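--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_impl.h"
 
 #include <errno.h>
 #include <string.h>
 
 #include <algorithm>
@@ -26,20 +26,19 @@
 #include "base/threading/thread_local.h"
 #include "base/trace_event/process_memory_dump.h"
 #include "base/trace_event/trace_event.h"
 #include "base/values.h"
 #include "crypto/ec_private_key.h"
 #include "crypto/openssl_util.h"
 #include "net/base/ip_address.h"
 #include "net/base/net_errors.h"
 #include "net/base/trace_constants.h"
 #include "net/cert/cert_verifier.h"
-#include "net/cert/ct_ev_whitelist.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/ct_policy_status.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/cert/x509_util.h"
 #include "net/http/transport_security_state.h"
 #include "net/log/net_log.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_parameters_callback.h"
 #include "net/ssl/ssl_cert_request_info.h"
@@ -1531,49 +1530,34 @@
 reinterpret_cast<const char*>(ocsp_response_raw), ocsp_response_len);
 
 // Note that this is a completely synchronous operation: The CT Log Verifier
 // gets all the data it needs for SCT verification and does not do any
 // external communication.
 cert_transparency_verifier_->Verify(
 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list,
 &ct_verify_result_.scts, net_log_);
 
 ct_verify_result_.ct_policies_applied = true;
-ct_verify_result_.ev_policy_compliance =
-ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
 
 SCTList verified_scts =
 ct::SCTsMatchingStatus(ct_verify_result_.scts, ct::SCT_STATUS_OK);
 
-if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {
-scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
-SSLConfigService::GetEVCertsWhitelist();
-ct::EVPolicyCompliance ev_policy_compliance =
-policy_enforcer_->DoesConformToCTEVPolicy(
-server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),
-verified_scts, net_log_);
-ct_verify_result_.ev_policy_compliance = ev_policy_compliance;
-if (ev_policy_compliance !=
-ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
-ev_policy_compliance !=
-ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
-ev_policy_compliance !=
-ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
-server_cert_verify_result_.cert_status |=
-CERT_STATUS_CT_COMPLIANCE_FAILED;
-server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
-}
-}
 ct_verify_result_.cert_policy_compliance =
 policy_enforcer_->DoesConformToCertPolicy(
 server_cert_verify_result_.verified_cert.get(), verified_scts,
 net_log_);
+if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) &&
+(ct_verify_result_.cert_policy_compliance !=
+ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)) {
+server_cert_verify_result_.cert_status |= CERT_STATUS_CT_COMPLIANCE_FAILED;
+server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
+}
 
 if (transport_security_state_->CheckCTRequirements(
 host_and_port_, server_cert_verify_result_.is_issued_by_known_root,
 server_cert_verify_result_.public_key_hashes,
 server_cert_verify_result_.verified_cert.get(), server_cert_.get(),
 ct_verify_result_.scts,
 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
 ct_verify_result_.cert_policy_compliance) !=
 TransportSecurityState::CT_REQUIREMENTS_MET) {
 server_cert_verify_result_.cert_status |=
@@ -1979,10 +1963,10 @@
 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED &&
 !certificate_requested_) {
 net_error = ERR_SSL_PROTOCOL_ERROR;
 }
 }
 
 return net_error;
 }
 
 } // namespace net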
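Review bot: The new EV block (new lines 1548–1553) demotes an EV certificate and sets CERT_STATUS_CT_COMPLIANCE_FAILED whenever cert_policy_compliance is anything but CERT_POLICY_COMPLIES_VIA_SCTS, yet nothing in the code records that the whitelist path the removed DoesConformToCTEVPolicy branch accepted is deliberately gone, which invites someone to reintroduce a fallback later. Suggest adding above the `if`: `// EV status now depends solely on the CT cert policy: without an EV whitelist fallback, any compliance status other than COMPLIES_VIA_SCTS strips CERT_STATUS_IS_EV and flags CT failure.` The same cert_policy_compliance value is passed to CheckCTRequirements a few lines below, so a non-compliant EV cert can now collect CERT_STATUS_CT_COMPLIANCE_FAILED from both places; that looks intended, but the comment should say so. If CTVerifyResult still declares ev_policy_compliance in the header, the removed assignments leave it never written on this path — confirm the field was dropped in the companion header change. The enclosing function begins before this hunk.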