Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(298)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/ssl_client_socket_impl.cc

Issue 2698113002: Configure renegotiations on, then disable after the handshake. (Closed)
Patch Set: . Created 3 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/socket/ssl_client_socket_impl.h" 5 #include "net/socket/ssl_client_socket_impl.h"
6 6
7 #include <errno.h> 7 #include <errno.h>
8 #include <string.h> 8 #include <string.h>
9 9
10 #include <algorithm> 10 #include <algorithm>
(...skipping 1024 matching lines...) Expand 10 before | Expand all | Expand 10 after
1035 } 1035 }
1036 1036
1037 if (ssl_config_.signed_cert_timestamps_enabled) { 1037 if (ssl_config_.signed_cert_timestamps_enabled) {
1038 SSL_enable_signed_cert_timestamps(ssl_.get()); 1038 SSL_enable_signed_cert_timestamps(ssl_.get());
1039 SSL_enable_ocsp_stapling(ssl_.get()); 1039 SSL_enable_ocsp_stapling(ssl_.get());
1040 } 1040 }
1041 1041
1042 if (cert_verifier_->SupportsOCSPStapling()) 1042 if (cert_verifier_->SupportsOCSPStapling())
1043 SSL_enable_ocsp_stapling(ssl_.get()); 1043 SSL_enable_ocsp_stapling(ssl_.get());
1044 1044
1045 // Configure BoringSSL to allow renegotiations. Once the initial handshake
1046 // completes, if renegotiations are not allowed, the default reject value will
1047 // be restored. This is done in this order to permit a BoringSSL
1048 // optimization. See https://crbug.com/boringssl/123.
1049 SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_freely);
1050
1045 return OK; 1051 return OK;
1046 } 1052 }
1047 1053
1048 void SSLClientSocketImpl::DoReadCallback(int rv) { 1054 void SSLClientSocketImpl::DoReadCallback(int rv) {
1049 // Since Run may result in Read being called, clear |user_read_callback_| 1055 // Since Run may result in Read being called, clear |user_read_callback_|
1050 // up front. 1056 // up front.
1051 if (rv > 0) 1057 if (rv > 0)
1052 was_ever_used_ = true; 1058 was_ever_used_ = true;
1053 user_read_buf_ = NULL; 1059 user_read_buf_ = NULL;
1054 user_read_buf_len_ = 0; 1060 user_read_buf_len_ = 0;
(...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after
1173 size_t ocsp_response_len; 1179 size_t ocsp_response_len;
1174 SSL_get0_ocsp_response(ssl_.get(), &ocsp_response_raw, &ocsp_response_len); 1180 SSL_get0_ocsp_response(ssl_.get(), &ocsp_response_raw, &ocsp_response_len);
1175 set_stapled_ocsp_response_received(ocsp_response_len != 0); 1181 set_stapled_ocsp_response_received(ocsp_response_len != 0);
1176 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); 1182 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0);
1177 1183
1178 const uint8_t* sct_list; 1184 const uint8_t* sct_list;
1179 size_t sct_list_len; 1185 size_t sct_list_len;
1180 SSL_get0_signed_cert_timestamp_list(ssl_.get(), &sct_list, &sct_list_len); 1186 SSL_get0_signed_cert_timestamp_list(ssl_.get(), &sct_list, &sct_list_len);
1181 set_signed_cert_timestamps_received(sct_list_len != 0); 1187 set_signed_cert_timestamps_received(sct_list_len != 0);
1182 1188
1183 if (IsRenegotiationAllowed()) 1189 if (!IsRenegotiationAllowed())
1184 SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_freely); 1190 SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_never);
1185 1191
1186 uint16_t signature_algorithm = SSL_get_peer_signature_algorithm(ssl_.get()); 1192 uint16_t signature_algorithm = SSL_get_peer_signature_algorithm(ssl_.get());
1187 if (signature_algorithm != 0) { 1193 if (signature_algorithm != 0) {
1188 UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLSignatureAlgorithm", 1194 UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLSignatureAlgorithm",
1189 signature_algorithm); 1195 signature_algorithm);
1190 } 1196 }
1191 1197
1192 // Verify the certificate. 1198 // Verify the certificate.
1193 UpdateServerCert(); 1199 UpdateServerCert();
1194 next_handshake_state_ = STATE_VERIFY_CERT; 1200 next_handshake_state_ = STATE_VERIFY_CERT;
(...skipping 845 matching lines...) Expand 10 before | Expand all | Expand 10 after
2040 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && 2046 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED &&
2041 !certificate_requested_) { 2047 !certificate_requested_) {
2042 net_error = ERR_SSL_PROTOCOL_ERROR; 2048 net_error = ERR_SSL_PROTOCOL_ERROR;
2043 } 2049 }
2044 } 2050 }
2045 2051
2046 return net_error; 2052 return net_error;
2047 } 2053 }
2048 2054
2049 } // namespace net 2055 } // namespace net
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698