diff options
Diffstat (limited to 'net/socket/ssl_client_socket_openssl.cc')
| -rw-r--r-- | net/socket/ssl_client_socket_openssl.cc | 34 |
1 files changed, 28 insertions, 6 deletions
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc index 3f01db2..62f3dbb 100644 --- a/net/socket/ssl_client_socket_openssl.cc +++ b/net/socket/ssl_client_socket_openssl.cc @@ -10,10 +10,10 @@ #include <openssl/ssl.h> #include <openssl/err.h> -#include "net/base/cert_verifier.h" #include "base/metrics/histogram.h" +#include "base/openssl_util.h" +#include "net/base/cert_verifier.h" #include "net/base/net_errors.h" -#include "net/base/openssl_util.h" #include "net/base/ssl_connection_status_flags.h" #include "net/base/ssl_info.h" @@ -58,6 +58,29 @@ int MapOpenSSLError(int err) { } } +// We do certificate verification after handshake, so we disable the default +// by registering a no-op verify function. +int NoOpVerifyCallback(X509_STORE_CTX*, void *) { + DVLOG(3) << "skipping cert verify"; + return 1; +} + +struct SSLContextSingletonTraits : public DefaultSingletonTraits<SSL_CTX> { + static SSL_CTX* New() { + base::EnsureOpenSSLInit(); + SSL_CTX* self = SSL_CTX_new(SSLv23_client_method()); + SSL_CTX_set_cert_verify_callback(self, NoOpVerifyCallback, NULL); + return self; + } + static void Delete(SSL_CTX* self) { + SSL_CTX_free(self); + } +}; + +SSL_CTX* GetSSLContext() { + return Singleton<SSL_CTX, SSLContextSingletonTraits>::get(); +} + } // namespace SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( @@ -93,7 +116,7 @@ bool SSLClientSocketOpenSSL::Init() { DCHECK(!ssl_); DCHECK(!transport_bio_); - ssl_ = SSL_new(GetOpenSSLInitSingleton()->ssl_ctx()); + ssl_ = SSL_new(GetSSLContext()); if (!ssl_) { MaybeLogSSLError(); return false; @@ -394,8 +417,7 @@ void SSLClientSocketOpenSSL::InvalidateSessionIfBadCertificate() { // see SSL_CTX_set_session_cache_mode(SSL_SESS_CACHE_CLIENT). SSL_SESSION* session = SSL_get_session(ssl_); LOG_IF(ERROR, session) << "Connection has a session?? " << session; - int rv = SSL_CTX_remove_session(GetOpenSSLInitSingleton()->ssl_ctx(), - session); + int rv = SSL_CTX_remove_session(GetSSLContext(), session); LOG_IF(ERROR, rv) << "Session was cached?? " << rv; } } @@ -404,7 +426,7 @@ X509Certificate* SSLClientSocketOpenSSL::UpdateServerCert() { if (server_cert_) return server_cert_; - ScopedSSL<X509, X509_free> cert(SSL_get_peer_certificate(ssl_)); + base::ScopedOpenSSL<X509, X509_free> cert(SSL_get_peer_certificate(ssl_)); if (!cert.get()) { LOG(WARNING) << "SSL_get_peer_certificate returned NULL"; return NULL; |