
Side by Side Diff: net/socket/ssl_client_socket_impl.cc

Issue 2016143002: Expose when PKP is bypassed in SSLInfo. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Add test Created 4 years, 6 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/socket/ssl_client_socket_impl.h" 5 #include "net/socket/ssl_client_socket_impl.h"
6 6
7 #include <errno.h> 7 #include <errno.h>
8 #include <openssl/bio.h> 8 #include <openssl/bio.h>
9 #include <openssl/bytestring.h> 9 #include <openssl/bytestring.h>
10 #include <openssl/err.h> 10 #include <openssl/err.h>
(...skipping 1338 matching lines...) Expand 10 before | Expand all | Expand 10 after
1349 1349
1350 const CertStatus cert_status = server_cert_verify_result_.cert_status; 1350 const CertStatus cert_status = server_cert_verify_result_.cert_status;
1351 if (transport_security_state_ && 1351 if (transport_security_state_ &&
1352 (result == OK || 1352 (result == OK ||
1353 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && 1353 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
1354 !transport_security_state_->CheckPublicKeyPins( 1354 !transport_security_state_->CheckPublicKeyPins(
1355 host_and_port_, server_cert_verify_result_.is_issued_by_known_root, 1355 host_and_port_, server_cert_verify_result_.is_issued_by_known_root,
1356 server_cert_verify_result_.public_key_hashes, server_cert_.get(), 1356 server_cert_verify_result_.public_key_hashes, server_cert_.get(),
1357 server_cert_verify_result_.verified_cert.get(), 1357 server_cert_verify_result_.verified_cert.get(),
1358 TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_)) { 1358 TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_)) {
1359 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; 1359 if (server_cert_verify_result_.is_issued_by_known_root)
estark 2016/05/31 14:59:57 I think we need to apply the same logic to the cor
dadrian 2016/05/31 18:58:31 I implemented the same logic for QUIC, but I'm wor
1360 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
1361 else
1362 server_cert_verify_result_.cert_status |= CERT_STATUS_PKP_BYPASSED;
1360 } 1363 }
1361 1364
1362 if (result == OK) { 1365 if (result == OK) {
1363 // Only check Certificate Transparency if there were no other errors with 1366 // Only check Certificate Transparency if there were no other errors with
1364 // the connection. 1367 // the connection.
1365 VerifyCT(); 1368 VerifyCT();
1366 1369
1367 DCHECK(!certificate_verified_); 1370 DCHECK(!certificate_verified_);
1368 certificate_verified_ = true; 1371 certificate_verified_ = true;
1369 MaybeCacheSession(); 1372 MaybeCacheSession();
(...skipping 966 matching lines...) Expand 10 before | Expand all | Expand 10 after
2336 if (rv != OK) { 2339 if (rv != OK) {
2337 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); 2340 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
2338 return; 2341 return;
2339 } 2342 }
2340 2343
2341 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, 2344 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT,
2342 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); 2345 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this)));
2343 } 2346 }
2344 2347
2345 } // namespace net 2348 } // namespace net
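Review bot: The new `else` branch at new lines 1361-1362 turns a failed pin check into a status bit with no comment explaining why, although it is a security-relevant policy choice: a chain that is not issued by a known root (presumably a locally installed trust anchor) may now connect to a pinned host. A short comment above the inner `if` would make the intent reviewable, for example `// Pins are not enforced for chains from non-default roots; record the bypass so SSLInfo consumers can surface it.`. Because `CheckPublicKeyPins` is still called with `ENABLE_PIN_REPORTS` and `&pinning_failure_log_`, it is worth confirming that the bypass path neither sends a pin-violation report nor leaves a failure log for a connection that then succeeds; its body is not shown here. It is also worth checking that `CERT_STATUS_PKP_BYPASSED` lies outside whatever mask the cert-status error helpers use, since it is OR-ed into `cert_status` after the minor-error test has already run. The enclosing function starts and ends outside the visible lines.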