1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
86 #include "crypto/scoped_nss_types.h" | 86 #include "crypto/scoped_nss_types.h" |
87 #include "net/base/address_list.h" | 87 #include "net/base/address_list.h" |
88 #include "net/base/connection_type_histograms.h" | 88 #include "net/base/connection_type_histograms.h" |
89 #include "net/base/dns_util.h" | 89 #include "net/base/dns_util.h" |
90 #include "net/base/io_buffer.h" | 90 #include "net/base/io_buffer.h" |
91 #include "net/base/net_errors.h" | 91 #include "net/base/net_errors.h" |
92 #include "net/base/net_log.h" | 92 #include "net/base/net_log.h" |
93 #include "net/cert/asn1_util.h" | 93 #include "net/cert/asn1_util.h" |
94 #include "net/cert/cert_status_flags.h" | 94 #include "net/cert/cert_status_flags.h" |
95 #include "net/cert/cert_verifier.h" | 95 #include "net/cert/cert_verifier.h" |
96 #include "net/cert/ct_objects_extractor.h" | |
97 #include "net/cert/ct_verifier.h" | 96 #include "net/cert/ct_verifier.h" |
98 #include "net/cert/ct_verify_result.h" | 97 #include "net/cert/ct_verify_result.h" |
99 #include "net/cert/scoped_nss_types.h" | 98 #include "net/cert/scoped_nss_types.h" |
100 #include "net/cert/sct_status_flags.h" | 99 #include "net/cert/sct_status_flags.h" |
101 #include "net/cert/single_request_cert_verifier.h" | 100 #include "net/cert/single_request_cert_verifier.h" |
102 #include "net/cert/x509_certificate_net_log_param.h" | 101 #include "net/cert/x509_certificate_net_log_param.h" |
103 #include "net/cert/x509_util.h" | 102 #include "net/cert/x509_util.h" |
104 #include "net/http/transport_security_state.h" | 103 #include "net/http/transport_security_state.h" |
105 #include "net/ocsp/nss_ocsp.h" | 104 #include "net/ocsp/nss_ocsp.h" |
106 #include "net/socket/client_socket_handle.h" | 105 #include "net/socket/client_socket_handle.h" |
412 HandshakeState() { Reset(); } | 411 HandshakeState() { Reset(); } |
413 | 412 |
414 void Reset() { | 413 void Reset() { |
415 next_proto_status = SSLClientSocket::kNextProtoUnsupported; | 414 next_proto_status = SSLClientSocket::kNextProtoUnsupported; |
416 next_proto.clear(); | 415 next_proto.clear(); |
417 server_protos.clear(); | 416 server_protos.clear(); |
418 channel_id_sent = false; | 417 channel_id_sent = false; |
419 server_cert_chain.Reset(NULL); | 418 server_cert_chain.Reset(NULL); |
420 server_cert = NULL; | 419 server_cert = NULL; |
421 sct_list_from_tls_extension.clear(); | 420 sct_list_from_tls_extension.clear(); |
422 stapled_ocsp_response.clear(); | |
423 resumed_handshake = false; | 421 resumed_handshake = false; |
424 ssl_connection_status = 0; | 422 ssl_connection_status = 0; |
425 } | 423 } |
426 | 424 |
427 // Set to kNextProtoNegotiated if NPN was successfully negotiated, with the | 425 // Set to kNextProtoNegotiated if NPN was successfully negotiated, with the |
428 // negotiated protocol stored in |next_proto|. | 426 // negotiated protocol stored in |next_proto|. |
429 SSLClientSocket::NextProtoStatus next_proto_status; | 427 SSLClientSocket::NextProtoStatus next_proto_status; |
430 std::string next_proto; | 428 std::string next_proto; |
431 // If the server supports NPN, the protocols supported by the server. | 429 // If the server supports NPN, the protocols supported by the server. |
432 std::string server_protos; | 430 std::string server_protos; |
444 // chain (|server_cert_chain|) and then converted into a platform-specific | 442 // chain (|server_cert_chain|) and then converted into a platform-specific |
445 // X509Certificate object (|server_cert|). It's possible for some | 443 // X509Certificate object (|server_cert|). It's possible for some |
446 // certificates to be successfully parsed by NSS, and not by the platform | 444 // certificates to be successfully parsed by NSS, and not by the platform |
447 // libraries (i.e.: when running within a sandbox, different parsing | 445 // libraries (i.e.: when running within a sandbox, different parsing |
448 // algorithms, etc), so it's not safe to assume that |server_cert| will | 446 // algorithms, etc), so it's not safe to assume that |server_cert| will |
449 // always be non-NULL. | 447 // always be non-NULL. |
450 PeerCertificateChain server_cert_chain; | 448 PeerCertificateChain server_cert_chain; |
451 scoped_refptr<X509Certificate> server_cert; | 449 scoped_refptr<X509Certificate> server_cert; |
452 // SignedCertificateTimestampList received via TLS extension (RFC 6962). | 450 // SignedCertificateTimestampList received via TLS extension (RFC 6962). |
453 std::string sct_list_from_tls_extension; | 451 std::string sct_list_from_tls_extension; |
454 // Stapled OCSP response received. | |
455 std::string stapled_ocsp_response; | |
456 | 452 |
457 // True if the current handshake was the result of TLS session resumption. | 453 // True if the current handshake was the result of TLS session resumption. |
458 bool resumed_handshake; | 454 bool resumed_handshake; |
459 | 455 |
460 // The negotiated security parameters (TLS version, cipher, extensions) of | 456 // The negotiated security parameters (TLS version, cipher, extensions) of |
461 // the SSL connection. | 457 // the SSL connection. |
462 int ssl_connection_status; | 458 int ssl_connection_status; |
463 }; | 459 }; |
464 | 460 |
465 // Client-side error mapping functions. | 461 // Client-side error mapping functions. |
757 // ImportChannelIDKeys is a helper function for turning a DER-encoded cert and | 753 // ImportChannelIDKeys is a helper function for turning a DER-encoded cert and |
758 // key into a SECKEYPublicKey and SECKEYPrivateKey. Returns OK upon success | 754 // key into a SECKEYPublicKey and SECKEYPrivateKey. Returns OK upon success |
759 // and an error code otherwise. | 755 // and an error code otherwise. |
760 // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been | 756 // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been |
761 // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller | 757 // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller |
762 // takes ownership of the |*cert| and |*key|. | 758 // takes ownership of the |*cert| and |*key|. |
763 int ImportChannelIDKeys(SECKEYPublicKey** public_key, SECKEYPrivateKey** key); | 759 int ImportChannelIDKeys(SECKEYPublicKey** public_key, SECKEYPrivateKey** key); |
764 | 760 |
765 // Updates the NSS and platform specific certificates. | 761 // Updates the NSS and platform specific certificates. |
766 void UpdateServerCert(); | 762 void UpdateServerCert(); |
767 // Update the nss_handshake_state_ with the SignedCertificateTimestampList | 763 // Update the nss_handshake_state_ with SignedCertificateTimestampLists |
768 // received in the handshake via a TLS extension. | 764 // received in the handshake, via a TLS extension or (to be implemented) |
| 765 // OCSP stapling. |
769 void UpdateSignedCertTimestamps(); | 766 void UpdateSignedCertTimestamps(); |
770 // Update the OCSP response cache with the stapled response received in the | |
771 // handshake, and update nss_handshake_state_ with | |
772 // the SignedCertificateTimestampList received in the stapled OCSP response. | |
773 void UpdateStapledOCSPResponse(); | |
774 // Updates the nss_handshake_state_ with the negotiated security parameters. | 767 // Updates the nss_handshake_state_ with the negotiated security parameters. |
775 void UpdateConnectionStatus(); | 768 void UpdateConnectionStatus(); |
776 // Record histograms for channel id support during full handshakes - resumed | 769 // Record histograms for channel id support during full handshakes - resumed |
777 // handshakes are ignored. | 770 // handshakes are ignored. |
778 void RecordChannelIDSupportOnNSSTaskRunner(); | 771 void RecordChannelIDSupportOnNSSTaskRunner(); |
779 // UpdateNextProto gets any application-layer protocol that may have been | 772 // UpdateNextProto gets any application-layer protocol that may have been |
780 // negotiated by the TLS connection. | 773 // negotiated by the TLS connection. |
781 void UpdateNextProto(); | 774 void UpdateNextProto(); |
782 | 775 |
783 //////////////////////////////////////////////////////////////////////////// | 776 //////////////////////////////////////////////////////////////////////////// |
1663 SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed); | 1656 SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed); |
1664 if (rv == SECSuccess && last_handshake_resumed) { | 1657 if (rv == SECSuccess && last_handshake_resumed) { |
1665 nss_handshake_state_.resumed_handshake = true; | 1658 nss_handshake_state_.resumed_handshake = true; |
1666 } else { | 1659 } else { |
1667 nss_handshake_state_.resumed_handshake = false; | 1660 nss_handshake_state_.resumed_handshake = false; |
1668 } | 1661 } |
1669 | 1662 |
1670 RecordChannelIDSupportOnNSSTaskRunner(); | 1663 RecordChannelIDSupportOnNSSTaskRunner(); |
1671 UpdateServerCert(); | 1664 UpdateServerCert(); |
1672 UpdateSignedCertTimestamps(); | 1665 UpdateSignedCertTimestamps(); |
1673 UpdateStapledOCSPResponse(); | |
1674 UpdateConnectionStatus(); | 1666 UpdateConnectionStatus(); |
1675 UpdateNextProto(); | 1667 UpdateNextProto(); |
1676 | 1668 |
1677 // Update the network task runners view of the handshake state whenever | 1669 // Update the network task runners view of the handshake state whenever |
1678 // a handshake has completed. | 1670 // a handshake has completed. |
1679 PostOrRunCallback( | 1671 PostOrRunCallback( |
1680 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this, | 1672 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this, |
1681 nss_handshake_state_)); | 1673 nss_handshake_state_)); |
1682 } | 1674 } |
1683 | 1675 |
1835 // so that we won't try to resume the non-client-authenticated session in | 1827 // so that we won't try to resume the non-client-authenticated session in |
1836 // the next handshake. This will cause the server to ask for a client | 1828 // the next handshake. This will cause the server to ask for a client |
1837 // cert again. | 1829 // cert again. |
1838 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) | 1830 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) |
1839 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); | 1831 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); |
1840 } else if (rv == SECSuccess) { | 1832 } else if (rv == SECSuccess) { |
1841 if (!handshake_callback_called_) { | 1833 if (!handshake_callback_called_) { |
1842 false_started_ = true; | 1834 false_started_ = true; |
1843 HandshakeSucceeded(); | 1835 HandshakeSucceeded(); |
1844 } | 1836 } |
| 1837 |
| 1838 // TODO(wtc): move this block of code to OwnAuthCertHandler. |
| 1839 #if defined(SSL_ENABLE_OCSP_STAPLING) |
| 1840 // TODO(agl): figure out how to plumb an OCSP response into the Mac |
| 1841 // system library and update IsOCSPStaplingSupported for Mac. |
| 1842 if (IsOCSPStaplingSupported()) { |
| 1843 const SECItemArray* ocsp_responses = |
| 1844 SSL_PeerStapledOCSPResponses(nss_fd_); |
| 1845 if (ocsp_responses->len) { |
| 1846 #if defined(OS_WIN) |
| 1847 if (nss_handshake_state_.server_cert) { |
| 1848 CRYPT_DATA_BLOB ocsp_response_blob; |
| 1849 ocsp_response_blob.cbData = ocsp_responses->items[0].len; |
| 1850 ocsp_response_blob.pbData = ocsp_responses->items[0].data; |
| 1851 BOOL ok = CertSetCertificateContextProperty( |
| 1852 nss_handshake_state_.server_cert->os_cert_handle(), |
| 1853 CERT_OCSP_RESPONSE_PROP_ID, |
| 1854 CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG, |
| 1855 &ocsp_response_blob); |
| 1856 if (!ok) { |
| 1857 VLOG(1) << "Failed to set OCSP response property: " |
| 1858 << GetLastError(); |
| 1859 } |
| 1860 } |
| 1861 #elif defined(USE_NSS) |
| 1862 CacheOCSPResponseFromSideChannelFunction cache_ocsp_response = |
| 1863 GetCacheOCSPResponseFromSideChannelFunction(); |
| 1864 |
| 1865 cache_ocsp_response( |
| 1866 CERT_GetDefaultCertDB(), |
| 1867 nss_handshake_state_.server_cert_chain[0], PR_Now(), |
| 1868 &ocsp_responses->items[0], NULL); |
| 1869 #endif |
| 1870 } |
| 1871 } |
| 1872 #endif |
| 1873 // Done! |
1845 } else { | 1874 } else { |
1846 PRErrorCode prerr = PR_GetError(); | 1875 PRErrorCode prerr = PR_GetError(); |
1847 net_error = HandleNSSError(prerr, true); | 1876 net_error = HandleNSSError(prerr, true); |
1848 | 1877 |
1849 // Some network devices that inspect application-layer packets seem to | 1878 // Some network devices that inspect application-layer packets seem to |
1850 // inject TCP reset packets to break the connections when they see | 1879 // inject TCP reset packets to break the connections when they see |
1851 // TLS 1.1 in ClientHello or ServerHello. See http://crbug.com/130293. | 1880 // TLS 1.1 in ClientHello or ServerHello. See http://crbug.com/130293. |
1852 // | 1881 // |
1853 // Only allow ERR_CONNECTION_RESET to trigger a fallback from TLS 1.1 or | 1882 // Only allow ERR_CONNECTION_RESET to trigger a fallback from TLS 1.1 or |
1854 // 1.2. We don't lose much in this fallback because the explicit IV for CBC | 1883 // 1.2. We don't lose much in this fallback because the explicit IV for CBC |
2400 SSL_PeerSignedCertTimestamps(nss_fd_); | 2429 SSL_PeerSignedCertTimestamps(nss_fd_); |
2401 | 2430 |
2402 if (!signed_cert_timestamps || !signed_cert_timestamps->len) | 2431 if (!signed_cert_timestamps || !signed_cert_timestamps->len) |
2403 return; | 2432 return; |
2404 | 2433 |
2405 nss_handshake_state_.sct_list_from_tls_extension = std::string( | 2434 nss_handshake_state_.sct_list_from_tls_extension = std::string( |
2406 reinterpret_cast<char*>(signed_cert_timestamps->data), | 2435 reinterpret_cast<char*>(signed_cert_timestamps->data), |
2407 signed_cert_timestamps->len); | 2436 signed_cert_timestamps->len); |
2408 } | 2437 } |
2409 | 2438 |
2410 void SSLClientSocketNSS::Core::UpdateStapledOCSPResponse() { | |
2411 const SECItemArray* ocsp_responses = | |
2412 SSL_PeerStapledOCSPResponses(nss_fd_); | |
2413 if (!ocsp_responses || !ocsp_responses->len) | |
2414 return; | |
2415 | |
2416 nss_handshake_state_.stapled_ocsp_response = std::string( | |
2417 reinterpret_cast<char*>(ocsp_responses->items[0].data), | |
2418 ocsp_responses->items[0].len); | |
2419 | |
2420 // TODO(agl): figure out how to plumb an OCSP response into the Mac | |
2421 // system library and update IsOCSPStaplingSupported for Mac. | |
2422 if (IsOCSPStaplingSupported()) { | |
2423 #if defined(OS_WIN) | |
2424 if (nss_handshake_state_.server_cert) { | |
2425 CRYPT_DATA_BLOB ocsp_response_blob; | |
2426 ocsp_response_blob.cbData = ocsp_responses->items[0].len; | |
2427 ocsp_response_blob.pbData = ocsp_responses->items[0].data; | |
2428 BOOL ok = CertSetCertificateContextProperty( | |
2429 nss_handshake_state_.server_cert->os_cert_handle(), | |
2430 CERT_OCSP_RESPONSE_PROP_ID, | |
2431 CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG, | |
2432 &ocsp_response_blob); | |
2433 if (!ok) { | |
2434 VLOG(1) << "Failed to set OCSP response property: " | |
2435 << GetLastError(); | |
2436 } | |
2437 } | |
2438 #elif defined(USE_NSS) | |
2439 CacheOCSPResponseFromSideChannelFunction cache_ocsp_response = | |
2440 GetCacheOCSPResponseFromSideChannelFunction(); | |
2441 | |
2442 cache_ocsp_response( | |
2443 CERT_GetDefaultCertDB(), | |
2444 nss_handshake_state_.server_cert_chain[0], PR_Now(), | |
2445 &ocsp_responses->items[0], NULL); | |
2446 #endif | |
2447 } // IsOCSPStaplingSupported() | |
2448 } | |
2449 | |
2450 void SSLClientSocketNSS::Core::UpdateConnectionStatus() { | 2439 void SSLClientSocketNSS::Core::UpdateConnectionStatus() { |
2451 SSLChannelInfo channel_info; | 2440 SSLChannelInfo channel_info; |
2452 SECStatus ok = SSL_GetChannelInfo(nss_fd_, | 2441 SECStatus ok = SSL_GetChannelInfo(nss_fd_, |
2453 &channel_info, sizeof(channel_info)); | 2442 &channel_info, sizeof(channel_info)); |
2454 if (ok == SECSuccess && | 2443 if (ok == SECSuccess && |
2455 channel_info.length == sizeof(channel_info) && | 2444 channel_info.length == sizeof(channel_info) && |
2456 channel_info.cipherSuite) { | 2445 channel_info.cipherSuite) { |
2457 nss_handshake_state_.ssl_connection_status |= | 2446 nss_handshake_state_.ssl_connection_status |= |
2458 (static_cast<int>(channel_info.cipherSuite) & | 2447 (static_cast<int>(channel_info.cipherSuite) & |
2459 SSL_CONNECTION_CIPHERSUITE_MASK) << | 2448 SSL_CONNECTION_CIPHERSUITE_MASK) << |
3206 LogFailedNSSFunction( | 3195 LogFailedNSSFunction( |
3207 net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION"); | 3196 net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION"); |
3208 } | 3197 } |
3209 | 3198 |
3210 rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE); | 3199 rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE); |
3211 if (rv != SECSuccess) | 3200 if (rv != SECSuccess) |
3212 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV"); | 3201 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV"); |
3213 | 3202 |
3214 // Added in NSS 3.15 | 3203 // Added in NSS 3.15 |
3215 #ifdef SSL_ENABLE_OCSP_STAPLING | 3204 #ifdef SSL_ENABLE_OCSP_STAPLING |
3216 // Request OCSP stapling even on platforms that don't support it, in | 3205 if (IsOCSPStaplingSupported()) { |
3217 // order to extract Certificate Transparency information. | 3206 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE); |
3218 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, | 3207 if (rv != SECSuccess) { |
3219 (IsOCSPStaplingSupported() || | 3208 LogFailedNSSFunction(net_log_, "SSL_OptionSet", |
3220 ssl_config_.signed_cert_timestamps_enabled)); | 3209 "SSL_ENABLE_OCSP_STAPLING"); |
3221 if (rv != SECSuccess) { | 3210 } |
3222 LogFailedNSSFunction(net_log_, "SSL_OptionSet", | |
3223 "SSL_ENABLE_OCSP_STAPLING"); | |
3224 } | 3211 } |
3225 #endif | 3212 #endif |
3226 | 3213 |
3227 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, | 3214 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, |
3228 ssl_config_.signed_cert_timestamps_enabled); | 3215 ssl_config_.signed_cert_timestamps_enabled); |
3229 if (rv != SECSuccess) { | 3216 if (rv != SECSuccess) { |
3230 LogFailedNSSFunction(net_log_, "SSL_OptionSet", | 3217 LogFailedNSSFunction(net_log_, "SSL_OptionSet", |
3231 "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS"); | 3218 "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS"); |
3232 } | 3219 } |
3233 | 3220 |
3371 EnterFunction(result); | 3358 EnterFunction(result); |
3372 | 3359 |
3373 if (result == OK) { | 3360 if (result == OK) { |
3374 // SSL handshake is completed. Let's verify the certificate. | 3361 // SSL handshake is completed. Let's verify the certificate. |
3375 GotoState(STATE_VERIFY_CERT); | 3362 GotoState(STATE_VERIFY_CERT); |
3376 // Done! | 3363 // Done! |
3377 } | 3364 } |
3378 set_channel_id_sent(core_->state().channel_id_sent); | 3365 set_channel_id_sent(core_->state().channel_id_sent); |
3379 set_signed_cert_timestamps_received( | 3366 set_signed_cert_timestamps_received( |
3380 !core_->state().sct_list_from_tls_extension.empty()); | 3367 !core_->state().sct_list_from_tls_extension.empty()); |
3381 set_stapled_ocsp_response_received( | |
3382 !core_->state().stapled_ocsp_response.empty()); | |
3383 | 3368 |
3384 LeaveFunction(result); | 3369 LeaveFunction(result); |
3385 return result; | 3370 return result; |
3386 } | 3371 } |
3387 | 3372 |
3388 int SSLClientSocketNSS::DoVerifyCert(int result) { | 3373 int SSLClientSocketNSS::DoVerifyCert(int result) { |
3389 DCHECK(!core_->state().server_cert_chain.empty()); | 3374 DCHECK(!core_->state().server_cert_chain.empty()); |
3390 DCHECK(core_->state().server_cert_chain[0]); | 3375 DCHECK(core_->state().server_cert_chain[0]); |
3391 | 3376 |
3392 GotoState(STATE_VERIFY_CERT_COMPLETE); | 3377 GotoState(STATE_VERIFY_CERT_COMPLETE); |
3530 | 3515 |
3531 void SSLClientSocketNSS::VerifyCT() { | 3516 void SSLClientSocketNSS::VerifyCT() { |
3532 if (!cert_transparency_verifier_) | 3517 if (!cert_transparency_verifier_) |
3533 return; | 3518 return; |
3534 | 3519 |
3535 // Note that this is a completely synchronous operation: The CT Log Verifier | 3520 // Note that this is a completely synchronous operation: The CT Log Verifier |
3536 // gets all the data it needs for SCT verification and does not do any | 3521 // gets all the data it needs for SCT verification and does not do any |
3537 // external communication. | 3522 // external communication. |
3538 int result = cert_transparency_verifier_->Verify( | 3523 int result = cert_transparency_verifier_->Verify( |
3539 server_cert_verify_result_.verified_cert, | 3524 server_cert_verify_result_.verified_cert, |
3540 core_->state().stapled_ocsp_response, | 3525 std::string(), // SCT list from OCSP response |
3541 core_->state().sct_list_from_tls_extension, | 3526 core_->state().sct_list_from_tls_extension, |
3542 &ct_verify_result_, | 3527 &ct_verify_result_, |
3543 net_log_); | 3528 net_log_); |
3544 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension | |
3545 // from the state after verification is complete, to conserve memory. | |
3546 | 3529 |
3547 VLOG(1) << "CT Verification complete: result " << result | 3530 VLOG(1) << "CT Verification complete: result " << result |
3548 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() | 3531 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() |
3549 << " Verified scts: " << ct_verify_result_.verified_scts.size() | 3532 << " Verified scts: " << ct_verify_result_.verified_scts.size() |
3550 << " scts from unknown logs: " | 3533 << " scts from unknown logs: " |
3551 << ct_verify_result_.unknown_logs_scts.size(); | 3534 << ct_verify_result_.unknown_logs_scts.size(); |
3552 } | 3535 } |
3553 | 3536 |
3554 void SSLClientSocketNSS::LogConnectionTypeMetrics() const { | 3537 void SSLClientSocketNSS::LogConnectionTypeMetrics() const { |
3555 UpdateConnectionTypeHistograms(CONNECTION_SSL); | 3538 UpdateConnectionTypeHistograms(CONNECTION_SSL); |
3607 SignedCertificateTimestampAndStatus(*iter, | 3590 SignedCertificateTimestampAndStatus(*iter, |
3608 ct::SCT_STATUS_LOG_UNKNOWN)); | 3591 ct::SCT_STATUS_LOG_UNKNOWN)); |
3609 } | 3592 } |
3610 } | 3593 } |
3611 | 3594 |
3612 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { | 3595 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { |
3613 return server_bound_cert_service_; | 3596 return server_bound_cert_service_; |
3614 } | 3597 } |
3615 | 3598 |
3616 } // namespace net | 3599 } // namespace net |
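Review bot: In the restored OCSP stapling block, `ocsp_responses` is dereferenced at new line 1845 (`if (ocsp_responses->len) {`) without a null check, although the helper this change deletes guarded the same call with `if (!ocsp_responses || !ocsp_responses->len)` at old line 2413; SSL_PeerStapledOCSPResponses() can return NULL, so the condition should read `if (ocsp_responses && ocsp_responses->len) {`. The function enclosing that block begins and ends outside the hunk. Separately, the comment at new lines 763-765 says UpdateSignedCertTimestamps() also covers SCTs received via OCSP stapling "(to be implemented)", but the body at new lines 2429-2437 only reads the TLS extension, so the comment documents behavior the code does not have; suggest keeping it to `// received in the handshake via a TLS extension.` until that path exists. Minor style point: the new block uses `#if defined(SSL_ENABLE_OCSP_STAPLING)` at new line 1839 while the option-setting code at new line 3204 uses `#ifdef SSL_ENABLE_OCSP_STAPLING`; one form throughout would be easier to grep.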
OLD | NEW |