1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/ssl_client_socket_win.h" | 5 #include "net/base/ssl_client_socket_win.h" |
6 | 6 |
7 #include <schnlsp.h> | 7 #include <schnlsp.h> |
8 | 8 |
9 #include "base/lock.h" | 9 #include "base/lock.h" |
10 #include "base/singleton.h" | 10 #include "base/singleton.h" |
1026 void SSLClientSocketWin::LogConnectionTypeMetrics( | 1026 void SSLClientSocketWin::LogConnectionTypeMetrics( |
1027 PCCERT_CHAIN_CONTEXT chain_context) { | 1027 PCCERT_CHAIN_CONTEXT chain_context) { |
1028 UpdateConnectionTypeHistograms(CONNECTION_SSL); | 1028 UpdateConnectionTypeHistograms(CONNECTION_SSL); |
1029 | 1029 |
1030 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; | 1030 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; |
1031 int num_elements = first_chain->cElement; | 1031 int num_elements = first_chain->cElement; |
1032 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; | 1032 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; |
1033 bool has_md5 = false; | 1033 bool has_md5 = false; |
1034 bool has_md2 = false; | 1034 bool has_md2 = false; |
1035 bool has_md4 = false; | 1035 bool has_md4 = false; |
| 1036 bool has_md5_ca = false; |
1036 | 1037 |
1037 // Each chain starts with the end entity certificate and ends with the root | 1038 // Each chain starts with the end entity certificate (i = 0) and ends with |
1038 // CA certificate. Do not inspect the signature algorithm of the root CA | 1039 // the root CA certificate (i = num_elements - 1). Do not inspect the |
1039 // certificate because the signature on the trust anchor is not important. | 1040 // signature algorithm of the root CA certificate because the signature on |
| 1041 // the trust anchor is not important. |
1040 for (int i = 0; i < num_elements - 1; ++i) { | 1042 for (int i = 0; i < num_elements - 1; ++i) { |
1041 PCCERT_CONTEXT cert = element[i]->pCertContext; | 1043 PCCERT_CONTEXT cert = element[i]->pCertContext; |
1042 const char* algorithm = cert->pCertInfo->SignatureAlgorithm.pszObjId; | 1044 const char* algorithm = cert->pCertInfo->SignatureAlgorithm.pszObjId; |
1043 if (strcmp(algorithm, szOID_RSA_MD5RSA) == 0) { | 1045 if (strcmp(algorithm, szOID_RSA_MD5RSA) == 0) { |
1044 // md5WithRSAEncryption: 1.2.840.113549.1.1.4 | 1046 // md5WithRSAEncryption: 1.2.840.113549.1.1.4 |
1045 has_md5 = true; | 1047 has_md5 = true; |
| 1048 if (i != 0) |
| 1049 has_md5_ca = true; |
1046 } else if (strcmp(algorithm, szOID_RSA_MD2RSA) == 0) { | 1050 } else if (strcmp(algorithm, szOID_RSA_MD2RSA) == 0) { |
1047 // md2WithRSAEncryption: 1.2.840.113549.1.1.2 | 1051 // md2WithRSAEncryption: 1.2.840.113549.1.1.2 |
1048 has_md2 = true; | 1052 has_md2 = true; |
1049 } else if (strcmp(algorithm, szOID_RSA_MD4RSA) == 0) { | 1053 } else if (strcmp(algorithm, szOID_RSA_MD4RSA) == 0) { |
1050 // md4WithRSAEncryption: 1.2.840.113549.1.1.3 | 1054 // md4WithRSAEncryption: 1.2.840.113549.1.1.3 |
1051 has_md4 = true; | 1055 has_md4 = true; |
1052 } | 1056 } |
1053 } | 1057 } |
1054 | 1058 |
1055 if (has_md5) | 1059 if (has_md5) |
1056 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5); | 1060 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5); |
1057 if (has_md2) | 1061 if (has_md2) |
1058 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2); | 1062 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2); |
1059 if (has_md4) | 1063 if (has_md4) |
1060 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD4); | 1064 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD4); |
| 1065 if (has_md5_ca) |
| 1066 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5_CA); |
1061 } | 1067 } |
1062 | 1068 |
1063 // Set server_cert_status_ and return OK or a network error. | 1069 // Set server_cert_status_ and return OK or a network error. |
1064 int SSLClientSocketWin::VerifyServerCert() { | 1070 int SSLClientSocketWin::VerifyServerCert() { |
1065 DCHECK(server_cert_); | 1071 DCHECK(server_cert_); |
1066 server_cert_status_ = 0; | 1072 server_cert_status_ = 0; |
1067 | 1073 |
1068 // Build and validate certificate chain. | 1074 // Build and validate certificate chain. |
1069 | 1075 |
1070 CERT_CHAIN_PARA chain_para; | 1076 CERT_CHAIN_PARA chain_para; |
1184 // compatible with WinHTTP, which doesn't report this error (bug 3004). | 1190 // compatible with WinHTTP, which doesn't report this error (bug 3004). |
1185 server_cert_status_ &= ~CERT_STATUS_NO_REVOCATION_MECHANISM; | 1191 server_cert_status_ &= ~CERT_STATUS_NO_REVOCATION_MECHANISM; |
1186 | 1192 |
1187 if (IsCertStatusError(server_cert_status_)) | 1193 if (IsCertStatusError(server_cert_status_)) |
1188 return MapCertStatusToNetError(server_cert_status_); | 1194 return MapCertStatusToNetError(server_cert_status_); |
1189 return OK; | 1195 return OK; |
1190 } | 1196 } |
1191 | 1197 |
1192 } // namespace net | 1198 } // namespace net |
1193 | 1199 |
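Review bot: The new `has_md5_ca` flag relies on `i != 0` to mean "this is a CA certificate", but nothing at new lines 1048-1049 says so; a one-line comment there would make the intent readable: `// i > 0 is an intermediate CA certificate; an MD5 signature on it is weaker than one on the leaf, because it covers every certificate that CA issued.` The flag is only tracked for MD5, so MD2 and MD4 signatures on an intermediate are folded into the plain CONNECTION_SSL_MD2/MD4 counts; if that asymmetry is intentional it deserves a note next to the declaration of `has_md5_ca` at new line 1036. The whole of LogConnectionTypeMetrics is inside the hunk, and the loop's pre-existing assumption that the last element is the trust anchor only holds when chain building actually reached a root, which this function does not check itself.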