
Side by Side Diff: remoting/protocol/ssl_hmac_channel_authenticator.cc

Issue 2604513002: Optimize CT & OCSP handling code (Closed)
Patch Set: Actually optimize for OCSP Created 3 years, 12 months ago
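--- a/remoting/protocol/ssl_hmac_channel_authenticator.cc
+++ b/remoting/protocol/ssl_hmac_channel_authenticator.cc
@@ -1,37 +1,37 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "remoting/protocol/ssl_hmac_channel_authenticator.h"
 
 #include <stdint.h>
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback_helpers.h"
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "build/build_config.h"
 #include "crypto/secure_util.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/io_buffer.h"
 #include "net/base/ip_address.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/ct_policy_status.h"
-#include "net/cert/ct_verifier.h"
+#include "net/cert/do_nothing_ct_verifier.h"
 #include "net/cert/signed_certificate_timestamp_and_status.h"
 #include "net/cert/x509_certificate.h"
 #include "net/http/transport_security_state.h"
 #include "net/log/net_log_with_source.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/ssl_client_socket.h"
 #include "net/socket/ssl_server_socket.h"
 #include "net/ssl/ssl_config_service.h"
 #include "net/ssl/ssl_server_config.h"
 #include "remoting/base/rsa_key_pair.h"
@@ -60,37 +60,20 @@
 net::CertVerifyResult* verify_result,
 const net::CompletionCallback& callback,
 std::unique_ptr<Request>* out_req,
 const net::NetLogWithSource& net_log) override {
 verify_result->verified_cert = params.certificate();
 verify_result->cert_status = net::CERT_STATUS_INVALID;
 return net::ERR_CERT_INVALID;
 }
 };
 
-// A CTVerifier which ignores Certificate Transparency information.
-class IgnoresCTVerifier : public net::CTVerifier {
-public:
-IgnoresCTVerifier() = default;
-~IgnoresCTVerifier() override = default;
-
-int Verify(net::X509Certificate* cert,
-const std::string& stapled_ocsp_response,
-const std::string& sct_list_from_tls_extension,
-net::SignedCertificateTimestampAndStatusList* output_scts,
-const net::NetLogWithSource& net_log) override {
-return net::OK;
-}
-
-void SetObserver(Observer* observer) override {}
-};
-
 // A CTPolicyEnforcer that accepts all certificates.
 class IgnoresCTPolicyEnforcer : public net::CTPolicyEnforcer {
 public:
 IgnoresCTPolicyEnforcer() = default;
 ~IgnoresCTPolicyEnforcer() override = default;
 
 net::ct::CertPolicyCompliance DoesConformToCertPolicy(
 net::X509Certificate* cert,
 const net::SCTList& verified_scts,
 const net::NetLogWithSource& net_log) override {
@@ -277,21 +260,21 @@
 base::MakeUnique<NetStreamSocketAdapter>(std::move(socket)));
 net::SSLServerSocket* raw_server_socket = server_socket.get();
 socket_ = std::move(server_socket);
 result = raw_server_socket->Handshake(
 base::Bind(&SslHmacChannelAuthenticator::OnConnected,
 base::Unretained(this)));
 #endif
 } else {
 transport_security_state_.reset(new net::TransportSecurityState);
 cert_verifier_.reset(new FailingCertVerifier);
-ct_verifier_.reset(new IgnoresCTVerifier);
+ct_verifier_.reset(new net::DoNothingCTVerifier);
 ct_policy_enforcer_.reset(new IgnoresCTPolicyEnforcer);
 
 net::SSLConfig ssl_config;
 // Certificate verification and revocation checking are not needed
 // because we use self-signed certs. Disable it so that the SSL
 // layer doesn't try to initialize OCSP (OCSP works only on the IO
 // thread).
 ssl_config.cert_io_enabled = false;
 ssl_config.rev_checking_enabled = false;
 ssl_config.require_ecdhe = true;
@@ -489,10 +472,10 @@
 std::move(socket_), std::move(server_context_)));
 }
 }
 
 void SslHmacChannelAuthenticator::NotifyError(int error) {
 base::ResetAndReturn(&done_callback_).Run(error, nullptr);
 }
 
 } // namespace protocol
 } // namespace remoting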
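Review bot: The new `ct_verifier_.reset(new net::DoNothingCTVerifier);` line drops the only local statement of why Certificate Transparency is skipped for this channel — the removed IgnoresCTVerifier carried that rationale in its class comment, and the generic net/ name does not. The comment a few lines below explains why revocation checking and OCSP are disabled but says nothing about CT, so someone auditing this TLS setup has to guess whether a no-op SCT verifier next to a FailingCertVerifier is deliberate. I would add above the reset: `// CT verification and policy enforcement are intentionally no-ops: the peer presents a self-signed cert (see the SSLConfig comment below), so there are no SCTs to check.` Since IgnoresCTPolicyEnforcer remains hand-rolled here, it is worth confirming whether net/ provides a shared no-op enforcer that could replace it for the same reason this CL adopted DoNothingCTVerifier. The enclosing function begins before this hunk and continues past it.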