Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(481)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/socket/ssl_client_socket_openssl.cc

Issue 1081913003: Route OCSP stapling through CertVerifier. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@boringnss
Patch Set: Created 5 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/cert/cert_verify_proc_win.cc ('K') | « net/socket/ssl_client_socket_nss.cc ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/socket/ssl_client_socket_openssl.cc
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 7b11ddcb3b4a878aa09aa7217cb220c796c59842..8f98f2a3fa08e3bd460a2c7ff8371692e0d577db 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -145,19 +145,6 @@ int LogErrorCallback(const char* str, size_t len, void* context) {
return 1;
}
-bool IsOCSPStaplingSupported() {
-#if defined(OS_WIN)
- // CERT_OCSP_RESPONSE_PROP_ID is only implemented on Vista+, but it can be
- // set on Windows XP without error. There is some overhead from the server
- // sending the OCSP response if it supports the extension, for the subset of
- // XP clients who will request it but be unable to use it, but this is an
- // acceptable trade-off for simplicity of implementation.
- return true;
-#else
- return false;
-#endif
-}
-
} // namespace
class SSLClientSocketOpenSSL::SSLContext {
@@ -846,7 +833,7 @@ int SSLClientSocketOpenSSL::Init() {
SSL_enable_ocsp_stapling(ssl_);
}
- if (IsOCSPStaplingSupported())
+ if (cert_verifier_->SupportsOCSPStapling())
SSL_enable_ocsp_stapling(ssl_);
// Enable fastradio padding.
@@ -946,7 +933,7 @@ int SSLClientSocketOpenSSL::DoHandshake() {
// Only record OCSP histograms if OCSP was requested.
if (ssl_config_.signed_cert_timestamps_enabled ||
- IsOCSPStaplingSupported()) {
+ cert_verifier_->SupportsOCSPStapling()) {
const uint8_t* ocsp_response;
size_t ocsp_response_len;
SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len);
@@ -1079,6 +1066,15 @@ int SSLClientSocketOpenSSL::DoVerifyCert(int result) {
return ERR_CERT_INVALID;
}
+ std::string ocsp_response;
+ if (cert_verifier_->SupportsOCSPStapling()) {
+ const uint8_t* ocsp_response_raw;
+ size_t ocsp_response_len;
+ SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len);
+ ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw),
+ ocsp_response_len);
+ }
+
start_cert_verification_time_ = base::TimeTicks::Now();
int flags = 0;
@@ -1092,13 +1088,10 @@ int SSLClientSocketOpenSSL::DoVerifyCert(int result) {
flags |= CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS;
verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
return verifier_->Verify(
- server_cert_.get(),
- host_and_port_.host(),
- flags,
+ server_cert_.get(), host_and_port_.host(), ocsp_response, flags,
// TODO(davidben): Route the CRLSet through SSLConfig so
// SSLClientSocket doesn't depend on SSLConfigService.
- SSLConfigService::GetCRLSet().get(),
- &server_cert_verify_result_,
+ SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_,
base::Bind(&SSLClientSocketOpenSSL::OnHandshakeIOComplete,
base::Unretained(this)),
net_log_);
@@ -1174,33 +1167,6 @@ void SSLClientSocketOpenSSL::UpdateServerCert() {
NetLog::TYPE_SSL_CERTIFICATES_RECEIVED,
base::Bind(&NetLogX509CertificateCallback,
base::Unretained(server_cert_.get())));
-
- // TODO(rsleevi): Plumb an OCSP response into the Mac system library and
- // update IsOCSPStaplingSupported for Mac. https://crbug.com/430714
- if (IsOCSPStaplingSupported()) {
-#if defined(OS_WIN)
- const uint8_t* ocsp_response_raw;
- size_t ocsp_response_len;
- SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len);
-
- CRYPT_DATA_BLOB ocsp_response_blob;
- ocsp_response_blob.cbData = ocsp_response_len;
- ocsp_response_blob.pbData = const_cast<BYTE*>(ocsp_response_raw);
- BOOL ok = CertSetCertificateContextProperty(
- server_cert_->os_cert_handle(),
- CERT_OCSP_RESPONSE_PROP_ID,
- CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
- &ocsp_response_blob);
- if (!ok) {
- VLOG(1) << "Failed to set OCSP response property: "
- << GetLastError();
- }
-#else
- // TODO(davidben): Support OCSP stapling when NSS is the system
- // certificate verifier. https://crbug.com/479034.
- NOTREACHED();
-#endif
- }
}
}
« net/cert/cert_verify_proc_win.cc ('K') | « net/socket/ssl_client_socket_nss.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698