Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 108113006: Revert of Extract Certificate Transparency SCTs from stapled OCSP responses (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@extract_scts
Patch Set: Created 7 years ago
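--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ -86,21 +86,20 @@
 #include "crypto/scoped_nss_types.h"
 #include "net/base/address_list.h"
 #include "net/base/connection_type_histograms.h"
 #include "net/base/dns_util.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
-#include "net/cert/ct_objects_extractor.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/ct_verify_result.h"
 #include "net/cert/scoped_nss_types.h"
 #include "net/cert/sct_status_flags.h"
 #include "net/cert/single_request_cert_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/cert/x509_util.h"
 #include "net/http/transport_security_state.h"
 #include "net/ocsp/nss_ocsp.h"
 #include "net/socket/client_socket_handle.h"
@@ -412,21 +411,20 @@
 HandshakeState() { Reset(); }
 
 void Reset() {
 next_proto_status = SSLClientSocket::kNextProtoUnsupported;
 next_proto.clear();
 server_protos.clear();
 channel_id_sent = false;
 server_cert_chain.Reset(NULL);
 server_cert = NULL;
 sct_list_from_tls_extension.clear();
-stapled_ocsp_response.clear();
 resumed_handshake = false;
 ssl_connection_status = 0;
 }
 
 // Set to kNextProtoNegotiated if NPN was successfully negotiated, with the
 // negotiated protocol stored in |next_proto|.
 SSLClientSocket::NextProtoStatus next_proto_status;
 std::string next_proto;
 // If the server supports NPN, the protocols supported by the server.
 std::string server_protos;
@@ -444,22 +442,20 @@
 // chain (|server_cert_chain|) and then converted into a platform-specific
 // X509Certificate object (|server_cert|). It's possible for some
 // certificates to be successfully parsed by NSS, and not by the platform
 // libraries (i.e.: when running within a sandbox, different parsing
 // algorithms, etc), so it's not safe to assume that |server_cert| will
 // always be non-NULL.
 PeerCertificateChain server_cert_chain;
 scoped_refptr<X509Certificate> server_cert;
 // SignedCertificateTimestampList received via TLS extension (RFC 6962).
 std::string sct_list_from_tls_extension;
-// Stapled OCSP response received.
-std::string stapled_ocsp_response;
 
 // True if the current handshake was the result of TLS session resumption.
 bool resumed_handshake;
 
 // The negotiated security parameters (TLS version, cipher, extensions) of
 // the SSL connection.
 int ssl_connection_status;
 };
 
 // Client-side error mapping functions.
@@ -757,27 +753,24 @@
 // ImportChannelIDKeys is a helper function for turning a DER-encoded cert and
 // key into a SECKEYPublicKey and SECKEYPrivateKey. Returns OK upon success
 // and an error code otherwise.
 // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been
 // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller
 // takes ownership of the |*cert| and |*key|.
 int ImportChannelIDKeys(SECKEYPublicKey** public_key, SECKEYPrivateKey** key);
 
 // Updates the NSS and platform specific certificates.
 void UpdateServerCert();
-// Update the nss_handshake_state_ with the SignedCertificateTimestampList
-// received in the handshake via a TLS extension.
+// Update the nss_handshake_state_ with SignedCertificateTimestampLists
+// received in the handshake, via a TLS extension or (to be implemented)
+// OCSP stapling.
 void UpdateSignedCertTimestamps();
-// Update the OCSP response cache with the stapled response received in the
-// handshake, and update nss_handshake_state_ with
-// the SignedCertificateTimestampList received in the stapled OCSP response.
-void UpdateStapledOCSPResponse();
 // Updates the nss_handshake_state_ with the negotiated security parameters.
 void UpdateConnectionStatus();
 // Record histograms for channel id support during full handshakes - resumed
 // handshakes are ignored.
 void RecordChannelIDSupportOnNSSTaskRunner();
 // UpdateNextProto gets any application-layer protocol that may have been
 // negotiated by the TLS connection.
 void UpdateNextProto();
 
 ////////////////////////////////////////////////////////////////////////////
@@ -1663,21 +1656,20 @@
 SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed);
 if (rv == SECSuccess && last_handshake_resumed) {
 nss_handshake_state_.resumed_handshake = true;
 } else {
 nss_handshake_state_.resumed_handshake = false;
 }
 
 RecordChannelIDSupportOnNSSTaskRunner();
 UpdateServerCert();
 UpdateSignedCertTimestamps();
-UpdateStapledOCSPResponse();
 UpdateConnectionStatus();
 UpdateNextProto();
 
 // Update the network task runners view of the handshake state whenever
 // a handshake has completed.
 PostOrRunCallback(
 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this,
 nss_handshake_state_));
 }
 
@@ -1835,20 +1827,57 @@
 // so that we won't try to resume the non-client-authenticated session in
 // the next handshake. This will cause the server to ask for a client
 // cert again.
 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess)
 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError();
 } else if (rv == SECSuccess) {
 if (!handshake_callback_called_) {
 false_started_ = true;
 HandshakeSucceeded();
 }
+
+// TODO(wtc): move this block of code to OwnAuthCertHandler.
+#if defined(SSL_ENABLE_OCSP_STAPLING)
+// TODO(agl): figure out how to plumb an OCSP response into the Mac
+// system library and update IsOCSPStaplingSupported for Mac.
+if (IsOCSPStaplingSupported()) {
+const SECItemArray* ocsp_responses =
+SSL_PeerStapledOCSPResponses(nss_fd_);
+if (ocsp_responses->len) {
+#if defined(OS_WIN)
+if (nss_handshake_state_.server_cert) {
+CRYPT_DATA_BLOB ocsp_response_blob;
+ocsp_response_blob.cbData = ocsp_responses->items[0].len;
+ocsp_response_blob.pbData = ocsp_responses->items[0].data;
+BOOL ok = CertSetCertificateContextProperty(
+nss_handshake_state_.server_cert->os_cert_handle(),
+CERT_OCSP_RESPONSE_PROP_ID,
+CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
+&ocsp_response_blob);
+if (!ok) {
+VLOG(1) << "Failed to set OCSP response property: "
+<< GetLastError();
+}
+}
+#elif defined(USE_NSS)
+CacheOCSPResponseFromSideChannelFunction cache_ocsp_response =
+GetCacheOCSPResponseFromSideChannelFunction();
+
+cache_ocsp_response(
+CERT_GetDefaultCertDB(),
+nss_handshake_state_.server_cert_chain[0], PR_Now(),
+&ocsp_responses->items[0], NULL);
+#endif
+}
+}
+#endif
+// Done!
 } else {
 PRErrorCode prerr = PR_GetError();
 net_error = HandleNSSError(prerr, true);
 
 // Some network devices that inspect application-layer packets seem to
 // inject TCP reset packets to break the connections when they see
 // TLS 1.1 in ClientHello or ServerHello. See http://crbug.com/130293.
 //
 // Only allow ERR_CONNECTION_RESET to trigger a fallback from TLS 1.1 or
 // 1.2. We don't lose much in this fallback because the explicit IV for CBC
@@ -2400,60 +2429,20 @@
 SSL_PeerSignedCertTimestamps(nss_fd_);
 
 if (!signed_cert_timestamps || !signed_cert_timestamps->len)
 return;
 
 nss_handshake_state_.sct_list_from_tls_extension = std::string(
 reinterpret_cast<char*>(signed_cert_timestamps->data),
 signed_cert_timestamps->len);
 }
 
-void SSLClientSocketNSS::Core::UpdateStapledOCSPResponse() {
-const SECItemArray* ocsp_responses =
-SSL_PeerStapledOCSPResponses(nss_fd_);
-if (!ocsp_responses || !ocsp_responses->len)
-return;
-
-nss_handshake_state_.stapled_ocsp_response = std::string(
-reinterpret_cast<char*>(ocsp_responses->items[0].data),
-ocsp_responses->items[0].len);
-
-// TODO(agl): figure out how to plumb an OCSP response into the Mac
-// system library and update IsOCSPStaplingSupported for Mac.
-if (IsOCSPStaplingSupported()) {
-#if defined(OS_WIN)
-if (nss_handshake_state_.server_cert) {
-CRYPT_DATA_BLOB ocsp_response_blob;
-ocsp_response_blob.cbData = ocsp_responses->items[0].len;
-ocsp_response_blob.pbData = ocsp_responses->items[0].data;
-BOOL ok = CertSetCertificateContextProperty(
-nss_handshake_state_.server_cert->os_cert_handle(),
-CERT_OCSP_RESPONSE_PROP_ID,
-CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
-&ocsp_response_blob);
-if (!ok) {
-VLOG(1) << "Failed to set OCSP response property: "
-<< GetLastError();
-}
-}
-#elif defined(USE_NSS)
-CacheOCSPResponseFromSideChannelFunction cache_ocsp_response =
-GetCacheOCSPResponseFromSideChannelFunction();
-
-cache_ocsp_response(
-CERT_GetDefaultCertDB(),
-nss_handshake_state_.server_cert_chain[0], PR_Now(),
-&ocsp_responses->items[0], NULL);
-#endif
-} // IsOCSPStaplingSupported()
-}
-
 void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
 SSLChannelInfo channel_info;
 SECStatus ok = SSL_GetChannelInfo(nss_fd_,
 &channel_info, sizeof(channel_info));
 if (ok == SECSuccess &&
 channel_info.length == sizeof(channel_info) &&
 channel_info.cipherSuite) {
 nss_handshake_state_.ssl_connection_status |=
 (static_cast<int>(channel_info.cipherSuite) &
 SSL_CONNECTION_CIPHERSUITE_MASK) <<
@@ -3206,28 +3195,26 @@
 LogFailedNSSFunction(
 net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
 }
 
 rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE);
 if (rv != SECSuccess)
 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV");
 
 // Added in NSS 3.15
 #ifdef SSL_ENABLE_OCSP_STAPLING
-// Request OCSP stapling even on platforms that don't support it, in
-// order to extract Certificate Transparency information.
-rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING,
-(IsOCSPStaplingSupported() ||
-ssl_config_.signed_cert_timestamps_enabled));
-if (rv != SECSuccess) {
-LogFailedNSSFunction(net_log_, "SSL_OptionSet",
-"SSL_ENABLE_OCSP_STAPLING");
+if (IsOCSPStaplingSupported()) {
+rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
+if (rv != SECSuccess) {
+LogFailedNSSFunction(net_log_, "SSL_OptionSet",
+"SSL_ENABLE_OCSP_STAPLING");
+}
 }
 #endif
 
 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS,
 ssl_config_.signed_cert_timestamps_enabled);
 if (rv != SECSuccess) {
 LogFailedNSSFunction(net_log_, "SSL_OptionSet",
 "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS");
 }
 
@@ -3371,22 +3358,20 @@
 EnterFunction(result);
 
 if (result == OK) {
 // SSL handshake is completed. Let's verify the certificate.
 GotoState(STATE_VERIFY_CERT);
 // Done!
 }
 set_channel_id_sent(core_->state().channel_id_sent);
 set_signed_cert_timestamps_received(
 !core_->state().sct_list_from_tls_extension.empty());
-set_stapled_ocsp_response_received(
-!core_->state().stapled_ocsp_response.empty());
 
 LeaveFunction(result);
 return result;
 }
 
 int SSLClientSocketNSS::DoVerifyCert(int result) {
 DCHECK(!core_->state().server_cert_chain.empty());
 DCHECK(core_->state().server_cert_chain[0]);
 
 GotoState(STATE_VERIFY_CERT_COMPLETE);
@@ -3530,26 +3515,24 @@
 
 void SSLClientSocketNSS::VerifyCT() {
 if (!cert_transparency_verifier_)
 return;
 
 // Note that this is a completely synchronous operation: The CT Log Verifier
 // gets all the data it needs for SCT verification and does not do any
 // external communication.
 int result = cert_transparency_verifier_->Verify(
 server_cert_verify_result_.verified_cert,
-core_->state().stapled_ocsp_response,
+std::string(), // SCT list from OCSP response
 core_->state().sct_list_from_tls_extension,
 &ct_verify_result_,
 net_log_);
-// TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension
-// from the state after verification is complete, to conserve memory.
 
 VLOG(1) << "CT Verification complete: result " << result
 << " Invalid scts: " << ct_verify_result_.invalid_scts.size()
 << " Verified scts: " << ct_verify_result_.verified_scts.size()
 << " scts from unknown logs: "
 << ct_verify_result_.unknown_logs_scts.size();
 }
 
 void SSLClientSocketNSS::LogConnectionTypeMetrics() const {
 UpdateConnectionTypeHistograms(CONNECTION_SSL);
@@ -3607,10 +3590,10 @@
 SignedCertificateTimestampAndStatus(*iter,
 ct::SCT_STATUS_LOG_UNKNOWN));
 }
 }
 
 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
 return server_bound_cert_service_;
 }
 
 } // namespace net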
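Review bot: The restored OCSP-stapling block at new lines 1843-1845 dereferences the result of `SSL_PeerStapledOCSPResponses(nss_fd_)` via `ocsp_responses->len` with no NULL check, whereas the removed `UpdateStapledOCSPResponse` guarded it with `if (!ocsp_responses || !ocsp_responses->len)`; since this is a revert the guard is presumably just not carried back, but `if (ocsp_responses && ocsp_responses->len) {` would keep it. The USE_NSS branch of the same block also indexes `nss_handshake_state_.server_cert_chain[0]` before `DoVerifyCert` DCHECKs the chain non-empty, so a stapled response arriving with an empty parsed chain is not checked at this point. The enclosing function starts and ends outside the shown chunk.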