| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <string.h> | 8 #include <string.h> |
| 9 | 9 |
| 10 #include <algorithm> | 10 #include <algorithm> |
| (...skipping 237 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 248 #if !defined(OS_IOS) && !BUILDFLAG(USE_BYTE_CERTS) | 248 #if !defined(OS_IOS) && !BUILDFLAG(USE_BYTE_CERTS) |
| 249 bssl::UniquePtr<CRYPTO_BUFFER> OSCertHandleToBuffer( | 249 bssl::UniquePtr<CRYPTO_BUFFER> OSCertHandleToBuffer( |
| 250 X509Certificate::OSCertHandle os_handle) { | 250 X509Certificate::OSCertHandle os_handle) { |
| 251 std::string der_encoded; | 251 std::string der_encoded; |
| 252 if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded)) | 252 if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded)) |
| 253 return nullptr; | 253 return nullptr; |
| 254 return x509_util::CreateCryptoBuffer(der_encoded); | 254 return x509_util::CreateCryptoBuffer(der_encoded); |
| 255 } | 255 } |
| 256 #endif | 256 #endif |
| 257 | 257 |
| 258 std::unique_ptr<base::Value> NetLogSSLAlertCallback( |
| 259 const void* bytes, |
| 260 size_t len, |
| 261 NetLogCaptureMode capture_mode) { |
| 262 std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue()); |
| 263 dict->SetString("hex_encoded_bytes", base::HexEncode(bytes, len)); |
| 264 return std::move(dict); |
| 265 } |
| 266 |
| 267 std::unique_ptr<base::Value> NetLogSSLMessageCallback( |
| 268 bool is_write, |
| 269 const void* bytes, |
| 270 size_t len, |
| 271 NetLogCaptureMode capture_mode) { |
| 272 std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue()); |
| 273 if (len == 0) { |
| 274 NOTREACHED(); |
| 275 return std::move(dict); |
| 276 } |
| 277 |
| 278 // The handshake message type is the first byte. Include it so elided messages |
| 279 // still report their type. |
| 280 uint8_t type = reinterpret_cast<const uint8_t*>(bytes)[0]; |
| 281 dict->SetInteger("type", type); |
| 282 |
| 283 // Elide client certificate messages unless logging socket bytes. The client |
| 284 // certificate does not contain information needed to impersonate the user |
| 285 // (that's the private key which isn't sent over the wire), but it may contain |
| 286 // information on the user's identity. |
| 287 if (!is_write || type != SSL3_MT_CERTIFICATE || |
| 288 capture_mode.include_socket_bytes()) { |
| 289 dict->SetString("hex_encoded_bytes", base::HexEncode(bytes, len)); |
| 290 } |
| 291 |
| 292 return std::move(dict); |
| 293 } |
| 294 |
| 258 } // namespace | 295 } // namespace |
| 259 | 296 |
| 260 class SSLClientSocketImpl::SSLContext { | 297 class SSLClientSocketImpl::SSLContext { |
| 261 public: | 298 public: |
| 262 static SSLContext* GetInstance() { | 299 static SSLContext* GetInstance() { |
| 263 return base::Singleton<SSLContext, | 300 return base::Singleton<SSLContext, |
| 264 base::LeakySingletonTraits<SSLContext>>::get(); | 301 base::LeakySingletonTraits<SSLContext>>::get(); |
| 265 } | 302 } |
| 266 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); } | 303 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); } |
| 267 SSLClientSessionCache* session_cache() { return &session_cache_; } | 304 SSLClientSessionCache* session_cache() { return &session_cache_; } |
| (...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 308 SSL_CTX_set_session_cache_mode( | 345 SSL_CTX_set_session_cache_mode( |
| 309 ssl_ctx_.get(), SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL); | 346 ssl_ctx_.get(), SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL); |
| 310 SSL_CTX_sess_set_new_cb(ssl_ctx_.get(), NewSessionCallback); | 347 SSL_CTX_sess_set_new_cb(ssl_ctx_.get(), NewSessionCallback); |
| 311 SSL_CTX_set_timeout(ssl_ctx_.get(), 1 * 60 * 60 /* one hour */); | 348 SSL_CTX_set_timeout(ssl_ctx_.get(), 1 * 60 * 60 /* one hour */); |
| 312 | 349 |
| 313 SSL_CTX_set_grease_enabled(ssl_ctx_.get(), 1); | 350 SSL_CTX_set_grease_enabled(ssl_ctx_.get(), 1); |
| 314 | 351 |
| 315 // Deduplicate all certificates minted from the SSL_CTX in memory. | 352 // Deduplicate all certificates minted from the SSL_CTX in memory. |
| 316 SSL_CTX_set0_buffer_pool(ssl_ctx_.get(), x509_util::GetBufferPool()); | 353 SSL_CTX_set0_buffer_pool(ssl_ctx_.get(), x509_util::GetBufferPool()); |
| 317 | 354 |
| 355 SSL_CTX_set_msg_callback(ssl_ctx_.get(), MessageCallback); |
| 356 |
| 318 if (!SSL_CTX_add_client_custom_ext(ssl_ctx_.get(), kTbExtNum, | 357 if (!SSL_CTX_add_client_custom_ext(ssl_ctx_.get(), kTbExtNum, |
| 319 &TokenBindingAddCallback, | 358 &TokenBindingAddCallback, |
| 320 &TokenBindingFreeCallback, nullptr, | 359 &TokenBindingFreeCallback, nullptr, |
| 321 &TokenBindingParseCallback, nullptr)) { | 360 &TokenBindingParseCallback, nullptr)) { |
| 322 NOTREACHED(); | 361 NOTREACHED(); |
| 323 } | 362 } |
| 324 } | 363 } |
| 325 | 364 |
| 326 static int TokenBindingAddCallback(SSL* ssl, | 365 static int TokenBindingAddCallback(SSL* ssl, |
| 327 unsigned int extension_value, | 366 unsigned int extension_value, |
| (...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 398 SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl); | 437 SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
| 399 return socket->PrivateKeyCompleteCallback(out, out_len, max_out); | 438 return socket->PrivateKeyCompleteCallback(out, out_len, max_out); |
| 400 } | 439 } |
| 401 | 440 |
| 402 #if !defined(OS_NACL) | 441 #if !defined(OS_NACL) |
| 403 static void KeyLogCallback(const SSL* ssl, const char* line) { | 442 static void KeyLogCallback(const SSL* ssl, const char* line) { |
| 404 GetInstance()->ssl_key_logger_->WriteLine(line); | 443 GetInstance()->ssl_key_logger_->WriteLine(line); |
| 405 } | 444 } |
| 406 #endif | 445 #endif |
| 407 | 446 |
| 447 static void MessageCallback(int is_write, |
| 448 int version, |
| 449 int content_type, |
| 450 const void* buf, |
| 451 size_t len, |
| 452 SSL* ssl, |
| 453 void* arg) { |
| 454 SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
| 455 return socket->MessageCallback(is_write, content_type, buf, len); |
| 456 } |
| 457 |
| 408 // This is the index used with SSL_get_ex_data to retrieve the owner | 458 // This is the index used with SSL_get_ex_data to retrieve the owner |
| 409 // SSLClientSocketImpl object from an SSL instance. | 459 // SSLClientSocketImpl object from an SSL instance. |
| 410 int ssl_socket_data_index_; | 460 int ssl_socket_data_index_; |
| 411 | 461 |
| 412 bssl::UniquePtr<SSL_CTX> ssl_ctx_; | 462 bssl::UniquePtr<SSL_CTX> ssl_ctx_; |
| 413 | 463 |
| 414 #if !defined(OS_NACL) | 464 #if !defined(OS_NACL) |
| 415 std::unique_ptr<SSLKeyLogger> ssl_key_logger_; | 465 std::unique_ptr<SSLKeyLogger> ssl_key_logger_; |
| 416 #endif | 466 #endif |
| 417 | 467 |
| (...skipping 1387 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1805 | 1855 |
| 1806 signature_result_ = error; | 1856 signature_result_ = error; |
| 1807 if (signature_result_ == OK) | 1857 if (signature_result_ == OK) |
| 1808 signature_ = signature; | 1858 signature_ = signature; |
| 1809 | 1859 |
| 1810 // During a renegotiation, either Read or Write calls may be blocked on an | 1860 // During a renegotiation, either Read or Write calls may be blocked on an |
| 1811 // asynchronous private key operation. | 1861 // asynchronous private key operation. |
| 1812 RetryAllOperations(); | 1862 RetryAllOperations(); |
| 1813 } | 1863 } |
| 1814 | 1864 |
| 1865 void SSLClientSocketImpl::MessageCallback(int is_write, |
| 1866 int content_type, |
| 1867 const void* buf, |
| 1868 size_t len) { |
| 1869 switch (content_type) { |
| 1870 case SSL3_RT_ALERT: |
| 1871 net_log_.AddEvent(is_write ? NetLogEventType::SSL_ALERT_SENT |
| 1872 : NetLogEventType::SSL_ALERT_RECEIVED, |
| 1873 base::Bind(&NetLogSSLAlertCallback, buf, len)); |
| 1874 break; |
| 1875 case SSL3_RT_HANDSHAKE: |
| 1876 net_log_.AddEvent( |
| 1877 is_write ? NetLogEventType::SSL_HANDSHAKE_MESSAGE_SENT |
| 1878 : NetLogEventType::SSL_HANDSHAKE_MESSAGE_RECEIVED, |
| 1879 base::Bind(&NetLogSSLMessageCallback, !!is_write, buf, len)); |
| 1880 break; |
| 1881 default: |
| 1882 return; |
| 1883 } |
| 1884 } |
| 1885 |
| 1815 int SSLClientSocketImpl::TokenBindingAdd(const uint8_t** out, | 1886 int SSLClientSocketImpl::TokenBindingAdd(const uint8_t** out, |
| 1816 size_t* out_len, | 1887 size_t* out_len, |
| 1817 int* out_alert_value) { | 1888 int* out_alert_value) { |
| 1818 if (ssl_config_.token_binding_params.empty()) { | 1889 if (ssl_config_.token_binding_params.empty()) { |
| 1819 return 0; | 1890 return 0; |
| 1820 } | 1891 } |
| 1821 bssl::ScopedCBB output; | 1892 bssl::ScopedCBB output; |
| 1822 CBB parameters_list; | 1893 CBB parameters_list; |
| 1823 if (!CBB_init(output.get(), 7) || | 1894 if (!CBB_init(output.get(), 7) || |
| 1824 !CBB_add_u8(output.get(), kTbProtocolVersionMajor) || | 1895 !CBB_add_u8(output.get(), kTbProtocolVersionMajor) || |
| (...skipping 135 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1960 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && | 2031 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && |
| 1961 !certificate_requested_) { | 2032 !certificate_requested_) { |
| 1962 net_error = ERR_SSL_PROTOCOL_ERROR; | 2033 net_error = ERR_SSL_PROTOCOL_ERROR; |
| 1963 } | 2034 } |
| 1964 } | 2035 } |
| 1965 | 2036 |
| 1966 return net_error; | 2037 return net_error; |
| 1967 } | 2038 } |
| 1968 | 2039 |
| 1969 } // namespace net | 2040 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2704623002:
Add non-application-data SSL messages to NetLog. (Closed)
