| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <openssl/bio.h> | 8 #include <openssl/bio.h> |
| 9 #include <openssl/bytestring.h> | 9 #include <openssl/bytestring.h> |
| 10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
| 1186 npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len); | 1186 npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len); |
| 1187 npn_status_ = kNextProtoNegotiated; | 1187 npn_status_ = kNextProtoNegotiated; |
| 1188 set_negotiation_extension(kExtensionALPN); | 1188 set_negotiation_extension(kExtensionALPN); |
| 1189 } | 1189 } |
| 1190 } | 1190 } |
| 1191 | 1191 |
| 1192 RecordNegotiationExtension(); | 1192 RecordNegotiationExtension(); |
| 1193 RecordChannelIDSupport(channel_id_service_, channel_id_sent_, | 1193 RecordChannelIDSupport(channel_id_service_, channel_id_sent_, |
| 1194 ssl_config_.channel_id_enabled); | 1194 ssl_config_.channel_id_enabled); |
| 1195 | 1195 |
| 1196 // Only record OCSP histograms if OCSP was requested. | 1196 const uint8_t* ocsp_response_raw; |
| 1197 if (ssl_config_.signed_cert_timestamps_enabled || | 1197 size_t ocsp_response_len; |
| 1198 cert_verifier_->SupportsOCSPStapling()) { | 1198 SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len); |
| 1199 const uint8_t* ocsp_response; | 1199 std::string ocsp_response; |
| 1200 size_t ocsp_response_len; | 1200 if (ocsp_response_len > 0) { |
| 1201 SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len); | 1201 ocsp_response_.assign(reinterpret_cast<const char*>(ocsp_response_raw), |
| 1202 | 1202 ocsp_response_len); |
| 1203 set_stapled_ocsp_response_received(ocsp_response_len != 0); | |
| 1204 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); | |
| 1205 } | 1203 } |
| 1204 set_stapled_ocsp_response_received(ocsp_response_len != 0); | |
| 1205 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); | |
|
svaldez
2016/07/25 14:57:39
Possibly keep this under the same sct_enabled check
| |
| 1206 | 1206 |
| 1207 const uint8_t* sct_list; | 1207 const uint8_t* sct_list; |
| 1208 size_t sct_list_len; | 1208 size_t sct_list_len; |
| 1209 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len); | 1209 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len); |
| 1210 set_signed_cert_timestamps_received(sct_list_len != 0); | 1210 set_signed_cert_timestamps_received(sct_list_len != 0); |
| 1211 | 1211 |
| 1212 if (IsRenegotiationAllowed()) | 1212 if (IsRenegotiationAllowed()) |
| 1213 SSL_set_renegotiate_mode(ssl_, ssl_renegotiate_freely); | 1213 SSL_set_renegotiate_mode(ssl_, ssl_renegotiate_freely); |
| 1214 | 1214 |
| 1215 uint16_t signature_algorithm = SSL_get_peer_signature_algorithm(ssl_); | 1215 uint16_t signature_algorithm = SSL_get_peer_signature_algorithm(ssl_); |
| 1280 return ERR_CERT_INVALID; | 1280 return ERR_CERT_INVALID; |
| 1281 } | 1281 } |
| 1282 CertStatus cert_status; | 1282 CertStatus cert_status; |
| 1283 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) { | 1283 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) { |
| 1284 server_cert_verify_result_.Reset(); | 1284 server_cert_verify_result_.Reset(); |
| 1285 server_cert_verify_result_.cert_status = cert_status; | 1285 server_cert_verify_result_.cert_status = cert_status; |
| 1286 server_cert_verify_result_.verified_cert = server_cert_; | 1286 server_cert_verify_result_.verified_cert = server_cert_; |
| 1287 return OK; | 1287 return OK; |
| 1288 } | 1288 } |
| 1289 | 1289 |
| 1290 std::string ocsp_response; | |
| 1291 const uint8_t* ocsp_response_raw; | |
| 1292 size_t ocsp_response_len; | |
| 1293 SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len); | |
| 1294 ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw), | |
| 1295 ocsp_response_len); | |
| 1296 | |
| 1297 start_cert_verification_time_ = base::TimeTicks::Now(); | 1290 start_cert_verification_time_ = base::TimeTicks::Now(); |
| 1298 | 1291 |
| 1299 return cert_verifier_->Verify( | 1292 return cert_verifier_->Verify( |
| 1300 CertVerifier::RequestParams(server_cert_, host_and_port_.host(), | 1293 CertVerifier::RequestParams(server_cert_, host_and_port_.host(), |
| 1301 ssl_config_.GetCertVerifyFlags(), | 1294 ssl_config_.GetCertVerifyFlags(), |
| 1302 ocsp_response, CertificateList()), | 1295 ocsp_response_, CertificateList()), |
| 1303 // TODO(davidben): Route the CRLSet through SSLConfig so | 1296 // TODO(davidben): Route the CRLSet through SSLConfig so |
| 1304 // SSLClientSocket doesn't depend on SSLConfigService. | 1297 // SSLClientSocket doesn't depend on SSLConfigService. |
| 1305 SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_, | 1298 SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_, |
| 1306 base::Bind(&SSLClientSocketImpl::OnHandshakeIOComplete, | 1299 base::Bind(&SSLClientSocketImpl::OnHandshakeIOComplete, |
| 1307 base::Unretained(this)), | 1300 base::Unretained(this)), |
| 1308 &cert_verifier_request_, net_log_); | 1301 &cert_verifier_request_, net_log_); |
| 1309 } | 1302 } |
| 1310 | 1303 |
| 1311 int SSLClientSocketImpl::DoVerifyCertComplete(int result) { | 1304 int SSLClientSocketImpl::DoVerifyCertComplete(int result) { |
| 1312 cert_verifier_request_.reset(); | 1305 cert_verifier_request_.reset(); |
| 1347 break; | 1340 break; |
| 1348 } | 1341 } |
| 1349 if (result != ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN && ct_result != OK) | 1342 if (result != ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN && ct_result != OK) |
| 1350 result = ct_result; | 1343 result = ct_result; |
| 1351 } | 1344 } |
| 1352 | 1345 |
| 1353 if (result == OK) { | 1346 if (result == OK) { |
| 1354 DCHECK(!certificate_verified_); | 1347 DCHECK(!certificate_verified_); |
| 1355 certificate_verified_ = true; | 1348 certificate_verified_ = true; |
| 1356 MaybeCacheSession(); | 1349 MaybeCacheSession(); |
| 1350 SSLInfo ssl_info; | |
| 1351 DCHECK(GetSSLInfo(&ssl_info)); | |
| 1352 transport_security_state_->CheckExpectStaple(host_and_port_, ssl_info, | |
| 1353 ocsp_response_); | |
| 1357 } | 1354 } |
| 1358 | 1355 |
| 1359 completed_connect_ = true; | 1356 completed_connect_ = true; |
| 1360 // Exit DoHandshakeLoop and return the result to the caller to Connect. | 1357 // Exit DoHandshakeLoop and return the result to the caller to Connect. |
| 1361 DCHECK_EQ(STATE_NONE, next_handshake_state_); | 1358 DCHECK_EQ(STATE_NONE, next_handshake_state_); |
| 1362 return result; | 1359 return result; |
| 1363 } | 1360 } |
| 1364 | 1361 |
| 1365 void SSLClientSocketImpl::DoConnectCallback(int rv) { | 1362 void SSLClientSocketImpl::DoConnectCallback(int rv) { |
| 1366 if (!user_connect_callback_.is_null()) { | 1363 if (!user_connect_callback_.is_null()) { |
| 1762 bytes_read = result; | 1759 bytes_read = result; |
| 1763 } | 1760 } |
| 1764 DCHECK_GE(recv_buffer_->RemainingCapacity(), bytes_read); | 1761 DCHECK_GE(recv_buffer_->RemainingCapacity(), bytes_read); |
| 1765 int ret = BIO_zero_copy_get_write_buf_done(transport_bio_, bytes_read); | 1762 int ret = BIO_zero_copy_get_write_buf_done(transport_bio_, bytes_read); |
| 1766 DCHECK_EQ(1, ret); | 1763 DCHECK_EQ(1, ret); |
| 1767 transport_recv_busy_ = false; | 1764 transport_recv_busy_ = false; |
| 1768 return result; | 1765 return result; |
| 1769 } | 1766 } |
| 1770 | 1767 |
| 1771 int SSLClientSocketImpl::VerifyCT() { | 1768 int SSLClientSocketImpl::VerifyCT() { |
| 1772 const uint8_t* ocsp_response_raw; | |
| 1773 size_t ocsp_response_len; | |
| 1774 SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len); | |
| 1775 std::string ocsp_response; | |
| 1776 if (ocsp_response_len > 0) { | |
| 1777 ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw), | |
| 1778 ocsp_response_len); | |
| 1779 } | |
| 1780 | |
| 1781 const uint8_t* sct_list_raw; | 1769 const uint8_t* sct_list_raw; |
| 1782 size_t sct_list_len; | 1770 size_t sct_list_len; |
| 1783 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list_raw, &sct_list_len); | 1771 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list_raw, &sct_list_len); |
| 1784 std::string sct_list; | 1772 std::string sct_list; |
| 1785 if (sct_list_len > 0) | 1773 if (sct_list_len > 0) |
| 1786 sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len); | 1774 sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len); |
| 1787 | 1775 |
| 1788 // Note that this is a completely synchronous operation: The CT Log Verifier | 1776 // Note that this is a completely synchronous operation: The CT Log Verifier |
| 1789 // gets all the data it needs for SCT verification and does not do any | 1777 // gets all the data it needs for SCT verification and does not do any |
| 1790 // external communication. | 1778 // external communication. |
| 1791 cert_transparency_verifier_->Verify( | 1779 cert_transparency_verifier_->Verify( |
| 1792 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, | 1780 server_cert_verify_result_.verified_cert.get(), ocsp_response_, sct_list, |
| 1793 &ct_verify_result_, net_log_); | 1781 &ct_verify_result_, net_log_); |
| 1794 | 1782 |
| 1795 ct_verify_result_.ct_policies_applied = true; | 1783 ct_verify_result_.ct_policies_applied = true; |
| 1796 ct_verify_result_.ev_policy_compliance = | 1784 ct_verify_result_.ev_policy_compliance = |
| 1797 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | 1785 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; |
| 1798 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | 1786 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { |
| 1799 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | 1787 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
| 1800 SSLConfigService::GetEVCertsWhitelist(); | 1788 SSLConfigService::GetEVCertsWhitelist(); |
| 1801 ct::EVPolicyCompliance ev_policy_compliance = | 1789 ct::EVPolicyCompliance ev_policy_compliance = |
| 1802 policy_enforcer_->DoesConformToCTEVPolicy( | 1790 policy_enforcer_->DoesConformToCTEVPolicy( |
| 2322 if (rv != OK) { | 2310 if (rv != OK) { |
| 2323 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 2311 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
| 2324 return; | 2312 return; |
| 2325 } | 2313 } |
| 2326 | 2314 |
| 2327 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, | 2315 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, |
| 2328 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); | 2316 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); |
| 2329 } | 2317 } |
| 2330 | 2318 |
| 2331 } // namespace net | 2319 } // namespace net |
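Review bot: `DCHECK(GetSSLInfo(&ssl_info));` at new line 1351 in DoVerifyCertComplete puts the only call that fills in ssl_info inside the DCHECK, and when DCHECK_IS_ON() is false the macro does not evaluate its argument, so the CheckExpectStaple call on the next line would receive a default-constructed SSLInfo in release builds. Hoist the call out of the macro: `bool ok = GetSSLInfo(&ssl_info);` followed by `DCHECK(ok);`. Separately, the local `std::string ocsp_response;` at new line 1199 is never used, since the assign two lines later targets the member `ocsp_response_`. Because that assign is skipped when ocsp_response_len is 0, the member keeps whatever it held before; if Disconnect() (outside this view) does not reset it, a reconnect could carry a stale stapled response into DoVerifyCert and VerifyCT, so an `ocsp_response_.clear();` before the length check, or an unconditional assign as the old DoVerifyCert code did, would be safer.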