net: move pinning checks into the SSL socket.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 48 matching lines @@
 #include <ssl.h>
 #include <sslerr.h>
 #include <sslproto.h>
 
 #include <algorithm>
 #include <limits>
 #include <map>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
+#include "base/build_time.h"
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/histogram.h"
 #include "base/string_number_conversions.h"
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/values.h"
 #include "crypto/ec_private_key.h"
@@ skipping 10 matching lines @@
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/base/ssl_cert_request_info.h"
 #include "net/base/ssl_connection_status_flags.h"
 #include "net/base/ssl_info.h"
 #include "net/base/sys_addrinfo.h"
 #include "net/base/x509_certificate_net_log_param.h"
 #include "net/ocsp/nss_ocsp.h"
 #include "net/socket/client_socket_handle.h"
-#include "net/socket/dns_cert_provenance_checker.h"
 #include "net/socket/nss_ssl_util.h"
 #include "net/socket/ssl_error_params.h"
 #include "net/socket/ssl_host_info.h"
 
 #if defined(OS_WIN)
 #include <windows.h>
 #include <wincrypt.h>
 #elif defined(OS_MACOSX)
 #include <Security/SecBase.h>
 #include <Security/SecCertificate.h>
@@ skipping 351 matching lines @@
       handshake_callback_called_(false),
       completed_handshake_(false),
       eset_mitm_detected_(false),
       kaspersky_mitm_detected_(false),
       predicted_cert_chain_correct_(false),
       next_handshake_state_(STATE_NONE),
       nss_fd_(NULL),
       nss_bufs_(NULL),
       net_log_(transport_socket->socket()->NetLog()),
       ssl_host_info_(ssl_host_info),
-      dns_cert_checker_(context.dns_cert_checker),
+      transport_security_state_(context.transport_security_state),
       next_proto_status_(kNextProtoUnsupported),
       valid_thread_id_(base::kInvalidThreadId) {
   EnterFunction("");
 }
 
 SSLClientSocketNSS::~SSLClientSocketNSS() {
   EnterFunction("");
   Disconnect();
   LeaveFunction("");
 }
@@ skipping 1232 matching lines @@
   SECStatus rv;
   rv = SSL_RestartHandshakeAfterCertReq(nss_fd_, cert, key, cert_chain);
   if (rv != SECSuccess)
     return MapNSSError(PORT_GetError());
 
   GotoState(STATE_HANDSHAKE);
   return OK;
 }
 
 int SSLClientSocketNSS::DoVerifyDNSSEC(int result) {
-  if (ssl_config_.dns_cert_provenance_checking_enabled &&
-      dns_cert_checker_) {
-    PeerCertificateChain certs(nss_fd_);
-    dns_cert_checker_->DoAsyncVerification(
-        host_and_port_.host(), certs.AsStringPieceVector());
-  }
-
   DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(),
                                            server_cert_nss_,
                                            host_and_port_.port());
   if (r == DNSVR_SUCCESS) {
     local_server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC;
     local_server_cert_verify_result_.verified_cert = server_cert_;
     server_cert_verify_result_ = &local_server_cert_verify_result_;
     GotoState(STATE_VERIFY_CERT_COMPLETE);
     return OK;
   }
@@ skipping 141 matching lines @@
   // persistently.  However, NSS opens a connection to the SQLite database
   // during NSS initialization and doesn't close the connection until NSS
   // shuts down.  If the file system where the database resides is gone,
   // the database connection goes bad.  What's worse, the connection won't
   // recover when the file system comes back.  Until this NSS or SQLite bug
   // is fixed, we need to  avoid using the NSS database for non-essential
   // purposes.  See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and
   // http://crbug.com/15630 for more info.
 
   // TODO(hclam): Skip logging if server cert was expected to be bad because
-  // |server_cert_verify_results_| doesn't contain all the information about
+  // |server_cert_verify_result_| doesn't contain all the information about
   // the cert.
   if (result == OK)
     LogConnectionTypeMetrics();
 
   completed_handshake_ = true;
 
   if (old_user_read_callback_ || !user_read_callback_.is_null()) {
     int rv = DoReadLoop(OK);
     if (rv != ERR_IO_PENDING)
       DoReadCallback(rv);
   }
 
+//#if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID)
+  // Take care of any mandates for public key pinning.
+  //
+  // Pinning is only enabled for official builds to make sure that others don't
+  // end up with pins that cannot be easily updated.
+  //
+  // TODO(agl): we might have an issue here where a request for foo.example.com
+  // merges into a SPDY connection to www.example.com, and gets a different
+  // certificate.
+
+  const CertStatus cert_status = server_cert_verify_result_->cert_status;
+  if ((result == OK || (IsCertificateError(result) &&
+                        IsCertStatusMinorError(cert_status))) &&
+      server_cert_verify_result_->is_issued_by_known_root &&
+      transport_security_state_) {
+    bool sni_available = ssl_config_.tls1_enabled || ssl_config_.ssl3_fallback;
+    const std::string& host = host_and_port_.host();
+
+    TransportSecurityState::DomainState domain_state;
+    if (transport_security_state_->HasPinsForHost(
+            &domain_state, host, sni_available)) {
+      if (!domain_state.IsChainOfPublicKeysPermitted(
+               server_cert_verify_result_->public_key_hashes)) {
+        const base::Time build_time = base::GetBuildTime();
+        // Pins are not enforced if the build is sufficiently old. Chrome
+        // users should get updates every six weeks or so, but it's possible
+        // that some users will stop getting updates for some reason. We
+        // don't want those users building up as a pool of people with bad
+        // pins.
+        if ((base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */) {
+          result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
+          UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
+          TransportSecurityState::ReportUMAOnPinFailure(host);
+        }
+      } else {
+        UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
+      }
+    }
+  }
+//#endif
+
   // Exit DoHandshakeLoop and return the result to the caller to Connect.
   DCHECK(next_handshake_state_ == STATE_NONE);
   return result;
 }
 
 int SSLClientSocketNSS::DoPayloadRead() {
   EnterFunction(user_read_buf_len_);
   DCHECK(user_read_buf_);
   DCHECK_GT(user_read_buf_len_, 0);
   int rv = PR_Read(nss_fd_, user_read_buf_->data(), user_read_buf_len_);
@@ skipping 839 matching lines @@
   valid_thread_id_ = base::PlatformThread::CurrentId();
 }
 
 bool SSLClientSocketNSS::CalledOnValidThread() const {
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 }  // namespace net