| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <openssl/bio.h> | 8 #include <openssl/bio.h> |
| 9 #include <openssl/bytestring.h> | 9 #include <openssl/bytestring.h> |
| 10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
| 1212 npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len); | 1212 npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len); |
| 1213 npn_status_ = kNextProtoNegotiated; | 1213 npn_status_ = kNextProtoNegotiated; |
| 1214 set_negotiation_extension(kExtensionALPN); | 1214 set_negotiation_extension(kExtensionALPN); |
| 1215 } | 1215 } |
| 1216 } | 1216 } |
| 1217 | 1217 |
| 1218 RecordNegotiationExtension(); | 1218 RecordNegotiationExtension(); |
| 1219 RecordChannelIDSupport(channel_id_service_, channel_id_sent_, | 1219 RecordChannelIDSupport(channel_id_service_, channel_id_sent_, |
| 1220 ssl_config_.channel_id_enabled); | 1220 ssl_config_.channel_id_enabled); |
| 1221 | 1221 |
| 1222 const uint8_t* ocsp_response_raw; | 1222 // Only record OCSP histograms if OCSP was requested. |
| 1223 size_t ocsp_response_len; | 1223 if (ssl_config_.signed_cert_timestamps_enabled || |
| 1224 SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len); | 1224 cert_verifier_->SupportsOCSPStapling()) { |
| 1225 std::string ocsp_response; | 1225 const uint8_t* ocsp_response; |
| 1226 if (ocsp_response_len > 0) { | 1226 size_t ocsp_response_len; |
| 1227 ocsp_response_.assign(reinterpret_cast<const char*>(ocsp_response_raw), | 1227 SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len); |
| 1228 ocsp_response_len); | 1228 |
| 1229 set_stapled_ocsp_response_received(ocsp_response_len != 0); |
| 1230 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); |
| 1229 } | 1231 } |
| 1230 set_stapled_ocsp_response_received(ocsp_response_len != 0); | |
| 1231 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); | |
| 1232 | 1232 |
| 1233 const uint8_t* sct_list; | 1233 const uint8_t* sct_list; |
| 1234 size_t sct_list_len; | 1234 size_t sct_list_len; |
| 1235 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len); | 1235 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len); |
| 1236 set_signed_cert_timestamps_received(sct_list_len != 0); | 1236 set_signed_cert_timestamps_received(sct_list_len != 0); |
| 1237 | 1237 |
| 1238 if (IsRenegotiationAllowed()) | 1238 if (IsRenegotiationAllowed()) |
| 1239 SSL_set_renegotiate_mode(ssl_, ssl_renegotiate_freely); | 1239 SSL_set_renegotiate_mode(ssl_, ssl_renegotiate_freely); |
| 1240 | 1240 |
| 1241 uint16_t signature_algorithm = SSL_get_peer_signature_algorithm(ssl_); | 1241 uint16_t signature_algorithm = SSL_get_peer_signature_algorithm(ssl_); |
| 1306 return ERR_CERT_INVALID; | 1306 return ERR_CERT_INVALID; |
| 1307 } | 1307 } |
| 1308 CertStatus cert_status; | 1308 CertStatus cert_status; |
| 1309 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) { | 1309 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) { |
| 1310 server_cert_verify_result_.Reset(); | 1310 server_cert_verify_result_.Reset(); |
| 1311 server_cert_verify_result_.cert_status = cert_status; | 1311 server_cert_verify_result_.cert_status = cert_status; |
| 1312 server_cert_verify_result_.verified_cert = server_cert_; | 1312 server_cert_verify_result_.verified_cert = server_cert_; |
| 1313 return OK; | 1313 return OK; |
| 1314 } | 1314 } |
| 1315 | 1315 |
| 1316 std::string ocsp_response; |
| 1317 const uint8_t* ocsp_response_raw; |
| 1318 size_t ocsp_response_len; |
| 1319 SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len); |
| 1320 ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw), |
| 1321 ocsp_response_len); |
| 1322 |
| 1316 start_cert_verification_time_ = base::TimeTicks::Now(); | 1323 start_cert_verification_time_ = base::TimeTicks::Now(); |
| 1317 | 1324 |
| 1318 return cert_verifier_->Verify( | 1325 return cert_verifier_->Verify( |
| 1319 CertVerifier::RequestParams(server_cert_, host_and_port_.host(), | 1326 CertVerifier::RequestParams(server_cert_, host_and_port_.host(), |
| 1320 ssl_config_.GetCertVerifyFlags(), | 1327 ssl_config_.GetCertVerifyFlags(), |
| 1321 ocsp_response_, CertificateList()), | 1328 ocsp_response, CertificateList()), |
| 1322 // TODO(davidben): Route the CRLSet through SSLConfig so | 1329 // TODO(davidben): Route the CRLSet through SSLConfig so |
| 1323 // SSLClientSocket doesn't depend on SSLConfigService. | 1330 // SSLClientSocket doesn't depend on SSLConfigService. |
| 1324 SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_, | 1331 SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_, |
| 1325 base::Bind(&SSLClientSocketImpl::OnHandshakeIOComplete, | 1332 base::Bind(&SSLClientSocketImpl::OnHandshakeIOComplete, |
| 1326 base::Unretained(this)), | 1333 base::Unretained(this)), |
| 1327 &cert_verifier_request_, net_log_); | 1334 &cert_verifier_request_, net_log_); |
| 1328 } | 1335 } |
| 1329 | 1336 |
| 1330 int SSLClientSocketImpl::DoVerifyCertComplete(int result) { | 1337 int SSLClientSocketImpl::DoVerifyCertComplete(int result) { |
| 1331 cert_verifier_request_.reset(); | 1338 cert_verifier_request_.reset(); |
| 1366 break; | 1373 break; |
| 1367 } | 1374 } |
| 1368 if (result != ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN && ct_result != OK) | 1375 if (result != ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN && ct_result != OK) |
| 1369 result = ct_result; | 1376 result = ct_result; |
| 1370 } | 1377 } |
| 1371 | 1378 |
| 1372 if (result == OK) { | 1379 if (result == OK) { |
| 1373 DCHECK(!certificate_verified_); | 1380 DCHECK(!certificate_verified_); |
| 1374 certificate_verified_ = true; | 1381 certificate_verified_ = true; |
| 1375 MaybeCacheSession(); | 1382 MaybeCacheSession(); |
| 1376 SSLInfo ssl_info; | |
| 1377 DCHECK(GetSSLInfo(&ssl_info)); | |
| 1378 transport_security_state_->CheckExpectStaple(host_and_port_, ssl_info, | |
| 1379 ocsp_response_); | |
| 1380 } | 1383 } |
| 1381 | 1384 |
| 1382 completed_connect_ = true; | 1385 completed_connect_ = true; |
| 1383 // Exit DoHandshakeLoop and return the result to the caller to Connect. | 1386 // Exit DoHandshakeLoop and return the result to the caller to Connect. |
| 1384 DCHECK_EQ(STATE_NONE, next_handshake_state_); | 1387 DCHECK_EQ(STATE_NONE, next_handshake_state_); |
| 1385 return result; | 1388 return result; |
| 1386 } | 1389 } |
| 1387 | 1390 |
| 1388 void SSLClientSocketImpl::DoConnectCallback(int rv) { | 1391 void SSLClientSocketImpl::DoConnectCallback(int rv) { |
| 1389 if (!user_connect_callback_.is_null()) { | 1392 if (!user_connect_callback_.is_null()) { |
| 1785 bytes_read = result; | 1788 bytes_read = result; |
| 1786 } | 1789 } |
| 1787 DCHECK_GE(recv_buffer_->RemainingCapacity(), bytes_read); | 1790 DCHECK_GE(recv_buffer_->RemainingCapacity(), bytes_read); |
| 1788 int ret = BIO_zero_copy_get_write_buf_done(transport_bio_, bytes_read); | 1791 int ret = BIO_zero_copy_get_write_buf_done(transport_bio_, bytes_read); |
| 1789 DCHECK_EQ(1, ret); | 1792 DCHECK_EQ(1, ret); |
| 1790 transport_recv_busy_ = false; | 1793 transport_recv_busy_ = false; |
| 1791 return result; | 1794 return result; |
| 1792 } | 1795 } |
| 1793 | 1796 |
| 1794 int SSLClientSocketImpl::VerifyCT() { | 1797 int SSLClientSocketImpl::VerifyCT() { |
| 1798 const uint8_t* ocsp_response_raw; |
| 1799 size_t ocsp_response_len; |
| 1800 SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len); |
| 1801 std::string ocsp_response; |
| 1802 if (ocsp_response_len > 0) { |
| 1803 ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw), |
| 1804 ocsp_response_len); |
| 1805 } |
| 1806 |
| 1795 const uint8_t* sct_list_raw; | 1807 const uint8_t* sct_list_raw; |
| 1796 size_t sct_list_len; | 1808 size_t sct_list_len; |
| 1797 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list_raw, &sct_list_len); | 1809 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list_raw, &sct_list_len); |
| 1798 std::string sct_list; | 1810 std::string sct_list; |
| 1799 if (sct_list_len > 0) | 1811 if (sct_list_len > 0) |
| 1800 sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len); | 1812 sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len); |
| 1801 | 1813 |
| 1802 // Note that this is a completely synchronous operation: The CT Log Verifier | 1814 // Note that this is a completely synchronous operation: The CT Log Verifier |
| 1803 // gets all the data it needs for SCT verification and does not do any | 1815 // gets all the data it needs for SCT verification and does not do any |
| 1804 // external communication. | 1816 // external communication. |
| 1805 cert_transparency_verifier_->Verify( | 1817 cert_transparency_verifier_->Verify( |
| 1806 server_cert_verify_result_.verified_cert.get(), ocsp_response_, sct_list, | 1818 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, |
| 1807 &ct_verify_result_, net_log_); | 1819 &ct_verify_result_, net_log_); |
| 1808 | 1820 |
| 1809 ct_verify_result_.ct_policies_applied = true; | 1821 ct_verify_result_.ct_policies_applied = true; |
| 1810 ct_verify_result_.ev_policy_compliance = | 1822 ct_verify_result_.ev_policy_compliance = |
| 1811 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | 1823 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; |
| 1812 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | 1824 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { |
| 1813 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | 1825 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
| 1814 SSLConfigService::GetEVCertsWhitelist(); | 1826 SSLConfigService::GetEVCertsWhitelist(); |
| 1815 ct::EVPolicyCompliance ev_policy_compliance = | 1827 ct::EVPolicyCompliance ev_policy_compliance = |
| 1816 policy_enforcer_->DoesConformToCTEVPolicy( | 1828 policy_enforcer_->DoesConformToCTEVPolicy( |
| 2336 if (rv != OK) { | 2348 if (rv != OK) { |
| 2337 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 2349 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
| 2338 return; | 2350 return; |
| 2339 } | 2351 } |
| 2340 | 2352 |
| 2341 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, | 2353 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, |
| 2342 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); | 2354 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); |
| 2343 } | 2355 } |
| 2344 | 2356 |
| 2345 } // namespace net | 2357 } // namespace net |
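Review bot: DoVerifyCert (new 1316–1321) copies the server's stapled OCSP response with an unconditional `ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw), ocsp_response_len)`, while VerifyCT (new 1798–1805) guards the identical copy with `if (ocsp_response_len > 0)`, so the two fetch sites this change introduces disagree on how an empty response is handled. Whether SSL_get0_ocsp_response leaves the pointer null when nothing was stapled cannot be confirmed from this page, so the length guard should be kept at both sites rather than at one. Since the same fetch of this server-controlled blob now appears three times (DoHandshakeComplete, DoVerifyCert, VerifyCT), I would move it into one helper and have DoVerifyCert and VerifyCT call it; its declaration goes in ssl_client_socket_impl.h, which is outside this page. The DoHandshakeComplete comment at new 1222 could also name the state it gates, e.g. `// Only record the stapled-OCSP state and histogram if OCSP was requested.`, since `set_stapled_ocsp_response_received` is now skipped as well when OCSP was not requested. DoVerifyCert's body starts before the hunk at 1306.
```cpp
// Returns a copy of the OCSP response stapled to the current handshake, or an
// empty string if the server did not staple one.
std::string SSLClientSocketImpl::GetStapledOCSPResponse() {
  const uint8_t* ocsp_response_raw;
  size_t ocsp_response_len;
  SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len);
  std::string ocsp_response;
  if (ocsp_response_len > 0) {
    ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw),
                         ocsp_response_len);
  }
  return ocsp_response;
}

// … unchanged: DoVerifyCert up to the IsAllowedBadCert block …
std::string ocsp_response = GetStapledOCSPResponse();
// … unchanged: start_cert_verification_time_ and cert_verifier_->Verify call …
```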