Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(81)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/ssl_client_socket_openssl.cc

Issue 1286793002: Treat failure to parse certificates as SSL protocol errors. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: and now with more keys Created 5 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/socket/ssl_client_socket_nss.cc ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle
6 // of operation is derived from SSLClientSocketNSS. 6 // of operation is derived from SSLClientSocketNSS.
7 7
8 #include "net/socket/ssl_client_socket_openssl.h" 8 #include "net/socket/ssl_client_socket_openssl.h"
9 9
10 #include <errno.h> 10 #include <errno.h>
(...skipping 1162 matching lines...) Expand 10 before | Expand all | Expand 10 after
1173 GotoState(STATE_HANDSHAKE); 1173 GotoState(STATE_HANDSHAKE);
1174 return OK; 1174 return OK;
1175 } 1175 }
1176 1176
1177 int SSLClientSocketOpenSSL::DoVerifyCert(int result) { 1177 int SSLClientSocketOpenSSL::DoVerifyCert(int result) {
1178 DCHECK(!server_cert_chain_->empty()); 1178 DCHECK(!server_cert_chain_->empty());
1179 DCHECK(start_cert_verification_time_.is_null()); 1179 DCHECK(start_cert_verification_time_.is_null());
1180 1180
1181 GotoState(STATE_VERIFY_CERT_COMPLETE); 1181 GotoState(STATE_VERIFY_CERT_COMPLETE);
1182 1182
1183 // OpenSSL decoded the certificate, but the platform certificate
1184 // implementation could not. This is treated as a fatal SSL-level protocol
1185 // error rather than a certificate error. See https://crbug.com/91341.
1186 if (!server_cert_.get())
1187 return ERR_SSL_SERVER_CERT_BAD_FORMAT;
1188
1183 // If the certificate is bad and has been previously accepted, use 1189 // If the certificate is bad and has been previously accepted, use
1184 // the previous status and bypass the error. 1190 // the previous status and bypass the error.
1185 base::StringPiece der_cert; 1191 base::StringPiece der_cert;
1186 if (!x509_util::GetDER(server_cert_chain_->Get(0), &der_cert)) { 1192 if (!x509_util::GetDER(server_cert_chain_->Get(0), &der_cert)) {
1187 NOTREACHED(); 1193 NOTREACHED();
1188 return ERR_CERT_INVALID; 1194 return ERR_CERT_INVALID;
1189 } 1195 }
1190 CertStatus cert_status; 1196 CertStatus cert_status;
1191 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) { 1197 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) {
1192 VLOG(1) << "Received an expected bad cert with status: " << cert_status; 1198 VLOG(1) << "Received an expected bad cert with status: " << cert_status;
1193 server_cert_verify_result_.Reset(); 1199 server_cert_verify_result_.Reset();
1194 server_cert_verify_result_.cert_status = cert_status; 1200 server_cert_verify_result_.cert_status = cert_status;
1195 server_cert_verify_result_.verified_cert = server_cert_; 1201 server_cert_verify_result_.verified_cert = server_cert_;
1196 return OK; 1202 return OK;
1197 } 1203 }
1198 1204
1199 // When running in a sandbox, it may not be possible to create an
1200 // X509Certificate*, as that may depend on OS functionality blocked
1201 // in the sandbox.
1202 if (!server_cert_.get()) {
1203 server_cert_verify_result_.Reset();
1204 server_cert_verify_result_.cert_status = CERT_STATUS_INVALID;
1205 return ERR_CERT_INVALID;
1206 }
1207
1208 std::string ocsp_response; 1205 std::string ocsp_response;
1209 if (cert_verifier_->SupportsOCSPStapling()) { 1206 if (cert_verifier_->SupportsOCSPStapling()) {
1210 const uint8_t* ocsp_response_raw; 1207 const uint8_t* ocsp_response_raw;
1211 size_t ocsp_response_len; 1208 size_t ocsp_response_len;
1212 SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len); 1209 SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len);
1213 ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw), 1210 ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw),
1214 ocsp_response_len); 1211 ocsp_response_len);
1215 } 1212 }
1216 1213
1217 start_cert_verification_time_ = base::TimeTicks::Now(); 1214 start_cert_verification_time_ = base::TimeTicks::Now();
(...skipping 923 matching lines...) Expand 10 before | Expand all | Expand 10 after
2141 OnHandshakeIOComplete(signature_result_); 2138 OnHandshakeIOComplete(signature_result_);
2142 return; 2139 return;
2143 } 2140 }
2144 2141
2145 // During a renegotiation, either Read or Write calls may be blocked on an 2142 // During a renegotiation, either Read or Write calls may be blocked on an
2146 // asynchronous private key operation. 2143 // asynchronous private key operation.
2147 PumpReadWriteEvents(); 2144 PumpReadWriteEvents();
2148 } 2145 }
2149 2146
2150 } // namespace net 2147 } // namespace net
OLDNEW
« no previous file with comments | « net/socket/ssl_client_socket_nss.cc ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698