1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
1173 GotoState(STATE_HANDSHAKE); | 1173 GotoState(STATE_HANDSHAKE); |
1174 return OK; | 1174 return OK; |
1175 } | 1175 } |
1176 | 1176 |
1177 int SSLClientSocketOpenSSL::DoVerifyCert(int result) { | 1177 int SSLClientSocketOpenSSL::DoVerifyCert(int result) { |
1178 DCHECK(!server_cert_chain_->empty()); | 1178 DCHECK(!server_cert_chain_->empty()); |
1179 DCHECK(start_cert_verification_time_.is_null()); | 1179 DCHECK(start_cert_verification_time_.is_null()); |
1180 | 1180 |
1181 GotoState(STATE_VERIFY_CERT_COMPLETE); | 1181 GotoState(STATE_VERIFY_CERT_COMPLETE); |
1182 | 1182 |
| 1183 // OpenSSL decoded the certificate, but the platform certificate |
| 1184 // implementation could not. This is treated as a fatal SSL-level protocol |
| 1185 // error rather than a certificate error. See https://crbug.com/91341. |
| 1186 if (!server_cert_.get()) |
| 1187 return ERR_SSL_SERVER_CERT_BAD_FORMAT; |
| 1188 |
1183 // If the certificate is bad and has been previously accepted, use | 1189 // If the certificate is bad and has been previously accepted, use |
1184 // the previous status and bypass the error. | 1190 // the previous status and bypass the error. |
1185 base::StringPiece der_cert; | 1191 base::StringPiece der_cert; |
1186 if (!x509_util::GetDER(server_cert_chain_->Get(0), &der_cert)) { | 1192 if (!x509_util::GetDER(server_cert_chain_->Get(0), &der_cert)) { |
1187 NOTREACHED(); | 1193 NOTREACHED(); |
1188 return ERR_CERT_INVALID; | 1194 return ERR_CERT_INVALID; |
1189 } | 1195 } |
1190 CertStatus cert_status; | 1196 CertStatus cert_status; |
1191 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) { | 1197 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) { |
1192 VLOG(1) << "Received an expected bad cert with status: " << cert_status; | 1198 VLOG(1) << "Received an expected bad cert with status: " << cert_status; |
1193 server_cert_verify_result_.Reset(); | 1199 server_cert_verify_result_.Reset(); |
1194 server_cert_verify_result_.cert_status = cert_status; | 1200 server_cert_verify_result_.cert_status = cert_status; |
1195 server_cert_verify_result_.verified_cert = server_cert_; | 1201 server_cert_verify_result_.verified_cert = server_cert_; |
1196 return OK; | 1202 return OK; |
1197 } | 1203 } |
1198 | 1204 |
1199 // When running in a sandbox, it may not be possible to create an | |
1200 // X509Certificate*, as that may depend on OS functionality blocked | |
1201 // in the sandbox. | |
1202 if (!server_cert_.get()) { | |
1203 server_cert_verify_result_.Reset(); | |
1204 server_cert_verify_result_.cert_status = CERT_STATUS_INVALID; | |
1205 return ERR_CERT_INVALID; | |
1206 } | |
1207 | |
1208 std::string ocsp_response; | 1205 std::string ocsp_response; |
1209 if (cert_verifier_->SupportsOCSPStapling()) { | 1206 if (cert_verifier_->SupportsOCSPStapling()) { |
1210 const uint8_t* ocsp_response_raw; | 1207 const uint8_t* ocsp_response_raw; |
1211 size_t ocsp_response_len; | 1208 size_t ocsp_response_len; |
1212 SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len); | 1209 SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len); |
1213 ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw), | 1210 ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw), |
1214 ocsp_response_len); | 1211 ocsp_response_len); |
1215 } | 1212 } |
1216 | 1213 |
1217 start_cert_verification_time_ = base::TimeTicks::Now(); | 1214 start_cert_verification_time_ = base::TimeTicks::Now(); |
2141 OnHandshakeIOComplete(signature_result_); | 2138 OnHandshakeIOComplete(signature_result_); |
2142 return; | 2139 return; |
2143 } | 2140 } |
2144 | 2141 |
2145 // During a renegotiation, either Read or Write calls may be blocked on an | 2142 // During a renegotiation, either Read or Write calls may be blocked on an |
2146 // asynchronous private key operation. | 2143 // asynchronous private key operation. |
2147 PumpReadWriteEvents(); | 2144 PumpReadWriteEvents(); |
2148 } | 2145 } |
2149 | 2146 |
2150 } // namespace net | 2147 } // namespace net |
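Review bot: The new early return at new lines 1186-1187 of DoVerifyCert leaves server_cert_verify_result_ untouched, whereas the removed block (old lines 1202-1206) reset it and set cert_status to CERT_STATUS_INVALID before failing. If anything reads that member after a failed handshake, it would now see whatever was stored there before. Either keep `server_cert_verify_result_.Reset();` ahead of the return, or state in the comment that the result is deliberately left unset for this error. The comment should also record why the check sits above the IsAllowedBadCert() branch, which assigns server_cert_ to verified_cert and returns OK, for example `// Must precede the IsAllowedBadCert() bypass, which would otherwise return OK with a null verified_cert.` DoVerifyCert continues past new line 1214 into the skipped region, so the verifier call itself is not visible here.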