| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| (...skipping 1413 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1424 // Note that this is a completely synchronous operation: The CT Log Verifier | 1424 // Note that this is a completely synchronous operation: The CT Log Verifier |
| 1425 // gets all the data it needs for SCT verification and does not do any | 1425 // gets all the data it needs for SCT verification and does not do any |
| 1426 // external communication. | 1426 // external communication. |
| 1427 cert_transparency_verifier_->Verify( | 1427 cert_transparency_verifier_->Verify( |
| 1428 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, | 1428 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, |
| 1429 &ct_verify_result_, net_log_); | 1429 &ct_verify_result_, net_log_); |
| 1430 | 1430 |
| 1431 ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr); | 1431 ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr); |
| 1432 ct_verify_result_.ev_policy_compliance = | 1432 ct_verify_result_.ev_policy_compliance = |
| 1433 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | 1433 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; |
| 1434 if (policy_enforcer_ && | 1434 if (policy_enforcer_) { |
| 1435 (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { | 1435 if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { |
| 1436 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | 1436 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
| 1437 SSLConfigService::GetEVCertsWhitelist(); | 1437 SSLConfigService::GetEVCertsWhitelist(); |
| 1438 ct::EVPolicyCompliance ev_policy_compliance = | 1438 ct::EVPolicyCompliance ev_policy_compliance = |
| 1439 policy_enforcer_->DoesConformToCTEVPolicy( | 1439 policy_enforcer_->DoesConformToCTEVPolicy( |
| 1440 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), | 1440 server_cert_verify_result_.verified_cert.get(), |
| 1441 ev_whitelist.get(), ct_verify_result_.verified_scts, net_log_); |
| 1442 ct_verify_result_.ev_policy_compliance = ev_policy_compliance; |
| 1443 if (ev_policy_compliance != |
| 1444 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && |
| 1445 ev_policy_compliance != |
| 1446 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && |
| 1447 ev_policy_compliance != |
| 1448 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { |
| 1449 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 |
| 1450 VLOG(1) << "EV certificate for " |
| 1451 << server_cert_verify_result_.verified_cert->subject() |
| 1452 .GetDisplayName() |
| 1453 << " does not conform to CT policy, removing EV status."; |
| 1454 server_cert_verify_result_.cert_status |= |
| 1455 CERT_STATUS_CT_COMPLIANCE_FAILED; |
| 1456 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
| 1457 } |
| 1458 } |
| 1459 ct_verify_result_.cert_policy_compliance = |
| 1460 policy_enforcer_->DoesConformToCertPolicy( |
| 1461 server_cert_verify_result_.verified_cert.get(), |
| 1441 ct_verify_result_.verified_scts, net_log_); | 1462 ct_verify_result_.verified_scts, net_log_); |
| 1442 ct_verify_result_.ev_policy_compliance = ev_policy_compliance; | |
| 1443 if (ev_policy_compliance != | |
| 1444 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && | |
| 1445 ev_policy_compliance != | |
| 1446 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && | |
| 1447 ev_policy_compliance != | |
| 1448 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { | |
| 1449 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 | |
| 1450 VLOG(1) << "EV certificate for " | |
| 1451 << server_cert_verify_result_.verified_cert->subject() | |
| 1452 .GetDisplayName() | |
| 1453 << " does not conform to CT policy, removing EV status."; | |
| 1454 server_cert_verify_result_.cert_status |= | |
| 1455 CERT_STATUS_CT_COMPLIANCE_FAILED; | |
| 1456 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | |
| 1457 } | |
| 1458 } | 1463 } |
| 1459 } | 1464 } |
| 1460 | 1465 |
| 1461 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { | 1466 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { |
| 1462 int rv = DoHandshakeLoop(result); | 1467 int rv = DoHandshakeLoop(result); |
| 1463 if (rv != ERR_IO_PENDING) { | 1468 if (rv != ERR_IO_PENDING) { |
| 1464 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 1469 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
| 1465 DoConnectCallback(rv); | 1470 DoConnectCallback(rv); |
| 1466 } | 1471 } |
| 1467 } | 1472 } |
| (...skipping 856 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2324 tb_was_negotiated_ = true; | 2329 tb_was_negotiated_ = true; |
| 2325 return 1; | 2330 return 1; |
| 2326 } | 2331 } |
| 2327 } | 2332 } |
| 2328 | 2333 |
| 2329 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | 2334 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; |
| 2330 return 0; | 2335 return 0; |
| 2331 } | 2336 } |
| 2332 | 2337 |
| 2333 } // namespace net | 2338 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1578993003:
Add Expect CT policy that gets checked on all certs (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master