| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <string.h> | 8 #include <string.h> |
| 9 | 9 |
| 10 #include <algorithm> | 10 #include <algorithm> |
| 1165 alpn_len); | 1165 alpn_len); |
| 1166 negotiated_protocol_ = NextProtoFromString(proto); | 1166 negotiated_protocol_ = NextProtoFromString(proto); |
| 1167 } | 1167 } |
| 1168 | 1168 |
| 1169 RecordNegotiatedProtocol(); | 1169 RecordNegotiatedProtocol(); |
| 1170 RecordChannelIDSupport(); | 1170 RecordChannelIDSupport(); |
| 1171 | 1171 |
| 1172 const uint8_t* ocsp_response_raw; | 1172 const uint8_t* ocsp_response_raw; |
| 1173 size_t ocsp_response_len; | 1173 size_t ocsp_response_len; |
| 1174 SSL_get0_ocsp_response(ssl_.get(), &ocsp_response_raw, &ocsp_response_len); | 1174 SSL_get0_ocsp_response(ssl_.get(), &ocsp_response_raw, &ocsp_response_len); |
| 1175 std::string ocsp_response; | |
| 1176 if (ocsp_response_len > 0) { | |
| 1177 ocsp_response_.assign(reinterpret_cast<const char*>(ocsp_response_raw), | |
| 1178 ocsp_response_len); | |
| 1179 } | |
| 1180 set_stapled_ocsp_response_received(ocsp_response_len != 0); | 1175 set_stapled_ocsp_response_received(ocsp_response_len != 0); |
| 1181 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); | 1176 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0); |
| 1182 | 1177 |
| 1183 const uint8_t* sct_list; | 1178 const uint8_t* sct_list; |
| 1184 size_t sct_list_len; | 1179 size_t sct_list_len; |
| 1185 SSL_get0_signed_cert_timestamp_list(ssl_.get(), &sct_list, &sct_list_len); | 1180 SSL_get0_signed_cert_timestamp_list(ssl_.get(), &sct_list, &sct_list_len); |
| 1186 set_signed_cert_timestamps_received(sct_list_len != 0); | 1181 set_signed_cert_timestamps_received(sct_list_len != 0); |
| 1187 | 1182 |
| 1188 if (IsRenegotiationAllowed()) | 1183 if (IsRenegotiationAllowed()) |
| 1189 SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_freely); | 1184 SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_freely); |
| 1251 CertStatus cert_status; | 1246 CertStatus cert_status; |
| 1252 if (ssl_config_.IsAllowedBadCert(server_cert_.get(), &cert_status)) { | 1247 if (ssl_config_.IsAllowedBadCert(server_cert_.get(), &cert_status)) { |
| 1253 server_cert_verify_result_.Reset(); | 1248 server_cert_verify_result_.Reset(); |
| 1254 server_cert_verify_result_.cert_status = cert_status; | 1249 server_cert_verify_result_.cert_status = cert_status; |
| 1255 server_cert_verify_result_.verified_cert = server_cert_; | 1250 server_cert_verify_result_.verified_cert = server_cert_; |
| 1256 return OK; | 1251 return OK; |
| 1257 } | 1252 } |
| 1258 | 1253 |
| 1259 start_cert_verification_time_ = base::TimeTicks::Now(); | 1254 start_cert_verification_time_ = base::TimeTicks::Now(); |
| 1260 | 1255 |
| 1256 const uint8_t* ocsp_response_raw; |
| 1257 size_t ocsp_response_len; |
| 1258 SSL_get0_ocsp_response(ssl_.get(), &ocsp_response_raw, &ocsp_response_len); |
| 1259 base::StringPiece ocsp_response( |
| 1260 reinterpret_cast<const char*>(ocsp_response_raw), ocsp_response_len); |
| 1261 |
| 1261 return cert_verifier_->Verify( | 1262 return cert_verifier_->Verify( |
| 1262 CertVerifier::RequestParams(server_cert_, host_and_port_.host(), | 1263 CertVerifier::RequestParams(server_cert_, host_and_port_.host(), |
| 1263 ssl_config_.GetCertVerifyFlags(), | 1264 ssl_config_.GetCertVerifyFlags(), |
| 1264 ocsp_response_, CertificateList()), | 1265 ocsp_response.as_string(), CertificateList()), |
| 1265 // TODO(davidben): Route the CRLSet through SSLConfig so | 1266 // TODO(davidben): Route the CRLSet through SSLConfig so |
| 1266 // SSLClientSocket doesn't depend on SSLConfigService. | 1267 // SSLClientSocket doesn't depend on SSLConfigService. |
| 1267 SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_, | 1268 SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_, |
| 1268 base::Bind(&SSLClientSocketImpl::OnHandshakeIOComplete, | 1269 base::Bind(&SSLClientSocketImpl::OnHandshakeIOComplete, |
| 1269 base::Unretained(this)), | 1270 base::Unretained(this)), |
| 1270 &cert_verifier_request_, net_log_); | 1271 &cert_verifier_request_, net_log_); |
| 1271 } | 1272 } |
| 1272 | 1273 |
| 1273 int SSLClientSocketImpl::DoVerifyCertComplete(int result) { | 1274 int SSLClientSocketImpl::DoVerifyCertComplete(int result) { |
| 1274 cert_verifier_request_.reset(); | 1275 cert_verifier_request_.reset(); |
| 1312 result = ct_result; | 1313 result = ct_result; |
| 1313 } | 1314 } |
| 1314 | 1315 |
| 1315 if (result == OK) { | 1316 if (result == OK) { |
| 1316 DCHECK(!certificate_verified_); | 1317 DCHECK(!certificate_verified_); |
| 1317 certificate_verified_ = true; | 1318 certificate_verified_ = true; |
| 1318 MaybeCacheSession(); | 1319 MaybeCacheSession(); |
| 1319 SSLInfo ssl_info; | 1320 SSLInfo ssl_info; |
| 1320 bool ok = GetSSLInfo(&ssl_info); | 1321 bool ok = GetSSLInfo(&ssl_info); |
| 1321 DCHECK(ok); | 1322 DCHECK(ok); |
| 1323 |
| 1324 const uint8_t* ocsp_response_raw; |
| 1325 size_t ocsp_response_len; |
| 1326 SSL_get0_ocsp_response(ssl_.get(), &ocsp_response_raw, &ocsp_response_len); |
| 1327 base::StringPiece ocsp_response( |
| 1328 reinterpret_cast<const char*>(ocsp_response_raw), ocsp_response_len); |
| 1329 |
| 1322 transport_security_state_->CheckExpectStaple(host_and_port_, ssl_info, | 1330 transport_security_state_->CheckExpectStaple(host_and_port_, ssl_info, |
| 1323 ocsp_response_); | 1331 ocsp_response); |
| 1324 } | 1332 } |
| 1325 | 1333 |
| 1326 completed_connect_ = true; | 1334 completed_connect_ = true; |
| 1327 // Exit DoHandshakeLoop and return the result to the caller to Connect. | 1335 // Exit DoHandshakeLoop and return the result to the caller to Connect. |
| 1328 DCHECK_EQ(STATE_NONE, next_handshake_state_); | 1336 DCHECK_EQ(STATE_NONE, next_handshake_state_); |
| 1329 return result; | 1337 return result; |
| 1330 } | 1338 } |
| 1331 | 1339 |
| 1332 void SSLClientSocketImpl::DoConnectCallback(int rv) { | 1340 void SSLClientSocketImpl::DoConnectCallback(int rv) { |
| 1333 if (!user_connect_callback_.is_null()) { | 1341 if (!user_connect_callback_.is_null()) { |
| 1550 return; | 1558 return; |
| 1551 | 1559 |
| 1552 if (rv_write != ERR_IO_PENDING) | 1560 if (rv_write != ERR_IO_PENDING) |
| 1553 DoWriteCallback(rv_write); | 1561 DoWriteCallback(rv_write); |
| 1554 } | 1562 } |
| 1555 | 1563 |
| 1556 int SSLClientSocketImpl::VerifyCT() { | 1564 int SSLClientSocketImpl::VerifyCT() { |
| 1557 const uint8_t* sct_list_raw; | 1565 const uint8_t* sct_list_raw; |
| 1558 size_t sct_list_len; | 1566 size_t sct_list_len; |
| 1559 SSL_get0_signed_cert_timestamp_list(ssl_.get(), &sct_list_raw, &sct_list_len); | 1567 SSL_get0_signed_cert_timestamp_list(ssl_.get(), &sct_list_raw, &sct_list_len); |
| 1560 std::string sct_list; | 1568 base::StringPiece sct_list(reinterpret_cast<const char*>(sct_list_raw), |
| 1561 if (sct_list_len > 0) | 1569 sct_list_len); |
| 1562 sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len); | 1570 |
| 1571 const uint8_t* ocsp_response_raw; |
| 1572 size_t ocsp_response_len; |
| 1573 SSL_get0_ocsp_response(ssl_.get(), &ocsp_response_raw, &ocsp_response_len); |
| 1574 base::StringPiece ocsp_response( |
| 1575 reinterpret_cast<const char*>(ocsp_response_raw), ocsp_response_len); |
| 1563 | 1576 |
| 1564 // Note that this is a completely synchronous operation: The CT Log Verifier | 1577 // Note that this is a completely synchronous operation: The CT Log Verifier |
| 1565 // gets all the data it needs for SCT verification and does not do any | 1578 // gets all the data it needs for SCT verification and does not do any |
| 1566 // external communication. | 1579 // external communication. |
| 1567 cert_transparency_verifier_->Verify( | 1580 cert_transparency_verifier_->Verify( |
| 1568 server_cert_verify_result_.verified_cert.get(), ocsp_response_, sct_list, | 1581 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, |
| 1569 &ct_verify_result_.scts, net_log_); | 1582 &ct_verify_result_.scts, net_log_); |
| 1570 | 1583 |
| 1571 ct_verify_result_.ct_policies_applied = true; | 1584 ct_verify_result_.ct_policies_applied = true; |
| 1572 ct_verify_result_.ev_policy_compliance = | 1585 ct_verify_result_.ev_policy_compliance = |
| 1573 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | 1586 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; |
| 1574 | 1587 |
| 1575 SCTList verified_scts = | 1588 SCTList verified_scts = |
| 1576 ct::SCTsMatchingStatus(ct_verify_result_.scts, ct::SCT_STATUS_OK); | 1589 ct::SCTsMatchingStatus(ct_verify_result_.scts, ct::SCT_STATUS_OK); |
| 1577 | 1590 |
| 1578 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | 1591 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { |
| 2045 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && | 2058 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && |
| 2046 !certificate_requested_) { | 2059 !certificate_requested_) { |
| 2047 net_error = ERR_SSL_PROTOCOL_ERROR; | 2060 net_error = ERR_SSL_PROTOCOL_ERROR; |
| 2048 } | 2061 } |
| 2049 } | 2062 } |
| 2050 | 2063 |
| 2051 return net_error; | 2064 return net_error; |
| 2052 } | 2065 } |
| 2053 | 2066 |
| 2054 } // namespace net | 2067 } // namespace net |
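Review bot: The four-line read of the stapled OCSP response into a `base::StringPiece` is repeated verbatim in DoVerifyCert (new lines 1256–1260), DoVerifyCertComplete (1324–1328) and VerifyCT (1571–1575); factoring it into one private const helper would keep the `reinterpret_cast` and the lifetime caveat in a single place, with a matching declaration added to the header, which is outside this view. The view is non-owning and the bytes belong to `ssl_`, so each caller must either consume it synchronously, as the CT verifier comment at 1577 promises, or copy it, as DoVerifyCert does with `as_string()` because the verification completes asynchronously; the signature of `CheckExpectStaple` is not shown here, so confirm it does not retain the piece. The three reads also replace the single snapshot the removed `ocsp_response_` member took at handshake completion; they appear to all run inside the handshake loop before `completed_connect_` is set at 1334, so they should observe the same response even with `ssl_renegotiate_freely`, but the helper's comment should state that assumption explicitly.
```cpp
// Returns a non-owning view of the stapled OCSP response for the current
// handshake. The bytes are owned by ssl_; callers must copy the data if it
// is needed after this handshake step returns. All callers are expected to
// run before completed_connect_ is set, so they see one consistent response.
base::StringPiece SSLClientSocketImpl::GetStapledOCSPResponse() const {
  const uint8_t* ocsp_response_raw;
  size_t ocsp_response_len;
  SSL_get0_ocsp_response(ssl_.get(), &ocsp_response_raw, &ocsp_response_len);
  return base::StringPiece(reinterpret_cast<const char*>(ocsp_response_raw),
                           ocsp_response_len);
}
// … unchanged: DoVerifyCert, DoVerifyCertComplete and VerifyCT, each now
// calling GetStapledOCSPResponse() instead of the inline read …
```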