1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <openssl/bio.h> | 8 #include <openssl/bio.h> |
9 #include <openssl/bytestring.h> | 9 #include <openssl/bytestring.h> |
10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
1352 server_cert_verify_result_.verified_cert.get(), | 1352 server_cert_verify_result_.verified_cert.get(), |
1353 TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_)) { | 1353 TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_)) { |
1354 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 1354 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
1355 } | 1355 } |
1356 | 1356 |
1357 if (result == OK) { | 1357 if (result == OK) { |
1358 // Only check Certificate Transparency if there were no other errors with | 1358 // Only check Certificate Transparency if there were no other errors with |
1359 // the connection. | 1359 // the connection. |
1360 VerifyCT(); | 1360 VerifyCT(); |
1361 | 1361 |
1362 CheckOCSP(); | |
estark
2016/06/09 21:24:15
Could you pass in |server_cert_| as an argument so
dadrian
2016/06/10 01:05:53
Yes, though it will eventually need both the certi
| |
1363 | |
1362 DCHECK(!certificate_verified_); | 1364 DCHECK(!certificate_verified_); |
1363 certificate_verified_ = true; | 1365 certificate_verified_ = true; |
1364 MaybeCacheSession(); | 1366 MaybeCacheSession(); |
1365 } else { | 1367 } else { |
1366 DVLOG(1) << "DoVerifyCertComplete error " << ErrorToString(result) << " (" | 1368 DVLOG(1) << "DoVerifyCertComplete error " << ErrorToString(result) << " (" |
1367 << result << ")"; | 1369 << result << ")"; |
1368 } | 1370 } |
1369 | 1371 |
1370 completed_connect_ = true; | 1372 completed_connect_ = true; |
1371 // Exit DoHandshakeLoop and return the result to the caller to Connect. | 1373 // Exit DoHandshakeLoop and return the result to the caller to Connect. |
1446 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | 1448 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
1447 } | 1449 } |
1448 } | 1450 } |
1449 ct_verify_result_.cert_policy_compliance = | 1451 ct_verify_result_.cert_policy_compliance = |
1450 policy_enforcer_->DoesConformToCertPolicy( | 1452 policy_enforcer_->DoesConformToCertPolicy( |
1451 server_cert_verify_result_.verified_cert.get(), | 1453 server_cert_verify_result_.verified_cert.get(), |
1452 ct_verify_result_.verified_scts, net_log_); | 1454 ct_verify_result_.verified_scts, net_log_); |
1453 } | 1455 } |
1454 } | 1456 } |
1455 | 1457 |
1458 void SSLClientSocketImpl::CheckOCSP() { | |
1459 TransportSecurityState::ExpectStapleState expect_staple_state; | |
1460 if (!transport_security_state_->GetStaticExpectStapleState( | |
1461 host_and_port_.host(), &expect_staple_state)) { | |
1462 return; | |
1463 } | |
1464 SSLInfo ssl_info; | |
1465 GetSSLInfo(&ssl_info); | |
1466 transport_security_state_->CheckExpectStaple( | |
1467 host_and_port_, expect_staple_state, *ssl_info.cert, ocsp_response_); | |
estark
2016/06/09 21:24:15
Is |ocsp_response_| already always populated? I th
dadrian
2016/06/10 01:05:53
I'll make sure it gets populated if enable_static_
| |
1468 } | |
1469 | |
1456 void SSLClientSocketImpl::OnHandshakeIOComplete(int result) { | 1470 void SSLClientSocketImpl::OnHandshakeIOComplete(int result) { |
1457 int rv = DoHandshakeLoop(result); | 1471 int rv = DoHandshakeLoop(result); |
1458 if (rv != ERR_IO_PENDING) { | 1472 if (rv != ERR_IO_PENDING) { |
1459 LogConnectEndEvent(rv); | 1473 LogConnectEndEvent(rv); |
1460 DoConnectCallback(rv); | 1474 DoConnectCallback(rv); |
1461 } | 1475 } |
1462 } | 1476 } |
1463 | 1477 |
1464 void SSLClientSocketImpl::OnSendComplete(int result) { | 1478 void SSLClientSocketImpl::OnSendComplete(int result) { |
1465 if (next_handshake_state_ == STATE_HANDSHAKE) { | 1479 if (next_handshake_state_ == STATE_HANDSHAKE) { |
2331 if (rv != OK) { | 2345 if (rv != OK) { |
2332 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 2346 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
2333 return; | 2347 return; |
2334 } | 2348 } |
2335 | 2349 |
2336 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, | 2350 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, |
2337 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); | 2351 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); |
2338 } | 2352 } |
2339 | 2353 |
2340 } // namespace net | 2354 } // namespace net |
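Review bot: `*ssl_info.cert` on new line 1467 in CheckOCSP() is dereferenced without a null check, and the `SSLInfo` it comes from is populated by `GetSSLInfo(&ssl_info)` invoked from DoVerifyCertComplete before `certificate_verified_` and `completed_connect_` are set, with any status GetSSLInfo returns discarded; if GetSSLInfo can leave `cert` unset in that pre-completion state (not visible here), the Expect-Staple report path crashes instead of being skipped. A guard such as `if (!ssl_info.cert) return;` before the `CheckExpectStaple` call would make the function fail closed on that precondition. CheckOCSP() also has no header comment; since it returns void and never touches `result`, a one-liner like `// Report-only: an Expect-Staple violation is reported through TransportSecurityState and does not change the handshake result.` would make that intent explicit for the next reader.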