| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/crypto/proof_verifier_chromium.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/bind_helpers.h" | 10 #include "base/bind_helpers.h" |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 56 CTPolicyEnforcer* ct_policy_enforcer, | 56 CTPolicyEnforcer* ct_policy_enforcer, |
| 57 TransportSecurityState* transport_security_state, | 57 TransportSecurityState* transport_security_state, |
| 58 CTVerifier* cert_transparency_verifier, | 58 CTVerifier* cert_transparency_verifier, |
| 59 int cert_verify_flags, | 59 int cert_verify_flags, |
| 60 const BoundNetLog& net_log); | 60 const BoundNetLog& net_log); |
| 61 ~Job(); | 61 ~Job(); |
| 62 | 62 |
| 63 // Starts the proof verification. If |QUIC_PENDING| is returned, then | 63 // Starts the proof verification. If |QUIC_PENDING| is returned, then |
| 64 // |callback| will be invoked asynchronously when the verification completes. | 64 // |callback| will be invoked asynchronously when the verification completes. |
| 65 QuicAsyncStatus VerifyProof(const std::string& hostname, | 65 QuicAsyncStatus VerifyProof(const std::string& hostname, |
| 66 const uint16_t port, |
| 66 const std::string& server_config, | 67 const std::string& server_config, |
| 67 QuicVersion quic_version, | 68 QuicVersion quic_version, |
| 68 base::StringPiece chlo_hash, | 69 base::StringPiece chlo_hash, |
| 69 const std::vector<std::string>& certs, | 70 const std::vector<std::string>& certs, |
| 70 const std::string& cert_sct, | 71 const std::string& cert_sct, |
| 71 const std::string& signature, | 72 const std::string& signature, |
| 72 std::string* error_details, | 73 std::string* error_details, |
| 73 scoped_ptr<ProofVerifyDetails>* verify_details, | 74 scoped_ptr<ProofVerifyDetails>* verify_details, |
| 74 ProofVerifierCallback* callback); | 75 ProofVerifierCallback* callback); |
| 75 | 76 |
| (...skipping 23 matching lines...) Expand all Loading... |
| 99 scoped_ptr<CertVerifier::Request> cert_verifier_request_; | 100 scoped_ptr<CertVerifier::Request> cert_verifier_request_; |
| 100 | 101 |
| 101 CTPolicyEnforcer* policy_enforcer_; | 102 CTPolicyEnforcer* policy_enforcer_; |
| 102 | 103 |
| 103 TransportSecurityState* transport_security_state_; | 104 TransportSecurityState* transport_security_state_; |
| 104 | 105 |
| 105 CTVerifier* cert_transparency_verifier_; | 106 CTVerifier* cert_transparency_verifier_; |
| 106 | 107 |
| 107 // |hostname| specifies the hostname for which |certs| is a valid chain. | 108 // |hostname| specifies the hostname for which |certs| is a valid chain. |
| 108 std::string hostname_; | 109 std::string hostname_; |
| 110 // |port| specifies the target port for the connection. |
| 111 uint16_t port_; |
| 109 | 112 |
| 110 scoped_ptr<ProofVerifierCallback> callback_; | 113 scoped_ptr<ProofVerifierCallback> callback_; |
| 111 scoped_ptr<ProofVerifyDetailsChromium> verify_details_; | 114 scoped_ptr<ProofVerifyDetailsChromium> verify_details_; |
| 112 std::string error_details_; | 115 std::string error_details_; |
| 113 | 116 |
| 114 // X509Certificate from a chain of DER encoded certificates. | 117 // X509Certificate from a chain of DER encoded certificates. |
| 115 scoped_refptr<X509Certificate> cert_; | 118 scoped_refptr<X509Certificate> cert_; |
| 116 | 119 |
| 117 // |cert_verify_flags| is bitwise OR'd of CertVerifier::VerifyFlags and it is | 120 // |cert_verify_flags| is bitwise OR'd of CertVerifier::VerifyFlags and it is |
| 118 // passed to CertVerifier::Verify. | 121 // passed to CertVerifier::Verify. |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 151 end_time - start_time_); | 154 end_time - start_time_); |
| 152 // |hostname_| will always be canonicalized to lowercase. | 155 // |hostname_| will always be canonicalized to lowercase. |
| 153 if (hostname_.compare("www.google.com") == 0) { | 156 if (hostname_.compare("www.google.com") == 0) { |
| 154 UMA_HISTOGRAM_TIMES("Net.QuicSession.VerifyProofTime.google", | 157 UMA_HISTOGRAM_TIMES("Net.QuicSession.VerifyProofTime.google", |
| 155 end_time - start_time_); | 158 end_time - start_time_); |
| 156 } | 159 } |
| 157 } | 160 } |
| 158 | 161 |
| 159 QuicAsyncStatus ProofVerifierChromium::Job::VerifyProof( | 162 QuicAsyncStatus ProofVerifierChromium::Job::VerifyProof( |
| 160 const string& hostname, | 163 const string& hostname, |
| 164 const uint16_t port, |
| 161 const string& server_config, | 165 const string& server_config, |
| 162 QuicVersion quic_version, | 166 QuicVersion quic_version, |
| 163 StringPiece chlo_hash, | 167 StringPiece chlo_hash, |
| 164 const vector<string>& certs, | 168 const vector<string>& certs, |
| 165 const std::string& cert_sct, | 169 const std::string& cert_sct, |
| 166 const string& signature, | 170 const string& signature, |
| 167 std::string* error_details, | 171 std::string* error_details, |
| 168 scoped_ptr<ProofVerifyDetails>* verify_details, | 172 scoped_ptr<ProofVerifyDetails>* verify_details, |
| 169 ProofVerifierCallback* callback) { | 173 ProofVerifierCallback* callback) { |
| 170 DCHECK(error_details); | 174 DCHECK(error_details); |
| (...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 217 if (!VerifySignature(server_config, quic_version, chlo_hash, signature, | 221 if (!VerifySignature(server_config, quic_version, chlo_hash, signature, |
| 218 certs[0])) { | 222 certs[0])) { |
| 219 *error_details = "Failed to verify signature of server config"; | 223 *error_details = "Failed to verify signature of server config"; |
| 220 DLOG(WARNING) << *error_details; | 224 DLOG(WARNING) << *error_details; |
| 221 verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID; | 225 verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID; |
| 222 *verify_details = std::move(verify_details_); | 226 *verify_details = std::move(verify_details_); |
| 223 return QUIC_FAILURE; | 227 return QUIC_FAILURE; |
| 224 } | 228 } |
| 225 | 229 |
| 226 hostname_ = hostname; | 230 hostname_ = hostname; |
| 231 port_ = port; |
| 227 | 232 |
| 228 next_state_ = STATE_VERIFY_CERT; | 233 next_state_ = STATE_VERIFY_CERT; |
| 229 switch (DoLoop(OK)) { | 234 switch (DoLoop(OK)) { |
| 230 case OK: | 235 case OK: |
| 231 *verify_details = std::move(verify_details_); | 236 *verify_details = std::move(verify_details_); |
| 232 return QUIC_SUCCESS; | 237 return QUIC_SUCCESS; |
| 233 case ERR_IO_PENDING: | 238 case ERR_IO_PENDING: |
| 234 callback_.reset(callback); | 239 callback_.reset(callback); |
| 235 return QUIC_PENDING; | 240 return QUIC_PENDING; |
| 236 default: | 241 default: |
| (...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 316 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; | 321 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; |
| 317 } | 322 } |
| 318 } | 323 } |
| 319 | 324 |
| 320 verify_details_->ct_verify_result.cert_policy_compliance = | 325 verify_details_->ct_verify_result.cert_policy_compliance = |
| 321 policy_enforcer_->DoesConformToCertPolicy( | 326 policy_enforcer_->DoesConformToCertPolicy( |
| 322 cert_verify_result.verified_cert.get(), | 327 cert_verify_result.verified_cert.get(), |
| 323 verify_details_->ct_verify_result.verified_scts, net_log_); | 328 verify_details_->ct_verify_result.verified_scts, net_log_); |
| 324 } | 329 } |
| 325 | 330 |
| 326 // TODO(estark): replace 0 below with the port of the connection. | |
| 327 if (transport_security_state_ && | 331 if (transport_security_state_ && |
| 328 (result == OK || | 332 (result == OK || |
| 329 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 333 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
| 330 !transport_security_state_->CheckPublicKeyPins( | 334 !transport_security_state_->CheckPublicKeyPins( |
| 331 HostPortPair(hostname_, 0), | 335 HostPortPair(hostname_, port_), |
| 332 cert_verify_result.is_issued_by_known_root, | 336 cert_verify_result.is_issued_by_known_root, |
| 333 cert_verify_result.public_key_hashes, cert_.get(), | 337 cert_verify_result.public_key_hashes, cert_.get(), |
| 334 cert_verify_result.verified_cert.get(), | 338 cert_verify_result.verified_cert.get(), |
| 335 TransportSecurityState::ENABLE_PIN_REPORTS, | 339 TransportSecurityState::ENABLE_PIN_REPORTS, |
| 336 &verify_details_->pinning_failure_log)) { | 340 &verify_details_->pinning_failure_log)) { |
| 337 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 341 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
| 338 } | 342 } |
| 339 | 343 |
| 340 if (result != OK) { | 344 if (result != OK) { |
| 341 std::string error_string = ErrorToString(result); | 345 std::string error_string = ErrorToString(result); |
| (...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 428 ct_policy_enforcer_(ct_policy_enforcer), | 432 ct_policy_enforcer_(ct_policy_enforcer), |
| 429 transport_security_state_(transport_security_state), | 433 transport_security_state_(transport_security_state), |
| 430 cert_transparency_verifier_(cert_transparency_verifier) {} | 434 cert_transparency_verifier_(cert_transparency_verifier) {} |
| 431 | 435 |
| 432 ProofVerifierChromium::~ProofVerifierChromium() { | 436 ProofVerifierChromium::~ProofVerifierChromium() { |
| 433 STLDeleteElements(&active_jobs_); | 437 STLDeleteElements(&active_jobs_); |
| 434 } | 438 } |
| 435 | 439 |
| 436 QuicAsyncStatus ProofVerifierChromium::VerifyProof( | 440 QuicAsyncStatus ProofVerifierChromium::VerifyProof( |
| 437 const std::string& hostname, | 441 const std::string& hostname, |
| 442 const uint16_t port, |
| 438 const std::string& server_config, | 443 const std::string& server_config, |
| 439 QuicVersion quic_version, | 444 QuicVersion quic_version, |
| 440 base::StringPiece chlo_hash, | 445 base::StringPiece chlo_hash, |
| 441 const std::vector<std::string>& certs, | 446 const std::vector<std::string>& certs, |
| 442 const std::string& cert_sct, | 447 const std::string& cert_sct, |
| 443 const std::string& signature, | 448 const std::string& signature, |
| 444 const ProofVerifyContext* verify_context, | 449 const ProofVerifyContext* verify_context, |
| 445 std::string* error_details, | 450 std::string* error_details, |
| 446 scoped_ptr<ProofVerifyDetails>* verify_details, | 451 scoped_ptr<ProofVerifyDetails>* verify_details, |
| 447 ProofVerifierCallback* callback) { | 452 ProofVerifierCallback* callback) { |
| 448 if (!verify_context) { | 453 if (!verify_context) { |
| 449 *error_details = "Missing context"; | 454 *error_details = "Missing context"; |
| 450 return QUIC_FAILURE; | 455 return QUIC_FAILURE; |
| 451 } | 456 } |
| 452 const ProofVerifyContextChromium* chromium_context = | 457 const ProofVerifyContextChromium* chromium_context = |
| 453 reinterpret_cast<const ProofVerifyContextChromium*>(verify_context); | 458 reinterpret_cast<const ProofVerifyContextChromium*>(verify_context); |
| 454 scoped_ptr<Job> job( | 459 scoped_ptr<Job> job( |
| 455 new Job(this, cert_verifier_, ct_policy_enforcer_, | 460 new Job(this, cert_verifier_, ct_policy_enforcer_, |
| 456 transport_security_state_, cert_transparency_verifier_, | 461 transport_security_state_, cert_transparency_verifier_, |
| 457 chromium_context->cert_verify_flags, chromium_context->net_log)); | 462 chromium_context->cert_verify_flags, chromium_context->net_log)); |
| 458 QuicAsyncStatus status = job->VerifyProof( | 463 QuicAsyncStatus status = job->VerifyProof( |
| 459 hostname, server_config, quic_version, chlo_hash, certs, cert_sct, | 464 hostname, port, server_config, quic_version, chlo_hash, certs, cert_sct, |
| 460 signature, error_details, verify_details, callback); | 465 signature, error_details, verify_details, callback); |
| 461 if (status == QUIC_PENDING) { | 466 if (status == QUIC_PENDING) { |
| 462 active_jobs_.insert(job.release()); | 467 active_jobs_.insert(job.release()); |
| 463 } | 468 } |
| 464 return status; | 469 return status; |
| 465 } | 470 } |
| 466 | 471 |
| 467 void ProofVerifierChromium::OnJobComplete(Job* job) { | 472 void ProofVerifierChromium::OnJobComplete(Job* job) { |
| 468 active_jobs_.erase(job); | 473 active_jobs_.erase(job); |
| 469 delete job; | 474 delete job; |
| 470 } | 475 } |
| 471 | 476 |
| 472 } // namespace net | 477 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1780983002:
Provide valid port on HPKP reports for QUIC connections (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master