OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
11 #include <openssl/bio.h> | 11 #include <openssl/bio.h> |
12 #include <openssl/err.h> | 12 #include <openssl/err.h> |
13 #include <openssl/ssl.h> | 13 #include <openssl/ssl.h> |
14 | 14 |
15 #include "base/bind.h" | 15 #include "base/bind.h" |
16 #include "base/callback_helpers.h" | 16 #include "base/callback_helpers.h" |
17 #include "base/environment.h" | 17 #include "base/environment.h" |
18 #include "base/memory/singleton.h" | 18 #include "base/memory/singleton.h" |
19 #include "base/metrics/histogram.h" | 19 #include "base/metrics/histogram.h" |
20 #include "base/strings/string_piece.h" | 20 #include "base/strings/string_piece.h" |
21 #include "base/synchronization/lock.h" | 21 #include "base/synchronization/lock.h" |
22 #include "crypto/ec_private_key.h" | 22 #include "crypto/ec_private_key.h" |
23 #include "crypto/openssl_util.h" | 23 #include "crypto/openssl_util.h" |
24 #include "crypto/scoped_openssl_types.h" | 24 #include "crypto/scoped_openssl_types.h" |
25 #include "net/base/net_errors.h" | 25 #include "net/base/net_errors.h" |
26 #include "net/cert/cert_policy_enforcer.h" | |
26 #include "net/cert/cert_verifier.h" | 27 #include "net/cert/cert_verifier.h" |
27 #include "net/cert/ct_ev_whitelist.h" | 28 #include "net/cert/ct_ev_whitelist.h" |
28 #include "net/cert/ct_verifier.h" | 29 #include "net/cert/ct_verifier.h" |
29 #include "net/cert/single_request_cert_verifier.h" | 30 #include "net/cert/single_request_cert_verifier.h" |
30 #include "net/cert/x509_certificate_net_log_param.h" | 31 #include "net/cert/x509_certificate_net_log_param.h" |
31 #include "net/cert/x509_util_openssl.h" | 32 #include "net/cert/x509_util_openssl.h" |
32 #include "net/http/transport_security_state.h" | 33 #include "net/http/transport_security_state.h" |
33 #include "net/socket/ssl_session_cache_openssl.h" | 34 #include "net/socket/ssl_session_cache_openssl.h" |
34 #include "net/ssl/ssl_cert_request_info.h" | 35 #include "net/ssl/ssl_cert_request_info.h" |
35 #include "net/ssl/ssl_connection_status_flags.h" | 36 #include "net/ssl/ssl_connection_status_flags.h" |
(...skipping 332 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
368 host_and_port_(host_and_port), | 369 host_and_port_(host_and_port), |
369 ssl_config_(ssl_config), | 370 ssl_config_(ssl_config), |
370 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 371 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
371 trying_cached_session_(false), | 372 trying_cached_session_(false), |
372 next_handshake_state_(STATE_NONE), | 373 next_handshake_state_(STATE_NONE), |
373 npn_status_(kNextProtoUnsupported), | 374 npn_status_(kNextProtoUnsupported), |
374 channel_id_xtn_negotiated_(false), | 375 channel_id_xtn_negotiated_(false), |
375 handshake_succeeded_(false), | 376 handshake_succeeded_(false), |
376 marked_session_as_good_(false), | 377 marked_session_as_good_(false), |
377 transport_security_state_(context.transport_security_state), | 378 transport_security_state_(context.transport_security_state), |
379 policy_enforcer_(context.cert_policy_enforcer), | |
378 net_log_(transport_->socket()->NetLog()), | 380 net_log_(transport_->socket()->NetLog()), |
379 weak_factory_(this) { | 381 weak_factory_(this) { |
380 } | 382 } |
381 | 383 |
382 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { | 384 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { |
383 Disconnect(); | 385 Disconnect(); |
384 } | 386 } |
385 | 387 |
386 std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const { | 388 std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const { |
387 std::string result = host_and_port_.ToString(); | 389 std::string result = host_and_port_.ToString(); |
(...skipping 734 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1122 (result == OK || | 1124 (result == OK || |
1123 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 1125 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
1124 !transport_security_state_->CheckPublicKeyPins( | 1126 !transport_security_state_->CheckPublicKeyPins( |
1125 host_and_port_.host(), | 1127 host_and_port_.host(), |
1126 server_cert_verify_result_.is_issued_by_known_root, | 1128 server_cert_verify_result_.is_issued_by_known_root, |
1127 server_cert_verify_result_.public_key_hashes, | 1129 server_cert_verify_result_.public_key_hashes, |
1128 &pinning_failure_log_)) { | 1130 &pinning_failure_log_)) { |
1129 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 1131 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
1130 } | 1132 } |
1131 | 1133 |
1132 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | |
1133 SSLConfigService::GetEVCertsWhitelist(); | |
1134 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | |
1135 if (ev_whitelist.get() && ev_whitelist->IsValid()) { | |
1136 const SHA256HashValue fingerprint( | |
1137 X509Certificate::CalculateFingerprint256( | |
1138 server_cert_verify_result_.verified_cert->os_cert_handle())); | |
1139 | |
1140 UMA_HISTOGRAM_BOOLEAN( | |
1141 "Net.SSL_EVCertificateInWhitelist", | |
1142 ev_whitelist->ContainsCertificateHash( | |
1143 std::string(reinterpret_cast<const char*>(fingerprint.data), 8))); | |
1144 } | |
1145 } | |
1146 | |
1147 if (result == OK) { | 1134 if (result == OK) { |
1148 // Only check Certificate Transparency if there were no other errors with | 1135 // Only check Certificate Transparency if there were no other errors with |
1149 // the connection. | 1136 // the connection. |
1150 VerifyCT(); | 1137 VerifyCT(); |
1151 | 1138 |
1152 // TODO(joth): Work out if we need to remember the intermediate CA certs | 1139 // TODO(joth): Work out if we need to remember the intermediate CA certs |
1153 // when the server sends them to us, and do so here. | 1140 // when the server sends them to us, and do so here. |
1154 SSLContext::GetInstance()->session_cache()->MarkSSLSessionAsGood(ssl_); | 1141 SSLContext::GetInstance()->session_cache()->MarkSSLSessionAsGood(ssl_); |
1155 marked_session_as_good_ = true; | 1142 marked_session_as_good_ = true; |
1156 CheckIfHandshakeFinished(); | 1143 CheckIfHandshakeFinished(); |
(...skipping 80 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1237 // gets all the data it needs for SCT verification and does not do any | 1224 // gets all the data it needs for SCT verification and does not do any |
1238 // external communication. | 1225 // external communication. |
1239 int result = cert_transparency_verifier_->Verify( | 1226 int result = cert_transparency_verifier_->Verify( |
1240 server_cert_verify_result_.verified_cert.get(), | 1227 server_cert_verify_result_.verified_cert.get(), |
1241 ocsp_response, sct_list, &ct_verify_result_, net_log_); | 1228 ocsp_response, sct_list, &ct_verify_result_, net_log_); |
1242 | 1229 |
1243 VLOG(1) << "CT Verification complete: result " << result | 1230 VLOG(1) << "CT Verification complete: result " << result |
1244 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() | 1231 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() |
1245 << " Verified scts: " << ct_verify_result_.verified_scts.size() | 1232 << " Verified scts: " << ct_verify_result_.verified_scts.size() |
1246 << " scts from unknown logs: " | 1233 << " scts from unknown logs: " |
1247 << ct_verify_result_.unknown_logs_scts.size(); | 1234 << ct_verify_result_.unknown_logs_scts.size(); |
Ryan Sleevi
2014/11/28 15:27:44
Already netlogged as well.
Eran Messeri
2014/12/01 13:59:03
Done.
| |
1235 | |
1236 if (!policy_enforcer_) { | |
1237 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | |
1238 } else { | |
1239 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | |
1240 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | |
1241 SSLConfigService::GetEVCertsWhitelist(); | |
1242 if (!policy_enforcer_->DoesConformToCTEVPolicy( | |
1243 server_cert_verify_result_.verified_cert.get(), | |
1244 ev_whitelist.get(), ct_verify_result_)) { | |
1245 VLOG(1) << "EV certificate for " | |
1246 << server_cert_verify_result_.verified_cert->subject() | |
1247 .GetDisplayName() | |
1248 << " does not conform to CT policy, removing EV status."; | |
Ryan Sleevi
2014/11/28 15:27:45
NetLog
Eran Messeri
2014/12/01 13:59:03
Done (added TODO with bug#).
| |
1249 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | |
1250 } | |
1251 } | |
1252 } | |
1248 } | 1253 } |
1249 | 1254 |
1250 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { | 1255 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { |
1251 int rv = DoHandshakeLoop(result); | 1256 int rv = DoHandshakeLoop(result); |
1252 if (rv != ERR_IO_PENDING) { | 1257 if (rv != ERR_IO_PENDING) { |
1253 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 1258 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
1254 DoConnectCallback(rv); | 1259 DoConnectCallback(rv); |
1255 } | 1260 } |
1256 } | 1261 } |
1257 | 1262 |
(...skipping 615 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1873 ct::SCT_STATUS_LOG_UNKNOWN)); | 1878 ct::SCT_STATUS_LOG_UNKNOWN)); |
1874 } | 1879 } |
1875 } | 1880 } |
1876 | 1881 |
1877 scoped_refptr<X509Certificate> | 1882 scoped_refptr<X509Certificate> |
1878 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1883 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
1879 return server_cert_; | 1884 return server_cert_; |
1880 } | 1885 } |
1881 | 1886 |
1882 } // namespace net | 1887 } // namespace net |
OLD | NEW |