Chromium Code Reviews| Index: net/socket/ssl_client_socket_impl.cc |
| diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc |
| index 4f5f2c4651d758975e5d522ab2f9201bec0b2426..e070650ba4c33ea52a332b9b36dc488a931a6530 100644 |
| --- a/net/socket/ssl_client_socket_impl.cc |
| +++ b/net/socket/ssl_client_socket_impl.cc |
| @@ -1193,16 +1193,16 @@ int SSLClientSocketImpl::DoHandshakeComplete(int result) { |
| RecordChannelIDSupport(channel_id_service_, channel_id_sent_, |
| ssl_config_.channel_id_enabled); |
| - // Only record OCSP histograms if OCSP was requested. |
| - if (ssl_config_.signed_cert_timestamps_enabled || |
| - cert_verifier_->SupportsOCSPStapling()) { |
| - const uint8_t* ocsp_response; |
| - size_t ocsp_response_len; |
| - SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len); |
| - |
| - set_stapled_ocsp_response_received(ocsp_response_len != 0); |
| - UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); |
| + const uint8_t* ocsp_response_raw; |
| + size_t ocsp_response_len; |
| + SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len); |
| + std::string ocsp_response; |
| + if (ocsp_response_len > 0) { |
| + ocsp_response_.assign(reinterpret_cast<const char*>(ocsp_response_raw), |
| + ocsp_response_len); |
| } |
| + set_stapled_ocsp_response_received(ocsp_response_len != 0); |
| + UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); |
|
svaldez
2016/07/25 14:57:39
Possibly keep this under the same sct_enabled chec
|
| const uint8_t* sct_list; |
| size_t sct_list_len; |
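Review bot: The local `std::string ocsp_response;` declared just before the `if (ocsp_response_len > 0)` check is never used, because the assignment inside the branch writes to the member `ocsp_response_`; the local should be dropped. The member is also only written when a staple is present, so if DoHandshakeComplete can run more than once on the same socket (not visible here), an earlier response would stay cached. That stale value would then be passed to the verifier calls in the DoVerifyCert and VerifyCT hunks and to the Expect-Staple check in DoVerifyCertComplete. Resetting it before the branch with `ocsp_response_.clear();` avoids that, and a one-line comment on the member saying it holds the raw stapled OCSP response from the most recent handshake would document the dependency. DoHandshakeComplete's body starts and ends outside the hunk.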
| @@ -1287,19 +1287,12 @@ int SSLClientSocketImpl::DoVerifyCert(int result) { |
| return OK; |
| } |
| - std::string ocsp_response; |
| - const uint8_t* ocsp_response_raw; |
| - size_t ocsp_response_len; |
| - SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len); |
| - ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw), |
| - ocsp_response_len); |
| - |
| start_cert_verification_time_ = base::TimeTicks::Now(); |
| return cert_verifier_->Verify( |
| CertVerifier::RequestParams(server_cert_, host_and_port_.host(), |
| ssl_config_.GetCertVerifyFlags(), |
| - ocsp_response, CertificateList()), |
| + ocsp_response_, CertificateList()), |
| // TODO(davidben): Route the CRLSet through SSLConfig so |
| // SSLClientSocket doesn't depend on SSLConfigService. |
| SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_, |
| @@ -1354,6 +1347,10 @@ int SSLClientSocketImpl::DoVerifyCertComplete(int result) { |
| DCHECK(!certificate_verified_); |
| certificate_verified_ = true; |
| MaybeCacheSession(); |
| + SSLInfo ssl_info; |
| + DCHECK(GetSSLInfo(&ssl_info)); |
| + transport_security_state_->CheckExpectStaple(host_and_port_, ssl_info, |
| + ocsp_response_); |
| } |
| completed_connect_ = true; |
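Review bot: `DCHECK(GetSSLInfo(&ssl_info));` puts a call with side effects inside a DCHECK, and in builds where DCHECKs are compiled out the expression is not evaluated. In those builds `ssl_info` would reach `CheckExpectStaple` default-constructed, so the Expect-Staple check would run against empty connection information in release configurations. Hoist the call out of the assertion: `bool ok = GetSSLInfo(&ssl_info);` followed by `DCHECK(ok);`, and consider skipping the check when it returns false. The enclosing block in DoVerifyCertComplete begins outside the hunk.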
| @@ -1769,15 +1766,6 @@ int SSLClientSocketImpl::TransportReadComplete(int result) { |
| } |
| int SSLClientSocketImpl::VerifyCT() { |
| - const uint8_t* ocsp_response_raw; |
| - size_t ocsp_response_len; |
| - SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len); |
| - std::string ocsp_response; |
| - if (ocsp_response_len > 0) { |
| - ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw), |
| - ocsp_response_len); |
| - } |
| - |
| const uint8_t* sct_list_raw; |
| size_t sct_list_len; |
| SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list_raw, &sct_list_len); |
| @@ -1789,7 +1777,7 @@ int SSLClientSocketImpl::VerifyCT() { |
| // gets all the data it needs for SCT verification and does not do any |
| // external communication. |
| cert_transparency_verifier_->Verify( |
| - server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, |
| + server_cert_verify_result_.verified_cert.get(), ocsp_response_, sct_list, |
| &ct_verify_result_, net_log_); |
| ct_verify_result_.ct_policies_applied = true; |