| Index: net/socket/ssl_client_socket_openssl.cc
|
| diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
|
| index 05eb1cb6ceab3798581bc792ca87e215c71332f8..4e86c055932ed7517600625db0179d13ee720029 100644
|
| --- a/net/socket/ssl_client_socket_openssl.cc
|
| +++ b/net/socket/ssl_client_socket_openssl.cc
|
| @@ -24,6 +24,7 @@
|
| #include "crypto/openssl_util.h"
|
| #include "crypto/scoped_openssl_types.h"
|
| #include "net/base/net_errors.h"
|
| +#include "net/cert/cert_policy_enforcer.h"
|
| #include "net/cert/cert_verifier.h"
|
| #include "net/cert/ct_ev_whitelist.h"
|
| #include "net/cert/ct_verifier.h"
|
| @@ -81,11 +82,10 @@ unsigned long SSL_CIPHER_get_id(const SSL_CIPHER* cipher) { return cipher->id; }
|
| #endif
|
|
|
| // Used for encoding the |connection_status| field of an SSLInfo object.
|
| -int EncodeSSLConnectionStatus(int cipher_suite,
|
| +int EncodeSSLConnectionStatus(uint16 cipher_suite,
|
| int compression,
|
| int version) {
|
| - return ((cipher_suite & SSL_CONNECTION_CIPHERSUITE_MASK) <<
|
| - SSL_CONNECTION_CIPHERSUITE_SHIFT) |
|
| + return cipher_suite |
|
| ((compression & SSL_CONNECTION_COMPRESSION_MASK) <<
|
| SSL_CONNECTION_COMPRESSION_SHIFT) |
|
| ((version & SSL_CONNECTION_VERSION_MASK) <<
|
| @@ -345,6 +345,11 @@ void SSLClientSocket::ClearSessionCache() {
|
| context->session_cache()->Flush();
|
| }
|
|
|
| +// static
|
| +uint16 SSLClientSocket::GetMaxSupportedSSLVersion() {
|
| + return SSL_PROTOCOL_VERSION_TLS1_2;
|
| +}
|
| +
|
| SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
|
| scoped_ptr<ClientSocketHandle> transport_socket,
|
| const HostPortPair& host_and_port,
|
| @@ -376,6 +381,7 @@ SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
|
| handshake_succeeded_(false),
|
| marked_session_as_good_(false),
|
| transport_security_state_(context.transport_security_state),
|
| + policy_enforcer_(context.cert_policy_enforcer),
|
| net_log_(transport_->socket()->NetLog()),
|
| weak_factory_(this) {
|
| }
|
| @@ -625,7 +631,7 @@ bool SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) {
|
| ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL);
|
|
|
| ssl_info->connection_status = EncodeSSLConnectionStatus(
|
| - SSL_CIPHER_get_id(cipher), 0 /* no compression */,
|
| + static_cast<uint16>(SSL_CIPHER_get_id(cipher)), 0 /* no compression */,
|
| GetNetSSLVersion(ssl_));
|
|
|
| if (!SSL_get_secure_renegotiation_support(ssl_))
|
| @@ -788,7 +794,7 @@ int SSLClientSocketOpenSSL::Init() {
|
| // appended to the cipher removal |command|.
|
| for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {
|
| const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i);
|
| - const uint16 id = SSL_CIPHER_get_id(cipher);
|
| + const uint16 id = static_cast<uint16>(SSL_CIPHER_get_id(cipher));
|
| // Remove any ciphers with a strength of less than 80 bits. Note the NSS
|
| // implementation uses "effective" bits here but OpenSSL does not provide
|
| // this detail. This only impacts Triple DES: reports 112 vs. 168 bits,
|
| @@ -960,7 +966,7 @@ int SSLClientSocketOpenSSL::DoHandshake() {
|
| // Only record OCSP histograms if OCSP was requested.
|
| if (ssl_config_.signed_cert_timestamps_enabled ||
|
| IsOCSPStaplingSupported()) {
|
| - uint8_t* ocsp_response;
|
| + const uint8_t* ocsp_response;
|
| size_t ocsp_response_len;
|
| SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len);
|
|
|
| @@ -968,7 +974,7 @@ int SSLClientSocketOpenSSL::DoHandshake() {
|
| UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0);
|
| }
|
|
|
| - uint8_t* sct_list;
|
| + const uint8_t* sct_list;
|
| size_t sct_list_len;
|
| SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len);
|
| set_signed_cert_timestamps_received(sct_list_len != 0);
|
| @@ -1140,21 +1146,6 @@ int SSLClientSocketOpenSSL::DoVerifyCertComplete(int result) {
|
| result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
|
| }
|
|
|
| - scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
|
| - SSLConfigService::GetEVCertsWhitelist();
|
| - if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {
|
| - if (ev_whitelist.get() && ev_whitelist->IsValid()) {
|
| - const SHA256HashValue fingerprint(
|
| - X509Certificate::CalculateFingerprint256(
|
| - server_cert_verify_result_.verified_cert->os_cert_handle()));
|
| -
|
| - UMA_HISTOGRAM_BOOLEAN(
|
| - "Net.SSL_EVCertificateInWhitelist",
|
| - ev_whitelist->ContainsCertificateHash(
|
| - std::string(reinterpret_cast<const char*>(fingerprint.data), 8)));
|
| - }
|
| - }
|
| -
|
| if (result == OK) {
|
| // Only check Certificate Transparency if there were no other errors with
|
| // the connection.
|
| @@ -1201,13 +1192,13 @@ void SSLClientSocketOpenSSL::UpdateServerCert() {
|
| // update IsOCSPStaplingSupported for Mac. https://crbug.com/430714
|
| if (IsOCSPStaplingSupported()) {
|
| #if defined(OS_WIN)
|
| - uint8_t* ocsp_response_raw;
|
| + const uint8_t* ocsp_response_raw;
|
| size_t ocsp_response_len;
|
| SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len);
|
|
|
| CRYPT_DATA_BLOB ocsp_response_blob;
|
| ocsp_response_blob.cbData = ocsp_response_len;
|
| - ocsp_response_blob.pbData = ocsp_response_raw;
|
| + ocsp_response_blob.pbData = const_cast<BYTE*>(ocsp_response_raw);
|
| BOOL ok = CertSetCertificateContextProperty(
|
| server_cert_->os_cert_handle(),
|
| CERT_OCSP_RESPONSE_PROP_ID,
|
| @@ -1228,7 +1219,7 @@ void SSLClientSocketOpenSSL::VerifyCT() {
|
| if (!cert_transparency_verifier_)
|
| return;
|
|
|
| - uint8_t* ocsp_response_raw;
|
| + const uint8_t* ocsp_response_raw;
|
| size_t ocsp_response_len;
|
| SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len);
|
| std::string ocsp_response;
|
| @@ -1237,7 +1228,7 @@ void SSLClientSocketOpenSSL::VerifyCT() {
|
| ocsp_response_len);
|
| }
|
|
|
| - uint8_t* sct_list_raw;
|
| + const uint8_t* sct_list_raw;
|
| size_t sct_list_len;
|
| SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list_raw, &sct_list_len);
|
| std::string sct_list;
|
| @@ -1247,15 +1238,28 @@ void SSLClientSocketOpenSSL::VerifyCT() {
|
| // Note that this is a completely synchronous operation: The CT Log Verifier
|
| // gets all the data it needs for SCT verification and does not do any
|
| // external communication.
|
| - int result = cert_transparency_verifier_->Verify(
|
| - server_cert_verify_result_.verified_cert.get(),
|
| - ocsp_response, sct_list, &ct_verify_result_, net_log_);
|
| -
|
| - VLOG(1) << "CT Verification complete: result " << result
|
| - << " Invalid scts: " << ct_verify_result_.invalid_scts.size()
|
| - << " Verified scts: " << ct_verify_result_.verified_scts.size()
|
| - << " scts from unknown logs: "
|
| - << ct_verify_result_.unknown_logs_scts.size();
|
| + cert_transparency_verifier_->Verify(
|
| + server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list,
|
| + &ct_verify_result_, net_log_);
|
| +
|
| + if (!policy_enforcer_) {
|
| + server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
|
| + } else {
|
| + if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {
|
| + scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
|
| + SSLConfigService::GetEVCertsWhitelist();
|
| + if (!policy_enforcer_->DoesConformToCTEVPolicy(
|
| + server_cert_verify_result_.verified_cert.get(),
|
| + ev_whitelist.get(), ct_verify_result_)) {
|
| + // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
|
| + VLOG(1) << "EV certificate for "
|
| + << server_cert_verify_result_.verified_cert->subject()
|
| + .GetDisplayName()
|
| + << " does not conform to CT policy, removing EV status.";
|
| + server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
|
| + }
|
| + }
|
| + }
|
| }
|
|
|
| void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) {
|
|
|
Chromium Code Reviews
Issue 761903003:
Update from https://crrev.com/306655 (Closed)
Base URL: git@github.com:domokit/mojo.git@master