| Index: net/socket/ssl_client_socket_nss.cc
|
| diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
|
| index 3e5bde05fa7ce8a8619b29dae69c7181192147df..3651e8d62466696169433993af5f4cd92d62b67b 100644
|
| --- a/net/socket/ssl_client_socket_nss.cc
|
| +++ b/net/socket/ssl_client_socket_nss.cc
|
| @@ -91,6 +91,7 @@
|
| #include "net/base/net_errors.h"
|
| #include "net/base/net_log.h"
|
| #include "net/cert/asn1_util.h"
|
| +#include "net/cert/cert_policy_enforcer.h"
|
| #include "net/cert/cert_status_flags.h"
|
| #include "net/cert/cert_verifier.h"
|
| #include "net/cert/ct_ev_whitelist.h"
|
| @@ -2473,10 +2474,7 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
|
| if (ok == SECSuccess &&
|
| channel_info.length == sizeof(channel_info) &&
|
| channel_info.cipherSuite) {
|
| - nss_handshake_state_.ssl_connection_status |=
|
| - (static_cast<int>(channel_info.cipherSuite) &
|
| - SSL_CONNECTION_CIPHERSUITE_MASK) <<
|
| - SSL_CONNECTION_CIPHERSUITE_SHIFT;
|
| + nss_handshake_state_.ssl_connection_status |= channel_info.cipherSuite;
|
|
|
| nss_handshake_state_.ssl_connection_status |=
|
| (static_cast<int>(channel_info.compressionMethod) &
|
| @@ -2834,6 +2832,7 @@ SSLClientSocketNSS::SSLClientSocketNSS(
|
| nss_fd_(NULL),
|
| net_log_(transport_->socket()->NetLog()),
|
| transport_security_state_(context.transport_security_state),
|
| + policy_enforcer_(context.cert_policy_enforcer),
|
| valid_thread_id_(base::kInvalidThreadId) {
|
| EnterFunction("");
|
| InitCore();
|
| @@ -2856,6 +2855,19 @@ void SSLClientSocket::ClearSessionCache() {
|
| SSL_ClearSessionCache();
|
| }
|
|
|
| +#if !defined(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)
|
| +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
|
| +#endif
|
| +
|
| +// static
|
| +uint16 SSLClientSocket::GetMaxSupportedSSLVersion() {
|
| + if (PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) {
|
| + return SSL_PROTOCOL_VERSION_TLS1_2;
|
| + } else {
|
| + return SSL_PROTOCOL_VERSION_TLS1_1;
|
| + }
|
| +}
|
| +
|
| bool SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
|
| EnterFunction("");
|
| ssl_info->Reset();
|
| @@ -3518,21 +3530,6 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
|
| result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
|
| }
|
|
|
| - scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
|
| - SSLConfigService::GetEVCertsWhitelist();
|
| - if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {
|
| - if (ev_whitelist.get() && ev_whitelist->IsValid()) {
|
| - const SHA256HashValue fingerprint(
|
| - X509Certificate::CalculateFingerprint256(
|
| - server_cert_verify_result_.verified_cert->os_cert_handle()));
|
| -
|
| - UMA_HISTOGRAM_BOOLEAN(
|
| - "Net.SSL_EVCertificateInWhitelist",
|
| - ev_whitelist->ContainsCertificateHash(
|
| - std::string(reinterpret_cast<const char*>(fingerprint.data), 8)));
|
| - }
|
| - }
|
| -
|
| if (result == OK) {
|
| // Only check Certificate Transparency if there were no other errors with
|
| // the connection.
|
| @@ -3556,20 +3553,31 @@ void SSLClientSocketNSS::VerifyCT() {
|
| // Note that this is a completely synchronous operation: The CT Log Verifier
|
| // gets all the data it needs for SCT verification and does not do any
|
| // external communication.
|
| - int result = cert_transparency_verifier_->Verify(
|
| + cert_transparency_verifier_->Verify(
|
| server_cert_verify_result_.verified_cert.get(),
|
| core_->state().stapled_ocsp_response,
|
| - core_->state().sct_list_from_tls_extension,
|
| - &ct_verify_result_,
|
| - net_log_);
|
| + core_->state().sct_list_from_tls_extension, &ct_verify_result_, net_log_);
|
| // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension
|
| // from the state after verification is complete, to conserve memory.
|
|
|
| - VLOG(1) << "CT Verification complete: result " << result
|
| - << " Invalid scts: " << ct_verify_result_.invalid_scts.size()
|
| - << " Verified scts: " << ct_verify_result_.verified_scts.size()
|
| - << " scts from unknown logs: "
|
| - << ct_verify_result_.unknown_logs_scts.size();
|
| + if (!policy_enforcer_) {
|
| + server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
|
| + } else {
|
| + if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {
|
| + scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
|
| + SSLConfigService::GetEVCertsWhitelist();
|
| + if (!policy_enforcer_->DoesConformToCTEVPolicy(
|
| + server_cert_verify_result_.verified_cert.get(),
|
| + ev_whitelist.get(), ct_verify_result_)) {
|
| + // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
|
| + VLOG(1) << "EV certificate for "
|
| + << server_cert_verify_result_.verified_cert->subject()
|
| + .GetDisplayName()
|
| + << " does not conform to CT policy, removing EV status.";
|
| + server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
|
| + }
|
| + }
|
| + }
|
| }
|
|
|
| void SSLClientSocketNSS::EnsureThreadIdAssigned() const {
|
|
|
Chromium Code Reviews
Issue 761903003:
Update from https://crrev.com/306655 (Closed)
Base URL: git@github.com:domokit/mojo.git@master