| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <openssl/bio.h> | 8 #include <openssl/bio.h> |
| 9 #include <openssl/bytestring.h> | 9 #include <openssl/bytestring.h> |
| 10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
| (...skipping 781 matching lines...) | |
| 792 bool SSLClientSocketImpl::GetSSLInfo(SSLInfo* ssl_info) { | 792 bool SSLClientSocketImpl::GetSSLInfo(SSLInfo* ssl_info) { |
| 793 ssl_info->Reset(); | 793 ssl_info->Reset(); |
| 794 if (server_cert_chain_->empty()) | 794 if (server_cert_chain_->empty()) |
| 795 return false; | 795 return false; |
| 796 | 796 |
| 797 ssl_info->cert = server_cert_verify_result_.verified_cert; | 797 ssl_info->cert = server_cert_verify_result_.verified_cert; |
| 798 ssl_info->unverified_cert = server_cert_; | 798 ssl_info->unverified_cert = server_cert_; |
| 799 ssl_info->cert_status = server_cert_verify_result_.cert_status; | 799 ssl_info->cert_status = server_cert_verify_result_.cert_status; |
| 800 ssl_info->is_issued_by_known_root = | 800 ssl_info->is_issued_by_known_root = |
| 801 server_cert_verify_result_.is_issued_by_known_root; | 801 server_cert_verify_result_.is_issued_by_known_root; |
| 802 ssl_info->pkp_bypassed = server_cert_verify_result_.pkp_bypassed; | |
| 802 ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; | 803 ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; |
| 803 ssl_info->client_cert_sent = | 804 ssl_info->client_cert_sent = |
| 804 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); | 805 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); |
| 805 ssl_info->channel_id_sent = channel_id_sent_; | 806 ssl_info->channel_id_sent = channel_id_sent_; |
| 806 ssl_info->token_binding_negotiated = tb_was_negotiated_; | 807 ssl_info->token_binding_negotiated = tb_was_negotiated_; |
| 807 ssl_info->token_binding_key_param = tb_negotiated_param_; | 808 ssl_info->token_binding_key_param = tb_negotiated_param_; |
| 808 ssl_info->pinning_failure_log = pinning_failure_log_; | 809 ssl_info->pinning_failure_log = pinning_failure_log_; |
| 809 | 810 |
| 810 AddCTInfoToSSLInfo(ssl_info); | 811 AddCTInfoToSSLInfo(ssl_info); |
| 811 | 812 |
| (...skipping 532 matching lines...) | |
| 1344 | 1345 |
| 1345 const CertStatus cert_status = server_cert_verify_result_.cert_status; | 1346 const CertStatus cert_status = server_cert_verify_result_.cert_status; |
| 1346 if (transport_security_state_ && | 1347 if (transport_security_state_ && |
| 1347 (result == OK || | 1348 (result == OK || |
| 1348 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 1349 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
| 1349 !transport_security_state_->CheckPublicKeyPins( | 1350 !transport_security_state_->CheckPublicKeyPins( |
| 1350 host_and_port_, server_cert_verify_result_.is_issued_by_known_root, | 1351 host_and_port_, server_cert_verify_result_.is_issued_by_known_root, |
| 1351 server_cert_verify_result_.public_key_hashes, server_cert_.get(), | 1352 server_cert_verify_result_.public_key_hashes, server_cert_.get(), |
| 1352 server_cert_verify_result_.verified_cert.get(), | 1353 server_cert_verify_result_.verified_cert.get(), |
| 1353 TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_)) { | 1354 TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_)) { |
| 1354 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 1355 if (server_cert_verify_result_.is_issued_by_known_root) |
| 1356 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | |
| 1357 else | |
| 1358 server_cert_verify_result_.pkp_bypassed = true; | |
|
Ryan Sleevi
2016/06/09 22:09:05
Here, it'd be a local member that then gets popula
| |
| 1355 } | 1359 } |
| 1356 | 1360 |
| 1357 if (result == OK) { | 1361 if (result == OK) { |
| 1358 // Only check Certificate Transparency if there were no other errors with | 1362 // Only check Certificate Transparency if there were no other errors with |
| 1359 // the connection. | 1363 // the connection. |
| 1360 VerifyCT(); | 1364 VerifyCT(); |
| 1361 | 1365 |
| 1362 DCHECK(!certificate_verified_); | 1366 DCHECK(!certificate_verified_); |
| 1363 certificate_verified_ = true; | 1367 certificate_verified_ = true; |
| 1364 MaybeCacheSession(); | 1368 MaybeCacheSession(); |
| (...skipping 966 matching lines...) | |
| 2331 if (rv != OK) { | 2335 if (rv != OK) { |
| 2332 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 2336 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
| 2333 return; | 2337 return; |
| 2334 } | 2338 } |
| 2335 | 2339 |
| 2336 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, | 2340 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, |
| 2337 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); | 2341 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); |
| 2338 } | 2342 } |
| 2339 | 2343 |
| 2340 } // namespace net | 2344 } // namespace net |
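Review bot: The new `else` branch at new lines 1357-1358 turns a failed pin check into a successful connection without any comment stating the policy, and it is the one place where `is_issued_by_known_root` decides whether pinning is enforced. A comment such as `// Pins are not enforced for chains that end in a locally installed trust anchor; record the bypass so callers can surface it.` above the `if` would make that intent reviewable. `is_issued_by_known_root` is also already passed into `CheckPublicKeyPins`; if that function treats non-known roots as passing (its body is not on this page), the `else` would be unreachable, so it is worth confirming which layer owns the decision. `pkp_bypassed` is only ever set to true in the visible lines, while `pinning_failure_log_` is still filled in and copied out by `GetSSLInfo`, so a consumer may see a failure log on a connection that succeeded unless the two are documented together. The enclosing function starts outside the visible lines.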
| OLD | NEW |