OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
11 #include <openssl/opensslv.h> | 11 #include <openssl/opensslv.h> |
12 #include <openssl/ssl.h> | 12 #include <openssl/ssl.h> |
13 | 13 |
14 #include "base/bind.h" | 14 #include "base/bind.h" |
15 #include "base/callback_helpers.h" | 15 #include "base/callback_helpers.h" |
16 #include "base/memory/singleton.h" | 16 #include "base/memory/singleton.h" |
17 #include "base/metrics/histogram.h" | 17 #include "base/metrics/histogram.h" |
18 #include "base/synchronization/lock.h" | 18 #include "base/synchronization/lock.h" |
19 #include "crypto/ec_private_key.h" | 19 #include "crypto/ec_private_key.h" |
20 #include "crypto/openssl_util.h" | 20 #include "crypto/openssl_util.h" |
21 #include "crypto/scoped_openssl_types.h" | |
21 #include "net/base/net_errors.h" | 22 #include "net/base/net_errors.h" |
22 #include "net/cert/cert_verifier.h" | 23 #include "net/cert/cert_verifier.h" |
23 #include "net/cert/single_request_cert_verifier.h" | 24 #include "net/cert/single_request_cert_verifier.h" |
24 #include "net/cert/x509_certificate_net_log_param.h" | 25 #include "net/cert/x509_certificate_net_log_param.h" |
25 #include "net/socket/openssl_ssl_util.h" | 26 #include "net/socket/openssl_ssl_util.h" |
26 #include "net/socket/ssl_error_params.h" | 27 #include "net/socket/ssl_error_params.h" |
27 #include "net/socket/ssl_session_cache_openssl.h" | 28 #include "net/socket/ssl_session_cache_openssl.h" |
28 #include "net/ssl/openssl_client_key_store.h" | 29 #include "net/ssl/openssl_client_key_store.h" |
29 #include "net/ssl/ssl_cert_request_info.h" | 30 #include "net/ssl/ssl_cert_request_info.h" |
30 #include "net/ssl/ssl_connection_status_flags.h" | 31 #include "net/ssl/ssl_connection_status_flags.h" |
(...skipping 132 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
163 const unsigned char* in, | 164 const unsigned char* in, |
164 unsigned int inlen, void* arg) { | 165 unsigned int inlen, void* arg) { |
165 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); | 166 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
166 return socket->SelectNextProtoCallback(out, outlen, in, inlen); | 167 return socket->SelectNextProtoCallback(out, outlen, in, inlen); |
167 } | 168 } |
168 | 169 |
169 // This is the index used with SSL_get_ex_data to retrieve the owner | 170 // This is the index used with SSL_get_ex_data to retrieve the owner |
170 // SSLClientSocketOpenSSL object from an SSL instance. | 171 // SSLClientSocketOpenSSL object from an SSL instance. |
171 int ssl_socket_data_index_; | 172 int ssl_socket_data_index_; |
172 | 173 |
173 crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free> ssl_ctx_; | 174 scoped_ptr<SSL_CTX, crypto::OpenSSLDestroyer<SSL_CTX, SSL_CTX_free> > |
175 ssl_ctx_; | |
174 // |session_cache_| must be destroyed before |ssl_ctx_|. | 176 // |session_cache_| must be destroyed before |ssl_ctx_|. |
175 SSLSessionCacheOpenSSL session_cache_; | 177 SSLSessionCacheOpenSSL session_cache_; |
176 }; | 178 }; |
177 | 179 |
178 // PeerCertificateChain is a helper object which extracts the certificate | 180 // PeerCertificateChain is a helper object which extracts the certificate |
179 // chain, as given by the server, from an OpenSSL socket and performs the needed | 181 // chain, as given by the server, from an OpenSSL socket and performs the needed |
180 // resource management. The first element of the chain is the leaf certificate | 182 // resource management. The first element of the chain is the leaf certificate |
181 // and the other elements are in the order given by the server. | 183 // and the other elements are in the order given by the server. |
182 class SSLClientSocketOpenSSL::PeerCertificateChain { | 184 class SSLClientSocketOpenSSL::PeerCertificateChain { |
183 public: | 185 public: |
(...skipping 22 matching lines...) Expand all Loading... | |
206 return sk_X509_value(openssl_chain_.get(), index); | 208 return sk_X509_value(openssl_chain_.get(), index); |
207 } | 209 } |
208 | 210 |
209 bool IsValid() { return os_chain_.get() && openssl_chain_.get(); } | 211 bool IsValid() { return os_chain_.get() && openssl_chain_.get(); } |
210 | 212 |
211 private: | 213 private: |
212 static void FreeX509Stack(STACK_OF(X509)* cert_chain) { | 214 static void FreeX509Stack(STACK_OF(X509)* cert_chain) { |
213 sk_X509_pop_free(cert_chain, X509_free); | 215 sk_X509_pop_free(cert_chain, X509_free); |
214 } | 216 } |
215 | 217 |
216 friend class crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>; | 218 typedef scoped_ptr<STACK_OF(X509), |
219 crypto::OpenSSLDestroyer<STACK_OF(X509), FreeX509Stack> > | |
220 ScopedX509Stack; | |
221 friend struct crypto::OpenSSLDestroyer<STACK_OF(X509), FreeX509Stack>; | |
wtc
2014/07/02 20:13:13
This friend declaration seems wrong. To match the
Ryan Sleevi
2014/07/02 20:16:30
It's correct. OpenSSLDestroyer is what actually ca
| |
217 | 222 |
218 crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack> openssl_chain_; | 223 ScopedX509Stack openssl_chain_; |
219 | 224 |
220 scoped_refptr<X509Certificate> os_chain_; | 225 scoped_refptr<X509Certificate> os_chain_; |
221 }; | 226 }; |
222 | 227 |
223 SSLClientSocketOpenSSL::PeerCertificateChain& | 228 SSLClientSocketOpenSSL::PeerCertificateChain& |
224 SSLClientSocketOpenSSL::PeerCertificateChain::operator=( | 229 SSLClientSocketOpenSSL::PeerCertificateChain::operator=( |
225 const PeerCertificateChain& other) { | 230 const PeerCertificateChain& other) { |
226 if (this == &other) | 231 if (this == &other) |
227 return *this; | 232 return *this; |
228 | 233 |
(...skipping 1218 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1447 DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_; | 1452 DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_; |
1448 return SSL_TLSEXT_ERR_OK; | 1453 return SSL_TLSEXT_ERR_OK; |
1449 } | 1454 } |
1450 | 1455 |
1451 scoped_refptr<X509Certificate> | 1456 scoped_refptr<X509Certificate> |
1452 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1457 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
1453 return server_cert_; | 1458 return server_cert_; |
1454 } | 1459 } |
1455 | 1460 |
1456 } // namespace net | 1461 } // namespace net |
OLD | NEW |