| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| 11 #include <openssl/bio.h> | 11 #include <openssl/bio.h> |
| 12 #include <openssl/err.h> | 12 #include <openssl/err.h> |
| 13 #include <openssl/ssl.h> | 13 #include <openssl/ssl.h> |
| 14 | 14 |
| 15 #include "base/bind.h" | 15 #include "base/bind.h" |
| 16 #include "base/callback_helpers.h" | 16 #include "base/callback_helpers.h" |
| 17 #include "base/environment.h" | 17 #include "base/environment.h" |
| 18 #include "base/memory/singleton.h" | 18 #include "base/memory/singleton.h" |
| 19 #include "base/metrics/histogram.h" | 19 #include "base/metrics/histogram.h" |
| 20 #include "base/strings/string_piece.h" | 20 #include "base/strings/string_piece.h" |
| 21 #include "base/synchronization/lock.h" | 21 #include "base/synchronization/lock.h" |
| 22 #include "crypto/ec_private_key.h" | 22 #include "crypto/ec_private_key.h" |
| 23 #include "crypto/openssl_util.h" | 23 #include "crypto/openssl_util.h" |
| 24 #include "crypto/scoped_openssl_types.h" | 24 #include "crypto/scoped_openssl_types.h" |
| 25 #include "net/base/net_errors.h" | 25 #include "net/base/net_errors.h" |
| 26 #include "net/cert/cert_verifier.h" | 26 #include "net/cert/cert_verifier.h" |
| 27 #include "net/cert/ct_ev_whitelist.h" |
| 27 #include "net/cert/ct_verifier.h" | 28 #include "net/cert/ct_verifier.h" |
| 28 #include "net/cert/single_request_cert_verifier.h" | 29 #include "net/cert/single_request_cert_verifier.h" |
| 29 #include "net/cert/x509_certificate_net_log_param.h" | 30 #include "net/cert/x509_certificate_net_log_param.h" |
| 30 #include "net/cert/x509_util_openssl.h" | 31 #include "net/cert/x509_util_openssl.h" |
| 31 #include "net/http/transport_security_state.h" | 32 #include "net/http/transport_security_state.h" |
| 32 #include "net/socket/ssl_session_cache_openssl.h" | 33 #include "net/socket/ssl_session_cache_openssl.h" |
| 33 #include "net/ssl/openssl_ssl_util.h" | |
| 34 #include "net/ssl/ssl_cert_request_info.h" | 34 #include "net/ssl/ssl_cert_request_info.h" |
| 35 #include "net/ssl/ssl_connection_status_flags.h" | 35 #include "net/ssl/ssl_connection_status_flags.h" |
| 36 #include "net/ssl/ssl_info.h" | 36 #include "net/ssl/ssl_info.h" |
| 37 | 37 |
| 38 #if defined(OS_WIN) | 38 #if defined(OS_WIN) |
| 39 #include "base/win/windows_version.h" | 39 #include "base/win/windows_version.h" |
| 40 #endif | 40 #endif |
| 41 | 41 |
| 42 #if defined(USE_OPENSSL_CERTS) | 42 #if defined(USE_OPENSSL_CERTS) |
| 43 #include "net/ssl/openssl_client_key_store.h" | 43 #include "net/ssl/openssl_client_key_store.h" |
| (...skipping 288 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 332 } | 332 } |
| 333 | 333 |
| 334 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( | 334 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( |
| 335 scoped_ptr<ClientSocketHandle> transport_socket, | 335 scoped_ptr<ClientSocketHandle> transport_socket, |
| 336 const HostPortPair& host_and_port, | 336 const HostPortPair& host_and_port, |
| 337 const SSLConfig& ssl_config, | 337 const SSLConfig& ssl_config, |
| 338 const SSLClientSocketContext& context) | 338 const SSLClientSocketContext& context) |
| 339 : transport_send_busy_(false), | 339 : transport_send_busy_(false), |
| 340 transport_recv_busy_(false), | 340 transport_recv_busy_(false), |
| 341 pending_read_error_(kNoPendingReadResult), | 341 pending_read_error_(kNoPendingReadResult), |
| 342 pending_read_ssl_error_(SSL_ERROR_NONE), |
| 342 transport_read_error_(OK), | 343 transport_read_error_(OK), |
| 343 transport_write_error_(OK), | 344 transport_write_error_(OK), |
| 344 server_cert_chain_(new PeerCertificateChain(NULL)), | 345 server_cert_chain_(new PeerCertificateChain(NULL)), |
| 345 completed_connect_(false), | 346 completed_connect_(false), |
| 346 was_ever_used_(false), | 347 was_ever_used_(false), |
| 347 client_auth_cert_needed_(false), | 348 client_auth_cert_needed_(false), |
| 348 cert_verifier_(context.cert_verifier), | 349 cert_verifier_(context.cert_verifier), |
| 349 cert_transparency_verifier_(context.cert_transparency_verifier), | 350 cert_transparency_verifier_(context.cert_transparency_verifier), |
| 350 channel_id_service_(context.channel_id_service), | 351 channel_id_service_(context.channel_id_service), |
| 351 ssl_(NULL), | 352 ssl_(NULL), |
| (...skipping 138 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 490 | 491 |
| 491 user_connect_callback_.Reset(); | 492 user_connect_callback_.Reset(); |
| 492 user_read_callback_.Reset(); | 493 user_read_callback_.Reset(); |
| 493 user_write_callback_.Reset(); | 494 user_write_callback_.Reset(); |
| 494 user_read_buf_ = NULL; | 495 user_read_buf_ = NULL; |
| 495 user_read_buf_len_ = 0; | 496 user_read_buf_len_ = 0; |
| 496 user_write_buf_ = NULL; | 497 user_write_buf_ = NULL; |
| 497 user_write_buf_len_ = 0; | 498 user_write_buf_len_ = 0; |
| 498 | 499 |
| 499 pending_read_error_ = kNoPendingReadResult; | 500 pending_read_error_ = kNoPendingReadResult; |
| 501 pending_read_ssl_error_ = SSL_ERROR_NONE; |
| 502 pending_read_error_info_ = OpenSSLErrorInfo(); |
| 503 |
| 500 transport_read_error_ = OK; | 504 transport_read_error_ = OK; |
| 501 transport_write_error_ = OK; | 505 transport_write_error_ = OK; |
| 502 | 506 |
| 503 server_cert_verify_result_.Reset(); | 507 server_cert_verify_result_.Reset(); |
| 504 completed_connect_ = false; | 508 completed_connect_ = false; |
| 505 | 509 |
| 506 cert_authorities_.clear(); | 510 cert_authorities_.clear(); |
| 507 cert_key_types_.clear(); | 511 cert_key_types_.clear(); |
| 508 client_auth_cert_needed_ = false; | 512 client_auth_cert_needed_ = false; |
| 509 | 513 |
| (...skipping 586 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1096 (result == OK || | 1100 (result == OK || |
| 1097 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 1101 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
| 1098 !transport_security_state_->CheckPublicKeyPins( | 1102 !transport_security_state_->CheckPublicKeyPins( |
| 1099 host_and_port_.host(), | 1103 host_and_port_.host(), |
| 1100 server_cert_verify_result_.is_issued_by_known_root, | 1104 server_cert_verify_result_.is_issued_by_known_root, |
| 1101 server_cert_verify_result_.public_key_hashes, | 1105 server_cert_verify_result_.public_key_hashes, |
| 1102 &pinning_failure_log_)) { | 1106 &pinning_failure_log_)) { |
| 1103 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 1107 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
| 1104 } | 1108 } |
| 1105 | 1109 |
| 1110 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
| 1111 SSLConfigService::GetEVCertsWhitelist(); |
| 1112 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { |
| 1113 if (ev_whitelist.get() && ev_whitelist->IsValid()) { |
| 1114 const SHA256HashValue fingerprint( |
| 1115 X509Certificate::CalculateFingerprint256( |
| 1116 server_cert_verify_result_.verified_cert->os_cert_handle())); |
| 1117 |
| 1118 UMA_HISTOGRAM_BOOLEAN( |
| 1119 "Net.SSL_EVCertificateInWhitelist", |
| 1120 ev_whitelist->ContainsCertificateHash( |
| 1121 std::string(reinterpret_cast<const char*>(fingerprint.data), 8))); |
| 1122 } |
| 1123 } |
| 1124 |
| 1106 if (result == OK) { | 1125 if (result == OK) { |
| 1107 // Only check Certificate Transparency if there were no other errors with | 1126 // Only check Certificate Transparency if there were no other errors with |
| 1108 // the connection. | 1127 // the connection. |
| 1109 VerifyCT(); | 1128 VerifyCT(); |
| 1110 | 1129 |
| 1111 // TODO(joth): Work out if we need to remember the intermediate CA certs | 1130 // TODO(joth): Work out if we need to remember the intermediate CA certs |
| 1112 // when the server sends them to us, and do so here. | 1131 // when the server sends them to us, and do so here. |
| 1113 SSLContext::GetInstance()->session_cache()->MarkSSLSessionAsGood(ssl_); | 1132 SSLContext::GetInstance()->session_cache()->MarkSSLSessionAsGood(ssl_); |
| 1114 marked_session_as_good_ = true; | 1133 marked_session_as_good_ = true; |
| 1115 CheckIfHandshakeFinished(); | 1134 CheckIfHandshakeFinished(); |
| (...skipping 197 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1313 int SSLClientSocketOpenSSL::DoPayloadRead() { | 1332 int SSLClientSocketOpenSSL::DoPayloadRead() { |
| 1314 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 1333 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 1315 | 1334 |
| 1316 int rv; | 1335 int rv; |
| 1317 if (pending_read_error_ != kNoPendingReadResult) { | 1336 if (pending_read_error_ != kNoPendingReadResult) { |
| 1318 rv = pending_read_error_; | 1337 rv = pending_read_error_; |
| 1319 pending_read_error_ = kNoPendingReadResult; | 1338 pending_read_error_ = kNoPendingReadResult; |
| 1320 if (rv == 0) { | 1339 if (rv == 0) { |
| 1321 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, | 1340 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, |
| 1322 rv, user_read_buf_->data()); | 1341 rv, user_read_buf_->data()); |
| 1342 } else { |
| 1343 net_log_.AddEvent( |
| 1344 NetLog::TYPE_SSL_READ_ERROR, |
| 1345 CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_, |
| 1346 pending_read_error_info_)); |
| 1323 } | 1347 } |
| 1348 pending_read_ssl_error_ = SSL_ERROR_NONE; |
| 1349 pending_read_error_info_ = OpenSSLErrorInfo(); |
| 1324 return rv; | 1350 return rv; |
| 1325 } | 1351 } |
| 1326 | 1352 |
| 1327 int total_bytes_read = 0; | 1353 int total_bytes_read = 0; |
| 1328 do { | 1354 do { |
| 1329 rv = SSL_read(ssl_, user_read_buf_->data() + total_bytes_read, | 1355 rv = SSL_read(ssl_, user_read_buf_->data() + total_bytes_read, |
| 1330 user_read_buf_len_ - total_bytes_read); | 1356 user_read_buf_len_ - total_bytes_read); |
| 1331 if (rv > 0) | 1357 if (rv > 0) |
| 1332 total_bytes_read += rv; | 1358 total_bytes_read += rv; |
| 1333 } while (total_bytes_read < user_read_buf_len_ && rv > 0); | 1359 } while (total_bytes_read < user_read_buf_len_ && rv > 0); |
| (...skipping 14 matching lines...) Expand all Loading... |
| 1348 int *next_result = &rv; | 1374 int *next_result = &rv; |
| 1349 if (total_bytes_read > 0) { | 1375 if (total_bytes_read > 0) { |
| 1350 pending_read_error_ = rv; | 1376 pending_read_error_ = rv; |
| 1351 rv = total_bytes_read; | 1377 rv = total_bytes_read; |
| 1352 next_result = &pending_read_error_; | 1378 next_result = &pending_read_error_; |
| 1353 } | 1379 } |
| 1354 | 1380 |
| 1355 if (client_auth_cert_needed_) { | 1381 if (client_auth_cert_needed_) { |
| 1356 *next_result = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 1382 *next_result = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
| 1357 } else if (*next_result < 0) { | 1383 } else if (*next_result < 0) { |
| 1358 int err = SSL_get_error(ssl_, *next_result); | 1384 pending_read_ssl_error_ = SSL_get_error(ssl_, *next_result); |
| 1359 *next_result = MapOpenSSLError(err, err_tracer); | 1385 *next_result = MapOpenSSLErrorWithDetails(pending_read_ssl_error_, |
| 1386 err_tracer, |
| 1387 &pending_read_error_info_); |
| 1360 | 1388 |
| 1361 // Many servers do not reliably send a close_notify alert when shutting | 1389 // Many servers do not reliably send a close_notify alert when shutting |
| 1362 // down a connection, and instead terminate the TCP connection. This is | 1390 // down a connection, and instead terminate the TCP connection. This is |
| 1363 // reported as ERR_CONNECTION_CLOSED. Because of this, map the unclean | 1391 // reported as ERR_CONNECTION_CLOSED. Because of this, map the unclean |
| 1364 // shutdown to a graceful EOF, instead of treating it as an error as it | 1392 // shutdown to a graceful EOF, instead of treating it as an error as it |
| 1365 // should be. | 1393 // should be. |
| 1366 if (*next_result == ERR_CONNECTION_CLOSED) | 1394 if (*next_result == ERR_CONNECTION_CLOSED) |
| 1367 *next_result = 0; | 1395 *next_result = 0; |
| 1368 | 1396 |
| 1369 if (rv > 0 && *next_result == ERR_IO_PENDING) { | 1397 if (rv > 0 && *next_result == ERR_IO_PENDING) { |
| 1370 // If at least some data was read from SSL_read(), do not treat | 1398 // If at least some data was read from SSL_read(), do not treat |
| 1371 // insufficient data as an error to return in the next call to | 1399 // insufficient data as an error to return in the next call to |
| 1372 // DoPayloadRead() - instead, let the call fall through to check | 1400 // DoPayloadRead() - instead, let the call fall through to check |
| 1373 // SSL_read() again. This is because DoTransportIO() may complete | 1401 // SSL_read() again. This is because DoTransportIO() may complete |
| 1374 // in between the next call to DoPayloadRead(), and thus it is | 1402 // in between the next call to DoPayloadRead(), and thus it is |
| 1375 // important to check SSL_read() on subsequent invocations to see | 1403 // important to check SSL_read() on subsequent invocations to see |
| 1376 // if a complete record may now be read. | 1404 // if a complete record may now be read. |
| 1377 *next_result = kNoPendingReadResult; | 1405 *next_result = kNoPendingReadResult; |
| 1378 } | 1406 } |
| 1379 } | 1407 } |
| 1380 } | 1408 } |
| 1381 | 1409 |
| 1382 if (rv >= 0) { | 1410 if (rv >= 0) { |
| 1383 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv, | 1411 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv, |
| 1384 user_read_buf_->data()); | 1412 user_read_buf_->data()); |
| 1413 } else if (rv != ERR_IO_PENDING) { |
| 1414 net_log_.AddEvent( |
| 1415 NetLog::TYPE_SSL_READ_ERROR, |
| 1416 CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_, |
| 1417 pending_read_error_info_)); |
| 1418 pending_read_ssl_error_ = SSL_ERROR_NONE; |
| 1419 pending_read_error_info_ = OpenSSLErrorInfo(); |
| 1385 } | 1420 } |
| 1386 return rv; | 1421 return rv; |
| 1387 } | 1422 } |
| 1388 | 1423 |
| 1389 int SSLClientSocketOpenSSL::DoPayloadWrite() { | 1424 int SSLClientSocketOpenSSL::DoPayloadWrite() { |
| 1390 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 1425 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 1391 int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_); | 1426 int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_); |
| 1392 if (rv >= 0) { | 1427 if (rv >= 0) { |
| 1393 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, | 1428 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, |
| 1394 user_write_buf_->data()); | 1429 user_write_buf_->data()); |
| 1395 return rv; | 1430 return rv; |
| 1396 } | 1431 } |
| 1397 | 1432 |
| 1398 int err = SSL_get_error(ssl_, rv); | 1433 int ssl_error = SSL_get_error(ssl_, rv); |
| 1399 return MapOpenSSLError(err, err_tracer); | 1434 OpenSSLErrorInfo error_info; |
| 1435 int net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, |
| 1436 &error_info); |
| 1437 |
| 1438 if (net_error != ERR_IO_PENDING) { |
| 1439 net_log_.AddEvent( |
| 1440 NetLog::TYPE_SSL_WRITE_ERROR, |
| 1441 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); |
| 1442 } |
| 1443 return net_error; |
| 1400 } | 1444 } |
| 1401 | 1445 |
| 1402 int SSLClientSocketOpenSSL::BufferSend(void) { | 1446 int SSLClientSocketOpenSSL::BufferSend(void) { |
| 1403 if (transport_send_busy_) | 1447 if (transport_send_busy_) |
| 1404 return ERR_IO_PENDING; | 1448 return ERR_IO_PENDING; |
| 1405 | 1449 |
| 1406 if (!send_buffer_.get()) { | 1450 if (!send_buffer_.get()) { |
| 1407 // Get a fresh send buffer out of the send BIO. | 1451 // Get a fresh send buffer out of the send BIO. |
| 1408 size_t max_read = BIO_pending(transport_bio_); | 1452 size_t max_read = BIO_pending(transport_bio_); |
| 1409 if (!max_read) | 1453 if (!max_read) |
| (...skipping 364 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1774 ct::SCT_STATUS_LOG_UNKNOWN)); | 1818 ct::SCT_STATUS_LOG_UNKNOWN)); |
| 1775 } | 1819 } |
| 1776 } | 1820 } |
| 1777 | 1821 |
| 1778 scoped_refptr<X509Certificate> | 1822 scoped_refptr<X509Certificate> |
| 1779 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1823 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
| 1780 return server_cert_; | 1824 return server_cert_; |
| 1781 } | 1825 } |
| 1782 | 1826 |
| 1783 } // namespace net | 1827 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 669813003:
Update from chromium https://crrev.com/301725/ (Closed)
Base URL: git@github.com:domokit/mojo.git@master