| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| (...skipping 1407 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1418 if (sct_list_len > 0) | 1418 if (sct_list_len > 0) |
| 1419 sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len); | 1419 sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len); |
| 1420 | 1420 |
| 1421 // Note that this is a completely synchronous operation: The CT Log Verifier | 1421 // Note that this is a completely synchronous operation: The CT Log Verifier |
| 1422 // gets all the data it needs for SCT verification and does not do any | 1422 // gets all the data it needs for SCT verification and does not do any |
| 1423 // external communication. | 1423 // external communication. |
| 1424 cert_transparency_verifier_->Verify( | 1424 cert_transparency_verifier_->Verify( |
| 1425 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, | 1425 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, |
| 1426 &ct_verify_result_, net_log_); | 1426 &ct_verify_result_, net_log_); |
| 1427 | 1427 |
| 1428 if (policy_enforcer_ && | 1428 if (policy_enforcer_) { |
| 1429 (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { | |
| 1430 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | 1429 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
| 1431 SSLConfigService::GetEVCertsWhitelist(); | 1430 SSLConfigService::GetEVCertsWhitelist(); |
| 1432 if (!policy_enforcer_->DoesConformToCTEVPolicy( | 1431 if (!policy_enforcer_->DoesConformToCertPolicy( |
| 1433 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), | 1432 server_cert_verify_result_.verified_cert.get(), |
| 1434 ct_verify_result_, net_log_)) { | 1433 ct_verify_result_)) { |
| 1434 server_cert_verify_result_.cert_status |= |
| 1435 CERT_STATUS_CT_COMPLIANCE_FAILED; |
| 1436 } |
| 1437 if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) && |
| 1438 !policy_enforcer_->DoesConformToEVPolicy( |
| 1439 server_cert_verify_result_.verified_cert.get(), |
| 1440 server_cert_verify_result_.cert_status, ev_whitelist.get(), |
| 1441 net_log_)) { |
| 1435 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 | 1442 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 |
| 1436 VLOG(1) << "EV certificate for " | 1443 VLOG(1) << "EV certificate for " |
| 1437 << server_cert_verify_result_.verified_cert->subject() | 1444 << server_cert_verify_result_.verified_cert->subject() |
| 1438 .GetDisplayName() | 1445 .GetDisplayName() |
| 1439 << " does not conform to CT policy, removing EV status."; | 1446 << " does not conform to CT policy, removing EV status."; |
| 1440 server_cert_verify_result_.cert_status |= | |
| 1441 CERT_STATUS_CT_COMPLIANCE_FAILED; | |
| 1442 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | 1447 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
| 1443 } | 1448 } |
| 1444 } | 1449 } |
| 1445 } | 1450 } |
| 1446 | 1451 |
| 1447 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { | 1452 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { |
| 1448 int rv = DoHandshakeLoop(result); | 1453 int rv = DoHandshakeLoop(result); |
| 1449 if (rv != ERR_IO_PENDING) { | 1454 if (rv != ERR_IO_PENDING) { |
| 1450 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 1455 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
| 1451 DoConnectCallback(rv); | 1456 DoConnectCallback(rv); |
| (...skipping 858 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2310 tb_was_negotiated_ = true; | 2315 tb_was_negotiated_ = true; |
| 2311 return 1; | 2316 return 1; |
| 2312 } | 2317 } |
| 2313 } | 2318 } |
| 2314 | 2319 |
| 2315 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | 2320 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; |
| 2316 return 0; | 2321 return 0; |
| 2317 } | 2322 } |
| 2318 | 2323 |
| 2319 } // namespace net | 2324 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1578993003:
Add Expect CT policy that gets checked on all certs (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master