OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <string.h> | 8 #include <string.h> |
9 | 9 |
10 #include <algorithm> | 10 #include <algorithm> |
(...skipping 1024 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1035 } | 1035 } |
1036 | 1036 |
1037 if (ssl_config_.signed_cert_timestamps_enabled) { | 1037 if (ssl_config_.signed_cert_timestamps_enabled) { |
1038 SSL_enable_signed_cert_timestamps(ssl_.get()); | 1038 SSL_enable_signed_cert_timestamps(ssl_.get()); |
1039 SSL_enable_ocsp_stapling(ssl_.get()); | 1039 SSL_enable_ocsp_stapling(ssl_.get()); |
1040 } | 1040 } |
1041 | 1041 |
1042 if (cert_verifier_->SupportsOCSPStapling()) | 1042 if (cert_verifier_->SupportsOCSPStapling()) |
1043 SSL_enable_ocsp_stapling(ssl_.get()); | 1043 SSL_enable_ocsp_stapling(ssl_.get()); |
1044 | 1044 |
| 1045 // Configure BoringSSL to allow renegotiations. Once the initial handshake |
| 1046 // completes, if renegotiations are not allowed, the default reject value will |
| 1047 // be restored. This is done in this order to permit a BoringSSL |
| 1048 // optimization. See https://crbug.com/boringssl/123. |
| 1049 SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_freely); |
| 1050 |
1045 return OK; | 1051 return OK; |
1046 } | 1052 } |
1047 | 1053 |
1048 void SSLClientSocketImpl::DoReadCallback(int rv) { | 1054 void SSLClientSocketImpl::DoReadCallback(int rv) { |
1049 // Since Run may result in Read being called, clear |user_read_callback_| | 1055 // Since Run may result in Read being called, clear |user_read_callback_| |
1050 // up front. | 1056 // up front. |
1051 if (rv > 0) | 1057 if (rv > 0) |
1052 was_ever_used_ = true; | 1058 was_ever_used_ = true; |
1053 user_read_buf_ = NULL; | 1059 user_read_buf_ = NULL; |
1054 user_read_buf_len_ = 0; | 1060 user_read_buf_len_ = 0; |
(...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1173 size_t ocsp_response_len; | 1179 size_t ocsp_response_len; |
1174 SSL_get0_ocsp_response(ssl_.get(), &ocsp_response_raw, &ocsp_response_len); | 1180 SSL_get0_ocsp_response(ssl_.get(), &ocsp_response_raw, &ocsp_response_len); |
1175 set_stapled_ocsp_response_received(ocsp_response_len != 0); | 1181 set_stapled_ocsp_response_received(ocsp_response_len != 0); |
1176 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); | 1182 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); |
1177 | 1183 |
1178 const uint8_t* sct_list; | 1184 const uint8_t* sct_list; |
1179 size_t sct_list_len; | 1185 size_t sct_list_len; |
1180 SSL_get0_signed_cert_timestamp_list(ssl_.get(), &sct_list, &sct_list_len); | 1186 SSL_get0_signed_cert_timestamp_list(ssl_.get(), &sct_list, &sct_list_len); |
1181 set_signed_cert_timestamps_received(sct_list_len != 0); | 1187 set_signed_cert_timestamps_received(sct_list_len != 0); |
1182 | 1188 |
1183 if (IsRenegotiationAllowed()) | 1189 if (!IsRenegotiationAllowed()) |
1184 SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_freely); | 1190 SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_never); |
1185 | 1191 |
1186 uint16_t signature_algorithm = SSL_get_peer_signature_algorithm(ssl_.get()); | 1192 uint16_t signature_algorithm = SSL_get_peer_signature_algorithm(ssl_.get()); |
1187 if (signature_algorithm != 0) { | 1193 if (signature_algorithm != 0) { |
1188 UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLSignatureAlgorithm", | 1194 UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLSignatureAlgorithm", |
1189 signature_algorithm); | 1195 signature_algorithm); |
1190 } | 1196 } |
1191 | 1197 |
1192 // Verify the certificate. | 1198 // Verify the certificate. |
1193 UpdateServerCert(); | 1199 UpdateServerCert(); |
1194 next_handshake_state_ = STATE_VERIFY_CERT; | 1200 next_handshake_state_ = STATE_VERIFY_CERT; |
(...skipping 845 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2040 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && | 2046 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && |
2041 !certificate_requested_) { | 2047 !certificate_requested_) { |
2042 net_error = ERR_SSL_PROTOCOL_ERROR; | 2048 net_error = ERR_SSL_PROTOCOL_ERROR; |
2043 } | 2049 } |
2044 } | 2050 } |
2045 | 2051 |
2046 return net_error; | 2052 return net_error; |
2047 } | 2053 } |
2048 | 2054 |
2049 } // namespace net | 2055 } // namespace net |
OLD | NEW |