Chromium Code Reviews Chromium Code Reviews
Issue 537633003:
Implement SSLKEYLOGFILE for OpenSSL. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| 11 #include <openssl/bio.h> | |
| 11 #include <openssl/err.h> | 12 #include <openssl/err.h> |
| 12 #include <openssl/ssl.h> | 13 #include <openssl/ssl.h> |
| 13 | 14 |
| 14 #include "base/bind.h" | 15 #include "base/bind.h" |
| 15 #include "base/callback_helpers.h" | 16 #include "base/callback_helpers.h" |
| 17 #include "base/environment.h" | |
| 16 #include "base/memory/singleton.h" | 18 #include "base/memory/singleton.h" |
| 17 #include "base/metrics/histogram.h" | 19 #include "base/metrics/histogram.h" |
| 20 #include "base/strings/string_piece.h" | |
| 18 #include "base/synchronization/lock.h" | 21 #include "base/synchronization/lock.h" |
| 19 #include "crypto/ec_private_key.h" | 22 #include "crypto/ec_private_key.h" |
| 20 #include "crypto/openssl_util.h" | 23 #include "crypto/openssl_util.h" |
| 21 #include "crypto/scoped_openssl_types.h" | 24 #include "crypto/scoped_openssl_types.h" |
| 22 #include "net/base/net_errors.h" | 25 #include "net/base/net_errors.h" |
| 23 #include "net/cert/cert_verifier.h" | 26 #include "net/cert/cert_verifier.h" |
| 24 #include "net/cert/single_request_cert_verifier.h" | 27 #include "net/cert/single_request_cert_verifier.h" |
| 25 #include "net/cert/x509_certificate_net_log_param.h" | 28 #include "net/cert/x509_certificate_net_log_param.h" |
| 26 #include "net/http/transport_security_state.h" | 29 #include "net/http/transport_security_state.h" |
| 27 #include "net/socket/ssl_session_cache_openssl.h" | 30 #include "net/socket/ssl_session_cache_openssl.h" |
| (...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 119 ScopedX509Stack stack(sk_X509_new_null()); | 122 ScopedX509Stack stack(sk_X509_new_null()); |
| 120 for (size_t i = 0; i < os_handles.size(); i++) { | 123 for (size_t i = 0; i < os_handles.size(); i++) { |
| 121 ScopedX509 x509 = OSCertHandleToOpenSSL(os_handles[i]); | 124 ScopedX509 x509 = OSCertHandleToOpenSSL(os_handles[i]); |
| 122 if (!x509) | 125 if (!x509) |
| 123 return ScopedX509Stack(); | 126 return ScopedX509Stack(); |
| 124 sk_X509_push(stack.get(), x509.release()); | 127 sk_X509_push(stack.get(), x509.release()); |
| 125 } | 128 } |
| 126 return stack.Pass(); | 129 return stack.Pass(); |
| 127 } | 130 } |
| 128 | 131 |
| 132 int LogErrorCallback(const char* str, size_t len, void* context) { | |
| 133 LOG(ERROR) << base::StringPiece(str, len); | |
| 134 return 1; | |
| 135 } | |
| 136 | |
| 129 } // namespace | 137 } // namespace |
| 130 | 138 |
| 131 class SSLClientSocketOpenSSL::SSLContext { | 139 class SSLClientSocketOpenSSL::SSLContext { |
| 132 public: | 140 public: |
| 133 static SSLContext* GetInstance() { return Singleton<SSLContext>::get(); } | 141 static SSLContext* GetInstance() { return Singleton<SSLContext>::get(); } |
| 134 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); } | 142 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); } |
| 135 SSLSessionCacheOpenSSL* session_cache() { return &session_cache_; } | 143 SSLSessionCacheOpenSSL* session_cache() { return &session_cache_; } |
| 136 | 144 |
| 137 SSLClientSocketOpenSSL* GetClientSocketFromSSL(const SSL* ssl) { | 145 SSLClientSocketOpenSSL* GetClientSocketFromSSL(const SSL* ssl) { |
| 138 DCHECK(ssl); | 146 DCHECK(ssl); |
| (...skipping 18 matching lines...) Expand all Loading... | |
| 157 session_cache_.Reset(ssl_ctx_.get(), kDefaultSessionCacheConfig); | 165 session_cache_.Reset(ssl_ctx_.get(), kDefaultSessionCacheConfig); |
| 158 SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), CertVerifyCallback, NULL); | 166 SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), CertVerifyCallback, NULL); |
| 159 SSL_CTX_set_cert_cb(ssl_ctx_.get(), ClientCertRequestCallback, NULL); | 167 SSL_CTX_set_cert_cb(ssl_ctx_.get(), ClientCertRequestCallback, NULL); |
| 160 SSL_CTX_set_verify(ssl_ctx_.get(), SSL_VERIFY_PEER, NULL); | 168 SSL_CTX_set_verify(ssl_ctx_.get(), SSL_VERIFY_PEER, NULL); |
| 161 // TODO(kristianm): Only select this if ssl_config_.next_proto is not empty. | 169 // TODO(kristianm): Only select this if ssl_config_.next_proto is not empty. |
| 162 // It would be better if the callback were not a global setting, | 170 // It would be better if the callback were not a global setting, |
| 163 // but that is an OpenSSL issue. | 171 // but that is an OpenSSL issue. |
| 164 SSL_CTX_set_next_proto_select_cb(ssl_ctx_.get(), SelectNextProtoCallback, | 172 SSL_CTX_set_next_proto_select_cb(ssl_ctx_.get(), SelectNextProtoCallback, |
| 165 NULL); | 173 NULL); |
| 166 ssl_ctx_->tlsext_channel_id_enabled_new = 1; | 174 ssl_ctx_->tlsext_channel_id_enabled_new = 1; |
| 175 | |
| 176 scoped_ptr<base::Environment> env(base::Environment::Create()); | |
| 177 std::string ssl_keylog_file; | |
| 178 if (env->GetVar("SSLKEYLOGFILE", &ssl_keylog_file) && | |
| 179 !ssl_keylog_file.empty()) { | |
| 180 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | |
| 181 BIO* bio = BIO_new_file(ssl_keylog_file.c_str(), "a"); | |
| 182 if (!bio) { | |
| 183 LOG(ERROR) << "Failed to open " << ssl_keylog_file; | |
|
Ryan Sleevi
2014/09/11 23:20:43
Comparison: In NSS world, this is a noop.
davidben
2014/09/11 23:30:19
Well, NSS has an SSL_TRACE call, but yeah that's a
| |
| 184 ERR_print_errors_cb(&LogErrorCallback, NULL); | |
| 185 } else { | |
| 186 SSL_CTX_set_keylog_bio(ssl_ctx_.get(), bio); | |
| 187 } | |
| 188 } | |
| 167 } | 189 } |
| 168 | 190 |
| 169 static std::string GetSessionCacheKey(const SSL* ssl) { | 191 static std::string GetSessionCacheKey(const SSL* ssl) { |
| 170 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); | 192 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
| 171 DCHECK(socket); | 193 DCHECK(socket); |
| 172 return socket->GetSessionCacheKey(); | 194 return socket->GetSessionCacheKey(); |
| 173 } | 195 } |
| 174 | 196 |
| 175 static SSLSessionCacheOpenSSL::Config kDefaultSessionCacheConfig; | 197 static SSLSessionCacheOpenSSL::Config kDefaultSessionCacheConfig; |
| 176 | 198 |
| (...skipping 1479 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1656 if (handshake_succeeded_ && marked_session_as_good_) | 1678 if (handshake_succeeded_ && marked_session_as_good_) |
| 1657 OnHandshakeCompletion(); | 1679 OnHandshakeCompletion(); |
| 1658 } | 1680 } |
| 1659 | 1681 |
| 1660 scoped_refptr<X509Certificate> | 1682 scoped_refptr<X509Certificate> |
| 1661 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1683 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
| 1662 return server_cert_; | 1684 return server_cert_; |
| 1663 } | 1685 } |
| 1664 | 1686 |
| 1665 } // namespace net | 1687 } // namespace net |
| OLD | NEW |
