OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <string.h> | 8 #include <string.h> |
9 | 9 |
10 #include <algorithm> | 10 #include <algorithm> |
(...skipping 218 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
229 "SSLLegacyECDSACiphers", base::FEATURE_DISABLED_BY_DEFAULT}; | 229 "SSLLegacyECDSACiphers", base::FEATURE_DISABLED_BY_DEFAULT}; |
230 | 230 |
231 bool AreLegacyECDSACiphersEnabled() { | 231 bool AreLegacyECDSACiphersEnabled() { |
232 return base::FeatureList::IsEnabled(kLegacyECDSACiphersFeature); | 232 return base::FeatureList::IsEnabled(kLegacyECDSACiphersFeature); |
233 } | 233 } |
234 #endif | 234 #endif |
235 | 235 |
236 const base::Feature kShortRecordHeaderFeature{ | 236 const base::Feature kShortRecordHeaderFeature{ |
237 "SSLShortRecordHeader", base::FEATURE_DISABLED_BY_DEFAULT}; | 237 "SSLShortRecordHeader", base::FEATURE_DISABLED_BY_DEFAULT}; |
238 | 238 |
239 std::unique_ptr<base::Value> NetLogSSLAlertCallback( | |
240 const void* bytes, | |
241 size_t len, | |
242 NetLogCaptureMode capture_mode) { | |
243 std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue()); | |
244 dict->SetString("hex_encoded_bytes", base::HexEncode(bytes, len)); | |
245 return std::move(dict); | |
246 } | |
247 | |
248 std::unique_ptr<base::Value> NetLogSSLMessageCallback( | |
249 bool is_write, | |
250 const void* bytes, | |
251 size_t len, | |
252 NetLogCaptureMode capture_mode) { | |
253 std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue()); | |
254 if (len == 0) { | |
255 NOTREACHED(); | |
256 return std::move(dict); | |
257 } | |
258 | |
259 // The handshake message type is the first byte. Include it so elided messages | |
260 // still report their type. | |
261 uint8_t type = reinterpret_cast<const uint8_t*>(bytes)[0]; | |
262 dict->SetInteger("type", type); | |
263 | |
264 // Elide client certificate messages unless logging socket bytes. | |
265 if (!is_write || type != SSL3_MT_CERTIFICATE || | |
266 capture_mode.include_socket_bytes()) { | |
267 dict->SetString("hex_encoded_bytes", base::HexEncode(bytes, len)); | |
268 } | |
269 | |
270 return std::move(dict); | |
271 } | |
272 | |
239 } // namespace | 273 } // namespace |
240 | 274 |
241 class SSLClientSocketImpl::SSLContext { | 275 class SSLClientSocketImpl::SSLContext { |
242 public: | 276 public: |
243 static SSLContext* GetInstance() { | 277 static SSLContext* GetInstance() { |
244 return base::Singleton<SSLContext, | 278 return base::Singleton<SSLContext, |
245 base::LeakySingletonTraits<SSLContext>>::get(); | 279 base::LeakySingletonTraits<SSLContext>>::get(); |
246 } | 280 } |
247 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); } | 281 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); } |
248 SSLClientSessionCache* session_cache() { return &session_cache_; } | 282 SSLClientSessionCache* session_cache() { return &session_cache_; } |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
292 | 326 |
293 SSL_CTX_set_grease_enabled(ssl_ctx_.get(), 1); | 327 SSL_CTX_set_grease_enabled(ssl_ctx_.get(), 1); |
294 | 328 |
295 // Deduplicate all certificates minted from the SSL_CTX in memory. | 329 // Deduplicate all certificates minted from the SSL_CTX in memory. |
296 SSL_CTX_set0_buffer_pool(ssl_ctx_.get(), x509_util::GetBufferPool()); | 330 SSL_CTX_set0_buffer_pool(ssl_ctx_.get(), x509_util::GetBufferPool()); |
297 | 331 |
298 if (base::FeatureList::IsEnabled(kShortRecordHeaderFeature)) { | 332 if (base::FeatureList::IsEnabled(kShortRecordHeaderFeature)) { |
299 SSL_CTX_set_short_header_enabled(ssl_ctx_.get(), 1); | 333 SSL_CTX_set_short_header_enabled(ssl_ctx_.get(), 1); |
300 } | 334 } |
301 | 335 |
336 SSL_CTX_set_msg_callback(ssl_ctx_.get(), MessageCallback); | |
337 | |
302 if (!SSL_CTX_add_client_custom_ext(ssl_ctx_.get(), kTbExtNum, | 338 if (!SSL_CTX_add_client_custom_ext(ssl_ctx_.get(), kTbExtNum, |
303 &TokenBindingAddCallback, | 339 &TokenBindingAddCallback, |
304 &TokenBindingFreeCallback, nullptr, | 340 &TokenBindingFreeCallback, nullptr, |
305 &TokenBindingParseCallback, nullptr)) { | 341 &TokenBindingParseCallback, nullptr)) { |
306 NOTREACHED(); | 342 NOTREACHED(); |
307 } | 343 } |
308 } | 344 } |
309 | 345 |
310 static int TokenBindingAddCallback(SSL* ssl, | 346 static int TokenBindingAddCallback(SSL* ssl, |
311 unsigned int extension_value, | 347 unsigned int extension_value, |
(...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
391 SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl); | 427 SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
392 return socket->PrivateKeyCompleteCallback(out, out_len, max_out); | 428 return socket->PrivateKeyCompleteCallback(out, out_len, max_out); |
393 } | 429 } |
394 | 430 |
395 #if !defined(OS_NACL) | 431 #if !defined(OS_NACL) |
396 static void KeyLogCallback(const SSL* ssl, const char* line) { | 432 static void KeyLogCallback(const SSL* ssl, const char* line) { |
397 GetInstance()->ssl_key_logger_->WriteLine(line); | 433 GetInstance()->ssl_key_logger_->WriteLine(line); |
398 } | 434 } |
399 #endif | 435 #endif |
400 | 436 |
437 static void MessageCallback(int is_write, | |
438 int version, | |
439 int content_type, | |
440 const void* buf, | |
441 size_t len, | |
442 SSL* ssl, | |
443 void* arg) { | |
444 SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl); | |
445 return socket->MessageCallback(is_write, content_type, buf, len); | |
446 } | |
447 | |
401 // This is the index used with SSL_get_ex_data to retrieve the owner | 448 // This is the index used with SSL_get_ex_data to retrieve the owner |
402 // SSLClientSocketImpl object from an SSL instance. | 449 // SSLClientSocketImpl object from an SSL instance. |
403 int ssl_socket_data_index_; | 450 int ssl_socket_data_index_; |
404 | 451 |
405 bssl::UniquePtr<SSL_CTX> ssl_ctx_; | 452 bssl::UniquePtr<SSL_CTX> ssl_ctx_; |
406 | 453 |
407 #if !defined(OS_NACL) | 454 #if !defined(OS_NACL) |
408 std::unique_ptr<SSLKeyLogger> ssl_key_logger_; | 455 std::unique_ptr<SSLKeyLogger> ssl_key_logger_; |
409 #endif | 456 #endif |
410 | 457 |
(...skipping 1483 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1894 | 1941 |
1895 signature_result_ = error; | 1942 signature_result_ = error; |
1896 if (signature_result_ == OK) | 1943 if (signature_result_ == OK) |
1897 signature_ = signature; | 1944 signature_ = signature; |
1898 | 1945 |
1899 // During a renegotiation, either Read or Write calls may be blocked on an | 1946 // During a renegotiation, either Read or Write calls may be blocked on an |
1900 // asynchronous private key operation. | 1947 // asynchronous private key operation. |
1901 RetryAllOperations(); | 1948 RetryAllOperations(); |
1902 } | 1949 } |
1903 | 1950 |
1951 void SSLClientSocketImpl::MessageCallback(int is_write, | |
1952 int content_type, | |
1953 const void* buf, | |
1954 size_t len) { | |
1955 switch (content_type) { | |
1956 case SSL3_RT_ALERT: | |
1957 net_log_.AddEvent( | |
1958 is_write ? NetLogEventType::SSL_ALERT_SENT | |
1959 : NetLogEventType::SSL_ALERT_RECEIVED, | |
1960 base::Bind(&NetLogSSLAlertCallback, base::Unretained(buf), len)); | |
eroman
2017/02/17 22:16:51
Is Unretained() needed here, or is it just for doc
davidben
2017/04/18 20:51:17
Oh, I didn't realize they weren't needed. Removed.
| |
1961 break; | |
1962 case SSL3_RT_HANDSHAKE: | |
1963 net_log_.AddEvent(is_write | |
1964 ? NetLogEventType::SSL_HANDSHAKE_MESSAGE_SENT | |
1965 : NetLogEventType::SSL_HANDSHAKE_MESSAGE_RECEIVED, | |
1966 base::Bind(&NetLogSSLMessageCallback, !!is_write, | |
1967 base::Unretained(buf), len)); | |
1968 break; | |
1969 default: | |
1970 return; | |
1971 } | |
1972 } | |
1973 | |
1904 int SSLClientSocketImpl::TokenBindingAdd(const uint8_t** out, | 1974 int SSLClientSocketImpl::TokenBindingAdd(const uint8_t** out, |
1905 size_t* out_len, | 1975 size_t* out_len, |
1906 int* out_alert_value) { | 1976 int* out_alert_value) { |
1907 if (ssl_config_.token_binding_params.empty()) { | 1977 if (ssl_config_.token_binding_params.empty()) { |
1908 return 0; | 1978 return 0; |
1909 } | 1979 } |
1910 bssl::ScopedCBB output; | 1980 bssl::ScopedCBB output; |
1911 CBB parameters_list; | 1981 CBB parameters_list; |
1912 if (!CBB_init(output.get(), 7) || | 1982 if (!CBB_init(output.get(), 7) || |
1913 !CBB_add_u8(output.get(), kTbProtocolVersionMajor) || | 1983 !CBB_add_u8(output.get(), kTbProtocolVersionMajor) || |
(...skipping 135 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2049 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && | 2119 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && |
2050 !certificate_requested_) { | 2120 !certificate_requested_) { |
2051 net_error = ERR_SSL_PROTOCOL_ERROR; | 2121 net_error = ERR_SSL_PROTOCOL_ERROR; |
2052 } | 2122 } |
2053 } | 2123 } |
2054 | 2124 |
2055 return net_error; | 2125 return net_error; |
2056 } | 2126 } |
2057 | 2127 |
2058 } // namespace net | 2128 } // namespace net |
OLD | NEW |