Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/crypto/proof_verifier_chromium.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/bind_helpers.h" | 10 #include "base/bind_helpers.h" |
| 56 CTPolicyEnforcer* ct_policy_enforcer, | 56 CTPolicyEnforcer* ct_policy_enforcer, |
| 57 TransportSecurityState* transport_security_state, | 57 TransportSecurityState* transport_security_state, |
| 58 CTVerifier* cert_transparency_verifier, | 58 CTVerifier* cert_transparency_verifier, |
| 59 int cert_verify_flags, | 59 int cert_verify_flags, |
| 60 const BoundNetLog& net_log); | 60 const BoundNetLog& net_log); |
| 61 ~Job(); | 61 ~Job(); |
| 62 | 62 |
| 63 // Starts the proof verification. If |QUIC_PENDING| is returned, then | 63 // Starts the proof verification. If |QUIC_PENDING| is returned, then |
| 64 // |callback| will be invoked asynchronously when the verification completes. | 64 // |callback| will be invoked asynchronously when the verification completes. |
| 65 QuicAsyncStatus VerifyProof(const std::string& hostname, | 65 QuicAsyncStatus VerifyProof(const std::string& hostname, |
| 66 const uint16_t port, | |
| 66 const std::string& server_config, | 67 const std::string& server_config, |
| 67 const std::vector<std::string>& certs, | 68 const std::vector<std::string>& certs, |
| 68 const std::string& cert_sct, | 69 const std::string& cert_sct, |
| 69 const std::string& signature, | 70 const std::string& signature, |
| 70 std::string* error_details, | 71 std::string* error_details, |
| 71 scoped_ptr<ProofVerifyDetails>* verify_details, | 72 scoped_ptr<ProofVerifyDetails>* verify_details, |
| 72 ProofVerifierCallback* callback); | 73 ProofVerifierCallback* callback); |
| 73 | 74 |
| 74 private: | 75 private: |
| 75 enum State { | 76 enum State { |
| 95 scoped_ptr<CertVerifier::Request> cert_verifier_request_; | 96 scoped_ptr<CertVerifier::Request> cert_verifier_request_; |
| 96 | 97 |
| 97 CTPolicyEnforcer* policy_enforcer_; | 98 CTPolicyEnforcer* policy_enforcer_; |
| 98 | 99 |
| 99 TransportSecurityState* transport_security_state_; | 100 TransportSecurityState* transport_security_state_; |
| 100 | 101 |
| 101 CTVerifier* cert_transparency_verifier_; | 102 CTVerifier* cert_transparency_verifier_; |
| 102 | 103 |
| 103 // |hostname| specifies the hostname for which |certs| is a valid chain. | 104 // |hostname| specifies the hostname for which |certs| is a valid chain. |
| 104 std::string hostname_; | 105 std::string hostname_; |
| 106 uint16_t port_; | |
|
estark
2016/03/14 20:13:58
Please add a comment on this similar to line 104.
| |
| 105 | 107 |
| 106 scoped_ptr<ProofVerifierCallback> callback_; | 108 scoped_ptr<ProofVerifierCallback> callback_; |
| 107 scoped_ptr<ProofVerifyDetailsChromium> verify_details_; | 109 scoped_ptr<ProofVerifyDetailsChromium> verify_details_; |
| 108 std::string error_details_; | 110 std::string error_details_; |
| 109 | 111 |
| 110 // X509Certificate from a chain of DER encoded certificates. | 112 // X509Certificate from a chain of DER encoded certificates. |
| 111 scoped_refptr<X509Certificate> cert_; | 113 scoped_refptr<X509Certificate> cert_; |
| 112 | 114 |
| 113 // |cert_verify_flags| is bitwise OR'd of CertVerifier::VerifyFlags and it is | 115 // |cert_verify_flags| is bitwise OR'd of CertVerifier::VerifyFlags and it is |
| 114 // passed to CertVerifier::Verify. | 116 // passed to CertVerifier::Verify. |
| 147 end_time - start_time_); | 149 end_time - start_time_); |
| 148 // |hostname_| will always be canonicalized to lowercase. | 150 // |hostname_| will always be canonicalized to lowercase. |
| 149 if (hostname_.compare("www.google.com") == 0) { | 151 if (hostname_.compare("www.google.com") == 0) { |
| 150 UMA_HISTOGRAM_TIMES("Net.QuicSession.VerifyProofTime.google", | 152 UMA_HISTOGRAM_TIMES("Net.QuicSession.VerifyProofTime.google", |
| 151 end_time - start_time_); | 153 end_time - start_time_); |
| 152 } | 154 } |
| 153 } | 155 } |
| 154 | 156 |
| 155 QuicAsyncStatus ProofVerifierChromium::Job::VerifyProof( | 157 QuicAsyncStatus ProofVerifierChromium::Job::VerifyProof( |
| 156 const string& hostname, | 158 const string& hostname, |
| 159 const uint16_t port, | |
| 157 const string& server_config, | 160 const string& server_config, |
| 158 const vector<string>& certs, | 161 const vector<string>& certs, |
| 159 const std::string& cert_sct, | 162 const std::string& cert_sct, |
| 160 const string& signature, | 163 const string& signature, |
| 161 std::string* error_details, | 164 std::string* error_details, |
| 162 scoped_ptr<ProofVerifyDetails>* verify_details, | 165 scoped_ptr<ProofVerifyDetails>* verify_details, |
| 163 ProofVerifierCallback* callback) { | 166 ProofVerifierCallback* callback) { |
| 164 DCHECK(error_details); | 167 DCHECK(error_details); |
| 165 DCHECK(verify_details); | 168 DCHECK(verify_details); |
| 166 DCHECK(callback); | 169 DCHECK(callback); |
| 210 // signature. | 213 // signature. |
| 211 if (!VerifySignature(server_config, signature, certs[0])) { | 214 if (!VerifySignature(server_config, signature, certs[0])) { |
| 212 *error_details = "Failed to verify signature of server config"; | 215 *error_details = "Failed to verify signature of server config"; |
| 213 DLOG(WARNING) << *error_details; | 216 DLOG(WARNING) << *error_details; |
| 214 verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID; | 217 verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID; |
| 215 *verify_details = std::move(verify_details_); | 218 *verify_details = std::move(verify_details_); |
| 216 return QUIC_FAILURE; | 219 return QUIC_FAILURE; |
| 217 } | 220 } |
| 218 | 221 |
| 219 hostname_ = hostname; | 222 hostname_ = hostname; |
| 223 port_ = port; | |
| 220 | 224 |
| 221 next_state_ = STATE_VERIFY_CERT; | 225 next_state_ = STATE_VERIFY_CERT; |
| 222 switch (DoLoop(OK)) { | 226 switch (DoLoop(OK)) { |
| 223 case OK: | 227 case OK: |
| 224 *verify_details = std::move(verify_details_); | 228 *verify_details = std::move(verify_details_); |
| 225 return QUIC_SUCCESS; | 229 return QUIC_SUCCESS; |
| 226 case ERR_IO_PENDING: | 230 case ERR_IO_PENDING: |
| 227 callback_.reset(callback); | 231 callback_.reset(callback); |
| 228 return QUIC_PENDING; | 232 return QUIC_PENDING; |
| 229 default: | 233 default: |
| 309 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; | 313 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; |
| 310 } | 314 } |
| 311 } | 315 } |
| 312 | 316 |
| 313 verify_details_->ct_verify_result.cert_policy_compliance = | 317 verify_details_->ct_verify_result.cert_policy_compliance = |
| 314 policy_enforcer_->DoesConformToCertPolicy( | 318 policy_enforcer_->DoesConformToCertPolicy( |
| 315 cert_verify_result.verified_cert.get(), | 319 cert_verify_result.verified_cert.get(), |
| 316 verify_details_->ct_verify_result.verified_scts, net_log_); | 320 verify_details_->ct_verify_result.verified_scts, net_log_); |
| 317 } | 321 } |
| 318 | 322 |
| 319 // TODO(estark): replace 0 below with the port of the connection. | |
| 320 if (transport_security_state_ && | 323 if (transport_security_state_ && |
| 321 (result == OK || | 324 (result == OK || |
| 322 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 325 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
| 323 !transport_security_state_->CheckPublicKeyPins( | 326 !transport_security_state_->CheckPublicKeyPins( |
| 324 HostPortPair(hostname_, 0), | 327 HostPortPair(hostname_, port_), |
| 325 cert_verify_result.is_issued_by_known_root, | 328 cert_verify_result.is_issued_by_known_root, |
| 326 cert_verify_result.public_key_hashes, cert_.get(), | 329 cert_verify_result.public_key_hashes, cert_.get(), |
| 327 cert_verify_result.verified_cert.get(), | 330 cert_verify_result.verified_cert.get(), |
| 328 TransportSecurityState::ENABLE_PIN_REPORTS, | 331 TransportSecurityState::ENABLE_PIN_REPORTS, |
| 329 &verify_details_->pinning_failure_log)) { | 332 &verify_details_->pinning_failure_log)) { |
| 330 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 333 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
| 331 } | 334 } |
| 332 | 335 |
| 333 if (result != OK) { | 336 if (result != OK) { |
| 334 std::string error_string = ErrorToString(result); | 337 std::string error_string = ErrorToString(result); |
| 407 ct_policy_enforcer_(ct_policy_enforcer), | 410 ct_policy_enforcer_(ct_policy_enforcer), |
| 408 transport_security_state_(transport_security_state), | 411 transport_security_state_(transport_security_state), |
| 409 cert_transparency_verifier_(cert_transparency_verifier) {} | 412 cert_transparency_verifier_(cert_transparency_verifier) {} |
| 410 | 413 |
| 411 ProofVerifierChromium::~ProofVerifierChromium() { | 414 ProofVerifierChromium::~ProofVerifierChromium() { |
| 412 STLDeleteElements(&active_jobs_); | 415 STLDeleteElements(&active_jobs_); |
| 413 } | 416 } |
| 414 | 417 |
| 415 QuicAsyncStatus ProofVerifierChromium::VerifyProof( | 418 QuicAsyncStatus ProofVerifierChromium::VerifyProof( |
| 416 const std::string& hostname, | 419 const std::string& hostname, |
| 420 const uint16_t port, | |
| 417 const std::string& server_config, | 421 const std::string& server_config, |
| 418 const std::vector<std::string>& certs, | 422 const std::vector<std::string>& certs, |
| 419 const std::string& cert_sct, | 423 const std::string& cert_sct, |
| 420 const std::string& signature, | 424 const std::string& signature, |
| 421 const ProofVerifyContext* verify_context, | 425 const ProofVerifyContext* verify_context, |
| 422 std::string* error_details, | 426 std::string* error_details, |
| 423 scoped_ptr<ProofVerifyDetails>* verify_details, | 427 scoped_ptr<ProofVerifyDetails>* verify_details, |
| 424 ProofVerifierCallback* callback) { | 428 ProofVerifierCallback* callback) { |
| 425 if (!verify_context) { | 429 if (!verify_context) { |
| 426 *error_details = "Missing context"; | 430 *error_details = "Missing context"; |
| 427 return QUIC_FAILURE; | 431 return QUIC_FAILURE; |
| 428 } | 432 } |
| 429 const ProofVerifyContextChromium* chromium_context = | 433 const ProofVerifyContextChromium* chromium_context = |
| 430 reinterpret_cast<const ProofVerifyContextChromium*>(verify_context); | 434 reinterpret_cast<const ProofVerifyContextChromium*>(verify_context); |
| 431 scoped_ptr<Job> job( | 435 scoped_ptr<Job> job( |
| 432 new Job(this, cert_verifier_, ct_policy_enforcer_, | 436 new Job(this, cert_verifier_, ct_policy_enforcer_, |
| 433 transport_security_state_, cert_transparency_verifier_, | 437 transport_security_state_, cert_transparency_verifier_, |
| 434 chromium_context->cert_verify_flags, chromium_context->net_log)); | 438 chromium_context->cert_verify_flags, chromium_context->net_log)); |
| 435 QuicAsyncStatus status = | 439 QuicAsyncStatus status = |
| 436 job->VerifyProof(hostname, server_config, certs, cert_sct, signature, | 440 job->VerifyProof(hostname, port, server_config, certs, cert_sct, |
| 437 error_details, verify_details, callback); | 441 signature, error_details, verify_details, callback); |
| 438 if (status == QUIC_PENDING) { | 442 if (status == QUIC_PENDING) { |
| 439 active_jobs_.insert(job.release()); | 443 active_jobs_.insert(job.release()); |
| 440 } | 444 } |
| 441 return status; | 445 return status; |
| 442 } | 446 } |
| 443 | 447 |
| 444 void ProofVerifierChromium::OnJobComplete(Job* job) { | 448 void ProofVerifierChromium::OnJobComplete(Job* job) { |
| 445 active_jobs_.erase(job); | 449 active_jobs_.erase(job); |
| 446 delete job; | 450 delete job; |
| 447 } | 451 } |
| 448 | 452 |
| 449 } // namespace net | 453 } // namespace net |
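Review bot: `port_` (new line 106) is a plain `uint16_t` with no initializer visible on this page, and it is only assigned at new line 223, after the early-return paths in `Job::VerifyProof`; the Job constructor is in the skipped lines, so if it does not already do so, add `port_(0)` to its initializer list so that `HostPortPair(hostname_, port_)` at new line 327 can never read an indeterminate value. That pair is passed to `CheckPublicKeyPins` together with `ENABLE_PIN_REPORTS`, so the port presumably ends up in pin-violation reports, and a test asserting that the connection's port (rather than 0) reaches the pin check would guard this change against regression. Separately, the top-level `const` in `const uint16_t port` has no effect in the declaration at new line 66; plain `uint16_t port` there would be more conventional.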