| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_server_socket_impl.h" | 5 #include "net/socket/ssl_server_socket_impl.h" |
| 6 | 6 |
| 7 #include <openssl/err.h> | 7 #include <openssl/err.h> |
| 8 #include <openssl/ssl.h> | 8 #include <openssl/ssl.h> |
| 9 #include <openssl/x509.h> |
| 9 #include <utility> | 10 #include <utility> |
| 10 | 11 |
| 11 #include "base/callback_helpers.h" | 12 #include "base/callback_helpers.h" |
| 12 #include "base/logging.h" | 13 #include "base/logging.h" |
| 13 #include "base/strings/string_util.h" | 14 #include "base/strings/string_util.h" |
| 14 #include "crypto/openssl_util.h" | 15 #include "crypto/openssl_util.h" |
| 15 #include "crypto/rsa_private_key.h" | 16 #include "crypto/rsa_private_key.h" |
| 16 #include "crypto/scoped_openssl_types.h" | |
| 17 #include "net/base/net_errors.h" | 17 #include "net/base/net_errors.h" |
| 18 #include "net/cert/cert_verify_result.h" | 18 #include "net/cert/cert_verify_result.h" |
| 19 #include "net/cert/client_cert_verifier.h" | 19 #include "net/cert/client_cert_verifier.h" |
| 20 #include "net/cert/x509_util_openssl.h" | 20 #include "net/cert/x509_util_openssl.h" |
| 21 #include "net/log/net_log_event_type.h" | 21 #include "net/log/net_log_event_type.h" |
| 22 #include "net/log/net_log_with_source.h" | 22 #include "net/log/net_log_with_source.h" |
| 23 #include "net/ssl/openssl_ssl_util.h" | 23 #include "net/ssl/openssl_ssl_util.h" |
| 24 #include "net/ssl/ssl_connection_status_flags.h" | 24 #include "net/ssl/ssl_connection_status_flags.h" |
| 25 #include "net/ssl/ssl_info.h" | 25 #include "net/ssl/ssl_info.h" |
| 26 | 26 |
| (...skipping 23 matching lines...) Expand all Loading... |
| 50 der_chain.push_back(der_cert); | 50 der_chain.push_back(der_cert); |
| 51 } | 51 } |
| 52 | 52 |
| 53 return X509Certificate::CreateFromDERCertChain(der_chain); | 53 return X509Certificate::CreateFromDERCertChain(der_chain); |
| 54 } | 54 } |
| 55 | 55 |
| 56 class SSLServerSocketImpl : public SSLServerSocket { | 56 class SSLServerSocketImpl : public SSLServerSocket { |
| 57 public: | 57 public: |
| 58 // See comments on CreateSSLServerSocket for details of how these | 58 // See comments on CreateSSLServerSocket for details of how these |
| 59 // parameters are used. | 59 // parameters are used. |
| 60 SSLServerSocketImpl(std::unique_ptr<StreamSocket> socket, SSL* ssl); | 60 SSLServerSocketImpl(std::unique_ptr<StreamSocket> socket, |
| 61 bssl::UniquePtr<SSL> ssl); |
| 61 ~SSLServerSocketImpl() override; | 62 ~SSLServerSocketImpl() override; |
| 62 | 63 |
| 63 // SSLServerSocket interface. | 64 // SSLServerSocket interface. |
| 64 int Handshake(const CompletionCallback& callback) override; | 65 int Handshake(const CompletionCallback& callback) override; |
| 65 | 66 |
| 66 // SSLSocket interface. | 67 // SSLSocket interface. |
| 67 int ExportKeyingMaterial(const base::StringPiece& label, | 68 int ExportKeyingMaterial(const base::StringPiece& label, |
| 68 bool has_context, | 69 bool has_context, |
| 69 const base::StringPiece& context, | 70 const base::StringPiece& context, |
| 70 unsigned char* out, | 71 unsigned char* out, |
| (...skipping 80 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 151 | 152 |
| 152 // Used by Write function. | 153 // Used by Write function. |
| 153 scoped_refptr<IOBuffer> user_write_buf_; | 154 scoped_refptr<IOBuffer> user_write_buf_; |
| 154 int user_write_buf_len_; | 155 int user_write_buf_len_; |
| 155 | 156 |
| 156 // Used by TransportWriteComplete() and TransportReadComplete() to signify an | 157 // Used by TransportWriteComplete() and TransportReadComplete() to signify an |
| 157 // error writing to the transport socket. A value of OK indicates no error. | 158 // error writing to the transport socket. A value of OK indicates no error. |
| 158 int transport_write_error_; | 159 int transport_write_error_; |
| 159 | 160 |
| 160 // OpenSSL stuff | 161 // OpenSSL stuff |
| 161 SSL* ssl_; | 162 bssl::UniquePtr<SSL> ssl_; |
| 162 BIO* transport_bio_; | 163 bssl::UniquePtr<BIO> transport_bio_; |
| 163 | 164 |
| 164 // StreamSocket for sending and receiving data. | 165 // StreamSocket for sending and receiving data. |
| 165 std::unique_ptr<StreamSocket> transport_socket_; | 166 std::unique_ptr<StreamSocket> transport_socket_; |
| 166 | 167 |
| 167 // Certificate for the client. | 168 // Certificate for the client. |
| 168 scoped_refptr<X509Certificate> client_cert_; | 169 scoped_refptr<X509Certificate> client_cert_; |
| 169 | 170 |
| 170 State next_handshake_state_; | 171 State next_handshake_state_; |
| 171 bool completed_handshake_; | 172 bool completed_handshake_; |
| 172 | 173 |
| 173 DISALLOW_COPY_AND_ASSIGN(SSLServerSocketImpl); | 174 DISALLOW_COPY_AND_ASSIGN(SSLServerSocketImpl); |
| 174 }; | 175 }; |
| 175 | 176 |
| 176 SSLServerSocketImpl::SSLServerSocketImpl( | 177 SSLServerSocketImpl::SSLServerSocketImpl( |
| 177 std::unique_ptr<StreamSocket> transport_socket, | 178 std::unique_ptr<StreamSocket> transport_socket, |
| 178 SSL* ssl) | 179 bssl::UniquePtr<SSL> ssl) |
| 179 : transport_send_busy_(false), | 180 : transport_send_busy_(false), |
| 180 transport_recv_busy_(false), | 181 transport_recv_busy_(false), |
| 181 transport_recv_eof_(false), | 182 transport_recv_eof_(false), |
| 182 user_read_buf_len_(0), | 183 user_read_buf_len_(0), |
| 183 user_write_buf_len_(0), | 184 user_write_buf_len_(0), |
| 184 transport_write_error_(OK), | 185 transport_write_error_(OK), |
| 185 ssl_(ssl), | 186 ssl_(std::move(ssl)), |
| 186 transport_bio_(NULL), | |
| 187 transport_socket_(std::move(transport_socket)), | 187 transport_socket_(std::move(transport_socket)), |
| 188 next_handshake_state_(STATE_NONE), | 188 next_handshake_state_(STATE_NONE), |
| 189 completed_handshake_(false) {} | 189 completed_handshake_(false) {} |
| 190 | 190 |
| 191 SSLServerSocketImpl::~SSLServerSocketImpl() { | 191 SSLServerSocketImpl::~SSLServerSocketImpl() { |
| 192 if (ssl_) { | 192 if (ssl_) { |
| 193 // Calling SSL_shutdown prevents the session from being marked as | 193 // Calling SSL_shutdown prevents the session from being marked as |
| 194 // unresumable. | 194 // unresumable. |
| 195 SSL_shutdown(ssl_); | 195 SSL_shutdown(ssl_.get()); |
| 196 SSL_free(ssl_); | 196 ssl_.reset(); |
| 197 ssl_ = NULL; | |
| 198 } | |
| 199 if (transport_bio_) { | |
| 200 BIO_free_all(transport_bio_); | |
| 201 transport_bio_ = NULL; | |
| 202 } | 197 } |
| 203 } | 198 } |
| 204 | 199 |
| 205 int SSLServerSocketImpl::Handshake(const CompletionCallback& callback) { | 200 int SSLServerSocketImpl::Handshake(const CompletionCallback& callback) { |
| 206 net_log_.BeginEvent(NetLogEventType::SSL_SERVER_HANDSHAKE); | 201 net_log_.BeginEvent(NetLogEventType::SSL_SERVER_HANDSHAKE); |
| 207 | 202 |
| 208 // Set up new ssl object. | 203 // Set up new ssl object. |
| 209 int rv = Init(); | 204 int rv = Init(); |
| 210 if (rv != OK) { | 205 if (rv != OK) { |
| 211 LOG(ERROR) << "Failed to initialize OpenSSL: rv=" << rv; | 206 LOG(ERROR) << "Failed to initialize OpenSSL: rv=" << rv; |
| 212 net_log_.EndEventWithNetErrorCode(NetLogEventType::SSL_SERVER_HANDSHAKE, | 207 net_log_.EndEventWithNetErrorCode(NetLogEventType::SSL_SERVER_HANDSHAKE, |
| 213 rv); | 208 rv); |
| 214 return rv; | 209 return rv; |
| 215 } | 210 } |
| 216 | 211 |
| 217 // Set SSL to server mode. Handshake happens in the loop below. | 212 // Set SSL to server mode. Handshake happens in the loop below. |
| 218 SSL_set_accept_state(ssl_); | 213 SSL_set_accept_state(ssl_.get()); |
| 219 | 214 |
| 220 GotoState(STATE_HANDSHAKE); | 215 GotoState(STATE_HANDSHAKE); |
| 221 rv = DoHandshakeLoop(OK); | 216 rv = DoHandshakeLoop(OK); |
| 222 if (rv == ERR_IO_PENDING) { | 217 if (rv == ERR_IO_PENDING) { |
| 223 user_handshake_callback_ = callback; | 218 user_handshake_callback_ = callback; |
| 224 } else { | 219 } else { |
| 225 net_log_.EndEventWithNetErrorCode(NetLogEventType::SSL_SERVER_HANDSHAKE, | 220 net_log_.EndEventWithNetErrorCode(NetLogEventType::SSL_SERVER_HANDSHAKE, |
| 226 rv); | 221 rv); |
| 227 } | 222 } |
| 228 | 223 |
| 229 return rv > OK ? OK : rv; | 224 return rv > OK ? OK : rv; |
| 230 } | 225 } |
| 231 | 226 |
| 232 int SSLServerSocketImpl::ExportKeyingMaterial(const base::StringPiece& label, | 227 int SSLServerSocketImpl::ExportKeyingMaterial(const base::StringPiece& label, |
| 233 bool has_context, | 228 bool has_context, |
| 234 const base::StringPiece& context, | 229 const base::StringPiece& context, |
| 235 unsigned char* out, | 230 unsigned char* out, |
| 236 unsigned int outlen) { | 231 unsigned int outlen) { |
| 237 if (!IsConnected()) | 232 if (!IsConnected()) |
| 238 return ERR_SOCKET_NOT_CONNECTED; | 233 return ERR_SOCKET_NOT_CONNECTED; |
| 239 | 234 |
| 240 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 235 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 241 | 236 |
| 242 int rv = SSL_export_keying_material( | 237 int rv = SSL_export_keying_material( |
| 243 ssl_, out, outlen, label.data(), label.size(), | 238 ssl_.get(), out, outlen, label.data(), label.size(), |
| 244 reinterpret_cast<const unsigned char*>(context.data()), context.length(), | 239 reinterpret_cast<const unsigned char*>(context.data()), context.length(), |
| 245 context.length() > 0); | 240 context.length() > 0); |
| 246 | 241 |
| 247 if (rv != 1) { | 242 if (rv != 1) { |
| 248 int ssl_error = SSL_get_error(ssl_, rv); | 243 int ssl_error = SSL_get_error(ssl_.get(), rv); |
| 249 LOG(ERROR) << "Failed to export keying material;" | 244 LOG(ERROR) << "Failed to export keying material;" |
| 250 << " returned " << rv << ", SSL error code " << ssl_error; | 245 << " returned " << rv << ", SSL error code " << ssl_error; |
| 251 return MapOpenSSLError(ssl_error, err_tracer); | 246 return MapOpenSSLError(ssl_error, err_tracer); |
| 252 } | 247 } |
| 253 return OK; | 248 return OK; |
| 254 } | 249 } |
| 255 | 250 |
| 256 int SSLServerSocketImpl::Read(IOBuffer* buf, | 251 int SSLServerSocketImpl::Read(IOBuffer* buf, |
| 257 int buf_len, | 252 int buf_len, |
| 258 const CompletionCallback& callback) { | 253 const CompletionCallback& callback) { |
| (...skipping 105 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 364 return kProtoUnknown; | 359 return kProtoUnknown; |
| 365 } | 360 } |
| 366 | 361 |
| 367 bool SSLServerSocketImpl::GetSSLInfo(SSLInfo* ssl_info) { | 362 bool SSLServerSocketImpl::GetSSLInfo(SSLInfo* ssl_info) { |
| 368 ssl_info->Reset(); | 363 ssl_info->Reset(); |
| 369 if (!completed_handshake_) | 364 if (!completed_handshake_) |
| 370 return false; | 365 return false; |
| 371 | 366 |
| 372 ssl_info->cert = client_cert_; | 367 ssl_info->cert = client_cert_; |
| 373 | 368 |
| 374 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); | 369 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_.get()); |
| 375 CHECK(cipher); | 370 CHECK(cipher); |
| 376 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); | 371 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); |
| 377 | 372 |
| 378 SSLConnectionStatusSetCipherSuite( | 373 SSLConnectionStatusSetCipherSuite( |
| 379 static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)), | 374 static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)), |
| 380 &ssl_info->connection_status); | 375 &ssl_info->connection_status); |
| 381 SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_), | 376 SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_.get()), |
| 382 &ssl_info->connection_status); | 377 &ssl_info->connection_status); |
| 383 | 378 |
| 384 if (!SSL_get_secure_renegotiation_support(ssl_)) | 379 if (!SSL_get_secure_renegotiation_support(ssl_.get())) |
| 385 ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; | 380 ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; |
| 386 | 381 |
| 387 ssl_info->handshake_type = SSL_session_reused(ssl_) | 382 ssl_info->handshake_type = SSL_session_reused(ssl_.get()) |
| 388 ? SSLInfo::HANDSHAKE_RESUME | 383 ? SSLInfo::HANDSHAKE_RESUME |
| 389 : SSLInfo::HANDSHAKE_FULL; | 384 : SSLInfo::HANDSHAKE_FULL; |
| 390 | 385 |
| 391 return true; | 386 return true; |
| 392 } | 387 } |
| 393 | 388 |
| 394 void SSLServerSocketImpl::GetConnectionAttempts(ConnectionAttempts* out) const { | 389 void SSLServerSocketImpl::GetConnectionAttempts(ConnectionAttempts* out) const { |
| 395 out->clear(); | 390 out->clear(); |
| 396 } | 391 } |
| 397 | 392 |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 450 | 445 |
| 451 // Return 0 for EOF, | 446 // Return 0 for EOF, |
| 452 // > 0 for bytes transferred immediately, | 447 // > 0 for bytes transferred immediately, |
| 453 // < 0 for error (or the non-error ERR_IO_PENDING). | 448 // < 0 for error (or the non-error ERR_IO_PENDING). |
| 454 int SSLServerSocketImpl::BufferSend() { | 449 int SSLServerSocketImpl::BufferSend() { |
| 455 if (transport_send_busy_) | 450 if (transport_send_busy_) |
| 456 return ERR_IO_PENDING; | 451 return ERR_IO_PENDING; |
| 457 | 452 |
| 458 if (!send_buffer_) { | 453 if (!send_buffer_) { |
| 459 // Get a fresh send buffer out of the send BIO. | 454 // Get a fresh send buffer out of the send BIO. |
| 460 size_t max_read = BIO_pending(transport_bio_); | 455 size_t max_read = BIO_pending(transport_bio_.get()); |
| 461 if (!max_read) | 456 if (!max_read) |
| 462 return 0; // Nothing pending in the OpenSSL write BIO. | 457 return 0; // Nothing pending in the OpenSSL write BIO. |
| 463 send_buffer_ = new DrainableIOBuffer(new IOBuffer(max_read), max_read); | 458 send_buffer_ = new DrainableIOBuffer(new IOBuffer(max_read), max_read); |
| 464 int read_bytes = BIO_read(transport_bio_, send_buffer_->data(), max_read); | 459 int read_bytes = |
| 460 BIO_read(transport_bio_.get(), send_buffer_->data(), max_read); |
| 465 DCHECK_GT(read_bytes, 0); | 461 DCHECK_GT(read_bytes, 0); |
| 466 CHECK_EQ(static_cast<int>(max_read), read_bytes); | 462 CHECK_EQ(static_cast<int>(max_read), read_bytes); |
| 467 } | 463 } |
| 468 | 464 |
| 469 int rv = transport_socket_->Write( | 465 int rv = transport_socket_->Write( |
| 470 send_buffer_.get(), send_buffer_->BytesRemaining(), | 466 send_buffer_.get(), send_buffer_->BytesRemaining(), |
| 471 base::Bind(&SSLServerSocketImpl::BufferSendComplete, | 467 base::Bind(&SSLServerSocketImpl::BufferSendComplete, |
| 472 base::Unretained(this))); | 468 base::Unretained(this))); |
| 473 if (rv == ERR_IO_PENDING) { | 469 if (rv == ERR_IO_PENDING) { |
| 474 transport_send_busy_ = true; | 470 transport_send_busy_ = true; |
| (...skipping 11 matching lines...) Expand all Loading... |
| 486 | 482 |
| 487 void SSLServerSocketImpl::TransportWriteComplete(int result) { | 483 void SSLServerSocketImpl::TransportWriteComplete(int result) { |
| 488 DCHECK(ERR_IO_PENDING != result); | 484 DCHECK(ERR_IO_PENDING != result); |
| 489 if (result < 0) { | 485 if (result < 0) { |
| 490 // Got a socket write error; close the BIO to indicate this upward. | 486 // Got a socket write error; close the BIO to indicate this upward. |
| 491 // | 487 // |
| 492 // TODO(davidben): The value of |result| gets lost. Feed the error back into | 488 // TODO(davidben): The value of |result| gets lost. Feed the error back into |
| 493 // the BIO so it gets (re-)detected in OnSendComplete. Perhaps with | 489 // the BIO so it gets (re-)detected in OnSendComplete. Perhaps with |
| 494 // BIO_set_callback. | 490 // BIO_set_callback. |
| 495 DVLOG(1) << "TransportWriteComplete error " << result; | 491 DVLOG(1) << "TransportWriteComplete error " << result; |
| 496 (void)BIO_shutdown_wr(SSL_get_wbio(ssl_)); | 492 (void)BIO_shutdown_wr(SSL_get_wbio(ssl_.get())); |
| 497 | 493 |
| 498 // Match the fix for http://crbug.com/249848 in NSS by erroring future reads | 494 // Match the fix for http://crbug.com/249848 in NSS by erroring future reads |
| 499 // from the socket after a write error. | 495 // from the socket after a write error. |
| 500 // | 496 // |
| 501 // TODO(davidben): Avoid having read and write ends interact this way. | 497 // TODO(davidben): Avoid having read and write ends interact this way. |
| 502 transport_write_error_ = result; | 498 transport_write_error_ = result; |
| 503 (void)BIO_shutdown_wr(transport_bio_); | 499 (void)BIO_shutdown_wr(transport_bio_.get()); |
| 504 send_buffer_ = NULL; | 500 send_buffer_ = NULL; |
| 505 } else { | 501 } else { |
| 506 DCHECK(send_buffer_); | 502 DCHECK(send_buffer_); |
| 507 send_buffer_->DidConsume(result); | 503 send_buffer_->DidConsume(result); |
| 508 DCHECK_GE(send_buffer_->BytesRemaining(), 0); | 504 DCHECK_GE(send_buffer_->BytesRemaining(), 0); |
| 509 if (send_buffer_->BytesRemaining() <= 0) | 505 if (send_buffer_->BytesRemaining() <= 0) |
| 510 send_buffer_ = NULL; | 506 send_buffer_ = NULL; |
| 511 } | 507 } |
| 512 } | 508 } |
| 513 | 509 |
| 514 int SSLServerSocketImpl::BufferRecv() { | 510 int SSLServerSocketImpl::BufferRecv() { |
| 515 if (transport_recv_busy_) | 511 if (transport_recv_busy_) |
| 516 return ERR_IO_PENDING; | 512 return ERR_IO_PENDING; |
| 517 | 513 |
| 518 // Determine how much was requested from |transport_bio_| that was not | 514 // Determine how much was requested from |transport_bio_| that was not |
| 519 // actually available. | 515 // actually available. |
| 520 size_t requested = BIO_ctrl_get_read_request(transport_bio_); | 516 size_t requested = BIO_ctrl_get_read_request(transport_bio_.get()); |
| 521 if (requested == 0) { | 517 if (requested == 0) { |
| 522 // This is not a perfect match of error codes, as no operation is | 518 // This is not a perfect match of error codes, as no operation is |
| 523 // actually pending. However, returning 0 would be interpreted as | 519 // actually pending. However, returning 0 would be interpreted as |
| 524 // a possible sign of EOF, which is also an inappropriate match. | 520 // a possible sign of EOF, which is also an inappropriate match. |
| 525 return ERR_IO_PENDING; | 521 return ERR_IO_PENDING; |
| 526 } | 522 } |
| 527 | 523 |
| 528 // Known Issue: While only reading |requested| data is the more correct | 524 // Known Issue: While only reading |requested| data is the more correct |
| 529 // implementation, it has the downside of resulting in frequent reads: | 525 // implementation, it has the downside of resulting in frequent reads: |
| 530 // One read for the SSL record header (~5 bytes) and one read for the SSL | 526 // One read for the SSL record header (~5 bytes) and one read for the SSL |
| 531 // record body. Rather than issuing these reads to the underlying socket | 527 // record body. Rather than issuing these reads to the underlying socket |
| 532 // (and constantly allocating new IOBuffers), a single Read() request to | 528 // (and constantly allocating new IOBuffers), a single Read() request to |
| 533 // fill |transport_bio_| is issued. As long as an SSL client socket cannot | 529 // fill |transport_bio_| is issued. As long as an SSL client socket cannot |
| 534 // be gracefully shutdown (via SSL close alerts) and re-used for non-SSL | 530 // be gracefully shutdown (via SSL close alerts) and re-used for non-SSL |
| 535 // traffic, this over-subscribed Read()ing will not cause issues. | 531 // traffic, this over-subscribed Read()ing will not cause issues. |
| 536 size_t max_write = BIO_ctrl_get_write_guarantee(transport_bio_); | 532 size_t max_write = BIO_ctrl_get_write_guarantee(transport_bio_.get()); |
| 537 if (!max_write) | 533 if (!max_write) |
| 538 return ERR_IO_PENDING; | 534 return ERR_IO_PENDING; |
| 539 | 535 |
| 540 recv_buffer_ = new IOBuffer(max_write); | 536 recv_buffer_ = new IOBuffer(max_write); |
| 541 int rv = transport_socket_->Read( | 537 int rv = transport_socket_->Read( |
| 542 recv_buffer_.get(), max_write, | 538 recv_buffer_.get(), max_write, |
| 543 base::Bind(&SSLServerSocketImpl::BufferRecvComplete, | 539 base::Bind(&SSLServerSocketImpl::BufferRecvComplete, |
| 544 base::Unretained(this))); | 540 base::Unretained(this))); |
| 545 if (rv == ERR_IO_PENDING) { | 541 if (rv == ERR_IO_PENDING) { |
| 546 transport_recv_busy_ = true; | 542 transport_recv_busy_ = true; |
| (...skipping 10 matching lines...) Expand all Loading... |
| 557 | 553 |
| 558 int SSLServerSocketImpl::TransportReadComplete(int result) { | 554 int SSLServerSocketImpl::TransportReadComplete(int result) { |
| 559 DCHECK(ERR_IO_PENDING != result); | 555 DCHECK(ERR_IO_PENDING != result); |
| 560 if (result <= 0) { | 556 if (result <= 0) { |
| 561 DVLOG(1) << "TransportReadComplete result " << result; | 557 DVLOG(1) << "TransportReadComplete result " << result; |
| 562 // Received 0 (end of file) or an error. Either way, bubble it up to the | 558 // Received 0 (end of file) or an error. Either way, bubble it up to the |
| 563 // SSL layer via the BIO. TODO(joth): consider stashing the error code, to | 559 // SSL layer via the BIO. TODO(joth): consider stashing the error code, to |
| 564 // relay up to the SSL socket client (i.e. via DoReadCallback). | 560 // relay up to the SSL socket client (i.e. via DoReadCallback). |
| 565 if (result == 0) | 561 if (result == 0) |
| 566 transport_recv_eof_ = true; | 562 transport_recv_eof_ = true; |
| 567 (void)BIO_shutdown_wr(transport_bio_); | 563 (void)BIO_shutdown_wr(transport_bio_.get()); |
| 568 } else if (transport_write_error_ < 0) { | 564 } else if (transport_write_error_ < 0) { |
| 569 // Mirror transport write errors as read failures; transport_bio_ has been | 565 // Mirror transport write errors as read failures; transport_bio_ has been |
| 570 // shut down by TransportWriteComplete, so the BIO_write will fail, failing | 566 // shut down by TransportWriteComplete, so the BIO_write will fail, failing |
| 571 // the CHECK. http://crbug.com/335557. | 567 // the CHECK. http://crbug.com/335557. |
| 572 result = transport_write_error_; | 568 result = transport_write_error_; |
| 573 } else { | 569 } else { |
| 574 DCHECK(recv_buffer_); | 570 DCHECK(recv_buffer_); |
| 575 int ret = BIO_write(transport_bio_, recv_buffer_->data(), result); | 571 int ret = BIO_write(transport_bio_.get(), recv_buffer_->data(), result); |
| 576 // A write into a memory BIO should always succeed. | 572 // A write into a memory BIO should always succeed. |
| 577 DCHECK_EQ(result, ret); | 573 DCHECK_EQ(result, ret); |
| 578 } | 574 } |
| 579 recv_buffer_ = NULL; | 575 recv_buffer_ = NULL; |
| 580 transport_recv_busy_ = false; | 576 transport_recv_busy_ = false; |
| 581 return result; | 577 return result; |
| 582 } | 578 } |
| 583 | 579 |
| 584 // Do as much network I/O as possible between the buffer and the | 580 // Do as much network I/O as possible between the buffer and the |
| 585 // transport socket. Return true if some I/O performed, false | 581 // transport socket. Return true if some I/O performed, false |
| (...skipping 10 matching lines...) Expand all Loading... |
| 596 } while (rv > 0); | 592 } while (rv > 0); |
| 597 if (!transport_recv_eof_ && BufferRecv() != ERR_IO_PENDING) | 593 if (!transport_recv_eof_ && BufferRecv() != ERR_IO_PENDING) |
| 598 network_moved = true; | 594 network_moved = true; |
| 599 return network_moved; | 595 return network_moved; |
| 600 } | 596 } |
| 601 | 597 |
| 602 int SSLServerSocketImpl::DoPayloadRead() { | 598 int SSLServerSocketImpl::DoPayloadRead() { |
| 603 DCHECK(user_read_buf_); | 599 DCHECK(user_read_buf_); |
| 604 DCHECK_GT(user_read_buf_len_, 0); | 600 DCHECK_GT(user_read_buf_len_, 0); |
| 605 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 601 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 606 int rv = SSL_read(ssl_, user_read_buf_->data(), user_read_buf_len_); | 602 int rv = SSL_read(ssl_.get(), user_read_buf_->data(), user_read_buf_len_); |
| 607 if (rv >= 0) | 603 if (rv >= 0) |
| 608 return rv; | 604 return rv; |
| 609 int ssl_error = SSL_get_error(ssl_, rv); | 605 int ssl_error = SSL_get_error(ssl_.get(), rv); |
| 610 OpenSSLErrorInfo error_info; | 606 OpenSSLErrorInfo error_info; |
| 611 int net_error = | 607 int net_error = |
| 612 MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info); | 608 MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info); |
| 613 if (net_error != ERR_IO_PENDING) { | 609 if (net_error != ERR_IO_PENDING) { |
| 614 net_log_.AddEvent( | 610 net_log_.AddEvent( |
| 615 NetLogEventType::SSL_READ_ERROR, | 611 NetLogEventType::SSL_READ_ERROR, |
| 616 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); | 612 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); |
| 617 } | 613 } |
| 618 return net_error; | 614 return net_error; |
| 619 } | 615 } |
| 620 | 616 |
| 621 int SSLServerSocketImpl::DoPayloadWrite() { | 617 int SSLServerSocketImpl::DoPayloadWrite() { |
| 622 DCHECK(user_write_buf_); | 618 DCHECK(user_write_buf_); |
| 623 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 619 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 624 int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_); | 620 int rv = SSL_write(ssl_.get(), user_write_buf_->data(), user_write_buf_len_); |
| 625 if (rv >= 0) | 621 if (rv >= 0) |
| 626 return rv; | 622 return rv; |
| 627 int ssl_error = SSL_get_error(ssl_, rv); | 623 int ssl_error = SSL_get_error(ssl_.get(), rv); |
| 628 OpenSSLErrorInfo error_info; | 624 OpenSSLErrorInfo error_info; |
| 629 int net_error = | 625 int net_error = |
| 630 MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info); | 626 MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info); |
| 631 if (net_error != ERR_IO_PENDING) { | 627 if (net_error != ERR_IO_PENDING) { |
| 632 net_log_.AddEvent( | 628 net_log_.AddEvent( |
| 633 NetLogEventType::SSL_WRITE_ERROR, | 629 NetLogEventType::SSL_WRITE_ERROR, |
| 634 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); | 630 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); |
| 635 } | 631 } |
| 636 return net_error; | 632 return net_error; |
| 637 } | 633 } |
| (...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 697 do { | 693 do { |
| 698 rv = DoPayloadWrite(); | 694 rv = DoPayloadWrite(); |
| 699 network_moved = DoTransportIO(); | 695 network_moved = DoTransportIO(); |
| 700 } while (rv == ERR_IO_PENDING && network_moved); | 696 } while (rv == ERR_IO_PENDING && network_moved); |
| 701 return rv; | 697 return rv; |
| 702 } | 698 } |
| 703 | 699 |
| 704 int SSLServerSocketImpl::DoHandshake() { | 700 int SSLServerSocketImpl::DoHandshake() { |
| 705 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 701 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 706 int net_error = OK; | 702 int net_error = OK; |
| 707 int rv = SSL_do_handshake(ssl_); | 703 int rv = SSL_do_handshake(ssl_.get()); |
| 708 | 704 |
| 709 if (rv == 1) { | 705 if (rv == 1) { |
| 710 completed_handshake_ = true; | 706 completed_handshake_ = true; |
| 711 // The results of SSL_get_peer_certificate() must be explicitly freed. | 707 // The results of SSL_get_peer_certificate() must be explicitly freed. |
| 712 ScopedX509 cert(SSL_get_peer_certificate(ssl_)); | 708 bssl::UniquePtr<X509> cert(SSL_get_peer_certificate(ssl_.get())); |
| 713 if (cert) { | 709 if (cert) { |
| 714 // The caller does not take ownership of SSL_get_peer_cert_chain's | 710 // The caller does not take ownership of SSL_get_peer_cert_chain's |
| 715 // results. | 711 // results. |
| 716 STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl_); | 712 STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl_.get()); |
| 717 client_cert_ = CreateX509Certificate(cert.get(), chain); | 713 client_cert_ = CreateX509Certificate(cert.get(), chain); |
| 718 if (!client_cert_.get()) | 714 if (!client_cert_.get()) |
| 719 return ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT; | 715 return ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT; |
| 720 } | 716 } |
| 721 } else { | 717 } else { |
| 722 int ssl_error = SSL_get_error(ssl_, rv); | 718 int ssl_error = SSL_get_error(ssl_.get(), rv); |
| 723 OpenSSLErrorInfo error_info; | 719 OpenSSLErrorInfo error_info; |
| 724 net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info); | 720 net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info); |
| 725 | 721 |
| 726 // This hack is necessary because the mapping of SSL error codes to | 722 // This hack is necessary because the mapping of SSL error codes to |
| 727 // net_errors assumes (correctly for client sockets, but erroneously for | 723 // net_errors assumes (correctly for client sockets, but erroneously for |
| 728 // server sockets) that peer cert verification failure can only occur if | 724 // server sockets) that peer cert verification failure can only occur if |
| 729 // the cert changed during a renego. crbug.com/570351 | 725 // the cert changed during a renego. crbug.com/570351 |
| 730 if (net_error == ERR_SSL_SERVER_CERT_CHANGED) | 726 if (net_error == ERR_SSL_SERVER_CERT_CHANGED) |
| 731 net_error = ERR_BAD_SSL_CLIENT_AUTH_CERT; | 727 net_error = ERR_BAD_SSL_CLIENT_AUTH_CERT; |
| 732 | 728 |
| (...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 768 } | 764 } |
| 769 | 765 |
| 770 int SSLServerSocketImpl::Init() { | 766 int SSLServerSocketImpl::Init() { |
| 771 DCHECK(!transport_bio_); | 767 DCHECK(!transport_bio_); |
| 772 | 768 |
| 773 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 769 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 774 | 770 |
| 775 if (!ssl_) | 771 if (!ssl_) |
| 776 return ERR_UNEXPECTED; | 772 return ERR_UNEXPECTED; |
| 777 | 773 |
| 778 BIO* ssl_bio = NULL; | 774 BIO* ssl_bio = nullptr; |
| 775 BIO* transport_bio_raw = nullptr; |
| 779 // 0 => use default buffer sizes. | 776 // 0 => use default buffer sizes. |
| 780 if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_, 0)) | 777 if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_raw, 0)) |
| 781 return ERR_UNEXPECTED; | 778 return ERR_UNEXPECTED; |
| 779 transport_bio_.reset(transport_bio_raw); |
| 782 DCHECK(ssl_bio); | 780 DCHECK(ssl_bio); |
| 783 DCHECK(transport_bio_); | 781 DCHECK(transport_bio_); |
| 784 | 782 |
| 785 SSL_set_bio(ssl_, ssl_bio, ssl_bio); | 783 SSL_set_bio(ssl_.get(), ssl_bio, ssl_bio); |
| 786 | 784 |
| 787 return OK; | 785 return OK; |
| 788 } | 786 } |
| 789 | 787 |
| 790 // static | 788 // static |
| 791 int SSLServerSocketImpl::CertVerifyCallback(X509_STORE_CTX* store_ctx, | 789 int SSLServerSocketImpl::CertVerifyCallback(X509_STORE_CTX* store_ctx, |
| 792 void* arg) { | 790 void* arg) { |
| 793 ClientCertVerifier* verifier = reinterpret_cast<ClientCertVerifier*>(arg); | 791 ClientCertVerifier* verifier = reinterpret_cast<ClientCertVerifier*>(arg); |
| 794 // If a verifier was not supplied, all certificates are accepted. | 792 // If a verifier was not supplied, all certificates are accepted. |
| 795 if (!verifier) | 793 if (!verifier) |
| (...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 863 #if defined(USE_OPENSSL_CERTS) | 861 #if defined(USE_OPENSSL_CERTS) |
| 864 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), cert_->os_cert_handle())); | 862 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), cert_->os_cert_handle())); |
| 865 #else | 863 #else |
| 866 // Convert OSCertHandle to X509 structure. | 864 // Convert OSCertHandle to X509 structure. |
| 867 std::string der_string; | 865 std::string der_string; |
| 868 CHECK(X509Certificate::GetDEREncoded(cert_->os_cert_handle(), &der_string)); | 866 CHECK(X509Certificate::GetDEREncoded(cert_->os_cert_handle(), &der_string)); |
| 869 | 867 |
| 870 const unsigned char* der_string_array = | 868 const unsigned char* der_string_array = |
| 871 reinterpret_cast<const unsigned char*>(der_string.data()); | 869 reinterpret_cast<const unsigned char*>(der_string.data()); |
| 872 | 870 |
| 873 ScopedX509 x509(d2i_X509(NULL, &der_string_array, der_string.length())); | 871 bssl::UniquePtr<X509> x509( |
| 872 d2i_X509(NULL, &der_string_array, der_string.length())); |
| 874 CHECK(x509); | 873 CHECK(x509); |
| 875 | 874 |
| 876 // On success, SSL_CTX_use_certificate acquires a reference to |x509|. | 875 // On success, SSL_CTX_use_certificate acquires a reference to |x509|. |
| 877 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), x509.get())); | 876 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), x509.get())); |
| 878 #endif // USE_OPENSSL_CERTS | 877 #endif // USE_OPENSSL_CERTS |
| 879 | 878 |
| 880 DCHECK(key_->key()); | 879 DCHECK(key_->key()); |
| 881 CHECK(SSL_CTX_use_PrivateKey(ssl_ctx_.get(), key_->key())); | 880 CHECK(SSL_CTX_use_PrivateKey(ssl_ctx_.get(), key_->key())); |
| 882 | 881 |
| 883 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_min); | 882 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_min); |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 922 int rv = SSL_CTX_set_cipher_list(ssl_ctx_.get(), command.c_str()); | 921 int rv = SSL_CTX_set_cipher_list(ssl_ctx_.get(), command.c_str()); |
| 923 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL. | 922 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL. |
| 924 // This will almost certainly result in the socket failing to complete the | 923 // This will almost certainly result in the socket failing to complete the |
| 925 // handshake at which point the appropriate error is bubbled up to the client. | 924 // handshake at which point the appropriate error is bubbled up to the client. |
| 926 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command | 925 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command |
| 927 << "') returned " << rv; | 926 << "') returned " << rv; |
| 928 | 927 |
| 929 if (ssl_server_config_.client_cert_type != | 928 if (ssl_server_config_.client_cert_type != |
| 930 SSLServerConfig::ClientCertType::NO_CLIENT_CERT && | 929 SSLServerConfig::ClientCertType::NO_CLIENT_CERT && |
| 931 !ssl_server_config_.cert_authorities_.empty()) { | 930 !ssl_server_config_.cert_authorities_.empty()) { |
| 932 ScopedX509NameStack stack(sk_X509_NAME_new_null()); | 931 bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null()); |
| 933 for (const auto& authority : ssl_server_config_.cert_authorities_) { | 932 for (const auto& authority : ssl_server_config_.cert_authorities_) { |
| 934 const uint8_t* name = reinterpret_cast<const uint8_t*>(authority.c_str()); | 933 const uint8_t* name = reinterpret_cast<const uint8_t*>(authority.c_str()); |
| 935 const uint8_t* name_start = name; | 934 const uint8_t* name_start = name; |
| 936 ScopedX509_NAME subj(d2i_X509_NAME(nullptr, &name, authority.length())); | 935 bssl::UniquePtr<X509_NAME> subj( |
| 936 d2i_X509_NAME(nullptr, &name, authority.length())); |
| 937 CHECK(subj && name == name_start + authority.length()); | 937 CHECK(subj && name == name_start + authority.length()); |
| 938 sk_X509_NAME_push(stack.get(), subj.release()); | 938 sk_X509_NAME_push(stack.get(), subj.release()); |
| 939 } | 939 } |
| 940 SSL_CTX_set_client_CA_list(ssl_ctx_.get(), stack.release()); | 940 SSL_CTX_set_client_CA_list(ssl_ctx_.get(), stack.release()); |
| 941 } | 941 } |
| 942 } | 942 } |
| 943 | 943 |
| 944 SSLServerContextImpl::~SSLServerContextImpl() {} | 944 SSLServerContextImpl::~SSLServerContextImpl() {} |
| 945 | 945 |
| 946 std::unique_ptr<SSLServerSocket> SSLServerContextImpl::CreateSSLServerSocket( | 946 std::unique_ptr<SSLServerSocket> SSLServerContextImpl::CreateSSLServerSocket( |
| 947 std::unique_ptr<StreamSocket> socket) { | 947 std::unique_ptr<StreamSocket> socket) { |
| 948 SSL* ssl = SSL_new(ssl_ctx_.get()); | 948 bssl::UniquePtr<SSL> ssl(SSL_new(ssl_ctx_.get())); |
| 949 return std::unique_ptr<SSLServerSocket>( | 949 return std::unique_ptr<SSLServerSocket>( |
| 950 new SSLServerSocketImpl(std::move(socket), ssl)); | 950 new SSLServerSocketImpl(std::move(socket), std::move(ssl))); |
| 951 } | 951 } |
| 952 | 952 |
| 953 void EnableSSLServerSockets() { | 953 void EnableSSLServerSockets() { |
| 954 // No-op because CreateSSLServerSocket() calls crypto::EnsureOpenSSLInit(). | 954 // No-op because CreateSSLServerSocket() calls crypto::EnsureOpenSSLInit(). |
| 955 } | 955 } |
| 956 | 956 |
| 957 } // namespace net | 957 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2400033005:
Use BoringSSL scopers in //net. (Closed)
