OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <string.h> | 8 #include <string.h> |
9 | 9 |
10 #include <algorithm> | 10 #include <algorithm> |
(...skipping 207 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
218 return buffer_size; | 218 return buffer_size; |
219 } | 219 } |
220 | 220 |
221 scoped_refptr<X509Certificate> OSChainFromBuffers(STACK_OF(CRYPTO_BUFFER) * | 221 scoped_refptr<X509Certificate> OSChainFromBuffers(STACK_OF(CRYPTO_BUFFER) * |
222 openssl_chain) { | 222 openssl_chain) { |
223 if (sk_CRYPTO_BUFFER_num(openssl_chain) == 0) { | 223 if (sk_CRYPTO_BUFFER_num(openssl_chain) == 0) { |
224 NOTREACHED(); | 224 NOTREACHED(); |
225 return nullptr; | 225 return nullptr; |
226 } | 226 } |
227 | 227 |
| 228 #if BUILDFLAG(USE_BYTE_CERTS) |
| 229 std::vector<CRYPTO_BUFFER*> intermediate_chain; |
| 230 for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(openssl_chain); ++i) |
| 231 intermediate_chain.push_back(sk_CRYPTO_BUFFER_value(openssl_chain, i)); |
| 232 return X509Certificate::CreateFromHandle( |
| 233 sk_CRYPTO_BUFFER_value(openssl_chain, 0), intermediate_chain); |
| 234 #else |
228 // Convert the certificate chains to a platform certificate handle. | 235 // Convert the certificate chains to a platform certificate handle. |
229 std::vector<base::StringPiece> der_chain; | 236 std::vector<base::StringPiece> der_chain; |
230 der_chain.reserve(sk_CRYPTO_BUFFER_num(openssl_chain)); | 237 der_chain.reserve(sk_CRYPTO_BUFFER_num(openssl_chain)); |
231 for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(openssl_chain); ++i) { | 238 for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(openssl_chain); ++i) { |
232 const CRYPTO_BUFFER* cert = sk_CRYPTO_BUFFER_value(openssl_chain, i); | 239 const CRYPTO_BUFFER* cert = sk_CRYPTO_BUFFER_value(openssl_chain, i); |
233 base::StringPiece der; | 240 base::StringPiece der; |
234 der_chain.push_back(base::StringPiece( | 241 der_chain.push_back(base::StringPiece( |
235 reinterpret_cast<const char*>(CRYPTO_BUFFER_data(cert)), | 242 reinterpret_cast<const char*>(CRYPTO_BUFFER_data(cert)), |
236 CRYPTO_BUFFER_len(cert))); | 243 CRYPTO_BUFFER_len(cert))); |
237 } | 244 } |
238 return X509Certificate::CreateFromDERCertChain(der_chain); | 245 return X509Certificate::CreateFromDERCertChain(der_chain); |
| 246 #endif |
239 } | 247 } |
240 | 248 |
241 #if !defined(OS_IOS) | 249 #if !defined(OS_IOS) && !BUILDFLAG(USE_BYTE_CERTS) |
242 bssl::UniquePtr<CRYPTO_BUFFER> OSCertHandleToBuffer( | 250 bssl::UniquePtr<CRYPTO_BUFFER> OSCertHandleToBuffer( |
243 X509Certificate::OSCertHandle os_handle) { | 251 X509Certificate::OSCertHandle os_handle) { |
244 std::string der_encoded; | 252 std::string der_encoded; |
245 if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded)) | 253 if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded)) |
246 return nullptr; | 254 return nullptr; |
247 return x509_util::CreateCryptoBuffer(der_encoded); | 255 return x509_util::CreateCryptoBuffer(der_encoded); |
248 } | 256 } |
249 #endif | 257 #endif |
250 | 258 |
251 } // namespace | 259 } // namespace |
(...skipping 1323 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1575 // Second pass: a client certificate should have been selected. | 1583 // Second pass: a client certificate should have been selected. |
1576 if (ssl_config_.client_cert.get()) { | 1584 if (ssl_config_.client_cert.get()) { |
1577 if (!ssl_config_.client_private_key) { | 1585 if (!ssl_config_.client_private_key) { |
1578 // The caller supplied a null private key. Fail the handshake and surface | 1586 // The caller supplied a null private key. Fail the handshake and surface |
1579 // an appropriate error to the caller. | 1587 // an appropriate error to the caller. |
1580 LOG(WARNING) << "Client cert found without private key"; | 1588 LOG(WARNING) << "Client cert found without private key"; |
1581 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY); | 1589 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY); |
1582 return -1; | 1590 return -1; |
1583 } | 1591 } |
1584 | 1592 |
| 1593 #if BUILDFLAG(USE_BYTE_CERTS) |
| 1594 std::vector<CRYPTO_BUFFER*> chain_raw; |
| 1595 chain_raw.push_back(ssl_config_.client_cert->os_cert_handle()); |
| 1596 for (X509Certificate::OSCertHandle cert : |
| 1597 ssl_config_.client_cert->GetIntermediateCertificates()) { |
| 1598 chain_raw.push_back(cert); |
| 1599 } |
| 1600 #else |
1585 std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> chain; | 1601 std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> chain; |
1586 std::vector<CRYPTO_BUFFER*> chain_raw; | 1602 std::vector<CRYPTO_BUFFER*> chain_raw; |
1587 bssl::UniquePtr<CRYPTO_BUFFER> buf = | 1603 bssl::UniquePtr<CRYPTO_BUFFER> buf = |
1588 OSCertHandleToBuffer(ssl_config_.client_cert->os_cert_handle()); | 1604 OSCertHandleToBuffer(ssl_config_.client_cert->os_cert_handle()); |
1589 if (!buf) { | 1605 if (!buf) { |
1590 LOG(WARNING) << "Failed to import certificate"; | 1606 LOG(WARNING) << "Failed to import certificate"; |
1591 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT); | 1607 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT); |
1592 return -1; | 1608 return -1; |
1593 } | 1609 } |
1594 chain_raw.push_back(buf.get()); | 1610 chain_raw.push_back(buf.get()); |
1595 chain.push_back(std::move(buf)); | 1611 chain.push_back(std::move(buf)); |
1596 | 1612 |
1597 for (X509Certificate::OSCertHandle cert : | 1613 for (X509Certificate::OSCertHandle cert : |
1598 ssl_config_.client_cert->GetIntermediateCertificates()) { | 1614 ssl_config_.client_cert->GetIntermediateCertificates()) { |
1599 bssl::UniquePtr<CRYPTO_BUFFER> buf = OSCertHandleToBuffer(cert); | 1615 bssl::UniquePtr<CRYPTO_BUFFER> buf = OSCertHandleToBuffer(cert); |
1600 if (!buf) { | 1616 if (!buf) { |
1601 LOG(WARNING) << "Failed to import intermediate"; | 1617 LOG(WARNING) << "Failed to import intermediate"; |
1602 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT); | 1618 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT); |
1603 return -1; | 1619 return -1; |
1604 } | 1620 } |
1605 chain_raw.push_back(buf.get()); | 1621 chain_raw.push_back(buf.get()); |
1606 chain.push_back(std::move(buf)); | 1622 chain.push_back(std::move(buf)); |
1607 } | 1623 } |
| 1624 #endif |
1608 | 1625 |
1609 if (!SSL_set_chain_and_key(ssl_.get(), chain_raw.data(), chain_raw.size(), | 1626 if (!SSL_set_chain_and_key(ssl_.get(), chain_raw.data(), chain_raw.size(), |
1610 nullptr, &SSLContext::kPrivateKeyMethod)) { | 1627 nullptr, &SSLContext::kPrivateKeyMethod)) { |
1611 LOG(WARNING) << "Failed to set client certificate"; | 1628 LOG(WARNING) << "Failed to set client certificate"; |
1612 return -1; | 1629 return -1; |
1613 } | 1630 } |
1614 | 1631 |
1615 std::vector<SSLPrivateKey::Hash> digest_prefs = | 1632 std::vector<SSLPrivateKey::Hash> digest_prefs = |
1616 ssl_config_.client_private_key->GetDigestPreferences(); | 1633 ssl_config_.client_private_key->GetDigestPreferences(); |
1617 | 1634 |
(...skipping 16 matching lines...) Expand all Loading... |
1634 case SSLPrivateKey::Hash::MD5_SHA1: | 1651 case SSLPrivateKey::Hash::MD5_SHA1: |
1635 // MD5-SHA1 is not used in TLS 1.2. | 1652 // MD5-SHA1 is not used in TLS 1.2. |
1636 break; | 1653 break; |
1637 } | 1654 } |
1638 } | 1655 } |
1639 | 1656 |
1640 SSL_set_private_key_digest_prefs(ssl_.get(), digests.data(), | 1657 SSL_set_private_key_digest_prefs(ssl_.get(), digests.data(), |
1641 digests.size()); | 1658 digests.size()); |
1642 | 1659 |
1643 net_log_.AddEvent(NetLogEventType::SSL_CLIENT_CERT_PROVIDED, | 1660 net_log_.AddEvent(NetLogEventType::SSL_CLIENT_CERT_PROVIDED, |
1644 NetLog::IntCallback("cert_count", chain.size())); | 1661 NetLog::IntCallback("cert_count", chain_raw.size())); |
1645 return 1; | 1662 return 1; |
1646 } | 1663 } |
1647 #endif // defined(OS_IOS) | 1664 #endif // defined(OS_IOS) |
1648 | 1665 |
1649 // Send no client certificate. | 1666 // Send no client certificate. |
1650 net_log_.AddEvent(NetLogEventType::SSL_CLIENT_CERT_PROVIDED, | 1667 net_log_.AddEvent(NetLogEventType::SSL_CLIENT_CERT_PROVIDED, |
1651 NetLog::IntCallback("cert_count", 0)); | 1668 NetLog::IntCallback("cert_count", 0)); |
1652 return 1; | 1669 return 1; |
1653 } | 1670 } |
1654 | 1671 |
(...skipping 288 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1943 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && | 1960 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && |
1944 !certificate_requested_) { | 1961 !certificate_requested_) { |
1945 net_error = ERR_SSL_PROTOCOL_ERROR; | 1962 net_error = ERR_SSL_PROTOCOL_ERROR; |
1946 } | 1963 } |
1947 } | 1964 } |
1948 | 1965 |
1949 return net_error; | 1966 return net_error; |
1950 } | 1967 } |
1951 | 1968 |
1952 } // namespace net | 1969 } // namespace net |
OLD | NEW |