Side by Side Diff: net/socket/ssl_client_socket_impl.cc

Issue 2066603004: Return enum from TransportSecurityState::CheckPublicKeyPins (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Set CERT_STATUS_PINNED_KEY_MISSING Created 4 years, 6 months ago
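--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_impl.h"
 
 #include <errno.h>
 #include <openssl/bio.h>
 #include <openssl/bytestring.h>
 #include <openssl/err.h>
@@ -1321,32 +1321,41 @@
 base::TimeDelta verify_time =
 base::TimeTicks::Now() - start_cert_verification_time_;
 if (result == OK) {
 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTime", verify_time);
 } else {
 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTimeError", verify_time);
 }
 }
 
 const CertStatus cert_status = server_cert_verify_result_.cert_status;
-if ((result == OK ||
-(IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
-!transport_security_state_->CheckPublicKeyPins(
-host_and_port_, server_cert_verify_result_.is_issued_by_known_root,
-server_cert_verify_result_.public_key_hashes, server_cert_.get(),
-server_cert_verify_result_.verified_cert.get(),
-TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_)) {
-if (server_cert_verify_result_.is_issued_by_known_root) {
-server_cert_verify_result_.cert_status |= CERT_STATUS_PINNED_KEY_MISSING;
-result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
-} else {
-pkp_bypassed_ = true;
+if (transport_security_state_ &&
+(result == OK ||
+(IsCertificateError(result) && IsCertStatusMinorError(cert_status)))) {
+TransportSecurityState::PKPStatus pin_validity =
+transport_security_state_->CheckPublicKeyPins(
+host_and_port_, server_cert_verify_result_.is_issued_by_known_root,
+server_cert_verify_result_.public_key_hashes, server_cert_.get(),
+server_cert_verify_result_.verified_cert.get(),
+TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_);
+switch (pin_validity) {
+case TransportSecurityState::PKPStatus::VIOLATED:
+server_cert_verify_result_.cert_status |=
+CERT_STATUS_PINNED_KEY_MISSING;
+result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
+break;
+case TransportSecurityState::PKPStatus::BYPASSED:
+pkp_bypassed_ = true;
+// Fall through.
+case TransportSecurityState::PKPStatus::OK:
+// Do nothing.
+break;
 }
 }
 
 if (result == OK) {
 // Only check Certificate Transparency if there were no other errors with
 // the connection.
 VerifyCT();
 
 DCHECK(!certificate_verified_);
 certificate_verified_ = true;
@@ -2304,10 +2313,10 @@
 if (rv != OK) {
 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
 return;
 }
 
 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT,
 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this)));
 }
 
 } // namespace net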
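Review bot: The new `transport_security_state_ &&` guard on the pin check makes pin enforcement silently conditional on the socket having a TransportSecurityState, and nothing in the hunk records that a null state is an intentional "pins not enforced" configuration rather than a misconfiguration; the old code would have dereferenced the null pointer instead of skipping. A comment above the condition such as `// A null |transport_security_state_| means pinning is not enforced for this socket (presumably test-only contexts); every other case must reach CheckPublicKeyPins.` would make the security-relevant intent reviewable, with the "presumably" resolved by whoever knows the callers. Separately, the decision of when a pin failure is bypassed rather than fatal now lives entirely inside CheckPublicKeyPins via PKPStatus::BYPASSED, so the BYPASSED arm would benefit from a one-line comment stating that the known-root distinction is made by the callee. The enclosing function begins before this hunk.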