
Unified Diff: net/socket/ssl_client_socket_impl.cc

Issue 2067843003: Require a CTVerifier and CTPolicyEnforcer for TLS/QUIC sockets (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 6 months ago
Index: net/socket/ssl_client_socket_impl.cc
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
index ed29a96da730a36e9dc5e1b46ff3c55760a3fdc7..c7b65e0c94f4e1f6831b77eda3d1863c18af0061 100644
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -530,6 +530,8 @@ SSLClientSocketImpl::SSLClientSocketImpl(
net_log_(transport_->socket()->NetLog()),
weak_factory_(this) {
DCHECK(cert_verifier_);
+ DCHECK(transport_security_state_);
+ DCHECK(policy_enforcer_);
}
SSLClientSocketImpl::~SSLClientSocketImpl() {
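Review bot: The constructor now asserts transport_security_state_ and policy_enforcer_ but not cert_transparency_verifier_, even though the VerifyCT() hunk further down removes `if (!cert_transparency_verifier_) return;`, the only null guard on that member visible in this diff. Unless the header or the socket factory enforces it elsewhere, a null verifier would now reach whatever use follows in VerifyCT() (the function body continues past that hunk) without an assertion naming the cause; adding `DCHECK(cert_transparency_verifier_);` beside the two new checks keeps the constructor's contract aligned with the CL title. Note these are DCHECKs, so the requirement holds only in debug builds and a null member in a release build still reaches the pointer use; a one-line comment above the three checks stating that the context must supply all three objects would make that expectation explicit.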
@@ -627,10 +629,6 @@ int SSLClientSocketImpl::ExportKeyingMaterial(const base::StringPiece& label,
}
int SSLClientSocketImpl::Connect(const CompletionCallback& callback) {
- // It is an error to create an SSLClientSocket whose context has no
- // TransportSecurityState.
- DCHECK(transport_security_state_);
-
// Although StreamSocket does allow calling Connect() after Disconnect(),
// this has never worked for layered sockets. CHECK to detect any consumers
// reconnecting an SSL socket.
@@ -1346,8 +1344,7 @@ int SSLClientSocketImpl::DoVerifyCertComplete(int result) {
}
const CertStatus cert_status = server_cert_verify_result_.cert_status;
- if (transport_security_state_ &&
- (result == OK ||
+ if ((result == OK ||
(IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
!transport_security_state_->CheckPublicKeyPins(
host_and_port_, server_cert_verify_result_.is_issued_by_known_root,
@@ -1398,9 +1395,6 @@ void SSLClientSocketImpl::UpdateServerCert() {
}
void SSLClientSocketImpl::VerifyCT() {
- if (!cert_transparency_verifier_)
- return;
-
const uint8_t* ocsp_response_raw;
size_t ocsp_response_len;
SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len);
@@ -1427,36 +1421,34 @@ void SSLClientSocketImpl::VerifyCT() {
ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr);
ct_verify_result_.ev_policy_compliance =
ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
- if (policy_enforcer_) {
- if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
- scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
- SSLConfigService::GetEVCertsWhitelist();
- ct::EVPolicyCompliance ev_policy_compliance =
- policy_enforcer_->DoesConformToCTEVPolicy(
- server_cert_verify_result_.verified_cert.get(),
- ev_whitelist.get(), ct_verify_result_.verified_scts, net_log_);
- ct_verify_result_.ev_policy_compliance = ev_policy_compliance;
- if (ev_policy_compliance !=
- ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
- ev_policy_compliance !=
- ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
- ev_policy_compliance !=
- ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
- // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
- VLOG(1) << "EV certificate for "
- << server_cert_verify_result_.verified_cert->subject()
- .GetDisplayName()
- << " does not conform to CT policy, removing EV status.";
- server_cert_verify_result_.cert_status |=
- CERT_STATUS_CT_COMPLIANCE_FAILED;
- server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
- }
- }
- ct_verify_result_.cert_policy_compliance =
- policy_enforcer_->DoesConformToCertPolicy(
- server_cert_verify_result_.verified_cert.get(),
+ if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
+ scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
+ SSLConfigService::GetEVCertsWhitelist();
+ ct::EVPolicyCompliance ev_policy_compliance =
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),
ct_verify_result_.verified_scts, net_log_);
+ ct_verify_result_.ev_policy_compliance = ev_policy_compliance;
+ if (ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
+ ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
+ ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
+ // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
+ VLOG(1) << "EV certificate for "
+ << server_cert_verify_result_.verified_cert->subject()
+ .GetDisplayName()
+ << " does not conform to CT policy, removing EV status.";
+ server_cert_verify_result_.cert_status |=
+ CERT_STATUS_CT_COMPLIANCE_FAILED;
+ server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
+ }
}
+ ct_verify_result_.cert_policy_compliance =
+ policy_enforcer_->DoesConformToCertPolicy(
+ server_cert_verify_result_.verified_cert.get(),
+ ct_verify_result_.verified_scts, net_log_);
}
void SSLClientSocketImpl::OnHandshakeIOComplete(int result) {
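Review bot: `ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr);` at the top of this hunk is left untouched while the new code below it calls `policy_enforcer_->DoesConformToCTEVPolicy` and `policy_enforcer_->DoesConformToCertPolicy` unconditionally, so the null comparison is now dead and reads as if the null case were still handled. With the constructor DCHECK in place this can become `ct_verify_result_.ct_policies_applied = true;`, or the expression can stay with a comment such as `// policy_enforcer_ is required (DCHECKed in the constructor); always applied.` so the next reader does not reintroduce a guard. VerifyCT() begins in the previous hunk, so its opening lines are outside this one.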
