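--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,37 +1,37 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/tools/flip_server/spdy_ssl.h"
 
 #include "base/logging.h"
 #include "openssl/err.h"
 #include "openssl/ssl.h"
 
 namespace net {
 
 // Each element consists of <the length of the string><string> .
 #define NEXT_PROTO_STRING \
   "\x08spdy/4a2" \
   "\x06spdy/3" \
   "\x06spdy/2" \
   "\x08http/1.1" \
   "\x08http/1.0"
 #define SSL_CIPHER_LIST "!aNULL:!ADH:!eNull:!LOW:!EXP:RC4+RSA:MEDIUM:HIGH"
 
-int ssl_set_npn_callback(SSL *s,
-                         const unsigned char **data,
-                         unsigned int *len,
-                         void *arg) {
-  VLOG(1) <<  "SSL NPN callback: advertising protocols.";
-  *data = (const unsigned char *) NEXT_PROTO_STRING;
+int ssl_set_npn_callback(SSL* s,
+                         const unsigned char** data,
+                         unsigned int* len,
+                         void* arg) {
+  VLOG(1) << "SSL NPN callback: advertising protocols.";
+  *data = (const unsigned char*)NEXT_PROTO_STRING;
   *len = strlen(NEXT_PROTO_STRING);
   return SSL_TLSEXT_ERR_OK;
 }
 
 void InitSSL(SSLState* state,
              std::string ssl_cert_name,
              std::string ssl_key_name,
              bool use_npn,
              int session_expiration_time,
              bool disable_ssl_compression) {
@@ -50,66 +50,65 @@
     LOG(FATAL) << "Unable to create SSL context";
   }
   // Disable SSLv2 support.
   SSL_CTX_set_options(state->ssl_ctx,
                       SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE);
   if (SSL_CTX_use_certificate_chain_file(state->ssl_ctx,
                                          ssl_cert_name.c_str()) <= 0) {
     PrintSslError();
     LOG(FATAL) << "Unable to use cert.pem as SSL cert.";
   }
-  if (SSL_CTX_use_PrivateKey_file(state->ssl_ctx,
-                                  ssl_key_name.c_str(),
-                                  SSL_FILETYPE_PEM) <= 0) {
+  if (SSL_CTX_use_PrivateKey_file(
+          state->ssl_ctx, ssl_key_name.c_str(), SSL_FILETYPE_PEM) <= 0) {
     PrintSslError();
     LOG(FATAL) << "Unable to use key.pem as SSL key.";
   }
   if (!SSL_CTX_check_private_key(state->ssl_ctx)) {
     PrintSslError();
     LOG(FATAL) << "The cert.pem and key.pem files don't match";
   }
   if (use_npn) {
-    SSL_CTX_set_next_protos_advertised_cb(state->ssl_ctx,
-                                          ssl_set_npn_callback, NULL);
+    SSL_CTX_set_next_protos_advertised_cb(
+        state->ssl_ctx, ssl_set_npn_callback, NULL);
   }
   VLOG(1) << "SSL CTX default cipher list: " << SSL_CIPHER_LIST;
   SSL_CTX_set_cipher_list(state->ssl_ctx, SSL_CIPHER_LIST);
 
   VLOG(1) << "SSL CTX session expiry: " << session_expiration_time
           << " seconds";
   SSL_CTX_set_timeout(state->ssl_ctx, session_expiration_time);
 
 #ifdef SSL_MODE_RELEASE_BUFFERS
   VLOG(1) << "SSL CTX: Setting Release Buffers mode.";
   SSL_CTX_set_mode(state->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
 
   // Proper methods to disable compression don't exist until 0.9.9+. For now
   // we must manipulate the stack of compression methods directly.
   if (disable_ssl_compression) {
-    STACK_OF(SSL_COMP) *ssl_comp_methods = SSL_COMP_get_compression_methods();
+    STACK_OF(SSL_COMP)* ssl_comp_methods = SSL_COMP_get_compression_methods();
     int num_methods = sk_SSL_COMP_num(ssl_comp_methods);
     int i;
     for (i = 0; i < num_methods; i++) {
       static_cast<void>(sk_SSL_COMP_delete(ssl_comp_methods, i));
     }
   }
 }
 
 SSL* CreateSSLContext(SSL_CTX* ssl_ctx) {
   SSL* ssl = SSL_new(ssl_ctx);
   SSL_set_accept_state(ssl);
   PrintSslError();
   return ssl;
 }
 
 void PrintSslError() {
   char buf[128];  // this buffer must be at least 120 chars long.
   int error_num = ERR_get_error();
   while (error_num != 0) {
     ERR_error_string_n(error_num, buf, sizeof(buf));
     LOG(ERROR) << buf;
     error_num = ERR_get_error();
   }
 }
 
 }  // namespace net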