1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <openssl/bio.h> | 8 #include <openssl/bio.h> |
9 #include <openssl/bytestring.h> | 9 #include <openssl/bytestring.h> |
10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
78 | 78 |
79 // TLS extension number use for Token Binding. | 79 // TLS extension number use for Token Binding. |
80 const unsigned int kTbExtNum = 24; | 80 const unsigned int kTbExtNum = 24; |
81 | 81 |
82 // Token Binding ProtocolVersions supported. | 82 // Token Binding ProtocolVersions supported. |
83 const uint8_t kTbProtocolVersionMajor = 0; | 83 const uint8_t kTbProtocolVersionMajor = 0; |
84 const uint8_t kTbProtocolVersionMinor = 5; | 84 const uint8_t kTbProtocolVersionMinor = 5; |
85 const uint8_t kTbMinProtocolVersionMajor = 0; | 85 const uint8_t kTbMinProtocolVersionMajor = 0; |
86 const uint8_t kTbMinProtocolVersionMinor = 3; | 86 const uint8_t kTbMinProtocolVersionMinor = 3; |
87 | 87 |
88 // Max age for OCSP responses | |
89 const base::TimeDelta kOCSPResponseMaxAge = base::TimeDelta::FromDays(7); | |
Ryan Sleevi
2016/06/16 21:49:30
Why is this an aspect of the socket? This is about
| |
90 | |
88 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) { | 91 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) { |
89 switch (EVP_MD_type(md)) { | 92 switch (EVP_MD_type(md)) { |
90 case NID_md5_sha1: | 93 case NID_md5_sha1: |
91 *hash = SSLPrivateKey::Hash::MD5_SHA1; | 94 *hash = SSLPrivateKey::Hash::MD5_SHA1; |
92 return true; | 95 return true; |
93 case NID_sha1: | 96 case NID_sha1: |
94 *hash = SSLPrivateKey::Hash::SHA1; | 97 *hash = SSLPrivateKey::Hash::SHA1; |
95 return true; | 98 return true; |
96 case NID_sha256: | 99 case NID_sha256: |
97 *hash = SSLPrivateKey::Hash::SHA256; | 100 *hash = SSLPrivateKey::Hash::SHA256; |
1342 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 1345 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
1343 else | 1346 else |
1344 pkp_bypassed_ = true; | 1347 pkp_bypassed_ = true; |
1345 } | 1348 } |
1346 | 1349 |
1347 if (result == OK) { | 1350 if (result == OK) { |
1348 // Only check Certificate Transparency if there were no other errors with | 1351 // Only check Certificate Transparency if there were no other errors with |
1349 // the connection. | 1352 // the connection. |
1350 VerifyCT(); | 1353 VerifyCT(); |
1351 | 1354 |
1355 ReportOCSP(); | |
1356 | |
1352 DCHECK(!certificate_verified_); | 1357 DCHECK(!certificate_verified_); |
1353 certificate_verified_ = true; | 1358 certificate_verified_ = true; |
1354 MaybeCacheSession(); | 1359 MaybeCacheSession(); |
1355 } | 1360 } |
1356 | 1361 |
1357 completed_connect_ = true; | 1362 completed_connect_ = true; |
1358 // Exit DoHandshakeLoop and return the result to the caller to Connect. | 1363 // Exit DoHandshakeLoop and return the result to the caller to Connect. |
1359 DCHECK_EQ(STATE_NONE, next_handshake_state_); | 1364 DCHECK_EQ(STATE_NONE, next_handshake_state_); |
1360 return result; | 1365 return result; |
1361 } | 1366 } |
1428 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | 1433 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
1429 } | 1434 } |
1430 } | 1435 } |
1431 ct_verify_result_.cert_policy_compliance = | 1436 ct_verify_result_.cert_policy_compliance = |
1432 policy_enforcer_->DoesConformToCertPolicy( | 1437 policy_enforcer_->DoesConformToCertPolicy( |
1433 server_cert_verify_result_.verified_cert.get(), | 1438 server_cert_verify_result_.verified_cert.get(), |
1434 ct_verify_result_.verified_scts, net_log_); | 1439 ct_verify_result_.verified_scts, net_log_); |
1435 } | 1440 } |
1436 } | 1441 } |
1437 | 1442 |
1443 void SSLClientSocketImpl::ReportOCSP() { | |
1444 base::Time verify_time = base::Time::Now(); | |
1445 transport_security_state_->CheckExpectStaple( | |
Ryan Sleevi
2016/06/16 21:49:30
Putting it at this layer creates issues when multi
dadrian
2016/06/17 17:26:55
Why isn't this an issue for Expect CT?
estark
2016/06/17 18:33:02
Expect-CT is processed per-request at the URLReque
| |
1446 host_and_port_, *server_cert_verify_result_.verified_cert, *server_cert_, | |
1447 server_cert_verify_result_.is_issued_by_known_root, verify_time, | |
1448 kOCSPResponseMaxAge, ocsp_response_); | |
Ryan Sleevi
2016/06/16 21:49:30
BUG: You never set |ocsp_response_|
DESIGN: Why ev
svaldez
2016/06/17 13:33:51
CT and ExpectStaple should probably use a shared o
| |
1449 } | |
1450 | |
1438 void SSLClientSocketImpl::OnHandshakeIOComplete(int result) { | 1451 void SSLClientSocketImpl::OnHandshakeIOComplete(int result) { |
1439 int rv = DoHandshakeLoop(result); | 1452 int rv = DoHandshakeLoop(result); |
1440 if (rv != ERR_IO_PENDING) { | 1453 if (rv != ERR_IO_PENDING) { |
1441 LogConnectEndEvent(rv); | 1454 LogConnectEndEvent(rv); |
1442 DoConnectCallback(rv); | 1455 DoConnectCallback(rv); |
1443 } | 1456 } |
1444 } | 1457 } |
1445 | 1458 |
1446 void SSLClientSocketImpl::OnSendComplete(int result) { | 1459 void SSLClientSocketImpl::OnSendComplete(int result) { |
1447 if (next_handshake_state_ == STATE_HANDSHAKE) { | 1460 if (next_handshake_state_ == STATE_HANDSHAKE) { |
2310 if (rv != OK) { | 2323 if (rv != OK) { |
2311 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 2324 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
2312 return; | 2325 return; |
2313 } | 2326 } |
2314 | 2327 |
2315 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, | 2328 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, |
2316 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); | 2329 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); |
2317 } | 2330 } |
2318 | 2331 |
2319 } // namespace net | 2332 } // namespace net |
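Review bot: The new `SSLClientSocketImpl::ReportOCSP()` (new side lines 1443–1449) carries no comment stating what it reports or the precondition under which it may be called, even though it dereferences `server_cert_verify_result_.verified_cert` and `server_cert_` unconditionally; its single call site (new line 1355) sits inside the `result == OK` branch of DoVerifyCertComplete, whose beginning lies outside this hunk, so that precondition should be written down above the definition: `// Reports the stapled OCSP response for the verified chain to the Expect-Staple check in TransportSecurityState. Only valid after certificate verification succeeded, since it dereferences verified_cert and server_cert_ without null checks.` Separately, `verify_time` is taken with `base::Time::Now()` at report time rather than when verification ran; if the age comparison is meant to be relative to the verification itself, the timestamp presumably belongs where the verify result is produced, which is not visible here. The comment on `kOCSPResponseMaxAge` (new line 89) could also say what the value bounds, e.g. `// Maximum age a stapled OCSP response may have and still satisfy Expect-Staple.`, hedged as "presumably" since the check's semantics live in TransportSecurityState.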