Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(411)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 103803012: Make HSTS headers not clobber preloaded pins. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Rebase and refactor. (Not done yet.) Created 6 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« net/http/transport_security_state.h ('K') | « net/http/transport_security_state_unittest.cc ('k') | net/socket_stream/socket_stream.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in 6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8 8
9 /* ***** BEGIN LICENSE BLOCK ***** 9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
(...skipping 3478 matching lines...) Expand 10 before | Expand all | Expand 10 after
3489 if (transport_security_state_ && 3489 if (transport_security_state_ &&
3490 (result == OK || 3490 (result == OK ||
3491 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && 3491 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
3492 server_cert_verify_result_.is_issued_by_known_root && 3492 server_cert_verify_result_.is_issued_by_known_root &&
3493 TransportSecurityState::IsBuildTimely()) { 3493 TransportSecurityState::IsBuildTimely()) {
3494 bool sni_available = 3494 bool sni_available =
3495 ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 || 3495 ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 ||
3496 ssl_config_.version_fallback; 3496 ssl_config_.version_fallback;
3497 const std::string& host = host_and_port_.host(); 3497 const std::string& host = host_and_port_.host();
3498 3498
3499 TransportSecurityState::DomainState domain_state; 3499 if (transport_security_state_->HasPublicKeyPins(host, sni_available)) {
3500 if (transport_security_state_->GetDomainState(host, sni_available, 3500 if (!transport_security_state_->CheckPublicKeyPins(
Ryan Sleevi 2014/04/08 20:29:11 There's a potential of a perf hit here from having
3501 &domain_state) && 3501 host, sni_available,
3502 domain_state.HasPublicKeyPins()) {
3503 if (!domain_state.CheckPublicKeyPins(
3504 server_cert_verify_result_.public_key_hashes)) { 3502 server_cert_verify_result_.public_key_hashes)) {
3505 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; 3503 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
3506 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false); 3504 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
3507 TransportSecurityState::ReportUMAOnPinFailure(host); 3505 TransportSecurityState::ReportUMAOnPinFailure(host);
3508 } else { 3506 } else {
3509 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true); 3507 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
3510 } 3508 }
3511 } 3509 }
3512 } 3510 }
3513 #endif 3511 #endif
(...skipping 98 matching lines...) Expand 10 before | Expand all | Expand 10 after
3612 scoped_refptr<X509Certificate> 3610 scoped_refptr<X509Certificate>
3613 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { 3611 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
3614 return core_->state().server_cert.get(); 3612 return core_->state().server_cert.get();
3615 } 3613 }
3616 3614
3617 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { 3615 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
3618 return server_bound_cert_service_; 3616 return server_bound_cert_service_;
3619 } 3617 }
3620 3618
3621 } // namespace net 3619 } // namespace net
OLDNEW
« net/http/transport_security_state.h ('K') | « net/http/transport_security_state_unittest.cc ('k') | net/socket_stream/socket_stream.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698