| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| (...skipping 909 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 920 int SSLClientSocketOpenSSL::DoHandshake() { | 920 int SSLClientSocketOpenSSL::DoHandshake() { |
| 921 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. | 921 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 922 tracked_objects::ScopedTracker tracking_profile1( | 922 tracked_objects::ScopedTracker tracking_profile1( |
| 923 FROM_HERE_WITH_EXPLICIT_FUNCTION( | 923 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 924 "424386 SSLClientSocketOpenSSL::DoHandshake1")); | 924 "424386 SSLClientSocketOpenSSL::DoHandshake1")); |
| 925 | 925 |
| 926 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 926 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 927 int net_error = OK; | 927 int net_error = OK; |
| 928 int rv = SSL_do_handshake(ssl_); | 928 int rv = SSL_do_handshake(ssl_); |
| 929 | 929 |
| 930 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. | 930 if (client_auth_cert_needed_) { |
| 931 tracked_objects::ScopedTracker tracking_profile2( | 931 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 932 FROM_HERE_WITH_EXPLICIT_FUNCTION( | 932 tracked_objects::ScopedTracker tracking_profile2( |
| 933 "424386 SSLClientSocketOpenSSL::DoHandshake2")); | 933 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 934 "424386 SSLClientSocketOpenSSL::DoHandshake2")); |
| 934 | 935 |
| 935 if (client_auth_cert_needed_) { | |
| 936 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 936 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
| 937 // If the handshake already succeeded (because the server requests but | 937 // If the handshake already succeeded (because the server requests but |
| 938 // doesn't require a client cert), we need to invalidate the SSL session | 938 // doesn't require a client cert), we need to invalidate the SSL session |
| 939 // so that we won't try to resume the non-client-authenticated session in | 939 // so that we won't try to resume the non-client-authenticated session in |
| 940 // the next handshake. This will cause the server to ask for a client | 940 // the next handshake. This will cause the server to ask for a client |
| 941 // cert again. | 941 // cert again. |
| 942 if (rv == 1) { | 942 if (rv == 1) { |
| 943 // Remove from session cache but don't clear this connection. | 943 // Remove from session cache but don't clear this connection. |
| 944 SSL_SESSION* session = SSL_get_session(ssl_); | 944 SSL_SESSION* session = SSL_get_session(ssl_); |
| 945 if (session) { | 945 if (session) { |
| 946 int rv = SSL_CTX_remove_session(SSL_get_SSL_CTX(ssl_), session); | 946 int rv = SSL_CTX_remove_session(SSL_get_SSL_CTX(ssl_), session); |
| 947 LOG_IF(WARNING, !rv) << "Couldn't invalidate SSL session: " << session; | 947 LOG_IF(WARNING, !rv) << "Couldn't invalidate SSL session: " << session; |
| 948 } | 948 } |
| 949 } | 949 } |
| 950 } else if (rv == 1) { | 950 } else if (rv == 1) { |
| 951 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 952 tracked_objects::ScopedTracker tracking_profile3( |
| 953 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 954 "424386 SSLClientSocketOpenSSL::DoHandshake3")); |
| 955 |
| 951 if (trying_cached_session_ && logging::DEBUG_MODE) { | 956 if (trying_cached_session_ && logging::DEBUG_MODE) { |
| 952 DVLOG(2) << "Result of session reuse for " << host_and_port_.ToString() | 957 DVLOG(2) << "Result of session reuse for " << host_and_port_.ToString() |
| 953 << " is: " << (SSL_session_reused(ssl_) ? "Success" : "Fail"); | 958 << " is: " << (SSL_session_reused(ssl_) ? "Success" : "Fail"); |
| 954 } | 959 } |
| 955 | 960 |
| 956 if (ssl_config_.version_fallback && | 961 if (ssl_config_.version_fallback && |
| 957 ssl_config_.version_max < ssl_config_.version_fallback_min) { | 962 ssl_config_.version_max < ssl_config_.version_fallback_min) { |
| 958 return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION; | 963 return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION; |
| 959 } | 964 } |
| 960 | 965 |
| (...skipping 27 matching lines...) Expand all Loading... |
| 988 | 993 |
| 989 const uint8_t* sct_list; | 994 const uint8_t* sct_list; |
| 990 size_t sct_list_len; | 995 size_t sct_list_len; |
| 991 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len); | 996 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len); |
| 992 set_signed_cert_timestamps_received(sct_list_len != 0); | 997 set_signed_cert_timestamps_received(sct_list_len != 0); |
| 993 | 998 |
| 994 // Verify the certificate. | 999 // Verify the certificate. |
| 995 UpdateServerCert(); | 1000 UpdateServerCert(); |
| 996 GotoState(STATE_VERIFY_CERT); | 1001 GotoState(STATE_VERIFY_CERT); |
| 997 } else { | 1002 } else { |
| 1003 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 1004 tracked_objects::ScopedTracker tracking_profile4( |
| 1005 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 1006 "424386 SSLClientSocketOpenSSL::DoHandshake4")); |
| 1007 |
| 998 int ssl_error = SSL_get_error(ssl_, rv); | 1008 int ssl_error = SSL_get_error(ssl_, rv); |
| 999 | 1009 |
| 1000 if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) { | 1010 if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) { |
| 1001 // The server supports channel ID. Stop to look one up before returning to | 1011 // The server supports channel ID. Stop to look one up before returning to |
| 1002 // the handshake. | 1012 // the handshake. |
| 1003 channel_id_xtn_negotiated_ = true; | 1013 channel_id_xtn_negotiated_ = true; |
| 1004 GotoState(STATE_CHANNEL_ID_LOOKUP); | 1014 GotoState(STATE_CHANNEL_ID_LOOKUP); |
| 1005 return OK; | 1015 return OK; |
| 1006 } | 1016 } |
| 1007 | 1017 |
| (...skipping 185 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1193 if (rv < OK) | 1203 if (rv < OK) |
| 1194 OnHandshakeCompletion(); | 1204 OnHandshakeCompletion(); |
| 1195 if (!user_connect_callback_.is_null()) { | 1205 if (!user_connect_callback_.is_null()) { |
| 1196 CompletionCallback c = user_connect_callback_; | 1206 CompletionCallback c = user_connect_callback_; |
| 1197 user_connect_callback_.Reset(); | 1207 user_connect_callback_.Reset(); |
| 1198 c.Run(rv > OK ? OK : rv); | 1208 c.Run(rv > OK ? OK : rv); |
| 1199 } | 1209 } |
| 1200 } | 1210 } |
| 1201 | 1211 |
| 1202 void SSLClientSocketOpenSSL::UpdateServerCert() { | 1212 void SSLClientSocketOpenSSL::UpdateServerCert() { |
| 1213 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 1214 tracked_objects::ScopedTracker tracking_profile( |
| 1215 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 1216 "424386 SSLClientSocketOpenSSL::UpdateServerCert")); |
| 1217 |
| 1203 server_cert_chain_->Reset(SSL_get_peer_cert_chain(ssl_)); | 1218 server_cert_chain_->Reset(SSL_get_peer_cert_chain(ssl_)); |
| 1204 server_cert_ = server_cert_chain_->AsOSChain(); | 1219 server_cert_ = server_cert_chain_->AsOSChain(); |
| 1205 | 1220 |
| 1206 if (server_cert_.get()) { | 1221 if (server_cert_.get()) { |
| 1207 net_log_.AddEvent( | 1222 net_log_.AddEvent( |
| 1208 NetLog::TYPE_SSL_CERTIFICATES_RECEIVED, | 1223 NetLog::TYPE_SSL_CERTIFICATES_RECEIVED, |
| 1209 base::Bind(&NetLogX509CertificateCallback, | 1224 base::Bind(&NetLogX509CertificateCallback, |
| 1210 base::Unretained(server_cert_.get()))); | 1225 base::Unretained(server_cert_.get()))); |
| 1211 | 1226 |
| 1212 // TODO(rsleevi): Plumb an OCSP response into the Mac system library and | 1227 // TODO(rsleevi): Plumb an OCSP response into the Mac system library and |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1264 &ct_verify_result_, net_log_); | 1279 &ct_verify_result_, net_log_); |
| 1265 | 1280 |
| 1266 if (!policy_enforcer_) { | 1281 if (!policy_enforcer_) { |
| 1267 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | 1282 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
| 1268 } else { | 1283 } else { |
| 1269 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | 1284 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { |
| 1270 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | 1285 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
| 1271 SSLConfigService::GetEVCertsWhitelist(); | 1286 SSLConfigService::GetEVCertsWhitelist(); |
| 1272 if (!policy_enforcer_->DoesConformToCTEVPolicy( | 1287 if (!policy_enforcer_->DoesConformToCTEVPolicy( |
| 1273 server_cert_verify_result_.verified_cert.get(), | 1288 server_cert_verify_result_.verified_cert.get(), |
| 1274 ev_whitelist.get(), ct_verify_result_)) { | 1289 ev_whitelist.get(), ct_verify_result_, net_log_)) { |
| 1275 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 | 1290 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 |
| 1276 VLOG(1) << "EV certificate for " | 1291 VLOG(1) << "EV certificate for " |
| 1277 << server_cert_verify_result_.verified_cert->subject() | 1292 << server_cert_verify_result_.verified_cert->subject() |
| 1278 .GetDisplayName() | 1293 .GetDisplayName() |
| 1279 << " does not conform to CT policy, removing EV status."; | 1294 << " does not conform to CT policy, removing EV status."; |
| 1280 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | 1295 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
| 1281 } | 1296 } |
| 1282 } | 1297 } |
| 1283 } | 1298 } |
| 1284 } | 1299 } |
| (...skipping 577 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1862 } | 1877 } |
| 1863 return retvalue; | 1878 return retvalue; |
| 1864 } | 1879 } |
| 1865 | 1880 |
| 1866 // static | 1881 // static |
| 1867 long SSLClientSocketOpenSSL::BIOCallback( | 1882 long SSLClientSocketOpenSSL::BIOCallback( |
| 1868 BIO *bio, | 1883 BIO *bio, |
| 1869 int cmd, | 1884 int cmd, |
| 1870 const char *argp, int argi, long argl, | 1885 const char *argp, int argi, long argl, |
| 1871 long retvalue) { | 1886 long retvalue) { |
| 1887 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 1888 tracked_objects::ScopedTracker tracking_profile( |
| 1889 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 1890 "424386 SSLClientSocketOpenSSL::BIOCallback")); |
| 1891 |
| 1872 SSLClientSocketOpenSSL* socket = reinterpret_cast<SSLClientSocketOpenSSL*>( | 1892 SSLClientSocketOpenSSL* socket = reinterpret_cast<SSLClientSocketOpenSSL*>( |
| 1873 BIO_get_callback_arg(bio)); | 1893 BIO_get_callback_arg(bio)); |
| 1874 CHECK(socket); | 1894 CHECK(socket); |
| 1875 return socket->MaybeReplayTransportError( | 1895 return socket->MaybeReplayTransportError( |
| 1876 bio, cmd, argp, argi, argl, retvalue); | 1896 bio, cmd, argp, argi, argl, retvalue); |
| 1877 } | 1897 } |
| 1878 | 1898 |
| 1879 // static | 1899 // static |
| 1880 void SSLClientSocketOpenSSL::InfoCallback(const SSL* ssl, | 1900 void SSLClientSocketOpenSSL::InfoCallback(const SSL* ssl, |
| 1881 int type, | 1901 int type, |
| 1882 int /*val*/) { | 1902 int /*val*/) { |
| 1903 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 1904 tracked_objects::ScopedTracker tracking_profile( |
| 1905 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 1906 "424386 SSLClientSocketOpenSSL::InfoCallback")); |
| 1907 |
| 1883 if (type == SSL_CB_HANDSHAKE_DONE) { | 1908 if (type == SSL_CB_HANDSHAKE_DONE) { |
| 1884 SSLClientSocketOpenSSL* ssl_socket = | 1909 SSLClientSocketOpenSSL* ssl_socket = |
| 1885 SSLContext::GetInstance()->GetClientSocketFromSSL(ssl); | 1910 SSLContext::GetInstance()->GetClientSocketFromSSL(ssl); |
| 1886 ssl_socket->handshake_succeeded_ = true; | 1911 ssl_socket->handshake_succeeded_ = true; |
| 1887 ssl_socket->CheckIfHandshakeFinished(); | 1912 ssl_socket->CheckIfHandshakeFinished(); |
| 1888 } | 1913 } |
| 1889 } | 1914 } |
| 1890 | 1915 |
| 1891 // Determines if both the handshake and certificate verification have completed | 1916 // Determines if both the handshake and certificate verification have completed |
| 1892 // successfully, and calls the handshake completion callback if that is the | 1917 // successfully, and calls the handshake completion callback if that is the |
| (...skipping 30 matching lines...) Expand all Loading... |
| 1923 ct::SCT_STATUS_LOG_UNKNOWN)); | 1948 ct::SCT_STATUS_LOG_UNKNOWN)); |
| 1924 } | 1949 } |
| 1925 } | 1950 } |
| 1926 | 1951 |
| 1927 scoped_refptr<X509Certificate> | 1952 scoped_refptr<X509Certificate> |
| 1928 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1953 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
| 1929 return server_cert_; | 1954 return server_cert_; |
| 1930 } | 1955 } |
| 1931 | 1956 |
| 1932 } // namespace net | 1957 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 816543004:
Update from https://crrev.com/308996 (Closed)
Base URL: git@github.com:domokit/mojo.git@master