Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(336)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/ssl_server_socket_impl.cc

Issue 2817053003: Revert of Convert android to use X509CertificateBytes instead of X509CertificateOpenSSL. (Closed)
Patch Set: Created 3 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/ct_objects_extractor.cc ('k') | net/ssl/openssl_client_key_store.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/socket/ssl_server_socket_impl.h" 5 #include "net/socket/ssl_server_socket_impl.h"
6 6
7 #include <utility> 7 #include <utility>
8 8
9 #include "base/callback_helpers.h" 9 #include "base/callback_helpers.h"
10 #include "base/logging.h" 10 #include "base/logging.h"
11 #include "base/strings/string_util.h" 11 #include "base/strings/string_util.h"
12 #include "crypto/openssl_util.h" 12 #include "crypto/openssl_util.h"
13 #include "crypto/rsa_private_key.h" 13 #include "crypto/rsa_private_key.h"
14 #include "net/base/net_errors.h" 14 #include "net/base/net_errors.h"
15 #include "net/cert/cert_verify_result.h" 15 #include "net/cert/cert_verify_result.h"
16 #include "net/cert/client_cert_verifier.h" 16 #include "net/cert/client_cert_verifier.h"
17 #include "net/cert/x509_util.h"
18 #include "net/cert/x509_util_openssl.h" 17 #include "net/cert/x509_util_openssl.h"
19 #include "net/log/net_log_event_type.h" 18 #include "net/log/net_log_event_type.h"
20 #include "net/log/net_log_with_source.h" 19 #include "net/log/net_log_with_source.h"
21 #include "net/socket/socket_bio_adapter.h" 20 #include "net/socket/socket_bio_adapter.h"
22 #include "net/ssl/openssl_ssl_util.h" 21 #include "net/ssl/openssl_ssl_util.h"
23 #include "net/ssl/ssl_connection_status_flags.h" 22 #include "net/ssl/ssl_connection_status_flags.h"
24 #include "net/ssl/ssl_info.h" 23 #include "net/ssl/ssl_info.h"
25 #include "third_party/boringssl/src/include/openssl/err.h" 24 #include "third_party/boringssl/src/include/openssl/err.h"
26 #include "third_party/boringssl/src/include/openssl/ssl.h" 25 #include "third_party/boringssl/src/include/openssl/ssl.h"
27 #include "third_party/boringssl/src/include/openssl/x509.h" 26 #include "third_party/boringssl/src/include/openssl/x509.h"
(...skipping 590 matching lines...) Expand 10 before | Expand all | Expand 10 after
618 : ssl_server_config_(ssl_server_config), 617 : ssl_server_config_(ssl_server_config),
619 cert_(certificate), 618 cert_(certificate),
620 key_(key.Copy()) { 619 key_(key.Copy()) {
621 CHECK(key_); 620 CHECK(key_);
622 crypto::EnsureOpenSSLInit(); 621 crypto::EnsureOpenSSLInit();
623 ssl_ctx_.reset(SSL_CTX_new(TLS_method())); 622 ssl_ctx_.reset(SSL_CTX_new(TLS_method()));
624 SSL_CTX_set_session_cache_mode(ssl_ctx_.get(), SSL_SESS_CACHE_SERVER); 623 SSL_CTX_set_session_cache_mode(ssl_ctx_.get(), SSL_SESS_CACHE_SERVER);
625 uint8_t session_ctx_id = 0; 624 uint8_t session_ctx_id = 0;
626 SSL_CTX_set_session_id_context(ssl_ctx_.get(), &session_ctx_id, 625 SSL_CTX_set_session_id_context(ssl_ctx_.get(), &session_ctx_id,
627 sizeof(session_ctx_id)); 626 sizeof(session_ctx_id));
628 // Deduplicate all certificates minted from the SSL_CTX in memory.
629 SSL_CTX_set0_buffer_pool(ssl_ctx_.get(), x509_util::GetBufferPool());
630 627
631 int verify_mode = 0; 628 int verify_mode = 0;
632 switch (ssl_server_config_.client_cert_type) { 629 switch (ssl_server_config_.client_cert_type) {
633 case SSLServerConfig::ClientCertType::REQUIRE_CLIENT_CERT: 630 case SSLServerConfig::ClientCertType::REQUIRE_CLIENT_CERT:
634 verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; 631 verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
635 // Fall-through 632 // Fall-through
636 case SSLServerConfig::ClientCertType::OPTIONAL_CLIENT_CERT: 633 case SSLServerConfig::ClientCertType::OPTIONAL_CLIENT_CERT:
637 verify_mode |= SSL_VERIFY_PEER; 634 verify_mode |= SSL_VERIFY_PEER;
638 SSL_CTX_set_verify(ssl_ctx_.get(), verify_mode, nullptr); 635 SSL_CTX_set_verify(ssl_ctx_.get(), verify_mode, nullptr);
639 SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), 636 SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(),
640 SSLServerSocketImpl::CertVerifyCallback, 637 SSLServerSocketImpl::CertVerifyCallback,
641 ssl_server_config_.client_cert_verifier); 638 ssl_server_config_.client_cert_verifier);
642 break; 639 break;
643 case SSLServerConfig::ClientCertType::NO_CLIENT_CERT: 640 case SSLServerConfig::ClientCertType::NO_CLIENT_CERT:
644 break; 641 break;
645 } 642 }
646 643
647 // Set certificate and private key. 644 // Set certificate and private key.
648 DCHECK(cert_->os_cert_handle()); 645 DCHECK(cert_->os_cert_handle());
649 DCHECK(key_->key()); 646 #if defined(USE_OPENSSL_CERTS)
650 #if BUILDFLAG(USE_BYTE_CERTS)
651 // On success, SSL_CTX_set_chain_and_key acquires a reference to
652 // |cert_->os_cert_handle()| and |key_->key()|.
653 CRYPTO_BUFFER* cert_buffers[] = {cert_->os_cert_handle()};
654 CHECK(SSL_CTX_set_chain_and_key(ssl_ctx_.get(), cert_buffers,
655 arraysize(cert_buffers), key_->key(),
656 nullptr /* privkey_method */));
657 #elif defined(USE_OPENSSL_CERTS)
658 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), cert_->os_cert_handle())); 647 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), cert_->os_cert_handle()));
659 CHECK(SSL_CTX_use_PrivateKey(ssl_ctx_.get(), key_->key()));
660 #else 648 #else
649 // Convert OSCertHandle to X509 structure.
661 std::string der_string; 650 std::string der_string;
662 CHECK(X509Certificate::GetDEREncoded(cert_->os_cert_handle(), &der_string)); 651 CHECK(X509Certificate::GetDEREncoded(cert_->os_cert_handle(), &der_string));
663 CHECK(SSL_CTX_use_certificate_ASN1( 652
664 ssl_ctx_.get(), der_string.length(), 653 const unsigned char* der_string_array =
665 reinterpret_cast<const unsigned char*>(der_string.data()))); 654 reinterpret_cast<const unsigned char*>(der_string.data());
666 // On success, SSL_CTX_use_PrivateKey acquires a reference to |key_->key()|. 655
656 bssl::UniquePtr<X509> x509(
657 d2i_X509(NULL, &der_string_array, der_string.length()));
658 CHECK(x509);
659
660 // On success, SSL_CTX_use_certificate acquires a reference to |x509|.
661 CHECK(SSL_CTX_use_certificate(ssl_ctx_.get(), x509.get()));
662 #endif // USE_OPENSSL_CERTS
663
664 DCHECK(key_->key());
667 CHECK(SSL_CTX_use_PrivateKey(ssl_ctx_.get(), key_->key())); 665 CHECK(SSL_CTX_use_PrivateKey(ssl_ctx_.get(), key_->key()));
668 #endif // USE_OPENSSL_CERTS && !USE_BYTE_CERTS
669 666
670 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_min); 667 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_min);
671 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_max); 668 DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_max);
672 CHECK(SSL_CTX_set_min_proto_version(ssl_ctx_.get(), 669 CHECK(SSL_CTX_set_min_proto_version(ssl_ctx_.get(),
673 ssl_server_config_.version_min)); 670 ssl_server_config_.version_min));
674 CHECK(SSL_CTX_set_max_proto_version(ssl_ctx_.get(), 671 CHECK(SSL_CTX_set_max_proto_version(ssl_ctx_.get(),
675 ssl_server_config_.version_max)); 672 ssl_server_config_.version_max));
676 673
677 // OpenSSL defaults some options to on, others to off. To avoid ambiguity, 674 // OpenSSL defaults some options to on, others to off. To avoid ambiguity,
678 // set everything we care about to an absolute value. 675 // set everything we care about to an absolute value.
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after
734 SSLServerContextImpl::~SSLServerContextImpl() {} 731 SSLServerContextImpl::~SSLServerContextImpl() {}
735 732
736 std::unique_ptr<SSLServerSocket> SSLServerContextImpl::CreateSSLServerSocket( 733 std::unique_ptr<SSLServerSocket> SSLServerContextImpl::CreateSSLServerSocket(
737 std::unique_ptr<StreamSocket> socket) { 734 std::unique_ptr<StreamSocket> socket) {
738 bssl::UniquePtr<SSL> ssl(SSL_new(ssl_ctx_.get())); 735 bssl::UniquePtr<SSL> ssl(SSL_new(ssl_ctx_.get()));
739 return std::unique_ptr<SSLServerSocket>( 736 return std::unique_ptr<SSLServerSocket>(
740 new SSLServerSocketImpl(std::move(socket), std::move(ssl))); 737 new SSLServerSocketImpl(std::move(socket), std::move(ssl)));
741 } 738 }
742 739
743 } // namespace net 740 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/ct_objects_extractor.cc ('k') | net/ssl/openssl_client_key_store.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698