OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 74 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
85 #include "crypto/nss_util_internal.h" | 85 #include "crypto/nss_util_internal.h" |
86 #include "crypto/rsa_private_key.h" | 86 #include "crypto/rsa_private_key.h" |
87 #include "crypto/scoped_nss_types.h" | 87 #include "crypto/scoped_nss_types.h" |
88 #include "net/base/address_list.h" | 88 #include "net/base/address_list.h" |
89 #include "net/base/connection_type_histograms.h" | 89 #include "net/base/connection_type_histograms.h" |
90 #include "net/base/dns_util.h" | 90 #include "net/base/dns_util.h" |
91 #include "net/base/io_buffer.h" | 91 #include "net/base/io_buffer.h" |
92 #include "net/base/net_errors.h" | 92 #include "net/base/net_errors.h" |
93 #include "net/base/net_log.h" | 93 #include "net/base/net_log.h" |
94 #include "net/cert/asn1_util.h" | 94 #include "net/cert/asn1_util.h" |
95 #include "net/cert/cert_policy_enforcer.h" | |
95 #include "net/cert/cert_status_flags.h" | 96 #include "net/cert/cert_status_flags.h" |
96 #include "net/cert/cert_verifier.h" | 97 #include "net/cert/cert_verifier.h" |
97 #include "net/cert/ct_objects_extractor.h" | 98 #include "net/cert/ct_objects_extractor.h" |
98 #include "net/cert/ct_verifier.h" | 99 #include "net/cert/ct_verifier.h" |
99 #include "net/cert/ct_verify_result.h" | 100 #include "net/cert/ct_verify_result.h" |
100 #include "net/cert/scoped_nss_types.h" | 101 #include "net/cert/scoped_nss_types.h" |
101 #include "net/cert/sct_status_flags.h" | 102 #include "net/cert/sct_status_flags.h" |
102 #include "net/cert/single_request_cert_verifier.h" | 103 #include "net/cert/single_request_cert_verifier.h" |
103 #include "net/cert/x509_certificate_net_log_param.h" | 104 #include "net/cert/x509_certificate_net_log_param.h" |
104 #include "net/cert/x509_util.h" | 105 #include "net/cert/x509_util.h" |
(...skipping 2695 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2800 ssl_config_(ssl_config), | 2801 ssl_config_(ssl_config), |
2801 cert_verifier_(context.cert_verifier), | 2802 cert_verifier_(context.cert_verifier), |
2802 cert_transparency_verifier_(context.cert_transparency_verifier), | 2803 cert_transparency_verifier_(context.cert_transparency_verifier), |
2803 channel_id_service_(context.channel_id_service), | 2804 channel_id_service_(context.channel_id_service), |
2804 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 2805 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
2805 completed_handshake_(false), | 2806 completed_handshake_(false), |
2806 next_handshake_state_(STATE_NONE), | 2807 next_handshake_state_(STATE_NONE), |
2807 nss_fd_(NULL), | 2808 nss_fd_(NULL), |
2808 net_log_(transport_->socket()->NetLog()), | 2809 net_log_(transport_->socket()->NetLog()), |
2809 transport_security_state_(context.transport_security_state), | 2810 transport_security_state_(context.transport_security_state), |
2811 policy_enforcer_(new CertPolicyEnforcer( | |
Ryan Sleevi
2014/10/22 19:48:36
This should be passed in, not created.
Eran Messeri
2014/10/24 12:12:36
Done. It's passed *all* the way from the IOThread.
| |
2812 cert_transparency_verifier_ | |
2813 ? cert_transparency_verifier_->GetNumKnownLogs() | |
2814 : 0)), | |
2810 valid_thread_id_(base::kInvalidThreadId) { | 2815 valid_thread_id_(base::kInvalidThreadId) { |
2811 EnterFunction(""); | 2816 EnterFunction(""); |
2812 InitCore(); | 2817 InitCore(); |
2813 LeaveFunction(""); | 2818 LeaveFunction(""); |
2814 } | 2819 } |
2815 | 2820 |
2816 SSLClientSocketNSS::~SSLClientSocketNSS() { | 2821 SSLClientSocketNSS::~SSLClientSocketNSS() { |
2817 EnterFunction(""); | 2822 EnterFunction(""); |
2818 Disconnect(); | 2823 Disconnect(); |
2819 LeaveFunction(""); | 2824 LeaveFunction(""); |
(...skipping 698 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3518 &ct_verify_result_, | 3523 &ct_verify_result_, |
3519 net_log_); | 3524 net_log_); |
3520 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension | 3525 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension |
3521 // from the state after verification is complete, to conserve memory. | 3526 // from the state after verification is complete, to conserve memory. |
3522 | 3527 |
3523 VLOG(1) << "CT Verification complete: result " << result | 3528 VLOG(1) << "CT Verification complete: result " << result |
3524 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() | 3529 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() |
3525 << " Verified scts: " << ct_verify_result_.verified_scts.size() | 3530 << " Verified scts: " << ct_verify_result_.verified_scts.size() |
3526 << " scts from unknown logs: " | 3531 << " scts from unknown logs: " |
3527 << ct_verify_result_.unknown_logs_scts.size(); | 3532 << ct_verify_result_.unknown_logs_scts.size(); |
3533 | |
3534 if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) && | |
3535 (!policy_enforcer_->DoesConformToCTEVPolicy( | |
3536 server_cert_verify_result_.verified_cert.get(), ct_verify_result_))) { | |
3537 VLOG(1) << "EV certificate without enough SCTs, removing EV status."; | |
3538 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | |
3539 } | |
3528 } | 3540 } |
3529 | 3541 |
3530 void SSLClientSocketNSS::LogConnectionTypeMetrics() const { | 3542 void SSLClientSocketNSS::LogConnectionTypeMetrics() const { |
3531 UpdateConnectionTypeHistograms(CONNECTION_SSL); | 3543 UpdateConnectionTypeHistograms(CONNECTION_SSL); |
3532 int ssl_version = SSLConnectionStatusToVersion( | 3544 int ssl_version = SSLConnectionStatusToVersion( |
3533 core_->state().ssl_connection_status); | 3545 core_->state().ssl_connection_status); |
3534 switch (ssl_version) { | 3546 switch (ssl_version) { |
3535 case SSL_CONNECTION_VERSION_SSL2: | 3547 case SSL_CONNECTION_VERSION_SSL2: |
3536 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2); | 3548 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2); |
3537 break; | 3549 break; |
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3588 scoped_refptr<X509Certificate> | 3600 scoped_refptr<X509Certificate> |
3589 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { | 3601 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { |
3590 return core_->state().server_cert.get(); | 3602 return core_->state().server_cert.get(); |
3591 } | 3603 } |
3592 | 3604 |
3593 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { | 3605 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { |
3594 return channel_id_service_; | 3606 return channel_id_service_; |
3595 } | 3607 } |
3596 | 3608 |
3597 } // namespace net | 3609 } // namespace net |
OLD | NEW |