Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(94)

Unified Diff: net/socket/ssl_client_socket_openssl.cc

Issue 761903003: Update from https://crrev.com/306655 (Closed) Base URL: git@github.com:domokit/mojo.git@master
Patch Set: Created 6 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/socket/ssl_client_socket_openssl.h ('k') | net/socket/ssl_client_socket_pool.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/socket/ssl_client_socket_openssl.cc
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 05eb1cb6ceab3798581bc792ca87e215c71332f8..4e86c055932ed7517600625db0179d13ee720029 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -24,6 +24,7 @@
#include "crypto/openssl_util.h"
#include "crypto/scoped_openssl_types.h"
#include "net/base/net_errors.h"
+#include "net/cert/cert_policy_enforcer.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/ct_ev_whitelist.h"
#include "net/cert/ct_verifier.h"
@@ -81,11 +82,10 @@ unsigned long SSL_CIPHER_get_id(const SSL_CIPHER* cipher) { return cipher->id; }
#endif
// Used for encoding the |connection_status| field of an SSLInfo object.
-int EncodeSSLConnectionStatus(int cipher_suite,
+int EncodeSSLConnectionStatus(uint16 cipher_suite,
int compression,
int version) {
- return ((cipher_suite & SSL_CONNECTION_CIPHERSUITE_MASK) <<
- SSL_CONNECTION_CIPHERSUITE_SHIFT) |
+ return cipher_suite |
((compression & SSL_CONNECTION_COMPRESSION_MASK) <<
SSL_CONNECTION_COMPRESSION_SHIFT) |
((version & SSL_CONNECTION_VERSION_MASK) <<
@@ -345,6 +345,11 @@ void SSLClientSocket::ClearSessionCache() {
context->session_cache()->Flush();
}
+// static
+uint16 SSLClientSocket::GetMaxSupportedSSLVersion() {
+ return SSL_PROTOCOL_VERSION_TLS1_2;
+}
+
SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
scoped_ptr<ClientSocketHandle> transport_socket,
const HostPortPair& host_and_port,
@@ -376,6 +381,7 @@ SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
handshake_succeeded_(false),
marked_session_as_good_(false),
transport_security_state_(context.transport_security_state),
+ policy_enforcer_(context.cert_policy_enforcer),
net_log_(transport_->socket()->NetLog()),
weak_factory_(this) {
}
@@ -625,7 +631,7 @@ bool SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) {
ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL);
ssl_info->connection_status = EncodeSSLConnectionStatus(
- SSL_CIPHER_get_id(cipher), 0 /* no compression */,
+ static_cast<uint16>(SSL_CIPHER_get_id(cipher)), 0 /* no compression */,
GetNetSSLVersion(ssl_));
if (!SSL_get_secure_renegotiation_support(ssl_))
@@ -788,7 +794,7 @@ int SSLClientSocketOpenSSL::Init() {
// appended to the cipher removal |command|.
for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {
const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i);
- const uint16 id = SSL_CIPHER_get_id(cipher);
+ const uint16 id = static_cast<uint16>(SSL_CIPHER_get_id(cipher));
// Remove any ciphers with a strength of less than 80 bits. Note the NSS
// implementation uses "effective" bits here but OpenSSL does not provide
// this detail. This only impacts Triple DES: reports 112 vs. 168 bits,
@@ -960,7 +966,7 @@ int SSLClientSocketOpenSSL::DoHandshake() {
// Only record OCSP histograms if OCSP was requested.
if (ssl_config_.signed_cert_timestamps_enabled ||
IsOCSPStaplingSupported()) {
- uint8_t* ocsp_response;
+ const uint8_t* ocsp_response;
size_t ocsp_response_len;
SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len);
@@ -968,7 +974,7 @@ int SSLClientSocketOpenSSL::DoHandshake() {
UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0);
}
- uint8_t* sct_list;
+ const uint8_t* sct_list;
size_t sct_list_len;
SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len);
set_signed_cert_timestamps_received(sct_list_len != 0);
@@ -1140,21 +1146,6 @@ int SSLClientSocketOpenSSL::DoVerifyCertComplete(int result) {
result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
}
- scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
- SSLConfigService::GetEVCertsWhitelist();
- if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {
- if (ev_whitelist.get() && ev_whitelist->IsValid()) {
- const SHA256HashValue fingerprint(
- X509Certificate::CalculateFingerprint256(
- server_cert_verify_result_.verified_cert->os_cert_handle()));
-
- UMA_HISTOGRAM_BOOLEAN(
- "Net.SSL_EVCertificateInWhitelist",
- ev_whitelist->ContainsCertificateHash(
- std::string(reinterpret_cast<const char*>(fingerprint.data), 8)));
- }
- }
-
if (result == OK) {
// Only check Certificate Transparency if there were no other errors with
// the connection.
@@ -1201,13 +1192,13 @@ void SSLClientSocketOpenSSL::UpdateServerCert() {
// update IsOCSPStaplingSupported for Mac. https://crbug.com/430714
if (IsOCSPStaplingSupported()) {
#if defined(OS_WIN)
- uint8_t* ocsp_response_raw;
+ const uint8_t* ocsp_response_raw;
size_t ocsp_response_len;
SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len);
CRYPT_DATA_BLOB ocsp_response_blob;
ocsp_response_blob.cbData = ocsp_response_len;
- ocsp_response_blob.pbData = ocsp_response_raw;
+ ocsp_response_blob.pbData = const_cast<BYTE*>(ocsp_response_raw);
BOOL ok = CertSetCertificateContextProperty(
server_cert_->os_cert_handle(),
CERT_OCSP_RESPONSE_PROP_ID,
@@ -1228,7 +1219,7 @@ void SSLClientSocketOpenSSL::VerifyCT() {
if (!cert_transparency_verifier_)
return;
- uint8_t* ocsp_response_raw;
+ const uint8_t* ocsp_response_raw;
size_t ocsp_response_len;
SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len);
std::string ocsp_response;
@@ -1237,7 +1228,7 @@ void SSLClientSocketOpenSSL::VerifyCT() {
ocsp_response_len);
}
- uint8_t* sct_list_raw;
+ const uint8_t* sct_list_raw;
size_t sct_list_len;
SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list_raw, &sct_list_len);
std::string sct_list;
@@ -1247,15 +1238,28 @@ void SSLClientSocketOpenSSL::VerifyCT() {
// Note that this is a completely synchronous operation: The CT Log Verifier
// gets all the data it needs for SCT verification and does not do any
// external communication.
- int result = cert_transparency_verifier_->Verify(
- server_cert_verify_result_.verified_cert.get(),
- ocsp_response, sct_list, &ct_verify_result_, net_log_);
-
- VLOG(1) << "CT Verification complete: result " << result
- << " Invalid scts: " << ct_verify_result_.invalid_scts.size()
- << " Verified scts: " << ct_verify_result_.verified_scts.size()
- << " scts from unknown logs: "
- << ct_verify_result_.unknown_logs_scts.size();
+ cert_transparency_verifier_->Verify(
+ server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list,
+ &ct_verify_result_, net_log_);
+
+ if (!policy_enforcer_) {
+ server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
+ } else {
+ if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {
+ scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
+ SSLConfigService::GetEVCertsWhitelist();
+ if (!policy_enforcer_->DoesConformToCTEVPolicy(
+ server_cert_verify_result_.verified_cert.get(),
+ ev_whitelist.get(), ct_verify_result_)) {
+ // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
+ VLOG(1) << "EV certificate for "
+ << server_cert_verify_result_.verified_cert->subject()
+ .GetDisplayName()
+ << " does not conform to CT policy, removing EV status.";
+ server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
+ }
+ }
+ }
}
void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) {
« no previous file with comments | « net/socket/ssl_client_socket_openssl.h ('k') | net/socket/ssl_client_socket_pool.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698