OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
11 #include <openssl/bio.h> | 11 #include <openssl/bio.h> |
12 #include <openssl/bytestring.h> | |
12 #include <openssl/err.h> | 13 #include <openssl/err.h> |
14 #include <openssl/evp.h> | |
13 #include <openssl/mem.h> | 15 #include <openssl/mem.h> |
14 #include <openssl/ssl.h> | 16 #include <openssl/ssl.h> |
15 #include <string.h> | 17 #include <string.h> |
16 | 18 |
17 #include "base/bind.h" | 19 #include "base/bind.h" |
18 #include "base/callback_helpers.h" | 20 #include "base/callback_helpers.h" |
19 #include "base/environment.h" | 21 #include "base/environment.h" |
20 #include "base/lazy_instance.h" | 22 #include "base/lazy_instance.h" |
21 #include "base/memory/singleton.h" | 23 #include "base/memory/singleton.h" |
22 #include "base/metrics/histogram_macros.h" | 24 #include "base/metrics/histogram_macros.h" |
(...skipping 225 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
248 !ssl_keylog_file.empty()) { | 250 !ssl_keylog_file.empty()) { |
249 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 251 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
250 BIO* bio = BIO_new_file(ssl_keylog_file.c_str(), "a"); | 252 BIO* bio = BIO_new_file(ssl_keylog_file.c_str(), "a"); |
251 if (!bio) { | 253 if (!bio) { |
252 LOG(ERROR) << "Failed to open " << ssl_keylog_file; | 254 LOG(ERROR) << "Failed to open " << ssl_keylog_file; |
253 ERR_print_errors_cb(&LogErrorCallback, NULL); | 255 ERR_print_errors_cb(&LogErrorCallback, NULL); |
254 } else { | 256 } else { |
255 SSL_CTX_set_keylog_bio(ssl_ctx_.get(), bio); | 257 SSL_CTX_set_keylog_bio(ssl_ctx_.get(), bio); |
256 } | 258 } |
257 } | 259 } |
260 | |
261 if (!TokenBindingExtension::RegisterCallbacks(ssl_ctx_.get())) { | |
262 NOTREACHED(); | |
263 } | |
258 } | 264 } |
259 | 265 |
260 static int ClientCertRequestCallback(SSL* ssl, void* arg) { | 266 static int ClientCertRequestCallback(SSL* ssl, void* arg) { |
261 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); | 267 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl); |
262 DCHECK(socket); | 268 DCHECK(socket); |
263 return socket->ClientCertRequestCallback(ssl); | 269 return socket->ClientCertRequestCallback(ssl); |
264 } | 270 } |
265 | 271 |
266 static int CertVerifyCallback(X509_STORE_CTX *store_ctx, void *arg) { | 272 static int CertVerifyCallback(X509_STORE_CTX *store_ctx, void *arg) { |
267 SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data( | 273 SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data( |
(...skipping 266 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
534 | 540 |
535 net_log_.BeginEvent(NetLog::TYPE_SSL_CONNECT); | 541 net_log_.BeginEvent(NetLog::TYPE_SSL_CONNECT); |
536 | 542 |
537 // Set up new ssl object. | 543 // Set up new ssl object. |
538 int rv = Init(); | 544 int rv = Init(); |
539 if (rv != OK) { | 545 if (rv != OK) { |
540 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 546 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
541 return rv; | 547 return rv; |
542 } | 548 } |
543 | 549 |
550 // Set params for TokenBindingExtension object. | |
551 if (IsTokenBindingEnabled(ssl_config_, channel_id_service_)) { | |
552 token_binding_extension_.SetParams(ssl_config_.token_binding_params); | |
553 } | |
554 | |
544 // Set SSL to client mode. Handshake happens in the loop below. | 555 // Set SSL to client mode. Handshake happens in the loop below. |
545 SSL_set_connect_state(ssl_); | 556 SSL_set_connect_state(ssl_); |
546 | 557 |
547 GotoState(STATE_HANDSHAKE); | 558 GotoState(STATE_HANDSHAKE); |
548 rv = DoHandshakeLoop(OK); | 559 rv = DoHandshakeLoop(OK); |
549 if (rv == ERR_IO_PENDING) { | 560 if (rv == ERR_IO_PENDING) { |
550 user_connect_callback_ = callback; | 561 user_connect_callback_ = callback; |
551 } else { | 562 } else { |
552 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 563 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
553 } | 564 } |
(...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
697 ssl_info->cert = server_cert_verify_result_.verified_cert; | 708 ssl_info->cert = server_cert_verify_result_.verified_cert; |
698 ssl_info->unverified_cert = server_cert_; | 709 ssl_info->unverified_cert = server_cert_; |
699 ssl_info->cert_status = server_cert_verify_result_.cert_status; | 710 ssl_info->cert_status = server_cert_verify_result_.cert_status; |
700 ssl_info->is_issued_by_known_root = | 711 ssl_info->is_issued_by_known_root = |
701 server_cert_verify_result_.is_issued_by_known_root; | 712 server_cert_verify_result_.is_issued_by_known_root; |
702 ssl_info->public_key_hashes = | 713 ssl_info->public_key_hashes = |
703 server_cert_verify_result_.public_key_hashes; | 714 server_cert_verify_result_.public_key_hashes; |
704 ssl_info->client_cert_sent = | 715 ssl_info->client_cert_sent = |
705 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); | 716 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); |
706 ssl_info->channel_id_sent = channel_id_sent_; | 717 ssl_info->channel_id_sent = channel_id_sent_; |
718 ssl_info->token_binding_negotiated = token_binding_extension_.WasNegotiated(); | |
707 ssl_info->pinning_failure_log = pinning_failure_log_; | 719 ssl_info->pinning_failure_log = pinning_failure_log_; |
708 | 720 |
709 AddSCTInfoToSSLInfo(ssl_info); | 721 AddSCTInfoToSSLInfo(ssl_info); |
710 | 722 |
711 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); | 723 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); |
712 CHECK(cipher); | 724 CHECK(cipher); |
713 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); | 725 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); |
714 ssl_info->key_exchange_info = | 726 ssl_info->key_exchange_info = |
715 SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_)); | 727 SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_)); |
716 | 728 |
(...skipping 378 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1095 | 1107 |
1096 int SSLClientSocketOpenSSL::DoHandshakeComplete(int result) { | 1108 int SSLClientSocketOpenSSL::DoHandshakeComplete(int result) { |
1097 if (result < 0) | 1109 if (result < 0) |
1098 return result; | 1110 return result; |
1099 | 1111 |
1100 if (ssl_config_.version_fallback && | 1112 if (ssl_config_.version_fallback && |
1101 ssl_config_.version_max < ssl_config_.version_fallback_min) { | 1113 ssl_config_.version_max < ssl_config_.version_fallback_min) { |
1102 return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION; | 1114 return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION; |
1103 } | 1115 } |
1104 | 1116 |
1117 // Check that if token binding was negotiated, then extended master secret | |
1118 // must also be negotiated. | |
1119 if (token_binding_extension_.WasNegotiated() && | |
1120 !ssl_->session->extended_master_secret) { | |
1121 return ERR_SSL_PROTOCOL_ERROR; | |
1122 } | |
1123 | |
1124 if (token_binding_extension_.WasNegotiated() && !channel_id_key_) { | |
1125 GotoState(STATE_TOKEN_BINDING_LOOKUP); | |
1126 return OK; | |
1127 } | |
1128 | |
1105 // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was. | 1129 // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was. |
1106 if (npn_status_ == kNextProtoUnsupported) { | 1130 if (npn_status_ == kNextProtoUnsupported) { |
1107 const uint8_t* alpn_proto = NULL; | 1131 const uint8_t* alpn_proto = NULL; |
1108 unsigned alpn_len = 0; | 1132 unsigned alpn_len = 0; |
1109 SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len); | 1133 SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len); |
1110 if (alpn_len > 0) { | 1134 if (alpn_len > 0) { |
1111 npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len); | 1135 npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len); |
1112 npn_status_ = kNextProtoNegotiated; | 1136 npn_status_ = kNextProtoNegotiated; |
1113 set_negotiation_extension(kExtensionALPN); | 1137 set_negotiation_extension(kExtensionALPN); |
1114 } | 1138 } |
1115 } | 1139 } |
1116 | 1140 |
1117 RecordNegotiationExtension(); | 1141 RecordNegotiationExtension(); |
1118 RecordChannelIDSupport(channel_id_service_, channel_id_sent_, | 1142 RecordChannelIDSupport(channel_id_service_, channel_id_sent_, |
1119 ssl_config_.channel_id_enabled, | 1143 ssl_config_.channel_id_enabled, |
1120 crypto::ECPrivateKey::IsSupported()); | 1144 crypto::ECPrivateKey::IsSupported()); |
1145 RecordTokenBindingSupport(ssl_config_, channel_id_service_, | |
1146 token_binding_extension_.WasNegotiated()); | |
1121 | 1147 |
1122 // Only record OCSP histograms if OCSP was requested. | 1148 // Only record OCSP histograms if OCSP was requested. |
1123 if (ssl_config_.signed_cert_timestamps_enabled || | 1149 if (ssl_config_.signed_cert_timestamps_enabled || |
1124 cert_verifier_->SupportsOCSPStapling()) { | 1150 cert_verifier_->SupportsOCSPStapling()) { |
1125 const uint8_t* ocsp_response; | 1151 const uint8_t* ocsp_response; |
1126 size_t ocsp_response_len; | 1152 size_t ocsp_response_len; |
1127 SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len); | 1153 SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len); |
1128 | 1154 |
1129 set_stapled_ocsp_response_received(ocsp_response_len != 0); | 1155 set_stapled_ocsp_response_received(ocsp_response_len != 0); |
1130 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); | 1156 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); |
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1173 return MapOpenSSLError(err, err_tracer); | 1199 return MapOpenSSLError(err, err_tracer); |
1174 } | 1200 } |
1175 | 1201 |
1176 // Return to the handshake. | 1202 // Return to the handshake. |
1177 channel_id_sent_ = true; | 1203 channel_id_sent_ = true; |
1178 net_log_.AddEvent(NetLog::TYPE_SSL_CHANNEL_ID_PROVIDED); | 1204 net_log_.AddEvent(NetLog::TYPE_SSL_CHANNEL_ID_PROVIDED); |
1179 GotoState(STATE_HANDSHAKE); | 1205 GotoState(STATE_HANDSHAKE); |
1180 return OK; | 1206 return OK; |
1181 } | 1207 } |
1182 | 1208 |
1209 int SSLClientSocketOpenSSL::DoTokenBindingLookup() { | |
1210 net_log_.BeginEvent(NetLog::TYPE_SSL_GET_TOKEN_BINDING_KEY); | |
1211 GotoState(STATE_TOKEN_BINDING_LOOKUP_COMPLETE); | |
1212 return channel_id_service_->GetOrCreateChannelID( | |
1213 host_and_port_.host(), &channel_id_key_, | |
1214 base::Bind(&SSLClientSocketOpenSSL::OnHandshakeIOComplete, | |
1215 base::Unretained(this)), | |
1216 &channel_id_request_); | |
davidben
2015/10/01 16:15:17
What does this do? Do we even use this key for any
nharper
2015/10/01 19:12:23
We use this key once at the SSL layer to generate
| |
1217 } | |
1218 | |
1219 int SSLClientSocketOpenSSL::DoTokenBindingLookupComplete(int result) { | |
1220 if (!channel_id_key_) { | |
1221 LOG(ERROR) << "Failed to import Channel ID."; | |
1222 result = ERR_CHANNEL_ID_IMPORT_FAILED; | |
1223 } | |
1224 | |
1225 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_TOKEN_BINDING_KEY, | |
1226 result); | |
1227 if (result < 0) | |
1228 return result; | |
1229 | |
1230 GotoState(STATE_HANDSHAKE_COMPLETE); | |
1231 return OK; | |
1232 } | |
1233 | |
1183 int SSLClientSocketOpenSSL::DoVerifyCert(int result) { | 1234 int SSLClientSocketOpenSSL::DoVerifyCert(int result) { |
1184 DCHECK(!server_cert_chain_->empty()); | 1235 DCHECK(!server_cert_chain_->empty()); |
1185 DCHECK(start_cert_verification_time_.is_null()); | 1236 DCHECK(start_cert_verification_time_.is_null()); |
1186 | 1237 |
1187 GotoState(STATE_VERIFY_CERT_COMPLETE); | 1238 GotoState(STATE_VERIFY_CERT_COMPLETE); |
1188 | 1239 |
1189 // OpenSSL decoded the certificate, but the platform certificate | 1240 // OpenSSL decoded the certificate, but the platform certificate |
1190 // implementation could not. This is treated as a fatal SSL-level protocol | 1241 // implementation could not. This is treated as a fatal SSL-level protocol |
1191 // error rather than a certificate error. See https://crbug.com/91341. | 1242 // error rather than a certificate error. See https://crbug.com/91341. |
1192 if (!server_cert_.get()) | 1243 if (!server_cert_.get()) |
(...skipping 210 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1403 case STATE_HANDSHAKE_COMPLETE: | 1454 case STATE_HANDSHAKE_COMPLETE: |
1404 rv = DoHandshakeComplete(rv); | 1455 rv = DoHandshakeComplete(rv); |
1405 break; | 1456 break; |
1406 case STATE_CHANNEL_ID_LOOKUP: | 1457 case STATE_CHANNEL_ID_LOOKUP: |
1407 DCHECK_EQ(OK, rv); | 1458 DCHECK_EQ(OK, rv); |
1408 rv = DoChannelIDLookup(); | 1459 rv = DoChannelIDLookup(); |
1409 break; | 1460 break; |
1410 case STATE_CHANNEL_ID_LOOKUP_COMPLETE: | 1461 case STATE_CHANNEL_ID_LOOKUP_COMPLETE: |
1411 rv = DoChannelIDLookupComplete(rv); | 1462 rv = DoChannelIDLookupComplete(rv); |
1412 break; | 1463 break; |
1464 case STATE_TOKEN_BINDING_LOOKUP: | |
1465 DCHECK_EQ(OK, rv); | |
1466 rv = DoTokenBindingLookup(); | |
1467 break; | |
1468 case STATE_TOKEN_BINDING_LOOKUP_COMPLETE: | |
1469 rv = DoTokenBindingLookupComplete(rv); | |
1470 break; | |
1413 case STATE_VERIFY_CERT: | 1471 case STATE_VERIFY_CERT: |
1414 DCHECK_EQ(OK, rv); | 1472 DCHECK_EQ(OK, rv); |
1415 rv = DoVerifyCert(rv); | 1473 rv = DoVerifyCert(rv); |
1416 break; | 1474 break; |
1417 case STATE_VERIFY_CERT_COMPLETE: | 1475 case STATE_VERIFY_CERT_COMPLETE: |
1418 rv = DoVerifyCertComplete(rv); | 1476 rv = DoVerifyCertComplete(rv); |
1419 break; | 1477 break; |
1420 case STATE_NONE: | 1478 case STATE_NONE: |
1421 default: | 1479 default: |
1422 rv = ERR_UNEXPECTED; | 1480 rv = ERR_UNEXPECTED; |
(...skipping 731 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2154 if (next_handshake_state_ == STATE_HANDSHAKE) { | 2212 if (next_handshake_state_ == STATE_HANDSHAKE) { |
2155 OnHandshakeIOComplete(signature_result_); | 2213 OnHandshakeIOComplete(signature_result_); |
2156 return; | 2214 return; |
2157 } | 2215 } |
2158 | 2216 |
2159 // During a renegotiation, either Read or Write calls may be blocked on an | 2217 // During a renegotiation, either Read or Write calls may be blocked on an |
2160 // asynchronous private key operation. | 2218 // asynchronous private key operation. |
2161 PumpReadWriteEvents(); | 2219 PumpReadWriteEvents(); |
2162 } | 2220 } |
2163 | 2221 |
2222 SSLClientSocketOpenSSL::TokenBindingExtension::TokenBindingExtension() | |
2223 : negotiated_(false), negotiated_param_(TokenBindingParam(0)) {} | |
2224 | |
2225 SSLClientSocketOpenSSL::TokenBindingExtension::~TokenBindingExtension() {} | |
2226 | |
2227 bool SSLClientSocketOpenSSL::TokenBindingExtension::WasNegotiated() const { | |
2228 return negotiated_; | |
2229 } | |
2230 | |
2231 TokenBindingParam | |
2232 SSLClientSocketOpenSSL::TokenBindingExtension::NegotiationResult() const { | |
2233 return negotiated_param_; | |
2234 }; | |
2235 | |
2236 void SSLClientSocketOpenSSL::TokenBindingExtension::SetParams( | |
2237 const std::vector<TokenBindingParam>& params) { | |
2238 supported_params_.clear(); | |
2239 for (TokenBindingParam param : params) { | |
2240 supported_params_.push_back(param); | |
2241 } | |
2242 }; | |
2243 | |
2244 // static | |
2245 bool SSLClientSocketOpenSSL::TokenBindingExtension::RegisterCallbacks( | |
2246 SSL_CTX* ssl_ctx) { | |
2247 return SSL_CTX_add_client_custom_ext( | |
2248 ssl_ctx, kExtNum, &TokenBindingExtension::ClientAddCallback, | |
2249 &TokenBindingExtension::ClientFreeCallback, nullptr, | |
2250 &TokenBindingExtension::ClientParseCallback, nullptr); | |
2251 } | |
2252 | |
2253 int SSLClientSocketOpenSSL::TokenBindingExtension::ClientAdd( | |
2254 const uint8_t** out, | |
2255 size_t* out_len, | |
2256 int* out_alert_value) { | |
2257 if (supported_params_.empty()) { | |
2258 return 0; | |
2259 } | |
2260 CBB output, parameters_list; | |
2261 int retval = -1; | |
2262 if (!CBB_init(&output, 7)) | |
2263 goto end; | |
2264 if (!CBB_add_u8(&output, kProtocolVersionMajor) || | |
2265 !CBB_add_u8(&output, kProtocolVersionMinor) || | |
2266 !CBB_add_u8_length_prefixed(&output, ¶meters_list)) { | |
2267 goto end; | |
2268 } | |
2269 for (size_t i = 0; i < supported_params_.size(); ++i) { | |
2270 if (!CBB_add_u8(¶meters_list, supported_params_[i])) { | |
2271 goto end; | |
2272 } | |
2273 } | |
2274 if (!CBB_finish(&output, const_cast<uint8_t**>(out), out_len)) | |
2275 goto end; | |
2276 | |
2277 retval = 1; | |
2278 | |
2279 end: | |
2280 CBB_cleanup(&output); | |
2281 if (retval == -1) | |
2282 *out_alert_value = SSL_AD_INTERNAL_ERROR; | |
2283 return retval; | |
2284 } | |
2285 | |
2286 int SSLClientSocketOpenSSL::TokenBindingExtension::ClientParse( | |
2287 const uint8_t* contents, | |
2288 size_t contents_len, | |
2289 int* out_alert_value) { | |
2290 CBS extension; | |
2291 CBS_init(&extension, contents, contents_len); | |
2292 | |
2293 CBS parameters_list; | |
2294 uint8_t version_major, version_minor, param; | |
2295 if (!CBS_get_u8(&extension, &version_major) || | |
2296 !CBS_get_u8(&extension, &version_minor) || | |
2297 version_major != kProtocolVersionMajor || | |
2298 version_minor != kProtocolVersionMinor || | |
2299 !CBS_get_u8_length_prefixed(&extension, ¶meters_list) || | |
2300 !CBS_get_u8(¶meters_list, ¶m) || CBS_len(&extension) > 0) { | |
2301 *out_alert_value = SSL_AD_DECODE_ERROR; | |
2302 return 0; | |
2303 } | |
2304 bool valid_param = false; | |
2305 for (size_t i = 0; i < supported_params_.size(); ++i) { | |
2306 if (param == supported_params_[i]) { | |
2307 negotiated_param_ = TokenBindingParam(param); | |
2308 valid_param = true; | |
2309 break; | |
2310 } | |
2311 } | |
2312 | |
2313 // The server-negotiated version must be less than or equal to our version. | |
2314 if (version_major > kProtocolVersionMajor || | |
2315 (version_minor > kProtocolVersionMinor && | |
2316 version_major == kProtocolVersionMajor)) { | |
2317 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | |
2318 return 0; | |
2319 } | |
2320 | |
2321 // Although the server returns the negotiated key param in a list, it must | |
2322 // only send one element in that list. | |
2323 if (CBS_len(¶meters_list) > 0 || !valid_param) { | |
2324 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | |
2325 return 0; | |
2326 } | |
2327 | |
2328 // If the version the server negotiated is older than we support, don't fail | |
2329 // parsing the extension, but also don't set |negotiated_|. | |
2330 if (version_major < kMinProtocolVersionMajor || | |
2331 (version_minor < kMinProtocolVersionMinor && | |
2332 version_major == kMinProtocolVersionMajor)) { | |
2333 return 1; | |
2334 } | |
2335 | |
2336 negotiated_ = true; | |
2337 return 1; | |
2338 } | |
2339 | |
2340 // static | |
2341 int SSLClientSocketOpenSSL::TokenBindingExtension::ClientAddCallback( | |
2342 SSL* ssl, | |
2343 unsigned int extension_value, | |
2344 const uint8_t** out, | |
2345 size_t* out_len, | |
2346 int* out_alert_value, | |
2347 void* add_arg) { | |
2348 DCHECK(extension_value == kExtNum); | |
2349 SSLClientSocketOpenSSL* socket = | |
2350 SSLClientSocketOpenSSL::SSLContext::GetInstance()->GetClientSocketFromSSL( | |
2351 ssl); | |
2352 return socket->token_binding_extension_.ClientAdd(out, out_len, | |
2353 out_alert_value); | |
2354 } | |
2355 | |
2356 // static | |
2357 void SSLClientSocketOpenSSL::TokenBindingExtension::ClientFreeCallback( | |
2358 SSL* ssl, | |
2359 unsigned extension_value, | |
2360 const uint8_t* out, | |
2361 void* add_arg) { | |
2362 DCHECK(extension_value == kExtNum); | |
2363 OPENSSL_free(const_cast<unsigned char*>(out)); | |
2364 } | |
2365 | |
2366 // static | |
2367 int SSLClientSocketOpenSSL::TokenBindingExtension::ClientParseCallback( | |
2368 SSL* ssl, | |
2369 unsigned int extension_value, | |
2370 const uint8_t* contents, | |
2371 size_t contents_len, | |
2372 int* out_alert_value, | |
2373 void* parse_arg) { | |
2374 DCHECK(extension_value == kExtNum); | |
2375 SSLClientSocketOpenSSL* socket = | |
2376 SSLClientSocketOpenSSL::SSLContext::GetInstance()->GetClientSocketFromSSL( | |
2377 ssl); | |
2378 return socket->token_binding_extension_.ClientParse(contents, contents_len, | |
2379 out_alert_value); | |
2380 } | |
2381 | |
2164 } // namespace net | 2382 } // namespace net |
OLD | NEW |