OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
11 #include <openssl/bio.h> | 11 #include <openssl/bio.h> |
12 #include <openssl/err.h> | 12 #include <openssl/err.h> |
13 #include <openssl/ssl.h> | 13 #include <openssl/ssl.h> |
14 | 14 |
15 #include "base/bind.h" | 15 #include "base/bind.h" |
16 #include "base/callback_helpers.h" | 16 #include "base/callback_helpers.h" |
17 #include "base/environment.h" | 17 #include "base/environment.h" |
18 #include "base/memory/singleton.h" | 18 #include "base/memory/singleton.h" |
19 #include "base/metrics/histogram.h" | 19 #include "base/metrics/histogram.h" |
20 #include "base/strings/string_piece.h" | 20 #include "base/strings/string_piece.h" |
21 #include "base/synchronization/lock.h" | 21 #include "base/synchronization/lock.h" |
22 #include "crypto/ec_private_key.h" | 22 #include "crypto/ec_private_key.h" |
23 #include "crypto/openssl_util.h" | 23 #include "crypto/openssl_util.h" |
24 #include "crypto/scoped_openssl_types.h" | 24 #include "crypto/scoped_openssl_types.h" |
25 #include "net/base/net_errors.h" | 25 #include "net/base/net_errors.h" |
26 #include "net/cert/cert_policy_enforcer.h" | |
26 #include "net/cert/cert_verifier.h" | 27 #include "net/cert/cert_verifier.h" |
27 #include "net/cert/ct_ev_whitelist.h" | 28 #include "net/cert/ct_ev_whitelist.h" |
28 #include "net/cert/ct_verifier.h" | 29 #include "net/cert/ct_verifier.h" |
29 #include "net/cert/single_request_cert_verifier.h" | 30 #include "net/cert/single_request_cert_verifier.h" |
30 #include "net/cert/x509_certificate_net_log_param.h" | 31 #include "net/cert/x509_certificate_net_log_param.h" |
31 #include "net/cert/x509_util_openssl.h" | 32 #include "net/cert/x509_util_openssl.h" |
32 #include "net/http/transport_security_state.h" | 33 #include "net/http/transport_security_state.h" |
33 #include "net/socket/ssl_session_cache_openssl.h" | 34 #include "net/socket/ssl_session_cache_openssl.h" |
34 #include "net/ssl/ssl_cert_request_info.h" | 35 #include "net/ssl/ssl_cert_request_info.h" |
35 #include "net/ssl/ssl_connection_status_flags.h" | 36 #include "net/ssl/ssl_connection_status_flags.h" |
(...skipping 319 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
355 host_and_port_(host_and_port), | 356 host_and_port_(host_and_port), |
356 ssl_config_(ssl_config), | 357 ssl_config_(ssl_config), |
357 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 358 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
358 trying_cached_session_(false), | 359 trying_cached_session_(false), |
359 next_handshake_state_(STATE_NONE), | 360 next_handshake_state_(STATE_NONE), |
360 npn_status_(kNextProtoUnsupported), | 361 npn_status_(kNextProtoUnsupported), |
361 channel_id_xtn_negotiated_(false), | 362 channel_id_xtn_negotiated_(false), |
362 handshake_succeeded_(false), | 363 handshake_succeeded_(false), |
363 marked_session_as_good_(false), | 364 marked_session_as_good_(false), |
364 transport_security_state_(context.transport_security_state), | 365 transport_security_state_(context.transport_security_state), |
366 policy_enforcer_(context.cert_policy_enforcer), | |
365 net_log_(transport_->socket()->NetLog()), | 367 net_log_(transport_->socket()->NetLog()), |
366 weak_factory_(this) { | 368 weak_factory_(this) { |
367 } | 369 } |
368 | 370 |
369 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { | 371 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { |
370 Disconnect(); | 372 Disconnect(); |
371 } | 373 } |
372 | 374 |
373 std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const { | 375 std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const { |
374 std::string result = host_and_port_.ToString(); | 376 std::string result = host_and_port_.ToString(); |
(...skipping 725 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1100 (result == OK || | 1102 (result == OK || |
1101 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 1103 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
1102 !transport_security_state_->CheckPublicKeyPins( | 1104 !transport_security_state_->CheckPublicKeyPins( |
1103 host_and_port_.host(), | 1105 host_and_port_.host(), |
1104 server_cert_verify_result_.is_issued_by_known_root, | 1106 server_cert_verify_result_.is_issued_by_known_root, |
1105 server_cert_verify_result_.public_key_hashes, | 1107 server_cert_verify_result_.public_key_hashes, |
1106 &pinning_failure_log_)) { | 1108 &pinning_failure_log_)) { |
1107 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 1109 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
1108 } | 1110 } |
1109 | 1111 |
1110 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | |
1111 SSLConfigService::GetEVCertsWhitelist(); | |
1112 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | |
1113 if (ev_whitelist.get() && ev_whitelist->IsValid()) { | |
1114 const SHA256HashValue fingerprint( | |
1115 X509Certificate::CalculateFingerprint256( | |
1116 server_cert_verify_result_.verified_cert->os_cert_handle())); | |
1117 | |
1118 UMA_HISTOGRAM_BOOLEAN( | |
1119 "Net.SSL_EVCertificateInWhitelist", | |
1120 ev_whitelist->ContainsCertificateHash( | |
1121 std::string(reinterpret_cast<const char*>(fingerprint.data), 8))); | |
1122 } | |
1123 } | |
1124 | |
1125 if (result == OK) { | 1112 if (result == OK) { |
1126 // Only check Certificate Transparency if there were no other errors with | 1113 // Only check Certificate Transparency if there were no other errors with |
1127 // the connection. | 1114 // the connection. |
1128 VerifyCT(); | 1115 VerifyCT(); |
1129 | 1116 |
1130 // TODO(joth): Work out if we need to remember the intermediate CA certs | 1117 // TODO(joth): Work out if we need to remember the intermediate CA certs |
1131 // when the server sends them to us, and do so here. | 1118 // when the server sends them to us, and do so here. |
1132 SSLContext::GetInstance()->session_cache()->MarkSSLSessionAsGood(ssl_); | 1119 SSLContext::GetInstance()->session_cache()->MarkSSLSessionAsGood(ssl_); |
1133 marked_session_as_good_ = true; | 1120 marked_session_as_good_ = true; |
1134 CheckIfHandshakeFinished(); | 1121 CheckIfHandshakeFinished(); |
(...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1191 // external communication. | 1178 // external communication. |
1192 int result = cert_transparency_verifier_->Verify( | 1179 int result = cert_transparency_verifier_->Verify( |
1193 server_cert_verify_result_.verified_cert.get(), | 1180 server_cert_verify_result_.verified_cert.get(), |
1194 ocsp_response, sct_list, &ct_verify_result_, net_log_); | 1181 ocsp_response, sct_list, &ct_verify_result_, net_log_); |
1195 | 1182 |
1196 VLOG(1) << "CT Verification complete: result " << result | 1183 VLOG(1) << "CT Verification complete: result " << result |
1197 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() | 1184 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() |
1198 << " Verified scts: " << ct_verify_result_.verified_scts.size() | 1185 << " Verified scts: " << ct_verify_result_.verified_scts.size() |
1199 << " scts from unknown logs: " | 1186 << " scts from unknown logs: " |
1200 << ct_verify_result_.unknown_logs_scts.size(); | 1187 << ct_verify_result_.unknown_logs_scts.size(); |
1188 | |
1189 if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) && | |
1190 (policy_enforcer_)) { | |
1191 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | |
1192 SSLConfigService::GetEVCertsWhitelist(); | |
1193 | |
1194 if (!policy_enforcer_->DoesConformToCTEVPolicy( | |
1195 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), | |
1196 ct_verify_result_)) { | |
1197 VLOG(1) << "EV certificate without enough SCTs, removing EV status."; | |
1198 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | |
1199 } | |
1200 } | |
Ryan Sleevi
2014/11/06 00:16:43
ditto here
Eran Messeri
2014/11/20 11:49:56
Done.
| |
1201 } | 1201 } |
1202 | 1202 |
1203 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { | 1203 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { |
1204 int rv = DoHandshakeLoop(result); | 1204 int rv = DoHandshakeLoop(result); |
1205 if (rv != ERR_IO_PENDING) { | 1205 if (rv != ERR_IO_PENDING) { |
1206 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 1206 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
1207 DoConnectCallback(rv); | 1207 DoConnectCallback(rv); |
1208 } | 1208 } |
1209 } | 1209 } |
1210 | 1210 |
(...skipping 607 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1818 ct::SCT_STATUS_LOG_UNKNOWN)); | 1818 ct::SCT_STATUS_LOG_UNKNOWN)); |
1819 } | 1819 } |
1820 } | 1820 } |
1821 | 1821 |
1822 scoped_refptr<X509Certificate> | 1822 scoped_refptr<X509Certificate> |
1823 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1823 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
1824 return server_cert_; | 1824 return server_cert_; |
1825 } | 1825 } |
1826 | 1826 |
1827 } // namespace net | 1827 } // namespace net |
OLD | NEW |