Chromium Code Reviews Chromium Code Reviews
Issue 2084783002:
Cleanup HPKP error handling and weak DH key handling (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@require_ct_enforcer| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <openssl/bio.h> | 8 #include <openssl/bio.h> |
| 9 #include <openssl/bytestring.h> | 9 #include <openssl/bytestring.h> |
| 10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
| (...skipping 1317 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1328 } | 1328 } |
| 1329 | 1329 |
| 1330 const CertStatus cert_status = server_cert_verify_result_.cert_status; | 1330 const CertStatus cert_status = server_cert_verify_result_.cert_status; |
| 1331 if ((result == OK || | 1331 if ((result == OK || |
| 1332 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 1332 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
| 1333 !transport_security_state_->CheckPublicKeyPins( | 1333 !transport_security_state_->CheckPublicKeyPins( |
| 1334 host_and_port_, server_cert_verify_result_.is_issued_by_known_root, | 1334 host_and_port_, server_cert_verify_result_.is_issued_by_known_root, |
| 1335 server_cert_verify_result_.public_key_hashes, server_cert_.get(), | 1335 server_cert_verify_result_.public_key_hashes, server_cert_.get(), |
| 1336 server_cert_verify_result_.verified_cert.get(), | 1336 server_cert_verify_result_.verified_cert.get(), |
| 1337 TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_)) { | 1337 TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_)) { |
| 1338 if (server_cert_verify_result_.is_issued_by_known_root) | 1338 if (server_cert_verify_result_.is_issued_by_known_root) { |
| 1339 server_cert_verify_result_.cert_status |= CERT_STATUS_PINNED_KEY_MISSING; | |
|
davidben
2016/06/21 00:14:12
Think it's worth adding a line to SSLClientSocketT
| |
| 1339 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 1340 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
|
davidben
2016/06/21 00:14:12
[Confirmed these are the two places in //net which
| |
| 1340 else | 1341 } else { |
| 1341 pkp_bypassed_ = true; | 1342 pkp_bypassed_ = true; |
| 1343 } | |
| 1342 } | 1344 } |
| 1343 | 1345 |
| 1344 if (result == OK) { | 1346 if (result == OK) { |
| 1345 // Only check Certificate Transparency if there were no other errors with | 1347 // Only check Certificate Transparency if there were no other errors with |
| 1346 // the connection. | 1348 // the connection. |
| 1347 VerifyCT(); | 1349 VerifyCT(); |
| 1348 | 1350 |
| 1349 DCHECK(!certificate_verified_); | 1351 DCHECK(!certificate_verified_); |
| 1350 certificate_verified_ = true; | 1352 certificate_verified_ = true; |
| 1351 MaybeCacheSession(); | 1353 MaybeCacheSession(); |
| (...skipping 950 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2302 if (rv != OK) { | 2304 if (rv != OK) { |
| 2303 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 2305 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
| 2304 return; | 2306 return; |
| 2305 } | 2307 } |
| 2306 | 2308 |
| 2307 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, | 2309 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, |
| 2308 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); | 2310 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); |
| 2309 } | 2311 } |
| 2310 | 2312 |
| 2311 } // namespace net | 2313 } // namespace net |
| OLD | NEW |
