OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 3409 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3420 // is fixed, we need to avoid using the NSS database for non-essential | 3420 // is fixed, we need to avoid using the NSS database for non-essential |
3421 // purposes. See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and | 3421 // purposes. See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and |
3422 // http://crbug.com/15630 for more info. | 3422 // http://crbug.com/15630 for more info. |
3423 | 3423 |
3424 // TODO(hclam): Skip logging if server cert was expected to be bad because | 3424 // TODO(hclam): Skip logging if server cert was expected to be bad because |
3425 // |server_cert_verify_result_| doesn't contain all the information about | 3425 // |server_cert_verify_result_| doesn't contain all the information about |
3426 // the cert. | 3426 // the cert. |
3427 if (result == OK) | 3427 if (result == OK) |
3428 LogConnectionTypeMetrics(); | 3428 LogConnectionTypeMetrics(); |
3429 | 3429 |
3430 #if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS) | 3430 bool sni_available = ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 || |
3431 // Take care of any mandates for public key pinning. | 3431 ssl_config_.version_fallback; |
3432 // | |
3433 // Pinning is only enabled for official builds to make sure that others don't | |
3434 // end up with pins that cannot be easily updated. | |
3435 // | |
3436 // TODO(agl): We might have an issue here where a request for foo.example.com | |
3437 // merges into a SPDY connection to www.example.com, and gets a different | |
3438 // certificate. | |
3439 | |
3440 // Perform pin validation if, and only if, all these conditions obtain: | |
3441 // | |
3442 // * a TransportSecurityState object is available; | |
3443 // * the server's certificate chain is valid (or suffers from only a minor | |
3444 // error); | |
3445 // * the server's certificate chain chains up to a known root (i.e. not a | |
3446 // user-installed trust anchor); and | |
3447 // * the build is recent (very old builds should fail open so that users | |
3448 // have some chance to recover). | |
3449 // | |
3450 const CertStatus cert_status = server_cert_verify_result_.cert_status; | 3432 const CertStatus cert_status = server_cert_verify_result_.cert_status; |
3451 if (transport_security_state_ && | 3433 if (transport_security_state_ && |
3452 (result == OK || | 3434 (result == OK || |
3453 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 3435 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
3454 server_cert_verify_result_.is_issued_by_known_root && | 3436 !transport_security_state_->CheckPublicKeyPins( |
3455 TransportSecurityState::IsBuildTimely()) { | 3437 host_and_port_.host(), |
3456 bool sni_available = | 3438 sni_available, |
3457 ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 || | 3439 server_cert_verify_result_.is_issued_by_known_root, |
3458 ssl_config_.version_fallback; | 3440 server_cert_verify_result_.public_key_hashes, |
3459 const std::string& host = host_and_port_.host(); | 3441 &pinning_failure_log_)) { |
3460 | 3442 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
3461 if (transport_security_state_->HasPublicKeyPins(host, sni_available)) { | |
3462 if (!transport_security_state_->CheckPublicKeyPins( | |
3463 host, | |
3464 sni_available, | |
3465 server_cert_verify_result_.public_key_hashes, | |
3466 &pinning_failure_log_)) { | |
3467 LOG(ERROR) << pinning_failure_log_; | |
3468 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | |
3469 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false); | |
3470 TransportSecurityState::ReportUMAOnPinFailure(host); | |
3471 } else { | |
3472 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true); | |
3473 } | |
3474 } | |
3475 } | 3443 } |
3476 #endif | |
3477 | 3444 |
3478 if (result == OK) { | 3445 if (result == OK) { |
3479 // Only check Certificate Transparency if there were no other errors with | 3446 // Only check Certificate Transparency if there were no other errors with |
3480 // the connection. | 3447 // the connection. |
3481 VerifyCT(); | 3448 VerifyCT(); |
3482 | 3449 |
3483 // Only cache the session if the certificate verified successfully. | 3450 // Only cache the session if the certificate verified successfully. |
3484 core_->CacheSessionIfNecessary(); | 3451 core_->CacheSessionIfNecessary(); |
3485 } | 3452 } |
3486 | 3453 |
(...skipping 88 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3575 scoped_refptr<X509Certificate> | 3542 scoped_refptr<X509Certificate> |
3576 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { | 3543 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { |
3577 return core_->state().server_cert.get(); | 3544 return core_->state().server_cert.get(); |
3578 } | 3545 } |
3579 | 3546 |
3580 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { | 3547 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { |
3581 return channel_id_service_; | 3548 return channel_id_service_; |
3582 } | 3549 } |
3583 | 3550 |
3584 } // namespace net | 3551 } // namespace net |
OLD | NEW |