OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
11 #include <openssl/opensslv.h> | 11 #include <openssl/opensslv.h> |
12 #include <openssl/ssl.h> | 12 #include <openssl/ssl.h> |
13 | 13 |
14 #include "base/bind.h" | 14 #include "base/bind.h" |
15 #include "base/callback_helpers.h" | 15 #include "base/callback_helpers.h" |
16 #include "base/memory/singleton.h" | 16 #include "base/memory/singleton.h" |
17 #include "base/metrics/histogram.h" | 17 #include "base/metrics/histogram.h" |
18 #include "base/synchronization/lock.h" | 18 #include "base/synchronization/lock.h" |
19 #include "crypto/ec_private_key.h" | 19 #include "crypto/ec_private_key.h" |
20 #include "crypto/openssl_util.h" | 20 #include "crypto/openssl_util.h" |
| 21 #include "crypto/scoped_openssl_types.h" |
21 #include "net/base/net_errors.h" | 22 #include "net/base/net_errors.h" |
22 #include "net/cert/cert_verifier.h" | 23 #include "net/cert/cert_verifier.h" |
23 #include "net/cert/single_request_cert_verifier.h" | 24 #include "net/cert/single_request_cert_verifier.h" |
24 #include "net/cert/x509_certificate_net_log_param.h" | 25 #include "net/cert/x509_certificate_net_log_param.h" |
25 #include "net/socket/openssl_ssl_util.h" | 26 #include "net/socket/openssl_ssl_util.h" |
26 #include "net/socket/ssl_error_params.h" | 27 #include "net/socket/ssl_error_params.h" |
27 #include "net/socket/ssl_session_cache_openssl.h" | 28 #include "net/socket/ssl_session_cache_openssl.h" |
28 #include "net/ssl/openssl_client_key_store.h" | 29 #include "net/ssl/openssl_client_key_store.h" |
29 #include "net/ssl/ssl_cert_request_info.h" | 30 #include "net/ssl/ssl_cert_request_info.h" |
30 #include "net/ssl/ssl_connection_status_flags.h" | 31 #include "net/ssl/ssl_connection_status_flags.h" |
(...skipping 58 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
89 | 90 |
90 // Compute a unique key string for the SSL session cache. |socket| is an | 91 // Compute a unique key string for the SSL session cache. |socket| is an |
91 // input socket object. Return a string. | 92 // input socket object. Return a string. |
92 std::string GetSocketSessionCacheKey(const SSLClientSocketOpenSSL& socket) { | 93 std::string GetSocketSessionCacheKey(const SSLClientSocketOpenSSL& socket) { |
93 std::string result = socket.host_and_port().ToString(); | 94 std::string result = socket.host_and_port().ToString(); |
94 result.append("/"); | 95 result.append("/"); |
95 result.append(socket.ssl_session_cache_shard()); | 96 result.append(socket.ssl_session_cache_shard()); |
96 return result; | 97 return result; |
97 } | 98 } |
98 | 99 |
| 100 static void FreeX509Stack(STACK_OF(X509) * ptr) { |
| 101 sk_X509_pop_free(ptr, X509_free); |
| 102 } |
| 103 |
99 } // namespace | 104 } // namespace |
100 | 105 |
101 class SSLClientSocketOpenSSL::SSLContext { | 106 class SSLClientSocketOpenSSL::SSLContext { |
102 public: | 107 public: |
103 static SSLContext* GetInstance() { return Singleton<SSLContext>::get(); } | 108 static SSLContext* GetInstance() { return Singleton<SSLContext>::get(); } |
104 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); } | 109 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); } |
105 SSLSessionCacheOpenSSL* session_cache() { return &session_cache_; } | 110 SSLSessionCacheOpenSSL* session_cache() { return &session_cache_; } |
106 | 111 |
107 SSLClientSocketOpenSSL* GetClientSocketFromSSL(const SSL* ssl) { | 112 SSLClientSocketOpenSSL* GetClientSocketFromSSL(const SSL* ssl) { |
108 DCHECK(ssl); | 113 DCHECK(ssl); |
(...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
163 const unsigned char* in, | 168 const unsigned char* in, |
164 unsigned int inlen, void* arg) { | 169 unsigned int inlen, void* arg) { |
165 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); | 170 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
166 return socket->SelectNextProtoCallback(out, outlen, in, inlen); | 171 return socket->SelectNextProtoCallback(out, outlen, in, inlen); |
167 } | 172 } |
168 | 173 |
169 // This is the index used with SSL_get_ex_data to retrieve the owner | 174 // This is the index used with SSL_get_ex_data to retrieve the owner |
170 // SSLClientSocketOpenSSL object from an SSL instance. | 175 // SSLClientSocketOpenSSL object from an SSL instance. |
171 int ssl_socket_data_index_; | 176 int ssl_socket_data_index_; |
172 | 177 |
173 crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free> ssl_ctx_; | 178 crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free>::Type ssl_ctx_; |
174 // |session_cache_| must be destroyed before |ssl_ctx_|. | 179 // |session_cache_| must be destroyed before |ssl_ctx_|. |
175 SSLSessionCacheOpenSSL session_cache_; | 180 SSLSessionCacheOpenSSL session_cache_; |
176 }; | 181 }; |
177 | 182 |
178 // PeerCertificateChain is a helper object which extracts the certificate | 183 // PeerCertificateChain is a helper object which extracts the certificate |
179 // chain, as given by the server, from an OpenSSL socket and performs the needed | 184 // chain, as given by the server, from an OpenSSL socket and performs the needed |
180 // resource management. The first element of the chain is the leaf certificate | 185 // resource management. The first element of the chain is the leaf certificate |
181 // and the other elements are in the order given by the server. | 186 // and the other elements are in the order given by the server. |
182 class SSLClientSocketOpenSSL::PeerCertificateChain { | 187 class SSLClientSocketOpenSSL::PeerCertificateChain { |
183 public: | 188 public: |
(...skipping 18 matching lines...) Expand all Loading... |
202 } | 207 } |
203 | 208 |
204 X509* operator[](size_t index) const { | 209 X509* operator[](size_t index) const { |
205 DCHECK_LT(index, size()); | 210 DCHECK_LT(index, size()); |
206 return sk_X509_value(openssl_chain_.get(), index); | 211 return sk_X509_value(openssl_chain_.get(), index); |
207 } | 212 } |
208 | 213 |
209 bool IsValid() { return os_chain_.get() && openssl_chain_.get(); } | 214 bool IsValid() { return os_chain_.get() && openssl_chain_.get(); } |
210 | 215 |
211 private: | 216 private: |
212 static void FreeX509Stack(STACK_OF(X509)* cert_chain) { | 217 typedef crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>::Type |
213 sk_X509_pop_free(cert_chain, X509_free); | 218 ScopedX509Stack; |
214 } | |
215 | 219 |
216 friend class crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>; | 220 ScopedX509Stack openssl_chain_; |
217 | |
218 crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack> openssl_chain_; | |
219 | 221 |
220 scoped_refptr<X509Certificate> os_chain_; | 222 scoped_refptr<X509Certificate> os_chain_; |
221 }; | 223 }; |
222 | 224 |
223 SSLClientSocketOpenSSL::PeerCertificateChain& | 225 SSLClientSocketOpenSSL::PeerCertificateChain& |
224 SSLClientSocketOpenSSL::PeerCertificateChain::operator=( | 226 SSLClientSocketOpenSSL::PeerCertificateChain::operator=( |
225 const PeerCertificateChain& other) { | 227 const PeerCertificateChain& other) { |
226 if (this == &other) | 228 if (this == &other) |
227 return *this; | 229 return *this; |
228 | 230 |
(...skipping 1218 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1447 DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_; | 1449 DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_; |
1448 return SSL_TLSEXT_ERR_OK; | 1450 return SSL_TLSEXT_ERR_OK; |
1449 } | 1451 } |
1450 | 1452 |
1451 scoped_refptr<X509Certificate> | 1453 scoped_refptr<X509Certificate> |
1452 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1454 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
1453 return server_cert_; | 1455 return server_cert_; |
1454 } | 1456 } |
1455 | 1457 |
1456 } // namespace net | 1458 } // namespace net |
OLD | NEW |