| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
| 11 #include <openssl/opensslv.h> | 11 #include <openssl/opensslv.h> |
| 12 #include <openssl/ssl.h> | 12 #include <openssl/ssl.h> |
| 13 | 13 |
| 14 #include "base/bind.h" | 14 #include "base/bind.h" |
| 15 #include "base/callback_helpers.h" | 15 #include "base/callback_helpers.h" |
| 16 #include "base/debug/alias.h" | |
| 17 #include "base/memory/singleton.h" | 16 #include "base/memory/singleton.h" |
| 18 #include "base/metrics/histogram.h" | 17 #include "base/metrics/histogram.h" |
| 19 #include "base/synchronization/lock.h" | 18 #include "base/synchronization/lock.h" |
| 20 #include "crypto/ec_private_key.h" | 19 #include "crypto/ec_private_key.h" |
| 21 #include "crypto/openssl_util.h" | 20 #include "crypto/openssl_util.h" |
| 22 #include "net/base/net_errors.h" | 21 #include "net/base/net_errors.h" |
| 23 #include "net/cert/cert_verifier.h" | 22 #include "net/cert/cert_verifier.h" |
| 24 #include "net/cert/single_request_cert_verifier.h" | 23 #include "net/cert/single_request_cert_verifier.h" |
| 25 #include "net/cert/x509_certificate_net_log_param.h" | 24 #include "net/cert/x509_certificate_net_log_param.h" |
| 25 #include "net/socket/openssl_ssl_util.h" |
| 26 #include "net/socket/ssl_error_params.h" | 26 #include "net/socket/ssl_error_params.h" |
| 27 #include "net/socket/ssl_session_cache_openssl.h" | 27 #include "net/socket/ssl_session_cache_openssl.h" |
| 28 #include "net/ssl/openssl_client_key_store.h" | 28 #include "net/ssl/openssl_client_key_store.h" |
| 29 #include "net/ssl/ssl_cert_request_info.h" | 29 #include "net/ssl/ssl_cert_request_info.h" |
| 30 #include "net/ssl/ssl_connection_status_flags.h" | 30 #include "net/ssl/ssl_connection_status_flags.h" |
| 31 #include "net/ssl/ssl_info.h" | 31 #include "net/ssl/ssl_info.h" |
| 32 | 32 |
| 33 namespace net { | 33 namespace net { |
| 34 | 34 |
| 35 namespace { | 35 namespace { |
| (...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 80 return SSL_CONNECTION_VERSION_TLS1; | 80 return SSL_CONNECTION_VERSION_TLS1; |
| 81 case 0x0302: | 81 case 0x0302: |
| 82 return SSL_CONNECTION_VERSION_TLS1_1; | 82 return SSL_CONNECTION_VERSION_TLS1_1; |
| 83 case 0x0303: | 83 case 0x0303: |
| 84 return SSL_CONNECTION_VERSION_TLS1_2; | 84 return SSL_CONNECTION_VERSION_TLS1_2; |
| 85 default: | 85 default: |
| 86 return SSL_CONNECTION_VERSION_UNKNOWN; | 86 return SSL_CONNECTION_VERSION_UNKNOWN; |
| 87 } | 87 } |
| 88 } | 88 } |
| 89 | 89 |
| 90 int MapOpenSSLErrorSSL() { | |
| 91 // Walk down the error stack to find the SSLerr generated reason. | |
| 92 unsigned long error_code; | |
| 93 do { | |
| 94 error_code = ERR_get_error(); | |
| 95 if (error_code == 0) | |
| 96 return ERR_SSL_PROTOCOL_ERROR; | |
| 97 } while (ERR_GET_LIB(error_code) != ERR_LIB_SSL); | |
| 98 | |
| 99 DVLOG(1) << "OpenSSL SSL error, reason: " << ERR_GET_REASON(error_code) | |
| 100 << ", name: " << ERR_error_string(error_code, NULL); | |
| 101 switch (ERR_GET_REASON(error_code)) { | |
| 102 case SSL_R_READ_TIMEOUT_EXPIRED: | |
| 103 return ERR_TIMED_OUT; | |
| 104 case SSL_R_BAD_RESPONSE_ARGUMENT: | |
| 105 return ERR_INVALID_ARGUMENT; | |
| 106 case SSL_R_UNKNOWN_CERTIFICATE_TYPE: | |
| 107 case SSL_R_UNKNOWN_CIPHER_TYPE: | |
| 108 case SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE: | |
| 109 case SSL_R_UNKNOWN_PKEY_TYPE: | |
| 110 case SSL_R_UNKNOWN_REMOTE_ERROR_TYPE: | |
| 111 case SSL_R_UNKNOWN_SSL_VERSION: | |
| 112 return ERR_NOT_IMPLEMENTED; | |
| 113 case SSL_R_UNSUPPORTED_SSL_VERSION: | |
| 114 case SSL_R_NO_CIPHER_MATCH: | |
| 115 case SSL_R_NO_SHARED_CIPHER: | |
| 116 case SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY: | |
| 117 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION: | |
| 118 case SSL_R_UNSUPPORTED_PROTOCOL: | |
| 119 return ERR_SSL_VERSION_OR_CIPHER_MISMATCH; | |
| 120 case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE: | |
| 121 case SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE: | |
| 122 case SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED: | |
| 123 case SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED: | |
| 124 case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN: | |
| 125 case SSL_R_TLSV1_ALERT_ACCESS_DENIED: | |
| 126 case SSL_R_TLSV1_ALERT_UNKNOWN_CA: | |
| 127 return ERR_BAD_SSL_CLIENT_AUTH_CERT; | |
| 128 case SSL_R_BAD_DECOMPRESSION: | |
| 129 case SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE: | |
| 130 return ERR_SSL_DECOMPRESSION_FAILURE_ALERT; | |
| 131 case SSL_R_SSLV3_ALERT_BAD_RECORD_MAC: | |
| 132 return ERR_SSL_BAD_RECORD_MAC_ALERT; | |
| 133 case SSL_R_TLSV1_ALERT_DECRYPT_ERROR: | |
| 134 return ERR_SSL_DECRYPT_ERROR_ALERT; | |
| 135 case SSL_R_TLSV1_UNRECOGNIZED_NAME: | |
| 136 return ERR_SSL_UNRECOGNIZED_NAME_ALERT; | |
| 137 case SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED: | |
| 138 return ERR_SSL_UNSAFE_NEGOTIATION; | |
| 139 case SSL_R_WRONG_NUMBER_OF_KEY_BITS: | |
| 140 return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY; | |
| 141 // SSL_R_UNKNOWN_PROTOCOL is reported if premature application data is | |
| 142 // received (see http://crbug.com/42538), and also if all the protocol | |
| 143 // versions supported by the server were disabled in this socket instance. | |
| 144 // Mapped to ERR_SSL_PROTOCOL_ERROR for compatibility with other SSL sockets | |
| 145 // in the former scenario. | |
| 146 case SSL_R_UNKNOWN_PROTOCOL: | |
| 147 case SSL_R_SSL_HANDSHAKE_FAILURE: | |
| 148 case SSL_R_DECRYPTION_FAILED: | |
| 149 case SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC: | |
| 150 case SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG: | |
| 151 case SSL_R_DIGEST_CHECK_FAILED: | |
| 152 case SSL_R_DUPLICATE_COMPRESSION_ID: | |
| 153 case SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER: | |
| 154 case SSL_R_ENCRYPTED_LENGTH_TOO_LONG: | |
| 155 case SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST: | |
| 156 case SSL_R_EXCESSIVE_MESSAGE_SIZE: | |
| 157 case SSL_R_EXTRA_DATA_IN_MESSAGE: | |
| 158 case SSL_R_GOT_A_FIN_BEFORE_A_CCS: | |
| 159 case SSL_R_ILLEGAL_PADDING: | |
| 160 case SSL_R_INVALID_CHALLENGE_LENGTH: | |
| 161 case SSL_R_INVALID_COMMAND: | |
| 162 case SSL_R_INVALID_PURPOSE: | |
| 163 case SSL_R_INVALID_STATUS_RESPONSE: | |
| 164 case SSL_R_INVALID_TICKET_KEYS_LENGTH: | |
| 165 case SSL_R_KEY_ARG_TOO_LONG: | |
| 166 case SSL_R_READ_WRONG_PACKET_TYPE: | |
| 167 // SSL_do_handshake reports this error when the server responds to a | |
| 168 // ClientHello with a fatal close_notify alert. | |
| 169 case SSL_AD_REASON_OFFSET + SSL_AD_CLOSE_NOTIFY: | |
| 170 case SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE: | |
| 171 // TODO(joth): SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE may be returned from the | |
| 172 // server after receiving ClientHello if there's no common supported cipher. | |
| 173 // Ideally we'd map that specific case to ERR_SSL_VERSION_OR_CIPHER_MISMATCH | |
| 174 // to match the NSS implementation. See also http://goo.gl/oMtZW | |
| 175 case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: | |
| 176 case SSL_R_SSLV3_ALERT_NO_CERTIFICATE: | |
| 177 case SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER: | |
| 178 case SSL_R_TLSV1_ALERT_DECODE_ERROR: | |
| 179 case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED: | |
| 180 case SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION: | |
| 181 case SSL_R_TLSV1_ALERT_INTERNAL_ERROR: | |
| 182 case SSL_R_TLSV1_ALERT_NO_RENEGOTIATION: | |
| 183 case SSL_R_TLSV1_ALERT_RECORD_OVERFLOW: | |
| 184 case SSL_R_TLSV1_ALERT_USER_CANCELLED: | |
| 185 return ERR_SSL_PROTOCOL_ERROR; | |
| 186 case SSL_R_CERTIFICATE_VERIFY_FAILED: | |
| 187 // The only way that the certificate verify callback can fail is if | |
| 188 // the leaf certificate changed during a renegotiation. | |
| 189 return ERR_SSL_SERVER_CERT_CHANGED; | |
| 190 default: | |
| 191 LOG(WARNING) << "Unmapped error reason: " << ERR_GET_REASON(error_code); | |
| 192 return ERR_FAILED; | |
| 193 } | |
| 194 } | |
| 195 | |
| 196 // Converts an OpenSSL error code into a net error code, walking the OpenSSL | |
| 197 // error stack if needed. Note that |tracer| is not currently used in the | |
| 198 // implementation, but is passed in anyway as this ensures the caller will clear | |
| 199 // any residual codes left on the error stack. | |
| 200 int MapOpenSSLError(int err, const crypto::OpenSSLErrStackTracer& tracer) { | |
| 201 switch (err) { | |
| 202 case SSL_ERROR_WANT_READ: | |
| 203 case SSL_ERROR_WANT_WRITE: | |
| 204 return ERR_IO_PENDING; | |
| 205 case SSL_ERROR_SYSCALL: | |
| 206 LOG(ERROR) << "OpenSSL SYSCALL error, earliest error code in " | |
| 207 "error queue: " << ERR_peek_error() << ", errno: " | |
| 208 << errno; | |
| 209 return ERR_SSL_PROTOCOL_ERROR; | |
| 210 case SSL_ERROR_SSL: | |
| 211 return MapOpenSSLErrorSSL(); | |
| 212 default: | |
| 213 // TODO(joth): Implement full mapping. | |
| 214 LOG(WARNING) << "Unknown OpenSSL error " << err; | |
| 215 return ERR_SSL_PROTOCOL_ERROR; | |
| 216 } | |
| 217 } | |
| 218 | |
| 219 // Utility to construct the appropriate set & clear masks for use the OpenSSL | |
| 220 // options and mode configuration functions. (SSL_set_options etc) | |
| 221 struct SslSetClearMask { | |
| 222 SslSetClearMask() : set_mask(0), clear_mask(0) {} | |
| 223 void ConfigureFlag(long flag, bool state) { | |
| 224 (state ? set_mask : clear_mask) |= flag; | |
| 225 // Make sure we haven't got any intersection in the set & clear options. | |
| 226 DCHECK_EQ(0, set_mask & clear_mask) << flag << ":" << state; | |
| 227 } | |
| 228 long set_mask; | |
| 229 long clear_mask; | |
| 230 }; | |
| 231 | |
| 232 // Compute a unique key string for the SSL session cache. |socket| is an | 90 // Compute a unique key string for the SSL session cache. |socket| is an |
| 233 // input socket object. Return a string. | 91 // input socket object. Return a string. |
| 234 std::string GetSocketSessionCacheKey(const SSLClientSocketOpenSSL& socket) { | 92 std::string GetSocketSessionCacheKey(const SSLClientSocketOpenSSL& socket) { |
| 235 std::string result = socket.host_and_port().ToString(); | 93 std::string result = socket.host_and_port().ToString(); |
| 236 result.append("/"); | 94 result.append("/"); |
| 237 result.append(socket.ssl_session_cache_shard()); | 95 result.append(socket.ssl_session_cache_shard()); |
| 238 return result; | 96 return result; |
| 239 } | 97 } |
| 240 | 98 |
| 241 } // namespace | 99 } // namespace |
| (...skipping 284 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 526 return server_bound_cert_service_; | 384 return server_bound_cert_service_; |
| 527 } | 385 } |
| 528 | 386 |
| 529 int SSLClientSocketOpenSSL::ExportKeyingMaterial( | 387 int SSLClientSocketOpenSSL::ExportKeyingMaterial( |
| 530 const base::StringPiece& label, | 388 const base::StringPiece& label, |
| 531 bool has_context, const base::StringPiece& context, | 389 bool has_context, const base::StringPiece& context, |
| 532 unsigned char* out, unsigned int outlen) { | 390 unsigned char* out, unsigned int outlen) { |
| 533 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 391 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 534 | 392 |
| 535 int rv = SSL_export_keying_material( | 393 int rv = SSL_export_keying_material( |
| 536 ssl_, out, outlen, const_cast<char*>(label.data()), | 394 ssl_, out, outlen, label.data(), label.size(), |
| 537 label.size(), | 395 reinterpret_cast<const unsigned char*>(context.data()), |
| 538 reinterpret_cast<unsigned char*>(const_cast<char*>(context.data())), | 396 context.length(), context.length() > 0); |
| 539 context.length(), | |
| 540 context.length() > 0); | |
| 541 | 397 |
| 542 if (rv != 1) { | 398 if (rv != 1) { |
| 543 int ssl_error = SSL_get_error(ssl_, rv); | 399 int ssl_error = SSL_get_error(ssl_, rv); |
| 544 LOG(ERROR) << "Failed to export keying material;" | 400 LOG(ERROR) << "Failed to export keying material;" |
| 545 << " returned " << rv | 401 << " returned " << rv |
| 546 << ", SSL error code " << ssl_error; | 402 << ", SSL error code " << ssl_error; |
| 547 return MapOpenSSLError(ssl_error, err_tracer); | 403 return MapOpenSSLError(ssl_error, err_tracer); |
| 548 } | 404 } |
| 549 return OK; | 405 return OK; |
| 550 } | 406 } |
| 551 | 407 |
| 552 int SSLClientSocketOpenSSL::GetTLSUniqueChannelBinding(std::string* out) { | 408 int SSLClientSocketOpenSSL::GetTLSUniqueChannelBinding(std::string* out) { |
| 409 NOTIMPLEMENTED(); |
| 553 return ERR_NOT_IMPLEMENTED; | 410 return ERR_NOT_IMPLEMENTED; |
| 554 } | 411 } |
| 555 | 412 |
| 556 int SSLClientSocketOpenSSL::Connect(const CompletionCallback& callback) { | 413 int SSLClientSocketOpenSSL::Connect(const CompletionCallback& callback) { |
| 557 net_log_.BeginEvent(NetLog::TYPE_SSL_CONNECT); | 414 net_log_.BeginEvent(NetLog::TYPE_SSL_CONNECT); |
| 558 | 415 |
| 559 // Set up new ssl object. | 416 // Set up new ssl object. |
| 560 if (!Init()) { | 417 int rv = Init(); |
| 561 int result = ERR_UNEXPECTED; | 418 if (rv != OK) { |
| 562 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, result); | 419 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
| 563 return result; | 420 return rv; |
| 564 } | 421 } |
| 565 | 422 |
| 566 // Set SSL to client mode. Handshake happens in the loop below. | 423 // Set SSL to client mode. Handshake happens in the loop below. |
| 567 SSL_set_connect_state(ssl_); | 424 SSL_set_connect_state(ssl_); |
| 568 | 425 |
| 569 GotoState(STATE_HANDSHAKE); | 426 GotoState(STATE_HANDSHAKE); |
| 570 int rv = DoHandshakeLoop(net::OK); | 427 rv = DoHandshakeLoop(OK); |
| 571 if (rv == ERR_IO_PENDING) { | 428 if (rv == ERR_IO_PENDING) { |
| 572 user_connect_callback_ = callback; | 429 user_connect_callback_ = callback; |
| 573 } else { | 430 } else { |
| 574 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 431 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
| 575 } | 432 } |
| 576 | 433 |
| 577 return rv > OK ? OK : rv; | 434 return rv > OK ? OK : rv; |
| 578 } | 435 } |
| 579 | 436 |
| 580 void SSLClientSocketOpenSSL::Disconnect() { | 437 void SSLClientSocketOpenSSL::Disconnect() { |
| (...skipping 196 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 777 } | 634 } |
| 778 | 635 |
| 779 int SSLClientSocketOpenSSL::SetReceiveBufferSize(int32 size) { | 636 int SSLClientSocketOpenSSL::SetReceiveBufferSize(int32 size) { |
| 780 return transport_->socket()->SetReceiveBufferSize(size); | 637 return transport_->socket()->SetReceiveBufferSize(size); |
| 781 } | 638 } |
| 782 | 639 |
| 783 int SSLClientSocketOpenSSL::SetSendBufferSize(int32 size) { | 640 int SSLClientSocketOpenSSL::SetSendBufferSize(int32 size) { |
| 784 return transport_->socket()->SetSendBufferSize(size); | 641 return transport_->socket()->SetSendBufferSize(size); |
| 785 } | 642 } |
| 786 | 643 |
| 787 bool SSLClientSocketOpenSSL::Init() { | 644 int SSLClientSocketOpenSSL::Init() { |
| 788 DCHECK(!ssl_); | 645 DCHECK(!ssl_); |
| 789 DCHECK(!transport_bio_); | 646 DCHECK(!transport_bio_); |
| 790 | 647 |
| 791 SSLContext* context = SSLContext::GetInstance(); | 648 SSLContext* context = SSLContext::GetInstance(); |
| 792 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 649 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 793 | 650 |
| 794 ssl_ = SSL_new(context->ssl_ctx()); | 651 ssl_ = SSL_new(context->ssl_ctx()); |
| 795 if (!ssl_ || !context->SetClientSocketForSSL(ssl_, this)) | 652 if (!ssl_ || !context->SetClientSocketForSSL(ssl_, this)) |
| 796 return false; | 653 return ERR_UNEXPECTED; |
| 797 | 654 |
| 798 if (!SSL_set_tlsext_host_name(ssl_, host_and_port_.host().c_str())) | 655 if (!SSL_set_tlsext_host_name(ssl_, host_and_port_.host().c_str())) |
| 799 return false; | 656 return ERR_UNEXPECTED; |
| 800 | 657 |
| 801 trying_cached_session_ = context->session_cache()->SetSSLSessionWithKey( | 658 trying_cached_session_ = context->session_cache()->SetSSLSessionWithKey( |
| 802 ssl_, GetSocketSessionCacheKey(*this)); | 659 ssl_, GetSocketSessionCacheKey(*this)); |
| 803 | 660 |
| 804 BIO* ssl_bio = NULL; | 661 BIO* ssl_bio = NULL; |
| 805 // 0 => use default buffer sizes. | 662 // 0 => use default buffer sizes. |
| 806 if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_, 0)) | 663 if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_, 0)) |
| 807 return false; | 664 return ERR_UNEXPECTED; |
| 808 DCHECK(ssl_bio); | 665 DCHECK(ssl_bio); |
| 809 DCHECK(transport_bio_); | 666 DCHECK(transport_bio_); |
| 810 | 667 |
| 811 SSL_set_bio(ssl_, ssl_bio, ssl_bio); | 668 SSL_set_bio(ssl_, ssl_bio, ssl_bio); |
| 812 | 669 |
| 813 // OpenSSL defaults some options to on, others to off. To avoid ambiguity, | 670 // OpenSSL defaults some options to on, others to off. To avoid ambiguity, |
| 814 // set everything we care about to an absolute value. | 671 // set everything we care about to an absolute value. |
| 815 SslSetClearMask options; | 672 SslSetClearMask options; |
| 816 options.ConfigureFlag(SSL_OP_NO_SSLv2, true); | 673 options.ConfigureFlag(SSL_OP_NO_SSLv2, true); |
| 817 bool ssl3_enabled = (ssl_config_.version_min == SSL_PROTOCOL_VERSION_SSL3); | 674 bool ssl3_enabled = (ssl_config_.version_min == SSL_PROTOCOL_VERSION_SSL3); |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 886 // This will almost certainly result in the socket failing to complete the | 743 // This will almost certainly result in the socket failing to complete the |
| 887 // handshake at which point the appropriate error is bubbled up to the client. | 744 // handshake at which point the appropriate error is bubbled up to the client. |
| 888 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command << "') " | 745 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command << "') " |
| 889 "returned " << rv; | 746 "returned " << rv; |
| 890 | 747 |
| 891 // TLS channel ids. | 748 // TLS channel ids. |
| 892 if (IsChannelIDEnabled(ssl_config_, server_bound_cert_service_)) { | 749 if (IsChannelIDEnabled(ssl_config_, server_bound_cert_service_)) { |
| 893 SSL_enable_tls_channel_id(ssl_); | 750 SSL_enable_tls_channel_id(ssl_); |
| 894 } | 751 } |
| 895 | 752 |
| 896 return true; | 753 return OK; |
| 897 } | 754 } |
| 898 | 755 |
| 899 void SSLClientSocketOpenSSL::DoReadCallback(int rv) { | 756 void SSLClientSocketOpenSSL::DoReadCallback(int rv) { |
| 900 // Since Run may result in Read being called, clear |user_read_callback_| | 757 // Since Run may result in Read being called, clear |user_read_callback_| |
| 901 // up front. | 758 // up front. |
| 902 if (rv > 0) | 759 if (rv > 0) |
| 903 was_ever_used_ = true; | 760 was_ever_used_ = true; |
| 904 user_read_buf_ = NULL; | 761 user_read_buf_ = NULL; |
| 905 user_read_buf_len_ = 0; | 762 user_read_buf_len_ = 0; |
| 906 base::ResetAndReturn(&user_read_callback_).Run(rv); | 763 base::ResetAndReturn(&user_read_callback_).Run(rv); |
| (...skipping 19 matching lines...) Expand all Loading... |
| 926 if (rv != ERR_IO_PENDING && rv != 0) | 783 if (rv != ERR_IO_PENDING && rv != 0) |
| 927 network_moved = true; | 784 network_moved = true; |
| 928 } while (rv > 0); | 785 } while (rv > 0); |
| 929 if (!transport_recv_eof_ && BufferRecv() != ERR_IO_PENDING) | 786 if (!transport_recv_eof_ && BufferRecv() != ERR_IO_PENDING) |
| 930 network_moved = true; | 787 network_moved = true; |
| 931 return network_moved; | 788 return network_moved; |
| 932 } | 789 } |
| 933 | 790 |
| 934 int SSLClientSocketOpenSSL::DoHandshake() { | 791 int SSLClientSocketOpenSSL::DoHandshake() { |
| 935 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 792 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 936 int net_error = net::OK; | 793 int net_error = OK; |
| 937 int rv = SSL_do_handshake(ssl_); | 794 int rv = SSL_do_handshake(ssl_); |
| 938 | 795 |
| 939 if (client_auth_cert_needed_) { | 796 if (client_auth_cert_needed_) { |
| 940 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 797 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
| 941 // If the handshake already succeeded (because the server requests but | 798 // If the handshake already succeeded (because the server requests but |
| 942 // doesn't require a client cert), we need to invalidate the SSL session | 799 // doesn't require a client cert), we need to invalidate the SSL session |
| 943 // so that we won't try to resume the non-client-authenticated session in | 800 // so that we won't try to resume the non-client-authenticated session in |
| 944 // the next handshake. This will cause the server to ask for a client | 801 // the next handshake. This will cause the server to ask for a client |
| 945 // cert again. | 802 // cert again. |
| 946 if (rv == 1) { | 803 if (rv == 1) { |
| (...skipping 439 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1386 (void)BIO_shutdown_wr(transport_bio_); | 1243 (void)BIO_shutdown_wr(transport_bio_); |
| 1387 } else if (transport_write_error_ < 0) { | 1244 } else if (transport_write_error_ < 0) { |
| 1388 // Mirror transport write errors as read failures; transport_bio_ has been | 1245 // Mirror transport write errors as read failures; transport_bio_ has been |
| 1389 // shut down by TransportWriteComplete, so the BIO_write will fail, failing | 1246 // shut down by TransportWriteComplete, so the BIO_write will fail, failing |
| 1390 // the CHECK. http://crbug.com/335557. | 1247 // the CHECK. http://crbug.com/335557. |
| 1391 result = transport_write_error_; | 1248 result = transport_write_error_; |
| 1392 } else { | 1249 } else { |
| 1393 DCHECK(recv_buffer_.get()); | 1250 DCHECK(recv_buffer_.get()); |
| 1394 int ret = BIO_write(transport_bio_, recv_buffer_->data(), result); | 1251 int ret = BIO_write(transport_bio_, recv_buffer_->data(), result); |
| 1395 // A write into a memory BIO should always succeed. | 1252 // A write into a memory BIO should always succeed. |
| 1396 // Force values on the stack for http://crbug.com/335557 | 1253 DCHECK_EQ(result, ret); |
| 1397 base::debug::Alias(&result); | |
| 1398 base::debug::Alias(&ret); | |
| 1399 CHECK_EQ(result, ret); | |
| 1400 } | 1254 } |
| 1401 recv_buffer_ = NULL; | 1255 recv_buffer_ = NULL; |
| 1402 transport_recv_busy_ = false; | 1256 transport_recv_busy_ = false; |
| 1403 return result; | 1257 return result; |
| 1404 } | 1258 } |
| 1405 | 1259 |
| 1406 int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl, | 1260 int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl, |
| 1407 X509** x509, | 1261 X509** x509, |
| 1408 EVP_PKEY** pkey) { | 1262 EVP_PKEY** pkey) { |
| 1409 DVLOG(3) << "OpenSSL ClientCertRequestCallback called"; | 1263 DVLOG(3) << "OpenSSL ClientCertRequestCallback called"; |
| (...skipping 155 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1565 DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_; | 1419 DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_; |
| 1566 return SSL_TLSEXT_ERR_OK; | 1420 return SSL_TLSEXT_ERR_OK; |
| 1567 } | 1421 } |
| 1568 | 1422 |
| 1569 scoped_refptr<X509Certificate> | 1423 scoped_refptr<X509Certificate> |
| 1570 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1424 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
| 1571 return server_cert_; | 1425 return server_cert_; |
| 1572 } | 1426 } |
| 1573 | 1427 |
| 1574 } // namespace net | 1428 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 274783002:
Implement SSL server socket over OpenSSL. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master