author | joth@chromium.org <joth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-17 09:57:18 +0000 |
---|---|---|
committer | joth@chromium.org <joth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-17 09:57:18 +0000 |
commit | 313834720d46a68071afe305975f8b70e9bc5782 (patch) | |
tree | 1d7b0dea339a8bcf3499cf29f27217cc985f35a1 /net/socket | |
parent | 0d18ee21d5ddbfecf3951ac8fc0f5a30465e0ffe (diff) | |
Refactor EnsureOpenSSLInit and openssl_util into base
This allows the base/crypto methods to call EnsureOpenSSLInit.
Also factors out the SSL_CTX and X509_STORE so that each is associated with its consumer (the SSL socket and X509Certificate, respectively) rather than being a process-wide global.
BUG=None
TEST=None
Review URL: http://codereview.chromium.org/4963002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@66413 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r-- | net/socket/ssl_client_socket_openssl.cc | 34 |
1 files changed, 28 insertions, 6 deletions
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 3f01db2..62f3dbb 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -10,10 +10,10 @@
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 
-#include "net/base/cert_verifier.h"
 #include "base/metrics/histogram.h"
+#include "base/openssl_util.h"
+#include "net/base/cert_verifier.h"
 #include "net/base/net_errors.h"
-#include "net/base/openssl_util.h"
 #include "net/base/ssl_connection_status_flags.h"
 #include "net/base/ssl_info.h"
 
@@ -58,6 +58,29 @@ int MapOpenSSLError(int err) {
   }
 }
 
+// We do certificate verification after handshake, so we disable the default
+// by registering a no-op verify function.
+int NoOpVerifyCallback(X509_STORE_CTX*, void *) {
+  DVLOG(3) << "skipping cert verify";
+  return 1;
+}
+
+struct SSLContextSingletonTraits : public DefaultSingletonTraits<SSL_CTX> {
+  static SSL_CTX* New() {
+    base::EnsureOpenSSLInit();
+    SSL_CTX* self = SSL_CTX_new(SSLv23_client_method());
+    SSL_CTX_set_cert_verify_callback(self, NoOpVerifyCallback, NULL);
+    return self;
+  }
+  static void Delete(SSL_CTX* self) {
+    SSL_CTX_free(self);
+  }
+};
+
+SSL_CTX* GetSSLContext() {
+  return Singleton<SSL_CTX, SSLContextSingletonTraits>::get();
+}
+
 } // namespace
 
 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
@@ -93,7 +116,7 @@ bool SSLClientSocketOpenSSL::Init() {
   DCHECK(!ssl_);
   DCHECK(!transport_bio_);
 
-  ssl_ = SSL_new(GetOpenSSLInitSingleton()->ssl_ctx());
+  ssl_ = SSL_new(GetSSLContext());
   if (!ssl_) {
     MaybeLogSSLError();
     return false;
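Review bot: `SSLContextSingletonTraits::New()` in the second hunk never checks the result of `SSL_CTX_new`; on allocation failure the NULL context is handed unchecked to `SSL_CTX_set_cert_verify_callback` and, via `GetSSLContext()`, to `SSL_new` in `Init()`, so a `CHECK(self);` (or an early return with the OpenSSL error logged) belongs directly after the `SSL_CTX_new` call. Separately, the context returned by `GetSSLContext()` has OpenSSL's built-in chain verification switched off by `NoOpVerifyCallback` returning 1, which is only safe because this socket verifies the peer certificate itself after the handshake; that invariant lives only in a comment on the callback, not on the accessor other code will reach for. A comment on `GetSSLContext()` such as `// The returned SSL_CTX performs no certificate verification (see NoOpVerifyCallback); every SSL created from it must verify the peer certificate after the handshake.` would make the risk visible to any future caller that reuses the shared context, since such a caller would otherwise accept any certificate without warning.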
@@ -394,8 +417,7 @@ void SSLClientSocketOpenSSL::InvalidateSessionIfBadCertificate() {
     // see SSL_CTX_set_session_cache_mode(SSL_SESS_CACHE_CLIENT).
     SSL_SESSION* session = SSL_get_session(ssl_);
     LOG_IF(ERROR, session) << "Connection has a session?? " << session;
-    int rv = SSL_CTX_remove_session(GetOpenSSLInitSingleton()->ssl_ctx(),
-                                    session);
+    int rv = SSL_CTX_remove_session(GetSSLContext(), session);
     LOG_IF(ERROR, rv) << "Session was cached?? " << rv;
   }
 }
@@ -404,7 +426,7 @@ X509Certificate* SSLClientSocketOpenSSL::UpdateServerCert() {
   if (server_cert_)
     return server_cert_;
 
-  ScopedSSL<X509, X509_free> cert(SSL_get_peer_certificate(ssl_));
+  base::ScopedOpenSSL<X509, X509_free> cert(SSL_get_peer_certificate(ssl_));
   if (!cert.get()) {
     LOG(WARNING) << "SSL_get_peer_certificate returned NULL";
     return NULL;