Chromium Code Reviews Chromium Code Reviews
Issue 7792077:
Fix a benign off-by-one error of kNumSerials in IsBlacklisted. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #include <stdlib.h> | 7 #include <stdlib.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 #include <map> | 10 #include <map> |
| (...skipping 623 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 634 cache->Remove(cert_handle_); | 634 cache->Remove(cert_handle_); |
| 635 FreeOSCertHandle(cert_handle_); | 635 FreeOSCertHandle(cert_handle_); |
| 636 } | 636 } |
| 637 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) { | 637 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) { |
| 638 cache->Remove(intermediate_ca_certs_[i]); | 638 cache->Remove(intermediate_ca_certs_[i]); |
| 639 FreeOSCertHandle(intermediate_ca_certs_[i]); | 639 FreeOSCertHandle(intermediate_ca_certs_[i]); |
| 640 } | 640 } |
| 641 } | 641 } |
| 642 | 642 |
| 643 bool X509Certificate::IsBlacklisted() const { | 643 bool X509Certificate::IsBlacklisted() const { |
| 644 static const unsigned kNumSerials = 257; | 644 static const unsigned kNumSerials = 256; |
|
wtc
2011/09/01 21:15:19
I verified that 256 is correct because 255 results
| |
| 645 static const unsigned kSerialBytes = 16; | 645 static const unsigned kSerialBytes = 16; |
| 646 static const uint8 kSerials[kNumSerials][kSerialBytes] = { | 646 static const uint8 kSerials[kNumSerials][kSerialBytes] = { |
| 647 // Not a real certificate. For testing only. | 647 // Not a real certificate. For testing only. |
| 648 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd, 0x1c}, | 648 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd, 0x1c}, |
| 649 | 649 |
| 650 // The next nine certificates all expire on Fri Mar 14 23:59:59 2014. | 650 // The next nine certificates all expire on Fri Mar 14 23:59:59 2014. |
| 651 // Some serial numbers actually have a leading 0x00 byte required to | 651 // Some serial numbers actually have a leading 0x00 byte required to |
| 652 // encode a positive integer in DER if the most significant bit is 0. | 652 // encode a positive integer in DER if the most significant bit is 0. |
| 653 // We omit the leading 0x00 bytes to make all serial numbers 16 bytes. | 653 // We omit the leading 0x00 bytes to make all serial numbers 16 bytes. |
| 654 | 654 |
| (...skipping 285 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 940 } | 940 } |
| 941 | 941 |
| 942 // Special case for DigiNotar: this serial number had a leading 0x00 byte | 942 // Special case for DigiNotar: this serial number had a leading 0x00 byte |
| 943 static const uint8 kDigiNotarLeadingZero[15] = { | 943 static const uint8 kDigiNotarLeadingZero[15] = { |
| 944 0x17,0x7f,0xb6,0x53,0x6b,0x98,0xce,0x40,0xd5,0x4b,0x8b,0x24,0xe3,0x16,0x05 | 944 0x17,0x7f,0xb6,0x53,0x6b,0x98,0xce,0x40,0xd5,0x4b,0x8b,0x24,0xe3,0x16,0x05 |
| 945 }; | 945 }; |
| 946 | 946 |
| 947 if (serial_number_.size() == sizeof(kDigiNotarLeadingZero) && | 947 if (serial_number_.size() == sizeof(kDigiNotarLeadingZero) && |
| 948 memcmp(serial_number_.data(), kDigiNotarLeadingZero, | 948 memcmp(serial_number_.data(), kDigiNotarLeadingZero, |
| 949 sizeof(kDigiNotarLeadingZero)) == 0) { | 949 sizeof(kDigiNotarLeadingZero)) == 0) { |
| 950 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", kNumSerials, kNumSer ials + 1); | 950 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", kNumSerials, |
| 951 return true; | 951 kNumSerials + 1); |
| 952 return true; | |
| 952 } | 953 } |
| 953 | 954 |
| 954 return false; | 955 return false; |
| 955 } | 956 } |
| 956 | 957 |
| 957 // static | 958 // static |
| 958 bool X509Certificate::IsPublicKeyBlacklisted( | 959 bool X509Certificate::IsPublicKeyBlacklisted( |
| 959 const std::vector<SHA1Fingerprint>& public_key_hashes) { | 960 const std::vector<SHA1Fingerprint>& public_key_hashes) { |
| 960 static const unsigned kNumHashes = 3; | 961 static const unsigned kNumHashes = 3; |
| 961 static const uint8 kHashes[kNumHashes][base::SHA1_LENGTH] = { | 962 static const uint8 kHashes[kNumHashes][base::SHA1_LENGTH] = { |
| (...skipping 26 matching lines...) Expand all Loading... | |
| 988 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, | 989 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, |
| 989 const uint8* array, | 990 const uint8* array, |
| 990 size_t array_byte_len) { | 991 size_t array_byte_len) { |
| 991 DCHECK_EQ(0u, array_byte_len % base::SHA1_LENGTH); | 992 DCHECK_EQ(0u, array_byte_len % base::SHA1_LENGTH); |
| 992 const unsigned arraylen = array_byte_len / base::SHA1_LENGTH; | 993 const unsigned arraylen = array_byte_len / base::SHA1_LENGTH; |
| 993 return NULL != bsearch(hash.data, array, arraylen, base::SHA1_LENGTH, | 994 return NULL != bsearch(hash.data, array, arraylen, base::SHA1_LENGTH, |
| 994 CompareSHA1Hashes); | 995 CompareSHA1Hashes); |
| 995 } | 996 } |
| 996 | 997 |
| 997 } // namespace net | 998 } // namespace net |
| OLD | NEW |
