSLConfig& ssl_config, | 485 const SSLConfig& ssl_config, |
| 484 const SSLClientSocketContext& context) | 486 const SSLClientSocketContext& context) |
| 485 : transport_send_busy_(false), | 487 : transport_send_busy_(false), |
| 486 transport_recv_busy_(false), | 488 transport_recv_busy_(false), |
| 487 transport_recv_eof_(false), | 489 transport_recv_eof_(false), |
| (...skipping 918 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1406 return result; | 1408 return result; |
| 1407 } | 1409 } |
| 1408 | 1410 |
| 1409 int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl, | 1411 int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl, |
| 1410 X509** x509, | 1412 X509** x509, |
| 1411 EVP_PKEY** pkey) { | 1413 EVP_PKEY** pkey) { |
| 1412 DVLOG(3) << "OpenSSL ClientCertRequestCallback called"; | 1414 DVLOG(3) << "OpenSSL ClientCertRequestCallback called"; |
| 1413 DCHECK(ssl == ssl_); | 1415 DCHECK(ssl == ssl_); |
| 1414 DCHECK(*x509 == NULL); | 1416 DCHECK(*x509 == NULL); |
| 1415 DCHECK(*pkey == NULL); | 1417 DCHECK(*pkey == NULL); |
| 1416 | 1418 #if defined(USE_OPENSSL_CERTS) || defined(OS_ANDROID) |
| 1417 if (!ssl_config_.send_client_cert) { | 1419 if (!ssl_config_.send_client_cert) { |
| 1418 // First pass: we know that a client certificate is needed, but we do not | 1420 // First pass: we know that a client certificate is needed, but we do not |
| 1419 // have one at hand. | 1421 // have one at hand. |
| 1420 client_auth_cert_needed_ = true; | 1422 client_auth_cert_needed_ = true; |
| 1421 STACK_OF(X509_NAME) *authorities = SSL_get_client_CA_list(ssl); | 1423 STACK_OF(X509_NAME) *authorities = SSL_get_client_CA_list(ssl); |
| 1422 for (int i = 0; i < sk_X509_NAME_num(authorities); i++) { | 1424 for (int i = 0; i < sk_X509_NAME_num(authorities); i++) { |
| 1423 X509_NAME *ca_name = (X509_NAME *)sk_X509_NAME_value(authorities, i); | 1425 X509_NAME *ca_name = (X509_NAME *)sk_X509_NAME_value(authorities, i); |
| 1424 unsigned char* str = NULL; | 1426 unsigned char* str = NULL; |
| 1425 int length = i2d_X509_NAME(ca_name, &str); | 1427 int length = i2d_X509_NAME(ca_name, &str); |
| 1426 cert_authorities_.push_back(std::string( | 1428 cert_authorities_.push_back(std::string( |
| (...skipping 16 matching lines...) Expand all Loading... |
| 1443 ssl_config_.client_cert.get(), &privkey)) { | 1445 ssl_config_.client_cert.get(), &privkey)) { |
| 1444 // TODO(joth): (copied from NSS) We should wait for server certificate | 1446 // TODO(joth): (copied from NSS) We should wait for server certificate |
| 1445 // verification before sending our credentials. See http://crbug.com/13934 | 1447 // verification before sending our credentials. See http://crbug.com/13934 |
| 1446 *x509 = X509Certificate::DupOSCertHandle( | 1448 *x509 = X509Certificate::DupOSCertHandle( |
| 1447 ssl_config_.client_cert->os_cert_handle()); | 1449 ssl_config_.client_cert->os_cert_handle()); |
| 1448 *pkey = privkey.release(); | 1450 *pkey = privkey.release(); |
| 1449 return 1; | 1451 return 1; |
| 1450 } | 1452 } |
| 1451 LOG(WARNING) << "Client cert found without private key"; | 1453 LOG(WARNING) << "Client cert found without private key"; |
| 1452 } | 1454 } |
| 1455 #else // !defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID) |
| 1456 // OS handling of client certificates is not yet implemented. |
| 1457 NOTIMPLEMENTED(); |
| 1458 #endif // defined(USE_OPENSSL_CERTS) || defined(OS_ANDROID) |
| 1453 | 1459 |
| 1454 // Send no client certificate. | 1460 // Send no client certificate. |
| 1455 return 0; | 1461 return 0; |
| 1456 } | 1462 } |
| 1457 | 1463 |
| 1458 void SSLClientSocketOpenSSL::ChannelIDRequestCallback(SSL* ssl, | 1464 void SSLClientSocketOpenSSL::ChannelIDRequestCallback(SSL* ssl, |
| 1459 EVP_PKEY** pkey) { | 1465 EVP_PKEY** pkey) { |
| 1460 DVLOG(3) << "OpenSSL ChannelIDRequestCallback called"; | 1466 DVLOG(3) << "OpenSSL ChannelIDRequestCallback called"; |
| 1461 DCHECK_EQ(ssl, ssl_); | 1467 DCHECK_EQ(ssl, ssl_); |
| 1462 DCHECK(!*pkey); | 1468 DCHECK(!*pkey); |
| (...skipping 99 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1562 #endif | 1568 #endif |
| 1563 return SSL_TLSEXT_ERR_OK; | 1569 return SSL_TLSEXT_ERR_OK; |
| 1564 } | 1570 } |
| 1565 | 1571 |
| 1566 scoped_refptr<X509Certificate> | 1572 scoped_refptr<X509Certificate> |
| 1567 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1573 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
| 1568 return server_cert_; | 1574 return server_cert_; |
| 1569 } | 1575 } |
| 1570 | 1576 |
| 1571 } // namespace net | 1577 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 206453002:
Introduce USE_OPENSSL_CERTS for certificate handling. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master