OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_server_socket_impl.h" | 5 #include "net/socket/ssl_server_socket_impl.h" |
6 | 6 |
7 #include <utility> | 7 #include <utility> |
8 | 8 |
9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
10 #include "base/logging.h" | 10 #include "base/logging.h" |
11 #include "base/strings/string_util.h" | 11 #include "base/strings/string_util.h" |
12 #include "crypto/openssl_util.h" | 12 #include "crypto/openssl_util.h" |
13 #include "crypto/rsa_private_key.h" | 13 #include "crypto/rsa_private_key.h" |
14 #include "net/base/net_errors.h" | 14 #include "net/base/net_errors.h" |
15 #include "net/cert/cert_verify_result.h" | 15 #include "net/cert/cert_verify_result.h" |
16 #include "net/cert/client_cert_verifier.h" | 16 #include "net/cert/client_cert_verifier.h" |
| 17 #include "net/cert/x509_util.h" |
17 #include "net/cert/x509_util_openssl.h" | 18 #include "net/cert/x509_util_openssl.h" |
18 #include "net/log/net_log_event_type.h" | 19 #include "net/log/net_log_event_type.h" |
19 #include "net/log/net_log_with_source.h" | 20 #include "net/log/net_log_with_source.h" |
20 #include "net/socket/socket_bio_adapter.h" | 21 #include "net/socket/socket_bio_adapter.h" |
21 #include "net/ssl/openssl_ssl_util.h" | 22 #include "net/ssl/openssl_ssl_util.h" |
22 #include "net/ssl/ssl_connection_status_flags.h" | 23 #include "net/ssl/ssl_connection_status_flags.h" |
23 #include "net/ssl/ssl_info.h" | 24 #include "net/ssl/ssl_info.h" |
24 #include "third_party/boringssl/src/include/openssl/err.h" | 25 #include "third_party/boringssl/src/include/openssl/err.h" |
25 #include "third_party/boringssl/src/include/openssl/ssl.h" | 26 #include "third_party/boringssl/src/include/openssl/ssl.h" |
26 #include "third_party/boringssl/src/include/openssl/x509.h" | 27 #include "third_party/boringssl/src/include/openssl/x509.h" |
(...skipping 590 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
617 : ssl_server_config_(ssl_server_config), | 618 : ssl_server_config_(ssl_server_config), |
618 cert_(certificate), | 619 cert_(certificate), |
619 key_(key.Copy()) { | 620 key_(key.Copy()) { |
620 CHECK(key_); | 621 CHECK(key_); |
621 crypto::EnsureOpenSSLInit(); | 622 crypto::EnsureOpenSSLInit(); |
622 ssl_ctx_.reset(SSL_CTX_new(TLS_method())); | 623 ssl_ctx_.reset(SSL_CTX_new(TLS_method())); |
623 SSL_CTX_set_session_cache_mode(ssl_ctx_.get(), SSL_SESS_CACHE_SERVER); | 624 SSL_CTX_set_session_cache_mode(ssl_ctx_.get(), SSL_SESS_CACHE_SERVER); |
624 uint8_t session_ctx_id = 0; | 625 uint8_t session_ctx_id = 0; |
625 SSL_CTX_set_session_id_context(ssl_ctx_.get(), &session_ctx_id, | 626 SSL_CTX_set_session_id_context(ssl_ctx_.get(), &session_ctx_id, |
626 sizeof(session_ctx_id)); | 627 sizeof(session_ctx_id)); |
| 628 // Deduplicate all certificates minted from the SSL_CTX in memory. |
| 629 SSL_CTX_set0_buffer_pool(ssl_ctx_.get(), x509_util::GetBufferPool()); |
627 | 630 |
628 int verify_mode = 0; | 631 int verify_mode = 0; |
629 switch (ssl_server_config_.client_cert_type) { | 632 switch (ssl_server_config_.client_cert_type) { |
630 case SSLServerConfig::ClientCertType::REQUIRE_CLIENT_CERT: | 633 case SSLServerConfig::ClientCertType::REQUIRE_CLIENT_CERT: |
631 verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; | 634 verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; |
632 // Fall-through | 635 // Fall-through |
633 case SSLServerConfig::ClientCertType::OPTIONAL_CLIENT_CERT: | 636 case SSLServerConfig::ClientCertType::OPTIONAL_CLIENT_CERT: |
634 verify_mode |= SSL_VERIFY_PEER; | 637 verify_mode |= SSL_VERIFY_PEER; |
635 SSL_CTX_set_verify(ssl_ctx_.get(), verify_mode, nullptr); | 638 SSL_CTX_set_verify(ssl_ctx_.get(), verify_mode, nullptr); |
636 SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), | 639 SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), |
637 SSLServerSocketImpl::CertVerifyCallback, | 640 SSLServerSocketImpl::CertVerifyCallback, |
638 ssl_server_config_.client_cert_verifier); | 641 ssl_server_config_.client_cert_verifier); |
639 break; | 642 break; |
640 case SSLServerConfig::ClientCertType::NO_CLIENT_CERT: | 643 case SSLServerConfig::ClientCertType::NO_CLIENT_CERT: |
641 break; | 644 break; |
642 } | 645 } |
643 | 646 |
644 // Set certificate and private key. | 647 // Set certificate and private key. |
645 DCHECK(cert_->os_cert_handle()); | 648 DCHECK(cert_->os_cert_handle()); |
646 #if defined(USE_OPENSSL_CERTS) | 649 DCHECK(key_->key()); |
| 650 #if BUILDFLAG(USE_BYTE_CERTS) |
| 651 // On success, SSL_CTX_set_chain_and_key acquires a reference to |
| 652 // |cert_->os_cert_handle()| and |key_->key()|. |
| 653 CRYPTO_BUFFER* cert_buffers[] = {cert_->os_cert_handle()}; |
| 654 CHECK(SSL_CTX_set_chain_and_key(ssl_ctx_.get(), cert_buffers, |
| 655 arraysize(cert_buffers), key_->key(), |
| 656 nullptr /* privkey_method */)); |
| 657 #elif defined(USE_OPENSSL_CERTS) |
647 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), cert_->os_cert_handle())); | 658 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), cert_->os_cert_handle())); |
| 659 CHECK(SSL_CTX_use_PrivateKey(ssl_ctx_.get(), key_->key())); |
648 #else | 660 #else |
649 // Convert OSCertHandle to X509 structure. | |
650 std::string der_string; | 661 std::string der_string; |
651 CHECK(X509Certificate::GetDEREncoded(cert_->os_cert_handle(), &der_string)); | 662 CHECK(X509Certificate::GetDEREncoded(cert_->os_cert_handle(), &der_string)); |
652 | 663 CHECK(SSL_CTX_use_certificate_ASN1( |
653 const unsigned char* der_string_array = | 664 ssl_ctx_.get(), der_string.length(), |
654 reinterpret_cast<const unsigned char*>(der_string.data()); | 665 reinterpret_cast<const unsigned char*>(der_string.data()))); |
655 | 666 // On success, SSL_CTX_use_PrivateKey acquires a reference to |key_->key()|. |
656 bssl::UniquePtr<X509> x509( | |
657 d2i_X509(NULL, &der_string_array, der_string.length())); | |
658 CHECK(x509); | |
659 | |
660 // On success, SSL_CTX_use_certificate acquires a reference to |x509|. | |
661 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), x509.get())); | |
662 #endif // USE_OPENSSL_CERTS | |
663 | |
664 DCHECK(key_->key()); | |
665 CHECK(SSL_CTX_use_PrivateKey(ssl_ctx_.get(), key_->key())); | 667 CHECK(SSL_CTX_use_PrivateKey(ssl_ctx_.get(), key_->key())); |
| 668 #endif // USE_OPENSSL_CERTS && !USE_BYTE_CERTS |
666 | 669 |
667 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_min); | 670 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_min); |
668 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_max); | 671 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_max); |
669 CHECK(SSL_CTX_set_min_proto_version(ssl_ctx_.get(), | 672 CHECK(SSL_CTX_set_min_proto_version(ssl_ctx_.get(), |
670 ssl_server_config_.version_min)); | 673 ssl_server_config_.version_min)); |
671 CHECK(SSL_CTX_set_max_proto_version(ssl_ctx_.get(), | 674 CHECK(SSL_CTX_set_max_proto_version(ssl_ctx_.get(), |
672 ssl_server_config_.version_max)); | 675 ssl_server_config_.version_max)); |
673 | 676 |
674 // OpenSSL defaults some options to on, others to off. To avoid ambiguity, | 677 // OpenSSL defaults some options to on, others to off. To avoid ambiguity, |
675 // set everything we care about to an absolute value. | 678 // set everything we care about to an absolute value. |
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
731 SSLServerContextImpl::~SSLServerContextImpl() {} | 734 SSLServerContextImpl::~SSLServerContextImpl() {} |
732 | 735 |
733 std::unique_ptr<SSLServerSocket> SSLServerContextImpl::CreateSSLServerSocket( | 736 std::unique_ptr<SSLServerSocket> SSLServerContextImpl::CreateSSLServerSocket( |
734 std::unique_ptr<StreamSocket> socket) { | 737 std::unique_ptr<StreamSocket> socket) { |
735 bssl::UniquePtr<SSL> ssl(SSL_new(ssl_ctx_.get())); | 738 bssl::UniquePtr<SSL> ssl(SSL_new(ssl_ctx_.get())); |
736 return std::unique_ptr<SSLServerSocket>( | 739 return std::unique_ptr<SSLServerSocket>( |
737 new SSLServerSocketImpl(std::move(socket), std::move(ssl))); | 740 new SSLServerSocketImpl(std::move(socket), std::move(ssl))); |
738 } | 741 } |
739 | 742 |
740 } // namespace net | 743 } // namespace net |
OLD | NEW |