net/socket/ssl_client_socket_nss.cc - Issue 13466020: Clean up comments and code for pin validation.

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 13466020: Clean up comments and code for pin validation. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 7 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived	5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived

6 // from AuthCertificateCallback() in	6 // from AuthCertificateCallback() in

7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.	7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.

8	8

9 /* *** BEGIN LICENSE BLOCK ***	9 /* *** BEGIN LICENSE BLOCK ***

10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1	10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1

(...skipping 3430 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
3441 LogConnectionTypeMetrics();	3441 LogConnectionTypeMetrics();

3442	3442

3443 completed_handshake_ = true;	3443 completed_handshake_ = true;

3444	3444

3445 #if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS)	3445 #if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS)

3446 // Take care of any mandates for public key pinning.	3446 // Take care of any mandates for public key pinning.

3447 //	3447 //

3448 // Pinning is only enabled for official builds to make sure that others don't	3448 // Pinning is only enabled for official builds to make sure that others don't

3449 // end up with pins that cannot be easily updated.	3449 // end up with pins that cannot be easily updated.

3450 //	3450 //

3451 // TODO(agl): we might have an issue here where a request for foo.example.com	3451 // TODO(agl): We might have an issue here where a request for foo.example.com

3452 // merges into a SPDY connection to www.example.com, and gets a different	3452 // merges into a SPDY connection to www.example.com, and gets a different

3453 // certificate.	3453 // certificate.

3454	3454

	3455 // Perform pin validation if, and only if, all these conditions obtain:

	3456 //

	3457 // * the build is recent (very old builds should fail open so that users

	3458 // have some chance to recover);

	3459 // * the server's certificate chain is valid (or suffers from only a minor

	3460 // error);

	3461 // * the server's certificate chain chains up to a known root (i.e. not a

	3462 // user-installed trust anchor); and

	3463 // * a TransportSecurityState object is available.

	3464 //

3455 const CertStatus cert_status = server_cert_verify_result_.cert_status;	3465 const CertStatus cert_status = server_cert_verify_result_.cert_status;

3456 if ((result == OK \|\| (IsCertificateError(result) &&	3466 if (TransportSecurityState::IsBuildTimely() &&
	Ryan Sleevi 2013/04/02 23:28:21 I'm not so sure about moving this clause out, as i I'm not so sure about moving this clause out, as it will prevent dynamic pins from working. Ryan Sleevi 2013/04/03 19:33:10 The only thing I'd do is move the IsBuildTimely() The only thing I'd do is move the IsBuildTimely() check to the last of the conditional, since everything above it is just an integer comparison, and the function naming "suggests" it may be an expensive (eg: non-trivial) call. This is just pedantry though. palmer 2013/04/04 20:56:33 You know I like pedantry. Done. Show quoted text > This is just pedantry though. You know I like pedantry. Done.
3457 IsCertStatusMinorError(cert_status))) &&	3467 (result == OK \|\|

	3468 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&

3458 server_cert_verify_result_.is_issued_by_known_root &&	3469 server_cert_verify_result_.is_issued_by_known_root &&

3459 transport_security_state_) {	3470 transport_security_state_) {

3460 bool sni_available =	3471 bool sni_available =

3461 ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 \|\|	3472 ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 \|\|

3462 ssl_config_.version_fallback;	3473 ssl_config_.version_fallback;

3463 const std::string& host = host_and_port_.host();	3474 const std::string& host = host_and_port_.host();

3464	3475

3465 TransportSecurityState::DomainState domain_state;	3476 TransportSecurityState::DomainState domain_state;

3466 if (transport_security_state_->GetDomainState(host, sni_available,	3477 if (transport_security_state_->GetDomainState(host, sni_available,

3467 &domain_state) &&	3478 &domain_state) &&

3468 domain_state.HasPublicKeyPins()) {	3479 !domain_state.CheckPublicKeyPins(

3469 if (!domain_state.CheckPublicKeyPins(	3480 server_cert_verify_result_.public_key_hashes)) {

3470 server_cert_verify_result_.public_key_hashes)) {	3481 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;

3471 // Pins are not enforced if the build is too old.	3482 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);

3472 if (TransportSecurityState::IsBuildTimely()) {	3483 TransportSecurityState::ReportUMAOnPinFailure(host);

3473 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;	3484 } else {

3474 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);	3485 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
	Ryan Sleevi 2013/04/03 19:33:10 This is going to start artificially increasing thi This is going to start artificially increasing this #. In the previous code, we only UMA' success d on HasPublicKeyPins . You now UMA it unconditionally (CheckPublicKeyPins returns true even if there are no pins) palmer 2013/04/04 20:56:33 Oops. Fixed. Show quoted text > This is going to start artificially increasing this #. > > In the previous code, we only UMA' success d on HasPublicKeyPins . You now UMA > it unconditionally (CheckPublicKeyPins returns true even if there are no pins) Oops. Fixed.
3475 TransportSecurityState::ReportUMAOnPinFailure(host);

3476 }

3477 } else {

3478 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);

3479 }

3480 }	3486 }

3481 }	3487 }

3482 #endif	3488 #endif

3483	3489

3484 // Exit DoHandshakeLoop and return the result to the caller to Connect.	3490 // Exit DoHandshakeLoop and return the result to the caller to Connect.

3485 DCHECK_EQ(STATE_NONE, next_handshake_state_);	3491 DCHECK_EQ(STATE_NONE, next_handshake_state_);

3486 return result;	3492 return result;

3487 }	3493 }

3488	3494

3489 void SSLClientSocketNSS::LogConnectionTypeMetrics() const {	3495 void SSLClientSocketNSS::LogConnectionTypeMetrics() const {

(...skipping 40 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
3530 EnsureThreadIdAssigned();	3536 EnsureThreadIdAssigned();

3531 base::AutoLock auto_lock(lock_);	3537 base::AutoLock auto_lock(lock_);

3532 return valid_thread_id_ == base::PlatformThread::CurrentId();	3538 return valid_thread_id_ == base::PlatformThread::CurrentId();

3533 }	3539 }

3534	3540

3535 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {	3541 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {

3536 return server_bound_cert_service_;	3542 return server_bound_cert_service_;

3537 }	3543 }

3538	3544

3539 } // namespace net	3545 } // namespace net

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »