| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <stdint.h> | 7 #include <stdint.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 | 10 |
| (...skipping 372 matching lines...) |
| 383 return new CertVerifyProcIOS(); | 383 return new CertVerifyProcIOS(); |
| 384 #elif defined(OS_MACOSX) | 384 #elif defined(OS_MACOSX) |
| 385 return new CertVerifyProcMac(); | 385 return new CertVerifyProcMac(); |
| 386 #elif defined(OS_WIN) | 386 #elif defined(OS_WIN) |
| 387 return new CertVerifyProcWin(); | 387 return new CertVerifyProcWin(); |
| 388 #else | 388 #else |
| 389 return NULL; | 389 return NULL; |
| 390 #endif | 390 #endif |
| 391 } | 391 } |
| 392 | 392 |
| 393 CertVerifyProc::CertVerifyProc() {} | 393 CertVerifyProc::CertVerifyProc() |
| 394 : sha1_legacy_mode_enabled(base::FeatureList::IsEnabled(kSHA1LegacyMode)) {} |
| 394 | 395 |
| 395 CertVerifyProc::~CertVerifyProc() {} | 396 CertVerifyProc::~CertVerifyProc() {} |
| 396 | 397 |
| 397 int CertVerifyProc::Verify(X509Certificate* cert, | 398 int CertVerifyProc::Verify(X509Certificate* cert, |
| 398 const std::string& hostname, | 399 const std::string& hostname, |
| 399 const std::string& ocsp_response, | 400 const std::string& ocsp_response, |
| 400 int flags, | 401 int flags, |
| 401 CRLSet* crl_set, | 402 CRLSet* crl_set, |
| 402 const CertificateList& additional_trust_anchors, | 403 const CertificateList& additional_trust_anchors, |
| 403 CertVerifyResult* verify_result) { | 404 CertVerifyResult* verify_result) { |
| (...skipping 78 matching lines...) |
| 482 // As the risk is greatest for publicly trusted certificates, prevent | 483 // As the risk is greatest for publicly trusted certificates, prevent |
| 483 // those certificates from being trusted from that date forward. | 484 // those certificates from being trusted from that date forward. |
| 484 // | 485 // |
| 485 // TODO(mattm): apply the SHA-1 deprecation check to all certs unless | 486 // TODO(mattm): apply the SHA-1 deprecation check to all certs unless |
| 486 // CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS flag is present. | 487 // CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS flag is present. |
| 487 if (verify_result->has_md5 || | 488 if (verify_result->has_md5 || |
| 488 // Current SHA-1 behaviour: | 489 // Current SHA-1 behaviour: |
| 489 // - Reject all publicly trusted SHA-1 | 490 // - Reject all publicly trusted SHA-1 |
| 490 // - ... unless it's in the intermediate and SHA-1 intermediates are | 491 // - ... unless it's in the intermediate and SHA-1 intermediates are |
| 491 // allowed for that platform. See https://crbug.com/588789 | 492 // allowed for that platform. See https://crbug.com/588789 |
| 492 (!base::FeatureList::IsEnabled(kSHA1LegacyMode) && | 493 (!sha1_legacy_mode_enabled && |
| 493 (verify_result->is_issued_by_known_root && | 494 (verify_result->is_issued_by_known_root && |
| 494 (verify_result->has_sha1_leaf || | 495 (verify_result->has_sha1_leaf || |
| 495 (verify_result->has_sha1 && !AreSHA1IntermediatesAllowed())))) || | 496 (verify_result->has_sha1 && !AreSHA1IntermediatesAllowed())))) || |
| 496 // Legacy SHA-1 behaviour: | 497 // Legacy SHA-1 behaviour: |
| 497 // - Reject all publicly trusted SHA-1 leaf certs issued after | 498 // - Reject all publicly trusted SHA-1 leaf certs issued after |
| 498 // 2016-01-01. | 499 // 2016-01-01. |
| 499 (base::FeatureList::IsEnabled(kSHA1LegacyMode) && | 500 (sha1_legacy_mode_enabled && (verify_result->has_sha1_leaf && |
| 500 (verify_result->has_sha1_leaf && | 501 verify_result->is_issued_by_known_root && |
| 501 verify_result->is_issued_by_known_root && | 502 IsPastSHA1DeprecationDate(*cert)))) { |
| 502 IsPastSHA1DeprecationDate(*cert)))) { | |
| 503 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; | 503 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; |
| 504 // Avoid replacing a more serious error, such as an OS/library failure, | 504 // Avoid replacing a more serious error, such as an OS/library failure, |
| 505 // by ensuring that if verification failed, it failed with a certificate | 505 // by ensuring that if verification failed, it failed with a certificate |
| 506 // error. | 506 // error. |
| 507 if (rv == OK || IsCertificateError(rv)) | 507 if (rv == OK || IsCertificateError(rv)) |
| 508 rv = MapCertStatusToNetError(verify_result->cert_status); | 508 rv = MapCertStatusToNetError(verify_result->cert_status); |
| 509 } | 509 } |
| 510 | 510 |
| 511 // Flag certificates from publicly-trusted CAs that are issued to intranet | 511 // Flag certificates from publicly-trusted CAs that are issued to intranet |
| 512 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit | 512 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit |
| (...skipping 257 matching lines...) |
| 770 return true; | 770 return true; |
| 771 | 771 |
| 772 return false; | 772 return false; |
| 773 } | 773 } |
| 774 | 774 |
| 775 // static | 775 // static |
| 776 const base::Feature CertVerifyProc::kSHA1LegacyMode{ | 776 const base::Feature CertVerifyProc::kSHA1LegacyMode{ |
| 777 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT}; | 777 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT}; |
| 778 | 778 |
| 779 } // namespace net | 779 } // namespace net |
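Review bot: In the constructor at new lines 393–394 the SHA-1 policy is read from `base::FeatureList` once and frozen for the lifetime of the object, so the weak-signature check in `Verify` (new lines 493 and 500) no longer follows a feature override applied after construction. That lifetime rule deserves a comment where the snapshot is taken, e.g. `// Snapshot kSHA1LegacyMode once; later FeatureList changes do not affect this instance.` Because the feature is `FEATURE_DISABLED_BY_DEFAULT`, an instance built before overrides are registered would presumably stay on the stricter current-SHA-1 path, which is the safe direction, but a test that enables legacy mode has to do so before creating the verifier. The member's declaration is not visible on this page; if it is a private mutable field, `const bool sha1_legacy_mode_enabled_;` would guarantee that both branches of the condition see the same value for every call and would match the trailing-underscore naming usually used for data members. `Verify`'s body is only partly shown, so any other reads of the feature in the skipped lines could not be checked.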