blob: 119863ec4e1275eb7eb180bbe3bd973b02ee622c [file] [log] [blame]
[email protected]013c17c2012-01-21 19:09:011// Copyright (c) 2012 The Chromium Authors. All rights reserved.
[email protected]d518cd92010-09-29 12:27:442// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
svaldeze83af292016-04-26 14:33:375#include "net/socket/ssl_client_socket_impl.h"
[email protected]d518cd92010-09-29 12:27:446
[email protected]edfd0f42014-07-22 18:20:377#include <errno.h>
bnc67da3de2015-01-15 21:02:268#include <string.h>
[email protected]d518cd92010-09-29 12:27:449
mabb51c5142016-12-07 09:32:4010#include <algorithm>
David Benjaminf8ebd2b2017-12-15 19:22:4111#include <map>
davidben752bcf22015-12-21 22:55:5012#include <utility>
13
[email protected]0f7804ec2011-10-07 20:04:1814#include "base/bind.h"
[email protected]f2da6ac2013-02-04 08:22:5315#include "base/callback_helpers.h"
David Benjamin9ba36b02017-11-10 19:01:5316#include "base/containers/span.h"
David Benjamin6f2da652019-06-26 23:36:3517#include "base/feature_list.h"
davidben1d489522015-07-01 18:48:4618#include "base/lazy_instance.h"
Avi Drissman13fc8932015-12-20 04:40:4619#include "base/macros.h"
[email protected]3b63f8f42011-03-28 01:54:1520#include "base/memory/singleton.h"
mmenke1beda3d2016-07-22 03:33:4521#include "base/metrics/field_trial.h"
Adam Langley074164132018-01-17 03:27:3222#include "base/metrics/field_trial_params.h"
Ilya Sherman0eb39802017-12-08 20:58:1823#include "base/metrics/histogram_functions.h"
asvitkinec3c93722015-06-17 14:48:3724#include "base/metrics/histogram_macros.h"
davidben018aad62014-09-12 02:25:1925#include "base/strings/string_piece.h"
xunjieli9f8c5fb52016-12-07 22:59:3326#include "base/strings/stringprintf.h"
[email protected]20305ec2011-01-21 04:55:5227#include "base/synchronization/lock.h"
ssid6d6b40102016-04-05 18:59:5628#include "base/trace_event/trace_event.h"
estade5e5529d2015-05-21 20:59:1129#include "base/values.h"
[email protected]ee0f2aa82013-10-25 11:59:2630#include "crypto/ec_private_key.h"
[email protected]4b559b4d2011-04-14 17:37:1431#include "crypto/openssl_util.h"
David Benjamin570460e2018-10-16 06:01:2932#include "net/base/features.h"
martijna2e83bd2016-03-18 13:10:4533#include "net/base/ip_address.h"
[email protected]d518cd92010-09-29 12:27:4434#include "net/base/net_errors.h"
xunjieli0b7f5b62016-12-06 20:43:4835#include "net/base/trace_constants.h"
David Benjamind5503c82018-02-01 20:59:3836#include "net/base/url_util.h"
[email protected]6e7845ae2013-03-29 21:48:1137#include "net/cert/cert_verifier.h"
estark6f9b3d82016-01-12 21:37:0538#include "net/cert/ct_policy_enforcer.h"
estark723b5eeb2016-02-18 21:01:1239#include "net/cert/ct_policy_status.h"
davidbeneb5f8ef32014-09-04 14:14:3240#include "net/cert/ct_verifier.h"
David Benjaminf8ebd2b2017-12-15 19:22:4141#include "net/cert/internal/parse_certificate.h"
[email protected]6e7845ae2013-03-29 21:48:1142#include "net/cert/x509_certificate_net_log_param.h"
mattm316af822017-02-23 04:05:5643#include "net/cert/x509_util.h"
David Benjaminf8ebd2b2017-12-15 19:22:4144#include "net/der/parse_values.h"
[email protected]8bd4e7a2014-08-09 14:49:1745#include "net/http/transport_security_state.h"
mikecironef22f9812016-10-04 03:40:1946#include "net/log/net_log.h"
mikecirone8b85c432016-09-08 19:11:0047#include "net/log/net_log_event_type.h"
mikecironef22f9812016-10-04 03:40:1948#include "net/log/net_log_parameters_callback.h"
[email protected]536fd0b2013-03-14 17:41:5749#include "net/ssl/ssl_cert_request_info.h"
davidben281d13f02016-04-27 20:43:2850#include "net/ssl/ssl_cipher_suite_names.h"
svaldeze83af292016-04-26 14:33:3751#include "net/ssl/ssl_client_session_cache.h"
[email protected]536fd0b2013-03-14 17:41:5752#include "net/ssl/ssl_connection_status_flags.h"
53#include "net/ssl/ssl_info.h"
David Benjaminbd37c172018-07-11 17:24:5754#include "net/ssl/ssl_key_logger.h"
davidben1d489522015-07-01 18:48:4655#include "net/ssl/ssl_private_key.h"
[email protected]a2b2cfc2017-12-06 09:06:0856#include "net/traffic_annotation/network_traffic_annotation.h"
tfarinae8cb8aa2016-10-21 02:44:0157#include "third_party/boringssl/src/include/openssl/bio.h"
58#include "third_party/boringssl/src/include/openssl/bytestring.h"
59#include "third_party/boringssl/src/include/openssl/err.h"
60#include "third_party/boringssl/src/include/openssl/evp.h"
61#include "third_party/boringssl/src/include/openssl/mem.h"
62#include "third_party/boringssl/src/include/openssl/ssl.h"
[email protected]d518cd92010-09-29 12:27:4463
Adam Langley93cbfad12018-07-06 22:07:1664#if !defined(NET_DISABLE_BROTLI)
65#include "third_party/brotli/include/brotli/decode.h"
66#endif
67
[email protected]d518cd92010-09-29 12:27:4468namespace net {
69
70namespace {
71
[email protected]4b768562013-02-16 04:10:0772// This constant can be any non-negative/non-zero value (eg: it does not
73// overlap with any value of the net::Error range, including net::OK).
Oscar Johanssond49464e2018-07-02 09:35:4574const int kSSLClientSocketNoPendingResult = 1;
Jesse Selover94c9a942019-01-16 01:18:0475// This constant can be any non-negative/non-zero value (eg: it does not
76// overlap with any value of the net::Error range, including net::OK).
77const int kCertVerifyPending = 1;
[email protected]4b768562013-02-16 04:10:0778
haavardm2d92e722014-12-19 13:45:4479// Default size of the internal BoringSSL buffers.
mmenke1beda3d2016-07-22 03:33:4580const int kDefaultOpenSSLBufferSize = 17 * 1024;
haavardm2d92e722014-12-19 13:45:4481
Eric Romanb0436912019-04-30 23:38:4282base::Value NetLogPrivateKeyOperationCallback(uint16_t algorithm,
83 SSLPrivateKey* key,
84 NetLogCaptureMode mode) {
85 base::DictionaryValue value;
86 value.SetString("algorithm", SSL_get_signature_algorithm_name(
87 algorithm, 0 /* exclude curve */));
88 value.SetString("provider", key->GetProviderName());
davidben752bcf22015-12-21 22:55:5089 return std::move(value);
90}
91
Eric Romanb0436912019-04-30 23:38:4292base::Value NetLogSSLInfoCallback(SSLClientSocketImpl* socket,
93 NetLogCaptureMode capture_mode) {
davidben281d13f02016-04-27 20:43:2894 SSLInfo ssl_info;
95 if (!socket->GetSSLInfo(&ssl_info))
Eric Romanb0436912019-04-30 23:38:4296 return base::Value();
davidben281d13f02016-04-27 20:43:2897
Eric Romanb0436912019-04-30 23:38:4298 base::DictionaryValue dict;
davidben281d13f02016-04-27 20:43:2899 const char* version_str;
100 SSLVersionToString(&version_str,
101 SSLConnectionStatusToVersion(ssl_info.connection_status));
Eric Romanb0436912019-04-30 23:38:42102 dict.SetString("version", version_str);
103 dict.SetBoolean("is_resumed",
104 ssl_info.handshake_type == SSLInfo::HANDSHAKE_RESUME);
105 dict.SetInteger("cipher_suite",
106 SSLConnectionStatusToCipherSuite(ssl_info.connection_status));
davidben281d13f02016-04-27 20:43:28107
Eric Romanb0436912019-04-30 23:38:42108 dict.SetString("next_proto",
109 NextProtoToString(socket->GetNegotiatedProtocol()));
davidben281d13f02016-04-27 20:43:28110
111 return std::move(dict);
112}
113
Eric Romanb0436912019-04-30 23:38:42114base::Value NetLogSSLAlertCallback(const void* bytes,
115 size_t len,
116 NetLogCaptureMode capture_mode) {
117 base::DictionaryValue dict;
118 dict.SetKey("bytes", NetLogBinaryValue(bytes, len));
davidbencef9e212017-04-19 15:00:10119 return std::move(dict);
120}
121
Eric Romanb0436912019-04-30 23:38:42122base::Value NetLogSSLMessageCallback(bool is_write,
123 const void* bytes,
124 size_t len,
125 NetLogCaptureMode capture_mode) {
126 base::DictionaryValue dict;
davidbencef9e212017-04-19 15:00:10127 if (len == 0) {
128 NOTREACHED();
129 return std::move(dict);
130 }
131
132 // The handshake message type is the first byte. Include it so elided messages
133 // still report their type.
134 uint8_t type = reinterpret_cast<const uint8_t*>(bytes)[0];
Eric Romanb0436912019-04-30 23:38:42135 dict.SetInteger("type", type);
davidbencef9e212017-04-19 15:00:10136
137 // Elide client certificate messages unless logging socket bytes. The client
138 // certificate does not contain information needed to impersonate the user
139 // (that's the private key which isn't sent over the wire), but it may contain
140 // information on the user's identity.
141 if (!is_write || type != SSL3_MT_CERTIFICATE ||
142 capture_mode.include_socket_bytes()) {
Eric Romanb0436912019-04-30 23:38:42143 dict.SetKey("bytes", NetLogBinaryValue(bytes, len));
davidbencef9e212017-04-19 15:00:10144 }
145
146 return std::move(dict);
147}
148
David Benjaminf8ebd2b2017-12-15 19:22:41149// This enum is used in histograms, so values may not be reused.
150enum class RSAKeyUsage {
151 // The TLS cipher suite was not RSA or ECDHE_RSA.
152 kNotRSA = 0,
153 // The Key Usage extension is not present, which is consistent with TLS usage.
154 kOKNoExtension = 1,
155 // The Key Usage extension has both the digitalSignature and keyEncipherment
156 // bits, which is consistent with TLS usage.
157 kOKHaveBoth = 2,
158 // The Key Usage extension contains only the digitalSignature bit, which is
159 // consistent with TLS usage.
160 kOKHaveDigitalSignature = 3,
161 // The Key Usage extension contains only the keyEncipherment bit, which is
162 // consistent with TLS usage.
163 kOKHaveKeyEncipherment = 4,
164 // The Key Usage extension is missing the digitalSignature bit.
165 kMissingDigitalSignature = 5,
166 // The Key Usage extension is missing the keyEncipherment bit.
167 kMissingKeyEncipherment = 6,
168 // There was an error processing the certificate.
169 kError = 7,
170
171 kLastValue = kError,
172};
173
174RSAKeyUsage CheckRSAKeyUsage(const X509Certificate* cert,
175 const SSL_CIPHER* cipher) {
176 bool need_key_encipherment = false;
177 switch (SSL_CIPHER_get_kx_nid(cipher)) {
178 case NID_kx_rsa:
179 need_key_encipherment = true;
180 break;
181 case NID_kx_ecdhe:
182 if (SSL_CIPHER_get_auth_nid(cipher) != NID_auth_rsa) {
183 return RSAKeyUsage::kNotRSA;
184 }
185 break;
186 default:
187 return RSAKeyUsage::kNotRSA;
188 }
189
190 const CRYPTO_BUFFER* buffer = cert->cert_buffer();
191 der::Input tbs_certificate_tlv;
192 der::Input signature_algorithm_tlv;
193 der::BitString signature_value;
194 ParsedTbsCertificate tbs;
195 if (!ParseCertificate(
196 der::Input(CRYPTO_BUFFER_data(buffer), CRYPTO_BUFFER_len(buffer)),
197 &tbs_certificate_tlv, &signature_algorithm_tlv, &signature_value,
198 nullptr) ||
199 !ParseTbsCertificate(tbs_certificate_tlv,
200 x509_util::DefaultParseCertificateOptions(), &tbs,
201 nullptr)) {
202 return RSAKeyUsage::kError;
203 }
204
205 if (!tbs.has_extensions) {
206 return RSAKeyUsage::kOKNoExtension;
207 }
208
209 std::map<der::Input, ParsedExtension> extensions;
210 if (!ParseExtensions(tbs.extensions_tlv, &extensions)) {
211 return RSAKeyUsage::kError;
212 }
213 ParsedExtension key_usage_ext;
214 if (!ConsumeExtension(KeyUsageOid(), &extensions, &key_usage_ext)) {
215 return RSAKeyUsage::kOKNoExtension;
216 }
217 der::BitString key_usage;
218 if (!ParseKeyUsage(key_usage_ext.value, &key_usage)) {
219 return RSAKeyUsage::kError;
220 }
221
222 bool have_digital_signature =
223 key_usage.AssertsBit(KEY_USAGE_BIT_DIGITAL_SIGNATURE);
224 bool have_key_encipherment =
225 key_usage.AssertsBit(KEY_USAGE_BIT_KEY_ENCIPHERMENT);
226 if (have_digital_signature && have_key_encipherment) {
227 return RSAKeyUsage::kOKHaveBoth;
228 }
229
230 if (need_key_encipherment) {
231 return have_key_encipherment ? RSAKeyUsage::kOKHaveKeyEncipherment
232 : RSAKeyUsage::kMissingKeyEncipherment;
233 }
234 return have_digital_signature ? RSAKeyUsage::kOKHaveDigitalSignature
235 : RSAKeyUsage::kMissingDigitalSignature;
236}
237
Adam Langley93cbfad12018-07-06 22:07:16238#if !defined(NET_DISABLE_BROTLI)
239int DecompressBrotliCert(SSL* ssl,
240 CRYPTO_BUFFER** out,
241 size_t uncompressed_len,
242 const uint8_t* in,
243 size_t in_len) {
244 uint8_t* data;
245 bssl::UniquePtr<CRYPTO_BUFFER> decompressed(
246 CRYPTO_BUFFER_alloc(&data, uncompressed_len));
247 if (!decompressed) {
248 return 0;
249 }
250
251 size_t output_size = uncompressed_len;
252 if (BrotliDecoderDecompress(in_len, in, &output_size, data) !=
253 BROTLI_DECODER_RESULT_SUCCESS ||
254 output_size != uncompressed_len) {
255 return 0;
256 }
257
258 *out = decompressed.release();
259 return 1;
260}
261#endif
262
[email protected]821e3bb2013-11-08 01:06:01263} // namespace
264
svaldeze83af292016-04-26 14:33:37265class SSLClientSocketImpl::SSLContext {
[email protected]fbef13932010-11-23 12:38:53266 public:
olli.raula36aa8be2015-09-10 11:14:22267 static SSLContext* GetInstance() {
fdoray33e7c3c52017-01-19 18:37:23268 return base::Singleton<SSLContext,
269 base::LeakySingletonTraits<SSLContext>>::get();
olli.raula36aa8be2015-09-10 11:14:22270 }
[email protected]fbef13932010-11-23 12:38:53271 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); }
[email protected]fbef13932010-11-23 12:38:53272
svaldeze83af292016-04-26 14:33:37273 SSLClientSocketImpl* GetClientSocketFromSSL(const SSL* ssl) {
[email protected]fbef13932010-11-23 12:38:53274 DCHECK(ssl);
svaldeze83af292016-04-26 14:33:37275 SSLClientSocketImpl* socket = static_cast<SSLClientSocketImpl*>(
[email protected]fbef13932010-11-23 12:38:53276 SSL_get_ex_data(ssl, ssl_socket_data_index_));
277 DCHECK(socket);
278 return socket;
279 }
280
svaldeze83af292016-04-26 14:33:37281 bool SetClientSocketForSSL(SSL* ssl, SSLClientSocketImpl* socket) {
[email protected]fbef13932010-11-23 12:38:53282 return SSL_set_ex_data(ssl, ssl_socket_data_index_, socket) != 0;
283 }
284
David Benjaminbd37c172018-07-11 17:24:57285 void SetSSLKeyLogger(std::unique_ptr<SSLKeyLogger> logger) {
davidben2a811e4e2015-12-01 10:49:34286 DCHECK(!ssl_key_logger_);
David Benjaminbd37c172018-07-11 17:24:57287 ssl_key_logger_ = std::move(logger);
davidben2a811e4e2015-12-01 10:49:34288 SSL_CTX_set_keylog_callback(ssl_ctx_.get(), KeyLogCallback);
289 }
davidben2a811e4e2015-12-01 10:49:34290
davidben1d489522015-07-01 18:48:46291 static const SSL_PRIVATE_KEY_METHOD kPrivateKeyMethod;
292
[email protected]fbef13932010-11-23 12:38:53293 private:
olli.raula36aa8be2015-09-10 11:14:22294 friend struct base::DefaultSingletonTraits<SSLContext>;
[email protected]fbef13932010-11-23 12:38:53295
Daniel McArdle3a663d62019-01-31 00:48:47296 SSLContext() {
[email protected]4b559b4d2011-04-14 17:37:14297 crypto::EnsureOpenSSLInit();
Raul Tambre94493c652019-03-11 17:18:35298 ssl_socket_data_index_ =
299 SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
[email protected]fbef13932010-11-23 12:38:53300 DCHECK_NE(ssl_socket_data_index_, -1);
davidbena35b40c32017-03-09 17:33:45301 ssl_ctx_.reset(SSL_CTX_new(TLS_with_buffers_method()));
Raul Tambre94493c652019-03-11 17:18:35302 SSL_CTX_set_cert_cb(ssl_ctx_.get(), ClientCertRequestCallback, nullptr);
davidbena35b40c32017-03-09 17:33:45303
Jesse Selover94c9a942019-01-16 01:18:04304 // Verifies the server certificate even on resumed sessions.
305 SSL_CTX_set_reverify_on_resume(ssl_ctx_.get(), 1);
Steven Valdez3eaa9962017-07-18 21:51:05306 SSL_CTX_set_custom_verify(ssl_ctx_.get(), SSL_VERIFY_PEER,
Jesse Selover94c9a942019-01-16 01:18:04307 VerifyCertCallback);
davidbendafe4e52015-04-08 22:53:52308 // Disable the internal session cache. Session caching is handled
svaldeze83af292016-04-26 14:33:37309 // externally (i.e. by SSLClientSessionCache).
davidbendafe4e52015-04-08 22:53:52310 SSL_CTX_set_session_cache_mode(
311 ssl_ctx_.get(), SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL);
davidben44aeae62015-06-24 20:47:43312 SSL_CTX_sess_set_new_cb(ssl_ctx_.get(), NewSessionCallback);
davidben99ce6302016-11-09 17:30:28313 SSL_CTX_set_timeout(ssl_ctx_.get(), 1 * 60 * 60 /* one hour */);
nharper736ceda2015-11-07 00:16:59314
davidbenfacfac7b2016-09-27 22:39:53315 SSL_CTX_set_grease_enabled(ssl_ctx_.get(), 1);
316
davidbenbf0fcf12017-02-10 21:00:34317 // Deduplicate all certificates minted from the SSL_CTX in memory.
318 SSL_CTX_set0_buffer_pool(ssl_ctx_.get(), x509_util::GetBufferPool());
319
David Benjamin7a8e4dfa2018-06-12 23:07:21320 SSL_CTX_set_info_callback(ssl_ctx_.get(), InfoCallback);
davidbencef9e212017-04-19 15:00:10321 SSL_CTX_set_msg_callback(ssl_ctx_.get(), MessageCallback);
Adam Langley93cbfad12018-07-06 22:07:16322
323#if !defined(NET_DISABLE_BROTLI)
324 SSL_CTX_add_cert_compression_alg(
325 ssl_ctx_.get(), TLSEXT_cert_compression_brotli,
326 nullptr /* compression not supported */, DecompressBrotliCert);
327#endif
Adam Langleybb7f87fa2019-01-25 02:03:10328
329 if (base::FeatureList::IsEnabled(features::kPostQuantumCECPQ2)) {
330 static const int kCurves[] = {NID_CECPQ2, NID_X25519,
331 NID_X9_62_prime256v1, NID_secp384r1};
332 SSL_CTX_set1_curves(ssl_ctx_.get(), kCurves, base::size(kCurves));
333 }
[email protected]fbef13932010-11-23 12:38:53334 }
335
[email protected]82c59022014-08-15 09:38:27336 static int ClientCertRequestCallback(SSL* ssl, void* arg) {
svaldeze83af292016-04-26 14:33:37337 SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl);
[email protected]82c59022014-08-15 09:38:27338 DCHECK(socket);
339 return socket->ClientCertRequestCallback(ssl);
[email protected]718c9672010-12-02 10:04:10340 }
341
davidben44aeae62015-06-24 20:47:43342 static int NewSessionCallback(SSL* ssl, SSL_SESSION* session) {
svaldeze83af292016-04-26 14:33:37343 SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl);
davidben44aeae62015-06-24 20:47:43344 return socket->NewSessionCallback(session);
davidbendafe4e52015-04-08 22:53:52345 }
346
David Benjaminb9bafbe2017-11-07 21:41:38347 static ssl_private_key_result_t PrivateKeySignCallback(SSL* ssl,
348 uint8_t* out,
349 size_t* out_len,
350 size_t max_out,
351 uint16_t algorithm,
352 const uint8_t* in,
353 size_t in_len) {
svaldeze83af292016-04-26 14:33:37354 SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl);
David Benjaminb9bafbe2017-11-07 21:41:38355 return socket->PrivateKeySignCallback(out, out_len, max_out, algorithm, in,
356 in_len);
davidben0bca07fd2016-07-18 15:12:03357 }
358
359 static ssl_private_key_result_t PrivateKeyCompleteCallback(SSL* ssl,
360 uint8_t* out,
361 size_t* out_len,
362 size_t max_out) {
363 SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl);
364 return socket->PrivateKeyCompleteCallback(out, out_len, max_out);
davidben1d489522015-07-01 18:48:46365 }
366
davidben2a811e4e2015-12-01 10:49:34367 static void KeyLogCallback(const SSL* ssl, const char* line) {
368 GetInstance()->ssl_key_logger_->WriteLine(line);
369 }
davidben2a811e4e2015-12-01 10:49:34370
David Benjamin7a8e4dfa2018-06-12 23:07:21371 static void InfoCallback(const SSL* ssl, int type, int value) {
372 SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl);
373 socket->InfoCallback(type, value);
374 }
375
davidbencef9e212017-04-19 15:00:10376 static void MessageCallback(int is_write,
377 int version,
378 int content_type,
379 const void* buf,
380 size_t len,
381 SSL* ssl,
382 void* arg) {
383 SSLClientSocketImpl* socket = GetInstance()->GetClientSocketFromSSL(ssl);
384 return socket->MessageCallback(is_write, content_type, buf, len);
385 }
386
[email protected]fbef13932010-11-23 12:38:53387 // This is the index used with SSL_get_ex_data to retrieve the owner
svaldeze83af292016-04-26 14:33:37388 // SSLClientSocketImpl object from an SSL instance.
[email protected]fbef13932010-11-23 12:38:53389 int ssl_socket_data_index_;
390
davidbend80c12c2016-10-11 00:13:49391 bssl::UniquePtr<SSL_CTX> ssl_ctx_;
davidbendafe4e52015-04-08 22:53:52392
danakj655b66c2016-04-16 00:51:38393 std::unique_ptr<SSLKeyLogger> ssl_key_logger_;
[email protected]1279de12013-12-03 15:13:32394};
395
davidben1d489522015-07-01 18:48:46396const SSL_PRIVATE_KEY_METHOD
svaldeze83af292016-04-26 14:33:37397 SSLClientSocketImpl::SSLContext::kPrivateKeyMethod = {
David Benjaminb9bafbe2017-11-07 21:41:38398 &SSLClientSocketImpl::SSLContext::PrivateKeySignCallback,
davidben0bca07fd2016-07-18 15:12:03399 nullptr /* decrypt */,
400 &SSLClientSocketImpl::SSLContext::PrivateKeyCompleteCallback,
davidben1d489522015-07-01 18:48:46401};
402
svaldeze83af292016-04-26 14:33:37403SSLClientSocketImpl::SSLClientSocketImpl(
Matt Menke841fc412019-03-05 23:20:12404 std::unique_ptr<StreamSocket> stream_socket,
[email protected]055d7f22010-11-15 12:03:12405 const HostPortPair& host_and_port,
[email protected]822581d2010-12-16 17:27:15406 const SSLConfig& ssl_config,
[email protected]feb79bcd2011-07-21 16:55:17407 const SSLClientSocketContext& context)
Oscar Johanssond49464e2018-07-02 09:35:45408 : pending_read_error_(kSSLClientSocketNoPendingResult),
davidbenb8c23212014-10-28 00:12:16409 pending_read_ssl_error_(SSL_ERROR_NONE),
[email protected]64b5c892014-08-08 09:39:26410 completed_connect_(false),
[email protected]0dc88b32014-03-26 20:12:28411 was_ever_used_(false),
[email protected]feb79bcd2011-07-21 16:55:17412 cert_verifier_(context.cert_verifier),
Jesse Selover94c9a942019-01-16 01:18:04413 cert_verification_result_(kCertVerifyPending),
davidbeneb5f8ef32014-09-04 14:14:32414 cert_transparency_verifier_(context.cert_transparency_verifier),
Matt Menke841fc412019-03-05 23:20:12415 stream_socket_(std::move(stream_socket)),
Matt Menkefd956922019-02-04 23:44:03416 host_and_port_(host_and_port),
417 ssl_config_(ssl_config),
418 ssl_client_session_cache_(context.ssl_client_session_cache),
Matt Menkefd956922019-02-04 23:44:03419 next_handshake_state_(STATE_NONE),
420 in_confirm_handshake_(false),
421 disconnected_(false),
422 negotiated_protocol_(kProtoUnknown),
423 certificate_requested_(false),
424 signature_result_(kSSLClientSocketNoPendingResult),
425 transport_security_state_(context.transport_security_state),
426 policy_enforcer_(context.ct_policy_enforcer),
427 pkp_bypassed_(false),
428 is_fatal_cert_error_(false),
429 net_log_(stream_socket_->NetLog()),
kulkarni.acd7b4462014-08-28 07:41:34430 weak_factory_(this) {
rsleevibe81cd62016-06-24 01:38:59431 CHECK(cert_verifier_);
432 CHECK(transport_security_state_);
433 CHECK(cert_transparency_verifier_);
434 CHECK(policy_enforcer_);
[email protected]8e458552014-08-05 00:02:15435}
[email protected]d518cd92010-09-29 12:27:44436
svaldeze83af292016-04-26 14:33:37437SSLClientSocketImpl::~SSLClientSocketImpl() {
[email protected]d518cd92010-09-29 12:27:44438 Disconnect();
439}
440
David Benjaminbd37c172018-07-11 17:24:57441void SSLClientSocketImpl::SetSSLKeyLogger(
442 std::unique_ptr<SSLKeyLogger> logger) {
443 SSLContext::GetInstance()->SetSSLKeyLogger(std::move(logger));
zhongyi81f85c6d92015-10-16 19:34:14444}
445
svaldeze83af292016-04-26 14:33:37446int SSLClientSocketImpl::ExportKeyingMaterial(const base::StringPiece& label,
447 bool has_context,
448 const base::StringPiece& context,
449 unsigned char* out,
450 unsigned int outlen) {
davidben86935f72015-05-06 22:24:49451 if (!IsConnected())
452 return ERR_SOCKET_NOT_CONNECTED;
453
[email protected]b9b651f2013-11-09 04:32:22454 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
455
davidbenf225b262016-09-15 22:09:22456 if (!SSL_export_keying_material(
davidbend80c12c2016-10-11 00:13:49457 ssl_.get(), out, outlen, label.data(), label.size(),
davidbenf225b262016-09-15 22:09:22458 reinterpret_cast<const unsigned char*>(context.data()),
459 context.length(), has_context ? 1 : 0)) {
460 LOG(ERROR) << "Failed to export keying material.";
461 return ERR_FAILED;
[email protected]b9b651f2013-11-09 04:32:22462 }
davidbenf225b262016-09-15 22:09:22463
[email protected]b9b651f2013-11-09 04:32:22464 return OK;
465}
466
Brad Lassey3a814172018-04-26 03:30:21467int SSLClientSocketImpl::Connect(CompletionOnceCallback callback) {
svaldez4af14d22015-08-20 13:48:24468 // Although StreamSocket does allow calling Connect() after Disconnect(),
469 // this has never worked for layered sockets. CHECK to detect any consumers
470 // reconnecting an SSL socket.
471 //
472 // TODO(davidben,mmenke): Remove this API feature. See
473 // https://crbug.com/499289.
474 CHECK(!disconnected_);
475
mikecirone8b85c432016-09-08 19:11:00476 net_log_.BeginEvent(NetLogEventType::SSL_CONNECT);
[email protected]b9b651f2013-11-09 04:32:22477
478 // Set up new ssl object.
[email protected]c8a80e92014-05-17 16:02:08479 int rv = Init();
480 if (rv != OK) {
davidben281d13f02016-04-27 20:43:28481 LogConnectEndEvent(rv);
[email protected]c8a80e92014-05-17 16:02:08482 return rv;
[email protected]b9b651f2013-11-09 04:32:22483 }
484
485 // Set SSL to client mode. Handshake happens in the loop below.
davidbend80c12c2016-10-11 00:13:49486 SSL_set_connect_state(ssl_.get());
[email protected]b9b651f2013-11-09 04:32:22487
rsleeviadbd4982016-06-13 22:10:27488 next_handshake_state_ = STATE_HANDSHAKE;
[email protected]c8a80e92014-05-17 16:02:08489 rv = DoHandshakeLoop(OK);
[email protected]b9b651f2013-11-09 04:32:22490 if (rv == ERR_IO_PENDING) {
Brad Lassey3a814172018-04-26 03:30:21491 user_connect_callback_ = std::move(callback);
[email protected]b9b651f2013-11-09 04:32:22492 } else {
davidben281d13f02016-04-27 20:43:28493 LogConnectEndEvent(rv);
[email protected]b9b651f2013-11-09 04:32:22494 }
495
496 return rv > OK ? OK : rv;
497}
498
svaldeze83af292016-04-26 14:33:37499void SSLClientSocketImpl::Disconnect() {
svaldez4af14d22015-08-20 13:48:24500 disconnected_ = true;
501
[email protected]b9b651f2013-11-09 04:32:22502 // Shut down anything that may call us back.
eroman7f9236a2015-05-11 21:23:43503 cert_verifier_request_.reset();
davidben67e83912016-10-12 18:36:32504 weak_factory_.InvalidateWeakPtrs();
davidben3418e81f2016-10-19 00:09:45505 transport_adapter_.reset();
[email protected]b9b651f2013-11-09 04:32:22506
davidben67e83912016-10-12 18:36:32507 // Release user callbacks.
[email protected]b9b651f2013-11-09 04:32:22508 user_connect_callback_.Reset();
509 user_read_callback_.Reset();
510 user_write_callback_.Reset();
Raul Tambre94493c652019-03-11 17:18:35511 user_read_buf_ = nullptr;
svaldeze83af292016-04-26 14:33:37512 user_read_buf_len_ = 0;
Raul Tambre94493c652019-03-11 17:18:35513 user_write_buf_ = nullptr;
svaldeze83af292016-04-26 14:33:37514 user_write_buf_len_ = 0;
[email protected]b9b651f2013-11-09 04:32:22515
Matt Menkefd956922019-02-04 23:44:03516 stream_socket_->Disconnect();
[email protected]b9b651f2013-11-09 04:32:22517}
518
Steven Valdez6af02df2018-07-15 21:52:33519// ConfirmHandshake may only be called on a connected socket and, like other
520// socket methods, there may only be one ConfirmHandshake operation in progress
521// at once.
522int SSLClientSocketImpl::ConfirmHandshake(CompletionOnceCallback callback) {
523 CHECK(completed_connect_);
524 CHECK(!in_confirm_handshake_);
525 if (!SSL_in_early_data(ssl_.get())) {
526 return OK;
527 }
528
529 net_log_.BeginEvent(NetLogEventType::SSL_CONFIRM_HANDSHAKE);
530 next_handshake_state_ = STATE_HANDSHAKE;
531 in_confirm_handshake_ = true;
532 int rv = DoHandshakeLoop(OK);
533 if (rv == ERR_IO_PENDING) {
534 user_connect_callback_ = std::move(callback);
535 } else {
536 net_log_.EndEvent(NetLogEventType::SSL_CONFIRM_HANDSHAKE);
537 in_confirm_handshake_ = false;
538 }
539
540 return rv > OK ? OK : rv;
541}
542
svaldeze83af292016-04-26 14:33:37543bool SSLClientSocketImpl::IsConnected() const {
davidben67e83912016-10-12 18:36:32544 // If the handshake has not yet completed or the socket has been explicitly
545 // disconnected.
546 if (!completed_connect_ || disconnected_)
[email protected]b9b651f2013-11-09 04:32:22547 return false;
548 // If an asynchronous operation is still pending.
549 if (user_read_buf_.get() || user_write_buf_.get())
550 return true;
551
Matt Menkefd956922019-02-04 23:44:03552 return stream_socket_->IsConnected();
[email protected]b9b651f2013-11-09 04:32:22553}
554
svaldeze83af292016-04-26 14:33:37555bool SSLClientSocketImpl::IsConnectedAndIdle() const {
davidben67e83912016-10-12 18:36:32556 // If the handshake has not yet completed or the socket has been explicitly
557 // disconnected.
558 if (!completed_connect_ || disconnected_)
[email protected]b9b651f2013-11-09 04:32:22559 return false;
560 // If an asynchronous operation is still pending.
561 if (user_read_buf_.get() || user_write_buf_.get())
562 return false;
davidbenfc9a6b82015-04-15 23:47:32563
564 // If there is data read from the network that has not yet been consumed, do
565 // not treat the connection as idle.
566 //
davidben3418e81f2016-10-19 00:09:45567 // Note that this does not check whether there is ciphertext that has not yet
568 // been flushed to the network. |Write| returns early, so this can cause race
569 // conditions which cause a socket to not be treated reusable when it should
570 // be. See https://crbug.com/466147.
571 if (transport_adapter_->HasPendingReadData())
[email protected]b9b651f2013-11-09 04:32:22572 return false;
[email protected]b9b651f2013-11-09 04:32:22573
Matt Menkefd956922019-02-04 23:44:03574 return stream_socket_->IsConnectedAndIdle();
[email protected]b9b651f2013-11-09 04:32:22575}
576
svaldeze83af292016-04-26 14:33:37577int SSLClientSocketImpl::GetPeerAddress(IPEndPoint* addressList) const {
Matt Menkefd956922019-02-04 23:44:03578 return stream_socket_->GetPeerAddress(addressList);
[email protected]b9b651f2013-11-09 04:32:22579}
580
svaldeze83af292016-04-26 14:33:37581int SSLClientSocketImpl::GetLocalAddress(IPEndPoint* addressList) const {
Matt Menkefd956922019-02-04 23:44:03582 return stream_socket_->GetLocalAddress(addressList);
[email protected]b9b651f2013-11-09 04:32:22583}
584
tfarina428341112016-09-22 13:38:20585const NetLogWithSource& SSLClientSocketImpl::NetLog() const {
[email protected]b9b651f2013-11-09 04:32:22586 return net_log_;
587}
588
svaldeze83af292016-04-26 14:33:37589bool SSLClientSocketImpl::WasEverUsed() const {
[email protected]0dc88b32014-03-26 20:12:28590 return was_ever_used_;
[email protected]b9b651f2013-11-09 04:32:22591}
592
tfarina2846404c2016-12-25 14:31:37593bool SSLClientSocketImpl::WasAlpnNegotiated() const {
bnc3cf2a592016-08-11 14:48:36594 return negotiated_protocol_ != kProtoUnknown;
595}
596
597NextProto SSLClientSocketImpl::GetNegotiatedProtocol() const {
598 return negotiated_protocol_;
599}
600
svaldeze83af292016-04-26 14:33:37601bool SSLClientSocketImpl::GetSSLInfo(SSLInfo* ssl_info) {
[email protected]b9b651f2013-11-09 04:32:22602 ssl_info->Reset();
davidbenc7e06c92017-03-07 18:54:11603 if (!server_cert_)
[email protected]b9b651f2013-11-09 04:32:22604 return false;
605
606 ssl_info->cert = server_cert_verify_result_.verified_cert;
estark03d644f2015-06-13 00:11:32607 ssl_info->unverified_cert = server_cert_;
[email protected]b9b651f2013-11-09 04:32:22608 ssl_info->cert_status = server_cert_verify_result_.cert_status;
609 ssl_info->is_issued_by_known_root =
610 server_cert_verify_result_.is_issued_by_known_root;
dadriandf302c42016-06-10 18:48:59611 ssl_info->pkp_bypassed = pkp_bypassed_;
svaldeze83af292016-04-26 14:33:37612 ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes;
[email protected]b9b651f2013-11-09 04:32:22613 ssl_info->client_cert_sent =
614 ssl_config_.send_client_cert && ssl_config_.client_cert.get();
[email protected]8bd4e7a2014-08-09 14:49:17615 ssl_info->pinning_failure_log = pinning_failure_log_;
dadrian612337a2016-07-20 22:36:58616 ssl_info->ocsp_result = server_cert_verify_result_.ocsp_result;
Carlos IL81133382017-12-06 17:18:45617 ssl_info->is_fatal_cert_error = is_fatal_cert_error_;
estark723b5eeb2016-02-18 21:01:12618 AddCTInfoToSSLInfo(ssl_info);
davidbeneb5f8ef32014-09-04 14:14:32619
davidbend80c12c2016-10-11 00:13:49620 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_.get());
[email protected]b9b651f2013-11-09 04:32:22621 CHECK(cipher);
davidben3b00e402016-09-20 14:31:06622 // Historically, the "group" was known as "curve".
davidbend80c12c2016-10-11 00:13:49623 ssl_info->key_exchange_group = SSL_get_curve_id(ssl_.get());
David Benjamine7e073ef2018-10-25 01:26:06624 ssl_info->peer_signature_algorithm =
625 SSL_get_peer_signature_algorithm(ssl_.get());
[email protected]b9b651f2013-11-09 04:32:22626
ryanchung987b2ff2016-02-19 00:17:12627 SSLConnectionStatusSetCipherSuite(
628 static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)),
629 &ssl_info->connection_status);
davidbend80c12c2016-10-11 00:13:49630 SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_.get()),
ryanchung987b2ff2016-02-19 00:17:12631 &ssl_info->connection_status);
[email protected]b9b651f2013-11-09 04:32:22632
davidbend80c12c2016-10-11 00:13:49633 ssl_info->handshake_type = SSL_session_reused(ssl_.get())
svaldeze83af292016-04-26 14:33:37634 ? SSLInfo::HANDSHAKE_RESUME
635 : SSLInfo::HANDSHAKE_FULL;
[email protected]b9b651f2013-11-09 04:32:22636
[email protected]b9b651f2013-11-09 04:32:22637 return true;
638}
639
svaldeze83af292016-04-26 14:33:37640void SSLClientSocketImpl::GetConnectionAttempts(ConnectionAttempts* out) const {
ttuttle23fdb7b2015-05-15 01:28:03641 out->clear();
642}
643
svaldeze83af292016-04-26 14:33:37644int64_t SSLClientSocketImpl::GetTotalReceivedBytes() const {
Matt Menkefd956922019-02-04 23:44:03645 return stream_socket_->GetTotalReceivedBytes();
tbansalf82cc8e2015-10-14 20:05:49646}
647
xunjieli998d2472017-01-12 01:12:28648void SSLClientSocketImpl::DumpMemoryStats(SocketMemoryStats* stats) const {
649 if (transport_adapter_)
650 stats->buffer_size = transport_adapter_->GetAllocationSize();
davidbena35b40c32017-03-09 17:33:45651 const STACK_OF(CRYPTO_BUFFER)* server_cert_chain =
652 SSL_get0_peer_certificates(ssl_.get());
davidbenc7e06c92017-03-07 18:54:11653 if (server_cert_chain) {
David Benjamin8a4bc32b2018-03-30 15:24:53654 for (const CRYPTO_BUFFER* cert : server_cert_chain) {
davidbena35b40c32017-03-09 17:33:45655 stats->cert_size += CRYPTO_BUFFER_len(cert);
xunjieli9f8c5fb52016-12-07 22:59:33656 }
davidbena35b40c32017-03-09 17:33:45657 stats->cert_count = sk_CRYPTO_BUFFER_num(server_cert_chain);
xunjieli9f8c5fb52016-12-07 22:59:33658 }
xunjieliffe62df62017-02-23 18:22:41659 stats->total_size = stats->buffer_size + stats->cert_size;
xunjieli9f8c5fb52016-12-07 22:59:33660}
661
Bence Békydae8af5f2018-04-13 08:53:17662void SSLClientSocketImpl::GetSSLCertRequestInfo(
663 SSLCertRequestInfo* cert_request_info) const {
664 if (!ssl_) {
665 NOTREACHED();
666 return;
667 }
668
669 cert_request_info->host_and_port = host_and_port_;
670
671 cert_request_info->cert_authorities.clear();
672 const STACK_OF(CRYPTO_BUFFER)* authorities =
673 SSL_get0_server_requested_CAs(ssl_.get());
674 for (const CRYPTO_BUFFER* ca_name : authorities) {
675 cert_request_info->cert_authorities.push_back(
676 std::string(reinterpret_cast<const char*>(CRYPTO_BUFFER_data(ca_name)),
677 CRYPTO_BUFFER_len(ca_name)));
678 }
679
680 cert_request_info->cert_key_types.clear();
681 const uint8_t* client_cert_types;
682 size_t num_client_cert_types =
683 SSL_get0_certificate_types(ssl_.get(), &client_cert_types);
684 for (size_t i = 0; i < num_client_cert_types; i++) {
685 cert_request_info->cert_key_types.push_back(
686 static_cast<SSLClientCertType>(client_cert_types[i]));
687 }
688}
689
Paul Jensen0f49dec2017-12-12 23:39:58690void SSLClientSocketImpl::ApplySocketTag(const SocketTag& tag) {
Matt Menkefd956922019-02-04 23:44:03691 return stream_socket_->ApplySocketTag(tag);
Paul Jensen0f49dec2017-12-12 23:39:58692}
693
svaldeze83af292016-04-26 14:33:37694int SSLClientSocketImpl::Read(IOBuffer* buf,
695 int buf_len,
Brad Lassey3a814172018-04-26 03:30:21696 CompletionOnceCallback callback) {
697 int rv = ReadIfReady(buf, buf_len, std::move(callback));
xunjieli321a96f32017-03-07 19:42:17698 if (rv == ERR_IO_PENDING) {
699 user_read_buf_ = buf;
700 user_read_buf_len_ = buf_len;
701 }
702 return rv;
703}
[email protected]b9b651f2013-11-09 04:32:22704
xunjieli321a96f32017-03-07 19:42:17705int SSLClientSocketImpl::ReadIfReady(IOBuffer* buf,
706 int buf_len,
Brad Lassey3a814172018-04-26 03:30:21707 CompletionOnceCallback callback) {
xunjieli321a96f32017-03-07 19:42:17708 int rv = DoPayloadRead(buf, buf_len);
[email protected]b9b651f2013-11-09 04:32:22709
710 if (rv == ERR_IO_PENDING) {
Brad Lassey3a814172018-04-26 03:30:21711 user_read_callback_ = std::move(callback);
[email protected]b9b651f2013-11-09 04:32:22712 } else {
[email protected]0dc88b32014-03-26 20:12:28713 if (rv > 0)
714 was_ever_used_ = true;
[email protected]b9b651f2013-11-09 04:32:22715 }
[email protected]b9b651f2013-11-09 04:32:22716 return rv;
717}
718
Helen Li5f3d96a2018-08-10 20:37:24719int SSLClientSocketImpl::CancelReadIfReady() {
Matt Menkefd956922019-02-04 23:44:03720 int result = stream_socket_->CancelReadIfReady();
Helen Li5f3d96a2018-08-10 20:37:24721 // Cancel |user_read_callback_|, because caller does not expect the callback
722 // to be invoked after they have canceled the ReadIfReady.
723 user_read_callback_.Reset();
724 return result;
725}
726
[email protected]a2b2cfc2017-12-06 09:06:08727int SSLClientSocketImpl::Write(
728 IOBuffer* buf,
729 int buf_len,
Brad Lassey3a814172018-04-26 03:30:21730 CompletionOnceCallback callback,
[email protected]a2b2cfc2017-12-06 09:06:08731 const NetworkTrafficAnnotationTag& traffic_annotation) {
[email protected]b9b651f2013-11-09 04:32:22732 user_write_buf_ = buf;
733 user_write_buf_len_ = buf_len;
734
davidben3418e81f2016-10-19 00:09:45735 int rv = DoPayloadWrite();
[email protected]b9b651f2013-11-09 04:32:22736
737 if (rv == ERR_IO_PENDING) {
Brad Lassey3a814172018-04-26 03:30:21738 user_write_callback_ = std::move(callback);
[email protected]b9b651f2013-11-09 04:32:22739 } else {
[email protected]0dc88b32014-03-26 20:12:28740 if (rv > 0)
741 was_ever_used_ = true;
Raul Tambre94493c652019-03-11 17:18:35742 user_write_buf_ = nullptr;
[email protected]b9b651f2013-11-09 04:32:22743 user_write_buf_len_ = 0;
744 }
745
746 return rv;
747}
748
svaldeze83af292016-04-26 14:33:37749int SSLClientSocketImpl::SetReceiveBufferSize(int32_t size) {
Matt Menkefd956922019-02-04 23:44:03750 return stream_socket_->SetReceiveBufferSize(size);
[email protected]b9b651f2013-11-09 04:32:22751}
752
svaldeze83af292016-04-26 14:33:37753int SSLClientSocketImpl::SetSendBufferSize(int32_t size) {
Matt Menkefd956922019-02-04 23:44:03754 return stream_socket_->SetSendBufferSize(size);
[email protected]b9b651f2013-11-09 04:32:22755}
756
davidben3418e81f2016-10-19 00:09:45757void SSLClientSocketImpl::OnReadReady() {
758 // During a renegotiation, either Read or Write calls may be blocked on a
759 // transport read.
760 RetryAllOperations();
761}
762
763void SSLClientSocketImpl::OnWriteReady() {
764 // During a renegotiation, either Read or Write calls may be blocked on a
765 // transport read.
766 RetryAllOperations();
767}
768
Steven Valdezeec684e3e2018-12-13 16:28:23769static bool EnforceTLS13DowngradeForKnownRootsOnly() {
770 return base::FeatureList::IsEnabled(features::kEnforceTLS13Downgrade) &&
771 base::GetFieldTrialParamByFeatureAsBool(
772 features::kEnforceTLS13Downgrade, "known_roots_only", true);
773}
774
svaldeze83af292016-04-26 14:33:37775int SSLClientSocketImpl::Init() {
[email protected]9e733f32010-10-04 18:19:08776 DCHECK(!ssl_);
[email protected]9e733f32010-10-04 18:19:08777
[email protected]b29af7d2010-12-14 11:52:47778 SSLContext* context = SSLContext::GetInstance();
[email protected]4b559b4d2011-04-14 17:37:14779 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
[email protected]d518cd92010-09-29 12:27:44780
davidbend80c12c2016-10-11 00:13:49781 ssl_.reset(SSL_new(context->ssl_ctx()));
782 if (!ssl_ || !context->SetClientSocketForSSL(ssl_.get(), this))
[email protected]c8a80e92014-05-17 16:02:08783 return ERR_UNEXPECTED;
[email protected]fbef13932010-11-23 12:38:53784
davidben9bc0466f2015-06-16 22:21:27785 // SNI should only contain valid DNS hostnames, not IP addresses (see RFC
786 // 6066, Section 3).
787 //
788 // TODO(rsleevi): Should this code allow hostnames that violate the LDH rule?
789 // See https://crbug.com/496472 and https://crbug.com/496468 for discussion.
martijna2e83bd2016-03-18 13:10:45790 IPAddress unused;
791 if (!unused.AssignFromIPLiteral(host_and_port_.host()) &&
davidbend80c12c2016-10-11 00:13:49792 !SSL_set_tlsext_host_name(ssl_.get(), host_and_port_.host().c_str())) {
[email protected]c8a80e92014-05-17 16:02:08793 return ERR_UNEXPECTED;
davidben9bc0466f2015-06-16 22:21:27794 }
[email protected]fbef13932010-11-23 12:38:53795
Daniel McArdle3a663d62019-01-31 00:48:47796 if (IsCachingEnabled()) {
Steven Valdeze6112f42017-10-05 22:20:12797 bssl::UniquePtr<SSL_SESSION> session =
Daniel McArdle3a663d62019-01-31 00:48:47798 ssl_client_session_cache_->Lookup(GetSessionCacheKey());
David Benjaminb3840f42017-08-03 15:50:16799 if (session)
800 SSL_set_session(ssl_.get(), session.get());
801 }
[email protected]d518cd92010-09-29 12:27:44802
Helen Lif3aa9622018-05-24 00:18:07803 transport_adapter_.reset(
Matt Menke841fc412019-03-05 23:20:12804 new SocketBIOAdapter(stream_socket_.get(), kDefaultOpenSSLBufferSize,
Helen Lif3aa9622018-05-24 00:18:07805 kDefaultOpenSSLBufferSize, this));
davidben3418e81f2016-10-19 00:09:45806 BIO* transport_bio = transport_adapter_->bio();
mmenke1beda3d2016-07-22 03:33:45807
davidben3418e81f2016-10-19 00:09:45808 BIO_up_ref(transport_bio); // SSL_set0_rbio takes ownership.
809 SSL_set0_rbio(ssl_.get(), transport_bio);
haavardm2d92e722014-12-19 13:45:44810
davidben3418e81f2016-10-19 00:09:45811 BIO_up_ref(transport_bio); // SSL_set0_wbio takes ownership.
812 SSL_set0_wbio(ssl_.get(), transport_bio);
[email protected]d518cd92010-09-29 12:27:44813
davidbenb937d6c2015-05-14 04:53:42814 DCHECK_LT(SSL3_VERSION, ssl_config_.version_min);
815 DCHECK_LT(SSL3_VERSION, ssl_config_.version_max);
davidbend80c12c2016-10-11 00:13:49816 if (!SSL_set_min_proto_version(ssl_.get(), ssl_config_.version_min) ||
817 !SSL_set_max_proto_version(ssl_.get(), ssl_config_.version_max)) {
davidben952bdf22016-09-21 23:42:16818 return ERR_UNEXPECTED;
819 }
davidbenb937d6c2015-05-14 04:53:42820
Steven Valdez6af02df2018-07-15 21:52:33821 SSL_set_early_data_enabled(ssl_.get(), ssl_config_.early_data_enabled);
822
Steven Valdez50a3d2c92018-11-14 19:45:59823 if (!base::FeatureList::IsEnabled(features::kEnforceTLS13Downgrade) ||
Steven Valdezeec684e3e2018-12-13 16:28:23824 EnforceTLS13DowngradeForKnownRootsOnly()) {
David Benjamin570460e2018-10-16 06:01:29825 SSL_set_ignore_tls13_downgrade(ssl_.get(), 1);
826 }
827
[email protected]9e733f32010-10-04 18:19:08828 // OpenSSL defaults some options to on, others to off. To avoid ambiguity,
829 // set everything we care about to an absolute value.
[email protected]fb10e2282010-12-01 17:08:48830 SslSetClearMask options;
[email protected]d0f00492012-08-03 22:35:13831 options.ConfigureFlag(SSL_OP_NO_COMPRESSION, true);
[email protected]9e733f32010-10-04 18:19:08832
833 // TODO(joth): Set this conditionally, see http://crbug.com/55410
[email protected]fb10e2282010-12-01 17:08:48834 options.ConfigureFlag(SSL_OP_LEGACY_SERVER_CONNECT, true);
[email protected]9e733f32010-10-04 18:19:08835
davidbend80c12c2016-10-11 00:13:49836 SSL_set_options(ssl_.get(), options.set_mask);
837 SSL_clear_options(ssl_.get(), options.clear_mask);
[email protected]9e733f32010-10-04 18:19:08838
[email protected]fb10e2282010-12-01 17:08:48839 // Same as above, this time for the SSL mode.
840 SslSetClearMask mode;
[email protected]9e733f32010-10-04 18:19:08841
[email protected]fb10e2282010-12-01 17:08:48842 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true);
ishermane5c05e12014-09-09 20:32:15843 mode.ConfigureFlag(SSL_MODE_CBC_RECORD_SPLITTING, true);
[email protected]fb10e2282010-12-01 17:08:48844
davidben818d93b2015-02-19 22:27:32845 mode.ConfigureFlag(SSL_MODE_ENABLE_FALSE_START,
[email protected]b788de02014-04-23 18:06:07846 ssl_config_.false_start_enabled);
847
davidbend80c12c2016-10-11 00:13:49848 SSL_set_mode(ssl_.get(), mode.set_mask);
849 SSL_clear_mode(ssl_.get(), mode.clear_mask);
[email protected]109805a2010-12-07 18:17:06850
Steven Valdez99a85a62018-05-03 18:13:45851 // Use BoringSSL defaults, but disable HMAC-SHA1 ciphers in ECDSA. These are
852 // the remaining CBC-mode ECDSA ciphers.
853 std::string command("ALL::!aPSK:!ECDSA+SHA1");
davidben9b4a9b9c2015-10-12 18:46:51854
855 if (ssl_config_.require_ecdhe)
davidben1863716b2017-05-03 20:06:20856 command.append(":!kRSA");
davidben8ecc3072014-09-03 23:19:09857
davidben9b4a9b9c2015-10-12 18:46:51858 // Remove any disabled ciphers.
859 for (uint16_t id : ssl_config_.disabled_cipher_suites) {
860 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id);
861 if (cipher) {
862 command.append(":!");
863 command.append(SSL_CIPHER_get_name(cipher));
864 }
865 }
866
davidben1863716b2017-05-03 20:06:20867 if (!SSL_set_strict_cipher_list(ssl_.get(), command.c_str())) {
868 LOG(ERROR) << "SSL_set_cipher_list('" << command << "') failed";
869 return ERR_UNEXPECTED;
870 }
[email protected]ee0f2aa82013-10-25 11:59:26871
bnc1f295372015-10-21 23:24:22872 if (!ssl_config_.alpn_protos.empty()) {
bnc988e68d2016-06-27 14:03:21873 std::vector<uint8_t> wire_protos =
874 SerializeNextProtos(ssl_config_.alpn_protos);
davidbend80c12c2016-10-11 00:13:49875 SSL_set_alpn_protos(ssl_.get(),
Raul Tambre94493c652019-03-11 17:18:35876 wire_protos.empty() ? nullptr : &wire_protos[0],
[email protected]abc44b752014-07-30 03:52:15877 wire_protos.size());
878 }
879
Ryan Sleevid1a894e2018-04-03 20:24:07880 SSL_enable_signed_cert_timestamps(ssl_.get());
881 SSL_enable_ocsp_stapling(ssl_.get());
davidbeneb5f8ef32014-09-04 14:14:32882
davidben971a681a2017-02-16 18:57:46883 // Configure BoringSSL to allow renegotiations. Once the initial handshake
884 // completes, if renegotiations are not allowed, the default reject value will
885 // be restored. This is done in this order to permit a BoringSSL
886 // optimization. See https://crbug.com/boringssl/123.
887 SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_freely);
888
David Benjamin8373dea2018-05-07 15:39:10889 SSL_set_shed_handshake_config(ssl_.get(), 1);
[email protected]c8a80e92014-05-17 16:02:08890 return OK;
[email protected]d518cd92010-09-29 12:27:44891}
892
svaldeze83af292016-04-26 14:33:37893void SSLClientSocketImpl::DoReadCallback(int rv) {
[email protected]b9b651f2013-11-09 04:32:22894 // Since Run may result in Read being called, clear |user_read_callback_|
895 // up front.
[email protected]0dc88b32014-03-26 20:12:28896 if (rv > 0)
897 was_ever_used_ = true;
xunjieli321a96f32017-03-07 19:42:17898 user_read_buf_ = nullptr;
[email protected]b9b651f2013-11-09 04:32:22899 user_read_buf_len_ = 0;
Brad Lassey3a814172018-04-26 03:30:21900 std::move(user_read_callback_).Run(rv);
[email protected]b9b651f2013-11-09 04:32:22901}
902
svaldeze83af292016-04-26 14:33:37903void SSLClientSocketImpl::DoWriteCallback(int rv) {
[email protected]b9b651f2013-11-09 04:32:22904 // Since Run may result in Write being called, clear |user_write_callback_|
905 // up front.
[email protected]0dc88b32014-03-26 20:12:28906 if (rv > 0)
907 was_ever_used_ = true;
Raul Tambre94493c652019-03-11 17:18:35908 user_write_buf_ = nullptr;
[email protected]b9b651f2013-11-09 04:32:22909 user_write_buf_len_ = 0;
Brad Lassey3a814172018-04-26 03:30:21910 std::move(user_write_callback_).Run(rv);
[email protected]b9b651f2013-11-09 04:32:22911}
912
svaldeze83af292016-04-26 14:33:37913int SSLClientSocketImpl::DoHandshake() {
[email protected]b9b651f2013-11-09 04:32:22914 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
vadimt5a243282014-12-24 00:26:16915
David Benjamin5f98efe2018-04-12 07:32:41916 int rv = SSL_do_handshake(ssl_.get());
davidbenc4212c02015-05-12 22:30:18917 int net_error = OK;
918 if (rv <= 0) {
davidbend80c12c2016-10-11 00:13:49919 int ssl_error = SSL_get_error(ssl_.get(), rv);
davidbenced4aa9b2015-05-12 21:22:35920 if (ssl_error == SSL_ERROR_WANT_X509_LOOKUP &&
921 !ssl_config_.send_client_cert) {
922 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
923 }
davidben1d489522015-07-01 18:48:46924 if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) {
svaldez7872fd02015-11-19 21:10:54925 DCHECK(ssl_config_.client_private_key);
Oscar Johanssond49464e2018-07-02 09:35:45926 DCHECK_NE(kSSLClientSocketNoPendingResult, signature_result_);
rsleeviadbd4982016-06-13 22:10:27927 next_handshake_state_ = STATE_HANDSHAKE;
davidben1d489522015-07-01 18:48:46928 return ERR_IO_PENDING;
929 }
Jesse Selover94c9a942019-01-16 01:18:04930 if (ssl_error == SSL_ERROR_WANT_CERTIFICATE_VERIFY) {
931 DCHECK(cert_verifier_request_);
932 next_handshake_state_ = STATE_HANDSHAKE;
933 return ERR_IO_PENDING;
934 }
[email protected]b9b651f2013-11-09 04:32:22935
davidbena4409c62014-08-27 17:05:51936 OpenSSLErrorInfo error_info;
davidbenfe132d92016-09-27 18:07:21937 net_error = MapLastOpenSSLError(ssl_error, err_tracer, &error_info);
[email protected]b9b651f2013-11-09 04:32:22938 if (net_error == ERR_IO_PENDING) {
davidbenc4212c02015-05-12 22:30:18939 // If not done, stay in this state
rsleeviadbd4982016-06-13 22:10:27940 next_handshake_state_ = STATE_HANDSHAKE;
davidbenc4212c02015-05-12 22:30:18941 return ERR_IO_PENDING;
942 }
943
944 LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code "
945 << ssl_error << ", net_error " << net_error;
946 net_log_.AddEvent(
mikecirone8b85c432016-09-08 19:11:00947 NetLogEventType::SSL_HANDSHAKE_ERROR,
davidbenc4212c02015-05-12 22:30:18948 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info));
949 }
950
rsleeviadbd4982016-06-13 22:10:27951 next_handshake_state_ = STATE_HANDSHAKE_COMPLETE;
davidbenc4212c02015-05-12 22:30:18952 return net_error;
953}
954
svaldeze83af292016-04-26 14:33:37955int SSLClientSocketImpl::DoHandshakeComplete(int result) {
davidbenc4212c02015-05-12 22:30:18956 if (result < 0)
957 return result;
958
Steven Valdez6af02df2018-07-15 21:52:33959 if (in_confirm_handshake_) {
960 next_handshake_state_ = STATE_NONE;
961 return OK;
962 }
963
Daniel McArdle3a663d62019-01-31 00:48:47964 if (IsCachingEnabled()) {
965 ssl_client_session_cache_->ResetLookupCount(GetSessionCacheKey());
David Benjaminb3840f42017-08-03 15:50:16966 }
967
Raul Tambre94493c652019-03-11 17:18:35968 const uint8_t* alpn_proto = nullptr;
bncce6ea242016-09-15 20:22:32969 unsigned alpn_len = 0;
davidbend80c12c2016-10-11 00:13:49970 SSL_get0_alpn_selected(ssl_.get(), &alpn_proto, &alpn_len);
bncce6ea242016-09-15 20:22:32971 if (alpn_len > 0) {
972 base::StringPiece proto(reinterpret_cast<const char*>(alpn_proto),
973 alpn_len);
974 negotiated_protocol_ = NextProtoFromString(proto);
[email protected]b9b651f2013-11-09 04:32:22975 }
davidbenc4212c02015-05-12 22:30:18976
bncbd442c22016-09-14 20:49:16977 RecordNegotiatedProtocol();
davidbenc4212c02015-05-12 22:30:18978
dadriand476e652016-07-26 21:33:24979 const uint8_t* ocsp_response_raw;
980 size_t ocsp_response_len;
davidbend80c12c2016-10-11 00:13:49981 SSL_get0_ocsp_response(ssl_.get(), &ocsp_response_raw, &ocsp_response_len);
dadriand476e652016-07-26 21:33:24982 set_stapled_ocsp_response_received(ocsp_response_len != 0);
davidbenc4212c02015-05-12 22:30:18983
984 const uint8_t* sct_list;
985 size_t sct_list_len;
davidbend80c12c2016-10-11 00:13:49986 SSL_get0_signed_cert_timestamp_list(ssl_.get(), &sct_list, &sct_list_len);
davidbenc4212c02015-05-12 22:30:18987 set_signed_cert_timestamps_received(sct_list_len != 0);
988
davidben971a681a2017-02-16 18:57:46989 if (!IsRenegotiationAllowed())
990 SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_never);
davidbenc4212c02015-05-12 22:30:18991
davidbend80c12c2016-10-11 00:13:49992 uint16_t signature_algorithm = SSL_get_peer_signature_algorithm(ssl_.get());
davidben0653c8d2016-07-08 02:16:17993 if (signature_algorithm != 0) {
Ilya Sherman0eb39802017-12-08 20:58:18994 base::UmaHistogramSparse("Net.SSLSignatureAlgorithm", signature_algorithm);
davidben4fe4f982015-11-11 22:00:12995 }
996
Jesse Seloverdaf87902018-12-03 20:44:30997 SSLInfo ssl_info;
998 bool ok = GetSSLInfo(&ssl_info);
Jesse Selover94c9a942019-01-16 01:18:04999 // Ensure the verify callback was called, and got far enough to fill
1000 // in server_cert_.
1001 CHECK(ok);
Jesse Seloverdaf87902018-12-03 20:44:301002
1003 // See how feasible enforcing RSA key usage would be. See
1004 // https://crbug.com/795089.
1005 RSAKeyUsage rsa_key_usage =
1006 CheckRSAKeyUsage(server_cert_.get(), SSL_get_current_cipher(ssl_.get()));
1007 if (rsa_key_usage != RSAKeyUsage::kNotRSA) {
1008 if (server_cert_verify_result_.is_issued_by_known_root) {
1009 UMA_HISTOGRAM_ENUMERATION("Net.SSLRSAKeyUsage.KnownRoot", rsa_key_usage,
1010 static_cast<int>(RSAKeyUsage::kLastValue) + 1);
1011 } else {
1012 UMA_HISTOGRAM_ENUMERATION("Net.SSLRSAKeyUsage.UnknownRoot", rsa_key_usage,
1013 static_cast<int>(RSAKeyUsage::kLastValue) + 1);
1014 }
1015 }
1016
Jesse Seloverdaf87902018-12-03 20:44:301017 if (!base::FeatureList::IsEnabled(features::kEnforceTLS13Downgrade) ||
Steven Valdezeec684e3e2018-12-13 16:28:231018 EnforceTLS13DowngradeForKnownRootsOnly()) {
Jesse Seloverdaf87902018-12-03 20:44:301019 // Record metrics on the TLS 1.3 anti-downgrade mechanism. This is only
1020 // recorded when enforcement is disabled. (When enforcement is enabled,
1021 // the connection will fail with ERR_TLS13_DOWNGRADE_DETECTED.) See
1022 // https://crbug.com/boringssl/226.
1023 //
1024 // Record metrics for both servers overall and the TLS 1.3 experiment
1025 // set. These metrics are only useful on TLS 1.3 servers, so the latter
1026 // is more precise, but there is a large enough TLS 1.3 deployment that
1027 // the overall numbers may be more robust. In particular, the
1028 // DowngradeType metrics do not need to be filtered.
1029 bool is_downgrade = !!SSL_is_tls13_downgrade(ssl_.get());
1030 UMA_HISTOGRAM_BOOLEAN("Net.SSLTLS13Downgrade", is_downgrade);
1031 bool is_tls13_experiment_host =
1032 IsTLS13ExperimentHost(host_and_port_.host());
1033 if (is_tls13_experiment_host) {
1034 UMA_HISTOGRAM_BOOLEAN("Net.SSLTLS13DowngradeTLS13Experiment",
1035 is_downgrade);
1036 }
1037
1038 if (is_downgrade) {
1039 // Record whether connections which hit the downgrade used known vs
1040 // unknown roots and which key exchange type.
1041
1042 // This enum is persisted into histograms. Values may not be
1043 // renumbered.
1044 enum class DowngradeType {
1045 kKnownRootRSA = 0,
1046 kKnownRootECDHE = 1,
1047 kUnknownRootRSA = 2,
1048 kUnknownRootECDHE = 3,
1049 kMaxValue = kUnknownRootECDHE,
1050 };
1051
1052 DowngradeType type;
1053 int kx_nid = SSL_CIPHER_get_kx_nid(SSL_get_current_cipher(ssl_.get()));
1054 DCHECK(kx_nid == NID_kx_rsa || kx_nid == NID_kx_ecdhe);
David Benjaminf8ebd2b2017-12-15 19:22:411055 if (server_cert_verify_result_.is_issued_by_known_root) {
Jesse Seloverdaf87902018-12-03 20:44:301056 type = kx_nid == NID_kx_rsa ? DowngradeType::kKnownRootRSA
1057 : DowngradeType::kKnownRootECDHE;
David Benjaminf8ebd2b2017-12-15 19:22:411058 } else {
Jesse Seloverdaf87902018-12-03 20:44:301059 type = kx_nid == NID_kx_rsa ? DowngradeType::kUnknownRootRSA
1060 : DowngradeType::kUnknownRootECDHE;
1061 }
1062 UMA_HISTOGRAM_ENUMERATION("Net.SSLTLS13DowngradeType", type);
1063 if (is_tls13_experiment_host) {
1064 UMA_HISTOGRAM_ENUMERATION("Net.SSLTLS13DowngradeTypeTLS13Experiment",
1065 type);
David Benjaminf8ebd2b2017-12-15 19:22:411066 }
David Benjamin570460e2018-10-16 06:01:291067
Steven Valdezeec684e3e2018-12-13 16:28:231068 if (EnforceTLS13DowngradeForKnownRootsOnly() &&
Steven Valdezbf059c752018-12-12 16:32:531069 server_cert_verify_result_.is_issued_by_known_root) {
1070 // Exit DoHandshakeLoop and return the result to the caller to
1071 // Connect.
1072 DCHECK_EQ(STATE_NONE, next_handshake_state_);
1073 return ERR_TLS13_DOWNGRADE_DETECTED;
1074 }
David Benjamin570460e2018-10-16 06:01:291075 }
[email protected]b9b651f2013-11-09 04:32:221076 }
1077
[email protected]64b5c892014-08-08 09:39:261078 completed_connect_ = true;
Jesse Selover94c9a942019-01-16 01:18:041079 next_handshake_state_ = STATE_NONE;
Jesse Seloverdaf87902018-12-03 20:44:301080 return OK;
[email protected]b9b651f2013-11-09 04:32:221081}
1082
Jesse Selover94c9a942019-01-16 01:18:041083ssl_verify_result_t SSLClientSocketImpl::VerifyCertCallback(
1084 SSL* ssl,
1085 uint8_t* out_alert) {
1086 SSLClientSocketImpl* socket =
1087 SSLContext::GetInstance()->GetClientSocketFromSSL(ssl);
1088 DCHECK(socket);
1089 return socket->VerifyCert();
1090}
1091
1092// This function is called by BoringSSL, so it has to return an
1093// ssl_verify_result_t. When specific //net errors need to be
1094// returned, use OpenSSLPutNetError to add them directly to the
1095// OpenSSL error queue.
1096ssl_verify_result_t SSLClientSocketImpl::VerifyCert() {
1097 if (cert_verification_result_ != kCertVerifyPending) {
1098 // The certificate verifier updates cert_verification_result_ when
1099 // it returns asynchronously. If there is a result in
1100 // cert_verification_result_, return it instead of triggering
1101 // another verify.
1102 return HandleVerifyResult();
1103 }
1104
1105 // In this configuration, BoringSSL will perform exactly one certificate
1106 // verification, so there cannot be state from a previous verification.
1107 CHECK(!server_cert_);
1108 server_cert_ = x509_util::CreateX509CertificateFromBuffers(
1109 SSL_get0_peer_certificates(ssl_.get()));
1110
1111 // OpenSSL decoded the certificate, but the X509Certificate implementation
1112 // could not. This is treated as a fatal SSL-level protocol error rather than
1113 // a certificate error. See https://crbug.com/91341.
1114 if (!server_cert_) {
1115 OpenSSLPutNetError(FROM_HERE, ERR_SSL_SERVER_CERT_BAD_FORMAT);
1116 return ssl_verify_invalid;
1117 }
1118
1119 net_log_.AddEvent(NetLogEventType::SSL_CERTIFICATES_RECEIVED,
1120 base::Bind(&NetLogX509CertificateCallback,
1121 base::Unretained(server_cert_.get())));
1122
1123 // If the certificate is bad and has been previously accepted, use
1124 // the previous status and bypass the error.
1125 CertStatus cert_status;
1126 if (ssl_config_.IsAllowedBadCert(server_cert_.get(), &cert_status)) {
1127 server_cert_verify_result_.Reset();
1128 server_cert_verify_result_.cert_status = cert_status;
1129 server_cert_verify_result_.verified_cert = server_cert_;
1130 cert_verification_result_ = OK;
1131 return HandleVerifyResult();
1132 }
1133
1134 start_cert_verification_time_ = base::TimeTicks::Now();
1135
1136 const uint8_t* ocsp_response_raw;
1137 size_t ocsp_response_len;
1138 SSL_get0_ocsp_response(ssl_.get(), &ocsp_response_raw, &ocsp_response_len);
1139 base::StringPiece ocsp_response(
1140 reinterpret_cast<const char*>(ocsp_response_raw), ocsp_response_len);
1141
Matt Mueller7d5464b2019-05-15 20:18:451142 const uint8_t* sct_list_raw;
1143 size_t sct_list_len;
1144 SSL_get0_signed_cert_timestamp_list(ssl_.get(), &sct_list_raw, &sct_list_len);
1145 base::StringPiece sct_list(reinterpret_cast<const char*>(sct_list_raw),
1146 sct_list_len);
1147
Jesse Selover94c9a942019-01-16 01:18:041148 cert_verification_result_ = cert_verifier_->Verify(
Matt Mueller7d5464b2019-05-15 20:18:451149 CertVerifier::RequestParams(
1150 server_cert_, host_and_port_.host(), ssl_config_.GetCertVerifyFlags(),
1151 ocsp_response.as_string(), sct_list.as_string()),
Jesse Selover94c9a942019-01-16 01:18:041152 &server_cert_verify_result_,
1153 base::BindOnce(&SSLClientSocketImpl::OnVerifyComplete,
1154 base::Unretained(this)),
1155 &cert_verifier_request_, net_log_);
1156
Jesse Selover4ae157d2019-04-10 21:06:371157 // Enforce keyUsage extension for RSA leaf certificates chaining up to known
1158 // roots.
1159 // TODO(795089): Enforce this unconditionally.
1160 if (server_cert_verify_result_.is_issued_by_known_root) {
1161 SSL_set_enforce_rsa_key_usage(ssl_.get(), 1);
1162 }
1163
Jesse Selover94c9a942019-01-16 01:18:041164 return HandleVerifyResult();
1165}
1166
1167void SSLClientSocketImpl::OnVerifyComplete(int result) {
1168 cert_verification_result_ = result;
1169 // In handshake phase. The parameter to OnHandshakeIOComplete is unused.
1170 OnHandshakeIOComplete(OK);
1171}
1172
1173ssl_verify_result_t SSLClientSocketImpl::HandleVerifyResult() {
1174 // Verification is in progress. Inform BoringSSL it should retry the
1175 // callback later. The next call to VerifyCertCallback will be a
1176 // continuation of the same verification, so leave
1177 // cert_verification_result_ as-is.
1178 if (cert_verification_result_ == ERR_IO_PENDING)
1179 return ssl_verify_retry;
1180
1181 // In BoringSSL's calling convention for asynchronous callbacks,
1182 // after a callback returns a non-retry value, the operation has
1183 // completed. Subsequent calls are of new operations with potentially
1184 // different arguments. Reset cert_verification_result_ to inform
1185 // VerifyCertCallback not to replay the result on subsequent calls.
1186 int result = cert_verification_result_;
1187 cert_verification_result_ = kCertVerifyPending;
1188
1189 cert_verifier_request_.reset();
1190
1191 if (!start_cert_verification_time_.is_null()) {
1192 base::TimeDelta verify_time =
1193 base::TimeTicks::Now() - start_cert_verification_time_;
1194 if (result == OK) {
1195 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTime", verify_time);
1196 } else {
1197 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTimeError", verify_time);
1198 }
1199 }
1200
1201 // If the connection was good, check HPKP and CT status simultaneously,
1202 // but prefer to treat the HPKP error as more serious, if there was one.
1203 if ((result == OK ||
1204 (IsCertificateError(result) &&
1205 IsCertStatusMinorError(server_cert_verify_result_.cert_status)))) {
1206 int ct_result = VerifyCT();
1207 TransportSecurityState::PKPStatus pin_validity =
1208 transport_security_state_->CheckPublicKeyPins(
1209 host_and_port_, server_cert_verify_result_.is_issued_by_known_root,
1210 server_cert_verify_result_.public_key_hashes, server_cert_.get(),
1211 server_cert_verify_result_.verified_cert.get(),
1212 TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_);
1213 switch (pin_validity) {
1214 case TransportSecurityState::PKPStatus::VIOLATED:
1215 server_cert_verify_result_.cert_status |=
1216 CERT_STATUS_PINNED_KEY_MISSING;
1217 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
1218 break;
1219 case TransportSecurityState::PKPStatus::BYPASSED:
1220 pkp_bypassed_ = true;
1221 FALLTHROUGH;
1222 case TransportSecurityState::PKPStatus::OK:
1223 // Do nothing.
1224 break;
1225 }
1226 if (result != ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN && ct_result != OK)
1227 result = ct_result;
1228 }
1229
1230 is_fatal_cert_error_ =
1231 IsCertStatusError(server_cert_verify_result_.cert_status) &&
1232 !IsCertStatusMinorError(server_cert_verify_result_.cert_status) &&
1233 transport_security_state_->ShouldSSLErrorsBeFatal(host_and_port_.host());
1234
1235 if (IsCertificateError(result) && ssl_config_.ignore_certificate_errors) {
1236 result = OK;
1237 }
1238
1239 if (result == OK) {
1240 return ssl_verify_ok;
1241 }
1242
1243 OpenSSLPutNetError(FROM_HERE, result);
1244 return ssl_verify_invalid;
1245}
1246
svaldeze83af292016-04-26 14:33:371247void SSLClientSocketImpl::DoConnectCallback(int rv) {
[email protected]b9b651f2013-11-09 04:32:221248 if (!user_connect_callback_.is_null()) {
Brad Lassey3a814172018-04-26 03:30:211249 std::move(user_connect_callback_).Run(rv > OK ? OK : rv);
[email protected]b9b651f2013-11-09 04:32:221250 }
1251}
1252
svaldeze83af292016-04-26 14:33:371253void SSLClientSocketImpl::OnHandshakeIOComplete(int result) {
[email protected]b9b651f2013-11-09 04:32:221254 int rv = DoHandshakeLoop(result);
1255 if (rv != ERR_IO_PENDING) {
Steven Valdez6af02df2018-07-15 21:52:331256 if (in_confirm_handshake_) {
1257 in_confirm_handshake_ = false;
1258 net_log_.EndEvent(NetLogEventType::SSL_CONFIRM_HANDSHAKE);
1259 } else {
1260 LogConnectEndEvent(rv);
1261 }
[email protected]b9b651f2013-11-09 04:32:221262 DoConnectCallback(rv);
1263 }
1264}
1265
svaldeze83af292016-04-26 14:33:371266int SSLClientSocketImpl::DoHandshakeLoop(int last_io_result) {
Alexandr Ilin33126632018-11-14 14:48:171267 TRACE_EVENT0(NetTracingCategory(), "SSLClientSocketImpl::DoHandshakeLoop");
[email protected]b9b651f2013-11-09 04:32:221268 int rv = last_io_result;
1269 do {
1270 // Default to STATE_NONE for next state.
1271 // (This is a quirk carried over from the windows
1272 // implementation. It makes reading the logs a bit harder.)
1273 // State handlers can and often do call GotoState just
1274 // to stay in the current state.
1275 State state = next_handshake_state_;
rsleeviadbd4982016-06-13 22:10:271276 next_handshake_state_ = STATE_NONE;
[email protected]b9b651f2013-11-09 04:32:221277 switch (state) {
1278 case STATE_HANDSHAKE:
1279 rv = DoHandshake();
1280 break;
davidbenc4212c02015-05-12 22:30:181281 case STATE_HANDSHAKE_COMPLETE:
1282 rv = DoHandshakeComplete(rv);
1283 break;
[email protected]b9b651f2013-11-09 04:32:221284 case STATE_NONE:
1285 default:
1286 rv = ERR_UNEXPECTED;
1287 NOTREACHED() << "unexpected state" << state;
1288 break;
1289 }
[email protected]b9b651f2013-11-09 04:32:221290 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE);
1291 return rv;
1292}
1293
xunjieli321a96f32017-03-07 19:42:171294int SSLClientSocketImpl::DoPayloadRead(IOBuffer* buf, int buf_len) {
[email protected]b9b651f2013-11-09 04:32:221295 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
1296
xunjieli321a96f32017-03-07 19:42:171297 DCHECK_LT(0, buf_len);
1298 DCHECK(buf);
davidben7e555daf2015-03-25 17:03:291299
[email protected]b9b651f2013-11-09 04:32:221300 int rv;
Oscar Johanssond49464e2018-07-02 09:35:451301 if (pending_read_error_ != kSSLClientSocketNoPendingResult) {
[email protected]b9b651f2013-11-09 04:32:221302 rv = pending_read_error_;
Oscar Johanssond49464e2018-07-02 09:35:451303 pending_read_error_ = kSSLClientSocketNoPendingResult;
[email protected]b9b651f2013-11-09 04:32:221304 if (rv == 0) {
mikecirone8b85c432016-09-08 19:11:001305 net_log_.AddByteTransferEvent(NetLogEventType::SSL_SOCKET_BYTES_RECEIVED,
xunjieli321a96f32017-03-07 19:42:171306 rv, buf->data());
davidbenb8c23212014-10-28 00:12:161307 } else {
1308 net_log_.AddEvent(
mikecirone8b85c432016-09-08 19:11:001309 NetLogEventType::SSL_READ_ERROR,
davidbenb8c23212014-10-28 00:12:161310 CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_,
1311 pending_read_error_info_));
[email protected]b9b651f2013-11-09 04:32:221312 }
davidbenb8c23212014-10-28 00:12:161313 pending_read_ssl_error_ = SSL_ERROR_NONE;
1314 pending_read_error_info_ = OpenSSLErrorInfo();
[email protected]b9b651f2013-11-09 04:32:221315 return rv;
1316 }
1317
1318 int total_bytes_read = 0;
davidben7e555daf2015-03-25 17:03:291319 int ssl_ret;
[email protected]b9b651f2013-11-09 04:32:221320 do {
xunjieli321a96f32017-03-07 19:42:171321 ssl_ret = SSL_read(ssl_.get(), buf->data() + total_bytes_read,
1322 buf_len - total_bytes_read);
davidben7e555daf2015-03-25 17:03:291323 if (ssl_ret > 0)
1324 total_bytes_read += ssl_ret;
davidben8ea6b172017-03-07 23:53:501325 // Continue processing records as long as there is more data available
1326 // synchronously.
1327 } while (total_bytes_read < buf_len && ssl_ret > 0 &&
1328 transport_adapter_->HasPendingReadData());
[email protected]b9b651f2013-11-09 04:32:221329
davidben7e555daf2015-03-25 17:03:291330 // Although only the final SSL_read call may have failed, the failure needs to
1331 // processed immediately, while the information still available in OpenSSL's
1332 // error queue.
davidbenced4aa9b2015-05-12 21:22:351333 if (ssl_ret <= 0) {
davidbend80c12c2016-10-11 00:13:491334 pending_read_ssl_error_ = SSL_get_error(ssl_.get(), ssl_ret);
davidben7e555daf2015-03-25 17:03:291335 if (pending_read_ssl_error_ == SSL_ERROR_ZERO_RETURN) {
1336 pending_read_error_ = 0;
davidbenced4aa9b2015-05-12 21:22:351337 } else if (pending_read_ssl_error_ == SSL_ERROR_WANT_X509_LOOKUP &&
1338 !ssl_config_.send_client_cert) {
1339 pending_read_error_ = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
davidben1d489522015-07-01 18:48:461340 } else if (pending_read_ssl_error_ ==
1341 SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) {
svaldez7872fd02015-11-19 21:10:541342 DCHECK(ssl_config_.client_private_key);
Oscar Johanssond49464e2018-07-02 09:35:451343 DCHECK_NE(kSSLClientSocketNoPendingResult, signature_result_);
davidben1d489522015-07-01 18:48:461344 pending_read_error_ = ERR_IO_PENDING;
davidben7e555daf2015-03-25 17:03:291345 } else {
davidbenfe132d92016-09-27 18:07:211346 pending_read_error_ = MapLastOpenSSLError(
davidben7e555daf2015-03-25 17:03:291347 pending_read_ssl_error_, err_tracer, &pending_read_error_info_);
[email protected]b9b651f2013-11-09 04:32:221348 }
1349
davidben7e555daf2015-03-25 17:03:291350 // Many servers do not reliably send a close_notify alert when shutting down
1351 // a connection, and instead terminate the TCP connection. This is reported
1352 // as ERR_CONNECTION_CLOSED. Because of this, map the unclean shutdown to a
1353 // graceful EOF, instead of treating it as an error as it should be.
1354 if (pending_read_error_ == ERR_CONNECTION_CLOSED)
1355 pending_read_error_ = 0;
1356 }
davidbenbe6ce7ec2014-10-20 19:15:561357
davidben7e555daf2015-03-25 17:03:291358 if (total_bytes_read > 0) {
1359 // Return any bytes read to the caller. The error will be deferred to the
1360 // next call of DoPayloadRead.
1361 rv = total_bytes_read;
davidbenbe6ce7ec2014-10-20 19:15:561362
davidben7e555daf2015-03-25 17:03:291363 // Do not treat insufficient data as an error to return in the next call to
1364 // DoPayloadRead() - instead, let the call fall through to check SSL_read()
davidben3418e81f2016-10-19 00:09:451365 // again. The transport may have data available by then.
davidben7e555daf2015-03-25 17:03:291366 if (pending_read_error_ == ERR_IO_PENDING)
Oscar Johanssond49464e2018-07-02 09:35:451367 pending_read_error_ = kSSLClientSocketNoPendingResult;
davidben7e555daf2015-03-25 17:03:291368 } else {
1369 // No bytes were returned. Return the pending read error immediately.
Oscar Johanssond49464e2018-07-02 09:35:451370 DCHECK_NE(kSSLClientSocketNoPendingResult, pending_read_error_);
davidben7e555daf2015-03-25 17:03:291371 rv = pending_read_error_;
Oscar Johanssond49464e2018-07-02 09:35:451372 pending_read_error_ = kSSLClientSocketNoPendingResult;
[email protected]b9b651f2013-11-09 04:32:221373 }
1374
1375 if (rv >= 0) {
mikecirone8b85c432016-09-08 19:11:001376 net_log_.AddByteTransferEvent(NetLogEventType::SSL_SOCKET_BYTES_RECEIVED,
xunjieli321a96f32017-03-07 19:42:171377 rv, buf->data());
davidbenb8c23212014-10-28 00:12:161378 } else if (rv != ERR_IO_PENDING) {
1379 net_log_.AddEvent(
mikecirone8b85c432016-09-08 19:11:001380 NetLogEventType::SSL_READ_ERROR,
davidbenb8c23212014-10-28 00:12:161381 CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_,
1382 pending_read_error_info_));
1383 pending_read_ssl_error_ = SSL_ERROR_NONE;
1384 pending_read_error_info_ = OpenSSLErrorInfo();
[email protected]b9b651f2013-11-09 04:32:221385 }
1386 return rv;
1387}
1388
svaldeze83af292016-04-26 14:33:371389int SSLClientSocketImpl::DoPayloadWrite() {
[email protected]b9b651f2013-11-09 04:32:221390 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
davidbend80c12c2016-10-11 00:13:491391 int rv = SSL_write(ssl_.get(), user_write_buf_->data(), user_write_buf_len_);
rsleevif020edc2015-03-16 19:31:241392
[email protected]b9b651f2013-11-09 04:32:221393 if (rv >= 0) {
mikecirone8b85c432016-09-08 19:11:001394 net_log_.AddByteTransferEvent(NetLogEventType::SSL_SOCKET_BYTES_SENT, rv,
[email protected]b9b651f2013-11-09 04:32:221395 user_write_buf_->data());
Adam Langley68df3af2019-01-19 00:37:101396 if (first_post_handshake_write_ && SSL_is_init_finished(ssl_.get())) {
1397 if (base::FeatureList::IsEnabled(features::kTLS13KeyUpdate) &&
1398 SSL_version(ssl_.get()) == TLS1_3_VERSION) {
1399 const int ok = SSL_key_update(ssl_.get(), SSL_KEY_UPDATE_REQUESTED);
1400 DCHECK(ok);
1401 }
1402 first_post_handshake_write_ = false;
1403 }
[email protected]b9b651f2013-11-09 04:32:221404 return rv;
1405 }
1406
davidbend80c12c2016-10-11 00:13:491407 int ssl_error = SSL_get_error(ssl_.get(), rv);
davidben1d489522015-07-01 18:48:461408 if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION)
1409 return ERR_IO_PENDING;
davidbenb8c23212014-10-28 00:12:161410 OpenSSLErrorInfo error_info;
davidbenfe132d92016-09-27 18:07:211411 int net_error = MapLastOpenSSLError(ssl_error, err_tracer, &error_info);
davidbenb8c23212014-10-28 00:12:161412
1413 if (net_error != ERR_IO_PENDING) {
1414 net_log_.AddEvent(
mikecirone8b85c432016-09-08 19:11:001415 NetLogEventType::SSL_WRITE_ERROR,
davidbenb8c23212014-10-28 00:12:161416 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info));
1417 }
1418 return net_error;
[email protected]b9b651f2013-11-09 04:32:221419}
1420
davidben3418e81f2016-10-19 00:09:451421void SSLClientSocketImpl::RetryAllOperations() {
1422 // SSL_do_handshake, SSL_read, and SSL_write may all be retried when blocked,
1423 // so retry all operations for simplicity. (Otherwise, SSL_get_error for each
1424 // operation may be remembered to retry only the blocked ones.)
1425
Steven Valdez6af02df2018-07-15 21:52:331426 // Performing these callbacks may cause |this| to be deleted. If this
1427 // happens, the other callbacks should not be invoked. Guard against this by
1428 // holding a WeakPtr to |this| and ensuring it's still valid.
1429 base::WeakPtr<SSLClientSocketImpl> guard(weak_factory_.GetWeakPtr());
davidben3418e81f2016-10-19 00:09:451430 if (next_handshake_state_ == STATE_HANDSHAKE) {
1431 // In handshake phase. The parameter to OnHandshakeIOComplete is unused.
1432 OnHandshakeIOComplete(OK);
davidben3418e81f2016-10-19 00:09:451433 }
1434
Steven Valdez6af02df2018-07-15 21:52:331435 if (!guard.get())
1436 return;
1437
davidben1d489522015-07-01 18:48:461438 int rv_read = ERR_IO_PENDING;
1439 int rv_write = ERR_IO_PENDING;
xunjieli321a96f32017-03-07 19:42:171440 if (user_read_buf_) {
1441 rv_read = DoPayloadRead(user_read_buf_.get(), user_read_buf_len_);
1442 } else if (!user_read_callback_.is_null()) {
1443 // ReadIfReady() is called by the user. Skip DoPayloadRead() and just let
1444 // the user know that read can be retried.
1445 rv_read = OK;
1446 }
1447
davidben3418e81f2016-10-19 00:09:451448 if (user_write_buf_)
1449 rv_write = DoPayloadWrite();
davidben1d489522015-07-01 18:48:461450
davidben3418e81f2016-10-19 00:09:451451 if (rv_read != ERR_IO_PENDING)
davidben1d489522015-07-01 18:48:461452 DoReadCallback(rv_read);
1453
1454 if (!guard.get())
1455 return;
1456
davidben3418e81f2016-10-19 00:09:451457 if (rv_write != ERR_IO_PENDING)
davidben1d489522015-07-01 18:48:461458 DoWriteCallback(rv_write);
1459}
1460
rsleevi4a6ca8c2016-06-24 03:05:221461int SSLClientSocketImpl::VerifyCT() {
rsleevi4a6ca8c2016-06-24 03:05:221462 const uint8_t* sct_list_raw;
1463 size_t sct_list_len;
davidbend80c12c2016-10-11 00:13:491464 SSL_get0_signed_cert_timestamp_list(ssl_.get(), &sct_list_raw, &sct_list_len);
rsleevi22cae1672016-12-28 01:53:361465 base::StringPiece sct_list(reinterpret_cast<const char*>(sct_list_raw),
1466 sct_list_len);
1467
1468 const uint8_t* ocsp_response_raw;
1469 size_t ocsp_response_len;
1470 SSL_get0_ocsp_response(ssl_.get(), &ocsp_response_raw, &ocsp_response_len);
1471 base::StringPiece ocsp_response(
1472 reinterpret_cast<const char*>(ocsp_response_raw), ocsp_response_len);
rsleevi4a6ca8c2016-06-24 03:05:221473
1474 // Note that this is a completely synchronous operation: The CT Log Verifier
1475 // gets all the data it needs for SCT verification and does not do any
1476 // external communication.
1477 cert_transparency_verifier_->Verify(
Rob Percivalbc658a22017-12-13 08:24:421478 host_and_port().host(), server_cert_verify_result_.verified_cert.get(),
1479 ocsp_response, sct_list, &ct_verify_result_.scts, net_log_);
rsleevi4a6ca8c2016-06-24 03:05:221480
Ryan Sleevi8a9c9c12018-05-09 02:36:231481 ct::SCTList verified_scts =
eranm4bed0b572016-08-14 21:00:351482 ct::SCTsMatchingStatus(ct_verify_result_.scts, ct::SCT_STATUS_OK);
1483
Emily Stark627238f2017-11-29 03:29:541484 ct_verify_result_.policy_compliance = policy_enforcer_->CheckCompliance(
1485 server_cert_verify_result_.verified_cert.get(), verified_scts, net_log_);
Emily Stark0d9809e2017-10-18 08:29:151486 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {
Emily Stark627238f2017-11-29 03:29:541487 if (ct_verify_result_.policy_compliance !=
Ryan Sleevi8a9c9c12018-05-09 02:36:231488 ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS &&
1489 ct_verify_result_.policy_compliance !=
1490 ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY) {
Emily Stark0d9809e2017-10-18 08:29:151491 server_cert_verify_result_.cert_status |=
1492 CERT_STATUS_CT_COMPLIANCE_FAILED;
1493 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
1494 }
1495
1496 // Record the CT compliance status for connections with EV certificates, to
1497 // distinguish how often EV status is being dropped due to failing CT
1498 // compliance.
Emily Starkefce7832017-11-30 03:16:161499 if (server_cert_verify_result_.is_issued_by_known_root) {
1500 UMA_HISTOGRAM_ENUMERATION("Net.CertificateTransparency.EVCompliance2.SSL",
1501 ct_verify_result_.policy_compliance,
Kunihiko Sakamoto36469732018-09-27 03:33:451502 ct::CTPolicyCompliance::CT_POLICY_COUNT);
Emily Starkefce7832017-11-30 03:16:161503 }
rsleevicd7390e2017-06-14 10:18:261504 }
rsleevi4a6ca8c2016-06-24 03:05:221505
Emily Stark0d9809e2017-10-18 08:29:151506 // Record the CT compliance of every connection to get an overall picture of
1507 // how many connections are CT-compliant.
Emily Starkefce7832017-11-30 03:16:161508 if (server_cert_verify_result_.is_issued_by_known_root) {
1509 UMA_HISTOGRAM_ENUMERATION(
1510 "Net.CertificateTransparency.ConnectionComplianceStatus2.SSL",
1511 ct_verify_result_.policy_compliance,
Kunihiko Sakamoto36469732018-09-27 03:33:451512 ct::CTPolicyCompliance::CT_POLICY_COUNT);
Emily Starkefce7832017-11-30 03:16:161513 }
Emily Starkc96e9bc2017-10-10 00:10:391514
Emily Stark0d9809e2017-10-18 08:29:151515 TransportSecurityState::CTRequirementsStatus ct_requirement_status =
1516 transport_security_state_->CheckCTRequirements(
estarkbf1b52962017-05-05 17:05:251517 host_and_port_, server_cert_verify_result_.is_issued_by_known_root,
1518 server_cert_verify_result_.public_key_hashes,
1519 server_cert_verify_result_.verified_cert.get(), server_cert_.get(),
1520 ct_verify_result_.scts,
1521 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
Emily Stark627238f2017-11-29 03:29:541522 ct_verify_result_.policy_compliance);
Emily Stark0d9809e2017-10-18 08:29:151523 if (ct_requirement_status != TransportSecurityState::CT_NOT_REQUIRED) {
Emily Stark8b411de02017-11-23 20:21:271524 ct_verify_result_.policy_compliance_required = true;
Emily Starkefce7832017-11-30 03:16:161525 if (server_cert_verify_result_.is_issued_by_known_root) {
1526 // Record the CT compliance of connections for which compliance is
1527 // required; this helps answer the question: "Of all connections that are
1528 // supposed to be serving valid CT information, how many fail to do so?"
1529 UMA_HISTOGRAM_ENUMERATION(
1530 "Net.CertificateTransparency.CTRequiredConnectionComplianceStatus2."
1531 "SSL",
1532 ct_verify_result_.policy_compliance,
Kunihiko Sakamoto36469732018-09-27 03:33:451533 ct::CTPolicyCompliance::CT_POLICY_COUNT);
Emily Starkefce7832017-11-30 03:16:161534 }
Emily Stark8b411de02017-11-23 20:21:271535 } else {
1536 ct_verify_result_.policy_compliance_required = false;
rsleevi4a6ca8c2016-06-24 03:05:221537 }
1538
Emily Stark0d9809e2017-10-18 08:29:151539 switch (ct_requirement_status) {
1540 case TransportSecurityState::CT_REQUIREMENTS_NOT_MET:
1541 server_cert_verify_result_.cert_status |=
1542 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED;
1543 return ERR_CERTIFICATE_TRANSPARENCY_REQUIRED;
1544 case TransportSecurityState::CT_REQUIREMENTS_MET:
1545 case TransportSecurityState::CT_NOT_REQUIRED:
1546 return OK;
1547 }
1548
1549 NOTREACHED();
rsleevi4a6ca8c2016-06-24 03:05:221550 return OK;
1551}
1552
svaldeze83af292016-04-26 14:33:371553int SSLClientSocketImpl::ClientCertRequestCallback(SSL* ssl) {
davidbend80c12c2016-10-11 00:13:491554 DCHECK(ssl == ssl_.get());
[email protected]82c59022014-08-15 09:38:271555
mikecirone8b85c432016-09-08 19:11:001556 net_log_.AddEvent(NetLogEventType::SSL_CLIENT_CERT_REQUESTED);
davidbenfe132d92016-09-27 18:07:211557 certificate_requested_ = true;
davidbenaf42cbe2014-11-13 03:27:461558
[email protected]82c59022014-08-15 09:38:271559 // Clear any currently configured certificates.
davidbend80c12c2016-10-11 00:13:491560 SSL_certs_clear(ssl_.get());
[email protected]97a854f2014-07-29 07:51:361561
1562#if defined(OS_IOS)
1563 // TODO(droger): Support client auth on iOS. See http://crbug.com/145954).
1564 LOG(WARNING) << "Client auth is not supported";
svaldeze83af292016-04-26 14:33:371565#else // !defined(OS_IOS)
[email protected]5ac981e182010-12-06 17:56:271566 if (!ssl_config_.send_client_cert) {
[email protected]515adc22013-01-09 16:01:231567 // First pass: we know that a client certificate is needed, but we do not
davidbenb11fd212017-01-12 17:08:031568 // have one at hand. Suspend the handshake. SSL_get_error will return
1569 // SSL_ERROR_WANT_X509_LOOKUP.
davidbenced4aa9b2015-05-12 21:22:351570 return -1;
[email protected]5ac981e182010-12-06 17:56:271571 }
1572
1573 // Second pass: a client certificate should have been selected.
[email protected]13914c92013-06-13 22:42:421574 if (ssl_config_.client_cert.get()) {
svaldez7872fd02015-11-19 21:10:541575 if (!ssl_config_.client_private_key) {
1576 // The caller supplied a null private key. Fail the handshake and surface
1577 // an appropriate error to the caller.
davidben1d489522015-07-01 18:48:461578 LOG(WARNING) << "Client cert found without private key";
1579 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
1580 return -1;
1581 }
1582
David Benjaminb8ab3852017-08-04 00:17:321583 if (!SetSSLChainAndKey(ssl_.get(), ssl_config_.client_cert.get(), nullptr,
1584 &SSLContext::kPrivateKeyMethod)) {
davidbena35b40c32017-03-09 17:33:451585 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT);
1586 return -1;
1587 }
svaldezf3db006f2015-09-29 16:43:581588
David Benjaminb9bafbe2017-11-07 21:41:381589 std::vector<uint16_t> preferences =
1590 ssl_config_.client_private_key->GetAlgorithmPreferences();
1591 SSL_set_signing_algorithm_prefs(ssl_.get(), preferences.data(),
1592 preferences.size());
davidbenaf42cbe2014-11-13 03:27:461593
David Benjaminb8ab3852017-08-04 00:17:321594 net_log_.AddEvent(
1595 NetLogEventType::SSL_CLIENT_CERT_PROVIDED,
1596 NetLog::IntCallback(
1597 "cert_count",
Raul Tambre8335a6d2019-02-21 16:57:431598 base::checked_cast<int>(
1599 1 + ssl_config_.client_cert->intermediate_buffers().size())));
[email protected]6bad5052014-07-12 01:25:131600 return 1;
[email protected]c0787702014-05-20 21:51:441601 }
[email protected]97a854f2014-07-29 07:51:361602#endif // defined(OS_IOS)
[email protected]5ac981e182010-12-06 17:56:271603
1604 // Send no client certificate.
mikecirone8b85c432016-09-08 19:11:001605 net_log_.AddEvent(NetLogEventType::SSL_CLIENT_CERT_PROVIDED,
tfarina5e24b242015-10-27 13:11:281606 NetLog::IntCallback("cert_count", 0));
[email protected]82c59022014-08-15 09:38:271607 return 1;
[email protected]5ac981e182010-12-06 17:56:271608}
1609
svaldeze83af292016-04-26 14:33:371610int SSLClientSocketImpl::NewSessionCallback(SSL_SESSION* session) {
Daniel McArdle3a663d62019-01-31 00:48:471611 if (!IsCachingEnabled())
David Benjaminb3840f42017-08-03 15:50:161612 return 0;
1613
David Benjamin6617c392019-02-12 18:08:571614 // OpenSSL optionally passes ownership of |session|. Returning one signals
1615 // that this function has claimed it.
1616 ssl_client_session_cache_->Insert(GetSessionCacheKey(),
1617 bssl::UniquePtr<SSL_SESSION>(session));
1618 return 1;
davidbendafe4e52015-04-08 22:53:521619}
1620
svaldeze83af292016-04-26 14:33:371621void SSLClientSocketImpl::AddCTInfoToSSLInfo(SSLInfo* ssl_info) const {
estark723b5eeb2016-02-18 21:01:121622 ssl_info->UpdateCertificateTransparencyInfo(ct_verify_result_);
davidbeneb5f8ef32014-09-04 14:14:321623}
1624
svaldeze83af292016-04-26 14:33:371625std::string SSLClientSocketImpl::GetSessionCacheKey() const {
David Benjamin6f2da652019-06-26 23:36:351626 if (base::FeatureList::IsEnabled(
1627 features::kPartitionSSLSessionsByNetworkIsolationKey)) {
1628 return host_and_port_.ToString() + '/' +
1629 ssl_config_.network_isolation_key.ToString();
1630 }
David Benjamind61bd532019-04-23 21:11:371631 return host_and_port_.ToString();
rsleevif020edc2015-03-16 19:31:241632}
1633
svaldeze83af292016-04-26 14:33:371634bool SSLClientSocketImpl::IsRenegotiationAllowed() const {
bncce6ea242016-09-15 20:22:321635 if (negotiated_protocol_ == kProtoUnknown)
davidben421116c2015-05-12 19:56:511636 return ssl_config_.renego_allowed_default;
1637
davidben421116c2015-05-12 19:56:511638 for (NextProto allowed : ssl_config_.renego_allowed_for_protos) {
bnc3cf2a592016-08-11 14:48:361639 if (negotiated_protocol_ == allowed)
davidben421116c2015-05-12 19:56:511640 return true;
1641 }
1642 return false;
1643}
1644
Daniel McArdle3a663d62019-01-31 00:48:471645bool SSLClientSocketImpl::IsCachingEnabled() const {
1646 return ssl_client_session_cache_ != nullptr;
1647}
1648
David Benjaminb9bafbe2017-11-07 21:41:381649ssl_private_key_result_t SSLClientSocketImpl::PrivateKeySignCallback(
davidben1d489522015-07-01 18:48:461650 uint8_t* out,
1651 size_t* out_len,
1652 size_t max_out,
David Benjaminb9bafbe2017-11-07 21:41:381653 uint16_t algorithm,
davidben1d489522015-07-01 18:48:461654 const uint8_t* in,
1655 size_t in_len) {
Oscar Johanssond49464e2018-07-02 09:35:451656 DCHECK_EQ(kSSLClientSocketNoPendingResult, signature_result_);
davidben1d489522015-07-01 18:48:461657 DCHECK(signature_.empty());
svaldez7872fd02015-11-19 21:10:541658 DCHECK(ssl_config_.client_private_key);
davidben1d489522015-07-01 18:48:461659
David Benjaminb9bafbe2017-11-07 21:41:381660 net_log_.BeginEvent(
1661 NetLogEventType::SSL_PRIVATE_KEY_OP,
David Benjaminb65b0732018-11-09 20:33:531662 base::BindRepeating(
1663 &NetLogPrivateKeyOperationCallback, algorithm,
1664 // Pass the SSLPrivateKey pointer to avoid making copies of the
1665 // provider name in the common case with logging disabled.
1666 base::Unretained(ssl_config_.client_private_key.get())));
David Benjaminb9bafbe2017-11-07 21:41:381667
davidben1d489522015-07-01 18:48:461668 signature_result_ = ERR_IO_PENDING;
David Benjamin9ba36b02017-11-10 19:01:531669 ssl_config_.client_private_key->Sign(
1670 algorithm, base::make_span(in, in_len),
David Benjamin8f2d2c12018-02-27 00:08:261671 base::BindOnce(&SSLClientSocketImpl::OnPrivateKeyComplete,
1672 weak_factory_.GetWeakPtr()));
davidben1d489522015-07-01 18:48:461673 return ssl_private_key_retry;
1674}
1675
davidben0bca07fd2016-07-18 15:12:031676ssl_private_key_result_t SSLClientSocketImpl::PrivateKeyCompleteCallback(
davidben1d489522015-07-01 18:48:461677 uint8_t* out,
1678 size_t* out_len,
1679 size_t max_out) {
Oscar Johanssond49464e2018-07-02 09:35:451680 DCHECK_NE(kSSLClientSocketNoPendingResult, signature_result_);
svaldez7872fd02015-11-19 21:10:541681 DCHECK(ssl_config_.client_private_key);
davidben1d489522015-07-01 18:48:461682
1683 if (signature_result_ == ERR_IO_PENDING)
1684 return ssl_private_key_retry;
1685 if (signature_result_ != OK) {
1686 OpenSSLPutNetError(FROM_HERE, signature_result_);
1687 return ssl_private_key_failure;
1688 }
1689 if (signature_.size() > max_out) {
1690 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
1691 return ssl_private_key_failure;
1692 }
davidben5f8b6bc2015-11-25 03:19:541693 memcpy(out, signature_.data(), signature_.size());
davidben1d489522015-07-01 18:48:461694 *out_len = signature_.size();
1695 signature_.clear();
1696 return ssl_private_key_success;
1697}
1698
davidben0bca07fd2016-07-18 15:12:031699void SSLClientSocketImpl::OnPrivateKeyComplete(
davidben1d489522015-07-01 18:48:461700 Error error,
1701 const std::vector<uint8_t>& signature) {
1702 DCHECK_EQ(ERR_IO_PENDING, signature_result_);
1703 DCHECK(signature_.empty());
svaldez7872fd02015-11-19 21:10:541704 DCHECK(ssl_config_.client_private_key);
davidben1d489522015-07-01 18:48:461705
mikecirone8b85c432016-09-08 19:11:001706 net_log_.EndEventWithNetErrorCode(NetLogEventType::SSL_PRIVATE_KEY_OP, error);
davidben1d489522015-07-01 18:48:461707
1708 signature_result_ = error;
1709 if (signature_result_ == OK)
1710 signature_ = signature;
1711
davidben1d489522015-07-01 18:48:461712 // During a renegotiation, either Read or Write calls may be blocked on an
1713 // asynchronous private key operation.
davidben3418e81f2016-10-19 00:09:451714 RetryAllOperations();
davidben1d489522015-07-01 18:48:461715}
1716
David Benjamin7a8e4dfa2018-06-12 23:07:211717void SSLClientSocketImpl::InfoCallback(int type, int value) {
1718 if (type == SSL_CB_HANDSHAKE_START && completed_connect_) {
1719 UMA_HISTOGRAM_BOOLEAN("Net.SSLSecureRenegotiation",
1720 SSL_get_secure_renegotiation_support(ssl_.get()));
1721 }
1722}
1723
davidbencef9e212017-04-19 15:00:101724void SSLClientSocketImpl::MessageCallback(int is_write,
1725 int content_type,
1726 const void* buf,
1727 size_t len) {
1728 switch (content_type) {
1729 case SSL3_RT_ALERT:
1730 net_log_.AddEvent(is_write ? NetLogEventType::SSL_ALERT_SENT
1731 : NetLogEventType::SSL_ALERT_RECEIVED,
1732 base::Bind(&NetLogSSLAlertCallback, buf, len));
1733 break;
1734 case SSL3_RT_HANDSHAKE:
1735 net_log_.AddEvent(
1736 is_write ? NetLogEventType::SSL_HANDSHAKE_MESSAGE_SENT
1737 : NetLogEventType::SSL_HANDSHAKE_MESSAGE_RECEIVED,
1738 base::Bind(&NetLogSSLMessageCallback, !!is_write, buf, len));
1739 break;
1740 default:
1741 return;
1742 }
1743}
1744
davidben281d13f02016-04-27 20:43:281745void SSLClientSocketImpl::LogConnectEndEvent(int rv) {
1746 if (rv != OK) {
mikecirone8b85c432016-09-08 19:11:001747 net_log_.EndEventWithNetErrorCode(NetLogEventType::SSL_CONNECT, rv);
davidben281d13f02016-04-27 20:43:281748 return;
1749 }
1750
mikecirone8b85c432016-09-08 19:11:001751 net_log_.EndEvent(NetLogEventType::SSL_CONNECT,
davidben281d13f02016-04-27 20:43:281752 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this)));
1753}
1754
bncbd442c22016-09-14 20:49:161755void SSLClientSocketImpl::RecordNegotiatedProtocol() const {
1756 UMA_HISTOGRAM_ENUMERATION("Net.SSLNegotiatedAlpnProtocol",
1757 negotiated_protocol_, kProtoLast + 1);
bnc3cf2a592016-08-11 14:48:361758}
1759
davidbenfe132d92016-09-27 18:07:211760int SSLClientSocketImpl::MapLastOpenSSLError(
1761 int ssl_error,
1762 const crypto::OpenSSLErrStackTracer& tracer,
1763 OpenSSLErrorInfo* info) {
1764 int net_error = MapOpenSSLErrorWithDetails(ssl_error, tracer, info);
1765
1766 if (ssl_error == SSL_ERROR_SSL &&
1767 ERR_GET_LIB(info->error_code) == ERR_LIB_SSL) {
1768 // TLS does not provide an alert for missing client certificates, so most
1769 // servers send a generic handshake_failure alert. Detect this case by
1770 // checking if we have received a CertificateRequest but sent no
1771 // certificate. See https://crbug.com/646567.
1772 if (ERR_GET_REASON(info->error_code) ==
1773 SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE &&
1774 certificate_requested_ && ssl_config_.send_client_cert &&
1775 !ssl_config_.client_cert) {
1776 net_error = ERR_BAD_SSL_CLIENT_AUTH_CERT;
1777 }
1778
1779 // Per spec, access_denied is only for client-certificate-based access
1780 // control, but some buggy firewalls use it when blocking a page. To avoid a
1781 // confusing error, map it to a generic protocol error if no
1782 // CertificateRequest was sent. See https://crbug.com/630883.
1783 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED &&
1784 !certificate_requested_) {
1785 net_error = ERR_SSL_PROTOCOL_ERROR;
1786 }
David Benjamin5b4410e2017-11-10 21:50:231787
1788 // This error is specific to the client, so map it here.
1789 if (ERR_GET_REASON(info->error_code) ==
1790 SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS) {
1791 net_error = ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS;
1792 }
davidbenfe132d92016-09-27 18:07:211793 }
1794
1795 return net_error;
1796}
1797
[email protected]7e5dd49f2010-12-08 18:33:491798} // namespace net