1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle
6 // of operation is derived from SSLClientSocketNSS.
7
8 #include "net/socket/ssl_client_socket_openssl.h"
9
10 #include <openssl/err.h>
11 #include <openssl/opensslv.h>
12 #include <openssl/ssl.h>
13
14 #include "base/bind.h"
15 #include "base/callback_helpers.h"
16 #include "base/memory/singleton.h"
17 #include "base/metrics/histogram.h"
18 #include "base/synchronization/lock.h"
19 #include "crypto/ec_private_key.h"
20 #include "crypto/openssl_util.h"
21 #include "net/base/net_errors.h"
22 #include "net/cert/cert_verifier.h"
23 #include "net/cert/single_request_cert_verifier.h"
24 #include "net/cert/x509_certificate_net_log_param.h"
25 #include "net/socket/openssl_ssl_util.h"
26 #include "net/socket/ssl_error_params.h"
27 #include "net/socket/ssl_session_cache_openssl.h"
28 #include "net/ssl/openssl_client_key_store.h"
29 #include "net/ssl/ssl_cert_request_info.h"
30 #include "net/ssl/ssl_connection_status_flags.h"
31 #include "net/ssl/ssl_info.h"
32
33 namespace net {
34
35 namespace {
36
37 // Enable this to see logging for state machine state transitions.
38 #if 0
39 #define GotoState(s) do { DVLOG(2) << (void *)this << " " << __FUNCTION__ << \
40 " jump to state " << s; \
41 next_handshake_state_ = s; } while (0)
42 #else
43 #define GotoState(s) next_handshake_state_ = s
44 #endif
45
46 // This constant can be any non-negative/non-zero value (eg: it does not
47 // overlap with any value of the net::Error range, including net::OK).
48 const int kNoPendingReadResult = 1;
49
50 // If a client doesn't have a list of protocols that it supports, but
51 // the server supports NPN, choosing "http/1.1" is the best answer.
52 const char kDefaultSupportedNPNProtocol[] = "http/1.1";
53
54 #if OPENSSL_VERSION_NUMBER < 0x1000103fL
55 // This method doesn't seem to have made it into the OpenSSL headers.
SSL_CIPHER_get_id(const SSL_CIPHER * cipher)56 unsigned long SSL_CIPHER_get_id(const SSL_CIPHER* cipher) { return cipher->id; }
57 #endif
58
59 // Used for encoding the |connection_status| field of an SSLInfo object.
EncodeSSLConnectionStatus(int cipher_suite,int compression,int version)60 int EncodeSSLConnectionStatus(int cipher_suite,
61 int compression,
62 int version) {
63 return ((cipher_suite & SSL_CONNECTION_CIPHERSUITE_MASK) <<
64 SSL_CONNECTION_CIPHERSUITE_SHIFT) |
65 ((compression & SSL_CONNECTION_COMPRESSION_MASK) <<
66 SSL_CONNECTION_COMPRESSION_SHIFT) |
67 ((version & SSL_CONNECTION_VERSION_MASK) <<
68 SSL_CONNECTION_VERSION_SHIFT);
69 }
70
71 // Returns the net SSL version number (see ssl_connection_status_flags.h) for
72 // this SSL connection.
GetNetSSLVersion(SSL * ssl)73 int GetNetSSLVersion(SSL* ssl) {
74 switch (SSL_version(ssl)) {
75 case SSL2_VERSION:
76 return SSL_CONNECTION_VERSION_SSL2;
77 case SSL3_VERSION:
78 return SSL_CONNECTION_VERSION_SSL3;
79 case TLS1_VERSION:
80 return SSL_CONNECTION_VERSION_TLS1;
81 case 0x0302:
82 return SSL_CONNECTION_VERSION_TLS1_1;
83 case 0x0303:
84 return SSL_CONNECTION_VERSION_TLS1_2;
85 default:
86 return SSL_CONNECTION_VERSION_UNKNOWN;
87 }
88 }
89
90 // Compute a unique key string for the SSL session cache. |socket| is an
91 // input socket object. Return a string.
GetSocketSessionCacheKey(const SSLClientSocketOpenSSL & socket)92 std::string GetSocketSessionCacheKey(const SSLClientSocketOpenSSL& socket) {
93 std::string result = socket.host_and_port().ToString();
94 result.append("/");
95 result.append(socket.ssl_session_cache_shard());
96 return result;
97 }
98
99 } // namespace
100
101 class SSLClientSocketOpenSSL::SSLContext {
102 public:
GetInstance()103 static SSLContext* GetInstance() { return Singleton<SSLContext>::get(); }
ssl_ctx()104 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); }
session_cache()105 SSLSessionCacheOpenSSL* session_cache() { return &session_cache_; }
106
GetClientSocketFromSSL(const SSL * ssl)107 SSLClientSocketOpenSSL* GetClientSocketFromSSL(const SSL* ssl) {
108 DCHECK(ssl);
109 SSLClientSocketOpenSSL* socket = static_cast<SSLClientSocketOpenSSL*>(
110 SSL_get_ex_data(ssl, ssl_socket_data_index_));
111 DCHECK(socket);
112 return socket;
113 }
114
SetClientSocketForSSL(SSL * ssl,SSLClientSocketOpenSSL * socket)115 bool SetClientSocketForSSL(SSL* ssl, SSLClientSocketOpenSSL* socket) {
116 return SSL_set_ex_data(ssl, ssl_socket_data_index_, socket) != 0;
117 }
118
119 private:
120 friend struct DefaultSingletonTraits<SSLContext>;
121
SSLContext()122 SSLContext() {
123 crypto::EnsureOpenSSLInit();
124 ssl_socket_data_index_ = SSL_get_ex_new_index(0, 0, 0, 0, 0);
125 DCHECK_NE(ssl_socket_data_index_, -1);
126 ssl_ctx_.reset(SSL_CTX_new(SSLv23_client_method()));
127 session_cache_.Reset(ssl_ctx_.get(), kDefaultSessionCacheConfig);
128 SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), CertVerifyCallback, NULL);
129 SSL_CTX_set_client_cert_cb(ssl_ctx_.get(), ClientCertCallback);
130 SSL_CTX_set_channel_id_cb(ssl_ctx_.get(), ChannelIDCallback);
131 SSL_CTX_set_verify(ssl_ctx_.get(), SSL_VERIFY_PEER, NULL);
132 // TODO(kristianm): Only select this if ssl_config_.next_proto is not empty.
133 // It would be better if the callback were not a global setting,
134 // but that is an OpenSSL issue.
135 SSL_CTX_set_next_proto_select_cb(ssl_ctx_.get(), SelectNextProtoCallback,
136 NULL);
137 }
138
GetSessionCacheKey(const SSL * ssl)139 static std::string GetSessionCacheKey(const SSL* ssl) {
140 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
141 DCHECK(socket);
142 return GetSocketSessionCacheKey(*socket);
143 }
144
145 static SSLSessionCacheOpenSSL::Config kDefaultSessionCacheConfig;
146
ClientCertCallback(SSL * ssl,X509 ** x509,EVP_PKEY ** pkey)147 static int ClientCertCallback(SSL* ssl, X509** x509, EVP_PKEY** pkey) {
148 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
149 CHECK(socket);
150 return socket->ClientCertRequestCallback(ssl, x509, pkey);
151 }
152
ChannelIDCallback(SSL * ssl,EVP_PKEY ** pkey)153 static void ChannelIDCallback(SSL* ssl, EVP_PKEY** pkey) {
154 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
155 CHECK(socket);
156 socket->ChannelIDRequestCallback(ssl, pkey);
157 }
158
CertVerifyCallback(X509_STORE_CTX * store_ctx,void * arg)159 static int CertVerifyCallback(X509_STORE_CTX *store_ctx, void *arg) {
160 SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(
161 store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
162 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
163 CHECK(socket);
164
165 return socket->CertVerifyCallback(store_ctx);
166 }
167
SelectNextProtoCallback(SSL * ssl,unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)168 static int SelectNextProtoCallback(SSL* ssl,
169 unsigned char** out, unsigned char* outlen,
170 const unsigned char* in,
171 unsigned int inlen, void* arg) {
172 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
173 return socket->SelectNextProtoCallback(out, outlen, in, inlen);
174 }
175
176 // This is the index used with SSL_get_ex_data to retrieve the owner
177 // SSLClientSocketOpenSSL object from an SSL instance.
178 int ssl_socket_data_index_;
179
180 crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free> ssl_ctx_;
181 // |session_cache_| must be destroyed before |ssl_ctx_|.
182 SSLSessionCacheOpenSSL session_cache_;
183 };
184
185 // PeerCertificateChain is a helper object which extracts the certificate
186 // chain, as given by the server, from an OpenSSL socket and performs the needed
187 // resource management. The first element of the chain is the leaf certificate
188 // and the other elements are in the order given by the server.
189 class SSLClientSocketOpenSSL::PeerCertificateChain {
190 public:
PeerCertificateChain(STACK_OF (X509)* chain)191 explicit PeerCertificateChain(STACK_OF(X509)* chain) { Reset(chain); }
PeerCertificateChain(const PeerCertificateChain & other)192 PeerCertificateChain(const PeerCertificateChain& other) { *this = other; }
~PeerCertificateChain()193 ~PeerCertificateChain() {}
194 PeerCertificateChain& operator=(const PeerCertificateChain& other);
195
196 // Resets the PeerCertificateChain to the set of certificates in|chain|,
197 // which may be NULL, indicating to empty the store certificates.
198 // Note: If an error occurs, such as being unable to parse the certificates,
199 // this will behave as if Reset(NULL) was called.
200 void Reset(STACK_OF(X509)* chain);
201
202 // Note that when USE_OPENSSL is defined, OSCertHandle is X509*
AsOSChain() const203 const scoped_refptr<X509Certificate>& AsOSChain() const { return os_chain_; }
204
size() const205 size_t size() const {
206 if (!openssl_chain_.get())
207 return 0;
208 return sk_X509_num(openssl_chain_.get());
209 }
210
operator [](size_t index) const211 X509* operator[](size_t index) const {
212 DCHECK_LT(index, size());
213 return sk_X509_value(openssl_chain_.get(), index);
214 }
215
IsValid()216 bool IsValid() { return os_chain_.get() && openssl_chain_.get(); }
217
218 private:
FreeX509Stack(STACK_OF (X509)* cert_chain)219 static void FreeX509Stack(STACK_OF(X509)* cert_chain) {
220 sk_X509_pop_free(cert_chain, X509_free);
221 }
222
223 friend class crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>;
224
225 crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack> openssl_chain_;
226
227 scoped_refptr<X509Certificate> os_chain_;
228 };
229
230 SSLClientSocketOpenSSL::PeerCertificateChain&
operator =(const PeerCertificateChain & other)231 SSLClientSocketOpenSSL::PeerCertificateChain::operator=(
232 const PeerCertificateChain& other) {
233 if (this == &other)
234 return *this;
235
236 // os_chain_ is reference counted by scoped_refptr;
237 os_chain_ = other.os_chain_;
238
239 // Must increase the reference count manually for sk_X509_dup
240 openssl_chain_.reset(sk_X509_dup(other.openssl_chain_.get()));
241 for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) {
242 X509* x = sk_X509_value(openssl_chain_.get(), i);
243 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
244 }
245 return *this;
246 }
247
248 #if defined(USE_OPENSSL_CERTS)
249 // When OSCertHandle is typedef'ed to X509, this implementation does a short cut
250 // to avoid converting back and forth between der and X509 struct.
Reset(STACK_OF (X509)* chain)251 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(
252 STACK_OF(X509)* chain) {
253 openssl_chain_.reset(NULL);
254 os_chain_ = NULL;
255
256 if (!chain)
257 return;
258
259 X509Certificate::OSCertHandles intermediates;
260 for (int i = 1; i < sk_X509_num(chain); ++i)
261 intermediates.push_back(sk_X509_value(chain, i));
262
263 os_chain_ =
264 X509Certificate::CreateFromHandle(sk_X509_value(chain, 0), intermediates);
265
266 // sk_X509_dup does not increase reference count on the certs in the stack.
267 openssl_chain_.reset(sk_X509_dup(chain));
268
269 std::vector<base::StringPiece> der_chain;
270 for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) {
271 X509* x = sk_X509_value(openssl_chain_.get(), i);
272 // Increase the reference count for the certs in openssl_chain_.
273 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
274 }
275 }
276 #else // !defined(USE_OPENSSL_CERTS)
Reset(STACK_OF (X509)* chain)277 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(
278 STACK_OF(X509)* chain) {
279 openssl_chain_.reset(NULL);
280 os_chain_ = NULL;
281
282 if (!chain)
283 return;
284
285 // sk_X509_dup does not increase reference count on the certs in the stack.
286 openssl_chain_.reset(sk_X509_dup(chain));
287
288 std::vector<base::StringPiece> der_chain;
289 for (int i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) {
290 X509* x = sk_X509_value(openssl_chain_.get(), i);
291
292 // Increase the reference count for the certs in openssl_chain_.
293 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
294
295 unsigned char* cert_data = NULL;
296 int cert_data_length = i2d_X509(x, &cert_data);
297 if (cert_data_length && cert_data)
298 der_chain.push_back(base::StringPiece(reinterpret_cast<char*>(cert_data),
299 cert_data_length));
300 }
301
302 os_chain_ = X509Certificate::CreateFromDERCertChain(der_chain);
303
304 for (size_t i = 0; i < der_chain.size(); ++i) {
305 OPENSSL_free(const_cast<char*>(der_chain[i].data()));
306 }
307
308 if (der_chain.size() !=
309 static_cast<size_t>(sk_X509_num(openssl_chain_.get()))) {
310 openssl_chain_.reset(NULL);
311 os_chain_ = NULL;
312 }
313 }
314 #endif // defined(USE_OPENSSL_CERTS)
315
316 // static
317 SSLSessionCacheOpenSSL::Config
318 SSLClientSocketOpenSSL::SSLContext::kDefaultSessionCacheConfig = {
319 &GetSessionCacheKey, // key_func
320 1024, // max_entries
321 256, // expiration_check_count
322 60 * 60, // timeout_seconds
323 };
324
325 // static
ClearSessionCache()326 void SSLClientSocket::ClearSessionCache() {
327 SSLClientSocketOpenSSL::SSLContext* context =
328 SSLClientSocketOpenSSL::SSLContext::GetInstance();
329 context->session_cache()->Flush();
330 #if defined(USE_OPENSSL_CERTS)
331 OpenSSLClientKeyStore::GetInstance()->Flush();
332 #endif
333 }
334
SSLClientSocketOpenSSL(scoped_ptr<ClientSocketHandle> transport_socket,const HostPortPair & host_and_port,const SSLConfig & ssl_config,const SSLClientSocketContext & context)335 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
336 scoped_ptr<ClientSocketHandle> transport_socket,
337 const HostPortPair& host_and_port,
338 const SSLConfig& ssl_config,
339 const SSLClientSocketContext& context)
340 : transport_send_busy_(false),
341 transport_recv_busy_(false),
342 transport_recv_eof_(false),
343 weak_factory_(this),
344 pending_read_error_(kNoPendingReadResult),
345 transport_write_error_(OK),
346 server_cert_chain_(new PeerCertificateChain(NULL)),
347 completed_handshake_(false),
348 was_ever_used_(false),
349 client_auth_cert_needed_(false),
350 cert_verifier_(context.cert_verifier),
351 server_bound_cert_service_(context.server_bound_cert_service),
352 ssl_(NULL),
353 transport_bio_(NULL),
354 transport_(transport_socket.Pass()),
355 host_and_port_(host_and_port),
356 ssl_config_(ssl_config),
357 ssl_session_cache_shard_(context.ssl_session_cache_shard),
358 trying_cached_session_(false),
359 next_handshake_state_(STATE_NONE),
360 npn_status_(kNextProtoUnsupported),
361 channel_id_request_return_value_(ERR_UNEXPECTED),
362 channel_id_xtn_negotiated_(false),
363 net_log_(transport_->socket()->NetLog()) {}
364
~SSLClientSocketOpenSSL()365 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() {
366 Disconnect();
367 }
368
GetSSLCertRequestInfo(SSLCertRequestInfo * cert_request_info)369 void SSLClientSocketOpenSSL::GetSSLCertRequestInfo(
370 SSLCertRequestInfo* cert_request_info) {
371 cert_request_info->host_and_port = host_and_port_;
372 cert_request_info->cert_authorities = cert_authorities_;
373 cert_request_info->cert_key_types = cert_key_types_;
374 }
375
GetNextProto(std::string * proto,std::string * server_protos)376 SSLClientSocket::NextProtoStatus SSLClientSocketOpenSSL::GetNextProto(
377 std::string* proto, std::string* server_protos) {
378 *proto = npn_proto_;
379 *server_protos = server_protos_;
380 return npn_status_;
381 }
382
383 ServerBoundCertService*
GetServerBoundCertService() const384 SSLClientSocketOpenSSL::GetServerBoundCertService() const {
385 return server_bound_cert_service_;
386 }
387
ExportKeyingMaterial(const base::StringPiece & label,bool has_context,const base::StringPiece & context,unsigned char * out,unsigned int outlen)388 int SSLClientSocketOpenSSL::ExportKeyingMaterial(
389 const base::StringPiece& label,
390 bool has_context, const base::StringPiece& context,
391 unsigned char* out, unsigned int outlen) {
392 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
393
394 int rv = SSL_export_keying_material(
395 ssl_, out, outlen, label.data(), label.size(),
396 reinterpret_cast<const unsigned char*>(context.data()),
397 context.length(), context.length() > 0);
398
399 if (rv != 1) {
400 int ssl_error = SSL_get_error(ssl_, rv);
401 LOG(ERROR) << "Failed to export keying material;"
402 << " returned " << rv
403 << ", SSL error code " << ssl_error;
404 return MapOpenSSLError(ssl_error, err_tracer);
405 }
406 return OK;
407 }
408
GetTLSUniqueChannelBinding(std::string * out)409 int SSLClientSocketOpenSSL::GetTLSUniqueChannelBinding(std::string* out) {
410 NOTIMPLEMENTED();
411 return ERR_NOT_IMPLEMENTED;
412 }
413
Connect(const CompletionCallback & callback)414 int SSLClientSocketOpenSSL::Connect(const CompletionCallback& callback) {
415 net_log_.BeginEvent(NetLog::TYPE_SSL_CONNECT);
416
417 // Set up new ssl object.
418 int rv = Init();
419 if (rv != OK) {
420 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
421 return rv;
422 }
423
424 // Set SSL to client mode. Handshake happens in the loop below.
425 SSL_set_connect_state(ssl_);
426
427 GotoState(STATE_HANDSHAKE);
428 rv = DoHandshakeLoop(OK);
429 if (rv == ERR_IO_PENDING) {
430 user_connect_callback_ = callback;
431 } else {
432 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
433 }
434
435 return rv > OK ? OK : rv;
436 }
437
Disconnect()438 void SSLClientSocketOpenSSL::Disconnect() {
439 if (ssl_) {
440 // Calling SSL_shutdown prevents the session from being marked as
441 // unresumable.
442 SSL_shutdown(ssl_);
443 SSL_free(ssl_);
444 ssl_ = NULL;
445 }
446 if (transport_bio_) {
447 BIO_free_all(transport_bio_);
448 transport_bio_ = NULL;
449 }
450
451 // Shut down anything that may call us back.
452 verifier_.reset();
453 transport_->socket()->Disconnect();
454
455 // Null all callbacks, delete all buffers.
456 transport_send_busy_ = false;
457 send_buffer_ = NULL;
458 transport_recv_busy_ = false;
459 transport_recv_eof_ = false;
460 recv_buffer_ = NULL;
461
462 user_connect_callback_.Reset();
463 user_read_callback_.Reset();
464 user_write_callback_.Reset();
465 user_read_buf_ = NULL;
466 user_read_buf_len_ = 0;
467 user_write_buf_ = NULL;
468 user_write_buf_len_ = 0;
469
470 pending_read_error_ = kNoPendingReadResult;
471 transport_write_error_ = OK;
472
473 server_cert_verify_result_.Reset();
474 completed_handshake_ = false;
475
476 cert_authorities_.clear();
477 cert_key_types_.clear();
478 client_auth_cert_needed_ = false;
479 }
480
IsConnected() const481 bool SSLClientSocketOpenSSL::IsConnected() const {
482 // If the handshake has not yet completed.
483 if (!completed_handshake_)
484 return false;
485 // If an asynchronous operation is still pending.
486 if (user_read_buf_.get() || user_write_buf_.get())
487 return true;
488
489 return transport_->socket()->IsConnected();
490 }
491
IsConnectedAndIdle() const492 bool SSLClientSocketOpenSSL::IsConnectedAndIdle() const {
493 // If the handshake has not yet completed.
494 if (!completed_handshake_)
495 return false;
496 // If an asynchronous operation is still pending.
497 if (user_read_buf_.get() || user_write_buf_.get())
498 return false;
499 // If there is data waiting to be sent, or data read from the network that
500 // has not yet been consumed.
501 if (BIO_ctrl_pending(transport_bio_) > 0 ||
502 BIO_ctrl_wpending(transport_bio_) > 0) {
503 return false;
504 }
505
506 return transport_->socket()->IsConnectedAndIdle();
507 }
508
GetPeerAddress(IPEndPoint * addressList) const509 int SSLClientSocketOpenSSL::GetPeerAddress(IPEndPoint* addressList) const {
510 return transport_->socket()->GetPeerAddress(addressList);
511 }
512
GetLocalAddress(IPEndPoint * addressList) const513 int SSLClientSocketOpenSSL::GetLocalAddress(IPEndPoint* addressList) const {
514 return transport_->socket()->GetLocalAddress(addressList);
515 }
516
NetLog() const517 const BoundNetLog& SSLClientSocketOpenSSL::NetLog() const {
518 return net_log_;
519 }
520
SetSubresourceSpeculation()521 void SSLClientSocketOpenSSL::SetSubresourceSpeculation() {
522 if (transport_.get() && transport_->socket()) {
523 transport_->socket()->SetSubresourceSpeculation();
524 } else {
525 NOTREACHED();
526 }
527 }
528
SetOmniboxSpeculation()529 void SSLClientSocketOpenSSL::SetOmniboxSpeculation() {
530 if (transport_.get() && transport_->socket()) {
531 transport_->socket()->SetOmniboxSpeculation();
532 } else {
533 NOTREACHED();
534 }
535 }
536
WasEverUsed() const537 bool SSLClientSocketOpenSSL::WasEverUsed() const {
538 return was_ever_used_;
539 }
540
UsingTCPFastOpen() const541 bool SSLClientSocketOpenSSL::UsingTCPFastOpen() const {
542 if (transport_.get() && transport_->socket())
543 return transport_->socket()->UsingTCPFastOpen();
544
545 NOTREACHED();
546 return false;
547 }
548
GetSSLInfo(SSLInfo * ssl_info)549 bool SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) {
550 ssl_info->Reset();
551 if (!server_cert_.get())
552 return false;
553
554 ssl_info->cert = server_cert_verify_result_.verified_cert;
555 ssl_info->cert_status = server_cert_verify_result_.cert_status;
556 ssl_info->is_issued_by_known_root =
557 server_cert_verify_result_.is_issued_by_known_root;
558 ssl_info->public_key_hashes =
559 server_cert_verify_result_.public_key_hashes;
560 ssl_info->client_cert_sent =
561 ssl_config_.send_client_cert && ssl_config_.client_cert.get();
562 ssl_info->channel_id_sent = WasChannelIDSent();
563
564 RecordChannelIDSupport(server_bound_cert_service_,
565 channel_id_xtn_negotiated_,
566 ssl_config_.channel_id_enabled,
567 crypto::ECPrivateKey::IsSupported());
568
569 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_);
570 CHECK(cipher);
571 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL);
572 const COMP_METHOD* compression = SSL_get_current_compression(ssl_);
573
574 ssl_info->connection_status = EncodeSSLConnectionStatus(
575 SSL_CIPHER_get_id(cipher),
576 compression ? compression->type : 0,
577 GetNetSSLVersion(ssl_));
578
579 bool peer_supports_renego_ext = !!SSL_get_secure_renegotiation_support(ssl_);
580 if (!peer_supports_renego_ext)
581 ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
582 UMA_HISTOGRAM_ENUMERATION("Net.RenegotiationExtensionSupported",
583 implicit_cast<int>(peer_supports_renego_ext), 2);
584
585 if (ssl_config_.version_fallback)
586 ssl_info->connection_status |= SSL_CONNECTION_VERSION_FALLBACK;
587
588 ssl_info->handshake_type = SSL_session_reused(ssl_) ?
589 SSLInfo::HANDSHAKE_RESUME : SSLInfo::HANDSHAKE_FULL;
590
591 DVLOG(3) << "Encoded connection status: cipher suite = "
592 << SSLConnectionStatusToCipherSuite(ssl_info->connection_status)
593 << " version = "
594 << SSLConnectionStatusToVersion(ssl_info->connection_status);
595 return true;
596 }
597
Read(IOBuffer * buf,int buf_len,const CompletionCallback & callback)598 int SSLClientSocketOpenSSL::Read(IOBuffer* buf,
599 int buf_len,
600 const CompletionCallback& callback) {
601 user_read_buf_ = buf;
602 user_read_buf_len_ = buf_len;
603
604 int rv = DoReadLoop(OK);
605
606 if (rv == ERR_IO_PENDING) {
607 user_read_callback_ = callback;
608 } else {
609 if (rv > 0)
610 was_ever_used_ = true;
611 user_read_buf_ = NULL;
612 user_read_buf_len_ = 0;
613 }
614
615 return rv;
616 }
617
Write(IOBuffer * buf,int buf_len,const CompletionCallback & callback)618 int SSLClientSocketOpenSSL::Write(IOBuffer* buf,
619 int buf_len,
620 const CompletionCallback& callback) {
621 user_write_buf_ = buf;
622 user_write_buf_len_ = buf_len;
623
624 int rv = DoWriteLoop(OK);
625
626 if (rv == ERR_IO_PENDING) {
627 user_write_callback_ = callback;
628 } else {
629 if (rv > 0)
630 was_ever_used_ = true;
631 user_write_buf_ = NULL;
632 user_write_buf_len_ = 0;
633 }
634
635 return rv;
636 }
637
SetReceiveBufferSize(int32 size)638 int SSLClientSocketOpenSSL::SetReceiveBufferSize(int32 size) {
639 return transport_->socket()->SetReceiveBufferSize(size);
640 }
641
SetSendBufferSize(int32 size)642 int SSLClientSocketOpenSSL::SetSendBufferSize(int32 size) {
643 return transport_->socket()->SetSendBufferSize(size);
644 }
645
Init()646 int SSLClientSocketOpenSSL::Init() {
647 DCHECK(!ssl_);
648 DCHECK(!transport_bio_);
649
650 SSLContext* context = SSLContext::GetInstance();
651 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
652
653 ssl_ = SSL_new(context->ssl_ctx());
654 if (!ssl_ || !context->SetClientSocketForSSL(ssl_, this))
655 return ERR_UNEXPECTED;
656
657 if (!SSL_set_tlsext_host_name(ssl_, host_and_port_.host().c_str()))
658 return ERR_UNEXPECTED;
659
660 trying_cached_session_ = context->session_cache()->SetSSLSessionWithKey(
661 ssl_, GetSocketSessionCacheKey(*this));
662
663 BIO* ssl_bio = NULL;
664 // 0 => use default buffer sizes.
665 if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_, 0))
666 return ERR_UNEXPECTED;
667 DCHECK(ssl_bio);
668 DCHECK(transport_bio_);
669
670 SSL_set_bio(ssl_, ssl_bio, ssl_bio);
671
672 // OpenSSL defaults some options to on, others to off. To avoid ambiguity,
673 // set everything we care about to an absolute value.
674 SslSetClearMask options;
675 options.ConfigureFlag(SSL_OP_NO_SSLv2, true);
676 bool ssl3_enabled = (ssl_config_.version_min == SSL_PROTOCOL_VERSION_SSL3);
677 options.ConfigureFlag(SSL_OP_NO_SSLv3, !ssl3_enabled);
678 bool tls1_enabled = (ssl_config_.version_min <= SSL_PROTOCOL_VERSION_TLS1 &&
679 ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1);
680 options.ConfigureFlag(SSL_OP_NO_TLSv1, !tls1_enabled);
681 bool tls1_1_enabled =
682 (ssl_config_.version_min <= SSL_PROTOCOL_VERSION_TLS1_1 &&
683 ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1_1);
684 options.ConfigureFlag(SSL_OP_NO_TLSv1_1, !tls1_1_enabled);
685 bool tls1_2_enabled =
686 (ssl_config_.version_min <= SSL_PROTOCOL_VERSION_TLS1_2 &&
687 ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1_2);
688 options.ConfigureFlag(SSL_OP_NO_TLSv1_2, !tls1_2_enabled);
689
690 options.ConfigureFlag(SSL_OP_NO_COMPRESSION, true);
691
692 // TODO(joth): Set this conditionally, see http://crbug.com/55410
693 options.ConfigureFlag(SSL_OP_LEGACY_SERVER_CONNECT, true);
694
695 SSL_set_options(ssl_, options.set_mask);
696 SSL_clear_options(ssl_, options.clear_mask);
697
698 // Same as above, this time for the SSL mode.
699 SslSetClearMask mode;
700
701 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true);
702
703 mode.ConfigureFlag(SSL_MODE_HANDSHAKE_CUTTHROUGH,
704 ssl_config_.false_start_enabled);
705
706 SSL_set_mode(ssl_, mode.set_mask);
707 SSL_clear_mode(ssl_, mode.clear_mask);
708
709 // Removing ciphers by ID from OpenSSL is a bit involved as we must use the
710 // textual name with SSL_set_cipher_list because there is no public API to
711 // directly remove a cipher by ID.
712 STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_);
713 DCHECK(ciphers);
714 // See SSLConfig::disabled_cipher_suites for description of the suites
715 // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256
716 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384
717 // as the handshake hash.
718 std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA:!SRP:!SHA256:!SHA384:"
719 "!aECDH:!AESGCM+AES256");
720 // Walk through all the installed ciphers, seeing if any need to be
721 // appended to the cipher removal |command|.
722 for (int i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {
723 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i);
724 const uint16 id = SSL_CIPHER_get_id(cipher);
725 // Remove any ciphers with a strength of less than 80 bits. Note the NSS
726 // implementation uses "effective" bits here but OpenSSL does not provide
727 // this detail. This only impacts Triple DES: reports 112 vs. 168 bits,
728 // both of which are greater than 80 anyway.
729 bool disable = SSL_CIPHER_get_bits(cipher, NULL) < 80;
730 if (!disable) {
731 disable = std::find(ssl_config_.disabled_cipher_suites.begin(),
732 ssl_config_.disabled_cipher_suites.end(), id) !=
733 ssl_config_.disabled_cipher_suites.end();
734 }
735 if (disable) {
736 const char* name = SSL_CIPHER_get_name(cipher);
737 DVLOG(3) << "Found cipher to remove: '" << name << "', ID: " << id
738 << " strength: " << SSL_CIPHER_get_bits(cipher, NULL);
739 command.append(":!");
740 command.append(name);
741 }
742 }
743 int rv = SSL_set_cipher_list(ssl_, command.c_str());
744 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL.
745 // This will almost certainly result in the socket failing to complete the
746 // handshake at which point the appropriate error is bubbled up to the client.
747 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command << "') "
748 "returned " << rv;
749
750 if (ssl_config_.version_fallback) {
751 #ifdef SSL_MODE_SEND_FALLBACK_SCSV
752 SSL_set_mode(ssl_, SSL_MODE_SEND_FALLBACK_SCSV);
753 #else
754 SSL_enable_fallback_scsv(ssl_);
755 #endif
756 }
757
758 // TLS channel ids.
759 if (IsChannelIDEnabled(ssl_config_, server_bound_cert_service_)) {
760 SSL_enable_tls_channel_id(ssl_);
761 }
762
763 return OK;
764 }
765
DoReadCallback(int rv)766 void SSLClientSocketOpenSSL::DoReadCallback(int rv) {
767 // Since Run may result in Read being called, clear |user_read_callback_|
768 // up front.
769 if (rv > 0)
770 was_ever_used_ = true;
771 user_read_buf_ = NULL;
772 user_read_buf_len_ = 0;
773 base::ResetAndReturn(&user_read_callback_).Run(rv);
774 }
775
DoWriteCallback(int rv)776 void SSLClientSocketOpenSSL::DoWriteCallback(int rv) {
777 // Since Run may result in Write being called, clear |user_write_callback_|
778 // up front.
779 if (rv > 0)
780 was_ever_used_ = true;
781 user_write_buf_ = NULL;
782 user_write_buf_len_ = 0;
783 base::ResetAndReturn(&user_write_callback_).Run(rv);
784 }
785
DoTransportIO()786 bool SSLClientSocketOpenSSL::DoTransportIO() {
787 bool network_moved = false;
788 int rv;
789 // Read and write as much data as possible. The loop is necessary because
790 // Write() may return synchronously.
791 do {
792 rv = BufferSend();
793 if (rv != ERR_IO_PENDING && rv != 0)
794 network_moved = true;
795 } while (rv > 0);
796 if (!transport_recv_eof_ && BufferRecv() != ERR_IO_PENDING)
797 network_moved = true;
798 return network_moved;
799 }
800
DoHandshake()801 int SSLClientSocketOpenSSL::DoHandshake() {
802 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
803 int net_error = OK;
804 int rv = SSL_do_handshake(ssl_);
805
806 if (client_auth_cert_needed_) {
807 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
808 // If the handshake already succeeded (because the server requests but
809 // doesn't require a client cert), we need to invalidate the SSL session
810 // so that we won't try to resume the non-client-authenticated session in
811 // the next handshake. This will cause the server to ask for a client
812 // cert again.
813 if (rv == 1) {
814 // Remove from session cache but don't clear this connection.
815 SSL_SESSION* session = SSL_get_session(ssl_);
816 if (session) {
817 int rv = SSL_CTX_remove_session(SSL_get_SSL_CTX(ssl_), session);
818 LOG_IF(WARNING, !rv) << "Couldn't invalidate SSL session: " << session;
819 }
820 }
821 } else if (rv == 1) {
822 if (trying_cached_session_ && logging::DEBUG_MODE) {
823 DVLOG(2) << "Result of session reuse for " << host_and_port_.ToString()
824 << " is: " << (SSL_session_reused(ssl_) ? "Success" : "Fail");
825 }
826 // SSL handshake is completed. Let's verify the certificate.
827 const bool got_cert = !!UpdateServerCert();
828 DCHECK(got_cert);
829 net_log_.AddEvent(
830 NetLog::TYPE_SSL_CERTIFICATES_RECEIVED,
831 base::Bind(&NetLogX509CertificateCallback,
832 base::Unretained(server_cert_.get())));
833 GotoState(STATE_VERIFY_CERT);
834 } else {
835 int ssl_error = SSL_get_error(ssl_, rv);
836
837 if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) {
838 // The server supports TLS channel id and the lookup is asynchronous.
839 // Retrieve the error from the call to |server_bound_cert_service_|.
840 net_error = channel_id_request_return_value_;
841 } else {
842 net_error = MapOpenSSLError(ssl_error, err_tracer);
843 }
844
845 // If not done, stay in this state
846 if (net_error == ERR_IO_PENDING) {
847 GotoState(STATE_HANDSHAKE);
848 } else {
849 LOG(ERROR) << "handshake failed; returned " << rv
850 << ", SSL error code " << ssl_error
851 << ", net_error " << net_error;
852 net_log_.AddEvent(
853 NetLog::TYPE_SSL_HANDSHAKE_ERROR,
854 CreateNetLogSSLErrorCallback(net_error, ssl_error));
855 }
856 }
857 return net_error;
858 }
859
DoVerifyCert(int result)860 int SSLClientSocketOpenSSL::DoVerifyCert(int result) {
861 DCHECK(server_cert_.get());
862 GotoState(STATE_VERIFY_CERT_COMPLETE);
863
864 CertStatus cert_status;
865 if (ssl_config_.IsAllowedBadCert(server_cert_.get(), &cert_status)) {
866 VLOG(1) << "Received an expected bad cert with status: " << cert_status;
867 server_cert_verify_result_.Reset();
868 server_cert_verify_result_.cert_status = cert_status;
869 server_cert_verify_result_.verified_cert = server_cert_;
870 return OK;
871 }
872
873 int flags = 0;
874 if (ssl_config_.rev_checking_enabled)
875 flags |= CertVerifier::VERIFY_REV_CHECKING_ENABLED;
876 if (ssl_config_.verify_ev_cert)
877 flags |= CertVerifier::VERIFY_EV_CERT;
878 if (ssl_config_.cert_io_enabled)
879 flags |= CertVerifier::VERIFY_CERT_IO_ENABLED;
880 if (ssl_config_.rev_checking_required_local_anchors)
881 flags |= CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS;
882 verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
883 return verifier_->Verify(
884 server_cert_.get(),
885 host_and_port_.host(),
886 flags,
887 NULL /* no CRL set */,
888 &server_cert_verify_result_,
889 base::Bind(&SSLClientSocketOpenSSL::OnHandshakeIOComplete,
890 base::Unretained(this)),
891 net_log_);
892 }
893
DoVerifyCertComplete(int result)894 int SSLClientSocketOpenSSL::DoVerifyCertComplete(int result) {
895 verifier_.reset();
896
897 if (result == OK) {
898 // TODO(joth): Work out if we need to remember the intermediate CA certs
899 // when the server sends them to us, and do so here.
900 SSLContext::GetInstance()->session_cache()->MarkSSLSessionAsGood(ssl_);
901 } else {
902 DVLOG(1) << "DoVerifyCertComplete error " << ErrorToString(result)
903 << " (" << result << ")";
904 }
905
906 completed_handshake_ = true;
907 // Exit DoHandshakeLoop and return the result to the caller to Connect.
908 DCHECK_EQ(STATE_NONE, next_handshake_state_);
909 return result;
910 }
911
DoConnectCallback(int rv)912 void SSLClientSocketOpenSSL::DoConnectCallback(int rv) {
913 if (!user_connect_callback_.is_null()) {
914 CompletionCallback c = user_connect_callback_;
915 user_connect_callback_.Reset();
916 c.Run(rv > OK ? OK : rv);
917 }
918 }
919
UpdateServerCert()920 X509Certificate* SSLClientSocketOpenSSL::UpdateServerCert() {
921 server_cert_chain_->Reset(SSL_get_peer_cert_chain(ssl_));
922 server_cert_ = server_cert_chain_->AsOSChain();
923
924 if (!server_cert_chain_->IsValid())
925 DVLOG(1) << "UpdateServerCert received invalid certificate chain from peer";
926
927 return server_cert_.get();
928 }
929
OnHandshakeIOComplete(int result)930 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) {
931 int rv = DoHandshakeLoop(result);
932 if (rv != ERR_IO_PENDING) {
933 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
934 DoConnectCallback(rv);
935 }
936 }
937
OnSendComplete(int result)938 void SSLClientSocketOpenSSL::OnSendComplete(int result) {
939 if (next_handshake_state_ == STATE_HANDSHAKE) {
940 // In handshake phase.
941 OnHandshakeIOComplete(result);
942 return;
943 }
944
945 // OnSendComplete may need to call DoPayloadRead while the renegotiation
946 // handshake is in progress.
947 int rv_read = ERR_IO_PENDING;
948 int rv_write = ERR_IO_PENDING;
949 bool network_moved;
950 do {
951 if (user_read_buf_.get())
952 rv_read = DoPayloadRead();
953 if (user_write_buf_.get())
954 rv_write = DoPayloadWrite();
955 network_moved = DoTransportIO();
956 } while (rv_read == ERR_IO_PENDING && rv_write == ERR_IO_PENDING &&
957 (user_read_buf_.get() || user_write_buf_.get()) && network_moved);
958
959 // Performing the Read callback may cause |this| to be deleted. If this
960 // happens, the Write callback should not be invoked. Guard against this by
961 // holding a WeakPtr to |this| and ensuring it's still valid.
962 base::WeakPtr<SSLClientSocketOpenSSL> guard(weak_factory_.GetWeakPtr());
963 if (user_read_buf_.get() && rv_read != ERR_IO_PENDING)
964 DoReadCallback(rv_read);
965
966 if (!guard.get())
967 return;
968
969 if (user_write_buf_.get() && rv_write != ERR_IO_PENDING)
970 DoWriteCallback(rv_write);
971 }
972
OnRecvComplete(int result)973 void SSLClientSocketOpenSSL::OnRecvComplete(int result) {
974 if (next_handshake_state_ == STATE_HANDSHAKE) {
975 // In handshake phase.
976 OnHandshakeIOComplete(result);
977 return;
978 }
979
980 // Network layer received some data, check if client requested to read
981 // decrypted data.
982 if (!user_read_buf_.get())
983 return;
984
985 int rv = DoReadLoop(result);
986 if (rv != ERR_IO_PENDING)
987 DoReadCallback(rv);
988 }
989
DoHandshakeLoop(int last_io_result)990 int SSLClientSocketOpenSSL::DoHandshakeLoop(int last_io_result) {
991 int rv = last_io_result;
992 do {
993 // Default to STATE_NONE for next state.
994 // (This is a quirk carried over from the windows
995 // implementation. It makes reading the logs a bit harder.)
996 // State handlers can and often do call GotoState just
997 // to stay in the current state.
998 State state = next_handshake_state_;
999 GotoState(STATE_NONE);
1000 switch (state) {
1001 case STATE_HANDSHAKE:
1002 rv = DoHandshake();
1003 break;
1004 case STATE_VERIFY_CERT:
1005 DCHECK(rv == OK);
1006 rv = DoVerifyCert(rv);
1007 break;
1008 case STATE_VERIFY_CERT_COMPLETE:
1009 rv = DoVerifyCertComplete(rv);
1010 break;
1011 case STATE_NONE:
1012 default:
1013 rv = ERR_UNEXPECTED;
1014 NOTREACHED() << "unexpected state" << state;
1015 break;
1016 }
1017
1018 bool network_moved = DoTransportIO();
1019 if (network_moved && next_handshake_state_ == STATE_HANDSHAKE) {
1020 // In general we exit the loop if rv is ERR_IO_PENDING. In this
1021 // special case we keep looping even if rv is ERR_IO_PENDING because
1022 // the transport IO may allow DoHandshake to make progress.
1023 rv = OK; // This causes us to stay in the loop.
1024 }
1025 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE);
1026 return rv;
1027 }
1028
DoReadLoop(int result)1029 int SSLClientSocketOpenSSL::DoReadLoop(int result) {
1030 if (result < 0)
1031 return result;
1032
1033 bool network_moved;
1034 int rv;
1035 do {
1036 rv = DoPayloadRead();
1037 network_moved = DoTransportIO();
1038 } while (rv == ERR_IO_PENDING && network_moved);
1039
1040 return rv;
1041 }
1042
DoWriteLoop(int result)1043 int SSLClientSocketOpenSSL::DoWriteLoop(int result) {
1044 if (result < 0)
1045 return result;
1046
1047 bool network_moved;
1048 int rv;
1049 do {
1050 rv = DoPayloadWrite();
1051 network_moved = DoTransportIO();
1052 } while (rv == ERR_IO_PENDING && network_moved);
1053
1054 return rv;
1055 }
1056
DoPayloadRead()1057 int SSLClientSocketOpenSSL::DoPayloadRead() {
1058 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
1059
1060 int rv;
1061 if (pending_read_error_ != kNoPendingReadResult) {
1062 rv = pending_read_error_;
1063 pending_read_error_ = kNoPendingReadResult;
1064 if (rv == 0) {
1065 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED,
1066 rv, user_read_buf_->data());
1067 }
1068 return rv;
1069 }
1070
1071 int total_bytes_read = 0;
1072 do {
1073 rv = SSL_read(ssl_, user_read_buf_->data() + total_bytes_read,
1074 user_read_buf_len_ - total_bytes_read);
1075 if (rv > 0)
1076 total_bytes_read += rv;
1077 } while (total_bytes_read < user_read_buf_len_ && rv > 0);
1078
1079 if (total_bytes_read == user_read_buf_len_) {
1080 rv = total_bytes_read;
1081 } else {
1082 // Otherwise, an error occurred (rv <= 0). The error needs to be handled
1083 // immediately, while the OpenSSL errors are still available in
1084 // thread-local storage. However, the handled/remapped error code should
1085 // only be returned if no application data was already read; if it was, the
1086 // error code should be deferred until the next call of DoPayloadRead.
1087 //
1088 // If no data was read, |*next_result| will point to the return value of
1089 // this function. If at least some data was read, |*next_result| will point
1090 // to |pending_read_error_|, to be returned in a future call to
1091 // DoPayloadRead() (e.g.: after the current data is handled).
1092 int *next_result = &rv;
1093 if (total_bytes_read > 0) {
1094 pending_read_error_ = rv;
1095 rv = total_bytes_read;
1096 next_result = &pending_read_error_;
1097 }
1098
1099 if (client_auth_cert_needed_) {
1100 *next_result = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
1101 } else if (*next_result < 0) {
1102 int err = SSL_get_error(ssl_, *next_result);
1103 *next_result = MapOpenSSLError(err, err_tracer);
1104 if (rv > 0 && *next_result == ERR_IO_PENDING) {
1105 // If at least some data was read from SSL_read(), do not treat
1106 // insufficient data as an error to return in the next call to
1107 // DoPayloadRead() - instead, let the call fall through to check
1108 // SSL_read() again. This is because DoTransportIO() may complete
1109 // in between the next call to DoPayloadRead(), and thus it is
1110 // important to check SSL_read() on subsequent invocations to see
1111 // if a complete record may now be read.
1112 *next_result = kNoPendingReadResult;
1113 }
1114 }
1115 }
1116
1117 if (rv >= 0) {
1118 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv,
1119 user_read_buf_->data());
1120 }
1121 return rv;
1122 }
1123
DoPayloadWrite()1124 int SSLClientSocketOpenSSL::DoPayloadWrite() {
1125 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
1126 int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_);
1127
1128 if (rv >= 0) {
1129 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv,
1130 user_write_buf_->data());
1131 return rv;
1132 }
1133
1134 int err = SSL_get_error(ssl_, rv);
1135 return MapOpenSSLError(err, err_tracer);
1136 }
1137
BufferSend(void)1138 int SSLClientSocketOpenSSL::BufferSend(void) {
1139 if (transport_send_busy_)
1140 return ERR_IO_PENDING;
1141
1142 if (!send_buffer_.get()) {
1143 // Get a fresh send buffer out of the send BIO.
1144 size_t max_read = BIO_ctrl_pending(transport_bio_);
1145 if (!max_read)
1146 return 0; // Nothing pending in the OpenSSL write BIO.
1147 send_buffer_ = new DrainableIOBuffer(new IOBuffer(max_read), max_read);
1148 int read_bytes = BIO_read(transport_bio_, send_buffer_->data(), max_read);
1149 DCHECK_GT(read_bytes, 0);
1150 CHECK_EQ(static_cast<int>(max_read), read_bytes);
1151 }
1152
1153 int rv = transport_->socket()->Write(
1154 send_buffer_.get(),
1155 send_buffer_->BytesRemaining(),
1156 base::Bind(&SSLClientSocketOpenSSL::BufferSendComplete,
1157 base::Unretained(this)));
1158 if (rv == ERR_IO_PENDING) {
1159 transport_send_busy_ = true;
1160 } else {
1161 TransportWriteComplete(rv);
1162 }
1163 return rv;
1164 }
1165
BufferRecv(void)1166 int SSLClientSocketOpenSSL::BufferRecv(void) {
1167 if (transport_recv_busy_)
1168 return ERR_IO_PENDING;
1169
1170 // Determine how much was requested from |transport_bio_| that was not
1171 // actually available.
1172 size_t requested = BIO_ctrl_get_read_request(transport_bio_);
1173 if (requested == 0) {
1174 // This is not a perfect match of error codes, as no operation is
1175 // actually pending. However, returning 0 would be interpreted as
1176 // a possible sign of EOF, which is also an inappropriate match.
1177 return ERR_IO_PENDING;
1178 }
1179
1180 // Known Issue: While only reading |requested| data is the more correct
1181 // implementation, it has the downside of resulting in frequent reads:
1182 // One read for the SSL record header (~5 bytes) and one read for the SSL
1183 // record body. Rather than issuing these reads to the underlying socket
1184 // (and constantly allocating new IOBuffers), a single Read() request to
1185 // fill |transport_bio_| is issued. As long as an SSL client socket cannot
1186 // be gracefully shutdown (via SSL close alerts) and re-used for non-SSL
1187 // traffic, this over-subscribed Read()ing will not cause issues.
1188 size_t max_write = BIO_ctrl_get_write_guarantee(transport_bio_);
1189 if (!max_write)
1190 return ERR_IO_PENDING;
1191
1192 recv_buffer_ = new IOBuffer(max_write);
1193 int rv = transport_->socket()->Read(
1194 recv_buffer_.get(),
1195 max_write,
1196 base::Bind(&SSLClientSocketOpenSSL::BufferRecvComplete,
1197 base::Unretained(this)));
1198 if (rv == ERR_IO_PENDING) {
1199 transport_recv_busy_ = true;
1200 } else {
1201 rv = TransportReadComplete(rv);
1202 }
1203 return rv;
1204 }
1205
BufferSendComplete(int result)1206 void SSLClientSocketOpenSSL::BufferSendComplete(int result) {
1207 transport_send_busy_ = false;
1208 TransportWriteComplete(result);
1209 OnSendComplete(result);
1210 }
1211
BufferRecvComplete(int result)1212 void SSLClientSocketOpenSSL::BufferRecvComplete(int result) {
1213 result = TransportReadComplete(result);
1214 OnRecvComplete(result);
1215 }
1216
TransportWriteComplete(int result)1217 void SSLClientSocketOpenSSL::TransportWriteComplete(int result) {
1218 DCHECK(ERR_IO_PENDING != result);
1219 if (result < 0) {
1220 // Got a socket write error; close the BIO to indicate this upward.
1221 //
1222 // TODO(davidben): The value of |result| gets lost. Feed the error back into
1223 // the BIO so it gets (re-)detected in OnSendComplete. Perhaps with
1224 // BIO_set_callback.
1225 DVLOG(1) << "TransportWriteComplete error " << result;
1226 (void)BIO_shutdown_wr(SSL_get_wbio(ssl_));
1227
1228 // Match the fix for http://crbug.com/249848 in NSS by erroring future reads
1229 // from the socket after a write error.
1230 //
1231 // TODO(davidben): Avoid having read and write ends interact this way.
1232 transport_write_error_ = result;
1233 (void)BIO_shutdown_wr(transport_bio_);
1234 send_buffer_ = NULL;
1235 } else {
1236 DCHECK(send_buffer_.get());
1237 send_buffer_->DidConsume(result);
1238 DCHECK_GE(send_buffer_->BytesRemaining(), 0);
1239 if (send_buffer_->BytesRemaining() <= 0)
1240 send_buffer_ = NULL;
1241 }
1242 }
1243
TransportReadComplete(int result)1244 int SSLClientSocketOpenSSL::TransportReadComplete(int result) {
1245 DCHECK(ERR_IO_PENDING != result);
1246 if (result <= 0) {
1247 DVLOG(1) << "TransportReadComplete result " << result;
1248 // Received 0 (end of file) or an error. Either way, bubble it up to the
1249 // SSL layer via the BIO. TODO(joth): consider stashing the error code, to
1250 // relay up to the SSL socket client (i.e. via DoReadCallback).
1251 if (result == 0)
1252 transport_recv_eof_ = true;
1253 (void)BIO_shutdown_wr(transport_bio_);
1254 } else if (transport_write_error_ < 0) {
1255 // Mirror transport write errors as read failures; transport_bio_ has been
1256 // shut down by TransportWriteComplete, so the BIO_write will fail, failing
1257 // the CHECK. http://crbug.com/335557.
1258 result = transport_write_error_;
1259 } else {
1260 DCHECK(recv_buffer_.get());
1261 int ret = BIO_write(transport_bio_, recv_buffer_->data(), result);
1262 // A write into a memory BIO should always succeed.
1263 DCHECK_EQ(result, ret);
1264 }
1265 recv_buffer_ = NULL;
1266 transport_recv_busy_ = false;
1267 return result;
1268 }
1269
ClientCertRequestCallback(SSL * ssl,X509 ** x509,EVP_PKEY ** pkey)1270 int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl,
1271 X509** x509,
1272 EVP_PKEY** pkey) {
1273 DVLOG(3) << "OpenSSL ClientCertRequestCallback called";
1274 DCHECK(ssl == ssl_);
1275 DCHECK(*x509 == NULL);
1276 DCHECK(*pkey == NULL);
1277 if (!ssl_config_.send_client_cert) {
1278 // First pass: we know that a client certificate is needed, but we do not
1279 // have one at hand.
1280 client_auth_cert_needed_ = true;
1281 STACK_OF(X509_NAME) *authorities = SSL_get_client_CA_list(ssl);
1282 for (int i = 0; i < sk_X509_NAME_num(authorities); i++) {
1283 X509_NAME *ca_name = (X509_NAME *)sk_X509_NAME_value(authorities, i);
1284 unsigned char* str = NULL;
1285 int length = i2d_X509_NAME(ca_name, &str);
1286 cert_authorities_.push_back(std::string(
1287 reinterpret_cast<const char*>(str),
1288 static_cast<size_t>(length)));
1289 OPENSSL_free(str);
1290 }
1291
1292 const unsigned char* client_cert_types;
1293 size_t num_client_cert_types;
1294 SSL_get_client_certificate_types(ssl, &client_cert_types,
1295 &num_client_cert_types);
1296 for (size_t i = 0; i < num_client_cert_types; i++) {
1297 cert_key_types_.push_back(
1298 static_cast<SSLClientCertType>(client_cert_types[i]));
1299 }
1300
1301 return -1; // Suspends handshake.
1302 }
1303
1304 // Second pass: a client certificate should have been selected.
1305 if (ssl_config_.client_cert.get()) {
1306 #if defined(USE_OPENSSL_CERTS)
1307 // A note about ownership: FetchClientCertPrivateKey() increments
1308 // the reference count of the EVP_PKEY. Ownership of this reference
1309 // is passed directly to OpenSSL, which will release the reference
1310 // using EVP_PKEY_free() when the SSL object is destroyed.
1311 OpenSSLClientKeyStore::ScopedEVP_PKEY privkey;
1312 if (OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey(
1313 ssl_config_.client_cert.get(), &privkey)) {
1314 // TODO(joth): (copied from NSS) We should wait for server certificate
1315 // verification before sending our credentials. See http://crbug.com/13934
1316 *x509 = X509Certificate::DupOSCertHandle(
1317 ssl_config_.client_cert->os_cert_handle());
1318 *pkey = privkey.release();
1319 return 1;
1320 }
1321 LOG(WARNING) << "Client cert found without private key";
1322 #else // !defined(USE_OPENSSL_CERTS)
1323 // OS handling of client certificates is not yet implemented.
1324 NOTIMPLEMENTED();
1325 #endif // defined(USE_OPENSSL_CERTS)
1326 }
1327
1328 // Send no client certificate.
1329 return 0;
1330 }
1331
ChannelIDRequestCallback(SSL * ssl,EVP_PKEY ** pkey)1332 void SSLClientSocketOpenSSL::ChannelIDRequestCallback(SSL* ssl,
1333 EVP_PKEY** pkey) {
1334 DVLOG(3) << "OpenSSL ChannelIDRequestCallback called";
1335 DCHECK_EQ(ssl, ssl_);
1336 DCHECK(!*pkey);
1337
1338 channel_id_xtn_negotiated_ = true;
1339 if (!channel_id_private_key_.size()) {
1340 channel_id_request_return_value_ =
1341 server_bound_cert_service_->GetOrCreateDomainBoundCert(
1342 host_and_port_.host(),
1343 &channel_id_private_key_,
1344 &channel_id_cert_,
1345 base::Bind(&SSLClientSocketOpenSSL::OnHandshakeIOComplete,
1346 base::Unretained(this)),
1347 &channel_id_request_handle_);
1348 if (channel_id_request_return_value_ != OK)
1349 return;
1350 }
1351
1352 // Decode key.
1353 std::vector<uint8> encrypted_private_key_info;
1354 std::vector<uint8> subject_public_key_info;
1355 encrypted_private_key_info.assign(
1356 channel_id_private_key_.data(),
1357 channel_id_private_key_.data() + channel_id_private_key_.size());
1358 subject_public_key_info.assign(
1359 channel_id_cert_.data(),
1360 channel_id_cert_.data() + channel_id_cert_.size());
1361 scoped_ptr<crypto::ECPrivateKey> ec_private_key(
1362 crypto::ECPrivateKey::CreateFromEncryptedPrivateKeyInfo(
1363 ServerBoundCertService::kEPKIPassword,
1364 encrypted_private_key_info,
1365 subject_public_key_info));
1366 if (!ec_private_key)
1367 return;
1368 set_channel_id_sent(true);
1369 *pkey = EVP_PKEY_dup(ec_private_key->key());
1370 }
1371
CertVerifyCallback(X509_STORE_CTX * store_ctx)1372 int SSLClientSocketOpenSSL::CertVerifyCallback(X509_STORE_CTX* store_ctx) {
1373 if (!completed_handshake_) {
1374 // If the first handshake hasn't completed then we accept any certificates
1375 // because we verify after the handshake.
1376 return 1;
1377 }
1378
1379 CHECK(server_cert_.get());
1380
1381 PeerCertificateChain chain(store_ctx->untrusted);
1382 if (chain.IsValid() && server_cert_->Equals(chain.AsOSChain()))
1383 return 1;
1384
1385 if (!chain.IsValid())
1386 LOG(ERROR) << "Received invalid certificate chain between handshakes";
1387 else
1388 LOG(ERROR) << "Server certificate changed between handshakes";
1389 return 0;
1390 }
1391
1392 // SelectNextProtoCallback is called by OpenSSL during the handshake. If the
1393 // server supports NPN, selects a protocol from the list that the server
1394 // provides. According to third_party/openssl/openssl/ssl/ssl_lib.c, the
1395 // callback can assume that |in| is syntactically valid.
SelectNextProtoCallback(unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen)1396 int SSLClientSocketOpenSSL::SelectNextProtoCallback(unsigned char** out,
1397 unsigned char* outlen,
1398 const unsigned char* in,
1399 unsigned int inlen) {
1400 if (ssl_config_.next_protos.empty()) {
1401 *out = reinterpret_cast<uint8*>(
1402 const_cast<char*>(kDefaultSupportedNPNProtocol));
1403 *outlen = arraysize(kDefaultSupportedNPNProtocol) - 1;
1404 npn_status_ = kNextProtoUnsupported;
1405 return SSL_TLSEXT_ERR_OK;
1406 }
1407
1408 // Assume there's no overlap between our protocols and the server's list.
1409 npn_status_ = kNextProtoNoOverlap;
1410
1411 // For each protocol in server preference order, see if we support it.
1412 for (unsigned int i = 0; i < inlen; i += in[i] + 1) {
1413 for (std::vector<std::string>::const_iterator
1414 j = ssl_config_.next_protos.begin();
1415 j != ssl_config_.next_protos.end(); ++j) {
1416 if (in[i] == j->size() &&
1417 memcmp(&in[i + 1], j->data(), in[i]) == 0) {
1418 // We found a match.
1419 *out = const_cast<unsigned char*>(in) + i + 1;
1420 *outlen = in[i];
1421 npn_status_ = kNextProtoNegotiated;
1422 break;
1423 }
1424 }
1425 if (npn_status_ == kNextProtoNegotiated)
1426 break;
1427 }
1428
1429 // If we didn't find a protocol, we select the first one from our list.
1430 if (npn_status_ == kNextProtoNoOverlap) {
1431 *out = reinterpret_cast<uint8*>(const_cast<char*>(
1432 ssl_config_.next_protos[0].data()));
1433 *outlen = ssl_config_.next_protos[0].size();
1434 }
1435
1436 npn_proto_.assign(reinterpret_cast<const char*>(*out), *outlen);
1437 server_protos_.assign(reinterpret_cast<const char*>(in), inlen);
1438 DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_;
1439 return SSL_TLSEXT_ERR_OK;
1440 }
1441
1442 scoped_refptr<X509Certificate>
GetUnverifiedServerCertificateChain() const1443 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const {
1444 return server_cert_;
1445 }
1446
1447 } // namespace net
1448