1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
1424 // Note that this is a completely synchronous operation: The CT Log Verifier | 1424 // Note that this is a completely synchronous operation: The CT Log Verifier |
1425 // gets all the data it needs for SCT verification and does not do any | 1425 // gets all the data it needs for SCT verification and does not do any |
1426 // external communication. | 1426 // external communication. |
1427 cert_transparency_verifier_->Verify( | 1427 cert_transparency_verifier_->Verify( |
1428 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, | 1428 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, |
1429 &ct_verify_result_, net_log_); | 1429 &ct_verify_result_, net_log_); |
1430 | 1430 |
1431 ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr); | 1431 ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr); |
1432 ct_verify_result_.ev_policy_compliance = | 1432 ct_verify_result_.ev_policy_compliance = |
1433 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | 1433 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; |
1434 if (policy_enforcer_ && | 1434 if (policy_enforcer_) { |
1435 (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { | 1435 if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { |
1436 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | 1436 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
1437 SSLConfigService::GetEVCertsWhitelist(); | 1437 SSLConfigService::GetEVCertsWhitelist(); |
1438 ct::EVPolicyCompliance ev_policy_compliance = | 1438 ct::EVPolicyCompliance ev_policy_compliance = |
1439 policy_enforcer_->DoesConformToCTEVPolicy( | 1439 policy_enforcer_->DoesConformToCTEVPolicy( |
1440 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), | 1440 server_cert_verify_result_.verified_cert.get(), |
| 1441 ev_whitelist.get(), ct_verify_result_.verified_scts, net_log_); |
| 1442 ct_verify_result_.ev_policy_compliance = ev_policy_compliance; |
| 1443 if (ev_policy_compliance != |
| 1444 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && |
| 1445 ev_policy_compliance != |
| 1446 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && |
| 1447 ev_policy_compliance != |
| 1448 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { |
| 1449 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 |
| 1450 VLOG(1) << "EV certificate for " |
| 1451 << server_cert_verify_result_.verified_cert->subject() |
| 1452 .GetDisplayName() |
| 1453 << " does not conform to CT policy, removing EV status."; |
| 1454 server_cert_verify_result_.cert_status |= |
| 1455 CERT_STATUS_CT_COMPLIANCE_FAILED; |
| 1456 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
| 1457 } |
| 1458 } |
| 1459 ct_verify_result_.cert_policy_compliance = |
| 1460 policy_enforcer_->DoesConformToCertPolicy( |
| 1461 server_cert_verify_result_.verified_cert.get(), |
1441 ct_verify_result_.verified_scts, net_log_); | 1462 ct_verify_result_.verified_scts, net_log_); |
1442 ct_verify_result_.ev_policy_compliance = ev_policy_compliance; | |
1443 if (ev_policy_compliance != | |
1444 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && | |
1445 ev_policy_compliance != | |
1446 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && | |
1447 ev_policy_compliance != | |
1448 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { | |
1449 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 | |
1450 VLOG(1) << "EV certificate for " | |
1451 << server_cert_verify_result_.verified_cert->subject() | |
1452 .GetDisplayName() | |
1453 << " does not conform to CT policy, removing EV status."; | |
1454 server_cert_verify_result_.cert_status |= | |
1455 CERT_STATUS_CT_COMPLIANCE_FAILED; | |
1456 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | |
1457 } | |
1458 } | 1463 } |
1459 } | 1464 } |
1460 | 1465 |
1461 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { | 1466 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { |
1462 int rv = DoHandshakeLoop(result); | 1467 int rv = DoHandshakeLoop(result); |
1463 if (rv != ERR_IO_PENDING) { | 1468 if (rv != ERR_IO_PENDING) { |
1464 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 1469 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
1465 DoConnectCallback(rv); | 1470 DoConnectCallback(rv); |
1466 } | 1471 } |
1467 } | 1472 } |
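Review bot: `ct_verify_result_.cert_policy_compliance` (new lines 1459–1462) is assigned only inside the `if (policy_enforcer_)` branch, whereas `ev_policy_compliance` receives an explicit `EV_POLICY_DOES_NOT_APPLY` default before the branch; when no policy enforcer is configured the field keeps whatever value CTVerifyResult's constructor gave it, which this hunk does not show. If that default does not mean "not evaluated", a consumer that reads `cert_policy_compliance` without first checking `ct_policies_applied` would misreport compliance, so either assign the not-evaluated value next to the EV default or add `// cert_policy_compliance is only meaningful when ct_policies_applied is true.` above the assignment. Unlike the EV path, a non-compliant `cert_policy_compliance` also leaves `cert_status` untouched; a one-line comment stating that this result is recorded for reporting only, not enforced, would keep the next reader from assuming an enforcement step is missing. The enclosing function begins before this hunk.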
2324 tb_was_negotiated_ = true; | 2329 tb_was_negotiated_ = true; |
2325 return 1; | 2330 return 1; |
2326 } | 2331 } |
2327 } | 2332 } |
2328 | 2333 |
2329 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | 2334 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; |
2330 return 0; | 2335 return 0; |
2331 } | 2336 } |
2332 | 2337 |
2333 } // namespace net | 2338 } // namespace net |