Chromium Code Reviews Chromium Code Reviews
Issue 2348453002:
Remove NPN from SSLConfig and SSLClientSocket*. (Closed)
| Index: net/socket/ssl_client_socket_impl.cc |
| diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc |
| index 5345d8e5b41347ecdc9950b16e50c4f70d1a8e96..92ce81943c70ac126983c826cf839dfa5dfe4777 100644 |
| --- a/net/socket/ssl_client_socket_impl.cc |
| +++ b/net/socket/ssl_client_socket_impl.cc |
| @@ -70,10 +70,6 @@ namespace { |
| // overlap with any value of the net::Error range, including net::OK). |
| const int kNoPendingResult = 1; |
| -// If a client doesn't have a list of protocols that it supports, but |
| -// the server supports NPN, choosing "http/1.1" is the best answer. |
| -const char kDefaultSupportedNPNProtocol[] = "http/1.1"; |
| - |
| // Default size of the internal BoringSSL buffers. |
| const int kDefaultOpenSSLBufferSize = 17 * 1024; |
| @@ -248,10 +244,6 @@ class SSLClientSocketImpl::SSLContext { |
| // is currently not sent on the network. |
| // TODO(haavardm): Remove setting quiet shutdown once 118366 is fixed. |
| SSL_CTX_set_quiet_shutdown(ssl_ctx_.get(), 1); |
| - // Note that SSL_OP_DISABLE_NPN is used to disable NPN if |
| - // ssl_config_.next_proto is empty. |
| - SSL_CTX_set_next_proto_select_cb(ssl_ctx_.get(), SelectNextProtoCallback, |
| - NULL); |
| // Disable the internal session cache. Session caching is handled |
| // externally (i.e. by SSLClientSessionCache). |
| @@ -316,16 +308,6 @@ class SSLClientSocketImpl::SSLContext { |
| return socket->CertVerifyCallback(store_ctx); |
| } |
| - static int SelectNextProtoCallback(SSL* ssl, |
| - unsigned char** out, |
| - unsigned char* outlen, |
| - const unsigned char* in, |
| - unsigned int inlen, |
| - void* arg) { |
| - SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
| - return socket->SelectNextProtoCallback(out, outlen, in, inlen); |
| - } |
| - |
| static int NewSessionCallback(SSL* ssl, SSL_SESSION* session) { |
| SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
| return socket->NewSessionCallback(session); |
| @@ -514,9 +496,7 @@ SSLClientSocketImpl::SSLClientSocketImpl( |
| ssl_session_cache_shard_(context.ssl_session_cache_shard), |
| next_handshake_state_(STATE_NONE), |
| disconnected_(false), |
| - npn_status_(kNextProtoUnsupported), |
| negotiated_protocol_(kProtoUnknown), |
| - negotiation_extension_(kExtensionUnknown), |
| channel_id_sent_(false), |
| certificate_verified_(false), |
| signature_result_(kNoPendingResult), |
| @@ -697,7 +677,6 @@ void SSLClientSocketImpl::Disconnect() { |
| start_cert_verification_time_ = base::TimeTicks(); |
| - npn_status_ = kNextProtoUnsupported; |
| negotiated_protocol_ = kProtoUnknown; |
| channel_id_sent_ = false; |
| @@ -1065,8 +1044,7 @@ int SSLClientSocketImpl::Init() { |
| wire_protos.size()); |
| } |
| - if (ssl_config_.npn_protos.empty()) |
| - SSL_set_options(ssl_, SSL_OP_DISABLE_NPN); |
| + SSL_set_options(ssl_, SSL_OP_DISABLE_NPN); |
|
davidben
2016/09/15 18:57:00
This line can be removed. (If the callback isn't c
Bence
2016/09/15 19:01:31
Done.
|
| if (ssl_config_.signed_cert_timestamps_enabled) { |
| SSL_enable_signed_cert_timestamps(ssl_); |
| @@ -1205,18 +1183,13 @@ int SSLClientSocketImpl::DoHandshakeComplete(int result) { |
| if (tb_was_negotiated_ && !SSL_get_extms_support(ssl_)) |
| return ERR_SSL_PROTOCOL_ERROR; |
| - // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was. |
| - if (npn_status_ == kNextProtoUnsupported) { |
| - const uint8_t* alpn_proto = NULL; |
| - unsigned alpn_len = 0; |
| - SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len); |
| - if (alpn_len > 0) { |
| - base::StringPiece proto(reinterpret_cast<const char*>(alpn_proto), |
| - alpn_len); |
| - negotiated_protocol_ = NextProtoFromString(proto); |
| - npn_status_ = kNextProtoNegotiated; |
| - negotiation_extension_ = kExtensionALPN; |
| - } |
| + const uint8_t* alpn_proto = NULL; |
| + unsigned alpn_len = 0; |
| + SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len); |
| + if (alpn_len > 0) { |
| + base::StringPiece proto(reinterpret_cast<const char*>(alpn_proto), |
| + alpn_len); |
| + negotiated_protocol_ = NextProtoFromString(proto); |
| } |
| RecordNegotiatedProtocol(); |
| @@ -1987,56 +1960,6 @@ int SSLClientSocketImpl::CertVerifyCallback(X509_STORE_CTX* store_ctx) { |
| return 1; |
| } |
| -// SelectNextProtoCallback is called by OpenSSL during the handshake. If the |
| -// server supports NPN, selects a protocol from the list that the server |
| -// provides. According to third_party/boringssl/src/ssl/ssl_lib.c, the |
| -// callback can assume that |in| is syntactically valid. |
| -int SSLClientSocketImpl::SelectNextProtoCallback(unsigned char** out, |
| - unsigned char* outlen, |
| - const unsigned char* in, |
| - unsigned int inlen) { |
| - if (ssl_config_.npn_protos.empty()) { |
| - *out = reinterpret_cast<uint8_t*>( |
| - const_cast<char*>(kDefaultSupportedNPNProtocol)); |
| - *outlen = arraysize(kDefaultSupportedNPNProtocol) - 1; |
| - npn_status_ = kNextProtoUnsupported; |
| - return SSL_TLSEXT_ERR_OK; |
| - } |
| - |
| - // Assume there's no overlap between our protocols and the server's list. |
| - npn_status_ = kNextProtoNoOverlap; |
| - |
| - // For each protocol in server preference order, see if we support it. |
| - for (unsigned int i = 0; i < inlen; i += in[i] + 1) { |
| - for (NextProto next_proto : ssl_config_.npn_protos) { |
| - const std::string proto = NextProtoToString(next_proto); |
| - if (in[i] == proto.size() && |
| - memcmp(&in[i + 1], proto.data(), in[i]) == 0) { |
| - // We found a match. |
| - negotiated_protocol_ = next_proto; |
| - *out = const_cast<unsigned char*>(in) + i + 1; |
| - *outlen = in[i]; |
| - npn_status_ = kNextProtoNegotiated; |
| - break; |
| - } |
| - } |
| - if (npn_status_ == kNextProtoNegotiated) |
| - break; |
| - } |
| - |
| - // If we didn't find a protocol, we select the last one from our list. |
| - if (npn_status_ == kNextProtoNoOverlap) { |
| - negotiated_protocol_ = ssl_config_.npn_protos.back(); |
| - // NextProtoToString returns a pointer to a static string. |
| - const char* proto = NextProtoToString(negotiated_protocol_); |
| - *out = reinterpret_cast<unsigned char*>(const_cast<char*>(proto)); |
| - *outlen = strlen(proto); |
| - } |
| - |
| - negotiation_extension_ = kExtensionNPN; |
| - return SSL_TLSEXT_ERR_OK; |
| -} |
| - |
| long SSLClientSocketImpl::MaybeReplayTransportError(BIO* bio, |
| int cmd, |
| const char* argp, |
| @@ -2147,7 +2070,7 @@ bool SSLClientSocketImpl::IsRenegotiationAllowed() const { |
| if (tb_was_negotiated_) |
| return false; |
| - if (npn_status_ == kNextProtoUnsupported) |
| + if (negotiated_protocol_ == kProtoUnknown) |
| return ssl_config_.renego_allowed_default; |
| for (NextProto allowed : ssl_config_.renego_allowed_for_protos) { |
