OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
86 #include "crypto/scoped_nss_types.h" | 86 #include "crypto/scoped_nss_types.h" |
87 #include "net/base/address_list.h" | 87 #include "net/base/address_list.h" |
88 #include "net/base/connection_type_histograms.h" | 88 #include "net/base/connection_type_histograms.h" |
89 #include "net/base/dns_util.h" | 89 #include "net/base/dns_util.h" |
90 #include "net/base/io_buffer.h" | 90 #include "net/base/io_buffer.h" |
91 #include "net/base/net_errors.h" | 91 #include "net/base/net_errors.h" |
92 #include "net/base/net_log.h" | 92 #include "net/base/net_log.h" |
93 #include "net/cert/asn1_util.h" | 93 #include "net/cert/asn1_util.h" |
94 #include "net/cert/cert_status_flags.h" | 94 #include "net/cert/cert_status_flags.h" |
95 #include "net/cert/cert_verifier.h" | 95 #include "net/cert/cert_verifier.h" |
96 #include "net/cert/ct_objects_extractor.h" | |
96 #include "net/cert/ct_verifier.h" | 97 #include "net/cert/ct_verifier.h" |
97 #include "net/cert/ct_verify_result.h" | 98 #include "net/cert/ct_verify_result.h" |
98 #include "net/cert/scoped_nss_types.h" | 99 #include "net/cert/scoped_nss_types.h" |
99 #include "net/cert/sct_status_flags.h" | 100 #include "net/cert/sct_status_flags.h" |
100 #include "net/cert/single_request_cert_verifier.h" | 101 #include "net/cert/single_request_cert_verifier.h" |
101 #include "net/cert/x509_certificate_net_log_param.h" | 102 #include "net/cert/x509_certificate_net_log_param.h" |
102 #include "net/cert/x509_util.h" | 103 #include "net/cert/x509_util.h" |
103 #include "net/http/transport_security_state.h" | 104 #include "net/http/transport_security_state.h" |
104 #include "net/ocsp/nss_ocsp.h" | 105 #include "net/ocsp/nss_ocsp.h" |
105 #include "net/socket/client_socket_handle.h" | 106 #include "net/socket/client_socket_handle.h" |
(...skipping 305 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
411 HandshakeState() { Reset(); } | 412 HandshakeState() { Reset(); } |
412 | 413 |
413 void Reset() { | 414 void Reset() { |
414 next_proto_status = SSLClientSocket::kNextProtoUnsupported; | 415 next_proto_status = SSLClientSocket::kNextProtoUnsupported; |
415 next_proto.clear(); | 416 next_proto.clear(); |
416 server_protos.clear(); | 417 server_protos.clear(); |
417 channel_id_sent = false; | 418 channel_id_sent = false; |
418 server_cert_chain.Reset(NULL); | 419 server_cert_chain.Reset(NULL); |
419 server_cert = NULL; | 420 server_cert = NULL; |
420 sct_list_from_tls_extension.clear(); | 421 sct_list_from_tls_extension.clear(); |
422 sct_list_from_ocsp_stapling.clear(); | |
421 resumed_handshake = false; | 423 resumed_handshake = false; |
422 ssl_connection_status = 0; | 424 ssl_connection_status = 0; |
423 } | 425 } |
424 | 426 |
425 // Set to kNextProtoNegotiated if NPN was successfully negotiated, with the | 427 // Set to kNextProtoNegotiated if NPN was successfully negotiated, with the |
426 // negotiated protocol stored in |next_proto|. | 428 // negotiated protocol stored in |next_proto|. |
427 SSLClientSocket::NextProtoStatus next_proto_status; | 429 SSLClientSocket::NextProtoStatus next_proto_status; |
428 std::string next_proto; | 430 std::string next_proto; |
429 // If the server supports NPN, the protocols supported by the server. | 431 // If the server supports NPN, the protocols supported by the server. |
430 std::string server_protos; | 432 std::string server_protos; |
(...skipping 11 matching lines...) Expand all Loading... | |
442 // chain (|server_cert_chain|) and then converted into a platform-specific | 444 // chain (|server_cert_chain|) and then converted into a platform-specific |
443 // X509Certificate object (|server_cert|). It's possible for some | 445 // X509Certificate object (|server_cert|). It's possible for some |
444 // certificates to be successfully parsed by NSS, and not by the platform | 446 // certificates to be successfully parsed by NSS, and not by the platform |
445 // libraries (i.e.: when running within a sandbox, different parsing | 447 // libraries (i.e.: when running within a sandbox, different parsing |
446 // algorithms, etc), so it's not safe to assume that |server_cert| will | 448 // algorithms, etc), so it's not safe to assume that |server_cert| will |
447 // always be non-NULL. | 449 // always be non-NULL. |
448 PeerCertificateChain server_cert_chain; | 450 PeerCertificateChain server_cert_chain; |
449 scoped_refptr<X509Certificate> server_cert; | 451 scoped_refptr<X509Certificate> server_cert; |
450 // SignedCertificateTimestampList received via TLS extension (RFC 6962). | 452 // SignedCertificateTimestampList received via TLS extension (RFC 6962). |
451 std::string sct_list_from_tls_extension; | 453 std::string sct_list_from_tls_extension; |
454 // SignedCertificateTimestampList received in a stapled OCSP response | |
455 // (RFC 6962). | |
456 std::string sct_list_from_ocsp_stapling; | |
452 | 457 |
453 // True if the current handshake was the result of TLS session resumption. | 458 // True if the current handshake was the result of TLS session resumption. |
454 bool resumed_handshake; | 459 bool resumed_handshake; |
455 | 460 |
456 // The negotiated security parameters (TLS version, cipher, extensions) of | 461 // The negotiated security parameters (TLS version, cipher, extensions) of |
457 // the SSL connection. | 462 // the SSL connection. |
458 int ssl_connection_status; | 463 int ssl_connection_status; |
459 }; | 464 }; |
460 | 465 |
461 // Client-side error mapping functions. | 466 // Client-side error mapping functions. |
(...skipping 291 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
753 // ImportChannelIDKeys is a helper function for turning a DER-encoded cert and | 758 // ImportChannelIDKeys is a helper function for turning a DER-encoded cert and |
754 // key into a SECKEYPublicKey and SECKEYPrivateKey. Returns OK upon success | 759 // key into a SECKEYPublicKey and SECKEYPrivateKey. Returns OK upon success |
755 // and an error code otherwise. | 760 // and an error code otherwise. |
756 // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been | 761 // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been |
757 // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller | 762 // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller |
758 // takes ownership of the |*cert| and |*key|. | 763 // takes ownership of the |*cert| and |*key|. |
759 int ImportChannelIDKeys(SECKEYPublicKey** public_key, SECKEYPrivateKey** key); | 764 int ImportChannelIDKeys(SECKEYPublicKey** public_key, SECKEYPrivateKey** key); |
760 | 765 |
761 // Updates the NSS and platform specific certificates. | 766 // Updates the NSS and platform specific certificates. |
762 void UpdateServerCert(); | 767 void UpdateServerCert(); |
763 // Update the nss_handshake_state_ with SignedCertificateTimestampLists | 768 // Update the nss_handshake_state_ with the SignedCertificateTimestampList |
764 // received in the handshake, via a TLS extension or (to be implemented) | 769 // received in the handshake via a TLS extension. |
765 // OCSP stapling. | |
766 void UpdateSignedCertTimestamps(); | 770 void UpdateSignedCertTimestamps(); |
771 #ifdef SSL_ENABLE_OCSP_STAPLING | |
Ryan Sleevi
2013/12/03 21:03:18
1) This should be #if defined
2) We shouldn't be u
wtc
2013/12/03 21:04:25
Nit: can you take the opportunity to remove all #i
ekasper
2013/12/04 19:25:15
Done.
| |
772 // Update the OCSP response cache with the stapled response received in the | |
773 // handshake, and update nss_handshake_state_ with | |
774 // the SignedCertificateTimestampList received in the stapled OCSP response. | |
775 void UpdateStapledOCSPResponse(); | |
776 #endif | |
767 // Updates the nss_handshake_state_ with the negotiated security parameters. | 777 // Updates the nss_handshake_state_ with the negotiated security parameters. |
768 void UpdateConnectionStatus(); | 778 void UpdateConnectionStatus(); |
769 // Record histograms for channel id support during full handshakes - resumed | 779 // Record histograms for channel id support during full handshakes - resumed |
770 // handshakes are ignored. | 780 // handshakes are ignored. |
771 void RecordChannelIDSupportOnNSSTaskRunner(); | 781 void RecordChannelIDSupportOnNSSTaskRunner(); |
772 // UpdateNextProto gets any application-layer protocol that may have been | 782 // UpdateNextProto gets any application-layer protocol that may have been |
773 // negotiated by the TLS connection. | 783 // negotiated by the TLS connection. |
774 void UpdateNextProto(); | 784 void UpdateNextProto(); |
775 | 785 |
776 //////////////////////////////////////////////////////////////////////////// | 786 //////////////////////////////////////////////////////////////////////////// |
(...skipping 879 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1656 SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed); | 1666 SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed); |
1657 if (rv == SECSuccess && last_handshake_resumed) { | 1667 if (rv == SECSuccess && last_handshake_resumed) { |
1658 nss_handshake_state_.resumed_handshake = true; | 1668 nss_handshake_state_.resumed_handshake = true; |
1659 } else { | 1669 } else { |
1660 nss_handshake_state_.resumed_handshake = false; | 1670 nss_handshake_state_.resumed_handshake = false; |
1661 } | 1671 } |
1662 | 1672 |
1663 RecordChannelIDSupportOnNSSTaskRunner(); | 1673 RecordChannelIDSupportOnNSSTaskRunner(); |
1664 UpdateServerCert(); | 1674 UpdateServerCert(); |
1665 UpdateSignedCertTimestamps(); | 1675 UpdateSignedCertTimestamps(); |
1676 #ifdef SSL_ENABLE_OCSP_STAPLING | |
1677 UpdateStapledOCSPResponse(); | |
1678 #endif | |
1666 UpdateConnectionStatus(); | 1679 UpdateConnectionStatus(); |
1667 UpdateNextProto(); | 1680 UpdateNextProto(); |
1668 | 1681 |
1669 // Update the network task runners view of the handshake state whenever | 1682 // Update the network task runners view of the handshake state whenever |
1670 // a handshake has completed. | 1683 // a handshake has completed. |
1671 PostOrRunCallback( | 1684 PostOrRunCallback( |
1672 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this, | 1685 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this, |
1673 nss_handshake_state_)); | 1686 nss_handshake_state_)); |
1674 } | 1687 } |
1675 | 1688 |
(...skipping 151 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1827 // so that we won't try to resume the non-client-authenticated session in | 1840 // so that we won't try to resume the non-client-authenticated session in |
1828 // the next handshake. This will cause the server to ask for a client | 1841 // the next handshake. This will cause the server to ask for a client |
1829 // cert again. | 1842 // cert again. |
1830 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) | 1843 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) |
1831 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); | 1844 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); |
1832 } else if (rv == SECSuccess) { | 1845 } else if (rv == SECSuccess) { |
1833 if (!handshake_callback_called_) { | 1846 if (!handshake_callback_called_) { |
1834 false_started_ = true; | 1847 false_started_ = true; |
1835 HandshakeSucceeded(); | 1848 HandshakeSucceeded(); |
1836 } | 1849 } |
1837 | |
1838 // TODO(wtc): move this block of code to OwnAuthCertHandler. | |
1839 #if defined(SSL_ENABLE_OCSP_STAPLING) | |
1840 // TODO(agl): figure out how to plumb an OCSP response into the Mac | |
1841 // system library and update IsOCSPStaplingSupported for Mac. | |
1842 if (IsOCSPStaplingSupported()) { | |
1843 const SECItemArray* ocsp_responses = | |
1844 SSL_PeerStapledOCSPResponses(nss_fd_); | |
1845 if (ocsp_responses->len) { | |
1846 #if defined(OS_WIN) | |
1847 if (nss_handshake_state_.server_cert) { | |
1848 CRYPT_DATA_BLOB ocsp_response_blob; | |
1849 ocsp_response_blob.cbData = ocsp_responses->items[0].len; | |
1850 ocsp_response_blob.pbData = ocsp_responses->items[0].data; | |
1851 BOOL ok = CertSetCertificateContextProperty( | |
1852 nss_handshake_state_.server_cert->os_cert_handle(), | |
1853 CERT_OCSP_RESPONSE_PROP_ID, | |
1854 CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG, | |
1855 &ocsp_response_blob); | |
1856 if (!ok) { | |
1857 VLOG(1) << "Failed to set OCSP response property: " | |
1858 << GetLastError(); | |
1859 } | |
1860 } | |
1861 #elif defined(USE_NSS) | |
1862 CacheOCSPResponseFromSideChannelFunction cache_ocsp_response = | |
1863 GetCacheOCSPResponseFromSideChannelFunction(); | |
1864 | |
1865 cache_ocsp_response( | |
1866 CERT_GetDefaultCertDB(), | |
1867 nss_handshake_state_.server_cert_chain[0], PR_Now(), | |
1868 &ocsp_responses->items[0], NULL); | |
1869 #endif | |
1870 } | |
1871 } | |
1872 #endif | |
1873 // Done! | |
1874 } else { | 1850 } else { |
1875 PRErrorCode prerr = PR_GetError(); | 1851 PRErrorCode prerr = PR_GetError(); |
1876 net_error = HandleNSSError(prerr, true); | 1852 net_error = HandleNSSError(prerr, true); |
1877 | 1853 |
1878 // Some network devices that inspect application-layer packets seem to | 1854 // Some network devices that inspect application-layer packets seem to |
1879 // inject TCP reset packets to break the connections when they see | 1855 // inject TCP reset packets to break the connections when they see |
1880 // TLS 1.1 in ClientHello or ServerHello. See http://crbug.com/130293. | 1856 // TLS 1.1 in ClientHello or ServerHello. See http://crbug.com/130293. |
1881 // | 1857 // |
1882 // Only allow ERR_CONNECTION_RESET to trigger a fallback from TLS 1.1 or | 1858 // Only allow ERR_CONNECTION_RESET to trigger a fallback from TLS 1.1 or |
1883 // 1.2. We don't lose much in this fallback because the explicit IV for CBC | 1859 // 1.2. We don't lose much in this fallback because the explicit IV for CBC |
(...skipping 545 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2429 SSL_PeerSignedCertTimestamps(nss_fd_); | 2405 SSL_PeerSignedCertTimestamps(nss_fd_); |
2430 | 2406 |
2431 if (!signed_cert_timestamps || !signed_cert_timestamps->len) | 2407 if (!signed_cert_timestamps || !signed_cert_timestamps->len) |
2432 return; | 2408 return; |
2433 | 2409 |
2434 nss_handshake_state_.sct_list_from_tls_extension = std::string( | 2410 nss_handshake_state_.sct_list_from_tls_extension = std::string( |
2435 reinterpret_cast<char*>(signed_cert_timestamps->data), | 2411 reinterpret_cast<char*>(signed_cert_timestamps->data), |
2436 signed_cert_timestamps->len); | 2412 signed_cert_timestamps->len); |
2437 } | 2413 } |
2438 | 2414 |
2415 #ifdef SSL_ENABLE_OCSP_STAPLING | |
2416 void SSLClientSocketNSS::Core::UpdateStapledOCSPResponse() { | |
2417 const SECItemArray* ocsp_responses = | |
2418 SSL_PeerStapledOCSPResponses(nss_fd_); | |
2419 if (!ocsp_responses || !ocsp_responses->len) | |
2420 return; | |
2421 | |
2422 if (ssl_config_.signed_cert_timestamps_enabled && | |
2423 nss_handshake_state_.server_cert) { | |
2424 std::string ocsp_response( | |
2425 reinterpret_cast<char*>(ocsp_responses->items[0].data), | |
2426 ocsp_responses->items[0].len); | |
wtc
2013/12/03 21:04:25
We are copying an OCSP response here. This seems t
ekasper
2013/12/04 19:25:15
This has changed - I now store the raw response an
| |
2427 ct::ExtractSCTListFromOCSPResponse( | |
2428 nss_handshake_state_.server_cert->os_cert_handle(), | |
2429 ocsp_response, | |
2430 &nss_handshake_state_.sct_list_from_ocsp_stapling); | |
2431 } | |
2432 // TODO(agl): figure out how to plumb an OCSP response into the Mac | |
2433 // system library and update IsOCSPStaplingSupported for Mac. | |
2434 if (IsOCSPStaplingSupported()) { | |
2435 #if defined(OS_WIN) | |
2436 if (nss_handshake_state_.server_cert) { | |
wtc
2013/12/03 21:04:25
Hmm... I wonder why we check nss_handshake_state_.
Ryan Sleevi
2013/12/03 21:07:15
Because Windows will fail to parse certificates th
| |
2437 CRYPT_DATA_BLOB ocsp_response_blob; | |
2438 ocsp_response_blob.cbData = ocsp_responses->items[0].len; | |
2439 ocsp_response_blob.pbData = ocsp_responses->items[0].data; | |
2440 BOOL ok = CertSetCertificateContextProperty( | |
2441 nss_handshake_state_.server_cert->os_cert_handle(), | |
2442 CERT_OCSP_RESPONSE_PROP_ID, | |
2443 CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG, | |
2444 &ocsp_response_blob); | |
2445 if (!ok) { | |
2446 VLOG(1) << "Failed to set OCSP response property: " | |
2447 << GetLastError(); | |
2448 } | |
2449 } | |
2450 #elif defined(USE_NSS) | |
2451 CacheOCSPResponseFromSideChannelFunction cache_ocsp_response = | |
2452 GetCacheOCSPResponseFromSideChannelFunction(); | |
2453 | |
2454 cache_ocsp_response( | |
2455 CERT_GetDefaultCertDB(), | |
2456 nss_handshake_state_.server_cert_chain[0], PR_Now(), | |
2457 &ocsp_responses->items[0], NULL); | |
2458 #endif | |
2459 } // IsOCSPStaplingSupported() | |
2460 } | |
2461 #endif | |
2462 | |
2439 void SSLClientSocketNSS::Core::UpdateConnectionStatus() { | 2463 void SSLClientSocketNSS::Core::UpdateConnectionStatus() { |
2440 SSLChannelInfo channel_info; | 2464 SSLChannelInfo channel_info; |
2441 SECStatus ok = SSL_GetChannelInfo(nss_fd_, | 2465 SECStatus ok = SSL_GetChannelInfo(nss_fd_, |
2442 &channel_info, sizeof(channel_info)); | 2466 &channel_info, sizeof(channel_info)); |
2443 if (ok == SECSuccess && | 2467 if (ok == SECSuccess && |
2444 channel_info.length == sizeof(channel_info) && | 2468 channel_info.length == sizeof(channel_info) && |
2445 channel_info.cipherSuite) { | 2469 channel_info.cipherSuite) { |
2446 nss_handshake_state_.ssl_connection_status |= | 2470 nss_handshake_state_.ssl_connection_status |= |
2447 (static_cast<int>(channel_info.cipherSuite) & | 2471 (static_cast<int>(channel_info.cipherSuite) & |
2448 SSL_CONNECTION_CIPHERSUITE_MASK) << | 2472 SSL_CONNECTION_CIPHERSUITE_MASK) << |
(...skipping 737 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3186 LogFailedNSSFunction( | 3210 LogFailedNSSFunction( |
3187 net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION"); | 3211 net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION"); |
3188 } | 3212 } |
3189 | 3213 |
3190 rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE); | 3214 rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE); |
3191 if (rv != SECSuccess) | 3215 if (rv != SECSuccess) |
3192 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV"); | 3216 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV"); |
3193 | 3217 |
3194 // Added in NSS 3.15 | 3218 // Added in NSS 3.15 |
3195 #ifdef SSL_ENABLE_OCSP_STAPLING | 3219 #ifdef SSL_ENABLE_OCSP_STAPLING |
3196 if (IsOCSPStaplingSupported()) { | 3220 // Request OCSP stapling even on platforms that don't support it, in |
3197 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE); | 3221 // order to extract Certificate Transparency information. |
3198 if (rv != SECSuccess) { | 3222 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, |
3199 LogFailedNSSFunction(net_log_, "SSL_OptionSet", | 3223 (IsOCSPStaplingSupported() || |
3200 "SSL_ENABLE_OCSP_STAPLING"); | 3224 ssl_config_.signed_cert_timestamps_enabled)); |
3201 } | 3225 if (rv != SECSuccess) { |
3226 LogFailedNSSFunction(net_log_, "SSL_OptionSet", | |
3227 "SSL_ENABLE_OCSP_STAPLING"); | |
3202 } | 3228 } |
3203 #endif | 3229 #endif |
3204 | 3230 |
3205 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, | 3231 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, |
3206 ssl_config_.signed_cert_timestamps_enabled); | 3232 ssl_config_.signed_cert_timestamps_enabled); |
3207 if (rv != SECSuccess) { | 3233 if (rv != SECSuccess) { |
3208 LogFailedNSSFunction(net_log_, "SSL_OptionSet", | 3234 LogFailedNSSFunction(net_log_, "SSL_OptionSet", |
3209 "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS"); | 3235 "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS"); |
3210 } | 3236 } |
3211 | 3237 |
(...skipping 136 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3348 int SSLClientSocketNSS::DoHandshakeComplete(int result) { | 3374 int SSLClientSocketNSS::DoHandshakeComplete(int result) { |
3349 EnterFunction(result); | 3375 EnterFunction(result); |
3350 | 3376 |
3351 if (result == OK) { | 3377 if (result == OK) { |
3352 // SSL handshake is completed. Let's verify the certificate. | 3378 // SSL handshake is completed. Let's verify the certificate. |
3353 GotoState(STATE_VERIFY_CERT); | 3379 GotoState(STATE_VERIFY_CERT); |
3354 // Done! | 3380 // Done! |
3355 } | 3381 } |
3356 set_channel_id_sent(core_->state().channel_id_sent); | 3382 set_channel_id_sent(core_->state().channel_id_sent); |
3357 set_signed_cert_timestamps_received( | 3383 set_signed_cert_timestamps_received( |
3358 !core_->state().sct_list_from_tls_extension.empty()); | 3384 !core_->state().sct_list_from_tls_extension.empty() || |
3385 !core_->state().sct_list_from_ocsp_stapling.empty()); | |
3359 | 3386 |
3360 LeaveFunction(result); | 3387 LeaveFunction(result); |
3361 return result; | 3388 return result; |
3362 } | 3389 } |
3363 | 3390 |
3364 int SSLClientSocketNSS::DoVerifyCert(int result) { | 3391 int SSLClientSocketNSS::DoVerifyCert(int result) { |
3365 DCHECK(!core_->state().server_cert_chain.empty()); | 3392 DCHECK(!core_->state().server_cert_chain.empty()); |
3366 DCHECK(core_->state().server_cert_chain[0]); | 3393 DCHECK(core_->state().server_cert_chain[0]); |
3367 | 3394 |
3368 GotoState(STATE_VERIFY_CERT_COMPLETE); | 3395 GotoState(STATE_VERIFY_CERT_COMPLETE); |
(...skipping 137 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3506 | 3533 |
3507 void SSLClientSocketNSS::VerifyCT() { | 3534 void SSLClientSocketNSS::VerifyCT() { |
3508 if (!cert_transparency_verifier_) | 3535 if (!cert_transparency_verifier_) |
3509 return; | 3536 return; |
3510 | 3537 |
3511 // Note that this is a completely synchronous operation: The CT Log Verifier | 3538 // Note that this is a completely synchronous operation: The CT Log Verifier |
3512 // gets all the data it needs for SCT verification and does not do any | 3539 // gets all the data it needs for SCT verification and does not do any |
3513 // external communication. | 3540 // external communication. |
3514 int result = cert_transparency_verifier_->Verify( | 3541 int result = cert_transparency_verifier_->Verify( |
3515 server_cert_verify_result_.verified_cert, | 3542 server_cert_verify_result_.verified_cert, |
3516 std::string(), // SCT list from OCSP response | 3543 core_->state().sct_list_from_ocsp_stapling, |
3517 std::string(), // SCT list from TLS extension | 3544 core_->state().sct_list_from_tls_extension, |
3518 &ct_verify_result_, | 3545 &ct_verify_result_, |
3519 net_log_); | 3546 net_log_); |
3520 | 3547 |
3521 VLOG(1) << "CT Verification complete: result " << result | 3548 VLOG(1) << "CT Verification complete: result " << result |
3522 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() | 3549 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() |
3523 << " Verified scts: " << ct_verify_result_.verified_scts.size() | 3550 << " Verified scts: " << ct_verify_result_.verified_scts.size() |
3524 << " scts from unknown logs: " | 3551 << " scts from unknown logs: " |
3525 << ct_verify_result_.unknown_logs_scts.size(); | 3552 << ct_verify_result_.unknown_logs_scts.size(); |
3526 } | 3553 } |
3527 | 3554 |
(...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3581 SignedCertificateTimestampAndStatus(*iter, | 3608 SignedCertificateTimestampAndStatus(*iter, |
3582 ct::SCT_STATUS_LOG_UNKNOWN)); | 3609 ct::SCT_STATUS_LOG_UNKNOWN)); |
3583 } | 3610 } |
3584 } | 3611 } |
3585 | 3612 |
3586 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { | 3613 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { |
3587 return server_bound_cert_service_; | 3614 return server_bound_cert_service_; |
3588 } | 3615 } |
3589 | 3616 |
3590 } // namespace net | 3617 } // namespace net |
OLD | NEW |