1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
1215 if (sct_list_len > 0) | 1215 if (sct_list_len > 0) |
1216 sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len); | 1216 sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len); |
1217 | 1217 |
1218 // Note that this is a completely synchronous operation: The CT Log Verifier | 1218 // Note that this is a completely synchronous operation: The CT Log Verifier |
1219 // gets all the data it needs for SCT verification and does not do any | 1219 // gets all the data it needs for SCT verification and does not do any |
1220 // external communication. | 1220 // external communication. |
1221 cert_transparency_verifier_->Verify( | 1221 cert_transparency_verifier_->Verify( |
1222 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, | 1222 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, |
1223 &ct_verify_result_, net_log_); | 1223 &ct_verify_result_, net_log_); |
1224 | 1224 |
1225 if (!policy_enforcer_) { | 1225 if (policy_enforcer_ && |
1226 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | 1226 (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { |
1227 } else { | 1227 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
1228 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | 1228 SSLConfigService::GetEVCertsWhitelist(); |
1229 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | 1229 if (!policy_enforcer_->DoesConformToCTEVPolicy( |
1230 SSLConfigService::GetEVCertsWhitelist(); | 1230 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), |
1231 if (!policy_enforcer_->DoesConformToCTEVPolicy( | 1231 ct_verify_result_, net_log_)) { |
1232 server_cert_verify_result_.verified_cert.get(), | 1232 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 |
1233 ev_whitelist.get(), ct_verify_result_, net_log_)) { | 1233 VLOG(1) << "EV certificate for " |
1234 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 | 1234 << server_cert_verify_result_.verified_cert->subject() |
1235 VLOG(1) << "EV certificate for " | 1235 .GetDisplayName() |
1236 << server_cert_verify_result_.verified_cert->subject() | 1236 << " does not conform to CT policy, removing EV status."; |
1237 .GetDisplayName() | 1237 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
1238 << " does not conform to CT policy, removing EV status."; | |
1239 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | |
1240 } | |
1241 } | 1238 } |
1242 } | 1239 } |
1243 } | 1240 } |
1244 | 1241 |
1245 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { | 1242 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { |
1246 int rv = DoHandshakeLoop(result); | 1243 int rv = DoHandshakeLoop(result); |
1247 if (rv != ERR_IO_PENDING) { | 1244 if (rv != ERR_IO_PENDING) { |
1248 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 1245 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
1249 DoConnectCallback(rv); | 1246 DoConnectCallback(rv); |
1250 } | 1247 } |
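Review bot: The rewritten condition at new line 1225 changes what happens when `policy_enforcer_` is null: the old branch cleared `CERT_STATUS_IS_EV` in that case, whereas the new code leaves the EV status untouched and skips the CT policy check entirely, so a missing enforcer now fails open rather than closed. If that is the intent (for example, enforcement being opt-in at construction time), it deserves a comment at that line, e.g. `// No policy enforcer: EV status is kept as reported by the verifier and CT conformance is not checked.`, because nothing in the hunk explains the reversal. The enclosing function begins before this hunk, so it is not visible here whether `policy_enforcer_` can actually be null on production paths.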
1921 | 1918 |
1922 NextProto next_proto = NextProtoFromString(npn_proto_); | 1919 NextProto next_proto = NextProtoFromString(npn_proto_); |
1923 for (NextProto allowed : ssl_config_.renego_allowed_for_protos) { | 1920 for (NextProto allowed : ssl_config_.renego_allowed_for_protos) { |
1924 if (next_proto == allowed) | 1921 if (next_proto == allowed) |
1925 return true; | 1922 return true; |
1926 } | 1923 } |
1927 return false; | 1924 return false; |
1928 } | 1925 } |
1929 | 1926 |
1930 } // namespace net | 1927 } // namespace net |