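--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <openssl/err.h>
@@ -505,20 +505,21 @@
 net_log_(transport_->socket()->NetLog()) {}
 
 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() {
 Disconnect();
 }
 
 void SSLClientSocketOpenSSL::GetSSLCertRequestInfo(
 SSLCertRequestInfo* cert_request_info) {
 cert_request_info->host_and_port = host_and_port_;
 cert_request_info->cert_authorities = cert_authorities_;
+cert_request_info->cert_key_types = cert_key_types_;
 }
 
 SSLClientSocket::NextProtoStatus SSLClientSocketOpenSSL::GetNextProto(
 std::string* proto, std::string* server_protos) {
 *proto = npn_proto_;
 *server_protos = server_protos_;
 return npn_status_;
 }
 
 ServerBoundCertService*
@@ -609,20 +610,21 @@
 user_write_buf_ = NULL;
 user_write_buf_len_ = 0;
 
 pending_read_error_ = kNoPendingReadResult;
 transport_write_error_ = OK;
 
 server_cert_verify_result_.Reset();
 completed_handshake_ = false;
 
 cert_authorities_.clear();
+cert_key_types_.clear();
 client_auth_cert_needed_ = false;
 }
 
 bool SSLClientSocketOpenSSL::IsConnected() const {
 // If the handshake has not yet completed.
 if (!completed_handshake_)
 return false;
 // If an asynchronous operation is still pending.
 if (user_read_buf_.get() || user_write_buf_.get())
 return true;
@@ -1403,61 +1405,70 @@
 return result;
 }
 
 int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl,
 X509** x509,
 EVP_PKEY** pkey) {
 DVLOG(3) << "OpenSSL ClientCertRequestCallback called";
 DCHECK(ssl == ssl_);
 DCHECK(*x509 == NULL);
 DCHECK(*pkey == NULL);
-#if defined(USE_OPENSSL_CERTS)
 if (!ssl_config_.send_client_cert) {
 // First pass: we know that a client certificate is needed, but we do not
 // have one at hand.
 client_auth_cert_needed_ = true;
 STACK_OF(X509_NAME) *authorities = SSL_get_client_CA_list(ssl);
 for (int i = 0; i < sk_X509_NAME_num(authorities); i++) {
 X509_NAME *ca_name = (X509_NAME *)sk_X509_NAME_value(authorities, i);
 unsigned char* str = NULL;
 int length = i2d_X509_NAME(ca_name, &str);
 cert_authorities_.push_back(std::string(
 reinterpret_cast<const char*>(str),
 static_cast<size_t>(length)));
 OPENSSL_free(str);
 }
 
+const unsigned char* client_cert_types;
+size_t num_client_cert_types;
+SSL_get_client_certificate_types(ssl, &client_cert_types,
+&num_client_cert_types);
+for (size_t i = 0; i < num_client_cert_types; i++) {
+cert_key_types_.push_back(
+static_cast<SSLClientCertType>(client_cert_types[i]));
+}
+
 return -1; // Suspends handshake.
 }
 
 // Second pass: a client certificate should have been selected.
 if (ssl_config_.client_cert.get()) {
+#if defined(USE_OPENSSL_CERTS)
 // A note about ownership: FetchClientCertPrivateKey() increments
 // the reference count of the EVP_PKEY. Ownership of this reference
 // is passed directly to OpenSSL, which will release the reference
 // using EVP_PKEY_free() when the SSL object is destroyed.
 OpenSSLClientKeyStore::ScopedEVP_PKEY privkey;
 if (OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey(
 ssl_config_.client_cert.get(), &privkey)) {
 // TODO(joth): (copied from NSS) We should wait for server certificate
 // verification before sending our credentials. See http://crbug.com/13934
 *x509 = X509Certificate::DupOSCertHandle(
 ssl_config_.client_cert->os_cert_handle());
 *pkey = privkey.release();
 return 1;
 }
 LOG(WARNING) << "Client cert found without private key";
+#else // !defined(USE_OPENSSL_CERTS)
+// OS handling of client certificates is not yet implemented.
+NOTIMPLEMENTED();
+#endif // defined(USE_OPENSSL_CERTS)
 }
-#else // !defined(USE_OPENSSL_CERTS)
-// OS handling of client certificates is not yet implemented.
-NOTIMPLEMENTED();
-#endif // defined(USE_OPENSSL_CERTS)
 
 // Send no client certificate.
 return 0;
 }
 
 void SSLClientSocketOpenSSL::ChannelIDRequestCallback(SSL* ssl,
 EVP_PKEY** pkey) {
 DVLOG(3) << "OpenSSL ChannelIDRequestCallback called";
 DCHECK_EQ(ssl, ssl_);
 DCHECK(!*pkey);
@@ -1565,10 +1576,10 @@
 DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_;
 return SSL_TLSEXT_ERR_OK;
 }
 
 scoped_refptr<X509Certificate>
 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const {
 return server_cert_;
 }
 
 } // namespace net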
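Review bot: `client_cert_types` and `num_client_cert_types` (new lines 1430-1431 in ClientCertRequestCallback) are declared without initializers and then read by the loop, so the new code is only safe if `SSL_get_client_certificate_types` is guaranteed to assign both outputs on every path, which this page does not show; initialise them defensively as `const unsigned char* client_cert_types = NULL;` and `size_t num_client_cert_types = 0;`, matching the NULL style already used in this function. The bytes copied into `cert_key_types_` come straight from the peer's CertificateRequest and `static_cast<SSLClientCertType>` stores them unvalidated, so every consumer of `cert_key_types_` must treat unrecognised codes as "no matching certificate" rather than assume only the enum's named values; a comment on the loop such as `// Type codes are peer-supplied and stored unfiltered; unknown values are not errors.` would make that contract explicit. The pre-existing loop just above has the related weakness that the `i2d_X509_NAME` return value is never checked before being cast to `size_t`, but that is not introduced by this change.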