
Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 13466020: Clean up comments and code for pin validation. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Oops, put the #ifdefs back in. Created 7 years, 8 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in 6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8 8
9 /* ***** BEGIN LICENSE BLOCK ***** 9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
(...skipping 3414 matching lines...) Expand 10 before | Expand all | Expand 10 after
3425 LogConnectionTypeMetrics(); 3425 LogConnectionTypeMetrics();
3426 3426
3427 completed_handshake_ = true; 3427 completed_handshake_ = true;
3428 3428
3429 #if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS) 3429 #if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS)
3430 // Take care of any mandates for public key pinning. 3430 // Take care of any mandates for public key pinning.
3431 // 3431 //
3432 // Pinning is only enabled for official builds to make sure that others don't 3432 // Pinning is only enabled for official builds to make sure that others don't
3433 // end up with pins that cannot be easily updated. 3433 // end up with pins that cannot be easily updated.
3434 // 3434 //
3435 // TODO(agl): we might have an issue here where a request for foo.example.com 3435 // TODO(agl): We might have an issue here where a request for foo.example.com
3436 // merges into a SPDY connection to www.example.com, and gets a different 3436 // merges into a SPDY connection to www.example.com, and gets a different
3437 // certificate. 3437 // certificate.
3438 3438
3439 // Perform pin validation if, and only if, all these conditions obtain:
3440 //
3441 // * the build is recent (very old builds should fail open so that users
3442 // have some chance to recover);
3443 // * the server's certificate chain is valid (or suffers from only a minor
3444 // error);
3445 // * the server's certificate chain chains up to a known root (i.e. not a
3446 // user-installed trust anchor); and
3447 // * a TransportSecurityState object is available.
3448 //
3439 const CertStatus cert_status = server_cert_verify_result_.cert_status; 3449 const CertStatus cert_status = server_cert_verify_result_.cert_status;
3440 if ((result == OK || (IsCertificateError(result) && 3450 if (transport_security_state_ &&
3441 IsCertStatusMinorError(cert_status))) && 3451 (result == OK ||
3452 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
3442 server_cert_verify_result_.is_issued_by_known_root && 3453 server_cert_verify_result_.is_issued_by_known_root &&
3443 transport_security_state_) { 3454 TransportSecurityState::IsBuildTimely()) {
3444 bool sni_available = 3455 bool sni_available =
3445 ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 || 3456 ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 ||
3446 ssl_config_.version_fallback; 3457 ssl_config_.version_fallback;
3447 const std::string& host = host_and_port_.host(); 3458 const std::string& host = host_and_port_.host();
3448 3459
3449 TransportSecurityState::DomainState domain_state; 3460 TransportSecurityState::DomainState domain_state;
3450 if (transport_security_state_->GetDomainState(host, sni_available, 3461 if (transport_security_state_->GetDomainState(host, sni_available,
3451 &domain_state) && 3462 &domain_state) &&
3452 domain_state.HasPublicKeyPins()) { 3463 domain_state.HasPublicKeyPins()) {
3453 if (!domain_state.CheckPublicKeyPins( 3464 if (domain_state.CheckPublicKeyPins(
3454 server_cert_verify_result_.public_key_hashes)) { 3465 server_cert_verify_result_.public_key_hashes)) {
Ryan Sleevi 2013/04/04 21:24:02 nit: The original form matches our common pattern
palmer 2013/04/04 21:34:53 Done.
3455 // Pins are not enforced if the build is too old. 3466 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
3456 if (TransportSecurityState::IsBuildTimely()) { 3467 DLOG(ERROR) << "pin success";
3457 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
3458 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
3459 TransportSecurityState::ReportUMAOnPinFailure(host);
3460 }
3461 } else { 3468 } else {
3462 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true); 3469 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
3470 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
3471 TransportSecurityState::ReportUMAOnPinFailure(host);
3472 DLOG(ERROR) << "pin failure";
3463 } 3473 }
3464 } 3474 }
3465 } 3475 }
3466 #endif 3476 #endif
3467 3477
3468 // Exit DoHandshakeLoop and return the result to the caller to Connect. 3478 // Exit DoHandshakeLoop and return the result to the caller to Connect.
3469 DCHECK_EQ(STATE_NONE, next_handshake_state_); 3479 DCHECK_EQ(STATE_NONE, next_handshake_state_);
3470 return result; 3480 return result;
3471 } 3481 }
3472 3482
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after
3514 EnsureThreadIdAssigned(); 3524 EnsureThreadIdAssigned();
3515 base::AutoLock auto_lock(lock_); 3525 base::AutoLock auto_lock(lock_);
3516 return valid_thread_id_ == base::PlatformThread::CurrentId(); 3526 return valid_thread_id_ == base::PlatformThread::CurrentId();
3517 } 3527 }
3518 3528
3519 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { 3529 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
3520 return server_bound_cert_service_; 3530 return server_bound_cert_service_;
3521 } 3531 }
3522 3532
3523 } // namespace net 3533 } // namespace net
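Review bot: The two added `DLOG(ERROR)` lines (new 3467 and 3472) read like leftover debugging: "pin success" is a normal outcome logged at error severity on every handshake to a pinned host, and "pin failure" does not say which host failed. I would drop the success log or lower it to `DVLOG(1) << "Public key pins matched for " << host;`, and make the failure line `DLOG(ERROR) << "Public key pin validation failed for " << host;`. Separately, hoisting `TransportSecurityState::IsBuildTimely()` into the outer condition means a stale build no longer records `Net.PublicKeyPinSuccess` at all, where the old code still recorded `true` on a match; if that is intended, a line in the new comment block saying the fail-open path is deliberately left out of the histogram would help whoever reads the metric later. The enclosing function begins in the skipped lines above this section, so this is based on the visible tail only.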