| Index: net/socket/ssl_client_socket_nss.cc
|
| diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
|
| index 0d3c53d891e98c06de0fcaa0aeac4d286e2b89ab..92af627b7f871e3edc19ae201c9da6919fc0a5ee 100644
|
| --- a/net/socket/ssl_client_socket_nss.cc
|
| +++ b/net/socket/ssl_client_socket_nss.cc
|
| @@ -3427,53 +3427,20 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
|
| if (result == OK)
|
| LogConnectionTypeMetrics();
|
|
|
| -#if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS)
|
| - // Take care of any mandates for public key pinning.
|
| - //
|
| - // Pinning is only enabled for official builds to make sure that others don't
|
| - // end up with pins that cannot be easily updated.
|
| - //
|
| - // TODO(agl): We might have an issue here where a request for foo.example.com
|
| - // merges into a SPDY connection to www.example.com, and gets a different
|
| - // certificate.
|
| -
|
| - // Perform pin validation if, and only if, all these conditions obtain:
|
| - //
|
| - // * a TransportSecurityState object is available;
|
| - // * the server's certificate chain is valid (or suffers from only a minor
|
| - // error);
|
| - // * the server's certificate chain chains up to a known root (i.e. not a
|
| - // user-installed trust anchor); and
|
| - // * the build is recent (very old builds should fail open so that users
|
| - // have some chance to recover).
|
| - //
|
| + bool sni_available = ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 ||
|
| + ssl_config_.version_fallback;
|
| const CertStatus cert_status = server_cert_verify_result_.cert_status;
|
| if (transport_security_state_ &&
|
| (result == OK ||
|
| (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
|
| - server_cert_verify_result_.is_issued_by_known_root &&
|
| - TransportSecurityState::IsBuildTimely()) {
|
| - bool sni_available =
|
| - ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 ||
|
| - ssl_config_.version_fallback;
|
| - const std::string& host = host_and_port_.host();
|
| -
|
| - if (transport_security_state_->HasPublicKeyPins(host, sni_available)) {
|
| - if (!transport_security_state_->CheckPublicKeyPins(
|
| - host,
|
| - sni_available,
|
| - server_cert_verify_result_.public_key_hashes,
|
| - &pinning_failure_log_)) {
|
| - LOG(ERROR) << pinning_failure_log_;
|
| - result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
|
| - UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
|
| - TransportSecurityState::ReportUMAOnPinFailure(host);
|
| - } else {
|
| - UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
|
| - }
|
| - }
|
| + !transport_security_state_->CheckPublicKeyPins(
|
| + host_and_port_.host(),
|
| + sni_available,
|
| + server_cert_verify_result_.is_issued_by_known_root,
|
| + server_cert_verify_result_.public_key_hashes,
|
| + &pinning_failure_log_)) {
|
| + result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
|
| }
|
| -#endif
|
|
|
| if (result == OK) {
|
| // Only check Certificate Transparency if there were no other errors with
|
|
|
Chromium Code Reviews
Issue 433123003:
Centralize the logic for checking public key pins (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src