| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| 11 #include <openssl/bio.h> | 11 #include <openssl/bio.h> |
| 12 #include <openssl/err.h> | 12 #include <openssl/err.h> |
| 13 #include <openssl/ssl.h> | 13 #include <openssl/ssl.h> |
| 14 | 14 |
| 15 #include "base/bind.h" | 15 #include "base/bind.h" |
| 16 #include "base/callback_helpers.h" | 16 #include "base/callback_helpers.h" |
| 17 #include "base/environment.h" | 17 #include "base/environment.h" |
| 18 #include "base/memory/singleton.h" | 18 #include "base/memory/singleton.h" |
| 19 #include "base/metrics/histogram.h" | 19 #include "base/metrics/histogram.h" |
| 20 #include "base/profiler/scoped_tracker.h" | 20 #include "base/profiler/scoped_tracker.h" |
| 21 #include "base/strings/string_piece.h" | 21 #include "base/strings/string_piece.h" |
| 22 #include "base/synchronization/lock.h" | 22 #include "base/synchronization/lock.h" |
| 23 #include "crypto/ec_private_key.h" | 23 #include "crypto/ec_private_key.h" |
| 24 #include "crypto/openssl_util.h" | 24 #include "crypto/openssl_util.h" |
| 25 #include "crypto/scoped_openssl_types.h" | 25 #include "crypto/scoped_openssl_types.h" |
| 26 #include "net/base/net_errors.h" | 26 #include "net/base/net_errors.h" |
| 27 #include "net/cert/cert_policy_enforcer.h" |
| 27 #include "net/cert/cert_verifier.h" | 28 #include "net/cert/cert_verifier.h" |
| 28 #include "net/cert/ct_ev_whitelist.h" | 29 #include "net/cert/ct_ev_whitelist.h" |
| 29 #include "net/cert/ct_verifier.h" | 30 #include "net/cert/ct_verifier.h" |
| 30 #include "net/cert/single_request_cert_verifier.h" | 31 #include "net/cert/single_request_cert_verifier.h" |
| 31 #include "net/cert/x509_certificate_net_log_param.h" | 32 #include "net/cert/x509_certificate_net_log_param.h" |
| 32 #include "net/cert/x509_util_openssl.h" | 33 #include "net/cert/x509_util_openssl.h" |
| 33 #include "net/http/transport_security_state.h" | 34 #include "net/http/transport_security_state.h" |
| 34 #include "net/socket/ssl_session_cache_openssl.h" | 35 #include "net/socket/ssl_session_cache_openssl.h" |
| 35 #include "net/ssl/ssl_cert_request_info.h" | 36 #include "net/ssl/ssl_cert_request_info.h" |
| 36 #include "net/ssl/ssl_connection_status_flags.h" | 37 #include "net/ssl/ssl_connection_status_flags.h" |
| (...skipping 336 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 373 host_and_port_(host_and_port), | 374 host_and_port_(host_and_port), |
| 374 ssl_config_(ssl_config), | 375 ssl_config_(ssl_config), |
| 375 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 376 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
| 376 trying_cached_session_(false), | 377 trying_cached_session_(false), |
| 377 next_handshake_state_(STATE_NONE), | 378 next_handshake_state_(STATE_NONE), |
| 378 npn_status_(kNextProtoUnsupported), | 379 npn_status_(kNextProtoUnsupported), |
| 379 channel_id_xtn_negotiated_(false), | 380 channel_id_xtn_negotiated_(false), |
| 380 handshake_succeeded_(false), | 381 handshake_succeeded_(false), |
| 381 marked_session_as_good_(false), | 382 marked_session_as_good_(false), |
| 382 transport_security_state_(context.transport_security_state), | 383 transport_security_state_(context.transport_security_state), |
| 384 policy_enforcer_(context.cert_policy_enforcer), |
| 383 net_log_(transport_->socket()->NetLog()), | 385 net_log_(transport_->socket()->NetLog()), |
| 384 weak_factory_(this) { | 386 weak_factory_(this) { |
| 385 } | 387 } |
| 386 | 388 |
| 387 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { | 389 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { |
| 388 Disconnect(); | 390 Disconnect(); |
| 389 } | 391 } |
| 390 | 392 |
| 391 std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const { | 393 std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const { |
| 392 std::string result = host_and_port_.ToString(); | 394 std::string result = host_and_port_.ToString(); |
| (...skipping 744 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1137 (result == OK || | 1139 (result == OK || |
| 1138 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 1140 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
| 1139 !transport_security_state_->CheckPublicKeyPins( | 1141 !transport_security_state_->CheckPublicKeyPins( |
| 1140 host_and_port_.host(), | 1142 host_and_port_.host(), |
| 1141 server_cert_verify_result_.is_issued_by_known_root, | 1143 server_cert_verify_result_.is_issued_by_known_root, |
| 1142 server_cert_verify_result_.public_key_hashes, | 1144 server_cert_verify_result_.public_key_hashes, |
| 1143 &pinning_failure_log_)) { | 1145 &pinning_failure_log_)) { |
| 1144 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 1146 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
| 1145 } | 1147 } |
| 1146 | 1148 |
| 1147 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | |
| 1148 SSLConfigService::GetEVCertsWhitelist(); | |
| 1149 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | |
| 1150 if (ev_whitelist.get() && ev_whitelist->IsValid()) { | |
| 1151 const SHA256HashValue fingerprint( | |
| 1152 X509Certificate::CalculateFingerprint256( | |
| 1153 server_cert_verify_result_.verified_cert->os_cert_handle())); | |
| 1154 | |
| 1155 UMA_HISTOGRAM_BOOLEAN( | |
| 1156 "Net.SSL_EVCertificateInWhitelist", | |
| 1157 ev_whitelist->ContainsCertificateHash( | |
| 1158 std::string(reinterpret_cast<const char*>(fingerprint.data), 8))); | |
| 1159 } | |
| 1160 } | |
| 1161 | |
| 1162 if (result == OK) { | 1149 if (result == OK) { |
| 1163 // Only check Certificate Transparency if there were no other errors with | 1150 // Only check Certificate Transparency if there were no other errors with |
| 1164 // the connection. | 1151 // the connection. |
| 1165 VerifyCT(); | 1152 VerifyCT(); |
| 1166 | 1153 |
| 1167 // TODO(joth): Work out if we need to remember the intermediate CA certs | 1154 // TODO(joth): Work out if we need to remember the intermediate CA certs |
| 1168 // when the server sends them to us, and do so here. | 1155 // when the server sends them to us, and do so here. |
| 1169 SSLContext::GetInstance()->session_cache()->MarkSSLSessionAsGood(ssl_); | 1156 SSLContext::GetInstance()->session_cache()->MarkSSLSessionAsGood(ssl_); |
| 1170 marked_session_as_good_ = true; | 1157 marked_session_as_good_ = true; |
| 1171 CheckIfHandshakeFinished(); | 1158 CheckIfHandshakeFinished(); |
| (...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1244 const uint8_t* sct_list_raw; | 1231 const uint8_t* sct_list_raw; |
| 1245 size_t sct_list_len; | 1232 size_t sct_list_len; |
| 1246 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list_raw, &sct_list_len); | 1233 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list_raw, &sct_list_len); |
| 1247 std::string sct_list; | 1234 std::string sct_list; |
| 1248 if (sct_list_len > 0) | 1235 if (sct_list_len > 0) |
| 1249 sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len); | 1236 sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len); |
| 1250 | 1237 |
| 1251 // Note that this is a completely synchronous operation: The CT Log Verifier | 1238 // Note that this is a completely synchronous operation: The CT Log Verifier |
| 1252 // gets all the data it needs for SCT verification and does not do any | 1239 // gets all the data it needs for SCT verification and does not do any |
| 1253 // external communication. | 1240 // external communication. |
| 1254 int result = cert_transparency_verifier_->Verify( | 1241 cert_transparency_verifier_->Verify( |
| 1255 server_cert_verify_result_.verified_cert.get(), | 1242 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, |
| 1256 ocsp_response, sct_list, &ct_verify_result_, net_log_); | 1243 &ct_verify_result_, net_log_); |
| 1257 | 1244 |
| 1258 VLOG(1) << "CT Verification complete: result " << result | 1245 if (!policy_enforcer_) { |
| 1259 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() | 1246 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
| 1260 << " Verified scts: " << ct_verify_result_.verified_scts.size() | 1247 } else { |
| 1261 << " scts from unknown logs: " | 1248 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { |
| 1262 << ct_verify_result_.unknown_logs_scts.size(); | 1249 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
| 1250 SSLConfigService::GetEVCertsWhitelist(); |
| 1251 if (!policy_enforcer_->DoesConformToCTEVPolicy( |
| 1252 server_cert_verify_result_.verified_cert.get(), |
| 1253 ev_whitelist.get(), ct_verify_result_)) { |
| 1254 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 |
| 1255 VLOG(1) << "EV certificate for " |
| 1256 << server_cert_verify_result_.verified_cert->subject() |
| 1257 .GetDisplayName() |
| 1258 << " does not conform to CT policy, removing EV status."; |
| 1259 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
| 1260 } |
| 1261 } |
| 1262 } |
| 1263 } | 1263 } |
| 1264 | 1264 |
| 1265 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { | 1265 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { |
| 1266 int rv = DoHandshakeLoop(result); | 1266 int rv = DoHandshakeLoop(result); |
| 1267 if (rv != ERR_IO_PENDING) { | 1267 if (rv != ERR_IO_PENDING) { |
| 1268 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 1268 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
| 1269 DoConnectCallback(rv); | 1269 DoConnectCallback(rv); |
| 1270 } | 1270 } |
| 1271 } | 1271 } |
| 1272 | 1272 |
| (...skipping 630 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1903 ct::SCT_STATUS_LOG_UNKNOWN)); | 1903 ct::SCT_STATUS_LOG_UNKNOWN)); |
| 1904 } | 1904 } |
| 1905 } | 1905 } |
| 1906 | 1906 |
| 1907 scoped_refptr<X509Certificate> | 1907 scoped_refptr<X509Certificate> |
| 1908 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1908 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
| 1909 return server_cert_; | 1909 return server_cert_; |
| 1910 } | 1910 } |
| 1911 | 1911 |
| 1912 } // namespace net | 1912 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 422063004:
Certificate Transparency: Require SCTs for EV certificates. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master