OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <openssl/bio.h> | 8 #include <openssl/bio.h> |
9 #include <openssl/bytestring.h> | 9 #include <openssl/bytestring.h> |
10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
(...skipping 30 matching lines...) Expand all Loading... |
41 #include "net/cert/ct_policy_status.h" | 41 #include "net/cert/ct_policy_status.h" |
42 #include "net/cert/ct_verifier.h" | 42 #include "net/cert/ct_verifier.h" |
43 #include "net/cert/x509_certificate_net_log_param.h" | 43 #include "net/cert/x509_certificate_net_log_param.h" |
44 #include "net/cert/x509_util_openssl.h" | 44 #include "net/cert/x509_util_openssl.h" |
45 #include "net/http/transport_security_state.h" | 45 #include "net/http/transport_security_state.h" |
46 #include "net/ssl/scoped_openssl_types.h" | 46 #include "net/ssl/scoped_openssl_types.h" |
47 #include "net/ssl/ssl_cert_request_info.h" | 47 #include "net/ssl/ssl_cert_request_info.h" |
48 #include "net/ssl/ssl_cipher_suite_names.h" | 48 #include "net/ssl/ssl_cipher_suite_names.h" |
49 #include "net/ssl/ssl_client_session_cache.h" | 49 #include "net/ssl/ssl_client_session_cache.h" |
50 #include "net/ssl/ssl_connection_status_flags.h" | 50 #include "net/ssl/ssl_connection_status_flags.h" |
51 #include "net/ssl/ssl_failure_state.h" | |
52 #include "net/ssl/ssl_info.h" | 51 #include "net/ssl/ssl_info.h" |
53 #include "net/ssl/ssl_private_key.h" | 52 #include "net/ssl/ssl_private_key.h" |
54 #include "net/ssl/token_binding.h" | 53 #include "net/ssl/token_binding.h" |
55 | 54 |
56 #if !defined(OS_NACL) | 55 #if !defined(OS_NACL) |
57 #include "net/ssl/ssl_key_logger.h" | 56 #include "net/ssl/ssl_key_logger.h" |
58 #endif | 57 #endif |
59 | 58 |
60 #if defined(USE_NSS_CERTS) | 59 #if defined(USE_NSS_CERTS) |
61 #include "net/cert_net/nss_ocsp.h" | 60 #include "net/cert_net/nss_ocsp.h" |
(...skipping 442 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
504 transport_(std::move(transport_socket)), | 503 transport_(std::move(transport_socket)), |
505 host_and_port_(host_and_port), | 504 host_and_port_(host_and_port), |
506 ssl_config_(ssl_config), | 505 ssl_config_(ssl_config), |
507 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 506 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
508 next_handshake_state_(STATE_NONE), | 507 next_handshake_state_(STATE_NONE), |
509 disconnected_(false), | 508 disconnected_(false), |
510 npn_status_(kNextProtoUnsupported), | 509 npn_status_(kNextProtoUnsupported), |
511 channel_id_sent_(false), | 510 channel_id_sent_(false), |
512 session_pending_(false), | 511 session_pending_(false), |
513 certificate_verified_(false), | 512 certificate_verified_(false), |
514 ssl_failure_state_(SSL_FAILURE_NONE), | |
515 signature_result_(kNoPendingResult), | 513 signature_result_(kNoPendingResult), |
516 transport_security_state_(context.transport_security_state), | 514 transport_security_state_(context.transport_security_state), |
517 policy_enforcer_(context.ct_policy_enforcer), | 515 policy_enforcer_(context.ct_policy_enforcer), |
518 pkp_bypassed_(false), | 516 pkp_bypassed_(false), |
519 net_log_(transport_->socket()->NetLog()), | 517 net_log_(transport_->socket()->NetLog()), |
520 weak_factory_(this) { | 518 weak_factory_(this) { |
521 DCHECK(cert_verifier_); | 519 DCHECK(cert_verifier_); |
522 DCHECK(transport_security_state_); | 520 DCHECK(transport_security_state_); |
523 DCHECK(policy_enforcer_); | 521 DCHECK(policy_enforcer_); |
524 } | 522 } |
(...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
582 return ERR_FAILED; | 580 return ERR_FAILED; |
583 | 581 |
584 tb_signed_ekm_map_.Put(raw_public_key, *out); | 582 tb_signed_ekm_map_.Put(raw_public_key, *out); |
585 return OK; | 583 return OK; |
586 } | 584 } |
587 | 585 |
588 crypto::ECPrivateKey* SSLClientSocketImpl::GetChannelIDKey() const { | 586 crypto::ECPrivateKey* SSLClientSocketImpl::GetChannelIDKey() const { |
589 return channel_id_key_.get(); | 587 return channel_id_key_.get(); |
590 } | 588 } |
591 | 589 |
592 SSLFailureState SSLClientSocketImpl::GetSSLFailureState() const { | |
593 return ssl_failure_state_; | |
594 } | |
595 | |
596 int SSLClientSocketImpl::ExportKeyingMaterial(const base::StringPiece& label, | 590 int SSLClientSocketImpl::ExportKeyingMaterial(const base::StringPiece& label, |
597 bool has_context, | 591 bool has_context, |
598 const base::StringPiece& context, | 592 const base::StringPiece& context, |
599 unsigned char* out, | 593 unsigned char* out, |
600 unsigned int outlen) { | 594 unsigned int outlen) { |
601 if (!IsConnected()) | 595 if (!IsConnected()) |
602 return ERR_SOCKET_NOT_CONNECTED; | 596 return ERR_SOCKET_NOT_CONNECTED; |
603 | 597 |
604 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 598 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
605 | 599 |
(...skipping 94 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
700 start_cert_verification_time_ = base::TimeTicks(); | 694 start_cert_verification_time_ = base::TimeTicks(); |
701 | 695 |
702 npn_status_ = kNextProtoUnsupported; | 696 npn_status_ = kNextProtoUnsupported; |
703 npn_proto_.clear(); | 697 npn_proto_.clear(); |
704 | 698 |
705 channel_id_sent_ = false; | 699 channel_id_sent_ = false; |
706 tb_was_negotiated_ = false; | 700 tb_was_negotiated_ = false; |
707 session_pending_ = false; | 701 session_pending_ = false; |
708 certificate_verified_ = false; | 702 certificate_verified_ = false; |
709 channel_id_request_.Cancel(); | 703 channel_id_request_.Cancel(); |
710 ssl_failure_state_ = SSL_FAILURE_NONE; | |
711 | 704 |
712 signature_result_ = kNoPendingResult; | 705 signature_result_ = kNoPendingResult; |
713 signature_.clear(); | 706 signature_.clear(); |
714 } | 707 } |
715 | 708 |
716 bool SSLClientSocketImpl::IsConnected() const { | 709 bool SSLClientSocketImpl::IsConnected() const { |
717 // If the handshake has not yet completed. | 710 // If the handshake has not yet completed. |
718 if (!completed_connect_) | 711 if (!completed_connect_) |
719 return false; | 712 return false; |
720 // If an asynchronous operation is still pending. | 713 // If an asynchronous operation is still pending. |
(...skipping 408 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1129 // If not done, stay in this state | 1122 // If not done, stay in this state |
1130 next_handshake_state_ = STATE_HANDSHAKE; | 1123 next_handshake_state_ = STATE_HANDSHAKE; |
1131 return ERR_IO_PENDING; | 1124 return ERR_IO_PENDING; |
1132 } | 1125 } |
1133 | 1126 |
1134 LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code " | 1127 LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code " |
1135 << ssl_error << ", net_error " << net_error; | 1128 << ssl_error << ", net_error " << net_error; |
1136 net_log_.AddEvent( | 1129 net_log_.AddEvent( |
1137 NetLog::TYPE_SSL_HANDSHAKE_ERROR, | 1130 NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
1138 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); | 1131 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); |
1139 | |
1140 // Classify the handshake failure. This is used to determine causes of the | |
1141 // TLS version fallback. | |
1142 | |
1143 // |cipher| is the current outgoing cipher suite, so it is non-null iff | |
1144 // ChangeCipherSpec was sent. | |
1145 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); | |
1146 if (SSL_get_state(ssl_) == SSL3_ST_CR_SRVR_HELLO_A) { | |
1147 ssl_failure_state_ = SSL_FAILURE_CLIENT_HELLO; | |
1148 } else if (cipher && (SSL_CIPHER_get_id(cipher) == | |
1149 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256 || | |
1150 SSL_CIPHER_get_id(cipher) == | |
1151 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256)) { | |
1152 ssl_failure_state_ = SSL_FAILURE_BUGGY_GCM; | |
1153 } else if (cipher && ssl_config_.send_client_cert) { | |
1154 ssl_failure_state_ = SSL_FAILURE_CLIENT_AUTH; | |
1155 } else if (ERR_GET_LIB(error_info.error_code) == ERR_LIB_SSL && | |
1156 ERR_GET_REASON(error_info.error_code) == | |
1157 SSL_R_OLD_SESSION_VERSION_NOT_RETURNED) { | |
1158 ssl_failure_state_ = SSL_FAILURE_SESSION_MISMATCH; | |
1159 } else if (cipher && npn_status_ != kNextProtoUnsupported) { | |
1160 ssl_failure_state_ = SSL_FAILURE_NEXT_PROTO; | |
1161 } else { | |
1162 ssl_failure_state_ = SSL_FAILURE_UNKNOWN; | |
1163 } | |
1164 } | 1132 } |
1165 | 1133 |
1166 next_handshake_state_ = STATE_HANDSHAKE_COMPLETE; | 1134 next_handshake_state_ = STATE_HANDSHAKE_COMPLETE; |
1167 return net_error; | 1135 return net_error; |
1168 } | 1136 } |
1169 | 1137 |
1170 int SSLClientSocketImpl::DoHandshakeComplete(int result) { | 1138 int SSLClientSocketImpl::DoHandshakeComplete(int result) { |
1171 if (result < 0) | 1139 if (result < 0) |
1172 return result; | 1140 return result; |
1173 | 1141 |
(...skipping 1139 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2313 if (rv != OK) { | 2281 if (rv != OK) { |
2314 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 2282 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
2315 return; | 2283 return; |
2316 } | 2284 } |
2317 | 2285 |
2318 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, | 2286 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, |
2319 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); | 2287 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); |
2320 } | 2288 } |
2321 | 2289 |
2322 } // namespace net | 2290 } // namespace net |
OLD | NEW |