OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
11 #include <openssl/bio.h> | 11 #include <openssl/bio.h> |
12 #include <openssl/err.h> | 12 #include <openssl/err.h> |
13 #include <openssl/ssl.h> | 13 #include <openssl/ssl.h> |
14 | 14 |
15 #include "base/bind.h" | 15 #include "base/bind.h" |
16 #include "base/callback_helpers.h" | 16 #include "base/callback_helpers.h" |
17 #include "base/environment.h" | 17 #include "base/environment.h" |
18 #include "base/memory/singleton.h" | 18 #include "base/memory/singleton.h" |
19 #include "base/metrics/histogram.h" | 19 #include "base/metrics/histogram.h" |
20 #include "base/strings/string_piece.h" | 20 #include "base/strings/string_piece.h" |
21 #include "base/synchronization/lock.h" | 21 #include "base/synchronization/lock.h" |
22 #include "crypto/ec_private_key.h" | 22 #include "crypto/ec_private_key.h" |
23 #include "crypto/openssl_util.h" | 23 #include "crypto/openssl_util.h" |
24 #include "crypto/scoped_openssl_types.h" | 24 #include "crypto/scoped_openssl_types.h" |
25 #include "net/base/net_errors.h" | 25 #include "net/base/net_errors.h" |
26 #include "net/cert/cert_verifier.h" | 26 #include "net/cert/cert_verifier.h" |
| 27 #include "net/cert/ct_ev_whitelist.h" |
27 #include "net/cert/ct_verifier.h" | 28 #include "net/cert/ct_verifier.h" |
28 #include "net/cert/single_request_cert_verifier.h" | 29 #include "net/cert/single_request_cert_verifier.h" |
29 #include "net/cert/x509_certificate_net_log_param.h" | 30 #include "net/cert/x509_certificate_net_log_param.h" |
30 #include "net/cert/x509_util_openssl.h" | 31 #include "net/cert/x509_util_openssl.h" |
31 #include "net/http/transport_security_state.h" | 32 #include "net/http/transport_security_state.h" |
32 #include "net/socket/ssl_session_cache_openssl.h" | 33 #include "net/socket/ssl_session_cache_openssl.h" |
33 #include "net/ssl/openssl_ssl_util.h" | 34 #include "net/ssl/openssl_ssl_util.h" |
34 #include "net/ssl/ssl_cert_request_info.h" | 35 #include "net/ssl/ssl_cert_request_info.h" |
35 #include "net/ssl/ssl_connection_status_flags.h" | 36 #include "net/ssl/ssl_connection_status_flags.h" |
36 #include "net/ssl/ssl_info.h" | 37 #include "net/ssl/ssl_info.h" |
(...skipping 1059 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1096 (result == OK || | 1097 (result == OK || |
1097 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 1098 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
1098 !transport_security_state_->CheckPublicKeyPins( | 1099 !transport_security_state_->CheckPublicKeyPins( |
1099 host_and_port_.host(), | 1100 host_and_port_.host(), |
1100 server_cert_verify_result_.is_issued_by_known_root, | 1101 server_cert_verify_result_.is_issued_by_known_root, |
1101 server_cert_verify_result_.public_key_hashes, | 1102 server_cert_verify_result_.public_key_hashes, |
1102 &pinning_failure_log_)) { | 1103 &pinning_failure_log_)) { |
1103 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 1104 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
1104 } | 1105 } |
1105 | 1106 |
| 1107 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
| 1108 SSLConfigService::GetEVCertsWhitelist(); |
| 1109 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { |
| 1110 if (ev_whitelist.get() && ev_whitelist->IsValid()) { |
| 1111 const SHA256HashValue fingerprint( |
| 1112 X509Certificate::CalculateFingerprint256( |
| 1113 server_cert_verify_result_.verified_cert->os_cert_handle())); |
| 1114 |
| 1115 UMA_HISTOGRAM_BOOLEAN( |
| 1116 "Net.SSL_EVCertificateInWhitelist", |
| 1117 ev_whitelist->ContainsCertificateHash( |
| 1118 std::string(reinterpret_cast<const char*>(fingerprint.data), 8))); |
| 1119 } |
| 1120 } |
| 1121 |
1106 if (result == OK) { | 1122 if (result == OK) { |
1107 // Only check Certificate Transparency if there were no other errors with | 1123 // Only check Certificate Transparency if there were no other errors with |
1108 // the connection. | 1124 // the connection. |
1109 VerifyCT(); | 1125 VerifyCT(); |
1110 | 1126 |
1111 // TODO(joth): Work out if we need to remember the intermediate CA certs | 1127 // TODO(joth): Work out if we need to remember the intermediate CA certs |
1112 // when the server sends them to us, and do so here. | 1128 // when the server sends them to us, and do so here. |
1113 SSLContext::GetInstance()->session_cache()->MarkSSLSessionAsGood(ssl_); | 1129 SSLContext::GetInstance()->session_cache()->MarkSSLSessionAsGood(ssl_); |
1114 marked_session_as_good_ = true; | 1130 marked_session_as_good_ = true; |
1115 CheckIfHandshakeFinished(); | 1131 CheckIfHandshakeFinished(); |
(...skipping 664 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1780 ct::SCT_STATUS_LOG_UNKNOWN)); | 1796 ct::SCT_STATUS_LOG_UNKNOWN)); |
1781 } | 1797 } |
1782 } | 1798 } |
1783 | 1799 |
1784 scoped_refptr<X509Certificate> | 1800 scoped_refptr<X509Certificate> |
1785 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1801 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
1786 return server_cert_; | 1802 return server_cert_; |
1787 } | 1803 } |
1788 | 1804 |
1789 } // namespace net | 1805 } // namespace net |
OLD | NEW |