OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
(...skipping 368 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
379 | 379 |
380 // Must increase the reference count manually for sk_X509_dup | 380 // Must increase the reference count manually for sk_X509_dup |
381 openssl_chain_.reset(sk_X509_dup(other.openssl_chain_.get())); | 381 openssl_chain_.reset(sk_X509_dup(other.openssl_chain_.get())); |
382 for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) { | 382 for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) { |
383 X509* x = sk_X509_value(openssl_chain_.get(), i); | 383 X509* x = sk_X509_value(openssl_chain_.get(), i); |
384 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); | 384 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); |
385 } | 385 } |
386 return *this; | 386 return *this; |
387 } | 387 } |
388 | 388 |
389 #if defined(USE_OPENSSL) | 389 #if defined(USE_OPENSSL_CERTS) || defined(OS_ANDROID) |
390 // When OSCertHandle is typedef'ed to X509, this implementation does a short cut | 390 // When OSCertHandle is typedef'ed to X509, this implementation does a short cut |
391 // to avoid converting back and forth between der and X509 struct. | 391 // to avoid converting back and forth between der and X509 struct. |
392 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(SSL* ssl) { | 392 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(SSL* ssl) { |
393 openssl_chain_.reset(NULL); | 393 openssl_chain_.reset(NULL); |
394 os_chain_ = NULL; | 394 os_chain_ = NULL; |
395 | 395 |
396 if (ssl == NULL) | 396 if (ssl == NULL) |
397 return; | 397 return; |
398 | 398 |
399 STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl); | 399 STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl); |
(...skipping 10 matching lines...) Expand all Loading... |
410 // sk_X509_dup does not increase reference count on the certs in the stack. | 410 // sk_X509_dup does not increase reference count on the certs in the stack. |
411 openssl_chain_.reset(sk_X509_dup(chain)); | 411 openssl_chain_.reset(sk_X509_dup(chain)); |
412 | 412 |
413 std::vector<base::StringPiece> der_chain; | 413 std::vector<base::StringPiece> der_chain; |
414 for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) { | 414 for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) { |
415 X509* x = sk_X509_value(openssl_chain_.get(), i); | 415 X509* x = sk_X509_value(openssl_chain_.get(), i); |
416 // Increase the reference count for the certs in openssl_chain_. | 416 // Increase the reference count for the certs in openssl_chain_. |
417 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); | 417 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); |
418 } | 418 } |
419 } | 419 } |
420 #else // !defined(USE_OPENSSL) | 420 #else // !defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID) |
421 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(SSL* ssl) { | 421 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(SSL* ssl) { |
422 openssl_chain_.reset(NULL); | 422 openssl_chain_.reset(NULL); |
423 os_chain_ = NULL; | 423 os_chain_ = NULL; |
424 | 424 |
425 if (ssl == NULL) | 425 if (ssl == NULL) |
426 return; | 426 return; |
427 | 427 |
428 STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl); | 428 STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl); |
429 if (!chain) | 429 if (!chain) |
430 return; | 430 return; |
(...skipping 20 matching lines...) Expand all Loading... |
451 for (size_t i = 0; i < der_chain.size(); ++i) { | 451 for (size_t i = 0; i < der_chain.size(); ++i) { |
452 OPENSSL_free(const_cast<char*>(der_chain[i].data())); | 452 OPENSSL_free(const_cast<char*>(der_chain[i].data())); |
453 } | 453 } |
454 | 454 |
455 if (der_chain.size() != | 455 if (der_chain.size() != |
456 static_cast<size_t>(sk_X509_num(openssl_chain_.get()))) { | 456 static_cast<size_t>(sk_X509_num(openssl_chain_.get()))) { |
457 openssl_chain_.reset(NULL); | 457 openssl_chain_.reset(NULL); |
458 os_chain_ = NULL; | 458 os_chain_ = NULL; |
459 } | 459 } |
460 } | 460 } |
461 #endif // USE_OPENSSL | 461 #endif // defined(USE_OPENSSL_CERTS) || defined(OS_ANDROID) |
462 | 462 |
463 // static | 463 // static |
464 SSLSessionCacheOpenSSL::Config | 464 SSLSessionCacheOpenSSL::Config |
465 SSLClientSocketOpenSSL::SSLContext::kDefaultSessionCacheConfig = { | 465 SSLClientSocketOpenSSL::SSLContext::kDefaultSessionCacheConfig = { |
466 &GetSessionCacheKey, // key_func | 466 &GetSessionCacheKey, // key_func |
467 1024, // max_entries | 467 1024, // max_entries |
468 256, // expiration_check_count | 468 256, // expiration_check_count |
469 60 * 60, // timeout_seconds | 469 60 * 60, // timeout_seconds |
470 }; | 470 }; |
471 | 471 |
472 // static | 472 // static |
473 void SSLClientSocket::ClearSessionCache() { | 473 void SSLClientSocket::ClearSessionCache() { |
474 SSLClientSocketOpenSSL::SSLContext* context = | 474 SSLClientSocketOpenSSL::SSLContext* context = |
475 SSLClientSocketOpenSSL::SSLContext::GetInstance(); | 475 SSLClientSocketOpenSSL::SSLContext::GetInstance(); |
476 context->session_cache()->Flush(); | 476 context->session_cache()->Flush(); |
| 477 #if defined(USE_OPENSSL_CERTS) || defined(OS_ANDROID) |
477 OpenSSLClientKeyStore::GetInstance()->Flush(); | 478 OpenSSLClientKeyStore::GetInstance()->Flush(); |
| 479 #endif |
478 } | 480 } |
479 | 481 |
480 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( | 482 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( |
481 scoped_ptr<ClientSocketHandle> transport_socket, | 483 scoped_ptr<ClientSocketHandle> transport_socket, |
482 const HostPortPair& host_and_port, | 484 const HostPortPair& host_and_port, |
483 const SSLConfig& ssl_config, | 485 const SSLConfig& ssl_config, |
484 const SSLClientSocketContext& context) | 486 const SSLClientSocketContext& context) |
485 : transport_send_busy_(false), | 487 : transport_send_busy_(false), |
486 transport_recv_busy_(false), | 488 transport_recv_busy_(false), |
487 transport_recv_eof_(false), | 489 transport_recv_eof_(false), |
(...skipping 918 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1406 return result; | 1408 return result; |
1407 } | 1409 } |
1408 | 1410 |
1409 int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl, | 1411 int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl, |
1410 X509** x509, | 1412 X509** x509, |
1411 EVP_PKEY** pkey) { | 1413 EVP_PKEY** pkey) { |
1412 DVLOG(3) << "OpenSSL ClientCertRequestCallback called"; | 1414 DVLOG(3) << "OpenSSL ClientCertRequestCallback called"; |
1413 DCHECK(ssl == ssl_); | 1415 DCHECK(ssl == ssl_); |
1414 DCHECK(*x509 == NULL); | 1416 DCHECK(*x509 == NULL); |
1415 DCHECK(*pkey == NULL); | 1417 DCHECK(*pkey == NULL); |
1416 | 1418 #if defined(USE_OPENSSL_CERTS) || defined(OS_ANDROID) |
1417 if (!ssl_config_.send_client_cert) { | 1419 if (!ssl_config_.send_client_cert) { |
1418 // First pass: we know that a client certificate is needed, but we do not | 1420 // First pass: we know that a client certificate is needed, but we do not |
1419 // have one at hand. | 1421 // have one at hand. |
1420 client_auth_cert_needed_ = true; | 1422 client_auth_cert_needed_ = true; |
1421 STACK_OF(X509_NAME) *authorities = SSL_get_client_CA_list(ssl); | 1423 STACK_OF(X509_NAME) *authorities = SSL_get_client_CA_list(ssl); |
1422 for (int i = 0; i < sk_X509_NAME_num(authorities); i++) { | 1424 for (int i = 0; i < sk_X509_NAME_num(authorities); i++) { |
1423 X509_NAME *ca_name = (X509_NAME *)sk_X509_NAME_value(authorities, i); | 1425 X509_NAME *ca_name = (X509_NAME *)sk_X509_NAME_value(authorities, i); |
1424 unsigned char* str = NULL; | 1426 unsigned char* str = NULL; |
1425 int length = i2d_X509_NAME(ca_name, &str); | 1427 int length = i2d_X509_NAME(ca_name, &str); |
1426 cert_authorities_.push_back(std::string( | 1428 cert_authorities_.push_back(std::string( |
(...skipping 16 matching lines...) Expand all Loading... |
1443 ssl_config_.client_cert.get(), &privkey)) { | 1445 ssl_config_.client_cert.get(), &privkey)) { |
1444 // TODO(joth): (copied from NSS) We should wait for server certificate | 1446 // TODO(joth): (copied from NSS) We should wait for server certificate |
1445 // verification before sending our credentials. See http://crbug.com/13934 | 1447 // verification before sending our credentials. See http://crbug.com/13934 |
1446 *x509 = X509Certificate::DupOSCertHandle( | 1448 *x509 = X509Certificate::DupOSCertHandle( |
1447 ssl_config_.client_cert->os_cert_handle()); | 1449 ssl_config_.client_cert->os_cert_handle()); |
1448 *pkey = privkey.release(); | 1450 *pkey = privkey.release(); |
1449 return 1; | 1451 return 1; |
1450 } | 1452 } |
1451 LOG(WARNING) << "Client cert found without private key"; | 1453 LOG(WARNING) << "Client cert found without private key"; |
1452 } | 1454 } |
| 1455 #else // !defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID) |
| 1456 // OS handling of client certificates is not yet implemented. |
| 1457 NOTIMPLEMENTED(); |
| 1458 #endif // defined(USE_OPENSSL_CERTS) || defined(OS_ANDROID) |
1453 | 1459 |
1454 // Send no client certificate. | 1460 // Send no client certificate. |
1455 return 0; | 1461 return 0; |
1456 } | 1462 } |
1457 | 1463 |
1458 void SSLClientSocketOpenSSL::ChannelIDRequestCallback(SSL* ssl, | 1464 void SSLClientSocketOpenSSL::ChannelIDRequestCallback(SSL* ssl, |
1459 EVP_PKEY** pkey) { | 1465 EVP_PKEY** pkey) { |
1460 DVLOG(3) << "OpenSSL ChannelIDRequestCallback called"; | 1466 DVLOG(3) << "OpenSSL ChannelIDRequestCallback called"; |
1461 DCHECK_EQ(ssl, ssl_); | 1467 DCHECK_EQ(ssl, ssl_); |
1462 DCHECK(!*pkey); | 1468 DCHECK(!*pkey); |
(...skipping 99 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1562 #endif | 1568 #endif |
1563 return SSL_TLSEXT_ERR_OK; | 1569 return SSL_TLSEXT_ERR_OK; |
1564 } | 1570 } |
1565 | 1571 |
1566 scoped_refptr<X509Certificate> | 1572 scoped_refptr<X509Certificate> |
1567 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1573 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
1568 return server_cert_; | 1574 return server_cert_; |
1569 } | 1575 } |
1570 | 1576 |
1571 } // namespace net | 1577 } // namespace net |
OLD | NEW |