| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <openssl/bio.h> | 8 #include <openssl/bio.h> |
| 9 #include <openssl/bytestring.h> | 9 #include <openssl/bytestring.h> |
| 10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
| (...skipping 431 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 442 openssl_chain_.reset(X509_chain_up_ref(other.openssl_chain_.get())); | 442 openssl_chain_.reset(X509_chain_up_ref(other.openssl_chain_.get())); |
| 443 return *this; | 443 return *this; |
| 444 } | 444 } |
| 445 | 445 |
| 446 void SSLClientSocketImpl::PeerCertificateChain::Reset(STACK_OF(X509) * chain) { | 446 void SSLClientSocketImpl::PeerCertificateChain::Reset(STACK_OF(X509) * chain) { |
| 447 openssl_chain_.reset(chain ? X509_chain_up_ref(chain) : NULL); | 447 openssl_chain_.reset(chain ? X509_chain_up_ref(chain) : NULL); |
| 448 } | 448 } |
| 449 | 449 |
| 450 scoped_refptr<X509Certificate> | 450 scoped_refptr<X509Certificate> |
| 451 SSLClientSocketImpl::PeerCertificateChain::AsOSChain() const { | 451 SSLClientSocketImpl::PeerCertificateChain::AsOSChain() const { |
| 452 #if defined(USE_OPENSSL_CERTS) | |
| 453 // When OSCertHandle is typedef'ed to X509, this implementation does a short | |
| 454 // cut to avoid converting back and forth between DER and the X509 struct. | |
| 455 X509Certificate::OSCertHandles intermediates; | |
| 456 for (size_t i = 1; i < sk_X509_num(openssl_chain_.get()); ++i) { | |
| 457 intermediates.push_back(sk_X509_value(openssl_chain_.get(), i)); | |
| 458 } | |
| 459 | |
| 460 return X509Certificate::CreateFromHandle( | |
| 461 sk_X509_value(openssl_chain_.get(), 0), intermediates); | |
| 462 #else | |
| 463 // DER-encode the chain and convert to a platform certificate handle. | 452 // DER-encode the chain and convert to a platform certificate handle. |
| 464 std::vector<base::StringPiece> der_chain; | 453 std::vector<std::string> chain; |
| 454 chain.reserve(sk_X509_num(openssl_chain_.get())); |
| 465 for (size_t i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) { | 455 for (size_t i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) { |
| 466 X509* x = sk_X509_value(openssl_chain_.get(), i); | 456 X509* x = sk_X509_value(openssl_chain_.get(), i); |
| 467 base::StringPiece der; | 457 // Note: This intentionally avoids using x509_util::GetDER(), which may |
| 468 if (!x509_util::GetDER(x, &der)) | 458 // cache the encoded DER on |x|, as |x| is shared with the underlying |
| 469 return NULL; | 459 // socket (SSL*) this chain belongs to. As the DER will only be used |
| 470 der_chain.push_back(der); | 460 // once in //net, within this code, this avoids needlessly caching |
| 461 // additional data. See https://crbug.com/642082 |
| 462 int len = i2d_X509(x, nullptr); |
| 463 if (len < 0) |
| 464 return nullptr; |
| 465 std::string cert; |
| 466 uint8_t* ptr = reinterpret_cast<uint8_t*>(base::WriteInto(&cert, len + 1)); |
| 467 len = i2d_X509(x, &ptr); |
| 468 if (len < 0) { |
| 469 NOTREACHED(); |
| 470 return nullptr; |
| 471 } |
| 472 chain.push_back(std::move(cert)); |
| 471 } | 473 } |
| 474 std::vector<base::StringPiece> stringpiece_chain; |
| 475 for (const auto& cert : chain) |
| 476 stringpiece_chain.push_back(cert); |
| 472 | 477 |
| 473 return X509Certificate::CreateFromDERCertChain(der_chain); | 478 return X509Certificate::CreateFromDERCertChain(stringpiece_chain); |
| 474 #endif | |
| 475 } | 479 } |
| 476 | 480 |
| 477 // static | 481 // static |
| 478 void SSLClientSocket::ClearSessionCache() { | 482 void SSLClientSocket::ClearSessionCache() { |
| 479 SSLClientSocketImpl::SSLContext* context = | 483 SSLClientSocketImpl::SSLContext* context = |
| 480 SSLClientSocketImpl::SSLContext::GetInstance(); | 484 SSLClientSocketImpl::SSLContext::GetInstance(); |
| 481 context->session_cache()->Flush(); | 485 context->session_cache()->Flush(); |
| 482 } | 486 } |
| 483 | 487 |
| 484 SSLClientSocketImpl::SSLClientSocketImpl( | 488 SSLClientSocketImpl::SSLClientSocketImpl( |
| (...skipping 801 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1286 | 1290 |
| 1287 int SSLClientSocketImpl::DoVerifyCert(int result) { | 1291 int SSLClientSocketImpl::DoVerifyCert(int result) { |
| 1288 DCHECK(!server_cert_chain_->empty()); | 1292 DCHECK(!server_cert_chain_->empty()); |
| 1289 DCHECK(start_cert_verification_time_.is_null()); | 1293 DCHECK(start_cert_verification_time_.is_null()); |
| 1290 | 1294 |
| 1291 next_handshake_state_ = STATE_VERIFY_CERT_COMPLETE; | 1295 next_handshake_state_ = STATE_VERIFY_CERT_COMPLETE; |
| 1292 | 1296 |
| 1293 // OpenSSL decoded the certificate, but the platform certificate | 1297 // OpenSSL decoded the certificate, but the platform certificate |
| 1294 // implementation could not. This is treated as a fatal SSL-level protocol | 1298 // implementation could not. This is treated as a fatal SSL-level protocol |
| 1295 // error rather than a certificate error. See https://crbug.com/91341. | 1299 // error rather than a certificate error. See https://crbug.com/91341. |
| 1296 if (!server_cert_.get()) | 1300 if (!server_cert_) |
| 1297 return ERR_SSL_SERVER_CERT_BAD_FORMAT; | 1301 return ERR_SSL_SERVER_CERT_BAD_FORMAT; |
| 1298 | 1302 |
| 1299 // If the certificate is bad and has been previously accepted, use | 1303 // If the certificate is bad and has been previously accepted, use |
| 1300 // the previous status and bypass the error. | 1304 // the previous status and bypass the error. |
| 1301 base::StringPiece der_cert; | |
| 1302 if (!x509_util::GetDER(server_cert_chain_->Get(0), &der_cert)) { | |
| 1303 NOTREACHED(); | |
| 1304 return ERR_CERT_INVALID; | |
| 1305 } | |
| 1306 CertStatus cert_status; | 1305 CertStatus cert_status; |
| 1307 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) { | 1306 if (ssl_config_.IsAllowedBadCert(server_cert_.get(), &cert_status)) { |
| 1308 server_cert_verify_result_.Reset(); | 1307 server_cert_verify_result_.Reset(); |
| 1309 server_cert_verify_result_.cert_status = cert_status; | 1308 server_cert_verify_result_.cert_status = cert_status; |
| 1310 server_cert_verify_result_.verified_cert = server_cert_; | 1309 server_cert_verify_result_.verified_cert = server_cert_; |
| 1311 return OK; | 1310 return OK; |
| 1312 } | 1311 } |
| 1313 | 1312 |
| 1314 start_cert_verification_time_ = base::TimeTicks::Now(); | 1313 start_cert_verification_time_ = base::TimeTicks::Now(); |
| 1315 | 1314 |
| 1316 return cert_verifier_->Verify( | 1315 return cert_verifier_->Verify( |
| 1317 CertVerifier::RequestParams(server_cert_, host_and_port_.host(), | 1316 CertVerifier::RequestParams(server_cert_, host_and_port_.host(), |
| (...skipping 1064 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2382 } | 2381 } |
| 2383 UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.Support", supported, | 2382 UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.Support", supported, |
| 2384 CHANNEL_ID_USAGE_MAX); | 2383 CHANNEL_ID_USAGE_MAX); |
| 2385 } | 2384 } |
| 2386 | 2385 |
| 2387 bool SSLClientSocketImpl::IsChannelIDEnabled() const { | 2386 bool SSLClientSocketImpl::IsChannelIDEnabled() const { |
| 2388 return ssl_config_.channel_id_enabled && channel_id_service_; | 2387 return ssl_config_.channel_id_enabled && channel_id_service_; |
| 2389 } | 2388 } |
| 2390 | 2389 |
| 2391 } // namespace net | 2390 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2300533002:
Stop caching DER-encoded certificates unnecessarily (Closed)
