| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_server_socket_impl.h" | 5 #include "net/socket/ssl_server_socket_impl.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| 11 #include "base/strings/string_util.h" | 11 #include "base/strings/string_util.h" |
| 12 #include "crypto/openssl_util.h" | 12 #include "crypto/openssl_util.h" |
| 13 #include "crypto/rsa_private_key.h" | 13 #include "crypto/rsa_private_key.h" |
| 14 #include "net/base/net_errors.h" | 14 #include "net/base/net_errors.h" |
| 15 #include "net/cert/cert_verify_result.h" | 15 #include "net/cert/cert_verify_result.h" |
| 16 #include "net/cert/client_cert_verifier.h" | 16 #include "net/cert/client_cert_verifier.h" |
| 17 #include "net/cert/x509_util.h" |
| 17 #include "net/cert/x509_util_openssl.h" | 18 #include "net/cert/x509_util_openssl.h" |
| 18 #include "net/log/net_log_event_type.h" | 19 #include "net/log/net_log_event_type.h" |
| 19 #include "net/log/net_log_with_source.h" | 20 #include "net/log/net_log_with_source.h" |
| 20 #include "net/socket/socket_bio_adapter.h" | 21 #include "net/socket/socket_bio_adapter.h" |
| 21 #include "net/ssl/openssl_ssl_util.h" | 22 #include "net/ssl/openssl_ssl_util.h" |
| 22 #include "net/ssl/ssl_connection_status_flags.h" | 23 #include "net/ssl/ssl_connection_status_flags.h" |
| 23 #include "net/ssl/ssl_info.h" | 24 #include "net/ssl/ssl_info.h" |
| 24 #include "third_party/boringssl/src/include/openssl/err.h" | 25 #include "third_party/boringssl/src/include/openssl/err.h" |
| 25 #include "third_party/boringssl/src/include/openssl/ssl.h" | 26 #include "third_party/boringssl/src/include/openssl/ssl.h" |
| 26 #include "third_party/boringssl/src/include/openssl/x509.h" | 27 #include "third_party/boringssl/src/include/openssl/x509.h" |
| 617 : ssl_server_config_(ssl_server_config), | 618 : ssl_server_config_(ssl_server_config), |
| 618 cert_(certificate), | 619 cert_(certificate), |
| 619 key_(key.Copy()) { | 620 key_(key.Copy()) { |
| 620 CHECK(key_); | 621 CHECK(key_); |
| 621 crypto::EnsureOpenSSLInit(); | 622 crypto::EnsureOpenSSLInit(); |
| 622 ssl_ctx_.reset(SSL_CTX_new(TLS_method())); | 623 ssl_ctx_.reset(SSL_CTX_new(TLS_method())); |
| 623 SSL_CTX_set_session_cache_mode(ssl_ctx_.get(), SSL_SESS_CACHE_SERVER); | 624 SSL_CTX_set_session_cache_mode(ssl_ctx_.get(), SSL_SESS_CACHE_SERVER); |
| 624 uint8_t session_ctx_id = 0; | 625 uint8_t session_ctx_id = 0; |
| 625 SSL_CTX_set_session_id_context(ssl_ctx_.get(), &session_ctx_id, | 626 SSL_CTX_set_session_id_context(ssl_ctx_.get(), &session_ctx_id, |
| 626 sizeof(session_ctx_id)); | 627 sizeof(session_ctx_id)); |
| 628 // Deduplicate all certificates minted from the SSL_CTX in memory. |
| 629 SSL_CTX_set0_buffer_pool(ssl_ctx_.get(), x509_util::GetBufferPool()); |
| 627 | 630 |
| 628 int verify_mode = 0; | 631 int verify_mode = 0; |
| 629 switch (ssl_server_config_.client_cert_type) { | 632 switch (ssl_server_config_.client_cert_type) { |
| 630 case SSLServerConfig::ClientCertType::REQUIRE_CLIENT_CERT: | 633 case SSLServerConfig::ClientCertType::REQUIRE_CLIENT_CERT: |
| 631 verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; | 634 verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; |
| 632 // Fall-through | 635 // Fall-through |
| 633 case SSLServerConfig::ClientCertType::OPTIONAL_CLIENT_CERT: | 636 case SSLServerConfig::ClientCertType::OPTIONAL_CLIENT_CERT: |
| 634 verify_mode |= SSL_VERIFY_PEER; | 637 verify_mode |= SSL_VERIFY_PEER; |
| 635 SSL_CTX_set_verify(ssl_ctx_.get(), verify_mode, nullptr); | 638 SSL_CTX_set_verify(ssl_ctx_.get(), verify_mode, nullptr); |
| 636 SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), | 639 SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), |
| 637 SSLServerSocketImpl::CertVerifyCallback, | 640 SSLServerSocketImpl::CertVerifyCallback, |
| 638 ssl_server_config_.client_cert_verifier); | 641 ssl_server_config_.client_cert_verifier); |
| 639 break; | 642 break; |
| 640 case SSLServerConfig::ClientCertType::NO_CLIENT_CERT: | 643 case SSLServerConfig::ClientCertType::NO_CLIENT_CERT: |
| 641 break; | 644 break; |
| 642 } | 645 } |
| 643 | 646 |
| 644 // Set certificate and private key. | 647 // Set certificate and private key. |
| 645 DCHECK(cert_->os_cert_handle()); | 648 DCHECK(cert_->os_cert_handle()); |
| 646 #if defined(USE_OPENSSL_CERTS) | 649 DCHECK(key_->key()); |
| 650 #if BUILDFLAG(USE_BYTE_CERTS) |
| 651 // On success, SSL_CTX_set_chain_and_key acquires a reference to |
| 652 // |cert_->os_cert_handle()| and |key_->key()|. |
| 653 CRYPTO_BUFFER* cert_buffers[] = {cert_->os_cert_handle()}; |
| 654 CHECK(SSL_CTX_set_chain_and_key(ssl_ctx_.get(), cert_buffers, |
| 655 arraysize(cert_buffers), key_->key(), |
| 656 nullptr /* privkey_method */)); |
| 657 #elif defined(USE_OPENSSL_CERTS) |
| 647 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), cert_->os_cert_handle())); | 658 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), cert_->os_cert_handle())); |
| 659 CHECK(SSL_CTX_use_PrivateKey(ssl_ctx_.get(), key_->key())); |
| 648 #else | 660 #else |
| 649 // Convert OSCertHandle to X509 structure. | |
| 650 std::string der_string; | 661 std::string der_string; |
| 651 CHECK(X509Certificate::GetDEREncoded(cert_->os_cert_handle(), &der_string)); | 662 CHECK(X509Certificate::GetDEREncoded(cert_->os_cert_handle(), &der_string)); |
| 652 | 663 CHECK(SSL_CTX_use_certificate_ASN1( |
| 653 const unsigned char* der_string_array = | 664 ssl_ctx_.get(), der_string.length(), |
| 654 reinterpret_cast<const unsigned char*>(der_string.data()); | 665 reinterpret_cast<const unsigned char*>(der_string.data()))); |
| 655 | 666 // On success, SSL_CTX_use_PrivateKey acquires a reference to |key_->key()|. |
| 656 bssl::UniquePtr<X509> x509( | |
| 657 d2i_X509(NULL, &der_string_array, der_string.length())); | |
| 658 CHECK(x509); | |
| 659 | |
| 660 // On success, SSL_CTX_use_certificate acquires a reference to |x509|. | |
| 661 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), x509.get())); | |
| 662 #endif // USE_OPENSSL_CERTS | |
| 663 | |
| 664 DCHECK(key_->key()); | |
| 665 CHECK(SSL_CTX_use_PrivateKey(ssl_ctx_.get(), key_->key())); | 667 CHECK(SSL_CTX_use_PrivateKey(ssl_ctx_.get(), key_->key())); |
| 668 #endif // USE_OPENSSL_CERTS && !USE_BYTE_CERTS |
| 666 | 669 |
| 667 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_min); | 670 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_min); |
| 668 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_max); | 671 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_max); |
| 669 CHECK(SSL_CTX_set_min_proto_version(ssl_ctx_.get(), | 672 CHECK(SSL_CTX_set_min_proto_version(ssl_ctx_.get(), |
| 670 ssl_server_config_.version_min)); | 673 ssl_server_config_.version_min)); |
| 671 CHECK(SSL_CTX_set_max_proto_version(ssl_ctx_.get(), | 674 CHECK(SSL_CTX_set_max_proto_version(ssl_ctx_.get(), |
| 672 ssl_server_config_.version_max)); | 675 ssl_server_config_.version_max)); |
| 673 | 676 |
| 674 // OpenSSL defaults some options to on, others to off. To avoid ambiguity, | 677 // OpenSSL defaults some options to on, others to off. To avoid ambiguity, |
| 675 // set everything we care about to an absolute value. | 678 // set everything we care about to an absolute value. |
| 731 SSLServerContextImpl::~SSLServerContextImpl() {} | 734 SSLServerContextImpl::~SSLServerContextImpl() {} |
| 732 | 735 |
| 733 std::unique_ptr<SSLServerSocket> SSLServerContextImpl::CreateSSLServerSocket( | 736 std::unique_ptr<SSLServerSocket> SSLServerContextImpl::CreateSSLServerSocket( |
| 734 std::unique_ptr<StreamSocket> socket) { | 737 std::unique_ptr<StreamSocket> socket) { |
| 735 bssl::UniquePtr<SSL> ssl(SSL_new(ssl_ctx_.get())); | 738 bssl::UniquePtr<SSL> ssl(SSL_new(ssl_ctx_.get())); |
| 736 return std::unique_ptr<SSLServerSocket>( | 739 return std::unique_ptr<SSLServerSocket>( |
| 737 new SSLServerSocketImpl(std::move(socket), std::move(ssl))); | 740 new SSLServerSocketImpl(std::move(socket), std::move(ssl))); |
| 738 } | 741 } |
| 739 | 742 |
| 740 } // namespace net | 743 } // namespace net |
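Review bot: The trailing comment on the closing `#endif` at new line 668, `// USE_OPENSSL_CERTS && !USE_BYTE_CERTS`, does not echo the condition that opened the block at 650 and does not describe the `#else` arm it actually closes, so a reader scanning the certificate-loading block gets the wrong shape of the conditional; Chromium style echoes the opening expression, so `#endif  // BUILDFLAG(USE_BYTE_CERTS)` would be the accurate close. The new `BUILDFLAG(USE_BYTE_CERTS)` test on 650 and the `arraysize()` call on 655 depend on the net buildflag header and `base/macros.h`, neither of which appears in the visible include list; presumably they arrive through `ssl_server_socket_impl.h`, but an explicit include would keep the include-what-you-use convention the rest of the list follows. The `// On success, SSL_CTX_use_PrivateKey acquires a reference to |key_->key()|.` note at 666 applies equally to the `SSL_CTX_use_PrivateKey` call added in the `USE_OPENSSL_CERTS` arm at 659, which carries no such comment. The SSLServerContextImpl constructor whose body these lines belong to begins above the first visible hunk, outside this section.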