author | joth@chromium.org <joth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-04 10:54:49 +0000 |
---|---|---|
committer | joth@chromium.org <joth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-04 10:54:49 +0000 |
commit | 3b1127720790197ff2e6f92ee4fdf4c878d3a49a (patch) | |
tree | 0ada866f73803042e0e653d8298aea244954f550 /net | |
parent | 2fad94b2a40a9da9d39ee130d0cefed176fb071d (diff) | |
Verify server cert using default host CA cert store
BUG=none
TEST=build with use_openssl=1 and open some https pages
Review URL: http://codereview.chromium.org/3518004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@61355 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/socket/ssl_client_socket_openssl.cc | 52 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_openssl.h | 6 |
2 files changed, 50 insertions, 8 deletions
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index c0ed36d..6dc3c51 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -21,7 +21,7 @@ namespace {
 
 // Enable this to see logging for state machine state transitions.
 #if 0
-#define GotoState(s) do { LOG(INFO) << (void *)this << " " << __FUNCTION__ << \
+#define GotoState(s) do { DVLOG(2) << (void *)this << " " << __FUNCTION__ << \
 " jump to state " << s; \
 next_handshake_state_ = s; } while (0)
 #else
@@ -29,13 +29,15 @@ namespace {
 #endif
 
 const size_t kMaxRecvBufferSize = 4096;
+static SSL_CTX* g_ctx = NULL;
+static int g_app_data_index = -1;
 
 void MaybeLogSSLError() {
 int error_num;
 while ((error_num = ERR_get_error()) != 0) {
 char buf[128]; // this buffer must be at least 120 chars long.
 ERR_error_string_n(error_num, buf, arraysize(buf));
-LOG(INFO) << "SSL error " << error_num << ": " << buf;
+DVLOG(1) << "SSL error " << error_num << ": " << buf;
 }
 }
 
@@ -52,10 +54,23 @@ int MapOpenSSLError(int err) {
 }
 }
 
-} // namespace
+// Registered with |g_ctx| as global verify callback handler; we unpack the
+// SSLClientSocketOpenSSL instance associated with this callback and delegate
+// the handling to it.
+int VerifyCallback(int preverify_ok, X509_STORE_CTX* x509_ctx) {
+ DCHECK_GE(g_app_data_index, 0);
+ // Retrieve the pointer to the SSL of the connection currently treated
+ // and from there, the application specific data stored in the SSL object.
+ SSL* ssl = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(
+ x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
+ DCHECK(ssl);
+ SSLClientSocketOpenSSL* self = static_cast<SSLClientSocketOpenSSL*>(
+ SSL_get_ex_data(ssl, g_app_data_index));
+ DCHECK(self);
+ return self->SSLVerifyCallback(preverify_ok, ssl, x509_ctx);
+}
 
-// static
-SSL_CTX* SSLClientSocketOpenSSL::g_ctx = NULL;
+} // namespace
 
 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
 ClientSocketHandle* transport_socket,
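Review bot: In VerifyCallback a null `self` (or null `ssl`) is caught only by DCHECK, so in a release build an SSL object whose ex-data slot was never set would be called through a null pointer instead of failing verification. Since a return of 0 from this callback is what tells OpenSSL to reject the certificate, the lookup failures should fail closed: replace `DCHECK(self);` with `if (!self) return 0;` (and likewise `if (!ssl) return 0;` after the X509_STORE_CTX_get_ex_data call), keeping the DCHECKs in front if the debug signal is wanted. Init() already refuses to proceed when SSL_set_ex_data fails, so this is defence in depth rather than a hot path.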
@@ -100,8 +115,16 @@ bool SSLClientSocketOpenSSL::InitOpenSSL() {
 MaybeLogSSLError();
 return false;
 }
+ g_app_data_index = SSL_get_ex_new_index(__LINE__, g_ctx, NULL, NULL, NULL);
+ DCHECK_GE(g_app_data_index, 0);
+
+ SSL_CTX_set_verify(g_ctx, SSL_VERIFY_PEER, VerifyCallback);
 
- SSL_CTX_set_verify(g_ctx, SSL_VERIFY_NONE, NULL /*callback*/);
+ // For now, just let OpenSSL load CA certs directly from the filesystem.
+ if (!SSL_CTX_set_default_verify_paths(g_ctx)) {
+ MaybeLogSSLError();
+ return false;
+ }
 
 return true;
 }
@@ -114,6 +137,11 @@ bool SSLClientSocketOpenSSL::Init() {
 return false;
 }
 
+ if (!SSL_set_ex_data(ssl_, g_app_data_index, this)) {
+ MaybeLogSSLError();
+ return false;
+ }
+
 if (!SSL_set_tlsext_host_name(ssl_, hostname_.c_str())) {
 MaybeLogSSLError();
 return false;
@@ -133,6 +161,18 @@ bool SSLClientSocketOpenSSL::Init() {
 return true;
 }
 
+int SSLClientSocketOpenSSL::SSLVerifyCallback(int preverify_ok,
+ SSL* ssl,
+ X509_STORE_CTX* x509_ctx) {
+ DCHECK_EQ(ssl_, ssl);
+ if (!preverify_ok) {
+ int depth = X509_STORE_CTX_get_error_depth(x509_ctx);
+ DVLOG(2) << "SSLVerifyCallback " << preverify_ok << " depth " << depth;
+ MaybeLogSSLError();
+ }
+ return preverify_ok;
+}
+
 // SSLClientSocket methods
 
 void SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) {
diff --git a/net/socket/ssl_client_socket_openssl.h b/net/socket/ssl_client_socket_openssl.h
index 7d850f8..1799a62 100644
--- a/net/socket/ssl_client_socket_openssl.h
+++ b/net/socket/ssl_client_socket_openssl.h
@@ -14,8 +14,8 @@
 #include "net/socket/client_socket_handle.h"
 
 typedef struct bio_st BIO;
-typedef struct ssl_ctx_st SSL_CTX;
 typedef struct ssl_st SSL;
+typedef struct x509_store_ctx_st X509_STORE_CTX;
 
 namespace net {
 
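Review bot: SSL_CTX_set_default_verify_paths() takes the CA file and directory from OpenSSL's compiled-in defaults, and those are overridable through the SSL_CERT_FILE and SSL_CERT_DIR environment variables, so the set of trust anchors this socket accepts now depends on the process environment and on the host's CA directory being correctly maintained. The `// For now` comment should say so, e.g. `// For now, just let OpenSSL load CA certs directly from the filesystem (its default paths, which SSL_CERT_FILE/SSL_CERT_DIR can override); this is not the platform trust store.` The rest of InitOpenSSL()'s body lies outside the hunk.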
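Review bot: Init() passes g_app_data_index to SSL_set_ex_data without checking that InitOpenSSL() has assigned it; presumably the call order guarantees that, but the -1 initial value would otherwise be handed straight to OpenSSL. Add `DCHECK_GE(g_app_data_index, 0);` before the SSL_set_ex_data call so the ordering dependency is explicit. Init()'s body starts and ends outside the hunk.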
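Review bot: SSLVerifyCallback only logs and returns preverify_ok, so the handshake now validates the chain against the CA store but nothing in this change checks that the leaf certificate is issued for hostname_; SSL_set_tlsext_host_name in the earlier hunk only sends SNI and does not perform name verification. Until a name check against hostname_ is added at depth 0, a `// TODO: hostname verification against hostname_ is not yet performed here.` on this method would keep that gap visible. Separately, MaybeLogSSLError() drains the ERR queue, but the reason for a verification failure lives in X509_STORE_CTX_get_error(x509_ctx), so the log line is more useful as `DVLOG(2) << "SSLVerifyCallback " << preverify_ok << " depth " << depth << " error " << X509_STORE_CTX_get_error(x509_ctx);`.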
@@ -35,6 +35,9 @@ class SSLClientSocketOpenSSL : public SSLClientSocket {
 const SSLConfig& ssl_config);
 ~SSLClientSocketOpenSSL();
 
+ // Called back from OpenSSL during cert verification (see SSL_CTX_set_verify).
+ int SSLVerifyCallback(int preverify_ok, SSL* ssl, X509_STORE_CTX* ctx);
+
 // SSLClientSocket methods:
 virtual void GetSSLInfo(SSLInfo* ssl_info);
 virtual void GetSSLCertRequestInfo(SSLCertRequestInfo* cert_request_info);
@@ -109,7 +112,6 @@ class SSLClientSocketOpenSSL : public SSLClientSocket {
 bool client_auth_cert_needed_;
 
 // OpenSSL stuff
-static SSL_CTX* g_ctx;
 SSL* ssl_;
 BIO* transport_bio_;
 
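Review bot: The header comment on SSLVerifyCallback names where the call comes from but not its contract, so a reader of the header cannot tell what the return value or the `ssl` argument mean. Expand it to `// Called back from OpenSSL during cert verification (see SSL_CTX_set_verify). |ssl| must be this socket's ssl_. Returns non-zero to accept the certificate at the current depth; returning 0 makes OpenSSL abort the handshake.` The class body continues outside the hunk.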