OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 396 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
407 struct HandshakeState { | 407 struct HandshakeState { |
408 HandshakeState() { Reset(); } | 408 HandshakeState() { Reset(); } |
409 | 409 |
410 void Reset() { | 410 void Reset() { |
411 next_proto_status = SSLClientSocket::kNextProtoUnsupported; | 411 next_proto_status = SSLClientSocket::kNextProtoUnsupported; |
412 next_proto.clear(); | 412 next_proto.clear(); |
413 server_protos.clear(); | 413 server_protos.clear(); |
414 channel_id_sent = false; | 414 channel_id_sent = false; |
415 server_cert_chain.Reset(NULL); | 415 server_cert_chain.Reset(NULL); |
416 server_cert = NULL; | 416 server_cert = NULL; |
417 sct_list_from_tls_extension.clear(); | |
417 resumed_handshake = false; | 418 resumed_handshake = false; |
418 ssl_connection_status = 0; | 419 ssl_connection_status = 0; |
419 } | 420 } |
420 | 421 |
421 // Set to kNextProtoNegotiated if NPN was successfully negotiated, with the | 422 // Set to kNextProtoNegotiated if NPN was successfully negotiated, with the |
422 // negotiated protocol stored in |next_proto|. | 423 // negotiated protocol stored in |next_proto|. |
423 SSLClientSocket::NextProtoStatus next_proto_status; | 424 SSLClientSocket::NextProtoStatus next_proto_status; |
424 std::string next_proto; | 425 std::string next_proto; |
425 // If the server supports NPN, the protocols supported by the server. | 426 // If the server supports NPN, the protocols supported by the server. |
426 std::string server_protos; | 427 std::string server_protos; |
427 | 428 |
428 // True if a channel ID was sent. | 429 // True if a channel ID was sent. |
429 bool channel_id_sent; | 430 bool channel_id_sent; |
430 | 431 |
431 // List of DER-encoded X.509 DistinguishedName of certificate authorities | 432 // List of DER-encoded X.509 DistinguishedName of certificate authorities |
432 // allowed by the server. | 433 // allowed by the server. |
433 std::vector<std::string> cert_authorities; | 434 std::vector<std::string> cert_authorities; |
434 | 435 |
435 // Set when the handshake fully completes. | 436 // Set when the handshake fully completes. |
436 // | 437 // |
437 // The server certificate is first received from NSS as an NSS certificate | 438 // The server certificate is first received from NSS as an NSS certificate |
438 // chain (|server_cert_chain|) and then converted into a platform-specific | 439 // chain (|server_cert_chain|) and then converted into a platform-specific |
439 // X509Certificate object (|server_cert|). It's possible for some | 440 // X509Certificate object (|server_cert|). It's possible for some |
440 // certificates to be successfully parsed by NSS, and not by the platform | 441 // certificates to be successfully parsed by NSS, and not by the platform |
441 // libraries (i.e.: when running within a sandbox, different parsing | 442 // libraries (i.e.: when running within a sandbox, different parsing |
442 // algorithms, etc), so it's not safe to assume that |server_cert| will | 443 // algorithms, etc), so it's not safe to assume that |server_cert| will |
443 // always be non-NULL. | 444 // always be non-NULL. |
444 PeerCertificateChain server_cert_chain; | 445 PeerCertificateChain server_cert_chain; |
445 scoped_refptr<X509Certificate> server_cert; | 446 scoped_refptr<X509Certificate> server_cert; |
447 // SignedCertificateTimestampList received via TLS extension (RFC 6962). | |
448 std::string sct_list_from_tls_extension; | |
446 | 449 |
447 // True if the current handshake was the result of TLS session resumption. | 450 // True if the current handshake was the result of TLS session resumption. |
448 bool resumed_handshake; | 451 bool resumed_handshake; |
449 | 452 |
450 // The negotiated security parameters (TLS version, cipher, extensions) of | 453 // The negotiated security parameters (TLS version, cipher, extensions) of |
451 // the SSL connection. | 454 // the SSL connection. |
452 int ssl_connection_status; | 455 int ssl_connection_status; |
453 }; | 456 }; |
454 | 457 |
455 // Client-side error mapping functions. | 458 // Client-side error mapping functions. |
(...skipping 291 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
747 // ImportChannelIDKeys is a helper function for turning a DER-encoded cert and | 750 // ImportChannelIDKeys is a helper function for turning a DER-encoded cert and |
748 // key into a SECKEYPublicKey and SECKEYPrivateKey. Returns OK upon success | 751 // key into a SECKEYPublicKey and SECKEYPrivateKey. Returns OK upon success |
749 // and an error code otherwise. | 752 // and an error code otherwise. |
750 // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been | 753 // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been |
751 // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller | 754 // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller |
752 // takes ownership of the |*cert| and |*key|. | 755 // takes ownership of the |*cert| and |*key|. |
753 int ImportChannelIDKeys(SECKEYPublicKey** public_key, SECKEYPrivateKey** key); | 756 int ImportChannelIDKeys(SECKEYPublicKey** public_key, SECKEYPrivateKey** key); |
754 | 757 |
755 // Updates the NSS and platform specific certificates. | 758 // Updates the NSS and platform specific certificates. |
756 void UpdateServerCert(); | 759 void UpdateServerCert(); |
760 // Update the nss_handshake_state_ with SignedCertificateTimestampLists | |
761 // received in the handshake, via a TLS extension or (to be implemented) | |
762 // OCSP stapling. | |
763 void UpdateSignedCertTimestamps(); | |
757 // Updates the nss_handshake_state_ with the negotiated security parameters. | 764 // Updates the nss_handshake_state_ with the negotiated security parameters. |
758 void UpdateConnectionStatus(); | 765 void UpdateConnectionStatus(); |
759 // Record histograms for channel id support during full handshakes - resumed | 766 // Record histograms for channel id support during full handshakes - resumed |
760 // handshakes are ignored. | 767 // handshakes are ignored. |
761 void RecordChannelIDSupportOnNSSTaskRunner(); | 768 void RecordChannelIDSupportOnNSSTaskRunner(); |
762 // UpdateNextProto gets any application-layer protocol that may have been | 769 // UpdateNextProto gets any application-layer protocol that may have been |
763 // negotiated by the TLS connection. | 770 // negotiated by the TLS connection. |
764 void UpdateNextProto(); | 771 void UpdateNextProto(); |
765 | 772 |
766 //////////////////////////////////////////////////////////////////////////// | 773 //////////////////////////////////////////////////////////////////////////// |
(...skipping 878 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1645 PRBool last_handshake_resumed; | 1652 PRBool last_handshake_resumed; |
1646 SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed); | 1653 SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed); |
1647 if (rv == SECSuccess && last_handshake_resumed) { | 1654 if (rv == SECSuccess && last_handshake_resumed) { |
1648 nss_handshake_state_.resumed_handshake = true; | 1655 nss_handshake_state_.resumed_handshake = true; |
1649 } else { | 1656 } else { |
1650 nss_handshake_state_.resumed_handshake = false; | 1657 nss_handshake_state_.resumed_handshake = false; |
1651 } | 1658 } |
1652 | 1659 |
1653 RecordChannelIDSupportOnNSSTaskRunner(); | 1660 RecordChannelIDSupportOnNSSTaskRunner(); |
1654 UpdateServerCert(); | 1661 UpdateServerCert(); |
1662 UpdateSignedCertTimestamps(); | |
1655 UpdateConnectionStatus(); | 1663 UpdateConnectionStatus(); |
1656 UpdateNextProto(); | 1664 UpdateNextProto(); |
1657 | 1665 |
1658 // Update the network task runners view of the handshake state whenever | 1666 // Update the network task runners view of the handshake state whenever |
1659 // a handshake has completed. | 1667 // a handshake has completed. |
1660 PostOrRunCallback( | 1668 PostOrRunCallback( |
1661 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this, | 1669 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this, |
1662 nss_handshake_state_)); | 1670 nss_handshake_state_)); |
1663 } | 1671 } |
1664 | 1672 |
(...skipping 847 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2512 break; | 2520 break; |
2513 case SSL_NEXT_PROTO_NO_SUPPORT: | 2521 case SSL_NEXT_PROTO_NO_SUPPORT: |
2514 nss_handshake_state_.next_proto_status = kNextProtoUnsupported; | 2522 nss_handshake_state_.next_proto_status = kNextProtoUnsupported; |
2515 break; | 2523 break; |
2516 default: | 2524 default: |
2517 NOTREACHED(); | 2525 NOTREACHED(); |
2518 break; | 2526 break; |
2519 } | 2527 } |
2520 } | 2528 } |
2521 | 2529 |
2530 void SSLClientSocketNSS::Core::UpdateSignedCertTimestamps() { | |
wtc
2013/11/26 22:46:12
Nit: move the definition of the UpdateSignedCertTi
ekasper
2013/11/27 14:09:04
Done.
| |
2531 const SECItem* signed_cert_timestamps = | |
2532 SSL_PeerSignedCertTimestamps(nss_fd_); | |
2533 | |
2534 if (!signed_cert_timestamps || !signed_cert_timestamps->len) | |
2535 return; | |
2536 | |
2537 nss_handshake_state_.sct_list_from_tls_extension = std::string( | |
2538 reinterpret_cast<char*>(signed_cert_timestamps->data), | |
2539 signed_cert_timestamps->len); | |
2540 } | |
2541 | |
2522 void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNSSTaskRunner() { | 2542 void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNSSTaskRunner() { |
2523 DCHECK(OnNSSTaskRunner()); | 2543 DCHECK(OnNSSTaskRunner()); |
2524 if (nss_handshake_state_.resumed_handshake) | 2544 if (nss_handshake_state_.resumed_handshake) |
2525 return; | 2545 return; |
2526 | 2546 |
2527 // Copy the NSS task runner-only state to the network task runner and | 2547 // Copy the NSS task runner-only state to the network task runner and |
2528 // log histograms from there, since the histograms also need access to the | 2548 // log histograms from there, since the histograms also need access to the |
2529 // network task runner state. | 2549 // network task runner state. |
2530 PostOrRunCallback( | 2550 PostOrRunCallback( |
2531 FROM_HERE, | 2551 FROM_HERE, |
(...skipping 636 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3168 #ifdef SSL_ENABLE_OCSP_STAPLING | 3188 #ifdef SSL_ENABLE_OCSP_STAPLING |
3169 if (IsOCSPStaplingSupported()) { | 3189 if (IsOCSPStaplingSupported()) { |
3170 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE); | 3190 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE); |
3171 if (rv != SECSuccess) { | 3191 if (rv != SECSuccess) { |
3172 LogFailedNSSFunction(net_log_, "SSL_OptionSet", | 3192 LogFailedNSSFunction(net_log_, "SSL_OptionSet", |
3173 "SSL_ENABLE_OCSP_STAPLING"); | 3193 "SSL_ENABLE_OCSP_STAPLING"); |
3174 } | 3194 } |
3175 } | 3195 } |
3176 #endif | 3196 #endif |
3177 | 3197 |
3198 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, | |
3199 ssl_config_.signed_cert_timestamps_enabled); | |
3200 if (rv != SECSuccess) { | |
3201 LogFailedNSSFunction(net_log_, "SSL_OptionSet", | |
3202 "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS"); | |
3203 } | |
3204 | |
3178 // Chromium patch to libssl | 3205 // Chromium patch to libssl |
3179 #ifdef SSL_ENABLE_CACHED_INFO | 3206 #ifdef SSL_ENABLE_CACHED_INFO |
3180 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO, | 3207 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO, |
3181 ssl_config_.cached_info_enabled); | 3208 ssl_config_.cached_info_enabled); |
3182 if (rv != SECSuccess) | 3209 if (rv != SECSuccess) |
3183 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_CACHED_INFO"); | 3210 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_CACHED_INFO"); |
3184 #endif | 3211 #endif |
3185 | 3212 |
3186 rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); | 3213 rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); |
3187 if (rv != SECSuccess) { | 3214 if (rv != SECSuccess) { |
(...skipping 125 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3313 | 3340 |
3314 int SSLClientSocketNSS::DoHandshakeComplete(int result) { | 3341 int SSLClientSocketNSS::DoHandshakeComplete(int result) { |
3315 EnterFunction(result); | 3342 EnterFunction(result); |
3316 | 3343 |
3317 if (result == OK) { | 3344 if (result == OK) { |
3318 // SSL handshake is completed. Let's verify the certificate. | 3345 // SSL handshake is completed. Let's verify the certificate. |
3319 GotoState(STATE_VERIFY_CERT); | 3346 GotoState(STATE_VERIFY_CERT); |
3320 // Done! | 3347 // Done! |
3321 } | 3348 } |
3322 set_channel_id_sent(core_->state().channel_id_sent); | 3349 set_channel_id_sent(core_->state().channel_id_sent); |
3350 set_signed_cert_timestamps_received( | |
3351 !core_->state().sct_list_from_tls_extension.empty()); | |
3323 | 3352 |
3324 LeaveFunction(result); | 3353 LeaveFunction(result); |
3325 return result; | 3354 return result; |
3326 } | 3355 } |
3327 | 3356 |
3328 | 3357 |
3329 int SSLClientSocketNSS::DoVerifyCert(int result) { | 3358 int SSLClientSocketNSS::DoVerifyCert(int result) { |
3330 DCHECK(!core_->state().server_cert_chain.empty()); | 3359 DCHECK(!core_->state().server_cert_chain.empty()); |
3331 DCHECK(core_->state().server_cert_chain[0]); | 3360 DCHECK(core_->state().server_cert_chain[0]); |
3332 | 3361 |
(...skipping 164 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3497 EnsureThreadIdAssigned(); | 3526 EnsureThreadIdAssigned(); |
3498 base::AutoLock auto_lock(lock_); | 3527 base::AutoLock auto_lock(lock_); |
3499 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 3528 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
3500 } | 3529 } |
3501 | 3530 |
3502 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { | 3531 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { |
3503 return server_bound_cert_service_; | 3532 return server_bound_cert_service_; |
3504 } | 3533 } |
3505 | 3534 |
3506 } // namespace net | 3535 } // namespace net |
OLD | NEW |