1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/http_stream_factory_impl_job.h" | 5 #include "net/http/http_stream_factory_impl_job.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 | 9 |
10 #include "base/bind.h" | 10 #include "base/bind.h" |
11 #include "base/bind_helpers.h" | 11 #include "base/bind_helpers.h" |
12 #include "base/feature_list.h" | 12 #include "base/feature_list.h" |
13 #include "base/location.h" | 13 #include "base/location.h" |
14 #include "base/logging.h" | 14 #include "base/logging.h" |
15 #include "base/metrics/histogram_macros.h" | 15 #include "base/metrics/histogram_macros.h" |
16 #include "base/metrics/sparse_histogram.h" | 16 #include "base/metrics/sparse_histogram.h" |
17 #include "base/profiler/scoped_tracker.h" | 17 #include "base/profiler/scoped_tracker.h" |
18 #include "base/single_thread_task_runner.h" | 18 #include "base/single_thread_task_runner.h" |
19 #include "base/stl_util.h" | 19 #include "base/stl_util.h" |
20 #include "base/strings/string_number_conversions.h" | 20 #include "base/strings/string_number_conversions.h" |
21 #include "base/strings/string_util.h" | 21 #include "base/strings/string_util.h" |
22 #include "base/threading/thread_task_runner_handle.h" | 22 #include "base/threading/thread_task_runner_handle.h" |
23 #include "base/trace_event/trace_event.h" | 23 #include "base/trace_event/trace_event.h" |
24 #include "base/values.h" | 24 #include "base/values.h" |
25 #include "build/build_config.h" | 25 #include "build/build_config.h" |
| 26 #include "crypto/sha2.h" |
26 #include "net/base/port_util.h" | 27 #include "net/base/port_util.h" |
27 #include "net/base/proxy_delegate.h" | 28 #include "net/base/proxy_delegate.h" |
28 #include "net/base/trace_constants.h" | 29 #include "net/base/trace_constants.h" |
| 30 #include "net/cert/asn1_util.h" |
29 #include "net/cert/cert_verifier.h" | 31 #include "net/cert/cert_verifier.h" |
30 #include "net/http/bidirectional_stream_impl.h" | 32 #include "net/http/bidirectional_stream_impl.h" |
31 #include "net/http/http_basic_stream.h" | 33 #include "net/http/http_basic_stream.h" |
32 #include "net/http/http_network_session.h" | 34 #include "net/http/http_network_session.h" |
33 #include "net/http/http_proxy_client_socket.h" | 35 #include "net/http/http_proxy_client_socket.h" |
34 #include "net/http/http_proxy_client_socket_pool.h" | 36 #include "net/http/http_proxy_client_socket_pool.h" |
35 #include "net/http/http_request_info.h" | 37 #include "net/http/http_request_info.h" |
36 #include "net/http/http_server_properties.h" | 38 #include "net/http/http_server_properties.h" |
37 #include "net/http/http_stream_factory.h" | 39 #include "net/http/http_stream_factory.h" |
38 #include "net/http/http_stream_factory_impl_request.h" | 40 #include "net/http/http_stream_factory_impl_request.h" |
1521 // RestartIgnoringLastError(). And the user will be asked interactively | 1523 // RestartIgnoringLastError(). And the user will be asked interactively |
1522 // before RestartIgnoringLastError() is ever called. | 1524 // before RestartIgnoringLastError() is ever called. |
1523 server_ssl_config_.allowed_bad_certs.emplace_back(ssl_info_.cert, | 1525 server_ssl_config_.allowed_bad_certs.emplace_back(ssl_info_.cert, |
1524 ssl_info_.cert_status); | 1526 ssl_info_.cert_status); |
1525 | 1527 |
1526 int load_flags = request_info_.load_flags; | 1528 int load_flags = request_info_.load_flags; |
1527 if (session_->params().ignore_certificate_errors) | 1529 if (session_->params().ignore_certificate_errors) |
1528 load_flags |= LOAD_IGNORE_ALL_CERT_ERRORS; | 1530 load_flags |= LOAD_IGNORE_ALL_CERT_ERRORS; |
1529 if (ssl_socket->IgnoreCertError(error, load_flags)) | 1531 if (ssl_socket->IgnoreCertError(error, load_flags)) |
1530 return OK; | 1532 return OK; |
| 1533 |
| 1534 // Ignore errors for certificates that chain up to switch-whitelisted certs. |
| 1535 if (!session_->params().ignore_certificate_error_spki_set.empty()) { |
| 1536 base::flat_set<SHA256HashValue, SHA256HashValueLessThan> hashes; |
| 1537 std::string certDer; |
| 1538 base::StringPiece spki; |
| 1539 SHA256HashValue hash; |
| 1540 if (X509Certificate::GetDEREncoded( |
| 1541 ssl_info_.unverified_cert->os_cert_handle(), &certDer) && |
| 1542 asn1::ExtractSPKIFromDERCert(certDer, &spki)) { |
| 1543 crypto::SHA256HashString(spki, &hash, sizeof(SHA256HashValue)); |
| 1544 hashes.insert(hash); |
| 1545 } |
| 1546 for (const net::X509Certificate::OSCertHandle& intermediate : |
| 1547 ssl_info_.unverified_cert->GetIntermediateCertificates()) { |
| 1548 if (X509Certificate::GetDEREncoded(intermediate, &certDer) && |
| 1549 asn1::ExtractSPKIFromDERCert(certDer, &spki)) { |
| 1550 crypto::SHA256HashString(spki, &hash, sizeof(SHA256HashValue)); |
| 1551 hashes.insert(hash); |
| 1552 } |
| 1553 } |
| 1554 |
| 1555 // Try to intersect SPKIs from the chain with the switch whitelist. |
| 1556 auto a = session_->params().ignore_certificate_error_spki_set.begin(); |
| 1557 auto aEnd = session_->params().ignore_certificate_error_spki_set.end(); |
| 1558 auto b = hashes.begin(); |
| 1559 auto bEnd = hashes.end(); |
| 1560 static const net::SHA256HashValueLessThan sha256_lt; |
| 1561 while (a != aEnd && b != bEnd) { |
| 1562 if (sha256_lt(*a, *b)) |
| 1563 ++a; |
| 1564 else if (sha256_lt(*b, *a)) |
| 1565 ++b; |
| 1566 else |
| 1567 return OK; |
| 1568 } |
| 1569 } |
| 1570 |
1531 return error; | 1571 return error; |
1532 } | 1572 } |
1533 | 1573 |
1534 ClientSocketPoolManager::SocketGroupType | 1574 ClientSocketPoolManager::SocketGroupType |
1535 HttpStreamFactoryImpl::Job::GetSocketGroup() const { | 1575 HttpStreamFactoryImpl::Job::GetSocketGroup() const { |
1536 std::string scheme = origin_url_.scheme(); | 1576 std::string scheme = origin_url_.scheme(); |
1537 if (scheme == url::kHttpsScheme || scheme == url::kWssScheme) | 1577 if (scheme == url::kHttpsScheme || scheme == url::kWssScheme) |
1538 return ClientSocketPoolManager::SSL_GROUP; | 1578 return ClientSocketPoolManager::SSL_GROUP; |
1539 | 1579 |
1540 if (scheme == url::kFtpScheme) | 1580 if (scheme == url::kFtpScheme) |
1555 | 1595 |
1556 ConnectionAttempts socket_attempts = connection_->connection_attempts(); | 1596 ConnectionAttempts socket_attempts = connection_->connection_attempts(); |
1557 if (connection_->socket()) { | 1597 if (connection_->socket()) { |
1558 connection_->socket()->GetConnectionAttempts(&socket_attempts); | 1598 connection_->socket()->GetConnectionAttempts(&socket_attempts); |
1559 } | 1599 } |
1560 | 1600 |
1561 delegate_->AddConnectionAttemptsToRequest(this, socket_attempts); | 1601 delegate_->AddConnectionAttemptsToRequest(this, socket_attempts); |
1562 } | 1602 } |
1563 | 1603 |
1564 } // namespace net | 1604 } // namespace net |
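Review bot: The new whitelist block at 1535–1569 dereferences `ssl_info_.unverified_cert` (lines 1541 and 1547) without a null check, whereas the code just above it only relies on `ssl_info_.cert`; unless the socket guarantees `unverified_cert` is populated whenever it reports a certificate error, the guard should read `if (ssl_info_.unverified_cert && !session_->params().ignore_certificate_error_spki_set.empty()) {`. The comment at 1534 also claims more than the code checks: the SPKI hashes are taken from the chain as the server presented it (the unverified leaf plus `GetIntermediateCertificates()`), so a match means a whitelisted key appears somewhere in that presented chain, not that the chain was verified up to it, and the comment should say so, e.g. `// Matches SPKIs from the server-presented (unverified) chain, including the leaf; the chain is not re-verified against the whitelisted key.`. The hand-rolled merge at 1556–1568 only works if `ignore_certificate_error_spki_set` is ordered by the same comparator as `hashes`, which this hunk cannot show; if that set supports `count()`, a per-element lookup is shorter and ordering-independent: `for (const SHA256HashValue& spki_hash : hashes) { if (session_->params().ignore_certificate_error_spki_set.count(spki_hash)) return OK; }`. `certDer` and `aEnd`/`bEnd` are camelCase where the rest of the file uses snake_case (`cert_der`), and the enclosing function starts before this hunk.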