File: openssl_ssl_util.h

// Copyright 2014 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_SSL_OPENSSL_SSL_UTIL_H_
#define NET_SSL_OPENSSL_SSL_UTIL_H_

#include <stdint.h>

#include "net/base/net_export.h"
#include "net/cert/x509_certificate.h"
#include "net/log/net_log_event_type.h"
#include "third_party/boringssl/src/include/openssl/base.h"

// Forward declaration only: this header needs OpenSSLErrStackTracer solely as
// a reference parameter type, so the full definition is left to the .cc files.
namespace crypto {
class OpenSSLErrStackTracer;
}

// Forward declaration only: base::Location is used by reference below.
namespace base {
class Location;
}

namespace net {

// Forward declaration; only a reference is taken in NetLogOpenSSLError().
class NetLogWithSource;

// Puts a net error, |err|, on the error stack in OpenSSL. The file and line are
// extracted from |posted_from|. The function code of the error is left as 0.
//
// This is the bridge in the other direction from MapOpenSSLError(): net-level
// failures raised inside OpenSSL callbacks are pushed here so that the later
// error-stack walk can recover them.
void OpenSSLPutNetError(const base::Location& posted_from, int err);

// Utility to construct the appropriate set & clear masks for use with the
// OpenSSL options and mode configuration functions (SSL_set_options etc).
//
// Both masks start empty (0). Callers record the desired state of each flag
// via ConfigureFlag() and then hand |set_mask| / |clear_mask| to the matching
// set/clear API.
struct SslSetClearMask {
  // Defined out of line; presumably leaves both masks at their default 0 --
  // confirm against the implementation.
  SslSetClearMask();
  // Records that |flag| should be turned on (|state| true) or off (|state|
  // false). Presumably this ORs |flag| into |set_mask| or |clear_mask|
  // respectively -- confirm against the implementation.
  void ConfigureFlag(long flag, bool state);

  // Bits to set, and bits to clear. Plain data; no invariant ties them
  // together here.
  long set_mask = 0;
  long clear_mask = 0;
};

// Converts an OpenSSL error code into a net error code, walking the OpenSSL
// error stack if needed.
//
// Note that |tracer| is not currently used in the implementation, but is passed
// in anyway as this ensures the caller will clear any residual codes left on
// the error stack.
//
// |err| is the OpenSSL-side value (presumably the SSL_ERROR_* result of
// SSL_get_error() -- confirm with callers). See MapOpenSSLErrorWithDetails()
// for the variant that also reports which stack entry was consumed.
NET_EXPORT_PRIVATE int MapOpenSSLError(
    int err,
    const crypto::OpenSSLErrStackTracer& tracer);

// Helper struct to store information about an OpenSSL error stack entry.
//
// Filled in by MapOpenSSLErrorWithDetails(); when no stack entry was used,
// |error_code| and |line| are 0 and |file| is NULL.
struct OpenSSLErrorInfo {
  OpenSSLErrorInfo() = default;

  // The OpenSSL error code read from the error stack, or 0 if none.
  uint32_t error_code = 0;
  // Source file recorded for the stack entry, or NULL. Non-owning: the
  // pointer is assumed to refer to storage that outlives this struct
  // (presumably a static string recorded by OpenSSL) -- confirm before
  // retaining it beyond the error's handling.
  const char* file = nullptr;
  // Source line recorded for the stack entry, or 0.
  int line = 0;
};

// Converts an OpenSSL error code into a net error code, walking the OpenSSL
// error stack if needed. If a value on the stack is used, the error code and
// associated information are returned in |*out_error_info|. Otherwise its
// fields are set to 0 and NULL. This function will never return OK, so
// SSL_ERROR_ZERO_RETURN must be handled externally.
//
// |out_error_info| is always written and so must not be null.
//
// Note that |tracer| is not currently used in the implementation, but is passed
// in anyway as this ensures the caller will clear any residual codes left on
// the error stack.
int MapOpenSSLErrorWithDetails(int err,
                               const crypto::OpenSSLErrStackTracer& tracer,
                               OpenSSLErrorInfo* out_error_info);

// Logs an OpenSSL error to the NetLog.
//
// |type| is the NetLog event to emit, |net_error| the mapped net error,
// |ssl_error| the OpenSSL-side error value (presumably from SSL_get_error() --
// confirm with callers), and |error_info| the stack entry captured by
// MapOpenSSLErrorWithDetails().
void NetLogOpenSSLError(const NetLogWithSource& net_log,
                        NetLogEventType type,
                        int net_error,
                        int ssl_error,
                        const OpenSSLErrorInfo& error_info);

// Returns the net SSL version number (see ssl_connection_status_flags.h) for
// this SSL connection.
int GetNetSSLVersion(SSL* ssl);

// Configures |ssl| to send the specified certificate and either |pkey| or
// |custom_key|. This is a wrapper over |SSL_set_chain_and_key|.
//
// Only one of |pkey| / |custom_key| is expected; the other is presumably null
// -- confirm with callers. Returns whether configuration succeeded; callers
// should treat false as a hard failure rather than continue the handshake.
bool SetSSLChainAndKey(SSL* ssl,
                       X509Certificate* cert,
                       EVP_PKEY* pkey,
                       const SSL_PRIVATE_KEY_METHOD* custom_key);

// Configures |ssl| to use the specified certificate and either |key| or
// |custom_key| as an available credential. This is a wrapper over
// |SSL_CREDENTIAL| APIs
// (https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Credentials).
//
// |signing_algorithm_prefs|, |ocsp_response|, and |signed_cert_timestamp| are
// configured with the respective SSL_CREDENTIAL APIs if non-empty.
//
// If |trust_anchor_id| is non-empty, it will be configured as the certificate's
// corresponding TLS Trust Anchor ID, and `SSL_CREDENTIAL_set_must_match_issuer`
// will be set to true
// (https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CREDENTIAL_set_must_match_issuer).
//
// Returns whether the credential was configured; on false the caller should
// not assume |ssl| carries this credential. NOTE(review): base::span is used
// here but no header declaring it is included in this file; presumably it
// arrives transitively -- confirm (include-what-you-use).
bool ConfigureSSLCredential(
    SSL* ssl,
    base::span<const bssl::UniquePtr<CRYPTO_BUFFER>> cert_chain,
    EVP_PKEY* pkey,
    const SSL_PRIVATE_KEY_METHOD* custom_key,
    base::span<const uint16_t> signing_algorithm_prefs,
    base::span<const uint8_t> ocsp_response,
    base::span<const uint8_t> signed_cert_timestamp_list,
    base::span<const uint8_t> trust_anchor_id);

}  // namespace net

#endif  // NET_SSL_OPENSSL_SSL_UTIL_H_