OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
86 #include "crypto/scoped_nss_types.h" | 86 #include "crypto/scoped_nss_types.h" |
87 #include "net/base/address_list.h" | 87 #include "net/base/address_list.h" |
88 #include "net/base/connection_type_histograms.h" | 88 #include "net/base/connection_type_histograms.h" |
89 #include "net/base/dns_util.h" | 89 #include "net/base/dns_util.h" |
90 #include "net/base/io_buffer.h" | 90 #include "net/base/io_buffer.h" |
91 #include "net/base/net_errors.h" | 91 #include "net/base/net_errors.h" |
92 #include "net/base/net_log.h" | 92 #include "net/base/net_log.h" |
93 #include "net/cert/asn1_util.h" | 93 #include "net/cert/asn1_util.h" |
94 #include "net/cert/cert_status_flags.h" | 94 #include "net/cert/cert_status_flags.h" |
95 #include "net/cert/cert_verifier.h" | 95 #include "net/cert/cert_verifier.h" |
96 #include "net/cert/ct_verifier.h" | |
96 #include "net/cert/scoped_nss_types.h" | 97 #include "net/cert/scoped_nss_types.h" |
97 #include "net/cert/single_request_cert_verifier.h" | 98 #include "net/cert/single_request_cert_verifier.h" |
98 #include "net/cert/x509_certificate_net_log_param.h" | 99 #include "net/cert/x509_certificate_net_log_param.h" |
99 #include "net/cert/x509_util.h" | 100 #include "net/cert/x509_util.h" |
100 #include "net/http/transport_security_state.h" | 101 #include "net/http/transport_security_state.h" |
101 #include "net/ocsp/nss_ocsp.h" | 102 #include "net/ocsp/nss_ocsp.h" |
102 #include "net/socket/client_socket_handle.h" | 103 #include "net/socket/client_socket_handle.h" |
103 #include "net/socket/nss_ssl_util.h" | 104 #include "net/socket/nss_ssl_util.h" |
104 #include "net/socket/ssl_error_params.h" | 105 #include "net/socket/ssl_error_params.h" |
105 #include "net/ssl/ssl_cert_request_info.h" | 106 #include "net/ssl/ssl_cert_request_info.h" |
(...skipping 2656 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2762 host_and_port_(host_and_port), | 2763 host_and_port_(host_and_port), |
2763 ssl_config_(ssl_config), | 2764 ssl_config_(ssl_config), |
2764 cert_verifier_(context.cert_verifier), | 2765 cert_verifier_(context.cert_verifier), |
2765 server_bound_cert_service_(context.server_bound_cert_service), | 2766 server_bound_cert_service_(context.server_bound_cert_service), |
2766 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 2767 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
2767 completed_handshake_(false), | 2768 completed_handshake_(false), |
2768 next_handshake_state_(STATE_NONE), | 2769 next_handshake_state_(STATE_NONE), |
2769 nss_fd_(NULL), | 2770 nss_fd_(NULL), |
2770 net_log_(transport_->socket()->NetLog()), | 2771 net_log_(transport_->socket()->NetLog()), |
2771 transport_security_state_(context.transport_security_state), | 2772 transport_security_state_(context.transport_security_state), |
2773 cert_transparency_verifier_(context.cert_transparency_verifier), | |
2772 valid_thread_id_(base::kInvalidThreadId) { | 2774 valid_thread_id_(base::kInvalidThreadId) { |
2773 EnterFunction(""); | 2775 EnterFunction(""); |
2774 InitCore(); | 2776 InitCore(); |
2775 LeaveFunction(""); | 2777 LeaveFunction(""); |
2776 } | 2778 } |
2777 | 2779 |
2778 SSLClientSocketNSS::~SSLClientSocketNSS() { | 2780 SSLClientSocketNSS::~SSLClientSocketNSS() { |
2779 EnterFunction(""); | 2781 EnterFunction(""); |
2780 Disconnect(); | 2782 Disconnect(); |
2781 LeaveFunction(""); | 2783 LeaveFunction(""); |
(...skipping 500 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3282 case STATE_HANDSHAKE_COMPLETE: | 3284 case STATE_HANDSHAKE_COMPLETE: |
3283 rv = DoHandshakeComplete(rv); | 3285 rv = DoHandshakeComplete(rv); |
3284 break; | 3286 break; |
3285 case STATE_VERIFY_CERT: | 3287 case STATE_VERIFY_CERT: |
3286 DCHECK(rv == OK); | 3288 DCHECK(rv == OK); |
3287 rv = DoVerifyCert(rv); | 3289 rv = DoVerifyCert(rv); |
3288 break; | 3290 break; |
3289 case STATE_VERIFY_CERT_COMPLETE: | 3291 case STATE_VERIFY_CERT_COMPLETE: |
3290 rv = DoVerifyCertComplete(rv); | 3292 rv = DoVerifyCertComplete(rv); |
3291 break; | 3293 break; |
3294 case STATE_VERIFY_CT: | |
3295 rv = DoVerifyCT(rv); | |
3296 break; | |
3297 case STATE_VERIFY_CT_COMPLETE: | |
3298 rv = DoVerifyCTComplete(rv); | |
3299 break; | |
3292 case STATE_NONE: | 3300 case STATE_NONE: |
3293 default: | 3301 default: |
3294 rv = ERR_UNEXPECTED; | 3302 rv = ERR_UNEXPECTED; |
3295 LOG(DFATAL) << "unexpected state " << state; | 3303 LOG(DFATAL) << "unexpected state " << state; |
3296 break; | 3304 break; |
3297 } | 3305 } |
3298 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE); | 3306 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE); |
3299 LeaveFunction(""); | 3307 LeaveFunction(""); |
3300 return rv; | 3308 return rv; |
3301 } | 3309 } |
(...skipping 16 matching lines...) Expand all Loading... | |
3318 // SSL handshake is completed. Let's verify the certificate. | 3326 // SSL handshake is completed. Let's verify the certificate. |
3319 GotoState(STATE_VERIFY_CERT); | 3327 GotoState(STATE_VERIFY_CERT); |
3320 // Done! | 3328 // Done! |
3321 } | 3329 } |
3322 set_channel_id_sent(core_->state().channel_id_sent); | 3330 set_channel_id_sent(core_->state().channel_id_sent); |
3323 | 3331 |
3324 LeaveFunction(result); | 3332 LeaveFunction(result); |
3325 return result; | 3333 return result; |
3326 } | 3334 } |
3327 | 3335 |
3328 | |
3329 int SSLClientSocketNSS::DoVerifyCert(int result) { | 3336 int SSLClientSocketNSS::DoVerifyCert(int result) { |
3330 DCHECK(!core_->state().server_cert_chain.empty()); | 3337 DCHECK(!core_->state().server_cert_chain.empty()); |
3331 DCHECK(core_->state().server_cert_chain[0]); | 3338 DCHECK(core_->state().server_cert_chain[0]); |
3332 | 3339 |
3333 GotoState(STATE_VERIFY_CERT_COMPLETE); | 3340 GotoState(STATE_VERIFY_CERT_COMPLETE); |
3334 | 3341 |
3335 // If the certificate is expected to be bad we can use the expectation as | 3342 // If the certificate is expected to be bad we can use the expectation as |
3336 // the cert status. | 3343 // the cert status. |
3337 base::StringPiece der_cert( | 3344 base::StringPiece der_cert( |
3338 reinterpret_cast<char*>( | 3345 reinterpret_cast<char*>( |
(...skipping 63 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3402 // is fixed, we need to avoid using the NSS database for non-essential | 3409 // is fixed, we need to avoid using the NSS database for non-essential |
3403 // purposes. See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and | 3410 // purposes. See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and |
3404 // http://crbug.com/15630 for more info. | 3411 // http://crbug.com/15630 for more info. |
3405 | 3412 |
3406 // TODO(hclam): Skip logging if server cert was expected to be bad because | 3413 // TODO(hclam): Skip logging if server cert was expected to be bad because |
3407 // |server_cert_verify_result_| doesn't contain all the information about | 3414 // |server_cert_verify_result_| doesn't contain all the information about |
3408 // the cert. | 3415 // the cert. |
3409 if (result == OK) | 3416 if (result == OK) |
3410 LogConnectionTypeMetrics(); | 3417 LogConnectionTypeMetrics(); |
3411 | 3418 |
3412 completed_handshake_ = true; | |
3413 | |
3414 #if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS) | 3419 #if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS) |
3415 // Take care of any mandates for public key pinning. | 3420 // Take care of any mandates for public key pinning. |
3416 // | 3421 // |
3417 // Pinning is only enabled for official builds to make sure that others don't | 3422 // Pinning is only enabled for official builds to make sure that others don't |
3418 // end up with pins that cannot be easily updated. | 3423 // end up with pins that cannot be easily updated. |
3419 // | 3424 // |
3420 // TODO(agl): We might have an issue here where a request for foo.example.com | 3425 // TODO(agl): We might have an issue here where a request for foo.example.com |
3421 // merges into a SPDY connection to www.example.com, and gets a different | 3426 // merges into a SPDY connection to www.example.com, and gets a different |
3422 // certificate. | 3427 // certificate. |
3423 | 3428 |
(...skipping 27 matching lines...) Expand all Loading... | |
3451 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 3456 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
3452 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false); | 3457 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false); |
3453 TransportSecurityState::ReportUMAOnPinFailure(host); | 3458 TransportSecurityState::ReportUMAOnPinFailure(host); |
3454 } else { | 3459 } else { |
3455 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true); | 3460 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true); |
3456 } | 3461 } |
3457 } | 3462 } |
3458 } | 3463 } |
3459 #endif | 3464 #endif |
3460 | 3465 |
3466 if (result == OK) { | |
3467 // Only check Certificate Transparency if there were no other errors with | |
3468 // the connection. Note that in this case DoVerifyCTComplete will set | |
3469 // completed_handshake_ to true. | |
3470 GotoState(STATE_VERIFY_CT); | |
wtc
2013/11/26 01:47:23
DESIGN: A state is necessary only if we need to wa
Eran M. (Google)
2013/11/26 14:45:53
Done - note that as the return type of VerifyCT is
| |
3471 return OK; | |
3472 } | |
3473 | |
3474 completed_handshake_ = true; | |
3475 | |
3461 // Exit DoHandshakeLoop and return the result to the caller to Connect. | 3476 // Exit DoHandshakeLoop and return the result to the caller to Connect. |
3462 DCHECK_EQ(STATE_NONE, next_handshake_state_); | 3477 DCHECK_EQ(STATE_NONE, next_handshake_state_); |
3463 return result; | 3478 return result; |
3464 } | 3479 } |
3465 | 3480 |
3481 int SSLClientSocketNSS::DoVerifyCT(int result) { | |
3482 GotoState(STATE_VERIFY_CT_COMPLETE); | |
3483 | |
3484 if (!cert_transparency_verifier_) | |
3485 return OK; | |
3486 | |
3487 // Note that this is a completely synchronic operation: The CT Log Verifier | |
wtc
2013/11/26 01:47:23
synchronic => synchronous
Eran M. (Google)
2013/11/26 14:45:53
Done.
| |
3488 // gets all the data it needs for SCT verification and does not do any | |
3489 // external communication | |
wtc
2013/11/26 01:47:23
Nit: missing a period (.)
Eran M. (Google)
2013/11/26 14:45:53
Done.
| |
3490 return cert_transparency_verifier_->Verify( | |
3491 server_cert_verify_result_.verified_cert, | |
3492 std::string(), // SCT list from OCSP stapling response | |
wtc
2013/11/26 01:47:23
Nit: remove "stapling"
Eran M. (Google)
2013/11/26 14:45:53
Done.
| |
3493 std::string(), // SCT list from TLS handshake | |
wtc
2013/11/26 01:47:23
Nit: TLS handshake => TLS extension
Eran M. (Google)
2013/11/26 14:45:53
Done.
| |
3494 &ct_verify_result_); | |
3495 } | |
3496 | |
3497 int SSLClientSocketNSS::DoVerifyCTComplete(int result) { | |
3498 VLOG(1) << "CT Verification complete: result " << result | |
3499 << " Unverified scts: " << ct_verify_result_.unverified_scts.size() | |
3500 << " Verified scts: " << ct_verify_result_.verified_scts.size() | |
3501 << " scts from unknown logs: " | |
3502 << ct_verify_result_.unknown_logs_scts.size(); | |
3503 | |
3504 if (!ct_verify_result_.unverified_scts.empty() || | |
3505 !ct_verify_result_.unknown_logs_scts.empty() || | |
3506 !ct_verify_result_.verified_scts.empty()) { | |
3507 | |
wtc
2013/11/26 01:47:23
Nit: delete this blank line.
Eran M. (Google)
2013/11/26 14:45:53
Done.
| |
3508 // Saving CT state in cert_status bits, in addition to the SCTs themselves | |
3509 // (which will be threaded into the SSLInfo, as well as into the HTTP | |
3510 // cache). | |
3511 // This persists the CT status and simplifies UI code for figuring out | |
3512 // the right CT info to display. | |
3513 bool has_verified_scts = !ct_verify_result_.verified_scts.empty() && | |
3514 result == OK; | |
3515 if (has_verified_scts || !ct_verify_result_.unverified_scts.empty()) { | |
3516 // Found SCTs from a known log. | |
3517 server_cert_verify_result_.cert_status = | |
3518 CERT_STATUS_HAS_SCT_FROM_KNOWN_LOG; | |
wtc
2013/11/26 01:47:23
BUG: use |= instead of = here and on line 3526. (L
Eran M. (Google)
2013/11/26 14:45:53
Done.
| |
3519 if (has_verified_scts) { | |
3520 server_cert_verify_result_.cert_status |= CERT_STATUS_HAS_GOOD_SCT; | |
3521 } | |
wtc
2013/11/26 01:47:23
Omit curly braces when the if statement's body is
Eran M. (Google)
2013/11/26 14:45:53
Done.
| |
3522 } else { | |
3523 DCHECK(!ct_verify_result_.unknown_logs_scts.empty()); | |
3524 // When this bit is set but CERT_STATUS_HAS_SCT_FROM_KNOWN_LOG isn't | |
wtc
2013/11/26 01:47:23
Nit: add a comma (,) at the end of this line.
Eran M. (Google)
2013/11/26 14:45:53
Done.
| |
3525 // that implies SCTs from unknown logs. | |
3526 server_cert_verify_result_.cert_status = CERT_STATUS_HAS_GOOD_SCT; | |
3527 } | |
3528 } | |
3529 | |
3530 completed_handshake_ = true; | |
3531 DCHECK_EQ(STATE_NONE, next_handshake_state_); | |
3532 | |
3533 return OK; | |
3534 } | |
3535 | |
3466 void SSLClientSocketNSS::LogConnectionTypeMetrics() const { | 3536 void SSLClientSocketNSS::LogConnectionTypeMetrics() const { |
3467 UpdateConnectionTypeHistograms(CONNECTION_SSL); | 3537 UpdateConnectionTypeHistograms(CONNECTION_SSL); |
3468 int ssl_version = SSLConnectionStatusToVersion( | 3538 int ssl_version = SSLConnectionStatusToVersion( |
3469 core_->state().ssl_connection_status); | 3539 core_->state().ssl_connection_status); |
3470 switch (ssl_version) { | 3540 switch (ssl_version) { |
3471 case SSL_CONNECTION_VERSION_SSL2: | 3541 case SSL_CONNECTION_VERSION_SSL2: |
3472 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2); | 3542 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2); |
3473 break; | 3543 break; |
3474 case SSL_CONNECTION_VERSION_SSL3: | 3544 case SSL_CONNECTION_VERSION_SSL3: |
3475 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL3); | 3545 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL3); |
(...skipping 21 matching lines...) Expand all Loading... | |
3497 EnsureThreadIdAssigned(); | 3567 EnsureThreadIdAssigned(); |
3498 base::AutoLock auto_lock(lock_); | 3568 base::AutoLock auto_lock(lock_); |
3499 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 3569 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
3500 } | 3570 } |
3501 | 3571 |
3502 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { | 3572 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { |
3503 return server_bound_cert_service_; | 3573 return server_bound_cert_service_; |
3504 } | 3574 } |
3505 | 3575 |
3506 } // namespace net | 3576 } // namespace net |
OLD | NEW |