1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
31 #include "base/threading/thread_local.h" | 31 #include "base/threading/thread_local.h" |
32 #include "base/values.h" | 32 #include "base/values.h" |
33 #include "crypto/ec_private_key.h" | 33 #include "crypto/ec_private_key.h" |
34 #include "crypto/openssl_util.h" | 34 #include "crypto/openssl_util.h" |
35 #include "crypto/scoped_openssl_types.h" | 35 #include "crypto/scoped_openssl_types.h" |
36 #include "net/base/ip_address_number.h" | 36 #include "net/base/ip_address_number.h" |
37 #include "net/base/net_errors.h" | 37 #include "net/base/net_errors.h" |
38 #include "net/cert/cert_verifier.h" | 38 #include "net/cert/cert_verifier.h" |
39 #include "net/cert/ct_ev_whitelist.h" | 39 #include "net/cert/ct_ev_whitelist.h" |
40 #include "net/cert/ct_policy_enforcer.h" | 40 #include "net/cert/ct_policy_enforcer.h" |
| 41 #include "net/cert/ct_policy_status.h" |
41 #include "net/cert/ct_verifier.h" | 42 #include "net/cert/ct_verifier.h" |
42 #include "net/cert/x509_certificate_net_log_param.h" | 43 #include "net/cert/x509_certificate_net_log_param.h" |
43 #include "net/cert/x509_util_openssl.h" | 44 #include "net/cert/x509_util_openssl.h" |
44 #include "net/http/transport_security_state.h" | 45 #include "net/http/transport_security_state.h" |
45 #include "net/ssl/scoped_openssl_types.h" | 46 #include "net/ssl/scoped_openssl_types.h" |
46 #include "net/ssl/ssl_cert_request_info.h" | 47 #include "net/ssl/ssl_cert_request_info.h" |
47 #include "net/ssl/ssl_client_session_cache_openssl.h" | 48 #include "net/ssl/ssl_client_session_cache_openssl.h" |
48 #include "net/ssl/ssl_connection_status_flags.h" | 49 #include "net/ssl/ssl_connection_status_flags.h" |
49 #include "net/ssl/ssl_failure_state.h" | 50 #include "net/ssl/ssl_failure_state.h" |
50 #include "net/ssl/ssl_info.h" | 51 #include "net/ssl/ssl_info.h" |
830 server_cert_verify_result_.is_issued_by_known_root; | 831 server_cert_verify_result_.is_issued_by_known_root; |
831 ssl_info->public_key_hashes = | 832 ssl_info->public_key_hashes = |
832 server_cert_verify_result_.public_key_hashes; | 833 server_cert_verify_result_.public_key_hashes; |
833 ssl_info->client_cert_sent = | 834 ssl_info->client_cert_sent = |
834 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); | 835 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); |
835 ssl_info->channel_id_sent = channel_id_sent_; | 836 ssl_info->channel_id_sent = channel_id_sent_; |
836 ssl_info->token_binding_negotiated = tb_was_negotiated_; | 837 ssl_info->token_binding_negotiated = tb_was_negotiated_; |
837 ssl_info->token_binding_key_param = tb_negotiated_param_; | 838 ssl_info->token_binding_key_param = tb_negotiated_param_; |
838 ssl_info->pinning_failure_log = pinning_failure_log_; | 839 ssl_info->pinning_failure_log = pinning_failure_log_; |
839 | 840 |
840 AddSCTInfoToSSLInfo(ssl_info); | 841 AddCTInfoToSSLInfo(ssl_info); |
841 | 842 |
842 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); | 843 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); |
843 CHECK(cipher); | 844 CHECK(cipher); |
844 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); | 845 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL); |
845 ssl_info->key_exchange_info = | 846 ssl_info->key_exchange_info = |
846 SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_)); | 847 SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_)); |
847 | 848 |
848 ssl_info->connection_status = EncodeSSLConnectionStatus( | 849 ssl_info->connection_status = EncodeSSLConnectionStatus( |
849 static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)), 0 /* no compression */, | 850 static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)), 0 /* no compression */, |
850 GetNetSSLVersion(ssl_)); | 851 GetNetSSLVersion(ssl_)); |
1438 if (sct_list_len > 0) | 1439 if (sct_list_len > 0) |
1439 sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len); | 1440 sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len); |
1440 | 1441 |
1441 // Note that this is a completely synchronous operation: The CT Log Verifier | 1442 // Note that this is a completely synchronous operation: The CT Log Verifier |
1442 // gets all the data it needs for SCT verification and does not do any | 1443 // gets all the data it needs for SCT verification and does not do any |
1443 // external communication. | 1444 // external communication. |
1444 cert_transparency_verifier_->Verify( | 1445 cert_transparency_verifier_->Verify( |
1445 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, | 1446 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, |
1446 &ct_verify_result_, net_log_); | 1447 &ct_verify_result_, net_log_); |
1447 | 1448 |
| 1449 ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr); |
| 1450 ct_verify_result_.ev_policy_compliance = |
| 1451 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; |
1448 if (policy_enforcer_ && | 1452 if (policy_enforcer_ && |
1449 (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { | 1453 (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { |
1450 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | 1454 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
1451 SSLConfigService::GetEVCertsWhitelist(); | 1455 SSLConfigService::GetEVCertsWhitelist(); |
1452 if (!policy_enforcer_->DoesConformToCTEVPolicy( | 1456 ct::EVPolicyCompliance ev_policy_compliance = |
| 1457 policy_enforcer_->DoesConformToCTEVPolicy( |
1453 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), | 1458 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), |
1454 ct_verify_result_, net_log_)) { | 1459 ct_verify_result_.verified_scts, net_log_); |
| 1460 ct_verify_result_.ev_policy_compliance = ev_policy_compliance; |
| 1461 if (ev_policy_compliance != |
| 1462 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && |
| 1463 ev_policy_compliance != |
| 1464 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && |
| 1465 ev_policy_compliance != |
| 1466 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { |
1455 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 | 1467 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 |
1456 VLOG(1) << "EV certificate for " | 1468 VLOG(1) << "EV certificate for " |
1457 << server_cert_verify_result_.verified_cert->subject() | 1469 << server_cert_verify_result_.verified_cert->subject() |
1458 .GetDisplayName() | 1470 .GetDisplayName() |
1459 << " does not conform to CT policy, removing EV status."; | 1471 << " does not conform to CT policy, removing EV status."; |
1460 server_cert_verify_result_.cert_status |= | 1472 server_cert_verify_result_.cert_status |= |
1461 CERT_STATUS_CT_COMPLIANCE_FAILED; | 1473 CERT_STATUS_CT_COMPLIANCE_FAILED; |
1462 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | 1474 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
1463 } | 1475 } |
1464 } | 1476 } |
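Review bot: The EV-stripping condition on new lines 1461-1466 is an exclusion list, so any ct::EVPolicyCompliance value other than the three named ones removes EV status; that is the fail-closed direction, but nothing says so, and a reader adding a new "complies" enumerator later would not know this site must be updated, so a comment such as `// Fail closed: any compliance value not listed here strips EV status.` above the `if` would help. In the same condition, `EV_POLICY_DOES_NOT_APPLY` keeps EV status even though this branch is only entered for certificates that already carry CERT_STATUS_IS_EV; if the enforcer can return that value for an EV certificate, the certificate retains EV with no CT evidence, which is presumably intended but deserves a one-line comment explaining why. The VLOG on new lines 1468-1471 would also be more useful for diagnosing stripped EV status if it included the value, e.g. `<< " does not conform to CT policy (compliance=" << static_cast<int>(ev_policy_compliance) << "), removing EV status.";`. The enclosing function starts before this hunk, so the earlier part of the CT verification path is not visible here.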
2106 // be signaled on abbreviated handshakes if the ticket was renewed. | 2118 // be signaled on abbreviated handshakes if the ticket was renewed. |
2107 session_pending_ = true; | 2119 session_pending_ = true; |
2108 MaybeCacheSession(); | 2120 MaybeCacheSession(); |
2109 | 2121 |
2110 // OpenSSL passes a reference to |session|, but the session cache does not | 2122 // OpenSSL passes a reference to |session|, but the session cache does not |
2111 // take this reference, so release it. | 2123 // take this reference, so release it. |
2112 SSL_SESSION_free(session); | 2124 SSL_SESSION_free(session); |
2113 return 1; | 2125 return 1; |
2114 } | 2126 } |
2115 | 2127 |
2116 void SSLClientSocketOpenSSL::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const { | 2128 void SSLClientSocketOpenSSL::AddCTInfoToSSLInfo(SSLInfo* ssl_info) const { |
2117 ssl_info->UpdateSignedCertificateTimestamps(ct_verify_result_); | 2129 ssl_info->UpdateCertificateTransparencyInfo(ct_verify_result_); |
2118 } | 2130 } |
2119 | 2131 |
2120 std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const { | 2132 std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const { |
2121 std::string result = host_and_port_.ToString(); | 2133 std::string result = host_and_port_.ToString(); |
2122 result.append("/"); | 2134 result.append("/"); |
2123 result.append(ssl_session_cache_shard_); | 2135 result.append(ssl_session_cache_shard_); |
2124 | 2136 |
2125 // Shard the session cache based on maximum protocol version. This causes | 2137 // Shard the session cache based on maximum protocol version. This causes |
2126 // fallback connections to use a separate session cache. | 2138 // fallback connections to use a separate session cache. |
2127 result.append("/"); | 2139 result.append("/"); |
2330 tb_was_negotiated_ = true; | 2342 tb_was_negotiated_ = true; |
2331 return 1; | 2343 return 1; |
2332 } | 2344 } |
2333 } | 2345 } |
2334 | 2346 |
2335 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | 2347 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; |
2336 return 0; | 2348 return 0; |
2337 } | 2349 } |
2338 | 2350 |
2339 } // namespace net | 2351 } // namespace net |