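--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_impl.h"
 
 #include <errno.h>
 #include <openssl/bio.h>
 #include <openssl/bytestring.h>
 #include <openssl/err.h>
@@ -89,20 +89,23 @@
 
 // TLS extension number use for Token Binding.
 const unsigned int kTbExtNum = 24;
 
 // Token Binding ProtocolVersions supported.
 const uint8_t kTbProtocolVersionMajor = 0;
 const uint8_t kTbProtocolVersionMinor = 5;
 const uint8_t kTbMinProtocolVersionMajor = 0;
 const uint8_t kTbMinProtocolVersionMinor = 3;
 
+// Max age for OCSP responses
+const base::TimeDelta kAgeOneWeek = base::TimeDelta::FromDays(7);
+
 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) {
   switch (EVP_MD_type(md)) {
     case NID_md5_sha1:
       *hash = SSLPrivateKey::Hash::MD5_SHA1;
       return true;
     case NID_sha1:
       *hash = SSLPrivateKey::Hash::SHA1;
       return true;
     case NID_sha256:
       *hash = SSLPrivateKey::Hash::SHA256;
@@ -1352,20 +1355,22 @@
           server_cert_verify_result_.verified_cert.get(),
           TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_)) {
     result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
   }
 
   if (result == OK) {
     // Only check Certificate Transparency if there were no other errors with
     // the connection.
     VerifyCT();
 
+    CheckOCSP(*server_cert_verify_result_.verified_cert, *server_cert_);
+
     DCHECK(!certificate_verified_);
     certificate_verified_ = true;
     MaybeCacheSession();
   } else {
     DVLOG(1) << "DoVerifyCertComplete error " << ErrorToString(result) << " ("
              << result << ")";
   }
 
   completed_connect_ = true;
   // Exit DoHandshakeLoop and return the result to the caller to Connect.
@@ -1446,20 +1451,29 @@
         server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
       }
     }
     ct_verify_result_.cert_policy_compliance =
         policy_enforcer_->DoesConformToCertPolicy(
             server_cert_verify_result_.verified_cert.get(),
             ct_verify_result_.verified_scts, net_log_);
   }
 }
 
+void SSLClientSocketImpl::CheckOCSP(
+    const X509Certificate& verified_certificate,
+    const X509Certificate& unverified_certificate) {
+  base::Time verify_time = base::Time::Now();
+  transport_security_state_->CheckExpectStaple(
+      host_and_port_, verified_certificate, unverified_certificate, verify_time,
+      kAgeOneWeek, ocsp_response_);
+}
+
 void SSLClientSocketImpl::OnHandshakeIOComplete(int result) {
   int rv = DoHandshakeLoop(result);
   if (rv != ERR_IO_PENDING) {
     LogConnectEndEvent(rv);
     DoConnectCallback(rv);
   }
 }
 
 void SSLClientSocketImpl::OnSendComplete(int result) {
   if (next_handshake_state_ == STATE_HANDSHAKE) {
@@ -2331,10 +2345,10 @@
   if (rv != OK) {
     net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
     return;
   }
 
   net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT,
                     base::Bind(&NetLogSSLInfoCallback, base::Unretained(this)));
 }
 
 }  // namespace net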
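Review bot: `const base::TimeDelta kAgeOneWeek = base::TimeDelta::FromDays(7);` at namespace scope adds a dynamic static initializer to this translation unit unless FromDays is a constant expression in this tree, which Chromium's no-static-initializers policy for net/ is meant to rule out; keeping the constant as plain data, `const int kOCSPMaxAgeDays = 7;`, and building the TimeDelta inside CheckOCSP with `base::TimeDelta::FromDays(kOCSPMaxAgeDays)` avoids it and also puts the comment's missing period and the "OCSP" naming on the constant that is actually about the response age. In CheckOCSP the result of CheckExpectStaple, if it has one, is discarded and `result` in DoVerifyCertComplete is never touched, so the connection outcome cannot depend on this call; a comment above it, `// Report-only: Expect-Staple checking never affects the handshake result.`, would make that intent explicit for readers who expect an OCSP check to fail the connection. The new code dereferences `transport_security_state_` unconditionally, as the pinning call at the top of the preceding hunk also appears to; if that pointer can be null on this path the precondition belongs in a DCHECK or guard rather than being implied. DoVerifyCertComplete starts outside the hunk, so the surrounding null handling is not visible here.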