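--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -1,37 +1,39 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_impl.h"
 
 #include <errno.h>
 #include <string.h>
 
 #include <algorithm>
 #include <utility>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/feature_list.h"
 #include "base/lazy_instance.h"
 #include "base/macros.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/metrics/sparse_histogram.h"
 #include "base/profiler/scoped_tracker.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/stringprintf.h"
 #include "base/synchronization/lock.h"
+#include "base/task_runner_util.h"
 #include "base/threading/thread_local.h"
+#include "base/threading/worker_pool.h"
 #include "base/trace_event/process_memory_dump.h"
 #include "base/trace_event/trace_event.h"
 #include "base/values.h"
 #include "crypto/ec_private_key.h"
 #include "crypto/openssl_util.h"
 #include "net/base/ip_address.h"
 #include "net/base/net_errors.h"
 #include "net/base/trace_constants.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_ev_whitelist.h"
@@ -227,38 +229,45 @@
 // TODO(davidben): Remove this after the ECDSA CBC removal sticks.
 // https:/crbug.com/666191.
 const base::Feature kLegacyECDSACiphersFeature{
 "SSLLegacyECDSACiphers", base::FEATURE_DISABLED_BY_DEFAULT};
 
 bool AreLegacyECDSACiphersEnabled() {
 return base::FeatureList::IsEnabled(kLegacyECDSACiphersFeature);
 }
 #endif
 
-scoped_refptr<X509Certificate> OSChainFromBuffers(STACK_OF(CRYPTO_BUFFER) *
-openssl_chain) {
+int GetOSChainFromBuffers(STACK_OF(CRYPTO_BUFFER) * openssl_chain,
+scoped_refptr<X509Certificate>* server_cert) {
 if (sk_CRYPTO_BUFFER_num(openssl_chain) == 0) {
 NOTREACHED();
-return nullptr;
+return ERR_SSL_SERVER_CERT_BAD_FORMAT;
 }
 
 // Convert the certificate chains to a platform certificate handle.
 std::vector<base::StringPiece> der_chain;
 der_chain.reserve(sk_CRYPTO_BUFFER_num(openssl_chain));
 for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(openssl_chain); ++i) {
 const CRYPTO_BUFFER* cert = sk_CRYPTO_BUFFER_value(openssl_chain, i);
 base::StringPiece der;
 der_chain.push_back(base::StringPiece(
 reinterpret_cast<const char*>(CRYPTO_BUFFER_data(cert)),
 CRYPTO_BUFFER_len(cert)));
 }
-return X509Certificate::CreateFromDERCertChain(der_chain);
+*server_cert = X509Certificate::CreateFromDERCertChain(der_chain);
+
+// OpenSSL decoded the certificate, but the platform certificate
+// implementation could not. This is treated as a fatal SSL-level protocol
+// error rather than a certificate error. See https://crbug.com/91341.
+if (!*server_cert)
+return ERR_SSL_SERVER_CERT_BAD_FORMAT;
+return OK;
 }
 
 #if !defined(OS_IOS)
 bssl::UniquePtr<CRYPTO_BUFFER> OSCertHandleToBuffer(
 X509Certificate::OSCertHandle os_handle) {
 std::string der_encoded;
 if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded))
 return nullptr;
 return x509_util::CreateCryptoBuffer(der_encoded);
 }
@@ -1123,22 +1132,22 @@
 
 if (!IsRenegotiationAllowed())
 SSL_set_renegotiate_mode(ssl_.get(), ssl_renegotiate_never);
 
 uint16_t signature_algorithm = SSL_get_peer_signature_algorithm(ssl_.get());
 if (signature_algorithm != 0) {
 UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLSignatureAlgorithm",
 signature_algorithm);
 }
 
-// Verify the certificate.
-next_handshake_state_ = STATE_VERIFY_CERT;
+// Decode the certificate.
+next_handshake_state_ = STATE_DECODE_CERT;
 return OK;
 }
 
 int SSLClientSocketImpl::DoChannelIDLookup() {
 NetLogParametersCallback callback = base::Bind(
 &NetLogChannelIDLookupCallback, base::Unretained(channel_id_service_));
 net_log_.BeginEvent(NetLogEventType::SSL_GET_CHANNEL_ID, callback);
 next_handshake_state_ = STATE_CHANNEL_ID_LOOKUP_COMPLETE;
 return channel_id_service_->GetOrCreateChannelID(
 host_and_port_.host(), &channel_id_key_,
@@ -1162,35 +1171,48 @@
 LOG(ERROR) << "Failed to set Channel ID.";
 return ERR_FAILED;
 }
 
 // Return to the handshake.
 channel_id_sent_ = true;
 next_handshake_state_ = STATE_HANDSHAKE;
 return OK;
 }
 
+int SSLClientSocketImpl::DoDecodeCert(int result) {
+scoped_refptr<base::TaskRunner> slow_task_runner =
+base::WorkerPool::GetTaskRunner(true /* task_is_slow */);
+base::PostTaskAndReplyWithResult(
+slow_task_runner.get(), FROM_HERE,
+base::Bind(&GetOSChainFromBuffers, SSL_get0_peer_certificates(ssl_.get()),
+&server_cert_),
+base::Bind(&SSLClientSocketImpl::OnHandshakeIOComplete,
+base::Unretained(this)));
+next_handshake_state_ = STATE_DECODE_CERT_COMPLETE;
+return ERR_IO_PENDING;
+}
+
+int SSLClientSocketImpl::DoDecodeCertComplete(int result) {
+if (result != OK)
+return result;
+
+net_log_.AddEvent(NetLogEventType::SSL_CERTIFICATES_RECEIVED,
+base::Bind(&NetLogX509CertificateCallback,
+base::Unretained(server_cert_.get())));
+
+next_handshake_state_ = STATE_VERIFY_CERT;
+return OK;
+}
+
 int SSLClientSocketImpl::DoVerifyCert(int result) {
 DCHECK(start_cert_verification_time_.is_null());
 
-server_cert_ = OSChainFromBuffers(SSL_get0_peer_certificates(ssl_.get()));
-
-// OpenSSL decoded the certificate, but the platform certificate
-// implementation could not. This is treated as a fatal SSL-level protocol
-// error rather than a certificate error. See https://crbug.com/91341.
-if (!server_cert_)
-return ERR_SSL_SERVER_CERT_BAD_FORMAT;
-
-net_log_.AddEvent(NetLogEventType::SSL_CERTIFICATES_RECEIVED,
-base::Bind(&NetLogX509CertificateCallback,
-base::Unretained(server_cert_.get())));
-
 next_handshake_state_ = STATE_VERIFY_CERT_COMPLETE;
 
 // If the certificate is bad and has been previously accepted, use
 // the previous status and bypass the error.
 CertStatus cert_status;
 if (ssl_config_.IsAllowedBadCert(server_cert_.get(), &cert_status)) {
 server_cert_verify_result_.Reset();
 server_cert_verify_result_.cert_status = cert_status;
 server_cert_verify_result_.verified_cert = server_cert_;
 return OK;
@@ -1316,20 +1338,27 @@
 case STATE_HANDSHAKE_COMPLETE:
 rv = DoHandshakeComplete(rv);
 break;
 case STATE_CHANNEL_ID_LOOKUP:
 DCHECK_EQ(OK, rv);
 rv = DoChannelIDLookup();
 break;
 case STATE_CHANNEL_ID_LOOKUP_COMPLETE:
 rv = DoChannelIDLookupComplete(rv);
 break;
+case STATE_DECODE_CERT:
+DCHECK_EQ(OK, rv);
+rv = DoDecodeCert(rv);
+break;
+case STATE_DECODE_CERT_COMPLETE:
+rv = DoDecodeCertComplete(rv);
+break;
 case STATE_VERIFY_CERT:
 DCHECK_EQ(OK, rv);
 rv = DoVerifyCert(rv);
 break;
 case STATE_VERIFY_CERT_COMPLETE:
 rv = DoVerifyCertComplete(rv);
 break;
 case STATE_NONE:
 default:
 rv = ERR_UNEXPECTED;
@@ -1962,10 +1991,10 @@
 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED &&
 !certificate_requested_) {
 net_error = ERR_SSL_PROTOCOL_ERROR;
 }
 }
 
 return net_error;
 }
 
 } // namespace net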
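Review bot: DoDecodeCert (new lines 1181-1192) hands a worker-pool task two pointers the socket does not own for that long — the chain borrowed from SSL_get0_peer_certificates(ssl_.get()) and &server_cert_ — and binds the reply with base::Unretained(this), so if the socket is disconnected or destroyed while the decode of a peer-supplied chain is still queued, the worker reads a freed chain and writes a freed member, and the reply runs on a dead object; unless Disconnect() waits for or cancels the task (not shown on this page), that is a use-after-free reachable by any server that stalls the handshake at this state. The chain should be copied into owned storage before posting, the task should return the decoded certificate instead of writing a member from another thread, and the reply should go through a WeakPtr (a base::WeakPtrFactory<SSLClientSocketImpl> member, not present on this page, would need to be added); the reply would then store the result into server_cert_ on the IO thread and call OnHandshakeIOComplete with OK or ERR_SSL_SERVER_CERT_BAD_FORMAT. DoDecodeCert also ignores its result parameter, which DoHandshakeLoop already checks with DCHECK_EQ(OK, rv), so naming it `int SSLClientSocketImpl::DoDecodeCert(int /* result */)` would document that.
```cpp
int SSLClientSocketImpl::DoDecodeCert(int /* result */) {
  // Copy the peer chain into owned storage: the chain is borrowed from ssl_,
  // which may be reset before the worker-pool task runs.
  std::vector<std::string> der_chain;
  STACK_OF(CRYPTO_BUFFER)* chain = SSL_get0_peer_certificates(ssl_.get());
  for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(chain); ++i) {
    const CRYPTO_BUFFER* cert = sk_CRYPTO_BUFFER_value(chain, i);
    der_chain.emplace_back(
        reinterpret_cast<const char*>(CRYPTO_BUFFER_data(cert)),
        CRYPTO_BUFFER_len(cert));
  }
  // … unchanged: slow_task_runner lookup …
  base::PostTaskAndReplyWithResult(
      slow_task_runner.get(), FROM_HERE,
      // DecodeDERChain: new free function returning scoped_refptr<X509Certificate>.
      base::Bind(&DecodeDERChain, base::Passed(&der_chain)),
      // OnDecodeCertComplete: new member that stores server_cert_ on the IO
      // thread and forwards OK / ERR_SSL_SERVER_CERT_BAD_FORMAT to
      // OnHandshakeIOComplete. weak_factory_ is a new member.
      base::Bind(&SSLClientSocketImpl::OnDecodeCertComplete,
                 weak_factory_.GetWeakPtr()));
  next_handshake_state_ = STATE_DECODE_CERT_COMPLETE;
  return ERR_IO_PENDING;
}
```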