OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <string.h> | 8 #include <string.h> |
9 | 9 |
10 #include <algorithm> | 10 #include <algorithm> |
(...skipping 237 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
248 #if !defined(OS_IOS) && !BUILDFLAG(USE_BYTE_CERTS) | 248 #if !defined(OS_IOS) && !BUILDFLAG(USE_BYTE_CERTS) |
249 bssl::UniquePtr<CRYPTO_BUFFER> OSCertHandleToBuffer( | 249 bssl::UniquePtr<CRYPTO_BUFFER> OSCertHandleToBuffer( |
250 X509Certificate::OSCertHandle os_handle) { | 250 X509Certificate::OSCertHandle os_handle) { |
251 std::string der_encoded; | 251 std::string der_encoded; |
252 if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded)) | 252 if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded)) |
253 return nullptr; | 253 return nullptr; |
254 return x509_util::CreateCryptoBuffer(der_encoded); | 254 return x509_util::CreateCryptoBuffer(der_encoded); |
255 } | 255 } |
256 #endif | 256 #endif |
257 | 257 |
| 258 std::unique_ptr<base::Value> NetLogSSLAlertCallback( |
| 259 const void* bytes, |
| 260 size_t len, |
| 261 NetLogCaptureMode capture_mode) { |
| 262 std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue()); |
| 263 dict->SetString("hex_encoded_bytes", base::HexEncode(bytes, len)); |
| 264 return std::move(dict); |
| 265 } |
| 266 |
| 267 std::unique_ptr<base::Value> NetLogSSLMessageCallback( |
| 268 bool is_write, |
| 269 const void* bytes, |
| 270 size_t len, |
| 271 NetLogCaptureMode capture_mode) { |
| 272 std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue()); |
| 273 if (len == 0) { |
| 274 NOTREACHED(); |
| 275 return std::move(dict); |
| 276 } |
| 277 |
| 278 // The handshake message type is the first byte. Include it so elided messages |
| 279 // still report their type. |
| 280 uint8_t type = reinterpret_cast<const uint8_t*>(bytes)[0]; |
| 281 dict->SetInteger("type", type); |
| 282 |
| 283 // Elide client certificate messages unless logging socket bytes. The client |
| 284 // certificate does not contain information needed to impersonate the user |
| 285 // (that's the private key which isn't sent over the wire), but it may contain |
| 286 // information on the user's identity. |
| 287 if (!is_write || type != SSL3_MT_CERTIFICATE || |
| 288 capture_mode.include_socket_bytes()) { |
| 289 dict->SetString("hex_encoded_bytes", base::HexEncode(bytes, len)); |
| 290 } |
| 291 |
| 292 return std::move(dict); |
| 293 } |
| 294 |
258 } // namespace | 295 } // namespace |
259 | 296 |
260 class SSLClientSocketImpl::SSLContext { | 297 class SSLClientSocketImpl::SSLContext { |
261 public: | 298 public: |
262 static SSLContext* GetInstance() { | 299 static SSLContext* GetInstance() { |
263 return base::Singleton<SSLContext, | 300 return base::Singleton<SSLContext, |
264 base::LeakySingletonTraits<SSLContext>>::get(); | 301 base::LeakySingletonTraits<SSLContext>>::get(); |
265 } | 302 } |
266 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); } | 303 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); } |
267 SSLClientSessionCache* session_cache() { return &session_cache_; } | 304 SSLClientSessionCache* session_cache() { return &session_cache_; } |
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
308 SSL_CTX_set_session_cache_mode( | 345 SSL_CTX_set_session_cache_mode( |
309 ssl_ctx_.get(), SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL); | 346 ssl_ctx_.get(), SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL); |
310 SSL_CTX_sess_set_new_cb(ssl_ctx_.get(), NewSessionCallback); | 347 SSL_CTX_sess_set_new_cb(ssl_ctx_.get(), NewSessionCallback); |
311 SSL_CTX_set_timeout(ssl_ctx_.get(), 1 * 60 * 60 /* one hour */); | 348 SSL_CTX_set_timeout(ssl_ctx_.get(), 1 * 60 * 60 /* one hour */); |
312 | 349 |
313 SSL_CTX_set_grease_enabled(ssl_ctx_.get(), 1); | 350 SSL_CTX_set_grease_enabled(ssl_ctx_.get(), 1); |
314 | 351 |
315 // Deduplicate all certificates minted from the SSL_CTX in memory. | 352 // Deduplicate all certificates minted from the SSL_CTX in memory. |
316 SSL_CTX_set0_buffer_pool(ssl_ctx_.get(), x509_util::GetBufferPool()); | 353 SSL_CTX_set0_buffer_pool(ssl_ctx_.get(), x509_util::GetBufferPool()); |
317 | 354 |
| 355 SSL_CTX_set_msg_callback(ssl_ctx_.get(), MessageCallback); |
| 356 |
318 if (!SSL_CTX_add_client_custom_ext(ssl_ctx_.get(), kTbExtNum, | 357 if (!SSL_CTX_add_client_custom_ext(ssl_ctx_.get(), kTbExtNum, |
319 &TokenBindingAddCallback, | 358 &TokenBindingAddCallback, |
320 &TokenBindingFreeCallback, nullptr, | 359 &TokenBindingFreeCallback, nullptr, |
321 &TokenBindingParseCallback, nullptr)) { | 360 &TokenBindingParseCallback, nullptr)) { |
322 NOTREACHED(); | 361 NOTREACHED(); |
323 } | 362 } |
324 } | 363 } |
325 | 364 |
326 static int TokenBindingAddCallback(SSL* ssl, | 365 static int TokenBindingAddCallback(SSL* ssl, |
327 unsigned int extension_value, | 366 unsigned int extension_value, |
(...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
398 SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl); | 437 SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
399 return socket->PrivateKeyCompleteCallback(out, out_len, max_out); | 438 return socket->PrivateKeyCompleteCallback(out, out_len, max_out); |
400 } | 439 } |
401 | 440 |
402 #if !defined(OS_NACL) | 441 #if !defined(OS_NACL) |
403 static void KeyLogCallback(const SSL* ssl, const char* line) { | 442 static void KeyLogCallback(const SSL* ssl, const char* line) { |
404 GetInstance()->ssl_key_logger_->WriteLine(line); | 443 GetInstance()->ssl_key_logger_->WriteLine(line); |
405 } | 444 } |
406 #endif | 445 #endif |
407 | 446 |
| 447 static void MessageCallback(int is_write, |
| 448 int version, |
| 449 int content_type, |
| 450 const void* buf, |
| 451 size_t len, |
| 452 SSL* ssl, |
| 453 void* arg) { |
| 454 SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
| 455 return socket->MessageCallback(is_write, content_type, buf, len); |
| 456 } |
| 457 |
408 // This is the index used with SSL_get_ex_data to retrieve the owner | 458 // This is the index used with SSL_get_ex_data to retrieve the owner |
409 // SSLClientSocketImpl object from an SSL instance. | 459 // SSLClientSocketImpl object from an SSL instance. |
410 int ssl_socket_data_index_; | 460 int ssl_socket_data_index_; |
411 | 461 |
412 bssl::UniquePtr<SSL_CTX> ssl_ctx_; | 462 bssl::UniquePtr<SSL_CTX> ssl_ctx_; |
413 | 463 |
414 #if !defined(OS_NACL) | 464 #if !defined(OS_NACL) |
415 std::unique_ptr<SSLKeyLogger> ssl_key_logger_; | 465 std::unique_ptr<SSLKeyLogger> ssl_key_logger_; |
416 #endif | 466 #endif |
417 | 467 |
(...skipping 1387 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1805 | 1855 |
1806 signature_result_ = error; | 1856 signature_result_ = error; |
1807 if (signature_result_ == OK) | 1857 if (signature_result_ == OK) |
1808 signature_ = signature; | 1858 signature_ = signature; |
1809 | 1859 |
1810 // During a renegotiation, either Read or Write calls may be blocked on an | 1860 // During a renegotiation, either Read or Write calls may be blocked on an |
1811 // asynchronous private key operation. | 1861 // asynchronous private key operation. |
1812 RetryAllOperations(); | 1862 RetryAllOperations(); |
1813 } | 1863 } |
1814 | 1864 |
| 1865 void SSLClientSocketImpl::MessageCallback(int is_write, |
| 1866 int content_type, |
| 1867 const void* buf, |
| 1868 size_t len) { |
| 1869 switch (content_type) { |
| 1870 case SSL3_RT_ALERT: |
| 1871 net_log_.AddEvent(is_write ? NetLogEventType::SSL_ALERT_SENT |
| 1872 : NetLogEventType::SSL_ALERT_RECEIVED, |
| 1873 base::Bind(&NetLogSSLAlertCallback, buf, len)); |
| 1874 break; |
| 1875 case SSL3_RT_HANDSHAKE: |
| 1876 net_log_.AddEvent( |
| 1877 is_write ? NetLogEventType::SSL_HANDSHAKE_MESSAGE_SENT |
| 1878 : NetLogEventType::SSL_HANDSHAKE_MESSAGE_RECEIVED, |
| 1879 base::Bind(&NetLogSSLMessageCallback, !!is_write, buf, len)); |
| 1880 break; |
| 1881 default: |
| 1882 return; |
| 1883 } |
| 1884 } |
| 1885 |
1815 int SSLClientSocketImpl::TokenBindingAdd(const uint8_t** out, | 1886 int SSLClientSocketImpl::TokenBindingAdd(const uint8_t** out, |
1816 size_t* out_len, | 1887 size_t* out_len, |
1817 int* out_alert_value) { | 1888 int* out_alert_value) { |
1818 if (ssl_config_.token_binding_params.empty()) { | 1889 if (ssl_config_.token_binding_params.empty()) { |
1819 return 0; | 1890 return 0; |
1820 } | 1891 } |
1821 bssl::ScopedCBB output; | 1892 bssl::ScopedCBB output; |
1822 CBB parameters_list; | 1893 CBB parameters_list; |
1823 if (!CBB_init(output.get(), 7) || | 1894 if (!CBB_init(output.get(), 7) || |
1824 !CBB_add_u8(output.get(), kTbProtocolVersionMajor) || | 1895 !CBB_add_u8(output.get(), kTbProtocolVersionMajor) || |
(...skipping 135 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1960 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && | 2031 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && |
1961 !certificate_requested_) { | 2032 !certificate_requested_) { |
1962 net_error = ERR_SSL_PROTOCOL_ERROR; | 2033 net_error = ERR_SSL_PROTOCOL_ERROR; |
1963 } | 2034 } |
1964 } | 2035 } |
1965 | 2036 |
1966 return net_error; | 2037 return net_error; |
1967 } | 2038 } |
1968 | 2039 |
1969 } // namespace net | 2040 } // namespace net |
OLD | NEW |