| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "remoting/protocol/ssl_hmac_channel_authenticator.h" | 5 #include "remoting/protocol/ssl_hmac_channel_authenticator.h" |
| 6 | 6 |
| 7 #include <stdint.h> | 7 #include <stdint.h> |
| 8 | 8 |
| 9 #include <utility> | 9 #include <utility> |
| 10 | 10 |
| 251 if (is_ssl_server()) { | 251 if (is_ssl_server()) { |
| 252 #if defined(OS_NACL) | 252 #if defined(OS_NACL) |
| 253 // Client plugin doesn't use server SSL sockets, and so SSLServerSocket | 253 // Client plugin doesn't use server SSL sockets, and so SSLServerSocket |
| 254 // implementation is not compiled for NaCl as part of net_nacl. | 254 // implementation is not compiled for NaCl as part of net_nacl. |
| 255 NOTREACHED(); | 255 NOTREACHED(); |
| 256 result = net::ERR_FAILED; | 256 result = net::ERR_FAILED; |
| 257 #else | 257 #else |
| 258 scoped_refptr<net::X509Certificate> cert = | 258 scoped_refptr<net::X509Certificate> cert = |
| 259 net::X509Certificate::CreateFromBytes(local_cert_.data(), | 259 net::X509Certificate::CreateFromBytes(local_cert_.data(), |
| 260 local_cert_.length()); | 260 local_cert_.length()); |
| 261 if (!cert.get()) { | 261 if (!cert) { |
| 262 LOG(ERROR) << "Failed to parse X509Certificate"; | 262 LOG(ERROR) << "Failed to parse X509Certificate"; |
| 263 NotifyError(net::ERR_FAILED); | 263 NotifyError(net::ERR_FAILED); |
| 264 return; | 264 return; |
| 265 } | 265 } |
| 266 | 266 |
| 267 net::SSLServerConfig ssl_config; | 267 net::SSLServerConfig ssl_config; |
| 268 ssl_config.require_ecdhe = true; | 268 ssl_config.require_ecdhe = true; |
| 269 | 269 |
| 270 server_context_ = net::CreateSSLServerContext( | 270 server_context_ = net::CreateSSLServerContext( |
| 271 cert.get(), *local_key_pair_->private_key(), ssl_config); | 271 cert.get(), *local_key_pair_->private_key(), ssl_config); |
| 272 | 272 |
| 273 std::unique_ptr<net::SSLServerSocket> server_socket = | 273 std::unique_ptr<net::SSLServerSocket> server_socket = |
| 274 server_context_->CreateSSLServerSocket( | 274 server_context_->CreateSSLServerSocket( |
| 275 base::MakeUnique<NetStreamSocketAdapter>(std::move(socket))); | 275 base::MakeUnique<NetStreamSocketAdapter>(std::move(socket))); |
| 276 net::SSLServerSocket* raw_server_socket = server_socket.get(); | 276 net::SSLServerSocket* raw_server_socket = server_socket.get(); |
| 277 socket_ = std::move(server_socket); | 277 socket_ = std::move(server_socket); |
| 278 result = raw_server_socket->Handshake( | 278 result = raw_server_socket->Handshake( |
| 279 base::Bind(&SslHmacChannelAuthenticator::OnConnected, | 279 base::Bind(&SslHmacChannelAuthenticator::OnConnected, |
| 280 base::Unretained(this))); | 280 base::Unretained(this))); |
| 281 #endif | 281 #endif |
| 282 } else { | 282 } else { |
| 283 transport_security_state_.reset(new net::TransportSecurityState); | 283 transport_security_state_.reset(new net::TransportSecurityState); |
| 284 cert_verifier_.reset(new FailingCertVerifier); | 284 cert_verifier_.reset(new FailingCertVerifier); |
| 285 ct_verifier_.reset(new IgnoresCTVerifier); | 285 ct_verifier_.reset(new IgnoresCTVerifier); |
| 286 ct_policy_enforcer_.reset(new IgnoresCTPolicyEnforcer); | 286 ct_policy_enforcer_.reset(new IgnoresCTPolicyEnforcer); |
| 287 | 287 |
| 288 net::SSLConfig::CertAndStatus cert_and_status; | |
| 289 cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID; | |
| 290 cert_and_status.der_cert = remote_cert_; | |
| 291 | |
| 292 net::SSLConfig ssl_config; | 288 net::SSLConfig ssl_config; |
| 293 // Certificate verification and revocation checking are not needed | 289 // Certificate verification and revocation checking are not needed |
| 294 // because we use self-signed certs. Disable it so that the SSL | 290 // because we use self-signed certs. Disable it so that the SSL |
| 295 // layer doesn't try to initialize OCSP (OCSP works only on the IO | 291 // layer doesn't try to initialize OCSP (OCSP works only on the IO |
| 296 // thread). | 292 // thread). |
| 297 ssl_config.cert_io_enabled = false; | 293 ssl_config.cert_io_enabled = false; |
| 298 ssl_config.rev_checking_enabled = false; | 294 ssl_config.rev_checking_enabled = false; |
| 299 ssl_config.allowed_bad_certs.push_back(cert_and_status); | |
| 300 ssl_config.require_ecdhe = true; | 295 ssl_config.require_ecdhe = true; |
| 301 | 296 |
| 297 scoped_refptr<net::X509Certificate> cert = | |
| 298 net::X509Certificate::CreateFromBytes(remote_cert_.data(), | |
| 299 remote_cert_.length()); | |
| 300 if (!cert) { | |
| 301 LOG(ERROR) << "Failed to parse X509Certificate"; | |
| 302 NotifyError(net::ERR_FAILED); | |
| 303 return; | |
| 304 } | |
| 305 | |
| 306 net::SSLConfig::CertAndStatus cert_and_status; | |
| 307 cert_and_status.cert = std::move(cert); | |
| 308 cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID; | |
| 309 ssl_config.allowed_bad_certs.emplace_back(std::move(cert_and_status)); | |
|
davidben
2016/09/01 19:44:40
Ditto
| |
| 310 | |
| 302 net::HostPortPair host_and_port(kSslFakeHostName, 0); | 311 net::HostPortPair host_and_port(kSslFakeHostName, 0); |
| 303 net::SSLClientSocketContext context; | 312 net::SSLClientSocketContext context; |
| 304 context.transport_security_state = transport_security_state_.get(); | 313 context.transport_security_state = transport_security_state_.get(); |
| 305 context.cert_verifier = cert_verifier_.get(); | 314 context.cert_verifier = cert_verifier_.get(); |
| 306 context.cert_transparency_verifier = ct_verifier_.get(); | 315 context.cert_transparency_verifier = ct_verifier_.get(); |
| 307 context.ct_policy_enforcer = ct_policy_enforcer_.get(); | 316 context.ct_policy_enforcer = ct_policy_enforcer_.get(); |
| 308 std::unique_ptr<net::ClientSocketHandle> socket_handle( | 317 std::unique_ptr<net::ClientSocketHandle> socket_handle( |
| 309 new net::ClientSocketHandle); | 318 new net::ClientSocketHandle); |
| 310 socket_handle->SetSocket( | 319 socket_handle->SetSocket( |
| 311 base::MakeUnique<NetStreamSocketAdapter>(std::move(socket))); | 320 base::MakeUnique<NetStreamSocketAdapter>(std::move(socket))); |
| 480 std::move(socket_), std::move(server_context_))); | 489 std::move(socket_), std::move(server_context_))); |
| 481 } | 490 } |
| 482 } | 491 } |
| 483 | 492 |
| 484 void SslHmacChannelAuthenticator::NotifyError(int error) { | 493 void SslHmacChannelAuthenticator::NotifyError(int error) { |
| 485 base::ResetAndReturn(&done_callback_).Run(error, nullptr); | 494 base::ResetAndReturn(&done_callback_).Run(error, nullptr); |
| 486 } | 495 } |
| 487 | 496 |
| 488 } // namespace protocol | 497 } // namespace protocol |
| 489 } // namespace remoting | 498 } // namespace remoting |
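Review bot: The two parse-failure paths (new lines 261–265 in the server branch and 300–304 in the new client branch) log the identical message `"Failed to parse X509Certificate"`, so a log line cannot tell a bad local (server) certificate from a bad pinned remote one; changing the new client-branch line to `LOG(ERROR) << "Failed to parse remote X509Certificate";` would disambiguate, and the repeated parse-check-NotifyError-return sequence could live in one small helper. The comment above the client's SSLConfig (new lines 289–292) explains why verification and OCSP are disabled but not what then constrains the peer; a comment such as `// allowed_bad_certs pins the handshake to remote_cert_ with AUTHORITY_INVALID; any other peer certificate is presumably rejected by FailingCertVerifier.` would record that invariant, with the FailingCertVerifier behaviour inferred from its name rather than visible here. The enclosing function starts above the visible section and continues past new line 320.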