author | davidben <davidben@chromium.org> | 2015-12-21 14:55:50 -0800 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-12-21 22:57:41 +0000 |
commit | 752bcf26fe626a42dc392b19ccd0d605cc1c62a6 (patch) | |
tree | 1d8dab6a49075954516a6a56b02de10ba6374e3b | |
parent | dbf2f363526a4a1fc90af90206a2e0e7761eb75d (diff) | |
download | chromium_src-752bcf26fe626a42dc392b19ccd0d605cc1c62a6.zip chromium_src-752bcf26fe626a42dc392b19ccd0d605cc1c62a6.tar.gz chromium_src-752bcf26fe626a42dc392b19ccd0d605cc1c62a6.tar.bz2 |
Log the signature parameters with SSL_PRIVATE_KEY_OPERATION.
This would have been helpful in diagnosing crbug.com/570278, and other TLS 1.2
client certificate problems. It's quite common that the first thing I want to
know is what hash function was signed (TLS 1.2 makes signatures far too
complicated and somehow this is often what goes wrong), but we can't get at
this without logging all bytes.
BUG=570278
Review URL: https://codereview.chromium.org/1536323004
Cr-Commit-Position: refs/heads/master@{#366482}
-rw-r--r-- | net/log/net_log_event_type_list.h | 7 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_openssl.cc | 49 |
2 files changed, 53 insertions, 3 deletions
diff --git a/net/log/net_log_event_type_list.h b/net/log/net_log_event_type_list.h
index 2dc0eb46..612d08b 100644
--- a/net/log/net_log_event_type_list.h
+++ b/net/log/net_log_event_type_list.h
@@ -461,7 +461,12 @@ EVENT_TYPE(SSL_SERVER_HANDSHAKE)
 // The SSL server requested a client certificate.
 EVENT_TYPE(SSL_CLIENT_CERT_REQUESTED)
 
-// The SSL stack blocked on a private key operation.
+// The SSL stack blocked on a private key operation. The following parameters
+// are attached to the event.
+// {
+// "type": <type of the key>,
+// "hash": <hash function used>,
+// }
 EVENT_TYPE(SSL_PRIVATE_KEY_OPERATION)
 
 // The start/end of getting a domain-bound certificate and private key.
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 6620f28..eeb931c 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -16,6 +16,8 @@
 #include <openssl/ssl.h>
 #include <string.h>
+#include <utility>
+
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/lazy_instance.h"
@@ -184,6 +186,46 @@ class ScopedCBB {
 CBB cbb_;
 DISALLOW_COPY_AND_ASSIGN(ScopedCBB);
 };
+
+scoped_ptr<base::Value> NetLogPrivateKeyOperationCallback(
+ SSLPrivateKey::Type type,
+ SSLPrivateKey::Hash hash,
+ NetLogCaptureMode mode) {
+ std::string type_str;
+ switch (type) {
+ case SSLPrivateKey::Type::RSA:
+ type_str = "RSA";
+ break;
+ case SSLPrivateKey::Type::ECDSA:
+ type_str = "ECDSA";
+ break;
+ }
+
+ std::string hash_str;
+ switch (hash) {
+ case SSLPrivateKey::Hash::MD5_SHA1:
+ hash_str = "MD5_SHA1";
+ break;
+ case SSLPrivateKey::Hash::SHA1:
+ hash_str = "SHA1";
+ break;
+ case SSLPrivateKey::Hash::SHA256:
+ hash_str = "SHA256";
+ break;
+ case SSLPrivateKey::Hash::SHA384:
+ hash_str = "SHA384";
+ break;
+ case SSLPrivateKey::Hash::SHA512:
+ hash_str = "SHA512";
+ break;
+ }
+
+ scoped_ptr<base::DictionaryValue> value(new base::DictionaryValue);
+ value->SetString("type", type_str);
+ value->SetString("hash", hash_str);
+ return std::move(value);
+}
+
 } // namespace
 
 class SSLClientSocketOpenSSL::SSLContext {
@@ -2129,14 +2171,17 @@ ssl_private_key_result_t SSLClientSocketOpenSSL::PrivateKeySignCallback(
 DCHECK(signature_.empty());
 DCHECK(ssl_config_.client_private_key);
 
- net_log_.BeginEvent(NetLog::TYPE_SSL_PRIVATE_KEY_OPERATION);
-
 SSLPrivateKey::Hash hash;
 if (!EVP_MDToPrivateKeyHash(md, &hash)) {
 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
 return ssl_private_key_failure;
 }
 
+ net_log_.BeginEvent(
+ NetLog::TYPE_SSL_PRIVATE_KEY_OPERATION,
+ base::Bind(&NetLogPrivateKeyOperationCallback,
+ ssl_config_.client_private_key->GetType(), hash));
+
 signature_result_ = ERR_IO_PENDING;
 ssl_config_.client_private_key->SignDigest(
 hash, base::StringPiece(reinterpret_cast<const char*>(in), in_len),
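Review bot: NetLogPrivateKeyOperationCallback has no header comment, and neither switch has a fallback arm, so an SSLPrivateKey::Type or Hash enumerator that is added later without updating this function would be logged as an empty "type" or "hash" string instead of something a reader of the log can act on. Chromium builds typically turn an unhandled enumerator in a switch without default into a compile error, which is what keeps this safe; if that is not guaranteed for this target, a `default: NOTREACHED();` arm, or logging the numeric value, would make the gap visible rather than silent. Suggested comment above the function: `// Builds the NetLog parameters for TYPE_SSL_PRIVATE_KEY_OPERATION: the key type and the digest algorithm, as names. Only algorithm identifiers are logged; the digest and signature bytes never reach the log, so the parameters are safe at any capture mode.` The unused `mode` parameter is consistent with that last point, and a short remark that nothing here depends on the capture mode would stop a later reader from wondering whether it was forgotten.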
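Review bot: Moving the BeginEvent below the EVP_MDToPrivateKeyHash check means the failure path — a digest this code cannot map, which is exactly the TLS 1.2 signature confusion the description says is hardest to diagnose — now leaves no TYPE_SSL_PRIVATE_KEY_OPERATION entry in the net log at all, whereas previously the event at least began. Whether the old code paired that BeginEvent with an EndEvent on the early return is not visible here, so the move may well be fixing an unbalanced event; the diagnostic gap remains either way. A comment on the early return stating the intent, e.g. `// No private-key event is logged here: the digest could not be mapped, so nothing will be signed and no EndEvent follows.`, or a NetLog entry on that path naming the rejected digest, would close it. PrivateKeySignCallback continues past the end of the hunk.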